GKE Autopilot Node Compromise via SSH Metadata

Date: Mar 5, 2021 04:22PM

Vulnerability Details

GKE Autopilot provides many default security controls to protect the node, including protections against privileged pods and limitations on hostPath volume mounts.

The nodes are configured to pull from the compute metadata SSH keys list. As documented here, a user with compute.projects.setCommonInstanceMetadata can set project-wide SSH keys. To prevent users from simply logging in to the nodes directly, the nodes use an sshd configuration to set all user shells to /sbin/nologin. However, they do not restrict SSH tunneling. We can set up a SOCKS proxy and use this proxy to access the compute metadata service on the nodes (normally protected by the GKE metadata server). This enables the standard kubelet bootstrapping attack (with one difference). To demonstrate:

  1. Create an autopilot cluster and use kubectl get node -o wide to view node IP addresses
  2. Configure project wide SSH keys here: https://console.cloud.google.com/compute/metadata/sshKeys
  3. Download the following file: socks.sh
  4. Run socks.sh <username> <node IP> using your username from step 2 and a node IP address from step 1. This script automates the following steps:

Screenshot of working exploit: Screenshot of working exploit

Attack Scenario

The Autopilot documentation describes the motivation for its security controls as:

In order for GKE to offer management of the nodes and provide you with a more streamlined operational experience, there are a few restrictions and limitations when compared to GKE Standard. Some of these limitations are security best practices, while others allow Autopilot clusters to be safely managed.

A user with compute.projects.setCommonInstanceMetadata permission in the project could bypass the security controls in the cluster and gain privileged access to the managed Kubernetes nodes. Using this access, they could read all secrets in the cluster (including those outside their provisioned access) or explore the attack surface of the Autopilot control plane.