So I became a node: Kubernetes bootstrap tokens and AKS

Kubernetes clusters rely on TLS for secure and authenticated internal communication. However, managing TLS certificates in such environments can be complex. Kubernetes offers built-in mechanisms to handle certificate signature and distribution to ease this challenge. Bootstrap tokens play an important role in this process, serving as initial identifiers that enable certificate signing requests. Typically, these requests are automatically approved and signed. As often in security, this ease of use implies the emergence of attack vectors.

This presentation will delve into the mechanics of Kubernetes authentication and bootstrap tokens to highlight exploitation possibilities of such tokens. Inspired by Marc Wickenden’s research on Google GKS TLS Bootstrapping, we will demonstrate a new attack in AKS clusters (Azure), that will not be fixed by Microsoft.

The presentation will be conducted as follows :

• A quick introduction about the speakers.
• A quick introduction to Kubernetes: master/node, control plane parts, Kubelet.
• A description of the TLS communication between these parts which will lead to the authentication mechanisms: x509, jwt, user/password.
• A brief overview of authorization management in Kubernetes with a focus on the special node authorization mode.
• The presentation of CertificateSigningRequest (CSR) and bootstrap tokens to resolve the distribution of certificate issue. We will demonstrate the deployment of a cluster with Kubeadm
• Azure AKS application of the attack: - Presentation of the setup and prerequisites. - Discussion about the deployment mechanism of new node in AKS. - Retrieval and exploitation of the bootstrap token. - Privileges escalation to cluster admin.
• Microsoft response to our advisory.
• Mitigation proposal.