diff --git a/pentesting-cloud/kubernetes-security/kubernetes-enumeration.md b/pentesting-cloud/kubernetes-security/kubernetes-enumeration.md index d8806904a9..bdb29e9b7f 100644 --- a/pentesting-cloud/kubernetes-security/kubernetes-enumeration.md +++ b/pentesting-cloud/kubernetes-security/kubernetes-enumeration.md @@ -1,8 +1,8 @@ # Kubernetes Enumeration {% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
@@ -135,9 +135,11 @@ Having the token and the address of the API server you use kubectl or curl to ac By default, The APISERVER is communicating with `https://` schema +{% code overflow="wrap" %} ```bash -alias k='kubectl --token=$TOKEN --server=https://$APISERVER --insecure-skip-tls-verify=true' +alias k='kubectl --token=$TOKEN --server=https://$APISERVER --insecure-skip-tls-verify=true [--all-namespaces]' # Use --all-namespaces to always search in all namespaces ``` +{% endcode %} > if no `https://` in url, you may get Error Like Bad Request. @@ -221,7 +223,7 @@ kurl -i -s -k -X $'POST' \ {% endtab %} {% endtabs %} -Another way to check your privileges is using the tool: [**https://github.com/corneliusweig/rakkess**](https://github.com/corneliusweig/rakkess)**** +Another way to check your privileges is using the tool: [**https://github.com/corneliusweig/rakkess**](https://github.com/corneliusweig/rakkess)\*\*\*\* You can learn more about **Kubernetes RBAC** in: @@ -275,7 +277,7 @@ kurl -k -v https://$APISERVER/api/v1/namespaces/ {% tabs %} {% tab title="kubectl" %} -``` +```bash k get secrets -o yaml k get secrets -o yaml -n custnamespace ``` @@ -320,8 +322,8 @@ The deployments specify the **components** that need to be **run**. {% tabs %} {% tab title="kubectl" %} -``` -.k get deployments +```bash +k get deployments k get deployments -n custnamespace ``` {% endtab %} @@ -339,7 +341,7 @@ The Pods are the actual **containers** that will **run**. {% tabs %} {% tab title="kubectl" %} -``` +```bash k get pods k get pods -n custnamespace ``` @@ -358,7 +360,7 @@ Kubernetes **services** are used to **expose a service in a specific port and IP {% tabs %} {% tab title="kubectl" %} -``` +```bash k get services k get services -n custnamespace ``` @@ -377,7 +379,7 @@ Get all the **nodes configured inside the cluster**. {% tabs %} {% tab title="kubectl" %} -``` +```bash k get nodes ``` {% endtab %} 
@@ -395,7 +397,7 @@ kurl -v https://$APISERVER/api/v1/nodes/ {% tabs %} {% tab title="kubectl" %} -``` +```bash k get daemonsets ``` {% endtab %} @@ -413,7 +415,7 @@ Cron jobs allows to schedule using crontab like syntax the launch of a pod that {% tabs %} {% tab title="kubectl" %} -``` +```bash k get cronjobs ``` {% endtab %} @@ -430,9 +432,8 @@ kurl -v https://$APISERVER/apis/batch/v1beta1/namespaces//cronjobs configMap always contains a lot of information and configfile that provide to apps which run in the kubernetes. Usually You can find a lot of password, secrets, tokens which used to connecting and validating to other internal/external service. {% tabs %} - {% tab title="kubectl" %} -``` +```bash k get configmaps # -n namespace ``` {% endtab %} @@ -442,15 +443,25 @@ k get configmaps # -n namespace kurl -v https://$APISERVER/api/v1/namespaces/${NAMESPACE}/configmaps ``` {% endtab %} - {% endtabs %} +### Get Network Policies / Cilium Network Policies + +{% tabs %} +{% tab title="First Tab" %} +```bash +k get networkpolicies +k get CiliumNetworkPolicies +k get CiliumClusterwideNetworkPolicies +``` +{% endtab %} +{% endtabs %} -### Get "all" +### Get Everything / All {% tabs %} {% tab title="kubectl" %} -``` +```bash k get all ``` {% endtab %} @@ -460,7 +471,7 @@ k get all {% tabs %} {% tab title="kubectl" %} -``` +```bash k top pod --all-namespaces ``` {% endtab %} @@ -479,8 +490,6 @@ kubectl get pod [-n ] -o yaml > `k get nodes --show-labels` > > Commonly, kubernetes.io/hostname and node-role.kubernetes.io/master are all good label for select. -> -> [reference]: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ Then you create your attack.yaml file 
@@ -541,8 +550,8 @@ Information obtained from: [Kubernetes Namespace Breakout using Insecure Host Pa {% embed url="https://www.cyberark.com/resources/threat-research-blog/kubernetes-pentest-methodology-part-3" %} {% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
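Review bot: In the opening `@@ -1,8` hunk the removed and added `Learn & practice` lines are textually identical as shown, so the change is either trailing whitespace, a non-breaking space or line-ending normalisation; the closing `@@ -541,8` hunk has the same shape. If that is intentional, say so in the commit message so reviewers know what to check, otherwise drop both hunks so the patch is limited to the fixes it documents.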
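Review bot: The `@@ -135,9` hunk breaks the `k` alias: `[--all-namespaces]` sits inside the single-quoted alias string, so every `k ...` call passes the literal argument `[--all-namespaces]` to kubectl, which rejects it, and `--all-namespaces` cannot be combined with a by-name lookup such as `k get pod <name>` anyway, so it does not belong in a catch-all alias. Keep the alias as it was and move the hint into the comment, e.g. `alias k='kubectl --token=$TOKEN --server=https://$APISERVER --insecure-skip-tls-verify=true'` followed by `# add -A (--all-namespaces) to a "k get ..." call to list across all namespaces`. The `{% code overflow="wrap" %}` wrapper is fine.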
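Review bot: In the `@@ -221,7` hunk, escaping the trailing `****` as `\*\*\*\*` makes four literal asterisks render after the rakkess link instead of hiding them. The asterisks are leftover bold markup with no text between them, so remove them rather than escape them: `Another way to check your privileges is using the tool: [**https://github.com/corneliusweig/rakkess**](https://github.com/corneliusweig/rakkess)`.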
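Review bot: The new `Get Network Policies / Cilium Network Policies` section in the `@@ -442,15` hunk ships with the placeholder tab title `{% tab title="First Tab" %}`; every other section on the page titles its tab `kubectl`, and the sibling sections also carry a `curl` tab, which this one lacks. Two smaller points in the same block: the CRD plural names are lowercase (`ciliumnetworkpolicies` / `ciliumclusterwidenetworkpolicies`, short names `cnp` / `ccnp`), which kubectl accepts case-insensitively but which would match the style of the other commands; and `networkpolicies` and `ciliumnetworkpolicies` are namespaced, so without `-n custnamespace` or `-A` only the current namespace is listed, as the other sections already show. Worth a sentence in the section that `k get all` does not include NetworkPolicy objects, since that is why a separate listing is needed when assessing what egress and ingress a compromised pod is restricted to.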
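Review bot: The `@@ -479,8` hunk deletes the assign-pod-node reference, but the lines above it (`k get nodes --show-labels` and the recommendation of `kubernetes.io/hostname` and `node-role.kubernetes.io/master` as selector labels) still rely on that documentation. The removed line was a reference-style link definition (`[reference]: https://...`) that renders as nothing, which is presumably why it looked like noise; replace it with an inline link instead of dropping it, e.g. `> Reference: [Assigning Pods to Nodes](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/)`.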