Create Client Certificate Credential
MITRE ATT&CK Tactics
Creates a client certificate for a privileged user. This client certificate can be used to authenticate to the cluster.
- Create a certificate signing request (CSR)
- Wait for the CSR to be picked up and a certificate to be returned
- Print the client-side certificate and private key
Note: This attack technique does not succeed on AWS EKS. Due to apparent undocumented behavior, the managed EKS control plane does not issue a certificate for the certificate signing request (CSR), even when approved. However, it is still relevant to simulate attacker behavior.
Note: The certificate is issued to system:kube-controller-manager because this user exists in most clusters and already has a ClusterRoleBinding to a ClusterRole with privileged permissions, such as reading all secrets in the cluster and creating tokens for any service account.
Detection: use Kubernetes API server audit logs. In particular, look for creation and approval of CSR objects that do not correspond to standard cluster operation (e.g. kubelet certificate issuance).
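The detection guidance above, as an added example that is not part of the original page or of the project's own code: a small scanner over audit.k8s.io/v1 events (JSON lines) that flags CSR creations for non-kubelet signers and CSR approvals performed by an identity other than the certificate controller. It assumes the audit policy logs request bodies (level Request or higher) for certificatesigningrequests, and the sample events are constructed, not captured from a real cluster.

```python
import json

# Signers used for normal kubelet certificate issuance and the identities that
# approve those CSRs (assumption: default kube-controller-manager configuration).
KUBELET_SIGNERS = {"kubernetes.io/kube-apiserver-client-kubelet",
                   "kubernetes.io/kubelet-serving"}
TRUSTED_APPROVERS = {"system:kube-controller-manager",
                     "system:serviceaccount:kube-system:certificate-controller"}

def classify(ev):
    """Return a finding for a suspicious CSR audit event, or None."""
    ref = ev.get("objectRef") or {}
    if (ref.get("apiGroup"), ref.get("resource")) != ("certificates.k8s.io", "certificatesigningrequests"):
        return None
    user = ev.get("user", {}).get("username", "<unknown>")
    sub = ref.get("subresource")
    if ev.get("verb") == "create" and not sub:
        # Kubelets request one of the kubelet signers; a client certificate for a
        # privileged user is requested from kubernetes.io/kube-apiserver-client.
        signer = (ev.get("requestObject") or {}).get("spec", {}).get("signerName")
        if signer not in KUBELET_SIGNERS:
            return f"CSR {ref.get('name')} created by {user} for signer {signer}"
    if sub == "approval" and user not in TRUSTED_APPROVERS:
        # Approval normally comes from the certificate controller, not a user.
        return f"CSR {ref.get('name')} approved by {user}"
    return None

def scan(lines):
    """Run classify() over JSON-lines audit events and return the findings."""
    return [f for f in (classify(json.loads(l)) for l in lines if l.strip()) if f]

def _ev(verb, user, name, signer=None, sub=None):
    """Build a minimal audit.k8s.io/v1 event (constructed sample, not real logs)."""
    ref = {"apiGroup": "certificates.k8s.io", "resource": "certificatesigningrequests", "name": name}
    if sub:
        ref["subresource"] = sub
    ev = {"kind": "Event", "apiVersion": "audit.k8s.io/v1", "verb": verb,
          "user": {"username": user}, "objectRef": ref}
    if signer:
        ev["requestObject"] = {"spec": {"signerName": signer}}
    return json.dumps(ev)

# Constructed sample: one benign kubelet renewal, then a client CSR created and
# approved by an ordinary user (the pattern this technique produces).
SAMPLE_AUDIT_LOG = [
    _ev("create", "system:node:worker-1", "csr-kubelet-1", "kubernetes.io/kube-apiserver-client-kubelet"),
    _ev("update", "system:serviceaccount:kube-system:certificate-controller", "csr-kubelet-1", sub="approval"),
    _ev("create", "dev-user", "csr-stratus", "kubernetes.io/kube-apiserver-client"),
    _ev("update", "dev-user", "csr-stratus", sub="approval"),
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_AUDIT_LOG):
        print("ALERT:", finding)
```

Tune KUBELET_SIGNERS and TRUSTED_APPROVERS to your cluster (managed control planes and custom CSR controllers use other identities) before relying on the output.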