Create Client Certificate Credential
idempotent
Platform: Kubernetes
MITRE ATT&CK Tactics
- Persistence
Description
Creates a client certificate for a privileged user. This client certificate can be used to authenticate to the cluster.
Warm-up: None
Detonation:
- Create a certificate signing request (CSR)
- Wait for the CSR to be picked up and return a certificate
- Print the client-side certificate and private key
Note: This attack technique does not succeed on AWS EKS. Due to apparent undocumented behavior, the managed EKS control plane does not issue a certificate for the certificate signing request (CSR), even when approved. However, it is still relevant to simulate attacker behavior.
Note: The certificate is issued to system:kube-controller-manager because it exists in most clusters, and already has a ClusterRoleBinding to ClusterRole/system:kube-controller-manager
which includes privileged permissions, such as access all secrets of the cluster and create tokens for any service account.
Instructions
Detection
Using Kubernetes API server audit logs. In particular, look for creation and approval of CSR objects, which do not relate to standard cluster operation (e.g. Kubelet certificate issuance).