Kubernetes Security Threats Guide
Kubernetes Security Threats Guide
COM
Attacking Kubernetes
· Apr 15, 2024 · 31 min read
Table of contents
Restrict Kubernetes API access to specific IP ranges
Use Role-Based Access Control (RBAC)
Enable PodSecurityPolicy (PSP)
Use Network Policies
Enable Audit Logging
Use Secure Service Endpoints
Use Pod Security Context
Use Kubernetes Secrets
Enable Container Runtime Protection
Enable Admission Controllers
Hardcoded Credential
Container Escape Attack
Kubernetes API Server Attack
Pod-to-Pod Network Attack
Privilege Escalation Attack
Denial-of-Service (DoS) Attack
Kubernetes Threat Matrix
Initial access
USING CLOUD CREDENTIALS
COMPROMISED IMAGES IN REGISTRY
KUBECONFIG FILE
VULNERABLE APPLICATION
EXPOSED DASHBOARD
Execution
EXEC INTO CONTAINER:
NEW CONTAINER:
APPLICATION EXPLOIT:
SSH SERVER RUNNING INSIDE CONTAINER:
Persistence
BACKDOOR CONTAINER:
WRITABLE HOSTPATH MOUNT:
KUBERNETES CRONJOB:
Privilege escalation
PRIVILEGED CONTAINER
CLUSTER-ADMIN BINDING
HOSTPATH MOUNT
ACCESSING CLOUD RESOURCES:
Defense evasion
CLEAR CONTAINER LOGS:
DELETE KUBERNETES EVENTS:
POD/CONTAINER NAME SIMILARITY:
CONNECT FROM PROXY SERVER
Credential access
LIST KUBERNETES SECRETS:
MOUNT SERVICE PRINCIPAL:
ACCESS CONTAINER SERVICE ACCOUNT:
APPLICATION CREDENTIALS IN CONFIGURATION FILES:
Discovery
ACCESS THE KUBERNETES API SERVER:
ACCESS KUBELET API:
NETWORK MAPPING:
ACCESS KUBERNETES DASHBOARD:
INSTANCE METADATA API:
Lateral movement
ACCESS THE KUBERNETES API SERVER:
ACCESS CLOUD RESOURCES:
CONTAINER SERVICE ACCOUNT:
CLUSTER INTERNAL NETWORKING:
APPLICATION CREDENTIALS IN CONFIGURATION FILES:
WRITABLE VOLUME MOUNTS ON THE HOST:
ACCESS KUBERNETES DASHBOARD:
ACCESS TILLER ENDPOINT:
Impact
DATA DESTRUCTION:
RESOURCE HIJACKING:
DENIAL OF SERVICE (DOS):
References
Show less
potentially evade IP-based restrictions and gain unauthorized access to the API
server. The following command demonstrates how an attacker might attempt to
modify this parameter using kubectl :
COPY
Upon executing this command, the attacker gains access to the Kubernetes service
configuration in the default editor. Within the configuration, they can locate and
modify the spec.loadBalancerSourceRanges field to allow traffic from unauthorized IP
addresses. By removing or adding IP ranges to this field, the attacker can effectively
bypass the intended security controls, granting themselves unrestricted access to
the Kubernetes API.
COPY
spec:
loadBalancerSourceRanges:
- 0.0.0.0/0 # Allow all IP addresses (example of bypassing security
control)
create new service accounts and bind them to cluster-wide roles, potentially granting
themselves elevated privileges beyond their intended scope.
COPY
In executing these commands, attackers create a new service account named <name>
and bind it to a specified cluster role using a cluster role binding named <name> . This
effectively associates the new service account with the permissions defined by the
specified cluster role, granting the account access to resources and capabilities
within the Kubernetes cluster according to the role's permissions.
COPY
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: <name>
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: <role>
subjects:
- kind: ServiceAccount
name: <name>
namespace: <namespace>
In the resulting RBAC configuration, the cluster role binding <name> associates the
service account <name> in the specified namespace <namespace> with the cluster role
<role> , effectively granting the associated permissions to the service account.
In executing these commands, attackers create a new service account named psp-sa
and bind it to a cluster role named psp:vmxnet3 using a cluster role binding named
psp-binding . This effectively associates the new service account with permissions
defined by the specified PSP cluster role, potentially granting it escalated privileges
related to the use of VMXNET3 network interfaces.
COPY
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: psp-binding
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: psp:vmxnet3
subjects:
- kind: ServiceAccount
name: psp-sa
namespace: default
In the resulting RBAC configuration, the cluster role binding psp-binding associates
the service account psp-sa in the default namespace with the PSP cluster role
psp:vmxnet3 , potentially granting the associated permissions to the service account.
In executing this command, the attacker applies the Network Policy defined in the
YAML file to the Kubernetes cluster. The content of the networkpolicy.yml file may
include rules that allow traffic from unauthorized sources or permit communication
between pods that should be restricted.
COPY
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: allow-all
spec:
podSelector: {}
ingress:
- from:
- namespaceSelector:
matchLabels:
name: default
- podSelector:
matchLabels:
app: example-app
policyTypes:
- Ingress
In the above example, the Network Policy named allow-all allows all ingress traffic
from pods labeled with app: example-app in the default namespace. Attackers can
exploit such misconfigured or overly permissive Network Policies to bypass intended
security controls and communicate with pods or services that they should not have
access to.
In executing these commands, attackers apply a custom audit policy defined in the
YAML file audit-policy.yaml and edit the ConfigMap kube-apiserver in the kube-
system namespace, where the audit logging configuration is stored.
The audit-policy.yaml file may contain a custom audit policy defining which events
should be logged:
COPY
apiVersion: audit.k8s.io/v1
kind: Policy
rules:
- level: Metadata
The kubectl edit command allows attackers to modify parameters related to audit
logging, such as --audit-log-path and --audit-policy-file , potentially altering the
destination and content of audit logs or disabling auditing altogether.
COPY
apiVersion: v1
data:
audit-log-path: /var/log/kubernetes/audit.log
audit-policy-file: /etc/kubernetes/audit-policy.yaml
{
"spec": {
"publishNotReadyAddresses": true,
"sessionAffinity": "ClientIP"
}
}
By enabling the publishing of not ready addresses, attackers may exploit services
that are still in the process of initialization or recovery, potentially bypassing intended
restrictions on access. Setting session affinity to ClientIP may allow attackers to
manipulate session handling to maintain persistence or evade detection.
a role associated with Pod Security Policies (PSP), potentially granting themselves
elevated privileges beyond the intended restrictions.
COPY
In executing these commands, attackers create a new service account named pod-sa
and bind it to a role named psp:vmxnet3 using a role binding named pod-sa . This
effectively associates the new service account with permissions defined by the
specified PSP role, potentially granting it escalated privileges related to the use of
VMXNET3 network interfaces.
COPY
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: pod-sa
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: psp:vmxnet3
subjects:
- kind: ServiceAccount
name: pod-sa
namespace: default
In the resulting RBAC configuration, the role binding pod-sa associates the service
account pod-sa in the default namespace with the PSP role psp:vmxnet3 , potentially
granting the associated permissions to the service account.
In executing this command, attackers create a new secret named <name> and
populate it with the contents of a file located at <path-to-file> . This file may contain
sensitive information such as passwords, API keys, or certificates.
By gaining access to create secrets within the cluster, attackers can potentially
extract sensitive data and use it to escalate privileges, access restricted resources, or
carry out further attacks. Additionally, if secrets are not adequately protected or
encrypted, attackers may be able to intercept or manipulate them, compromising the
security of the entire system.
In executing this command, the attacker applies the configuration defined in the
YAML file falco.yaml to the Kubernetes cluster. This configuration may include rules
and policies for container runtime protection, such as monitoring for abnormal
behaviors or unauthorized access attempts.
The content of the falco.yaml file may define rules for detecting suspicious activities
within containers:
COPY
apiVersion: falco.org/v1
kind: FalcoRule
metadata:
name: suspicious-executable
spec:
description: Detects execution of suspicious executables
condition: >
(proc.name = bash or proc.name = sh) and
(fd.name contains /tmp/evil)
output: "Suspicious executable detected: %{proc.name} executing %
{fd.name}"
priority: WARNING
enabled: true
In executing this command, the attacker edits the ConfigMap kube-apiserver in the
kube-system namespace, where the configuration settings for the kube-apiserver
In the edited configuration, the attacker may disable certain admission controllers or
add new ones to allow the admission of resources that would otherwise be rejected
by default controls. For example, disabling the PodSecurityPolicy admission controller
can allow the admission of pods that violate security policies.
By manipulating admission controller settings, attackers can potentially bypass
security controls and introduce malicious resources or execute unauthorized actions
within the Kubernetes cluster. This can lead to a variety of security risks, including
privilege escalation, data exfiltration, or the execution of malicious code.
Hardcoded Credential
Attackers may exploit hardcoded credentials in Kubernetes configurations to gain
unauthorized access to sensitive resources, such as databases, and execute
malicious activities. By embedding credentials directly into configuration files,
attackers can easily extract and abuse these credentials if they gain access to the
configuration files.
COPY
apiVersion: v1
kind: Deployment
metadata:
name: my-app
spec:
replicas: 3
template:
metadata:
labels:
app: my-app
spec:
containers:
- name: my-app-container
image: my-app:v1
ports:
- containerPort: 8080
env:
- name: DATABASE_URL
value: "mysql://root:password@localhost:3306/my_database"
apiVersion: v1
kind: Deployment
metadata:
name: my-app
spec:
replicas: 3
template:
metadata:
labels:
app: my-app
spec:
containers:
- name: my-app-container
image: my-app:v1
ports:
- containerPort: 8080
env:
- name: DATABASE_URL
valueFrom:
secretKeyRef:
name: my-app-secrets
key: database-url
In the compliant code, the hardcoded database connection string is replaced with a
reference to a Kubernetes Secret named my-app-secrets . The Secret contains the
sensitive information such as the database URL, username, and password. The
valueFrom field in the env section instructs Kubernetes to retrieve the value of the
apiVersion: v1
kind: Pod
metadata:
name: privileged-pod
spec:
containers:
- name: privileged-container
image: my-image
securityContext:
privileged: true
In this noncompliant code, the Pod definition sets the privileged flag to true, allowing
the container to run with extended privileges. This configuration increases the attack
surface and makes it easier for an attacker to escape the container and compromise
the underlying host system.
To mitigate container escape attacks, Kubernetes provides security features such as
the securityContext field, which allows administrators to control the security settings
of containers.
COPY
apiVersion: v1
kind: Pod
metadata:
name: restricted-pod
spec:
containers:
- name: restricted-container
image: my-image
securityContext:
privileged: false
In the compliant code, the privileged flag is set to false, restricting the container from
running with extended privileges. By enforcing this security measure, organizations
can reduce the risk of container escape attacks and enhance the security of their
Kubernetes deployments.
apiVersion: v1
kind: ServiceAccount
metadata:
name: privileged-service-account
namespace: default
apiVersion: v1
kind: ServiceAccount
metadata:
name: restricted-service-account
namespace: default
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: restricted-role
namespace: default
rules:
- apiGroups: [""]
resources: ["pods"]
verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: restricted-role-binding
namespace: default
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: restricted-role
subjects:
- kind: ServiceAccount
name: restricted-service-account
namespace: default
named restricted-role is defined, granting permissions to get, list, and watch pods.
A RoleBinding named restricted-role-binding associates the Role with the restricted
service account.
apiVersion: v1
kind: Pod
metadata:
name: unsecured-pod
spec:
containers:
- name: container-a
image: image-a
- name: container-b
image: image-b
apiVersion: v1
kind: Pod
metadata:
name: secured-pod
spec:
containers:
- name: container-a
image: image-a
- name: container-b
image: image-b
networkPolicy:
podSelector:
matchLabels:
app: secured-pod
ingress:
- from:
podSelector:
matchLabels:
app: secured-pod
can initiate ingress traffic to this pod. This setup effectively limits the attack surface
and prevents unauthorized access or interception of network traffic from other pods.
apiVersion: v1
kind: Pod
metadata:
name: privileged-pod
spec:
containers:
- name: privileged-container
image: my-image
securityContext:
runAsUser: 0
In this noncompliant code, the runAsUser field is set to 0, which runs the container as
the root user. Running containers as root grants extensive privileges within the
container, making it easier for attackers to exploit privilege escalation vulnerabilities
and gain unauthorized access to sensitive resources or the underlying host system.
To mitigate the risk of privilege escalation attacks, Kubernetes provides security
features such as the securityContext field, which allows administrators to specify
security settings for containers.
COPY
apiVersion: v1
kind: Pod
metadata:
name: restricted-pod
spec:
containers:
- name: restricted-container
image: my-image
securityContext:
runAsUser: 1000
In the compliant code, the runAsUser field is set to a non-root user (e.g., UID 1000),
reducing the container's privileges and mitigating the risk of privilege escalation
attacks. By running containers with non-root users, organizations can enforce the
principle of least privilege, limiting the impact of potential security breaches and
enhancing the overall security posture of their Kubernetes deployments.
apiVersion: v1
kind: Deployment
metadata:
name: resource-hungry-app
spec:
replicas: 5
template:
spec:
containers:
- name: resource-hungry-container
image: my-image
resources:
requests:
cpu: "1000m"
memory: "2Gi"
In this noncompliant code, the resource requests for the container are set
significantly higher than necessary, with requests of 1000 milliCPU and 2 gigabytes of
memory. Such excessive resource requests can lead to inefficient resource utilization
and potential DoS vulnerabilities, as the containers may consume more resources
than required, leading to resource exhaustion and service disruption.
To mitigate the risk of DoS attacks, it's crucial to set resource requests to more
appropriate values that accurately reflect the actual resource requirements of the
containers.
COPY
apiVersion: v1
kind: Deployment
metadata:
name: optimized-app
spec:
replicas: 5
template:
spec:
containers:
- name: optimized-container
image: my-image
resources:
requests:
cpu: "100m"
memory: "256Mi"
In the compliant code, resource requests are set to more appropriate values, with
requests of 100 milliCPU and 256 megabytes of memory. By accurately specifying
resource requests based on the actual resource requirements of the containers,
organizations can mitigate the risk of DoS attacks and ensure efficient resource
utilization within the Kubernetes cluster.
Initial access
As organizations embrace containerized environments like Kubernetes, it becomes
essential to understand the potential vulnerabilities and attack vectors that
adversaries may exploit. The initial access tactic poses a significant threat, serving as
the entry point for unauthorized actors into Kubernetes clusters. In this article, we will
explore some common techniques used to gain initial access and discuss proactive
measures to secure your Kubernetes environment.
USING CLOUD CREDENTIALS
The kubeconfig file, which contains cluster details and credentials, is used by
Kubernetes clients like kubectl. If an attacker gains access to this file, they can exploit
it to gain unauthorized access to the Kubernetes clusters. Securing the kubeconfig
file through secure distribution channels, enforcing access controls, and employing
secure client environments are essential steps to mitigate this risk.
VULNERABLE APPLICATION
Running a vulnerable application within a cluster can open the door to initial access.
Exploiting remote code execution vulnerabilities in containers can allow attackers to
execute arbitrary code. If a service account is mounted to the compromised
container, the attacker can use its credentials to send requests to the Kubernetes API
server. Regularly patching and updating container images, along with implementing
strong network segmentation, are crucial to mitigating this risk.
EXPOSED DASHBOARD
Execution
Once attackers gain initial access to a Kubernetes cluster, the execution tactic
becomes their next focus. By leveraging various techniques, attackers attempt to run
their malicious code within the cluster, potentially causing widespread damage. In this
article, we will explore common execution techniques in Kubernetes and discuss key
strategies to mitigate the associated risks.
EXEC INTO CONTAINER:
Attackers with sufficient permissions can exploit the “exec” command (“kubectl
exec”) to run malicious commands inside containers within the cluster. By using
legitimate images, such as popular OS images, as a backdoor container, attackers can
remotely execute their malicious code through “kubectl exec.” Limiting permissions
and enforcing strict access controls will help prevent unauthorized execution within
containers.
NEW CONTAINER:
In some cases, attackers may discover containers running SSH servers. If attackers
acquire valid credentials, either through brute-force attempts or phishing, they can
exploit these SSH servers to gain remote access to the container. To mitigate this
risk, it is essential to employ strong authentication mechanisms, enforce secure
credential management practices, and regularly audit containers for unauthorized
SSH servers.
Persistence
In the context of Kubernetes security, persistence refers to the techniques employed
by attackers to maintain access to a cluster even after their initial entry point has
been compromised. By understanding and addressing the persistence tactics used by
adversaries, organizations can strengthen their security posture and protect their
Kubernetes environments. In this article, we will explore common persistence
techniques in Kubernetes and discuss strategies to mitigate these risks.
BACKDOOR CONTAINER:
The hostPath volume allows mounting a directory or file from the host to a container.
Attackers with permissions to create containers within the cluster can exploit this
feature by creating a container with a writable hostPath volume. This provides them
with persistence on the underlying host and potential avenues for unauthorized
access. Implementing strict access controls and regular auditing of container
configurations can help identify and mitigate this risk.
KUBERNETES CRONJOB:
Privilege escalation
A privileged container possesses all the capabilities of the host machine, allowing
unrestricted actions within the cluster. Attackers who gain access to a privileged
container, or have permissions to create one, can exploit the host’s resources. It is
essential to enforce strict container security policies, limit the creation of privileged
containers, and regularly monitor for unauthorized access or configuration changes.
CLUSTER-ADMIN BINDING
Attackers can leverage the hostPath volume mount to gain access to the underlying
host, breaking out of the container’s isolated environment. This allows them to
escalate privileges from the container to the host. Implementing strict access
controls, conducting regular vulnerability scans, and monitoring for suspicious
hostPath mount configurations are essential for mitigating this risk.
ACCESSING CLOUD RESOURCES:
Defense evasion
Defense evasion techniques are employed by attackers to evade detection and
conceal their activities within Kubernetes environments. By actively evading security
measures, attackers can prolong their presence, increase the likelihood of successful
attacks, and bypass traditional security controls. Understanding common defense
evasion techniques is crucial for organizations to enhance threat detection
capabilities and bolster overall Kubernetes security. In this article, we will explore
common defense evasion tactics and discuss strategies to mitigate these risks
effectively.
CLEAR CONTAINER LOGS:
Kubernetes events play a critical role in logging state changes and failures within the
cluster. Attackers may seek to delete Kubernetes events to avoid detection of their
activities. Organizations should ensure proper event logging and implement log
integrity checks to detect any tampering or deletion of events. Retaining logs in a
secure and immutable manner can aid in the identification of anomalous behavior.
POD/CONTAINER NAME SIMILARITY:
Attackers may attempt to hide their malicious activities by naming their backdoor
pods in a way that resembles legitimate pods created by controllers like Deployments
or DaemonSets. By blending in with existing pod naming conventions, attackers aim
to avoid suspicion. Organizations should implement strict naming conventions and
conduct regular audits to identify any discrepancies or suspicious pod/container
names.
CONNECT FROM PROXY SERVER
To obfuscate their origin IP addresses, attackers may employ proxy servers, including
anonymous networks like TOR, to communicate with applications or the Kubernetes
API server. Organizations should consider implementing network security measures to
monitor and restrict access from suspicious IP ranges or anonymous networks.
Implementing intrusion detection and prevention systems (IDPS) and conducting
regular threat intelligence analysis can aid in identifying proxy server usage by
attackers.
Credential access
The security of credentials is of paramount importance in Kubernetes environments.
Attackers employ various techniques to steal credentials, including application
credentials, service accounts, secrets, and cloud credentials. Safeguarding credential
access is crucial to prevent unauthorized access, data breaches, and potential
compromise of sensitive information. In this article, we will explore common credential
access tactics and discuss strategies to enhance identity protection and mitigate the
risks associated with credential theft in Kubernetes.
LIST KUBERNETES SECRETS:
Kubernetes secrets are used to store sensitive information, such as passwords and
connection strings, within the cluster. Attackers with appropriate permissions can
retrieve these secrets from the API server, potentially gaining access to critical
credentials. Organizations should adopt a defense-in-depth approach to secure
secrets, including strong access controls, encryption, and regular auditing of secret
configurations. Implementing fine-grained RBAC policies and limiting access to
secrets based on the principle of least privilege can help mitigate the risk of
unauthorized access.
MOUNT SERVICE PRINCIPAL:
In cloud deployments, attackers may exploit their access to a container in the cluster
to gain unauthorized access to cloud credentials. For example, in Azure Kubernetes
Service (AKS), each node contains a service principal credential. Organizations
should implement robust security measures, such as secure cluster configurations,
strict access controls, and regular rotation of service principal credentials, to prevent
unauthorized access to cloud resources.
ACCESS CONTAINER SERVICE ACCOUNT:
Service accounts (SAs) are used to represent application identities within Kubernetes.
By default, SAs are mounted to every pod in the cluster, allowing containers to
interact with the Kubernetes API server. Attackers who gain access to a pod can
extract the SA token and potentially perform actions within the cluster based on the
SA’s permissions. It is crucial to implement RBAC and enforce strong authentication
mechanisms to mitigate the risk of unauthorized SA access. Regular audits and
monitoring of SA permissions can help identify and remediate any potential security
gaps.
APPLICATION CREDENTIALS IN CONFIGURATION FILES:
The Kubernetes API server acts as the gateway to the cluster, enabling interactions
and resource management. Attackers may attempt to access the API server to gather
information about containers, secrets, and other resources. Protecting the API server
is paramount, and organizations should implement strong authentication mechanisms,
robust access controls, and secure communication channels (TLS) to prevent
unauthorized access and unauthorized retrieval of sensitive data.
ACCESS KUBELET API:
Kubelet, running on each node, manages the execution of pods and exposes a read-
only API service. Attackers with network access to the host can probe the Kubelet API
to gather information about running pods and the node itself. To mitigate this risk,
organizations should implement network segmentation and restrict network access to
the Kubelet API, employing firewalls or network policies to allow communication only
from trusted sources.
NETWORK MAPPING:
Attackers may attempt to map the cluster network to gain insights into running
applications and identify potential vulnerabilities. Implementing network
segmentation, network policies, and utilizing network security solutions can help limit
unauthorized network exploration within the cluster, reducing the attack surface and
minimizing the impact of network mapping attempts.
ACCESS KUBERNETES DASHBOARD:
The Kubernetes dashboard provides a web-based interface for managing and
monitoring the cluster. Attackers who gain access to a container in the cluster may
attempt to exploit the container’s network access to access the dashboard pod.
Organizations should secure the Kubernetes dashboard by implementing strong
authentication, role-based access controls (RBAC), and secure network access
policies to prevent unauthorized access and information leakage.
INSTANCE METADATA API:
Cloud providers offer instance metadata services that provide information about
virtual machine configurations and network details. Attackers who compromise a
container may attempt to query the instance metadata API to gain insights into the
underlying node. Protecting the metadata API is crucial, and organizations should
implement network-level security controls, such as restricting access to the metadata
service from within the VM only, to prevent unauthorized access and limit the
exposure of sensitive information.
Lateral movement
The Kubernetes API server acts as the gateway to the cluster, enabling interactions
and resource management. Attackers may attempt to access the API server to gather
information about containers, secrets, and other resources. Protecting the API server
is paramount, and organizations should implement strong authentication mechanisms,
robust access controls, and secure communication channels (TLS) to prevent
unauthorized access and unauthorized retrieval of sensitive data.
ACCESS CLOUD RESOURCES:
Attackers who compromise a container in the cluster may attempt to move laterally
into the cloud environment itself. Organizations must implement strong access
controls, employ least privilege principles, and regularly monitor cloud resources to
detect and prevent unauthorized access attempts.
CONTAINER SERVICE ACCOUNT:
Attackers with access to a compromised container can leverage the mounted service
account token to send requests to the Kubernetes API server and gain access to
additional resources within the cluster. Securing container service accounts through
RBAC and regularly rotating credentials can help mitigate the risk of lateral movement
through compromised containers.
CLUSTER INTERNAL NETWORKING:
Attackers with access to the Kubernetes dashboard can manipulate cluster resources
and execute code within containers using the built-in “exec” capability. Securing the
Kubernetes dashboard through strong authentication, access controls, and
monitoring for suspicious activities can minimize the risk of unauthorized lateral
movement through the dashboard.
ACCESS TILLER ENDPOINT:
Tiller, the server-side component of Helm, may expose internal gRPC endpoints that
do not require authentication. Attackers who can access a container connected to the
Tiller service may exploit this vulnerability to perform unauthorized actions within the
cluster. Organizations should consider migrating to Helm version 3, which removes
the Tiller component and eliminates this specific risk.
Impact
Attackers may target Kubernetes deployments to destroy critical data and resources.
This can involve deleting deployments, configurations, storage volumes, or compute
resources. To mitigate the risk of data destruction, it is essential to implement robust
backup and disaster recovery mechanisms. Regularly backing up critical data,
verifying backup integrity, and employing proper access controls can help in
minimizing the impact of data destruction attacks.
RESOURCE HIJACKING:
Compromised resources within a Kubernetes cluster can be abused by attackers for
malicious activities such as digital currency mining. Attackers who gain access to
containers or have the permissions to create new containers may exploit these
resources for unauthorized tasks. Implementing strict pod security policies,
monitoring resource utilization, and regularly auditing containers for unauthorized
activities can help detect and prevent resource hijacking attempts.
DENIAL OF SERVICE (DOS):
Attackers may launch DoS attacks to disrupt the availability of Kubernetes services.
This can involve targeting containers, nodes, or the API server. To mitigate the impact
of DoS attacks, it is crucial to implement network-level security measures such as
ingress and egress filtering, rate limiting, and traffic monitoring. Additionally,
implementing resource quotas, configuring horizontal pod autoscaling, and monitoring
resource utilization can help in maintaining service availability and mitigating the
impact of DoS attacks.
References
https://devsecopsguides.com/docs/attacks/cloud/
https://github.com/center-for-threat-informed-defense/mappings-explorer/
https://center-for-threat-informed-defense.github.io/security-stack-
mappings/Azure/README.html
https://medium.com/mitre-engenuity/security-control-mappings-a-starting-
point-for-threat-informed-defense-a3aab55b1625
https://github.com/0xJs/CARTP-cheatsheet/
Written by
Reza Rashidi Follow
Published on
DevSecOpsGuides Follow
MORE ARTICLES
Reza Rashidi Reza Rashidi
Reza Rashidi
Attacking Docker
Docker has revolutionized the way
software is developed, deployed, and
managed by providing a lightw…