Note:
- Initial access with
  - known vuln
  - Exposed dashboard or
  - Kube API server
- Exploitation / Execution
  - API endpoint
  - get a shell access
- Internal recon
  - env | grep -i kube
  - /var/run/secrets/kubernetes.io/serviceaccount
  - container introspection
- Post-exploitation / Persistence
  - privilege escalation
  - pod/container escape via privileged pod
- Defending K8s
  - curl -k https://192.168.1.1:6443
  - CIS Kubernetes Benchmark (120+ security checks)
    - kube-bench (golang)
  - Image scan
    - Clair, docker scan, smartcheck, snyk, Trivy
  - Cloud-native runtime protection
    - Falco (CNCF)
  - The Pods
    - AllowPrivilegeEscalation = false
    - ReadOnlyRootFileSystem = true
    - RunAsNonRoot = true
    - Use Seccomp, AppArmor and SELinux
    - Pod Security Policies (PSP) - applied at cluster level (deprecated)
    - PSP replacement
      - OPA / Gatekeeper
      - Kyverno (yaml)
      - PodSecurity
  - RBAC (Role Based Access Control)
    - --authorization-mode=Node,RBAC
  - Secure those exposed etcd (cluster objects)
    - Encryption at rest not default
  - The Network Policy
    - Among all the pods
    - Pods with kube-system namespace
  - The Audit Logs
    - not enabled by default
  - Update K8s !!
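Added example (not part of the original note): the pod settings listed under "The Pods" written out as a manifest, together with the namespace label that enables the in-tree PodSecurity admission controller (the "PSP replacement") with its restricted profile. The namespace name, pod name, image and UID are placeholders I chose; the field names are the real Kubernetes ones.

```yaml
# Added example: hardened pod plus Pod Security admission on its namespace.
# Namespace, pod, image and UID values are placeholders.
apiVersion: v1
kind: Namespace
metadata:
  name: hardened-ns
  labels:
    # Pods that violate the "restricted" profile are rejected, not just warned about
    pod-security.kubernetes.io/enforce: restricted
    pod-security.kubernetes.io/enforce-version: latest
    pod-security.kubernetes.io/warn: restricted
    pod-security.kubernetes.io/audit: restricted
---
apiVersion: v1
kind: Pod
metadata:
  name: web
  namespace: hardened-ns
  annotations:
    # AppArmor: confine the container "web" with the runtime's default profile
    container.apparmor.security.beta.kubernetes.io/web: runtime/default
spec:
  # The projected token under /var/run/secrets/kubernetes.io/serviceaccount is
  # the first thing a shell inside the container would read; only mount it if
  # the application really talks to the API server.
  automountServiceAccountToken: false
  securityContext:
    runAsNonRoot: true          # kubelet refuses to start the container as UID 0
    runAsUser: 10001
    runAsGroup: 10001
    fsGroup: 10001
    seccompProfile:
      type: RuntimeDefault      # container runtime's default seccomp profile
    # seLinuxOptions: {level: "s0:c123,c456"}   # on SELinux-enforcing nodes
  containers:
    - name: web
      image: registry.example.com/web:1.0   # placeholder image
      ports:
        - containerPort: 8080
      securityContext:
        privileged: false
        allowPrivilegeEscalation: false   # sets no_new_privs; setuid binaries cannot gain privileges
        readOnlyRootFilesystem: true
        capabilities:
          drop: ["ALL"]
      # With a read-only root filesystem every writable path must be an explicit volume
      volumeMounts:
        - name: tmp
          mountPath: /tmp
  volumes:
    - name: tmp
      emptyDir: {}
```

Apply with `kubectl apply -f` as usual. To see what the restricted profile would reject in an existing namespace before enforcing it, `kubectl label --dry-run=server --overwrite ns <namespace> pod-security.kubernetes.io/enforce=restricted` lists the offending pods without changing anything.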
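Added example (not part of the original note) covering "The Audit Logs" and "Encryption at rest": the two kube-apiserver config files that turn both on, shown as one YAML stream for reading but installed as separate files. The file paths, log settings and key material are placeholders; the apiserver flags named in the comments are the real ones, including the `--authorization-mode=Node,RBAC` setting from the RBAC item.

```yaml
# Added example: kube-apiserver audit policy and encryption config.
# Referenced from the API server command line, e.g.:
#   --audit-policy-file=/etc/kubernetes/audit-policy.yaml
#   --audit-log-path=/var/log/kubernetes/audit.log
#   --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100
#   --encryption-provider-config=/etc/kubernetes/encryption.yaml
#   --authorization-mode=Node,RBAC
# Paths and the key value below are placeholders.

# --- File 1: audit policy (no audit events are written until a policy exists) ---
apiVersion: audit.k8s.io/v1
kind: Policy
omitStages:
  - RequestReceived                 # one event per request instead of one per stage
rules:
  # Secrets, ConfigMaps and token requests: metadata only (who, what, when),
  # so secret values never end up in the audit log itself.
  - level: Metadata
    resources:
      - group: ""
        resources: ["secrets", "configmaps", "serviceaccounts/token"]
  # RBAC objects: keep the full request and response body, so a changed
  # Role/ClusterRoleBinding can be reconstructed exactly during an investigation.
  - level: RequestResponse
    resources:
      - group: "rbac.authorization.k8s.io"
  # Interactive access into pods: record who opened it and on which pod.
  - level: Metadata
    resources:
      - group: ""
        resources: ["pods/exec", "pods/attach", "pods/portforward"]
  # Drop the high-volume, low-value watch traffic from kube-proxy.
  - level: None
    users: ["system:kube-proxy"]
    verbs: ["watch"]
    resources:
      - group: ""
        resources: ["endpoints", "services"]
  # Everything else: metadata only.
  - level: Metadata
---
# --- File 2: encryption of Secrets at rest in etcd (off by default) ---
apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
  - resources:
      - secrets
    providers:
      # The first provider is used for writes; every listed provider is tried on read.
      - secretbox:
          keys:
            - name: key1
              secret: <base64 of 32 random bytes>   # placeholder; generate with: head -c 32 /dev/urandom | base64
      # identity stays last so Secrets written before encryption was enabled
      # can still be read until they are rewritten.
      - identity: {}
```

After the API server restarts with the encryption config, existing Secrets are still plaintext in etcd; `kubectl get secrets --all-namespaces -o json | kubectl replace -f -` rewrites them through the new provider, and reading a Secret directly from etcd should then show the `k8s:enc:secretbox:v1:key1:` prefix instead of the raw value.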
Links: