Kubernetes Attack and Defense: Break Out and Escalate!

My notes:

• Pod vs container.
• Pod has a IP address.
• Nodes run kubelet, container runtime, kube-proxy
• Attack K8s from a compromised node
• break out of a container (5 CVEs)
  
• over-privilege pod - mount /dev, access to node filesystem, use of node's network namespace, load module, root access, hostPID, hostNetwork Pods
  
• phish login access to node
• steal kubelet and kube-proxy auth cred, /var/lib/kubelet, service account token
  
• steal secrets from other pods with env
  
• run programs on the node
• create "mirror pods"
• steal cred to the vault
• pull cred for nod's cloud IAM account, http://169.254.169.254/latest/meta-data/iam/security-credentials/<name>/
  
• access to bucket storage/S3
  
• Defenses:
• Admission control, SeccompDefault, Security Profiles Operator, Steering Workloads to Nodes, Upgrade the Cluster.
• Pod Security Policy, Pod Security Standards.
• Open Policy Agent (OPA) Gatekeeper
• Kyverno
  

Links:

• https://www.youtube.com/watch?v=B1hRgTmhPlU
• Attacking K8s - https://github.com/inguardians/peirates
• https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/