My notes:
- Pod vs container.
- Pod has an IP address.
- Nodes run kubelet, container runtime, kube-proxy
- Attack K8s from a compromised node
- break out of a container (5 CVEs)
- over-privileged pod - mount /dev, access to node filesystem, use of node's network namespace, load module, root access, hostPID, hostNetwork Pods
- phish login access to node
- steal kubelet and kube-proxy auth cred, /var/lib/kubelet, service account token
- steal secrets from other pods with env
- run programs on the node
- create "mirror pods"
- steal cred to the vault
- pull cred for node's cloud IAM account, http://169.254.169.254/latest/meta-data/iam/security-credentials/<name>/
- access to bucket storage/S3
- Defenses:
- Admission control, SeccompDefault, Security Profiles Operator, Steering Workloads to Nodes, Upgrade the Cluster.
- Pod Security Policy, Pod Security Standards.
- Open Policy Agent (OPA) Gatekeeper
- Kyverno
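A minimal admission-style check for the over-privileged pod settings listed above (hostPID, hostNetwork, /dev mounts, privileged, module loading, root), added here as an example; it is not code from these notes, Pod Security Admission, Gatekeeper or Kyverno, and the two manifests and the DANGEROUS_CAPS set are constructed.

```python
# Added example (not from the notes): flag the over-privilege settings listed
# above in a pod manifest. Mirrors a subset of the Pod Security Standards
# checks; it is not the real admission controller, Gatekeeper or Kyverno.

# Capabilities that allow module loading or broad host control (subset).
DANGEROUS_CAPS = {"SYS_ADMIN", "SYS_MODULE", "SYS_PTRACE", "NET_ADMIN", "ALL"}

def check_pod(pod: dict) -> list:
    """Return a list of violation strings; an empty list means the pod passes."""
    spec = pod.get("spec", {})
    findings = []
    # Sharing a host namespace exposes the node's processes, network or IPC.
    for key in ("hostPID", "hostNetwork", "hostIPC"):
        if spec.get(key):
            findings.append(f"spec.{key} is true")
    # hostPath volumes expose the node filesystem (e.g. /dev or /).
    for vol in spec.get("volumes", []):
        if "hostPath" in vol:
            findings.append(f"hostPath volume {vol['hostPath'].get('path')}")
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        sc = c.get("securityContext", {})
        if sc.get("privileged"):
            findings.append(f"{c['name']}: privileged")
        caps = set(sc.get("capabilities", {}).get("add", []))
        for cap in sorted(caps & DANGEROUS_CAPS):
            findings.append(f"{c['name']}: adds capability {cap}")
        if sc.get("runAsUser") == 0:
            findings.append(f"{c['name']}: runs as root (runAsUser 0)")
    return findings

# Constructed manifest: an over-privileged pod of the kind the notes describe.
BAD_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "debug"},
    "spec": {
        "hostPID": True, "hostNetwork": True,
        "volumes": [{"name": "dev", "hostPath": {"path": "/dev"}}],
        "containers": [{
            "name": "shell", "image": "busybox",
            "securityContext": {"privileged": True, "runAsUser": 0,
                                "capabilities": {"add": ["SYS_MODULE"]}},
        }],
    },
}

# Constructed manifest: the same workload with the host access removed.
GOOD_POD = {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "debug"},
            "spec": {"containers": [{"name": "shell", "image": "busybox",
                     "securityContext": {"runAsUser": 1000,
                                         "capabilities": {"drop": ["ALL"]}}}]}}
```

Real enforcement belongs in an admission controller (Pod Security Admission, Gatekeeper or Kyverno); this check is only a readable model of what those policies deny.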
Links: