Jul 25, 2022

Kubernetes Attack and Defense: Break Out and Escalate!



My notes:

  • Pod vs container.
  • Pod has an IP address.
  • Nodes run kubelet, container runtime, kube-proxy
  • Attack K8s from a compromised node
    • break out of a container (5 CVEs)
    • over-privileged pod - mount /dev, access to node filesystem, use of node's network namespace, load module, root access, hostPID, hostNetwork Pods
    • phish login access to node
  • steal kubelet and kube-proxy auth cred, /var/lib/kubelet, service account token
  • steal secrets from other pods with env
  • run programs on the node
  • create "mirror pods"
  • steal cred to the vault
  • pull cred for node's cloud IAM account, http://169.254.169.254/latest/meta-data/iam/security-credentials/<name>/
  • access to bucket storage/S3
  • Defenses:
    • Admission control, SeccompDefault, Security Profiles Operator, Steering Workloads to Nodes, Upgrade the Cluster.
    • Pod Security Policy, Pod Security Standards.
    • Open Policy Agent (OPA) Gatekeeper
    • Kyverno
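A defender-side audit for the over-privileged pod settings in the notes above (hostPID, hostNetwork, privileged containers, node filesystem and /dev mounts, module loading), added here as an example and not part of the talk or these notes; it reads the JSON shape of `kubectl get pods -A -o json`, and the embedded sample pods are constructed.

```python
"""Audit Pod specs (shape of kubectl get pods -A -o json) for settings that let a pod reach its node."""
import json

SENSITIVE_HOST_PATHS = ("/dev", "/etc", "/proc", "/sys", "/var/lib/kubelet")  # node state
RISKY_CAPS = {"SYS_MODULE", "SYS_ADMIN"}  # module loading / near-root control of the node

def is_sensitive_host_path(path: str) -> bool:
    p = path.rstrip("/") or "/"
    return p == "/" or any(p == s or p.startswith(s + "/") for s in SENSITIVE_HOST_PATHS)

def audit_pod(pod: dict) -> list[str]:
    """Return one finding string per risky setting in a single Pod object."""
    spec, findings = pod.get("spec", {}), []
    for flag in ("hostPID", "hostNetwork"):
        if spec.get(flag):
            findings.append(f"{flag}: pod shares the node's {flag[4:]} namespace")
    host_paths = {v["name"]: v["hostPath"]["path"] for v in spec.get("volumes", []) if "hostPath" in v}
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        sc = c.get("securityContext") or {}
        if sc.get("privileged"):
            findings.append(f"{c['name']}: privileged container")
        caps = {cap.upper() for cap in (sc.get("capabilities") or {}).get("add") or []}
        for cap in sorted(caps & RISKY_CAPS):
            findings.append(f"{c['name']}: adds CAP_{cap}")
        for m in c.get("volumeMounts", []):
            path = host_paths.get(m["name"])
            if path is not None and is_sensitive_host_path(path):
                findings.append(f"{c['name']}: mounts node path {path} at {m['mountPath']}")
    return findings

def audit_pod_list(pod_list: dict) -> dict[str, list[str]]:
    """Map 'namespace/name' -> findings for every pod in the list that has any."""
    result = {}
    for pod in pod_list.get("items", []):
        key = f"{pod['metadata'].get('namespace', 'default')}/{pod['metadata']['name']}"
        if findings := audit_pod(pod):
            result[key] = findings
    return result

# Constructed sample: one over-privileged node agent, one hardened web pod.
SAMPLE_PODS = json.loads("""{"items": [
 {"metadata": {"namespace": "monitoring", "name": "node-agent"},
  "spec": {"hostPID": true, "hostNetwork": true,
   "volumes": [{"name": "rootfs", "hostPath": {"path": "/"}}],
   "containers": [{"name": "agent", "image": "example/agent",
     "securityContext": {"privileged": true, "capabilities": {"add": ["SYS_MODULE"]}},
     "volumeMounts": [{"name": "rootfs", "mountPath": "/host"}]}]}},
 {"metadata": {"namespace": "web", "name": "frontend"},
  "spec": {"containers": [{"name": "nginx", "image": "example/nginx",
     "securityContext": {"runAsNonRoot": true, "allowPrivilegeEscalation": false}}]}}]}""")
```

Feeding real cluster output into `audit_pod_list` lists every pod that an admission policy (Pod Security Standards, Gatekeeper or Kyverno) would need to cover before it is enforced.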


Links: