Kubernetes misconfiguration mistakes are easy to make.
Simulator to help engineers and managers learn about Kubernetes

[Figure: simulator terminal output, reading "INFO Building up Controller Plane."]

Kubernetes: The Threat of Misconfiguration

A StackRox report from this year found that 94% of respondents had experienced a Kubernetes-related security incident in the last year. Misconfigurations were by far the most common type of Kubernetes security issue, reported by seven out of ten companies.

[Figure: Reprinted from The State of Container and Kubernetes Security, Winter 2020, by StackRox]

DevSecOps can bring operational advantages when it leverages the security abstractions Kubernetes provides. However, knowledge of how to implement the necessary processes, tooling and configuration seems to lag behind the wave of enthusiasm for containerised technology.

[Figure: CONTROLPLANE HOW TO]

Tools such as the Kubernetes Simulator aim to bridge this gap by guiding users through specific attack scenarios.

[Figure: CONTROLPLANE SIMULATOR]

The Kubernetes control plane is a high-value target for cluster attacks. The perimeters and contents of nodes, masters, core components, APIs and public-facing pods all require inspection and hardening to defend against existing or potential vulnerabilities. It is no surprise that, of the 540 IT professionals surveyed in the report, 44% reported having to delay a deployment because of security concerns.

A default Kubernetes installation is not insecure by design, but it is not hardened either: several of the best-practice controls below ship disabled or permissive and must be explicitly enabled and configured before production workloads go in:

Network Policies (firewall rules): By default, every workload on Kubernetes' flat network can reach every other workload, even across namespaces. Missing isolation between pods means that a compromised workload can be the starting point of an attack on other components in the network. This is what happened in the infamous 2017 Equifax breach, where attackers used a known vulnerability in a web portal to compromise it and from there pivoted to back-end servers that were not appropriately segmented. Network policies prevent exactly this kind of lateral movement by defining the rules for pod-to-pod communication. For example, a front-end may only need to talk to the API, and the API may be the only thing that needs to reach the back-end. Note that a NetworkPolicy object is only enforced by a CNI plugin that supports it; on a cluster whose network plugin does not, the object is accepted by the API server and silently does nothing.

Pod Security Policy: By default, Kubernetes allows pods to run with a number of insecure settings: privileged containers (effectively root on the host), use of the host's PID, IPC and network namespaces, mounting the host's filesystem, and other configurations that most workloads do not need. Pod security policies let administrators define the privileges and settings a pod must adhere to before it is admitted to the cluster.

Secrets encryption: Surprisingly to many, Secrets are not encrypted at rest by default in upstream Kubernetes (managed services such as GKE do encrypt them at rest). Anyone who obtains the cluster state store, usually etcd, or a backup of it, has access to everything in the cluster, including every Secret in plain text (etcd holds them base64-encoded, which is encoding, not encryption). Enabling encryption at rest for the state store protects against this kind of data-at-rest exfiltration; it does not protect against an attacker who already holds API credentials with permission to read Secrets.

Role-based access control: RBAC is not unique to Kubernetes but, like the other items on this list, needs to be configured correctly to avoid cluster compromise. Both users and pods (through the service account a pod runs as) can be restricted in what they can view, create, update and delete in the cluster. RBAC provides granular control over which components a pod or user can access and, like network policies, helps limit the blast radius of a compromise.
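The front-end/API/back-end segmentation described under Network Policies, as an added example rather than configuration from the original post or from the Simulator project. The namespace name "shop", the tier labels and the ports 8080 and 5432 are assumptions for illustration:

```yaml
# Added example (not from the original post). Namespace "shop", labels
# tier=frontend/api/backend and ports 8080/5432 are assumed for illustration.
#
# 1. Default-deny ingress for the whole namespace. An empty podSelector
#    matches every pod; listing Ingress with no ingress rules denies it all.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: shop
spec:
  podSelector: {}
  policyTypes: ["Ingress"]
---
# 2. The API tier accepts connections only from the front-end, only on 8080.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: api-allow-from-frontend
  namespace: shop
spec:
  podSelector:
    matchLabels:
      tier: api
  policyTypes: ["Ingress"]
  ingress:
    - from:
        - podSelector:
            matchLabels:
              tier: frontend
      ports:
        - protocol: TCP
          port: 8080
---
# 3. The back-end accepts connections only from the API tier. A compromised
#    front-end pod therefore has no path to the database, which is the
#    segmentation the Equifax back-end servers lacked.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: backend-allow-from-api
  namespace: shop
spec:
  podSelector:
    matchLabels:
      tier: backend
  policyTypes: ["Ingress"]
  ingress:
    - from:
        - podSelector:
            matchLabels:
              tier: api
      ports:
        - protocol: TCP
          port: 5432
```

Rules are additive, so the default-deny policy and the two allow policies combine into "nothing in, except these two edges". To check enforcement, exec into a front-end pod and try to open TCP 5432 on a back-end pod's IP: with a CNI that enforces NetworkPolicy the connection times out, while the same attempt from an API pod succeeds. The front-end itself still needs an ingress rule for whatever sits in front of it (an ingress controller or load balancer), and egress is left open here; a default-deny egress policy with an explicit allowance for DNS to kube-system would close that side as well.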
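The encryption-at-rest configuration the Secrets encryption item refers to, as an added example that is not from the original post. The file path and key name are assumptions; the key value is a placeholder to be replaced:

```yaml
# Added example (not from the original post). Saved on each control-plane
# node, e.g. /etc/kubernetes/enc/encryption.yaml (path assumed), and passed to
# kube-apiserver with --encryption-provider-config=/etc/kubernetes/enc/encryption.yaml
apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
  - resources:
      - secrets
    providers:
      # The first provider is used for writes; all listed providers are
      # tried in order when reading, so ordering matters.
      - aescbc:
          keys:
            - name: key1
              # 32 random bytes, base64-encoded, e.g. `head -c 32 /dev/urandom | base64`.
              # Placeholder, replace before use:
              secret: <32 random bytes, base64-encoded>
      # identity = no encryption. Keeping it LAST lets the API server still
      # read Secrets written before encryption was enabled; putting it FIRST
      # would silently write new Secrets in plain text.
      - identity: {}
```

Restart kube-apiserver after adding the flag, then re-write every existing Secret so it is stored through the new provider: `kubectl get secrets --all-namespaces -o json | kubectl replace -f -`. To confirm, read one directly from etcd with etcdctl; the value should begin with the prefix `k8s:enc:aescbc:v1:key1:` rather than readable JSON. Two caveats: the aescbc key lives on the control-plane disk, so this defends etcd snapshots and stolen volumes rather than a compromised control-plane host (the KMS provider, which keeps the key in an external KMS, is the stronger option), and the file itself must be protected like a private key.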
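For the Role-based access control item, a common over-privileged binding beside a least-privilege replacement, as an added example that is not from the original post. The "shop" namespace, the "api" service account, the role name and the image are assumptions:

```yaml
# Added example (not from the original post). Names are assumed for illustration.
#
# WEAK, shown for contrast and not to be applied: cluster-admin handed to a
# namespace's default ServiceAccount. Every pod in "shop" that does not set
# serviceAccountName then carries a token that can do anything in the cluster,
# so one compromised pod is a compromised cluster.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: shop-default-is-admin
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
  - kind: ServiceAccount
    name: default
    namespace: shop
---
# HARDENED: one ServiceAccount per workload ...
apiVersion: v1
kind: ServiceAccount
metadata:
  name: api
  namespace: shop
---
# ... a namespaced Role listing only the verbs and resources it needs ...
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: pod-reader
  namespace: shop
rules:
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["get", "list", "watch"]
---
# ... bound to that account only, within the namespace only.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: api-pod-reader
  namespace: shop
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: pod-reader
subjects:
  - kind: ServiceAccount
    name: api
    namespace: shop
---
# The workload runs as that account. Pods that never call the API should
# additionally set automountServiceAccountToken: false so no token is mounted.
apiVersion: v1
kind: Pod
metadata:
  name: api
  namespace: shop
  labels:
    tier: api
spec:
  serviceAccountName: api
  containers:
    - name: api
      image: example.com/shop/api:1.0
```

To verify the result from the attacker's point of view, impersonate the account: `kubectl auth can-i --list --as=system:serviceaccount:shop:api -n shop` should show only the pod read verbs, and `kubectl auth can-i get secrets --as=system:serviceaccount:shop:api -n shop` should answer "no". The same impersonation against `default` is a quick way to find bindings like the weak one above that already exist in a cluster.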
[Figure: CONTROLPLANE UPGRADE. Log output from an upgrade run, reading:
INFO Attempting upgrade of controlplane components on following hosts in NotReady status:
INFO Now checking status of node, try #1
DEBU Checking node list for node, try #1 (repeated through try #5)
DEBU etcd version is higher than max version for advertising port 4001, not going to advertise port 4001
DEBU etcd version is higher than max version for adding stricter TLS cipher suites, going to add stricter TLS cipher suites arguments to etcd
DEBU Version is equal or higher than version]