book

Hacking Kubernetes

by Andrew Martin, Michael Hausenblas

October 2021

Intermediate to advanced

311 pages

7h 52m

English

O'Reilly Media, Inc.

Read now

Unlock full access

Preface
About YouAbout UsHow To Use This BookConventions Used in This BookUsing Code ExamplesO’Reilly Online LearningHow to Contact UsAcknowledgments
1. Introduction
Setting the SceneStarting to Threat ModelThreat ActorsYour First Threat ModelAttack TreesExample Attack TreesPrior ArtConclusion
2. Pod-Level Resources
DefaultsThreat ModelAnatomy of the AttackRemote Code ExecutionNetwork Attack SurfaceKubernetes Workloads: Apps in a PodWhat’s a Pod?Understanding ContainersSharing Network and StorageWhat’s the Worst That Could Happen?Container BreakoutPod Configuration and ThreatsPod HeaderReverse UptimeLabelsManaged FieldsPod Namespace and OwnerEnvironment VariablesContainer ImagesPod ProbesCPU and Memory Limits and RequestsDNSPod securityContextPod Service AccountsScheduler and TolerationsPod Volume DefinitionsPod Network StatusUsing the securityContext CorrectlyEnhancing the securityContext with KubesecHardened securityContextInto the Eye of the StormConclusion
3. Container Runtime Isolation
DefaultsThreat ModelContainers, Virtual Machines, and SandboxesHow Virtual Machines WorkBenefits of VirtualizationWhat’s Wrong with Containers?User Namespace VulnerabilitiesSandboxinggVisorFirecrackerKata Containersrust-vmmRisks of SandboxingKubernetes Runtime ClassConclusion
4. Applications and Supply Chain
DefaultsThreat ModelThe Supply ChainSoftwareScanning for CVEsIngesting Open Source SoftwareWhich Producers Do We Trust?CNCF Security Technical Advisory GroupArchitecting Containerized Apps for ResilienceDetecting TrojansCaptain Hashjack Attacks a Supply ChainPost-Compromise PersistenceRisks to Your SystemsContainer Image Build Supply ChainsSoftware FactoriesBlessed Image FactoryBase ImagesThe State of Your Container Supply ChainsThird-Party Code RiskSoftware Bills of MaterialsHuman Identity and GPGSigning Builds and MetadataNotary v1sigstorein-toto and TUFGCP Binary AuthorizationGrafeasInfrastructure Supply ChainOperator PrivilegesAttacking Higher Up the Supply ChainTypes of Supply Chain AttackOpen Source IngestionApplication Vulnerability Throughout the SDLCDefending Against SUNBURSTConclusion
5. Networking
DefaultsIntra-Pod NetworkingInter-Pod TrafficPod-to-Worker Node TrafficCluster-External TrafficThe State of the ARPNo securityContextNo Workload IdentityNo Encryption on the WireThreat ModelTraffic Flow ControlThe SetupNetwork Policies to the Rescue!Service MeshesConceptOptions and UptakeCase Study: mTLS with LinkerdeBPFConceptOptions and UptakeCase Study: Attaching a Probe to a Go ProgramConclusion
6. Storage
DefaultsThreat ModelVolumes and DatastoresEverything Is a Stream of BytesWhat’s a Filesystem?Container Volumes and MountsOverlayFStmpfsVolume Mount Breaks Container IsolationThe /proc/self/exe CVESensitive Information at RestMounted SecretsAttacking Mounted SecretsStorage ConceptsContainer Storage InterfaceProjected VolumesAttacking VolumesThe Dangers of Host MountsOther Secrets and Exfiltraing from DatastoresConclusion
7. Hard Multitenancy
DefaultsThreat ModelNamespaced ResourcesNode PoolsNode TaintsSoft MultitenancyHard MultitenancyHostile TenantsSandboxing and PolicyPublic Cloud MultitenancyControl PlaneAPI Server and etcdScheduler and Controller ManagerData PlaneCluster Isolation ArchitectureCluster Support Services and Tooling EnvironmentsSecurity Monitoring and VisibilityConclusion
8. Policy
Types of PoliciesDefaultsNetwork TrafficLimiting Resource AllocationsResource QuotasRuntime PoliciesAccess Control PoliciesThreat ModelCommon ExpectationsBreakglass ScenarioAuditingAuthentication and AuthorizationHuman UsersWorkload IdentityRole-Based Access Control (RBAC)RBAC RecapA Simple RBAC ExampleAuthoring RBACAnalyzing and Visualizing RBACRBAC-Related AttacksGeneric Policy EnginesOpen Policy AgentKyvernoOther Policy OfferingsConclusion
9. Intrusion Detection
DefaultsThreat ModelTraditional IDSeBPF-Based IDSKubernetes and Container Intrusion DetectionFalcoMachine Learning Approaches to IDSContainer ForensicsHoneypotsAuditingDetection EvasionSecurity Operations CentersConclusion

10. Organizations
The Weakest LinkCloud ProvidersShared ResponsibilityAccount HygieneGrouping People and ResourcesOther ConsiderationsOn-Premises EnvironmentsCommon ConsiderationsThreat Model ExplosionHow SLOs Can Put Additional Pressure on YouSocial EngineeringPrivacy and Regulatory ConcernsConclusion
A. A Pod-Level Attack
FilesystemtmpfsHost MountsHostile ContainersRuntime
B. Resources
GeneralReferencesBooksFurther Reading by ChapterIntroPodsSupply ChainsNetworkingPolicyNotable CVEs
Index

Content preview from Hacking Kubernetes

Appendix B. Resources

General

References

The official Kubernetes documentation
The Kubernetes community on GitHub

Books

Container Security by Liz Rice (O’Reilly)
Kubernetes: Up and Running by Kelsey Hightower, Brendan Burns, and Joe Beda (O’Reilly)
Cloud Native DevOps with Kubernetes by John Arundel and Justin Domingus (O’Reilly)
Managing Kubernetes by Brendan Burns and Craig Tracey (O’Reilly)
Kubernetes Cookbook by Sébastien Goasguen and Michael Hausenblas (O’Reilly)
Cybersecurity Ops with bash by Paul Troncone and Carl Albing (O’Reilly)

Further Reading by Chapter

Intro

For Chapter 1 we suggest the following resources:

Threat Modeling Manifesto
Open Source Intelligence Methods and Tools: A Practical Guide to Online Intelligence by Nihad Hassan and Rami Hijazi (Apress)
The Tao of Open Source Intelligence by Stewart Bertram (IT Governance Publishing)
“SANS SEC487: Open-Source Intelligence (OSINT) Gathering and Analysis”

Pods

For Chapter 2 we suggest the following resources:

Further, tooling relevant in this context:

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

Publisher Resources

ISBN: 9781492081722Errata Page

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business

Soft Skills