book

Hacking Kubernetes

by Andrew Martin, Michael Hausenblas

October 2021

Intermediate to advanced

311 pages

7h 52m

English

O'Reilly Media, Inc.

Book available

Read now

Unlock full access

About YouAbout UsHow To Use This BookConventions Used in This BookUsing Code ExamplesO’Reilly Online LearningHow to Contact UsAcknowledgments
Setting the SceneStarting to Threat ModelThreat ActorsYour First Threat ModelAttack TreesExample Attack TreesPrior ArtConclusion
DefaultsThreat ModelAnatomy of the AttackRemote Code ExecutionNetwork Attack SurfaceKubernetes Workloads: Apps in a PodWhat’s a Pod?Understanding ContainersSharing Network and StorageWhat’s the Worst That Could Happen?Container BreakoutPod Configuration and ThreatsPod HeaderReverse UptimeLabelsManaged FieldsPod Namespace and OwnerEnvironment VariablesContainer ImagesPod ProbesCPU and Memory Limits and RequestsDNSPod securityContextPod Service AccountsScheduler and TolerationsPod Volume DefinitionsPod Network StatusUsing the securityContext CorrectlyEnhancing the securityContext with KubesecHardened securityContextInto the Eye of the StormConclusion
DefaultsThreat ModelContainers, Virtual Machines, and SandboxesHow Virtual Machines WorkBenefits of VirtualizationWhat’s Wrong with Containers?User Namespace VulnerabilitiesSandboxinggVisorFirecrackerKata Containersrust-vmmRisks of SandboxingKubernetes Runtime ClassConclusion
DefaultsThreat ModelThe Supply ChainSoftwareScanning for CVEsIngesting Open Source SoftwareWhich Producers Do We Trust?CNCF Security Technical Advisory GroupArchitecting Containerized Apps for ResilienceDetecting TrojansCaptain Hashjack Attacks a Supply ChainPost-Compromise PersistenceRisks to Your SystemsContainer Image Build Supply ChainsSoftware FactoriesBlessed Image FactoryBase ImagesThe State of Your Container Supply ChainsThird-Party Code RiskSoftware Bills of MaterialsHuman Identity and GPGSigning Builds and MetadataNotary v1sigstorein-toto and TUFGCP Binary AuthorizationGrafeasInfrastructure Supply ChainOperator PrivilegesAttacking Higher Up the Supply ChainTypes of Supply Chain AttackOpen Source IngestionApplication Vulnerability Throughout the SDLCDefending Against SUNBURSTConclusion
DefaultsIntra-Pod NetworkingInter-Pod TrafficPod-to-Worker Node TrafficCluster-External TrafficThe State of the ARPNo securityContextNo Workload IdentityNo Encryption on the WireThreat ModelTraffic Flow ControlThe SetupNetwork Policies to the Rescue!Service MeshesConceptOptions and UptakeCase Study: mTLS with LinkerdeBPFConceptOptions and UptakeCase Study: Attaching a Probe to a Go ProgramConclusion
DefaultsThreat ModelVolumes and DatastoresEverything Is a Stream of BytesWhat’s a Filesystem?Container Volumes and MountsOverlayFStmpfsVolume Mount Breaks Container IsolationThe /proc/self/exe CVESensitive Information at RestMounted SecretsAttacking Mounted SecretsStorage ConceptsContainer Storage InterfaceProjected VolumesAttacking VolumesThe Dangers of Host MountsOther Secrets and Exfiltraing from DatastoresConclusion
DefaultsThreat ModelNamespaced ResourcesNode PoolsNode TaintsSoft MultitenancyHard MultitenancyHostile TenantsSandboxing and PolicyPublic Cloud MultitenancyControl PlaneAPI Server and etcdScheduler and Controller ManagerData PlaneCluster Isolation ArchitectureCluster Support Services and Tooling EnvironmentsSecurity Monitoring and VisibilityConclusion
Types of PoliciesDefaultsNetwork TrafficLimiting Resource AllocationsResource QuotasRuntime PoliciesAccess Control PoliciesThreat ModelCommon ExpectationsBreakglass ScenarioAuditingAuthentication and AuthorizationHuman UsersWorkload IdentityRole-Based Access Control (RBAC)RBAC RecapA Simple RBAC ExampleAuthoring RBACAnalyzing and Visualizing RBACRBAC-Related AttacksGeneric Policy EnginesOpen Policy AgentKyvernoOther Policy OfferingsConclusion
DefaultsThreat ModelTraditional IDSeBPF-Based IDSKubernetes and Container Intrusion DetectionFalcoMachine Learning Approaches to IDSContainer ForensicsHoneypotsAuditingDetection EvasionSecurity Operations CentersConclusion

The Weakest LinkCloud ProvidersShared ResponsibilityAccount HygieneGrouping People and ResourcesOther ConsiderationsOn-Premises EnvironmentsCommon ConsiderationsThreat Model ExplosionHow SLOs Can Put Additional Pressure on YouSocial EngineeringPrivacy and Regulatory ConcernsConclusion
FilesystemtmpfsHost MountsHostile ContainersRuntime
GeneralReferencesBooksFurther Reading by ChapterIntroPodsSupply ChainsNetworkingPolicyNotable CVEs

Content preview from Hacking Kubernetes

Chapter 1. Introduction

Join us as we explore the many perilous paths through a pod and into Kubernetes. See the system from an adversary’s perspective: get to know the multitudinous defensive approaches and their weaknesses, and revisit historical attacks on cloud native systems through the piratical lens of your nemesis: Dread Pirate Captain Hashjack.

Kubernetes has grown rapidly, and has historically not been considered to be “secure by default.” This is mainly due to security controls such as network and pod security policies not being enabled by default on vanilla clusters.

Note

As authors we are infinitely grateful that our arc saw the cloud native enlightenment, and we extend our heartfelt thanks to the volunteers, core contributors, and Cloud Native Computing Foundation (CNCF) members involved in the vision and delivery of Kubernetes. Documentation and bug fixes don’t write themselves, and the incredible selfless contributions that drive open source communities have never been more freely given or more gratefully received.

Security controls are generally more difficult to get right than the complex orchestration and distributed system functionality that Kubernetes is known for. To the security teams especially, we thank you for your hard work! This book is a reflection on the pioneering voyage of the good ship Kubernetes, out on the choppy and dangerous free seas of the internet.