Chapter 2. Pod-Level Resources
This chapter concerns the atomic unit of Kubernetes deployment: a pod. Pods run apps, and an app may be one or more containers working together in one or more pods.
We’ll consider what bad things can happen in and around a pod, and look at how you can mitigate the risk of getting attacked.
As with any sensible security effort, we’ll begin by defining a lightweight threat model for your system, identifying the threat actors it defends against, and highlighting the most dangerous threats. This gives you a solid basis to devise countermeasures and controls, and take defensive steps to protect your customer’s valuable data.
We’ll go deep into the security model of a pod and look at what is trusted by default, where we can tighten security with configuration, and what an attacker’s journey looks like.
Kubernetes has historically not been security hardened out of the box, and sometimes this may lead to privilege escalation or container breakout.
If we zoom in on the relationship between a single pod and the host in Figure 2-1, we can see the services offered to the container by the
kubelet and potential security boundaries that may keep an adversary at bay.
By default much of this is sensibly configured with least privilege, but where user-supplied configuration is more common (pod YAML, cluster policy, container images) there are more opportunities for accidental or malicious misconfiguration. Most defaults are sane—in this chapter we will show ...