book

Hacking Kubernetes

by Andrew Martin, Michael Hausenblas

October 2021

Intermediate to advanced

311 pages

7h 52m

English

O'Reilly Media, Inc.

Book available

Read now

Unlock full access

About YouAbout UsHow To Use This BookConventions Used in This BookUsing Code ExamplesO’Reilly Online LearningHow to Contact UsAcknowledgments
Setting the SceneStarting to Threat ModelThreat ActorsYour First Threat ModelAttack TreesExample Attack TreesPrior ArtConclusion
DefaultsThreat ModelAnatomy of the AttackRemote Code ExecutionNetwork Attack SurfaceKubernetes Workloads: Apps in a PodWhat’s a Pod?Understanding ContainersSharing Network and StorageWhat’s the Worst That Could Happen?Container BreakoutPod Configuration and ThreatsPod HeaderReverse UptimeLabelsManaged FieldsPod Namespace and OwnerEnvironment VariablesContainer ImagesPod ProbesCPU and Memory Limits and RequestsDNSPod securityContextPod Service AccountsScheduler and TolerationsPod Volume DefinitionsPod Network StatusUsing the securityContext CorrectlyEnhancing the securityContext with KubesecHardened securityContextInto the Eye of the StormConclusion
DefaultsThreat ModelContainers, Virtual Machines, and SandboxesHow Virtual Machines WorkBenefits of VirtualizationWhat’s Wrong with Containers?User Namespace VulnerabilitiesSandboxinggVisorFirecrackerKata Containersrust-vmmRisks of SandboxingKubernetes Runtime ClassConclusion
DefaultsThreat ModelThe Supply ChainSoftwareScanning for CVEsIngesting Open Source SoftwareWhich Producers Do We Trust?CNCF Security Technical Advisory GroupArchitecting Containerized Apps for ResilienceDetecting TrojansCaptain Hashjack Attacks a Supply ChainPost-Compromise PersistenceRisks to Your SystemsContainer Image Build Supply ChainsSoftware FactoriesBlessed Image FactoryBase ImagesThe State of Your Container Supply ChainsThird-Party Code RiskSoftware Bills of MaterialsHuman Identity and GPGSigning Builds and MetadataNotary v1sigstorein-toto and TUFGCP Binary AuthorizationGrafeasInfrastructure Supply ChainOperator PrivilegesAttacking Higher Up the Supply ChainTypes of Supply Chain AttackOpen Source IngestionApplication Vulnerability Throughout the SDLCDefending Against SUNBURSTConclusion
DefaultsIntra-Pod NetworkingInter-Pod TrafficPod-to-Worker Node TrafficCluster-External TrafficThe State of the ARPNo securityContextNo Workload IdentityNo Encryption on the WireThreat ModelTraffic Flow ControlThe SetupNetwork Policies to the Rescue!Service MeshesConceptOptions and UptakeCase Study: mTLS with LinkerdeBPFConceptOptions and UptakeCase Study: Attaching a Probe to a Go ProgramConclusion
DefaultsThreat ModelVolumes and DatastoresEverything Is a Stream of BytesWhat’s a Filesystem?Container Volumes and MountsOverlayFStmpfsVolume Mount Breaks Container IsolationThe /proc/self/exe CVESensitive Information at RestMounted SecretsAttacking Mounted SecretsStorage ConceptsContainer Storage InterfaceProjected VolumesAttacking VolumesThe Dangers of Host MountsOther Secrets and Exfiltraing from DatastoresConclusion
DefaultsThreat ModelNamespaced ResourcesNode PoolsNode TaintsSoft MultitenancyHard MultitenancyHostile TenantsSandboxing and PolicyPublic Cloud MultitenancyControl PlaneAPI Server and etcdScheduler and Controller ManagerData PlaneCluster Isolation ArchitectureCluster Support Services and Tooling EnvironmentsSecurity Monitoring and VisibilityConclusion
Types of PoliciesDefaultsNetwork TrafficLimiting Resource AllocationsResource QuotasRuntime PoliciesAccess Control PoliciesThreat ModelCommon ExpectationsBreakglass ScenarioAuditingAuthentication and AuthorizationHuman UsersWorkload IdentityRole-Based Access Control (RBAC)RBAC RecapA Simple RBAC ExampleAuthoring RBACAnalyzing and Visualizing RBACRBAC-Related AttacksGeneric Policy EnginesOpen Policy AgentKyvernoOther Policy OfferingsConclusion
DefaultsThreat ModelTraditional IDSeBPF-Based IDSKubernetes and Container Intrusion DetectionFalcoMachine Learning Approaches to IDSContainer ForensicsHoneypotsAuditingDetection EvasionSecurity Operations CentersConclusion

The Weakest LinkCloud ProvidersShared ResponsibilityAccount HygieneGrouping People and ResourcesOther ConsiderationsOn-Premises EnvironmentsCommon ConsiderationsThreat Model ExplosionHow SLOs Can Put Additional Pressure on YouSocial EngineeringPrivacy and Regulatory ConcernsConclusion
FilesystemtmpfsHost MountsHostile ContainersRuntime
GeneralReferencesBooksFurther Reading by ChapterIntroPodsSupply ChainsNetworkingPolicyNotable CVEs

Content preview from Hacking Kubernetes

Chapter 5. Networking

In this chapter we will focus on networking aspects of your workloads. We will first review the defaults that Kubernetes proper comes equipped with and what else is readily available due to integrations. We cover networking topics including East-West and North-South traffic—that is, intra-pod and inter-pod communication, communication with the worker node (hosts), cluster-external communication, workload identity, and encryption on the wire.

In the second part of this chapter we have a look at two more recent additions to the Kubernetes networking toolbox: service meshes and the Linux kernel extension mechanism eBPF. We try to give you a rough idea if, how, and where you can, going forward, benefit from both.

As you can see in Figure 5-1, there are many moving parts in the networking space.

The good news is that most if not all of the protocols should be familiar to you, since Kubernetes uses the standard Internet Engineering Task Force (IETF) suite of networking protocols, from the Internet Protocol to the Domain Name System (DNS). What changes, really, is the scope and generally the assumptions about how the protocols are used. For example, when deployed on a worldwide scale, it makes sense to make the time-to-live (TTL) of a DNS record months or longer.

In the context of a container that may run for hours or days at best, ...