book

Hacking Kubernetes

by Andrew Martin, Michael Hausenblas

October 2021

Intermediate to advanced

311 pages

7h 52m

English

O'Reilly Media, Inc.

Read now

Unlock full access

Preface
About YouAbout UsHow To Use This BookConventions Used in This BookUsing Code ExamplesO’Reilly Online LearningHow to Contact UsAcknowledgments
1. Introduction
Setting the SceneStarting to Threat ModelThreat ActorsYour First Threat ModelAttack TreesExample Attack TreesPrior ArtConclusion
2. Pod-Level Resources
DefaultsThreat ModelAnatomy of the AttackRemote Code ExecutionNetwork Attack SurfaceKubernetes Workloads: Apps in a PodWhat’s a Pod?Understanding ContainersSharing Network and StorageWhat’s the Worst That Could Happen?Container BreakoutPod Configuration and ThreatsPod HeaderReverse UptimeLabelsManaged FieldsPod Namespace and OwnerEnvironment VariablesContainer ImagesPod ProbesCPU and Memory Limits and RequestsDNSPod securityContextPod Service AccountsScheduler and TolerationsPod Volume DefinitionsPod Network StatusUsing the securityContext CorrectlyEnhancing the securityContext with KubesecHardened securityContextInto the Eye of the StormConclusion
3. Container Runtime Isolation
DefaultsThreat ModelContainers, Virtual Machines, and SandboxesHow Virtual Machines WorkBenefits of VirtualizationWhat’s Wrong with Containers?User Namespace VulnerabilitiesSandboxinggVisorFirecrackerKata Containersrust-vmmRisks of SandboxingKubernetes Runtime ClassConclusion
4. Applications and Supply Chain
DefaultsThreat ModelThe Supply ChainSoftwareScanning for CVEsIngesting Open Source SoftwareWhich Producers Do We Trust?CNCF Security Technical Advisory GroupArchitecting Containerized Apps for ResilienceDetecting TrojansCaptain Hashjack Attacks a Supply ChainPost-Compromise PersistenceRisks to Your SystemsContainer Image Build Supply ChainsSoftware FactoriesBlessed Image FactoryBase ImagesThe State of Your Container Supply ChainsThird-Party Code RiskSoftware Bills of MaterialsHuman Identity and GPGSigning Builds and MetadataNotary v1sigstorein-toto and TUFGCP Binary AuthorizationGrafeasInfrastructure Supply ChainOperator PrivilegesAttacking Higher Up the Supply ChainTypes of Supply Chain AttackOpen Source IngestionApplication Vulnerability Throughout the SDLCDefending Against SUNBURSTConclusion
5. Networking
DefaultsIntra-Pod NetworkingInter-Pod TrafficPod-to-Worker Node TrafficCluster-External TrafficThe State of the ARPNo securityContextNo Workload IdentityNo Encryption on the WireThreat ModelTraffic Flow ControlThe SetupNetwork Policies to the Rescue!Service MeshesConceptOptions and UptakeCase Study: mTLS with LinkerdeBPFConceptOptions and UptakeCase Study: Attaching a Probe to a Go ProgramConclusion
6. Storage
DefaultsThreat ModelVolumes and DatastoresEverything Is a Stream of BytesWhat’s a Filesystem?Container Volumes and MountsOverlayFStmpfsVolume Mount Breaks Container IsolationThe /proc/self/exe CVESensitive Information at RestMounted SecretsAttacking Mounted SecretsStorage ConceptsContainer Storage InterfaceProjected VolumesAttacking VolumesThe Dangers of Host MountsOther Secrets and Exfiltraing from DatastoresConclusion
7. Hard Multitenancy
DefaultsThreat ModelNamespaced ResourcesNode PoolsNode TaintsSoft MultitenancyHard MultitenancyHostile TenantsSandboxing and PolicyPublic Cloud MultitenancyControl PlaneAPI Server and etcdScheduler and Controller ManagerData PlaneCluster Isolation ArchitectureCluster Support Services and Tooling EnvironmentsSecurity Monitoring and VisibilityConclusion
8. Policy
Types of PoliciesDefaultsNetwork TrafficLimiting Resource AllocationsResource QuotasRuntime PoliciesAccess Control PoliciesThreat ModelCommon ExpectationsBreakglass ScenarioAuditingAuthentication and AuthorizationHuman UsersWorkload IdentityRole-Based Access Control (RBAC)RBAC RecapA Simple RBAC ExampleAuthoring RBACAnalyzing and Visualizing RBACRBAC-Related AttacksGeneric Policy EnginesOpen Policy AgentKyvernoOther Policy OfferingsConclusion
9. Intrusion Detection
DefaultsThreat ModelTraditional IDSeBPF-Based IDSKubernetes and Container Intrusion DetectionFalcoMachine Learning Approaches to IDSContainer ForensicsHoneypotsAuditingDetection EvasionSecurity Operations CentersConclusion

10. Organizations
The Weakest LinkCloud ProvidersShared ResponsibilityAccount HygieneGrouping People and ResourcesOther ConsiderationsOn-Premises EnvironmentsCommon ConsiderationsThreat Model ExplosionHow SLOs Can Put Additional Pressure on YouSocial EngineeringPrivacy and Regulatory ConcernsConclusion
A. A Pod-Level Attack
FilesystemtmpfsHost MountsHostile ContainersRuntime
B. Resources
GeneralReferencesBooksFurther Reading by ChapterIntroPodsSupply ChainsNetworkingPolicyNotable CVEs
Index

Content preview from Hacking Kubernetes

Chapter 9. Intrusion Detection

In this chapter we will see how container intrusion detection operates with the new low-level eBPF interface, what forensics looks like for a container, and how to catch attackers who have evaded all other controls.

Defense in depth means limiting the trust you place in each security control you deploy. No solution is infallible, but you can use intrusion detection systems (IDS) to detect unexpected activity in much the same way that motion sensors detect movement. Your adversary has already accessed your system and may even have viewed confidential information already, so an IDS reviews your system in real time for unexpected behavior and observes or blocks it. Alerts can trigger further defensive actions from an IDS, like dumping compromised memory or recording network activity.

Intrusion detection can inspect file, network, and kernel reads and writes to verify or block them with an allowlist or a denylist (as seccomp-bpf configuration does). If Captain Hashjack’s Hard Hat Hacking Collective has remote access to your servers, an IDS might be triggered by their use of malware with known behavioral signatures, scan of networks or files for further targets, or any other program access that deviates from the expected “stable” baseline the IDS has learned about the process.

Some attackers’ campaigns are only discovered after the adversary has been on the system for weeks or months and finally inadvertently tripped the IDS detection.

Defaults

Stable ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

Publisher Resources

ISBN: 9781492081722Errata Page

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business

Soft Skills

Hacking Kubernetes

by Andrew Martin, Michael Hausenblas

Chapter 9. Intrusion Detection

Defaults

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.