This document provides an overview and best practices for securing Kubernetes (K8s) clusters. It discusses common threats like exposed dashboards, APIs, and etcd stores. It also covers risks from within the cluster like compromised nodes and pods or vulnerabilities in container images. The document recommends 10 essential practices for securing K8s like image scanning, role-based access control, security boundaries, upgrades, pod security policies, node hardening, audit logging, and host/container logging. It emphasizes the importance of a security-aware development process and provides resources for further information.
7. THREATS & RISKS FOR CLOUD WORKLOADS
• Information Disclosure
• Service Losses
• Abuse & Nefarious Use
• Data leaks
8. MAJOR THREAT VECTORS
Outside the Cluster
• Management Server UI
• API Service
• etcd
• Kubelet
Inside the Cluster
• Compromised Nodes
• Compromised Pods
• Compromised Accounts
16. EXPOSED KUBERNETES API SERVER
• By default the API server accepts discovery requests from anonymous users
• Twistlock PoC
  • Leaks information on all pods and namespaces from the metrics server as an anonymous user
• @_evict PoC
  • Gains cluster-admin on the Service Catalog as an anonymous user
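The anonymous discovery the slide refers to comes from two defaults: the API server maps requests without credentials to the user system:anonymous (group system:unauthenticated), and before Kubernetes 1.14 the system:discovery ClusterRoleBinding included that group (1.14 narrowed unauthenticated access to the health and version endpoints via system:public-info-viewer). As an added example that is not from the deck, the fragment below shows the kube-apiserver static pod manifest (the kubeadm path /etc/kubernetes/manifests/kube-apiserver.yaml) with anonymous requests rejected outright; the image version and the surrounding manifest are abbreviated placeholders, the flags are real kube-apiserver flags.

```yaml
# Added example (not from the deck): kube-apiserver static pod fragment with
# anonymous access disabled. Image version is a placeholder; other flags and
# volumes of the real manifest are omitted.
apiVersion: v1
kind: Pod
metadata:
  name: kube-apiserver
  namespace: kube-system
spec:
  containers:
  - name: kube-apiserver
    image: registry.k8s.io/kube-apiserver:v1.28.0   # placeholder version
    command:
    - kube-apiserver
    # Requests without credentials get HTTP 401 instead of being mapped to
    # system:anonymous, so anonymous discovery of API groups, versions,
    # metrics and the like is not possible regardless of RBAC bindings.
    - --anonymous-auth=false
    # Authorization through the Node authorizer (for kubelets) and RBAC;
    # never AlwaysAllow.
    - --authorization-mode=Node,RBAC
    # Client certificate the API server presents to kubelets when it proxies
    # exec/logs/port-forward, so kubelets can require authenticated callers.
    - --kubelet-client-certificate=/etc/kubernetes/pki/apiserver-kubelet-client.crt
    - --kubelet-client-key=/etc/kubernetes/pki/apiserver-kubelet-client.key
    # ... remaining flags unchanged
```

Caveat: with anonymous auth off, /healthz, /livez and /readyz also require credentials, so any liveness probe or load balancer health check that hits them without a client certificate or token (kubeadm's default probes among them) must be adjusted before the change is rolled out.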
18. EXEC ON RUNNING CONTAINER THROUGH KUBELET
• PoC by a Security Engineer @ Handy (K8s v1.9)
• Issue a POST request to the targeted Pod
• Follow with a GET request via an SPDY or websocket client
19. REPLAYING KUBELET CREDENTIALS
• SSRF in a vulnerable service used by Shopify
• Kubelet credentials leaked via the vulnerability
• Credentials replayed to gain root access in any container
23. LATERAL MOVEMENT: NODES
• CVE-2017-1002101: allows containers using subPath volume mounts to access files or directories outside of the volume, including the host’s filesystem
• CVE-2017-1002102: allows containers using certain volumes to trigger deletion of arbitrary files on the host filesystem
• Privileged Containers: options for accessing the host system
24. LATERAL MOVEMENT: CLUSTER
• CVE-2018-1002105: proxy request handling in kube-apiserver can leave vulnerable TCP connections
• Overprivileged Service Accounts: authorization to create pods, daemonsets, etc.
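The overprivileged service account problem on the slide is an RBAC problem: a pod that can create pods or daemonsets can schedule a workload onto any node. As an added example that is not from the deck or from Lacework, the manifests below give one workload a namespaced, read-only role and stop the token from being mounted into pods that do not need the API at all. The namespace, service account and image names are hypothetical.

```yaml
# Added example (not from the deck): least-privilege service account for a
# workload that only reads ConfigMaps in its own namespace. All names are
# hypothetical.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: orders-api          # hypothetical workload
  namespace: shop           # hypothetical namespace
# Pods using this account get no API token unless they opt in explicitly.
automountServiceAccountToken: false
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role                  # namespaced; a ClusterRole would apply cluster-wide
metadata:
  name: configmap-reader
  namespace: shop
rules:
- apiGroups: [""]
  resources: ["configmaps"]
  verbs: ["get", "list", "watch"]   # no create/update/delete; no pods, daemonsets
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: orders-api-configmap-reader
  namespace: shop
subjects:
- kind: ServiceAccount
  name: orders-api
  namespace: shop
roleRef:
  kind: Role
  name: configmap-reader
  apiGroup: rbac.authorization.k8s.io
---
# The one pod that actually talks to the API mounts its token explicitly.
apiVersion: v1
kind: Pod
metadata:
  name: orders-api
  namespace: shop
spec:
  serviceAccountName: orders-api
  automountServiceAccountToken: true
  containers:
  - name: app
    image: example.com/orders-api:1.0   # placeholder image
```

To check what an account can actually do after the bindings are applied, impersonate it: `kubectl auth can-i --list --as=system:serviceaccount:shop:orders-api -n shop` lists the permitted verbs and resources, and the same command with `create daemonsets` or `create pods` as arguments should answer "no" for every account that is not a controller.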
31. POD SECURITY POLICIES
• Huge win in securing K8s
• Allow centralized, cluster-level security controls / configuration
• The set of available controls grows frequently
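Below, as an added example that is not from the deck, is a restrictive PodSecurityPolicy of the kind the slide has in mind, together with the RBAC binding that makes it apply (a PSP does nothing until a subject is authorized to "use" it). PodSecurityPolicy was deprecated in Kubernetes 1.21 and removed in 1.25; the final document shows the same intent expressed with Pod Security Admission namespace labels, which is what a cluster on a current version uses. The namespace name is hypothetical.

```yaml
# Added example (not from the deck): restrictive PodSecurityPolicy plus the
# binding that applies it to every service account in one namespace.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: restricted
spec:
  privileged: false
  allowPrivilegeEscalation: false
  requiredDropCapabilities: ["ALL"]
  hostNetwork: false
  hostIPC: false
  hostPID: false
  # No hostPath: the node lateral-movement paths on slide 23 start there.
  volumes: ["configMap", "emptyDir", "projected", "secret", "downwardAPI", "persistentVolumeClaim"]
  runAsUser:
    rule: MustRunAsNonRoot
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: MustRunAs
    ranges: [{min: 1, max: 65535}]
  fsGroup:
    rule: MustRunAs
    ranges: [{min: 1, max: 65535}]
  readOnlyRootFilesystem: true
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: psp-restricted
rules:
- apiGroups: ["policy"]
  resources: ["podsecuritypolicies"]
  verbs: ["use"]
  resourceNames: ["restricted"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: psp-restricted
  namespace: shop           # hypothetical namespace
subjects:
- kind: Group
  name: system:serviceaccounts:shop
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: psp-restricted
  apiGroup: rbac.authorization.k8s.io
---
# Kubernetes 1.25 and later: Pod Security Admission replaces PSP. The same
# "restricted" intent is a set of labels on the namespace, no extra RBAC.
apiVersion: v1
kind: Namespace
metadata:
  name: shop
  labels:
    pod-security.kubernetes.io/enforce: restricted
    pod-security.kubernetes.io/enforce-version: latest
    pod-security.kubernetes.io/warn: restricted
```

Two operational cautions: the PodSecurityPolicy admission plugin must be enabled on the API server for any PSP to be evaluated, and enabling it before at least one policy is authorized blocks creation of every pod in the cluster, including system pods. Roll policies out with the binding in place first, then enable the plugin.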
32. NODE SECURITY HARDENING
• Eliminate logins and “in-place” changes
• Read-only file systems
• Least privilege
• Consistent deployments
• Atomic deployment and validation
• Run as non-root
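Several of the items above (read-only file systems, least privilege, run as non-root) also have a per-workload form in the pod spec, and setting them there is what a policy like the one on slide 31 enforces. The Deployment below is an added example, not from the deck; the names and image are hypothetical. It also handles the usual failure mode of a read-only root filesystem, an application that needs a writable scratch directory.

```yaml
# Added example (not from the deck): pod spec that applies non-root, read-only
# root filesystem, no privilege escalation and no capabilities. Names and
# image are hypothetical.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: orders-api
  namespace: shop
spec:
  replicas: 2
  selector:
    matchLabels: {app: orders-api}
  template:
    metadata:
      labels: {app: orders-api}
    spec:
      automountServiceAccountToken: false   # no API token unless the app needs one
      securityContext:
        runAsNonRoot: true      # kubelet refuses to start a container as uid 0
        runAsUser: 10001        # explicit uid; does not rely on the image's USER
        runAsGroup: 10001
        fsGroup: 10001
        seccompProfile:
          type: RuntimeDefault  # container runtime's default syscall filter
      containers:
      - name: app
        image: example.com/orders-api:1.0   # placeholder; pin by digest in production
        securityContext:
          allowPrivilegeEscalation: false   # setuid binaries cannot gain privileges
          readOnlyRootFilesystem: true      # no "in-place" changes to the image
          capabilities:
            drop: ["ALL"]                   # add back individual caps only when proven necessary
        # Read-only root still needs somewhere writable; give the app an
        # explicit, memory-backed, size-limited scratch directory.
        volumeMounts:
        - name: tmp
          mountPath: /tmp
        resources:
          requests: {cpu: "100m", memory: "128Mi"}
          limits: {cpu: "500m", memory: "256Mi"}
      volumes:
      - name: tmp
        emptyDir:
          medium: Memory
          sizeLimit: 64Mi
```

If a container crashes after this change with "permission denied" on a path, the fix is another emptyDir mount for that path, not removing readOnlyRootFilesystem; the error is the control doing its job of surfacing where the image expected to write.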
33. AUDIT LOGGING
• Audit logging for ALL API requests
• The API is the largest attack surface
• Log as much as you can afford
• Store them (cold storage such as Glacier is fine) and keep them available to query
• Audit logs are a big forensics firehose
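"Log as much as you can afford" translates into an audit policy with a catch-all rule at the end and raised detail for the requests that matter in an investigation. The policy below is an added example, not from the deck; it records every request at least at Metadata level, captures full bodies for exec/attach/port-forward and for RBAC changes (the operations behind slides 18 and 24), and deliberately keeps Secret contents out of the log.

```yaml
# Added example (not from the deck): kube-apiserver audit policy. Rules are
# evaluated in order; the first match wins, so the catch-all goes last.
apiVersion: audit.k8s.io/v1
kind: Policy
# The ResponseComplete event carries the request plus its outcome, so the
# RequestReceived stage only duplicates volume.
omitStages: ["RequestReceived"]
rules:
# Secrets, ConfigMaps, TokenReviews: record who touched them, never the body,
# or the audit log itself becomes a store of credentials.
- level: Metadata
  resources:
  - group: ""
    resources: ["secrets", "configmaps"]
  - group: "authentication.k8s.io"
    resources: ["tokenreviews"]
# Exec/attach/port-forward into running containers: full request and response.
- level: RequestResponse
  resources:
  - group: ""
    resources: ["pods/exec", "pods/attach", "pods/portforward"]
# Changes to RBAC objects: full request so the granted rules are in the log.
- level: RequestResponse
  verbs: ["create", "update", "patch", "delete"]
  resources:
  - group: "rbac.authorization.k8s.io"
# kube-proxy's watches on services/endpoints are the noisiest traffic; keep
# only metadata for them rather than dropping them entirely.
- level: Metadata
  users: ["system:kube-proxy"]
  verbs: ["watch"]
  resources:
  - group: ""
    resources: ["endpoints", "services"]
# Everything else: Metadata, so no request goes unrecorded.
- level: Metadata
```

The policy is activated with kube-apiserver flags, e.g. `--audit-policy-file=/etc/kubernetes/audit/policy.yaml --audit-log-path=/var/log/kubernetes/audit/audit.log --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100` (paths are placeholders, flags are real), and the resulting JSON lines are what a log shipper forwards to the central store the slide calls for. Watch the volume after enabling it: a large cluster's Metadata-only stream is already sizeable, which is the "what you can afford" part.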
34. REALTIME COMPLIANCE / CONFIG
• Realtime / runtime auditing is critical
• Infrastructure as code = wider paper cuts
• Security vulnerabilities are often configuration issues
• Identify, alert, fix, measure (repeat)
35. HOST LOGGING / HIDS / EDR
• Ephemeral workloads make logging more important
• Understand processes, applications, network
• Building network “sensors” is hard / leaves blind spots
• Correlate IOCs + events (ML+)
• Open-source + SaaS options
• Build / buy a centralized warehouse
• auditd, /proc, pcap, etc.
36. SECURITY-SAVVY DEV : DEV-SAVVY SECURITY
(Timeline graphic: YESTERDAY, TODAY, TOMORROW)
• “The Firewall is the security!”
• Least Privilege
• Immutable for All
• Window of Opportunity
39. ABOUT LACEWORK
• Automated security for cloud workloads
• Purpose-built for servers, containers, & Kubernetes
• High-fidelity detection and alerting
• Engineered for massive scale
• Unified security platform