Kubernetes, as one of the most well-known tools for deploying containerized applications, is of interest to cybercriminals. Learn about the main attack vectors, vulnerabilities, and tools that help secure Kubernetes against hacking and network attacks.
What Is Kubernetes?
Probably almost everyone who has ever encountered the DevOps world has a general idea of what Kubernetes is. It is a fairly popular container orchestration system, that is, essentially a system for managing containers. K8s, as Kubernetes is often called, is an open-source system for automating the deployment and management of containerized applications.
Want an in-depth understanding of all the modern aspects of Kubernetes security? Read this article carefully and bookmark it to come back later; we update this page regularly.
The original version of the project was developed relatively recently by Google for the company's internal needs, but it was subsequently handed over to the Cloud Native Computing Foundation, from where it reached the masses. Initially, it was conceived as a tool for managing clusters of containers. The system is dynamic: it responds to events in real time and lets you easily launch a project that runs without any tricks and scales on demand, that is, one that is flexible, fast and cost-effective.
Kubernetes administration is built around the concept of pods. Each pod is a group of containers united by a common task, which can be either a microservice or a massive application spread across several machines running in parallel. Kubernetes aims to distribute container execution efficiently among cluster nodes depending on load changes and the current demand for services. In other words, it is a system for flexible management of containerization infrastructure with load balancing.
With Kubernetes, you can launch a large number of containers (such as Docker or Rocket containers) on a large number of hosts, monitor the status of the runtime environment and respond to changes in a timely manner, manage running containers, ensure their co-location and replication, and scale and balance a large number of hosts within the cluster.
Today Kubernetes has become a de facto standard for modern DevOps environments, both in large companies and among start-ups. It is actively used in cloud services such as AWS, Microsoft Azure and Google Cloud. At its core, Kubernetes is one of the strategic components of the entire DevOps process, which is why attacks on it have always been and remain relevant. An attacker who compromises this system gains access to all the nodes and containers running inside K8s, which is a direct route to compromising or leaking sensitive data.
Most importantly, given the system's central role, it is likely that the Internet is still full of publicly exposed K8s servers that can be reached from outside. A service like Shodan, for example, lets anyone search for vulnerable versions of software reachable from the Internet; in their time, tens of thousands of publicly exposed databases suffered from exactly this kind of open exposure. If you want to see how Shodan works in practice, you can do so with a search script that is available on GitHub.
Major Security Dangers for Kubernetes
As with any complex system invented by people, the infrastructure of a K8s cluster has typical security problems that experts often encounter. These include the explosion of east-west traffic. The essence of this problem is that containers can be dynamically deployed across several independent clouds, which significantly increases the data exchange traffic within a logical cluster. Remote container locations can be used by cybercriminals, for example, to carry out DDoS attacks.
The problem of an increased attack surface: each container can have a different attack surface and its own unique vulnerabilities that hackers exploit. For example, vulnerabilities in Docker or in AWS authorization systems can be used.
Unauthorized connections between containers: compromised pods can connect to other containers on the same or different hosts to launch an attack. Even though filtering takes place at the L3 level, that is, the network equipment enforces ACLs according to the configured rules, some unauthorized calls can only be detected by filtering.
Container compromise is an attack that exploits misconfiguration of the cluster's containers, which indirectly contributes to compromise or exposes application vulnerabilities. Container compromises include manipulation of internal switching, process control, or file system access.
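The unauthorized pod-to-pod connections described above are the case Kubernetes NetworkPolicy objects were designed for. The manifest below is an added example, not code from the original article: it denies all inbound traffic in a namespace by default and then allows only one labelled tier to reach another on one port. The namespace name, the labels and the port are assumptions for illustration.

```yaml
# Added example (not from the original article). Names, labels and the port
# are assumed for illustration.
# First policy: select every pod in the namespace "app" and list no ingress
# rules, so all inbound traffic to those pods is dropped by default.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: app
spec:
  podSelector: {}          # empty selector matches every pod in the namespace
  policyTypes:
    - Ingress              # no "ingress:" section, so nothing is allowed in
---
# Second policy: re-open exactly one path, pods labelled role=frontend may
# reach pods labelled role=api on TCP 8080. A compromised pod without the
# frontend label cannot connect to the API pods at all.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-frontend-to-api
  namespace: app
spec:
  podSelector:
    matchLabels:
      role: api
  policyTypes:
    - Ingress
  ingress:
    - from:
        - podSelector:
            matchLabels:
              role: frontend
      ports:
        - protocol: TCP
          port: 8080
```

NetworkPolicy is only enforced when the cluster's CNI plugin supports it (for example Calico or Cilium); on a plugin that does not, the objects are accepted but have no effect, so verify with a test pod that lacks the frontend label.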
Like any application or system software, Kubernetes has had a number of critical vulnerabilities whose presence endangers the entire cluster, from the running containers in general to specific data stored in a database on a separate server. According to statistics compiled from the NIST vulnerability registry, the most critical flaws were found in 2018-2019: eight and four vulnerabilities, respectively.
The first, discovered in 2019, allows a malicious container to overwrite the runC executable on the host system, with no user interaction required. As a result of such an attack, an attacker can gain root access to the host and execute arbitrary code on it. In February 2019, an exploit for this vulnerability was published on GitHub. Another bug, detected in March of the same year, allows an attacker to deliver files from a pod to the operator's computer, or to modify them, by spoofing the tar binary used by the regular kubectl cp command.
Another flaw, discovered in 2018, is related to privilege escalation. It allows a hacker to escalate privileges in the cluster and gain access to it due to a logical error in the processing of API calls. According to cybersecurity experts, this flaw is a high-severity threat, since it requires no prior authentication and is easy to exploit. Unauthorized access is opened after sending a specially crafted request to the Kubernetes API server.
All vulnerable Kubernetes builds fail to handle the malicious request correctly, allowing access to the back end using the TLS credentials configured in the API server settings. A PoC exploit was published on GitHub just a few days after the problem was discovered. A patch for this vulnerability was released later.
Top Kubernetes Attacks
Kubernetes has a rather complex architecture and incorporates many components. Therefore, the types of attacks on the system and their targets also vary. The general scheme of attack targets includes:
- Pods: the indivisible elementary unit of deployment and addressing in Kubernetes. A pod has its own IP address and may contain one or more containers;
- Services: network services that provide data exchange within the cluster, load balancing, replication, request processing, and so on;
- System components: the key components used to manage the Kubernetes cluster, such as the API server, the kubelet and others;
- Worker nodes: production servers that run application containers and other Kubernetes components, such as the K8s agents and proxy servers;
- Master node: the main master server that manages the entire cluster of worker nodes (pods) and the deployment of modules on these nodes.
Kubernetes Security Solutions
To solve these container security problems in DevOps systems, engineers use specialized tools for monitoring and automated security management. Network and system administration techniques such as TLS encryption, role-based access control (RBAC), firewalls, third-party authentication, privilege restriction, and other methods of protecting cluster resources are still widely used.
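Of the measures listed above, RBAC and privilege restriction are the ones most often configured wrongly. The manifests below are an added example, not the article's own material: the first binding shows the over-broad pattern to avoid, and the Role/RoleBinding pair that follows grants the same kind of access scoped to one namespace, one service account and read-only verbs. The namespace, role and service account names are assumptions.

```yaml
# Added example (not from the original article). Names are assumed.
# --- Weak pattern: avoid. Binds the built-in cluster-admin ClusterRole to
# every authenticated identity, so any leaked token controls the cluster.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: everyone-is-admin
subjects:
  - kind: Group
    name: system:authenticated
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: cluster-admin
  apiGroup: rbac.authorization.k8s.io
---
# --- Least-privilege replacement. A namespaced Role that permits only
# reading pods and their logs; no create/delete, no secrets, no cluster scope.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: pod-reader
  namespace: app
rules:
  - apiGroups: [""]                    # "" is the core API group
    resources: ["pods", "pods/log"]
    verbs: ["get", "list", "watch"]
---
# Bind that Role to a single service account in the same namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: ci-reads-pods
  namespace: app
subjects:
  - kind: ServiceAccount
    name: ci-runner
    namespace: app
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io
```

After applying, check the resulting permissions with `kubectl auth can-i delete pods -n app --as=system:serviceaccount:app:ci-runner`, which should answer "no", while `kubectl auth can-i list pods -n app --as=system:serviceaccount:app:ci-runner` answers "yes".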
In addition, an integrated approach to your company's cyber security significantly increases the chances of eliminating vulnerabilities successfully. For example, a complete inventory of all your digital assets provides an additional advantage for Kubernetes security, because it not only identifies and verifies all digital assets, but also monitors repositories, cloud storage, and even the dark web for any of your data obtained illegally by hackers.