Please enable JavaScript.

Coggle requires JavaScript to display documents.

Kubernetes Attack Classification - Coggle Diagram

- - - - Mitigation
      - Using Overlays to bypass security barriers (for example NET_RAW capability that we dropped off)
  - - - Any type of access to the cluster's DNS service is a severe threat. Typically, CoreDNS will reside in the kube-system namespace and the config map that can be used to configure it. This means that an attacker will need kube-admin access to your cluster or privilege access through a vulnerable container. In this case, users should employ the principle of least privilege. RBAC monitoring and security context functionality should be applied.
  - - - Turn off NET_RAW Capability for apps that dosent need it
      - Use Layer 3 Plugin Calico whre pods arent on same broadcast domain
      - Setup firewall configs using iptables that wont allow the transfer of DNS responses from a pod that is not the DNS server to another pod
- - - - kernel exxpoints a great for elevating privileges and this becomes even more crucial with container bicuz they share the same kernel as the host and with kernel expoited we can escape directly to the host running the whole cluster.
- - - - RBAC
        The mitigation techniques remain the same. Make sure you remove any interfaces that are not necessary. If a dashboard is required, ensure RBAC permissions using a principle of least privilege and use ingress network policies to ensure that the dashboards are not publicly accessible.
        Network Policies
    - - etcd API
        
        Application secrets management (end encrypting them in etcd at rest)
      - kubelet API
      - cAdvisor
      - kube-apiserver
        
        RBAC authorization (access to kubernetes API)
  - - - Static / dynamic (DAST Dynamic Application Security Testing/Analysis)
        Securing the Application
        Access over TLS only (https)
        Limiting port ranges of communication (if its a database for example dont make it public facing or limited to only one ip address )
        3rd party dependency security (if we are using for example nodejs we might wanna check if all our dependencies are up to date or we can use for example snick to detect and report)
        Static Code Analysis / Code Review
        Dynamic Probing Attacks (Pentesting )
  - - - Container Vulnerability Scanning and OS dependency Security
        Image signing and Enforcement
        Use CR with stronger isolation
        Stronger isolation could be done for example by choosing virtualized container runtimes.
        Disallow privileged users
        Use CR with stronger isolation
- - - - IMDS is a REST API that is available at a well-known, non-routable IP address. Since the information is available only from inside the virtual machine, your containers must not have access to this information. First, prevent access to the container using principles of least privilege, security contexts, and containers without root permissions. Next, set up network policies to block the internal address of the REST API and ensure that your containers cannot mount any persistence from the host location.
- - - - The MutatingAdmissionWebhook can be used to manipulate deployments to configure resources in unintended ways. If you do not need the MutatingAdmissionWebhook functionality in your clusters, it is best to disable it altogether. >> Using RBAC controls with a principle of least privilege will limit an attackers' ability to use a MutatingAdmissionWebhook and generally lower your cluster’s attack surface.
- - - - An application that is deployed in the cluster and is vulnerable to a remote code execution vulnerability, or a vulnerability that eventually allows code execution, enables attackers to run code in the cluster. If service account is mounted to the container (default behavior in Kubernetes), the attacker will be able to send requests to the API server using this service account credentials.
        
        using the service account mounted into the container this application running on we can send requests to the API server
    - - The Kubelet service API is not documented, but for example once accessed anonymously we can use the following requests to do diffrent interacting with this API
  - - - We need to set the security at the pod level based on their meannng that containers inside pod . and set appropriate limits on all of the containers in a pod.