Hacking Kubernetes

Hacking Kubernetes

by Andrew Martin, Michael Hausenblas
Released October 2021
Publisher(s): O'Reilly Media, Inc.
ISBN: 9781492081739

Read it now on the O’Reilly learning platform with a 10-day free trial.

O’Reilly members get unlimited access to books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.

Buy on Amazon Buy on ebooks.com
Start your free trial

Book description

Want to run your Kubernetes workloads safely and securely? This practical book provides a threat-based guide to Kubernetes security. Each chapter examines a particular component's architecture and potential default settings and then reviews existing high-profile attacks and historical Common Vulnerabilities and Exposures (CVEs). Authors Andrew Martin and Michael Hausenblas share best-practice configuration to help you harden clusters from possible angles of attack.

This book begins with a vanilla Kubernetes installation with built-in defaults. You'll examine an abstract threat model of a distributed system running arbitrary workloads, and then progress to a detailed assessment of each component of a secure Kubernetes system.

  • Understand where your Kubernetes system is vulnerable with threat modelling techniques
  • Focus on pods, from configurations to attacks and defenses
  • Secure your cluster and workload traffic
  • Define and enforce policy with RBAC, OPA, and Kyverno
  • Dive deep into sandboxing and isolation techniques
  • Learn how to detect and mitigate supply chain attacks
  • Explore filesystems, volumes, and sensitive information at rest
  • Discover what can go wrong when running multitenant workloads in a cluster
  • Learn what you can do if someone breaks in despite you having controls in place

Publisher resources

View/Submit Errata

Table of contents

  1. Preface
    1. About You
    2. About Us
    3. How To Use This Book
    4. Conventions Used in This Book
    5. Using Code Examples
    6. O’Reilly Online Learning
    7. How to Contact Us
    8. Acknowledgments
  2. 1. Introduction
    1. Setting the Scene
    2. Starting to Threat Model
      1. Threat Actors
      2. Your First Threat Model
    3. Attack Trees
    4. Example Attack Trees
    5. Prior Art
    6. Conclusion
  3. 2. Pod-Level Resources
    1. Defaults
    2. Threat Model
    3. Anatomy of the Attack
      1. Remote Code Execution
      2. Network Attack Surface
    4. Kubernetes Workloads: Apps in a Pod
    5. What’s a Pod?
    6. Understanding Containers
      1. Sharing Network and Storage
      2. What’s the Worst That Could Happen?
      3. Container Breakout
    7. Pod Configuration and Threats
      1. Pod Header
      2. Reverse Uptime
      3. Labels
      4. Managed Fields
      5. Pod Namespace and Owner
      6. Environment Variables
      7. Container Images
      8. Pod Probes
      9. CPU and Memory Limits and Requests
      10. DNS
      11. Pod securityContext
      12. Pod Service Accounts
      13. Scheduler and Tolerations
      14. Pod Volume Definitions
      15. Pod Network Status
    8. Using the securityContext Correctly
      1. Enhancing the securityContext with Kubesec
      2. Hardened securityContext
    9. Into the Eye of the Storm
    10. Conclusion
  4. 3. Container Runtime Isolation
    1. Defaults
    2. Threat Model
    3. Containers, Virtual Machines, and Sandboxes
      1. How Virtual Machines Work
      2. Benefits of Virtualization
      3. What’s Wrong with Containers?
      4. User Namespace Vulnerabilities
    4. Sandboxing
      1. gVisor
      2. Firecracker
      3. Kata Containers
      4. rust-vmm
    5. Risks of Sandboxing
    6. Kubernetes Runtime Class
    7. Conclusion
  5. 4. Applications and Supply Chain
    1. Defaults
    2. Threat Model
    3. The Supply Chain
      1. Software
      2. Scanning for CVEs
      3. Ingesting Open Source Software
      4. Which Producers Do We Trust?
    4. CNCF Security Technical Advisory Group
      1. Architecting Containerized Apps for Resilience
      2. Detecting Trojans
    5. Captain Hashjack Attacks a Supply Chain
      1. Post-Compromise Persistence
      2. Risks to Your Systems
    6. Container Image Build Supply Chains
      1. Software Factories
      2. Blessed Image Factory
      3. Base Images
    7. The State of Your Container Supply Chains
      1. Third-Party Code Risk
      2. Software Bills of Materials
      3. Human Identity and GPG
    8. Signing Builds and Metadata
      1. Notary v1
      2. sigstore
      3. in-toto and TUF
      4. GCP Binary Authorization
      5. Grafeas
    9. Infrastructure Supply Chain
      1. Operator Privileges
      2. Attacking Higher Up the Supply Chain
    10. Types of Supply Chain Attack
      1. Open Source Ingestion
      2. Application Vulnerability Throughout the SDLC
    11. Defending Against SUNBURST
    12. Conclusion
  6. 5. Networking
    1. Defaults
      1. Intra-Pod Networking
      2. Inter-Pod Traffic
      3. Pod-to-Worker Node Traffic
      4. Cluster-External Traffic
      5. The State of the ARP
      6. No securityContext
      7. No Workload Identity
      8. No Encryption on the Wire
    2. Threat Model
    3. Traffic Flow Control
      1. The Setup
      2. Network Policies to the Rescue!
    4. Service Meshes
      1. Concept
      2. Options and Uptake
      3. Case Study: mTLS with Linkerd
    5. eBPF
      1. Concept
      2. Options and Uptake
      3. Case Study: Attaching a Probe to a Go Program
    6. Conclusion
  7. 6. Storage
    1. Defaults
    2. Threat Model
    3. Volumes and Datastores
      1. Everything Is a Stream of Bytes
      2. What’s a Filesystem?
      3. Container Volumes and Mounts
      4. OverlayFS
      5. tmpfs
      6. Volume Mount Breaks Container Isolation
      7. The /proc/self/exe CVE
    4. Sensitive Information at Rest
      1. Mounted Secrets
      2. Attacking Mounted Secrets
    5. Storage Concepts
      1. Container Storage Interface
      2. Projected Volumes
      3. Attacking Volumes
      4. The Dangers of Host Mounts
      5. Other Secrets and Exfiltraing from Datastores
    6. Conclusion
  8. 7. Hard Multitenancy
    1. Defaults
    2. Threat Model
    3. Namespaced Resources
      1. Node Pools
      2. Node Taints
    4. Soft Multitenancy
    5. Hard Multitenancy
      1. Hostile Tenants
      2. Sandboxing and Policy
      3. Public Cloud Multitenancy
    6. Control Plane
      1. API Server and etcd
      2. Scheduler and Controller Manager
    7. Data Plane
    8. Cluster Isolation Architecture
    9. Cluster Support Services and Tooling Environments
    10. Security Monitoring and Visibility
    11. Conclusion
  9. 8. Policy
    1. Types of Policies
    2. Defaults
      1. Network Traffic
      2. Limiting Resource Allocations
      3. Resource Quotas
      4. Runtime Policies
      5. Access Control Policies
    3. Threat Model
    4. Common Expectations
      1. Breakglass Scenario
      2. Auditing
    5. Authentication and Authorization
      1. Human Users
      2. Workload Identity
    6. Role-Based Access Control (RBAC)
      1. RBAC Recap
      2. A Simple RBAC Example
      3. Authoring RBAC
      4. Analyzing and Visualizing RBAC
      5. RBAC-Related Attacks
    7. Generic Policy Engines
      1. Open Policy Agent
      2. Kyverno
      3. Other Policy Offerings
    8. Conclusion
  10. 9. Intrusion Detection
    1. Defaults
    2. Threat Model
    3. Traditional IDS
    4. eBPF-Based IDS
      1. Kubernetes and Container Intrusion Detection
      2. Falco
    5. Machine Learning Approaches to IDS
    6. Container Forensics
    7. Honeypots
    8. Auditing
    9. Detection Evasion
    10. Security Operations Centers
    11. Conclusion
  11. 10. Organizations
    1. The Weakest Link
    2. Cloud Providers
      1. Shared Responsibility
      2. Account Hygiene
      3. Grouping People and Resources
      4. Other Considerations
    3. On-Premises Environments
    4. Common Considerations
      1. Threat Model Explosion
      2. How SLOs Can Put Additional Pressure on You
      3. Social Engineering
      4. Privacy and Regulatory Concerns
    5. Conclusion
  12. A. A Pod-Level Attack
    1. Filesystem
    2. tmpfs
    3. Host Mounts
      1. Hostile Containers
      2. Runtime
  13. B. Resources
    1. General
      1. References
      2. Books
    2. Further Reading by Chapter
      1. Intro
      2. Pods
      3. Supply Chains
      4. Networking
      5. Policy
    3. Notable CVEs
  14. Index

Product information

  • Title: Hacking Kubernetes
  • Author(s): Andrew Martin, Michael Hausenblas
  • Release date: October 2021
  • Publisher(s): O'Reilly Media, Inc.
  • ISBN: 9781492081739