Hacking Kubernetes: Threat-Driven Analysis and Defense

Want to run your Kubernetes workloads safely and securely? This practical book provides a threat-based guide to Kubernetes security. Each chapter examines a particular component's architecture and potential default settings and then reviews existing high-profile attacks and historical Common Vulnerabilities and Exposures (CVEs). Authors Andrew Martin and Michael Hausenblas share best-practice configuration to help you harden clusters from possible angles of attack.

This book begins with a vanilla Kubernetes installation with built-in defaults. You'll examine an abstract threat model of a distributed system running arbitrary workloads, and then progress to a detailed assessment of each component of a secure Kubernetes system.

• Understand where your Kubernetes system is vulnerable with threat modelling techniques
• Focus on pods, from configurations to attacks and defenses
• Secure your cluster and workload traffic
• Define and enforce policy with RBAC, OPA, and Kyverno
• Dive deep into sandboxing and isolation techniques
• Learn how to detect and mitigate supply chain attacks
• Explore filesystems, volumes, and sensitive information at rest
• Discover what can go wrong when running multitenant workloads in a cluster
• Learn what you can do if someone breaks in despite you having controls in place

Author(s): Andrew Martin, Michael Hausenblas
Edition: 1
Publisher: O'Reilly Media
Year: 2021

Language: English
Commentary: Publisher's PDF | Published: October 2021 | Revision History: 2021-10-13: First Release
Pages: 311
City: Sebastopol, CA
Tags: Security; Intrusion Detection; Networking; Kubernetes; Threat Models

Cover
Copyright
Table of Contents
Preface
About You
About Us
How To Use This Book
Conventions Used in This Book
Using Code Examples
O’Reilly Online Learning
How to Contact Us
Acknowledgments
Chapter 1. Introduction
Setting the Scene
Starting to Threat Model
Threat Actors
Your First Threat Model
Attack Trees
Example Attack Trees
Prior Art
Conclusion
Chapter 2. Pod-Level Resources
Defaults
Threat Model
Anatomy of the Attack
Remote Code Execution
Network Attack Surface
Kubernetes Workloads: Apps in a Pod
What’s a Pod?
Understanding Containers
Sharing Network and Storage
What’s the Worst That Could Happen?
Container Breakout
Pod Configuration and Threats
Pod Header
Reverse Uptime
Labels
Managed Fields
Pod Namespace and Owner
Environment Variables
Container Images
Pod Probes
CPU and Memory Limits and Requests
DNS
Pod securityContext
Pod Service Accounts
Scheduler and Tolerations
Pod Volume Definitions
Pod Network Status
Using the securityContext Correctly
Enhancing the securityContext with Kubesec
Hardened securityContext
Into the Eye of the Storm
Conclusion
Chapter 3. Container Runtime Isolation
Defaults
Threat Model
Containers, Virtual Machines, and Sandboxes
How Virtual Machines Work
Benefits of Virtualization
What’s Wrong with Containers?
User Namespace Vulnerabilities
Sandboxing
gVisor
Firecracker
Kata Containers
rust-vmm
Risks of Sandboxing
Kubernetes Runtime Class
Conclusion
Chapter 4. Applications and Supply Chain
Defaults
Threat Model
The Supply Chain
Software
Scanning for CVEs
Ingesting Open Source Software
Which Producers Do We Trust?
CNCF Security Technical Advisory Group
Architecting Containerized Apps for Resilience
Detecting Trojans
Captain Hashjack Attacks a Supply Chain
Post-Compromise Persistence
Risks to Your Systems
Container Image Build Supply Chains
Software Factories
Blessed Image Factory
Base Images
The State of Your Container Supply Chains
Third-Party Code Risk
Software Bills of Materials
Human Identity and GPG
Signing Builds and Metadata
Notary v1
sigstore
in-toto and TUF
GCP Binary Authorization
Grafeas
Infrastructure Supply Chain
Operator Privileges
Attacking Higher Up the Supply Chain
Types of Supply Chain Attack
Open Source Ingestion
Application Vulnerability Throughout the SDLC
Defending Against SUNBURST
Conclusion
Chapter 5. Networking
Defaults
Intra-Pod Networking
Inter-Pod Traffic
Pod-to-Worker Node Traffic
Cluster-External Traffic
The State of the ARP
No securityContext
No Workload Identity
No Encryption on the Wire
Threat Model
Traffic Flow Control
The Setup
Network Policies to the Rescue!
Service Meshes
Concept
Options and Uptake
Case Study: mTLS with Linkerd
eBPF
Concept
Options and Uptake
Case Study: Attaching a Probe to a Go Program
Conclusion
Chapter 6. Storage
Defaults
Threat Model
Volumes and Datastores
Everything Is a Stream of Bytes
What’s a Filesystem?
Container Volumes and Mounts
OverlayFS
tmpfs
Volume Mount Breaks Container Isolation
The /proc/self/exe CVE
Sensitive Information at Rest
Mounted Secrets
Attacking Mounted Secrets
Storage Concepts
Container Storage Interface
Projected Volumes
Attacking Volumes
The Dangers of Host Mounts
Other Secrets and Exfiltrating from Datastores
Conclusion
Chapter 7. Hard Multitenancy
Defaults
Threat Model
Namespaced Resources
Node Pools
Node Taints
Soft Multitenancy
Hard Multitenancy
Hostile Tenants
Sandboxing and Policy
Public Cloud Multitenancy
Control Plane
API Server and etcd
Scheduler and Controller Manager
Data Plane
Cluster Isolation Architecture
Cluster Support Services and Tooling Environments
Security Monitoring and Visibility
Conclusion
Chapter 8. Policy
Types of Policies
Defaults
Network Traffic
Limiting Resource Allocations
Resource Quotas
Runtime Policies
Access Control Policies
Threat Model
Common Expectations
Breakglass Scenario
Auditing
Authentication and Authorization
Human Users
Workload Identity
Role-Based Access Control (RBAC)
RBAC Recap
A Simple RBAC Example
Authoring RBAC
Analyzing and Visualizing RBAC
RBAC-Related Attacks
Generic Policy Engines
Open Policy Agent
Kyverno
Other Policy Offerings
Conclusion
Chapter 9. Intrusion Detection
Defaults
Threat Model
Traditional IDS
eBPF-Based IDS
Kubernetes and Container Intrusion Detection
Falco
Machine Learning Approaches to IDS
Container Forensics
Honeypots
Auditing
Detection Evasion
Security Operations Centers
Conclusion
Chapter 10. Organizations
The Weakest Link
Cloud Providers
Shared Responsibility
Account Hygiene
Grouping People and Resources
Other Considerations
On-Premises Environments
Common Considerations
Threat Model Explosion
How SLOs Can Put Additional Pressure on You
Social Engineering
Privacy and Regulatory Concerns
Conclusion
Appendix A. A Pod-Level Attack
Filesystem
tmpfs
Host Mounts
Hostile Containers
Runtime
Appendix B. Resources
General
References
Books
Further Reading by Chapter
Intro
Pods
Supply Chains
Networking
Policy
Notable CVEs
Index
About the Authors
Colophon