Hacking Kubernetes (ebook) Żory

Want to run your Kubernetes workloads safely and securely? This practical book provides a threat-based guide to Kubernetes security. Each chapter examines a particular component's architecture and potential default settings and then reviews existing high-profile attacks and historical Common Vulnerabilities and Exposures (CVEs). Authors Andrew Martin and Michael Hausenblas share best-practice configuration to help you harden clusters from possible angles of attack.This book begins with a vanilla Kubernetes installation with built-in defaults. You'll examine an abstract threat model of a distributed system running arbitrary workloads, and then progress to a detailed assessment of each component of a secure Kubernetes system.Understand where your Kubernetes system is vulnerable with threat modelling techniquesFocus on pods, from configurations to attacks and defensesSecure your cluster and workload trafficDefine and enforce policy with RBAC, OPA, and KyvernoDive deep into sandboxing and isolation techniquesLearn how to detect and mitigate supply chain attacksExplore filesystems, volumes, and sensitive information at restDiscover what can go wrong when running multitenant workloads in a clusterLearn what you can do if someone breaks in despite you having controls in place Spis treści: Preface About You About Us How To Use This Book Conventions Used in This Book Using Code Examples OReilly Online Learning How to Contact Us Acknowledgments 1. Introduction Setting the Scene Starting to Threat Model Threat Actors Your First Threat Model Attack Trees Example Attack Trees Prior Art Conclusion 2. Pod-Level Resources Defaults Threat Model Anatomy of the Attack Remote Code Execution Network Attack Surface Kubernetes Workloads: Apps in a Pod Whats a Pod? Understanding Containers Sharing Network and Storage Whats the Worst That Could Happen? Container Breakout Pod Configuration and Threats Pod Header Reverse Uptime Labels Managed Fields Pod Namespace and Owner Environment Variables Container Images Pod Probes CPU and Memory Limits and Requests DNS Pod securityContext Pod Service Accounts Scheduler and Tolerations Pod Volume Definitions Pod Network Status Using the securityContext Correctly Enhancing the securityContext with Kubesec Hardened securityContext containers[] .securityContext .privileged .spec .hostPID .spec .hostNetwork .spec .hostAliases .spec .hostIPC containers[] .securityContext .runAsNonRoot containers[] .securityContext .runAsUser > 10000 containers[] .securityContext .readOnlyRootFilesystem containers[] .securityContext .capabilities .drop | index(ALL) containers[] .securityContext .capabilities .add | index(SYS_ADMIN) containers[] .resources .limits .cpu, .memory containers[] .resources .requests .cpu, .memory .spec .volumes[] .hostPath .path Into the Eye of the Storm Conclusion 3. Container Runtime Isolation Defaults Threat Model Containers, Virtual Machines, and Sandboxes How Virtual Machines Work Benefits of Virtualization Whats Wrong with Containers? User Namespace Vulnerabilities Sandboxing gVisor Firecracker Kata Containers rust-vmm Risks of Sandboxing Kubernetes Runtime Class Conclusion 4. Applications and Supply Chain Defaults Threat Model The Supply Chain Software Scanning for CVEs Ingesting Open Source Software Which Producers Do We Trust? CNCF Security Technical Advisory Group Architecting Containerized Apps for Resilience Detecting Trojans Captain Hashjack Attacks a Supply Chain Post-Compromise Persistence Risks to Your Systems Container Image Build Supply Chains Software Factories Blessed Image Factory Base Images The State of Your Container Supply Chains Third-Party Code Risk Software Bills of Materials Human Identity and GPG Signing Builds and Metadata Notary v1 sigstore in-toto and TUF GCP Binary Authorization Grafeas Infrastructure Supply Chain Operator Privileges Attacking Higher Up the Supply Chain Types of Supply Chain Attack Open Source Ingestion Application Vulnerability Throughout the SDLC Defending Against SUNBURST Conclusion 5. Networking Defaults Intra-Pod Networking Inter-Pod Traffic Pod-to-Worker Node Traffic Cluster-External Traffic The State of the ARP No securityContext No Workload Identity No Encryption on the Wire Threat Model Traffic Flow Control The Setup Network Policies to the Rescue! Service Meshes Concept Options and Uptake Case Study: mTLS with Linkerd eBPF Concept Options and Uptake Case Study: Attaching a Probe to a Go Program Conclusion 6. Storage Defaults Threat Model Volumes and Datastores Everything Is a Stream of Bytes Whats a Filesystem? Container Volumes and Mounts OverlayFS tmpfs Volume Mount Breaks Container Isolation The /proc/self/exe CVE Sensitive Information at Rest Mounted Secrets Attacking Mounted Secrets Storage Concepts Container Storage Interface Projected Volumes Attacking Volumes The Dangers of Host Mounts Other Secrets and Exfiltraing from Datastores Conclusion 7. Hard Multitenancy Defaults Threat Model Namespaced Resources Node Pools Node Taints Soft Multitenancy Hard Multitenancy Hostile Tenants Sandboxing and Policy Public Cloud Multitenancy Control Plane API Server and etcd Scheduler and Controller Manager Data Plane Cluster Isolation Architecture Cluster Support Services and Tooling Environments Security Monitoring and Visibility Conclusion 8. Policy Types of Policies Defaults Network Traffic Limiting Resource Allocations Resource Quotas Runtime Policies Access Control Policies Threat Model Common Expectations Breakglass Scenario Auditing Authentication and Authorization Human Users Workload Identity Service accounts Cryptographically strong identities Role-Based Access Control (RBAC) RBAC Recap A Simple RBAC Example Authoring RBAC Analyzing and Visualizing RBAC RBAC-Related Attacks Generic Policy Engines Open Policy Agent Using OPA directly Gatekeeper Kyverno Other Policy Offerings Conclusion 9. Intrusion Detection Defaults Threat Model Traditional IDS eBPF-Based IDS Kubernetes and Container Intrusion Detection Falco Machine Learning Approaches to IDS Container Forensics Honeypots Auditing Detection Evasion Security Operations Centers Conclusion 10. Organizations The Weakest Link Cloud Providers Shared Responsibility Account Hygiene Grouping People and Resources Other Considerations Dealing with root certificate authorities Avoid leaking credentials On-Premises Environments Common Considerations Threat Model Explosion How SLOs Can Put Additional Pressure on You Social Engineering Privacy and Regulatory Concerns Conclusion A. A Pod-Level Attack Filesystem tmpfs Host Mounts Hostile Containers Runtime B. Resources General References Books Further Reading by Chapter Intro Pods Supply Chains Networking Policy Notable CVEs Index