Overview : |
Kubernetes helps the enterprises to automate their application deployment for the business benefits. Now-a-days Kubernetes security can be considered as a critical component for all deployments because the new deployments might be vulnerable to attacks and exploits from hackers or insiders. Different kind of attacks will be launched against new container based virtualized environments. (in both private and public clouds.) Kubernetes is an open source tool that automates the deployment, and for the management of containerized applications. All major container management and cloud platforms such as Red Hat OpenShift, Docker EE, Rancher, IBM Cloud, AWS EKS, Azure, SUSE CaaS, and Google Cloud are supported by Kubernetes. Here are some of the key things to know about Kubernetes:
How Kubernetes Works The basic idea of Kubernetes networking is that every pod has its own routable IP address and its network plug-in takes care of routing all requests internally between hosts to its corresponding pod. External access to Kubernetes pods can be provided through a service, load balancer, or ingress controller, which Kubernetes routes to the appropriate pod. Using network overlay and load balancing, Pods communicate with each other. DNAT takes place to get the connections to the appropriate pod. Packets may be encapsulated with appropriate headers to get them to the appropriate destination. it is very difficult to monitor network traffic with the overlay networking which being dynamically handled by Kubernetes. The dynamic nature of containers creates some Kubernetes security challenges.They are:
Kubernetes Vulnerabilities and Attack Vectors Attacks on Kubernetes containers running in pods can originate externally through the network or internally by insiders. Some examples are:
‘Kill Chain’ Attacks To achieve the attacker’s goal, the attacker involve a series of malicious activities which results in most damaging attacks . These events can occur dramatically, within a span of seconds, or can be spread out over days, weeks or even months. Different resources needs to be used in multiple layers of security monitoring to Detect kill chain events. The most critical vectors to monitor includes:
Attacks on the Kubernetes Infrastructure Itself Attackers can attempt to compromise Kubernetes resources like API Server or Kubelets to disable or disrupt applications or to gain access to the underlying resources used to run containers. There are some published privilege escalation mechanisms in Kubernetes, via the Kubelet, access to etcd or service tokens. This can enable an attacker to gain cluster admin privilege rights from a compromised container. Pre-Deployment Kubernetes Security Steps It is recommended to lock down the Kubernetes worker nodes, before deploying any application containers. Some effective steps to lock down the hosts are:
Real-Time & Run-Time Kubernetes Security The three critical security vectors for protecting running containers in production are network filtering, container inspection, and host security. Inspect and Secure the Network Container Firewall feature provides a possibility to control the nodes availability both from inside and outside of the Platform. It analyzes various parameters like incoming request source, protocol, target node port and so on to flexibly manage access to the containers through necessary connection rules. Different approaches to secure a container network with a firewall are:
Host Security If the Kubernetes worker node on which containers run is compromised, it is difficult to predict the after effect, all kinds negative things can happen. These include:
The host system are needed to be monitored for these kind of suspicious activities.. Together, the combination of network inspection, container inspection, and host security offer the best way to detect a kill chain from several vectors. Container Inspection Attacks utilize privilege escalations and malicious processes to carry out an attack or spread it. Exploits in the Linux kernel, packages, libraries or applications can result in suspicious activity within a container. The critical element of container security is inspecting all the container processes and file system activity to detect the suspicious behavior. Suspicious processes such as port scanning and reverse shells, or privilege escalations should all be detected. There are combination of built-in detection as well as a baseline behavioral learning process which can identify unusual processes. The applications with containers which are designed with microservices principles can detect the suspicious processes and file system activity more easier and will be more accurate. Securing the Kubernetes System and Resources If not protected, orchestration tools like Kubernetes and the management platforms can be vulnerable to attacks. These expose a new attack surface for container deployments and thus will be attempted to be exploited by hackers. It is critical to properly setup the RBACs for system resources to protect Kubernetes and management platforms . The areas to configure properly to have the access controls are:
It is recommended to track access to infrastructure services to detect unauthorized connection attempts and potential attacks using the monitoring tools. Real-time, policy based monitoring of the containers, hosts, network and system resources would have detected suspicious processes as well as unauthorized external connections. Auditing and Compliance for Kubernetes Environments Kubernetes, enterprises are getting constantly updating, upgrading, and migrating the container environment. Running a set of security tests designed for Kubernetes environments will ensure that security does not regress with each change. As more enterprises migrate to containers, the changes in the infrastructure, tools, and topology may require re-certification for compliance standards like PCI. Already we have a comprehensive set of Kubernetes security and Docker security health checks through the CIS Benchmarks for Kubernetes and the Docker Bench tests and confirms expected results are automated. These test focus on the below areas:
Vulnerability scanning of containers in production is a core component for preventing known exploits to achieve compliance. However, it is not enough to provide the multiple vectors of security needed to protect runtime container deployments. |
Recent Posts
Follow Us
zzcms 2018 template_user.php ml/title code injection
A vulnerability was found in zzcms 2018 (Content Management System) and classified as critical. This issue affects an unknown function
ZyXEL VPN2S 1.12 Web Server path traversal
A vulnerability classified as problematic was found in ZyXEL VPN2S 1.12. Affected by this vulnerability is an unknown part of
Zyxel VPN2S 1.12 CGI Program os command injection
A vulnerability has been found in Zyxel VPN2S 1.12 and classified as critical. This vulnerability affects some unknown processing of
Zyxel USG/USG Flex/Zywall/ATP/VPN up to 4.64 Web-based Management Interface improper authentication
A vulnerability was found in Zyxel USG, USG Flex, Zywall, ATP and VPN up to 4.64 (Firewall Software). It has
ZyXEL GS1900-8 2.60 LLDP Packet cross site scripting
A vulnerability was found in ZyXEL GS1900-8 2.60. It has been classified as problematic. This affects an unknown code of
Zynamics BinDiff up to 6 i64 File use after free
A vulnerability, which was classified as critical, has been found in Zynamics BinDiff up to 6. This issue affects an
Web Application Firewall Solution
CVE-2024-53290 : DELL WYSE PROPRIETARY OS 2408 COMMAND INJECTION
Description Dell ThinOS version 2408 contains an Improper Neutralization of Special Elements used in a Command (‘Command Injection’) vulnerability. An
CVE-2024-35117 : IBM OPENPAGES WITH WATSON 9.0 TRACING LOG FILE CLEARTEXT STORAGE
Description IBM OpenPages with Watson 9.0 may write sensitive information, under specific configurations, in clear text to the system tracing
CVE-2024-54198 : SAP NETWEAVER APPLICATION SERVER ABAP UP TO KRNL64UC 7.22 RFC REQUEST IMPROPER CONTROL OF DYNAMICALLY-IDENTIFIED VARIABLES
Description In certain conditions, SAP NetWeaver Application Server ABAP allows an authenticated attacker to craft a Remote Function Call (RFC)