
Hacking Kubernetes
Description
Want to run your Kubernetes workloads safely and securely? This practical book provides a threat-based guide to Kubernetes security. Each chapter examines a particular component's architecture and potential default settings and then reviews existing high-profile attacks and historical Common Vulnerabilities and Exposures (CVEs). Authors Andrew Martin and Michael Hausenblas share best-practice configuration to help you harden clusters against the possible angles of attack.
This book begins with a vanilla Kubernetes installation with built-in defaults. You'll examine an abstract threat model of a distributed system running arbitrary workloads, and then progress to a detailed assessment of each component of a secure Kubernetes system.
- Understand where your Kubernetes system is vulnerable with threat modelling techniques
- Focus on pods, from configurations to attacks and defenses
- Secure your cluster and workload traffic
- Define and enforce policy with RBAC, OPA, and Kyverno
- Dive deep into sandboxing and isolation techniques
- Learn how to detect and mitigate supply chain attacks
- Explore filesystems, volumes, and sensitive information at rest
- Discover what can go wrong when running multitenant workloads in a cluster
- Learn what you can do if someone breaks in despite you having controls in place

Content
- Cover
- Copyright
- Table of Contents
- Preface
- About You
- About Us
- How To Use This Book
- Conventions Used in This Book
- Using Code Examples
- O'Reilly Online Learning
- How to Contact Us
- Acknowledgments
- Chapter 1. Introduction
- Setting the Scene
- Starting to Threat Model
- Threat Actors
- Your First Threat Model
- Attack Trees
- Example Attack Trees
- Prior Art
- Conclusion
- Chapter 2. Pod-Level Resources
- Defaults
- Threat Model
- Anatomy of the Attack
- Remote Code Execution
- Network Attack Surface
- Kubernetes Workloads: Apps in a Pod
- What's a Pod?
- Understanding Containers
- Sharing Network and Storage
- What's the Worst That Could Happen?
- Container Breakout
- Pod Configuration and Threats
- Pod Header
- Reverse Uptime
- Labels
- Managed Fields
- Pod Namespace and Owner
- Environment Variables
- Container Images
- Pod Probes
- CPU and Memory Limits and Requests
- DNS
- Pod securityContext
- Pod Service Accounts
- Scheduler and Tolerations
- Pod Volume Definitions
- Pod Network Status
- Using the securityContext Correctly
- Enhancing the securityContext with Kubesec
- Hardened securityContext
- Into the Eye of the Storm
- Conclusion
- Chapter 3. Container Runtime Isolation
- Defaults
- Threat Model
- Containers, Virtual Machines, and Sandboxes
- How Virtual Machines Work
- Benefits of Virtualization
- What's Wrong with Containers?
- User Namespace Vulnerabilities
- Sandboxing
- gVisor
- Firecracker
- Kata Containers
- rust-vmm
- Risks of Sandboxing
- Kubernetes Runtime Class
- Conclusion
- Chapter 4. Applications and Supply Chain
- Defaults
- Threat Model
- The Supply Chain
- Software
- Scanning for CVEs
- Ingesting Open Source Software
- Which Producers Do We Trust?
- CNCF Security Technical Advisory Group
- Architecting Containerized Apps for Resilience
- Detecting Trojans
- Captain Hashjack Attacks a Supply Chain
- Post-Compromise Persistence
- Risks to Your Systems
- Container Image Build Supply Chains
- Software Factories
- Blessed Image Factory
- Base Images
- The State of Your Container Supply Chains
- Third-Party Code Risk
- Software Bills of Materials
- Human Identity and GPG
- Signing Builds and Metadata
- Notary v1
- sigstore
- in-toto and TUF
- GCP Binary Authorization
- Grafeas
- Infrastructure Supply Chain
- Operator Privileges
- Attacking Higher Up the Supply Chain
- Types of Supply Chain Attack
- Open Source Ingestion
- Application Vulnerability Throughout the SDLC
- Defending Against SUNBURST
- Conclusion
- Chapter 5. Networking
- Defaults
- Intra-Pod Networking
- Inter-Pod Traffic
- Pod-to-Worker Node Traffic
- Cluster-External Traffic
- The State of the ARP
- No securityContext
- No Workload Identity
- No Encryption on the Wire
- Threat Model
- Traffic Flow Control
- The Setup
- Network Policies to the Rescue!
- Service Meshes
- Concept
- Options and Uptake
- Case Study: mTLS with Linkerd
- eBPF
- Concept
- Options and Uptake
- Case Study: Attaching a Probe to a Go Program
- Conclusion
- Chapter 6. Storage
- Defaults
- Threat Model
- Volumes and Datastores
- Everything Is a Stream of Bytes
- What's a Filesystem?
- Container Volumes and Mounts
- OverlayFS
- tmpfs
- Volume Mount Breaks Container Isolation
- The /proc/self/exe CVE
- Sensitive Information at Rest
- Mounted Secrets
- Attacking Mounted Secrets
- Storage Concepts
- Container Storage Interface
- Projected Volumes
- Attacking Volumes
- The Dangers of Host Mounts
- Other Secrets and Exfiltrating from Datastores
- Conclusion
- Chapter 7. Hard Multitenancy
- Defaults
- Threat Model
- Namespaced Resources
- Node Pools
- Node Taints
- Soft Multitenancy
- Hard Multitenancy
- Hostile Tenants
- Sandboxing and Policy
- Public Cloud Multitenancy
- Control Plane
- API Server and etcd
- Scheduler and Controller Manager
- Data Plane
- Cluster Isolation Architecture
- Cluster Support Services and Tooling Environments
- Security Monitoring and Visibility
- Conclusion
- Chapter 8. Policy
- Types of Policies
- Defaults
- Network Traffic
- Limiting Resource Allocations
- Resource Quotas
- Runtime Policies
- Access Control Policies
- Threat Model
- Common Expectations
- Breakglass Scenario
- Auditing
- Authentication and Authorization
- Human Users
- Workload Identity
- Role-Based Access Control (RBAC)
- RBAC Recap
- A Simple RBAC Example
- Authoring RBAC
- Analyzing and Visualizing RBAC
- RBAC-Related Attacks
- Generic Policy Engines
- Open Policy Agent
- Kyverno
- Other Policy Offerings
- Conclusion
- Chapter 9. Intrusion Detection
- Defaults
- Threat Model
- Traditional IDS
- eBPF-Based IDS
- Kubernetes and Container Intrusion Detection
- Falco
- Machine Learning Approaches to IDS
- Container Forensics
- Honeypots
- Auditing
- Detection Evasion
- Security Operations Centers
- Conclusion
- Chapter 10. Organizations
- The Weakest Link
- Cloud Providers
- Shared Responsibility
- Account Hygiene
- Grouping People and Resources
- Other Considerations
- On-Premises Environments
- Common Considerations
- Threat Model Explosion
- How SLOs Can Put Additional Pressure on You
- Social Engineering
- Privacy and Regulatory Concerns
- Conclusion
- Appendix A. A Pod-Level Attack
- Filesystem
- tmpfs
- Host Mounts
- Hostile Containers
- Runtime
- Appendix B. Resources
- General
- References
- Books
- Further Reading by Chapter
- Intro
- Pods
- Supply Chains
- Networking
- Policy
- Notable CVEs
- Index
- About the Authors
- Colophon
System requirements
File format: PDF
Copy-Protection: Adobe-DRM (Digital Rights Management)
System requirements:
- Computer (Windows; MacOS X; Linux): Install the free reader Adobe Digital Editions prior to download (see eBook Help).
- Tablet/smartphone (Android; iOS): Install the free app Adobe Digital Editions or the app PocketBook before downloading (see eBook Help).
- E-reader: Bookeen, Kobo, Pocketbook, Sony, Tolino and many more (only limited: Kindle).
The file format PDF always displays a book page identically on any hardware. This makes PDF suitable for complex layouts such as those used in textbooks and reference books (images, tables, columns, footnotes). Unfortunately, on the small screens of e-readers or smartphones, PDFs are rather annoying, requiring too much scrolling.
This eBook uses Adobe-DRM, a "hard" copy protection. If the necessary requirements are not met, unfortunately you will not be able to open the eBook. You will therefore need to prepare your reading hardware before downloading.
Please note: We strongly recommend that you authorise using your personal Adobe ID after installation of any reading software.
For more information, see our eBook Help page.