Hacking Kubernetes: Threat-Driven Analysis and Defense
Running cloud native workloads on Kubernetes can be challenging–keeping them secure is even more so. Kubernetes’s complexity offers malicious in-house users and external attackers alike a large assortment of attack vectors. Hacking Kubernetes reviews defaults and threat models and shows how to protect against attacks.
Securing your workloads is both essential and urgent, so this invaluable hands-on guide is available to you in an early release edition before it’s available to the general public. It covers topics critical for cloud native security, detailing how to:
- Run Kubernetes securely, on both a strategic and an operational level
- Exploit Kubernetes default configurations and defend against these kinds of attacks
- Review Kubernetes clusters for security weaknesses
- Securely run arbitrary and untrusted code
- Harden the Kubernetes setup to defend against any and all possible threats
Preface About You About Us How To Use This Book Conventions Used in This Book Using Code Examples O’Reilly Online Learning How to Contact Us Acknowledgments 1. Introduction Setting the Scene Starting to Threat Model Threat Actors Your First Threat Model Attack Trees Example Attack Trees Prior Art Conclusion 2. Pod-Level Resources Defaults Threat Model Anatomy of the Attack Remote Code Execution Network Attack Surface Kubernetes Workloads: Apps in a Pod What’s a Pod? Understanding Containers Sharing Network and Storage What’s the Worst That Could Happen? Container Breakout Pod Configuration and Threats Pod Header Reverse Uptime Labels Managed Fields Pod Namespace and Owner Environment Variables Container Images Pod Probes CPU and Memory Limits and Requests DNS Pod securityContext Pod Service Accounts Scheduler and Tolerations Pod Volume Definitions Pod Network Status Using the securityContext Correctly Enhancing the securityContext with Kubesec Hardened securityContext Into the Eye of the Storm Conclusion 3. Container Runtime Isolation Defaults Threat Model Containers, Virtual Machines, and Sandboxes How Virtual Machines Work Benefits of Virtualization What’s Wrong with Containers? User Namespace Vulnerabilities Sandboxing gVisor Firecracker Kata Containers rust-vmm Risks of Sandboxing Kubernetes Runtime Class Conclusion 4. Applications and Supply Chain Defaults Threat Model The Supply Chain Software Scanning for CVEs Ingesting Open Source Software Which Producers Do We Trust? CNCF Security Technical Advisory Group Architecting Containerized Apps for Resilience Detecting Trojans Captain Hashjack Attacks a Supply Chain Post-Compromise Persistence Risks to Your Systems Container Image Build Supply Chains Software Factories Blessed Image Factory Base Images The State of Your Container Supply Chains Third-Party Code Risk Software Bills of Materials Human Identity and GPG Signing Builds and Metadata Notary v1 sigstore in-toto and TUF GCP Binary Authorization Grafeas Infrastructure Supply Chain Operator Privileges Attacking Higher Up the Supply Chain Types of Supply Chain Attack Open Source Ingestion Application Vulnerability Throughout the SDLC Defending Against SUNBURST Conclusion 5. Networking Defaults Intra-Pod Networking Inter-Pod Traffic Pod-to-Worker Node Traffic Cluster-External Traffic The State of the ARP No securityContext No Workload Identity No Encryption on the Wire Threat Model Traffic Flow Control The Setup Network Policies to the Rescue! Service Meshes Concept Options and Uptake Case Study: mTLS with Linkerd eBPF Concept Options and Uptake Case Study: Attaching a Probe to a Go Program Conclusion 6. Storage Defaults Threat Model Volumes and Datastores Everything Is a Stream of Bytes What’s a Filesystem? Container Volumes and Mounts OverlayFS tmpfs Volume Mount Breaks Container Isolation The /proc/self/exe CVE Sensitive Information at Rest Mounted Secrets Attacking Mounted Secrets Storage Concepts Container Storage Interface Projected Volumes Attacking Volumes The Dangers of Host Mounts Other Secrets and Exfiltraing from Datastores Conclusion 7. Hard Multitenancy Defaults Threat Model Namespaced Resources Node Pools Node Taints Soft Multitenancy Hard Multitenancy Hostile Tenants Sandboxing and Policy Public Cloud Multitenancy Control Plane API Server and etcd Scheduler and Controller Manager Data Plane Cluster Isolation Architecture Cluster Support Services and Tooling Environments Security Monitoring and Visibility Conclusion 8. Policy Types of Policies Defaults Network Traffic Limiting Resource Allocations Resource Quotas Runtime Policies Access Control Policies Threat Model Common Expectations Breakglass Scenario Auditing Authentication and Authorization Human Users Workload Identity Role-Based Access Control (RBAC) RBAC Recap A Simple RBAC Example Authoring RBAC Analyzing and Visualizing RBAC RBAC-Related Attacks Generic Policy Engines Open Policy Agent Kyverno Other Policy Offerings Conclusion 9. Intrusion Detection Defaults Threat Model Traditional IDS eBPF-Based IDS Kubernetes and Container Intrusion Detection Falco Machine Learning Approaches to IDS Container Forensics Honeypots Auditing Detection Evasion Security Operations Centers Conclusion 10. Organizations The Weakest Link Cloud Providers Shared Responsibility Account Hygiene Grouping People and Resources Other Considerations On-Premises Environments Common Considerations Threat Model Explosion How SLOs Can Put Additional Pressure on You Social Engineering Privacy and Regulatory Concerns Conclusion A. A Pod-Level Attack Filesystem tmpfs Host Mounts Hostile Containers Runtime B. Resources General References Books Further Reading by Chapter Intro Pods Supply Chains Networking Policy Notable CVEs Index
How to download source code?
1. Go to:
2. Search the book title:
Hacking Kubernetes: Threat-Driven Analysis and Defense, sometime you may not get the results, please search the main title
3. Click the book title in the search results
Publisher resources section, click
Download Example Code.
1. Disable the AdBlock plugin. Otherwise, you may not get any links.
2. Solve the CAPTCHA.
3. Click download link.
4. Lead to download server to download.