Tools

  1. Kube-bench

    • Checks Kubernetes deployment against the CIS Kubernetes Benchmark.
  2. Popeye

    • Scans live Kubernetes clusters for potential issues with resources and configurations.
  3. Kube-hunter

    • Hunts for security weaknesses in Kubernetes clusters by checking for open ports and accessible information.
    • Can also be run from inside a pod, where it uses the pod's mounted service account token to probe the Kubernetes API (i.e. it shows what a compromised pod could reach).
  4. Sonobuoy

Security Practices

Container Best Practices

  • Run containers as non-root users.
  • Use distroless images, which contain only the application and its language runtime (no shell or package manager).
  • Isolate the network so that workloads can reach only what they need, rather than relying on the default flat pod network.

Admission Controllers

  • Open Policy Agent

Activity Monitoring

  • Set up alerts for unusual activities, such as:
    • Container executions
    • Creation of new services
  • Monitoring Tools:
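
Added example (not part of the original notes): the two alert conditions above (exec into a container, creation of a Service) can be captured from the API server's own audit log before any third-party tool is involved. This kube-apiserver audit Policy records both at a level that keeps the request URI (which carries the exec command parameters) and keeps a Metadata baseline for everything else. It is loaded with the existing --audit-policy-file flag; the alerting on top of the log is left to whatever SIEM is in use.

```yaml
apiVersion: audit.k8s.io/v1
kind: Policy
# Drop the RequestReceived stage so each request produces one event, not two.
omitStages:
  - "RequestReceived"
rules:
  # Container executions: exec/attach/port-forward are "create" calls on pod subresources.
  # The event's requestURI includes the command and target container.
  - level: RequestResponse
    verbs: ["create"]
    resources:
      - group: ""
        resources: ["pods/exec", "pods/attach", "pods/portforward"]

  # Creation (and other writes) of Services, which can expose workloads.
  - level: Metadata
    verbs: ["create", "update", "patch", "delete"]
    resources:
      - group: ""
        resources: ["services"]

  # Baseline: who did what to which resource, without request bodies.
  - level: Metadata
```

Rules are matched top to bottom and the first match wins, so the specific rules must sit above the catch-all.
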

Image Scanning

  1. Clair - Static analysis for vulnerabilities.
  2. Trivy - User-friendly vulnerability scanner.
  3. Copacetic - Used to patch vulnerabilities reported by Trivy.
  4. Sysdig - Another option for image scanning.

Access Control

  • By default, every pod has its service account token mounted, so any process in the pod can authenticate to the Kubernetes API (what it may then do is governed by the RBAC bound to that service account), for example at:
    • https://kubernetes/api/v1/namespaces/default

Playground

  • Kubernetes Goat: A “Vulnerable by Design” cluster environment to learn and practice Kubernetes security.

Security Enhancements

  • Set automountServiceAccountToken to false in ServiceAccount configurations:

    apiVersion: v1
    kind: ServiceAccount
    metadata:
      name: beta
    automountServiceAccountToken: false

  • Ensure that pods do not run as root users.
  • Encrypt secrets before storing them, using tools like HashiCorp Vault.
  • Secure etcd (it holds all cluster state, including Secrets).
  • Configure network policies to restrict pod communication across namespaces.
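
Added example (not from the original notes) for the last point: a NetworkPolicy that applies to every pod in a namespace and allows ingress only from pods in that same namespace, so cross-namespace traffic is dropped. The namespace name team-a is a constructed placeholder. Enforcement requires a CNI plugin that implements NetworkPolicy; on a cluster without one the object is accepted but has no effect.

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: same-namespace-only
  namespace: team-a           # constructed example namespace
spec:
  # Empty podSelector: the policy applies to all pods in the namespace.
  podSelector: {}
  policyTypes:
    - Ingress
  ingress:
    # An empty podSelector in "from" means "any pod in this same namespace".
    # Pods in other namespaces, and anything outside the cluster, are denied.
    - from:
        - podSelector: {}
```

If the namespace receives traffic from a shared ingress controller or monitoring namespace, add a second from entry with a namespaceSelector for it; otherwise that traffic is blocked too, which is the quickest way to notice the policy is actually being enforced.
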

Pod Security Admission

Security Context for Pods

Set the following security context in the pod YAML file:

securityContext:                    # container-level (spec.containers[].securityContext)
  allowPrivilegeEscalation: false   # blocks setuid binaries and capability gains at exec time
  readOnlyRootFilesystem: true      # any writable path must be an explicit volume mount
  runAsUser: 1000                   # numeric, non-zero UID for the container process

  • Avoid using privileged: true in a Kubernetes securityContext, as it grants the container access to the node's resources.
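
Added example (not from the original notes) covering both the Pod Security Admission heading and the security context above: a Namespace labelled so that Pod Security Admission enforces the built-in restricted profile, and a Pod that is admitted under it. The restricted profile requires runAsNonRoot, allowPrivilegeEscalation: false, all capabilities dropped and a RuntimeDefault seccomp profile; readOnlyRootFilesystem and the pod-level automountServiceAccountToken: false are the notes' own recommendations folded in. The namespace name, pod name and image reference are constructed placeholders.

```yaml
apiVersion: v1
kind: Namespace
metadata:
  name: hardened-apps                                  # constructed example name
  labels:
    # Reject pods that violate the restricted profile ...
    pod-security.kubernetes.io/enforce: restricted
    pod-security.kubernetes.io/enforce-version: latest
    # ... and also warn the client and annotate the audit log.
    pod-security.kubernetes.io/warn: restricted
    pod-security.kubernetes.io/audit: restricted
---
apiVersion: v1
kind: Pod
metadata:
  name: hardened-app                                   # constructed example name
  namespace: hardened-apps
spec:
  # Pod-level counterpart of the ServiceAccount setting; no API token is mounted.
  automountServiceAccountToken: false
  securityContext:
    runAsNonRoot: true          # kubelet refuses to start the pod if the image runs as UID 0
    runAsUser: 1000
    runAsGroup: 1000
    fsGroup: 1000
    seccompProfile:
      type: RuntimeDefault      # required by the restricted profile
  containers:
    - name: app
      image: registry.example.com/app:1.0.0            # placeholder image reference
      securityContext:
        allowPrivilegeEscalation: false
        readOnlyRootFilesystem: true
        privileged: false
        capabilities:
          drop: ["ALL"]         # restricted profile: drop everything (NET_BIND_SERVICE may be re-added)
      volumeMounts:
        - name: tmp
          mountPath: /tmp       # the only writable path, because the root filesystem is read-only
  volumes:
    - name: tmp
      emptyDir: {}
```

Removing any of the required fields (for instance the seccompProfile) makes the API server reject the Pod with a message naming the violated control, which is a quick way to confirm the namespace labels are in effect.
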

Additional Best Practices for AKS

  1. Block IP access to the API server.
  2. Use Microsoft Defender for AKS.
  3. Rotate kubelet certificates.

Finding Container Services on the Internet

  1. Censys
  2. BinaryEdge
  3. Shodan

Tools for Attacking and Scanning

  • KubeHound - Automated calculation of attack paths in a cluster.
  • Netfetch - Scans clusters for network policies and identifies unprotected workloads.

Docker Security

  • The command docker run -ti --privileged --net=host --pid=host --ipc=host --volume /:/host busybox chroot /host gives the container unrestricted access to the host's resources: --privileged removes the container's security restrictions, the --net/--pid/--ipc flags share the host's namespaces, and the chroot into the bind-mounted host root filesystem makes the resulting shell effectively a root shell on the host. Any workload that asks for this combination of flags should be treated as root on the node.

Resources