The use of container technology has become an incredibly effective way for companies to deploy applications, regardless of runtime environment peculiarities. It brings together code, its libraries, configuration files, and dependencies to eliminate operating system barriers and network architecture restrictions.
Recent research found that 88% of organizations leverage the open-source system called Kubernetes to manage containerized code. Unsurprisingly, cybercriminals are busy looking for ways to exploit this hugely popular container orchestration tool. Such hacks can be fertile soil for cryptocurrency mining, DDoS attacks, and data theft.
Kubernetes threat landscape
Threat actors can execute compromises from both inside and outside an organization. Overall, Kubernetes-based infrastructures are on the receiving end of attacks that stem from the following sources of offense:
Supply chain incursions. This foul play boils down to breaching a Kubernetes cluster element that contributes to delivering the end product – for instance, a third-party application or a specific container.
Cybercriminals. Gaining an unauthorized foothold in the control plane, applications, and worker nodes has become the top exploitation scenario. Crooks typically do it by accessing crudely secured application programming interfaces (APIs) used by Kubernetes.
Insider threats. Company employees or representatives of a third-party service provider who have access to some Kubernetes components can also precipitate compromises. This can pose as deliberate sucker-punches or accidental leaks of sensitive data due to weak digital hygiene.
How to safeguard a Kubernetes setup
The organization should focus on protecting five areas of Kubernetes deployment. Here are the relevant techniques:
- Fortify the pods.
A pod functions as the elementary deployable unit of a Kubernetes environment. If hackers access one or several containers that form a pod, they may try to extend their reach to other segments of the organization’s network.
The use of non-root containers restricts the privileges of applications to pull the plug on this abuse. It’s also a good idea to leverage containers with immutable file systems – this tactic prevents malefactors from modifying code or executing malware.
- Harden the network’s security.
Interoperability between containers and pods within a Kubernetes cluster is the prerequisite for proper operation of the system, but it may also facilitate a threat actor’s lateral movement across the company’s digital assets. A properly configured firewall and network policies can help prevent this adverse situation. Encryption can shield the most important data at rest and in transit.
The Kubernetes namespaces feature lets security teams define access rights for different user roles, applications, and departments. In addition, enhance the protection of the “etcd” server that retains confidential information such as cluster Secrets. Make sure it interacts with APIs over an encrypted protocol.
- Rein in on access permissions.
Attackers often take advantage of ineffective user verification practices. They may scan your Kubernetes installation for open ports to obtain data without having to authenticate in the system. Since weak sign-in credentials pose another major vulnerability, network admins need to enforce the use of hard-to-guess passwords or multi-factor authentication.
The role-based access control (RBAC) feature helps implement the principle of least privilege. Available in Kubernetes version 1.6 and above, it lets IT personnel align user access rights with their positions in the corporate hierarchy.
- Stay on top of the logs.
System logs can offer visibility across Kubernetes services, and their informative potential goes beyond maintenance purposes. They are often verbose in terms of malicious configuration changes and other discrepancies that are telltale signs of abuse.
Unfortunately, Kubernetes lacks advanced monitoring capabilities. While keeping a record of server CPU and RAM usage, it doesn’t supervise network traffic, permission tweaks, and API requests on its own.
To bridge the gap, consider installing a Security Information and Event Management (SIEM) system equipped with such functionality. It’s also worthwhile to use a custom software development services to create a personalized solution that will keep tabs on your logs and alert you to risk if an anomaly is spotted.
- Take updates seriously.
Make sure all the building blocks of the Kubernetes ecosystem are up-to-date. This applies to the underlying operating system, plug-ins, virtualization software, and every deployed application. Timely updates close security gaps that may turn the organization into low-hanging fruit. Also, tidy up the containerized infrastructure by eliminating entities no longer needed.
Malicious actors think of Kubernetes as a juicy target because it’s so widely used by organizations around the world. Therefore, taking its protection a step further would never go amiss. Keep in mind that it’s not enough to fend off external adversaries because insider threats are gearing up for a rise these days. These tips can point security teams in the right direction with their defense efforts. By using a managed Kubernetes service, the company will save the hassle of applying updates and vulnerability patches.
David Balaban, owner, Privacy-PC
