Kubernetes is essentially a framework of various services that make up its typical architecture, which can be divided into two roles: the control-plane, which serves as a central control hub and hosts most of the components, and the nodes or workers, where containers and their respective workloads a
The article discusses the attack surface of a Kubernetes cluster and the potential risks associated with a compromised etcd. It explains how an attacker can tamper with the timestamp of a newly created pod to make it appear as if it had been running in the cluster for a certain period of time, as well as how to manipulate the pod name and its path in the database to prevent it from being deleted by the kube-apiserver. It also explains how to create inconsistencies in pods by manipulating the namespace entry in etcd, making them semi-hidden and difficult to identify or manage effectively.
The article then goes on to discuss Admission Controllers, which are used to enforce the deployment of hardened pods. It explains the three predefined levels of security, known as the Pod Security Standards: Privileged, Baseline, and Restricted. It also explains that these Pod Security Admission (PSA) policies apply equally to all roles, so even a cluster admin could not circumvent the restrictions unless they recreated the namespace with these policies disabled.
Finally, the article explains how it is possible to inject privileged pods into namespaces restricted by PSA using etcd, and how this could be used to gain access to the underlying nodes. It also explains that, despite the capabilities of this post-exploitation technique, it would be easily detectable, especially if the attacker seeks to obtain shells on the nodes, mainly by third-party runtime security solutions with good log ingest times.
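A defender-side consistency check for the manipulations described above, added here as an example and not code from the original article: it compares each pod's etcd key path with the object's own metadata, sanity-checks creationTimestamp against the namespace's age and the current time, and flags privileged containers stored under a namespace whose Pod Security Admission label enforces baseline or restricted. It assumes the default kube-apiserver key layout `/registry/pods/<namespace>/<name>` and that the stored values have already been decoded from the apiserver's storage encoding into JSON-style dicts; the sample entries are constructed.

```python
from datetime import datetime, timezone

ETCD_PREFIX = "/registry/pods/"  # kube-apiserver default --etcd-prefix is /registry
PSA_ENFORCE = "pod-security.kubernetes.io/enforce"

def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)  # RFC 3339 UTC

def check_pod_entry(key, pod, ns_labels, ns_created, now):
    """Findings for one decoded etcd key/value pair; an empty list means consistent."""
    if not key.startswith(ETCD_PREFIX):
        return ["key outside the pod registry prefix"]
    path_ns, _, path_name = key[len(ETCD_PREFIX):].partition("/")
    meta = pod.get("metadata", {})
    findings = []
    # 1. The apiserver addresses the object by its key path, so the stored metadata must agree.
    if meta.get("namespace") != path_ns:
        findings.append(f"namespace mismatch: path={path_ns} object={meta.get('namespace')}")
    if meta.get("name") != path_name:
        findings.append(f"name mismatch: path={path_name} object={meta.get('name')}")
    # 2. creationTimestamp is set server-side: it cannot predate the namespace or lie in the future.
    created = parse_ts(meta.get("creationTimestamp", "1970-01-01T00:00:00Z"))
    if path_ns in ns_created and created < parse_ts(ns_created[path_ns]):
        findings.append("creationTimestamp predates its namespace")
    if created > now:
        findings.append("creationTimestamp is in the future")
    # 3. A privileged container under a baseline/restricted-enforced namespace bypassed admission.
    enforce = ns_labels.get(path_ns, {}).get(PSA_ENFORCE, "privileged")
    if enforce != "privileged":
        for c in pod.get("spec", {}).get("containers", []):
            if c.get("securityContext", {}).get("privileged"):
                findings.append(f"privileged container '{c.get('name')}' under {enforce} enforcement")
    return findings

def audit(entries, ns_labels, ns_created, now):
    report = {k: check_pod_entry(k, v, ns_labels, ns_created, now) for k, v in entries}
    return {k: f for k, f in report.items() if f}  # only keys that produced findings

# Constructed sample data (not a real cluster): a legitimate pod and one written straight into etcd.
NS_LABELS = {"prod": {PSA_ENFORCE: "restricted"}}
NS_CREATED = {"prod": "2024-03-01T00:00:00Z"}
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
ENTRIES = [
    ("/registry/pods/prod/web-1", {"metadata": {"namespace": "prod", "name": "web-1",
        "creationTimestamp": "2024-05-01T10:00:00Z"}, "spec": {"containers": [{"name": "web"}]}}),
    ("/registry/pods/prod/web-2", {"metadata": {"namespace": "kube-system", "name": "agent",
        "creationTimestamp": "2024-01-15T08:00:00Z"}, "spec": {"containers": [
        {"name": "shell", "securityContext": {"privileged": True}}]}}),
]
REPORT = audit(ENTRIES, NS_LABELS, NS_CREATED, NOW)
```

In a real cluster the entries would come from an etcd range read over the pod prefix, and the namespace labels and creation times from the corresponding namespace objects.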
The article concludes by emphasizing the need to rethink the implementation of etcd and how far it is trusted within the cluster, adding mechanisms that ensure data integrity. It suggests enabling user namespaces, using container sandboxing technologies, or running the container engine in rootless mode to mitigate the threat of a compromised etcd. Ultimately, this article provides an in-depth analysis of the attack surface of a Kubernetes cluster and the potential risks associated with a compromised etcd, as well as suggestions on how to mitigate these risks and ensure the security of the cluster and its underlying infrastructure.
📓 Post-exploiting a compromised etcd – Full control over the cluster and its nodes
👉🏽 Discusses the attack surface and risks of a compromised etcd in Kubernetes.
👉🏽 Explains how attackers can manipulate pod timestamps and names to evade detection.
👉🏽 Highlights the manipulation of the namespace entry in etcd to hide and manage pods.
👉🏽 Explores Admission Controllers and the Pod Security Standards for hardened pod deployment.
👉🏽 Explains the three levels of security (Privileged, Baseline, Restricted) in PSA.
👉🏽 Shows that PSA applies universally; even a cluster admin cannot bypass it.
👉🏽 Discusses injecting privileged pods into restricted namespaces through etcd.
👉🏽 Describes the potential for gaining access to underlying nodes through privileged pods.
👉🏽 Mentions the detectability of post-exploitation techniques by security solutions.
👉🏽 Concludes with suggestions to enhance etcd's reliability and mitigate compromised etcd risks.
#KubernetesSecurity #CompromisedEtcd #DataIntegrity #PodSecurityStandard #MitigatingRisks