Attack methods and defenses on Kubernetes
Μέθοδοι επίθεσης και άμυνας στο Kubernetes
Master Thesis
Author
Μυτιληνάκης, Παναγιώτης
Mytilinakis, Panagiotis
Date
2020-06
Keywords
Kubernetes ; Docker ; Docker security ; Kubernetes security
Abstract
The increasing rate of adoption of containers and container orchestration, both in cloud computing and on premises, raises a number of questions about their security. Kubernetes combined with Docker is by far the most frequently adopted solution for running containerized workloads. Kubernetes is divided into two planes, the control plane and the data plane. The control plane includes the components that Kubernetes needs in order to function and to manage the cluster state, while the data plane includes the components responsible for running the actual workloads. Furthermore, Kubernetes defines several objects that are used to describe the cluster's desired state. In this thesis, specific attacks were conducted against a Kubernetes cluster; they can be divided into four categories: (a) attacks on the Kubernetes engine and its components; (b) attacks on the Kubernetes network layer, where MITM and DNS spoofing attacks are possible under certain circumstances; (c) attacks that concern the containers inside a pod, showing how an attacker can inject malicious code into a container image and upload it to a container registry, or exploit a container that has one or more vulnerabilities; and (d) attacks that are based on Infrastructure-as-Code vulnerabilities that a malicious actor can take advantage of.

Corresponding to the attacks, a number of defenses were recommended as countermeasures, depending on the layer at which each attack can take place. For the attacks that concern the Kubernetes engine, kube-bench was recommended as a tool that detects misconfigurations and the entry points an attacker can take advantage of. To protect the network layer, network policies take the place of the layer 3 firewall of a traditional infrastructure, complemented by service meshes operating at layer 7. Containers inside pods can be scanned before their images are uploaded to a registry; in this thesis the Clair scanner was used for this purpose. Finally, Pod Security Policies were used to block vulnerable code from being deployed.