The current Kubernetes Podcast episode gives a great view into how to attack Kubernetes clusters. I have been saying this all the time when I see OpenShift or Kubernetes clusters that try to protect the container infrastructure with tools made for protecting pods, but hardly protect the container orchestration platform itself.
Securing the container infrastructure is hard, and not doing it may lead to things like cluster takeover or host escapes.
I like one of the quotes from the linked talks, the "first law of inertia":
Defaults in use early tend to stay in use. Systems hardened late tend to break.
Network access to the Kubernetes cluster is considered low-hanging fruit, so it is essential to restrict it on a least-privilege basis: there really does not need to be much access into a cluster.
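As an added example (not from the post, the podcast or the linked talks), here is the weak setting beside the hardened one for two places where that access usually leaks on the orchestration layer itself rather than on the pods: the kubelet API that listens on every node, and unrestricted egress from workloads that lets a compromised pod reach the kubelet, the API server or a cloud metadata endpoint. The certificate path, the `app` namespace and the kube-dns labels are assumptions about a typical kubeadm-style cluster; the `kubernetes.io/metadata.name` namespace label is set automatically on recent Kubernetes versions.

```yaml
# --- 1. Kubelet: the weak defaults often found on self-built clusters.
# Shown for contrast only; do not apply this document.
apiVersion: kubelet.config.k8s.io/v1beta1
kind: KubeletConfiguration
authentication:
  anonymous:
    enabled: true          # unauthenticated requests get the system:anonymous identity
authorization:
  mode: AlwaysAllow        # ...and are allowed to exec into / read logs of any pod
readOnlyPort: 10255        # unauthenticated read-only API listing every pod and its env vars
---
# --- 2. Kubelet: hardened configuration (assumed paths for a kubeadm-style node).
apiVersion: kubelet.config.k8s.io/v1beta1
kind: KubeletConfiguration
authentication:
  anonymous:
    enabled: false         # reject requests without credentials
  x509:
    clientCAFile: /etc/kubernetes/pki/ca.crt   # assumption: cluster CA location
  webhook:
    enabled: true          # bearer tokens are checked against the API server (TokenReview)
authorization:
  mode: Webhook            # every request is authorized via SubjectAccessReview
readOnlyPort: 0            # 0 disables the unauthenticated read-only port entirely
---
# --- 3. Workloads: deny all ingress and egress in the namespace by default,
# so a compromised pod cannot reach the kubelet (10250), the API server
# or a cloud metadata endpoint unless an explicit allow rule exists.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: app           # assumption: the workload namespace
spec:
  podSelector: {}          # empty selector: applies to every pod in the namespace
  policyTypes:
    - Ingress
    - Egress
---
# --- 4. Workloads: the one egress most pods actually need, cluster DNS.
# Add further allow rules per workload instead of widening this one.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-dns-egress
  namespace: app
spec:
  podSelector: {}
  policyTypes:
    - Egress
  egress:
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns   # assumption: label used by the cluster's DNS pods
      ports:
        - port: 53
          protocol: UDP
        - port: 53
          protocol: TCP
```

Documents 2 to 4 are the ones to apply; the kubelet configuration goes on each node (and needs a kubelet restart), the two NetworkPolicy objects go through `kubectl apply`. NetworkPolicy is only enforced if the CNI plugin supports it, so check that the default-deny actually blocks traffic from a test pod before relying on it, and remember that it covers pod traffic only: access to the API server and kubelet ports from outside the cluster still has to be restricted at the network or cloud firewall level.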
There is also a great SANS presentation from Ian Coldwater (@IanColdwater) about just this.