Does Kubernetes have a target on its back?

Robert Lemos, Freelance writer

The last year-plus has been hard for Kubernetes, the popular container orchestration platform. In October 2017, security firm RedLock found that companies including electric-car maker Tesla and smart-card maker Gemalto had left Kubernetes administrator access to hundreds of systems open to the Internet.

A few months later, security firm KromTech discovered a host of other Kubernetes systems allowing open access, including a cluster owned by weight-loss firm WeightWatchers.

In every case, the companies exposed their Amazon Web Services and Microsoft Azure cloud accounts to potential attackers, who—in some cases—obliged by installing crypto-mining software into the containers.

Last month, vulnerability hunters notified the Kubernetes project that two flaws in the Kubernetes API (application programming interface) server allow an attacker to authenticate to the server and then escalate their privileges to allow access to any container and data managed by the platform. Unfortunately, there was no way to determine if the attack had successfully been used.

While Kubernetes has become the top container management platform, the software is still a work in progress. It has solid security features, including role-based access control, which was made standard in October 2017. But companies often do not configure the security features correctly. And like other platforms, in its default state, Kubernetes is not always secure.

Here are three reasons why Kubernetes will continue to come under attack, and advice from experts on how to minimize risk.

1. Attacks are rare but will increase

"It's likely that we will see more attacks against Kubernetes over time," said Chenxi Wang, managing partner at cybersecurity venture firm Rain Capital and a former security analyst.

While Kubernetes has not become a significant target, the popularity of the software will likely attract malicious attackers, just as it has drawn security researchers.

Kubernetes has dominated the field for container management, with about 80% of companies using the technology to orchestrate their deployment of applications into cloud infrastructure. This is according to the Cloud Native Computing Foundation's annual survey, published in August 2018. More than half of companies—58%—are using Kubernetes to manage their deployment of production applications.

"The trend indicates that more and more companies are moving to that environment, so the threat will move there too."
Chenxi Wang

2. Kubernetes security is already getting hammered

Security researchers already have Kubernetes in their crosshairs, and where security research goes, attackers follow.

During a lightning talk on Kubernetes hacking in March 2017, Dino Dai Zovi, then chief technology officer of Linux security firm Capsule8, demonstrated possible Kubernetes attacks. These included using ShellShock to get access to a container managed by Kubernetes and then using the platform's services to move laterally. With its current security, Kubernetes makes it relatively easy for attackers to move around once inside a cluster.

"[Attackers] are going to look at your attack service. In Kubernetes, that is an exposed service via the load balance, ingress tool, or a node port—that is your overall risk. I don't really care about escalating privilege via the kernel, because I will have Kubernetes do it for me."
Dino Dai Zovi

This is exactly what happened to a worker at household-cleaning services firm Handy. In March 2018, an unknown attacker compromised the worker's personal Kubernetes cluster to run crypto-mining software. After an investigation, the technical team at Handy found that the worker's cluster was exposing API server ports to the Internet.
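For teams that want to inventory the exposure Dai Zovi describes, here is an added example (not code from the article or from the Kubernetes project) that flags Services reachable from outside a cluster. It assumes input in the shape of `kubectl get services -A -o json`; the sample data and the `exposed_services` helper are constructed for illustration, and Ingress objects are not covered.

```python
# Added example: flag Kubernetes Services reachable from outside the cluster.
# SAMPLE is constructed data in the shape of `kubectl get services -A -o json`.
SAMPLE = {"items": [
    {"metadata": {"namespace": "default", "name": "kubernetes"},
     "spec": {"type": "ClusterIP", "ports": [{"port": 443}]}},
    {"metadata": {"namespace": "web", "name": "frontend"},
     "spec": {"type": "LoadBalancer",
              "ports": [{"port": 80, "nodePort": 31080}]}},
    {"metadata": {"namespace": "ops", "name": "dashboard"},
     "spec": {"type": "NodePort",
              "ports": [{"port": 8443, "nodePort": 30443}]}},
    {"metadata": {"namespace": "internal", "name": "api"},
     "spec": {"type": "LoadBalancer",
              "loadBalancerSourceRanges": ["10.0.0.0/8"],
              "ports": [{"port": 443, "nodePort": 32443}]}},
]}

EXTERNAL_TYPES = {"NodePort", "LoadBalancer"}


def exposed_services(service_list):
    """Return one finding per Service that is exposed beyond the cluster network."""
    findings = []
    for svc in service_list.get("items", []):
        meta = svc.get("metadata", {})
        spec = svc.get("spec", {})
        svc_type = spec.get("type", "ClusterIP")  # ClusterIP is the default type
        reasons = []
        if svc_type in EXTERNAL_TYPES:
            reasons.append(f"type={svc_type}")
        if spec.get("externalIPs"):
            reasons.append("externalIPs set")
        # A LoadBalancer without source ranges accepts traffic from any address.
        if svc_type == "LoadBalancer" and not spec.get("loadBalancerSourceRanges"):
            reasons.append("no loadBalancerSourceRanges")
        if reasons:
            findings.append({
                "service": f"{meta.get('namespace')}/{meta.get('name')}",
                "reasons": reasons,
                "node_ports": [p["nodePort"] for p in spec.get("ports", [])
                               if "nodePort" in p],
            })
    return findings


if __name__ == "__main__":
    for f in exposed_services(SAMPLE):
        print(f["service"], ", ".join(f["reasons"]), f["node_ports"])
```

Each finding is a starting point for review: confirm the Service is meant to be public, and restrict it with source ranges or firewall rules if it is not.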

3. A lot of flavors exist

Adding to the complexity, there is not a single version of Kubernetes, in much the same way there is not a single version of Linux. Red Hat, Amazon, Microsoft Azure, and other groups have all created their own version of the software. Yet most of these versions have the same vulnerabilities as the software released by the Linux Foundation.

"Kubernetes has a core system, but there are a lot of flavors to it as well," said Pete Markowsky, co-founder and chief architect of Capsule8, a security firm.

Dealing with different flavors of Kubernetes means making sure that administrators know how to configure the software correctly and securely, he said. Yet Kubernetes is quickly maturing, and there are already a variety of plugins that can be used to enhance the platform's security.

Don't go it alone

For most companies, adopting Kubernetes should be similar to adding on features from their cloud providers. Every major provider supports a variant of the Kubernetes container orchestration technology, and they manage it and keep it updated, which means fewer headaches—and fewer potential security problems—for your company.

"We are just starting to dig into Kubernetes' architecture, and we are just starting to play with the authentication models, and it is fairly complex machinery. So I think attackers have to level themselves up at this point, but will find the vulnerabilities. In terms of security, there is a long road ahead of us."
Pete Markowsky

"Don't do it yourself." Figure out your company's core competencies and stick with those, said Markowsky.
