## Understanding the Security Implications of Kubernetes Networking
Unexpected threat models:
1. FirewallHole: DoS attack that bypasses the firewall (UDP packets are re-encapsulated as VXLAN, i.e. the overlay network).
Problem:
> Packets can be sent directly from the frontend to the database.
2. Hit and Spread (RCE): the attacker uses an RCE to obtain a reverse shell on a container and then accesses sensitive information.
Problem:
> From the compromised pod the attacker can use kubectl to talk to the API server,
> or mount the host file system from the compromised pod into other pods,
> or modify the contents of other containers through the API server.
3. Replace & Propagate: the attacker impersonates a developer who is allowed to create containers and deploys malicious containers on the cluster.
Problem:
> A malicious image controlled by the attacker is able to open a reverse shell or communicate with a command-and-control server.
> With this reverse shell the attacker can then manipulate other pods and secrets, or intercept network traffic.
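The FirewallHole case above hinges on the fact that a perimeter firewall that matches only the outer headers sees one UDP/4789 flow between nodes, while the frontend-to-database traffic travels inside it. The following is an added example (not code from the paper) showing the defender's side: decapsulating the VXLAN payload and checking the inner source/destination against tier rules. The VNI, pod addresses, MAC addresses and the tier map are constructed sample values.

```python
"""Decapsulate VXLAN (UDP/4789) payloads and check the inner flow against tier rules.
Added example, not from the paper; VNI, addresses and tier map are constructed."""
import ipaddress
import struct

VXLAN_UDP_PORT = 4789          # outer UDP port a perimeter firewall would see
VXLAN_FLAG_VNI_VALID = 0x08    # "I" flag: VNI field is valid


def build_vxlan_payload(vni, src_ip, dst_ip, proto=6):
    """Constructed UDP payload: 8-byte VXLAN header + inner Ethernet + minimal IPv4 header.
    Only used here to produce a sample capture for the checker below."""
    vxlan_hdr = bytes([VXLAN_FLAG_VNI_VALID, 0, 0, 0]) + vni.to_bytes(3, "big") + b"\x00"
    eth_hdr = (bytes.fromhex("0a580af40207")       # constructed dst MAC
               + bytes.fromhex("0a580af40105")     # constructed src MAC
               + b"\x08\x00")                      # EtherType IPv4
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, proto, 0,
                         ipaddress.IPv4Address(src_ip).packed,
                         ipaddress.IPv4Address(dst_ip).packed)
    return vxlan_hdr + eth_hdr + ip_hdr


def decap_vxlan(payload):
    """Return (vni, inner_src, inner_dst, inner_proto) or None if not VXLAN carrying IPv4."""
    if len(payload) < 8 + 14 + 20 or not payload[0] & VXLAN_FLAG_VNI_VALID:
        return None
    vni = int.from_bytes(payload[4:7], "big")
    ethertype = struct.unpack("!H", payload[20:22])[0]
    if ethertype != 0x0800:
        return None
    ip = payload[22:42]
    if ip[0] >> 4 != 4:
        return None
    src = str(ipaddress.IPv4Address(ip[12:16]))
    dst = str(ipaddress.IPv4Address(ip[16:20]))
    return vni, src, dst, ip[9]


# Constructed pod-IP -> tier map (in practice taken from `kubectl get pods -o wide`)
POD_TIER = {"10.244.1.5": "frontend", "10.244.1.9": "backend", "10.244.2.7": "database"}
# Allowed (source tier, destination tier) pairs; frontend -> database is intentionally absent
ALLOWED = {("frontend", "backend"), ("backend", "database")}


def inner_flow_violations(payloads):
    """Flag decapsulated flows whose tier pair is not in ALLOWED."""
    violations = []
    for p in payloads:
        decoded = decap_vxlan(p)
        if decoded is None:
            continue
        vni, src, dst, proto = decoded
        pair = (POD_TIER.get(src, "unknown"), POD_TIER.get(dst, "unknown"))
        if pair not in ALLOWED:
            violations.append({"vni": vni, "src": src, "dst": dst, "proto": proto, "tiers": pair})
    return violations


# Constructed sample capture: one allowed flow, one frontend->database flow, one non-VXLAN blob
SAMPLE_PAYLOADS = [
    build_vxlan_payload(100, "10.244.1.5", "10.244.1.9"),
    build_vxlan_payload(100, "10.244.1.5", "10.244.2.7", proto=17),
    b"\x00" * 10,
]

if __name__ == "__main__":
    for v in inner_flow_violations(SAMPLE_PAYLOADS):
        print("inner-flow violation:", v)
```

The check only works where the monitoring point can see the decapsulated traffic (on the node, or on a firewall that understands VXLAN); the more robust mitigation is to enforce the frontend/database separation with pod-selector based network policies at the CNI level rather than relying on an address-based perimeter firewall.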
* The kubelet contacts the CNI plugin, providing a JSON (JavaScript Object Notation) config file containing the network specifications that a worker node should use with its pods (e.g., the network subnet).
* Security policies are triggered when a K8s component queries the CNI for policy and interface mapping.
Pod-to-pod networking:
> If the pods are on the same worker node, pod-to-pod traffic relies on ARP and DNS
> and uses a bridge.
> Layer-2 networks are more exposed to man-in-the-middle attacks.
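Because same-node pod traffic crosses a shared layer-2 bridge and depends on ARP, a cheap detection on the node is to watch the neighbour table for an IP whose MAC changes, or a MAC that answers for several IPs. The following is an added example (not from the paper) that diffs two constructed snapshots in the format of `ip neigh show`; the addresses and MACs are made up.

```python
"""Detect suspicious ARP/neighbour changes on a node's pod bridge.
Added example, not from the paper; the snapshots below are constructed."""
import re
from collections import defaultdict

# Matches the default `ip neigh show` line format; entries without lladdr (FAILED etc.) are skipped
NEIGH_RE = re.compile(r"^(?P<ip>\S+) dev (?P<dev>\S+) lladdr (?P<mac>[0-9a-fA-F:]{17}) (?P<state>\S+)$")


def parse_neigh(text):
    """Map IP -> MAC from neighbour-table output."""
    table = {}
    for line in text.strip().splitlines():
        m = NEIGH_RE.match(line.strip())
        if m:
            table[m["ip"]] = m["mac"].lower()
    return table


def arp_alerts(before, after):
    """Alerts for IPs that changed MAC and for MACs claiming more than one IP."""
    alerts = []
    for ip, mac in after.items():
        old = before.get(ip)
        if old and old != mac:
            alerts.append(f"{ip} moved from {old} to {mac}")
    owners = defaultdict(set)
    for ip, mac in after.items():
        owners[mac].add(ip)
    for mac, ips in owners.items():
        if len(ips) > 1:
            alerts.append(f"{mac} claims {sorted(ips)}")
    return alerts


# Constructed snapshots: cni0 is the pod bridge, 10.244.1.1 the bridge gateway
SNAPSHOT_BEFORE = """
10.244.1.1 dev cni0 lladdr 0a:58:0a:f4:01:01 STALE
10.244.1.5 dev cni0 lladdr 0a:58:0a:f4:01:05 REACHABLE
10.244.1.6 dev cni0 lladdr 0a:58:0a:f4:01:06 REACHABLE
"""
SNAPSHOT_AFTER = """
10.244.1.1 dev cni0 lladdr 0a:58:0a:f4:01:06 REACHABLE
10.244.1.5 dev cni0 lladdr 0a:58:0a:f4:01:05 REACHABLE
10.244.1.6 dev cni0 lladdr 0a:58:0a:f4:01:06 REACHABLE
10.244.1.7 dev cni0 FAILED
"""


def sample_alerts():
    return arp_alerts(parse_neigh(SNAPSHOT_BEFORE), parse_neigh(SNAPSHOT_AFTER))


if __name__ == "__main__":
    for a in sample_alerts():
        print("ARP alert:", a)
```

Pod IPs are reused when pods are rescheduled, so a MAC change for a pod IP is only suspicious if no pod was deleted or created for that address in between; correlate the alert with pod lifecycle events before acting on it. The gateway address changing owner, as in the sample, has no such benign explanation.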
Pod netns is created by a pause container:
> The pod's network namespace is created first by the pause container.
* If an attacker wants to escape the pod network namespace, they have to escape the pause container's namespace.
Network policy limitations:
> Base K8s network policies that do not depend on a particular CNI plugin do not support logging or drop/block options.
> Current CNIs do not implement domain-name filtering.
Dynamic nature of K8s objects:
> Network policies need to be written in terms of CIDRs rather than single addresses.
Virtual network infrastructure:
> Master nodes in K8s should not be a single node, otherwise they are a single point of failure.
Distributed tracing:
> Helps in understanding which kind of attack pattern is in play, but native K8s currently has no support for such tooling; external tools are needed.
### No Audit of the Level of Security of Policies
> authentication and authorization such as role-based access control (RBAC) and service accounts, secrets management, network policies, pod security policies, general policies handling the use of namespaces, and security options
> K8s has no tool for assessing these permissions before deployment and exposing the result outside the cluster.
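The missing pre-deployment audit described above, and the Hit and Spread / Replace & Propagate threats earlier in the notes, can be partly covered by a static check over the objects before they are applied. The following is an added example (not the paper's tool and not a real project) that walks pod, Role and NetworkPolicy objects given as plain Python dicts, the shape a parsed manifest would have. The cluster contents and the trusted-registry prefix are constructed assumptions.

```python
"""Pre-deployment audit of Kubernetes objects (plain dicts, as parsed from YAML).
Added example, not from the paper; cluster contents and registry prefix are constructed."""

TRUSTED_REGISTRIES = ("registry.example.internal/",)   # assumption: in-house registry only


def audit_pod(namespace, pod):
    """Flag settings that turn one compromised container into cluster-wide access."""
    findings = []
    name = pod["metadata"]["name"]
    spec = pod["spec"]
    # Default-mounted SA token lets a shell in the container call the API server (Hit and Spread)
    if spec.get("automountServiceAccountToken", True):
        findings.append((namespace, name, "service account token auto-mounted"))
    # hostPath exposes the node filesystem to the pod
    for vol in spec.get("volumes", []):
        if "hostPath" in vol:
            findings.append((namespace, name, "hostPath volume " + vol["hostPath"]["path"]))
    for ctr in spec.get("containers", []):
        if ctr.get("securityContext", {}).get("privileged", False):
            findings.append((namespace, name, "privileged container " + ctr["name"]))
        image = ctr["image"]
        # Replace & Propagate: images from outside the trusted registry or not pinned by digest
        if not image.startswith(TRUSTED_REGISTRIES):
            findings.append((namespace, name, "untrusted image source " + image))
        if "@sha256:" not in image:
            findings.append((namespace, name, "image not pinned by digest " + image))
    return findings


def audit_role(role):
    """Flag RBAC rules broad enough to rewrite other workloads or read secrets."""
    findings = []
    name = role["metadata"]["name"]
    for rule in role.get("rules", []):
        verbs, resources = rule.get("verbs", []), rule.get("resources", [])
        if "*" in verbs or "*" in resources:
            findings.append((name, "wildcard verbs/resources"))
        elif "secrets" in resources and {"get", "list"} & set(verbs):
            findings.append((name, "secrets readable"))
    return findings


def namespaces_without_default_deny(namespaces, network_policies):
    """Namespaces lacking a NetworkPolicy that selects every pod (empty podSelector) and restricts ingress."""
    covered = set()
    for pol in network_policies:
        spec = pol["spec"]
        if spec.get("podSelector", {}) == {} and "Ingress" in spec.get("policyTypes", []):
            covered.add(pol["metadata"]["namespace"])
    return sorted(set(namespaces) - covered)


# Constructed cluster: a sloppy frontend pod, a hardened database pod, one over-broad Role
CLUSTER = {
    "namespaces": ["shop", "db"],
    "pods": [
        ("shop", {"metadata": {"name": "frontend"},
                  "spec": {"volumes": [{"name": "host", "hostPath": {"path": "/var/run/docker.sock"}}],
                           "containers": [{"name": "web", "image": "docker.io/library/nginx:latest"}]}}),
        ("db", {"metadata": {"name": "database"},
                "spec": {"automountServiceAccountToken": False,
                         "containers": [{"name": "pg",
                                         "image": "registry.example.internal/pg@sha256:" + "0" * 64}]}}),
    ],
    "roles": [
        {"metadata": {"name": "dev-admin"}, "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
        {"metadata": {"name": "reader"}, "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]}]},
    ],
    "network_policies": [
        {"metadata": {"name": "default-deny", "namespace": "db"},
         "spec": {"podSelector": {}, "policyTypes": ["Ingress", "Egress"]}},
    ],
}


def run_audit(cluster=CLUSTER):
    return {
        "pods": [f for ns, pod in cluster["pods"] for f in audit_pod(ns, pod)],
        "roles": [f for role in cluster["roles"] for f in audit_role(role)],
        "open_namespaces": namespaces_without_default_deny(cluster["namespaces"], cluster["network_policies"]),
    }


if __name__ == "__main__":
    for section, items in run_audit().items():
        print(section, items)
```

Run it as an admission-time gate (for example from CI before `kubectl apply`) so that the findings are available outside the cluster, which is the gap the notes point out; the checks are deliberately conservative and produce no false negatives for the constructed cluster, but a real deployment will need exceptions for system namespaces.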
#### Mapping Attacks and Defenses
> The ATT&CK framework has been widely adopted to study and secure K8s deployments.


