Completek8s Classroom notes 23/Oct/2023

Protecting Node Metadata and Endpoints

Scenario: An attacker gains access to a pod and tries to fetch cloud provider environment details from the instance metadata service

  • To avoid this, we reduce the attack surface by disabling pod access to the instance metadata service (IMDS)
  • Let's write a network policy that blocks egress to the IMDS address
    • AWS: 169.254.169.254
    • Azure: 169.254.169.254
  • Let's create a network policy that denies egress to the metadata server while leaving all other egress allowed
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-egress-metadata-server
  # Applies only to the namespace it is created in; create it in every namespace
  # that runs workloads. Enforcement requires a CNI plugin that implements NetworkPolicy.
spec:
  podSelector: {}        # empty selector: every pod in the namespace
  policyTypes:
    - Egress
  egress:
    - to:                # "to" is a list of peers, so ipBlock is a list item
        - ipBlock:
            cidr: 0.0.0.0/0
            except:
              - 169.254.169.254/32   # cloud metadata service (IMDS)

Scenario: An attacker gains access to dashboard functionality

  • This happened at Tesla in 2018, where the attacker gained access to the Kubernetes cluster via an exposed dashboard and started mining cryptocurrency
  • We need to give our dev team and other team members a user with restricted access to view the k8s dashboard
  • Let's install the k8s dashboard. Refer Here
  • First, let's look at creating admin permissions for an admin-user
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: admin-user
  namespace: kubernetes-dashboard
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: admin-user
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
  - kind: ServiceAccount
    name: admin-user
    namespace: kubernetes-dashboard

  • It's not recommended to create a service account with admin permissions and share its token with users.
  • Recommended practice:
    • Create a service account
    • Assign restricted access
    • Generate a token and share it
  • Steps:
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: dev-user
  namespace: kubernetes-dashboard
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cluster-dev
  annotations:
    rbac.authorization.kubernetes.io/autoupdate: "true"
rules:
  # read-only verbs on every resource in every API group
  - apiGroups:
      - "*"
    resources:
      - "*"     # note: "*" includes Secrets, so this user can read secret values;
                # the built-in "view" ClusterRole grants the same read access without Secrets
    verbs:
      - get
      - list
      - watch
  # read-only access to non-resource endpoints such as /healthz and /metrics
  - nonResourceURLs:
      - "*"
    verbs:
      - get
      - list
      - watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: dev-user
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-dev
subjects:
  - kind: ServiceAccount
    name: dev-user
    namespace: kubernetes-dashboard
  • With this configuration, the user will only be able to view resources in the dashboard.
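Before handing out a token, it is worth confirming that the account really is read-only. The following script is an added example, not part of the original notes; it assumes kubectl is configured with cluster-admin rights and that the dev-user ServiceAccount, ClusterRole and ClusterRoleBinding above have been applied.

```shell
#!/bin/sh
# Added check (not from the original notes). Assumes kubectl is configured with
# cluster-admin rights and the dev-user ServiceAccount/ClusterRole/Binding exist.
set -eu

NS="kubernetes-dashboard"
SA="dev-user"
SUBJECT="system:serviceaccount:${NS}:${SA}"

# Ask the API server whether the service account may perform a verb on a resource,
# using impersonation so no token has to be issued just to test. Prints yes/no.
can_i() {
  kubectl auth can-i "$1" "$2" --as="$SUBJECT" 2>/dev/null || true
}

# Compare one permission with what a read-only user should have; returns 0 on match.
check() {
  got=$(can_i "$1" "$2")
  if [ "$got" = "$3" ]; then
    echo "ok    $1 $2 -> $got"
    return 0
  fi
  echo "FAIL  $1 $2 -> $got (expected $3)"
  return 1
}

# A viewer must be able to read, but never mutate or escalate privileges.
verify_dev_user() {
  rc=0
  check get pods yes || rc=1
  check list deployments yes || rc=1
  check delete pods no || rc=1
  check create clusterrolebindings no || rc=1
  # Caveat: get/list on "*" includes Secrets, so this viewer can read secret values.
  if [ "$(can_i get secrets)" = "yes" ]; then
    echo "WARN  dev-user can read Secrets; the built-in 'view' ClusterRole excludes them"
  fi
  return $rc
}

# Issue a short-lived token for the user instead of a long-lived secret.
issue_token() {
  kubectl -n "$NS" create token "$SA" --duration=1h
}

# Usage: sh verify-dev-user.sh run
if [ "${1:-}" = "run" ]; then
  verify_dev_user && issue_token
fi
```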

About continuous learner

devops & cloud enthusiastic learner