Completek8s Classroom notes 23/Oct/2023

Protecting Node Metadata and Endpoints

Scenario: An attacker gains access to a pod and tries to fetch cloud provider environment details from the instance metadata service (IMDS)

  • To avoid this, we need to reduce the attack surface by disabling pod access to the IMDS
  • Let's write a network policy that blocks egress to the IMDS address
    • AWS: 169.254.169.254
    • Azure: 169.254.169.254
  • Let's create a network policy that denies egress access to the metadata server
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-egress-metadata-server
spec:
  # Empty selector: the policy applies to every pod in the namespace
  podSelector: {}
  policyTypes:
    - Egress
  egress:
    # 'to' is a list of peers; all destinations are allowed except the IMDS address
    - to:
        - ipBlock:
            cidr: 0.0.0.0/0
            except:
              - 169.254.169.254/32

Scenario: An attacker gains access to dashboard functionality

  • This happened at Tesla in 2018, where attackers gained access to the Kubernetes cluster via an exposed dashboard and started mining cryptocurrency
  • We need to give our dev team and other team members a user with restricted access to view the Kubernetes dashboard
  • Let's install the Kubernetes dashboard. Refer Here
  • Now let's try creating admin permissions for admin-user
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: admin-user
  namespace: kubernetes-dashboard
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: admin-user
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
  - kind: ServiceAccount
    name: admin-user
    namespace: kubernetes-dashboard

  • It is not recommended to generate a service account with admin permissions and share its token with users.
  • Recommended practice:
    • Create a service account
    • Assign restricted access
    • Generate a token and share the token
  • Steps:
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: dev-user
  namespace: kubernetes-dashboard
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cluster-dev
  annotations:
    rbac.authorization.kubernetes.io/autoupdate: "true"
rules:
  - apiGroups:
      - "*"
    resources:
      - "*"
    verbs:
      - get
      - list
      - watch
  - nonResourceURLs:
      - "*"
    verbs:
      - get
      - list
      - watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: dev-user
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-dev
subjects:
  - kind: ServiceAccount
    name: dev-user
    namespace: kubernetes-dashboard

  • With this configuration, the users will only be able to view the dashboard.
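As an added example (not part of the classroom notes), the Python below checks the NetworkPolicy and the cluster-dev ClusterRole offline, taking each manifest as the dict that `kubectl get -o json` returns: it verifies that the policy closes the IMDS route and that the role grants no write verbs, and it also flags that read access on resources "*" includes Secrets, so the role is view-only but not credential-safe. The manifest dicts at the bottom are constructed to mirror the YAML on this page.

```python
# Added example (not from the classroom notes): offline checks for the two
# manifests above, given as the dicts that `kubectl get -o json` returns.
import ipaddress

IMDS = ipaddress.ip_address("169.254.169.254")
# Verbs that change cluster state or escalate; a view-only role grants none of them.
WRITE_VERBS = {"create", "update", "patch", "delete", "deletecollection",
               "impersonate", "escalate", "bind", "*"}

def egress_blocks_imds(policy: dict) -> bool:
    """True if the NetworkPolicy selects every pod, governs Egress, and no
    egress rule lets traffic reach the metadata address."""
    spec = policy.get("spec", {})
    if spec.get("podSelector") != {} or "Egress" not in spec.get("policyTypes", []):
        return False
    for rule in spec.get("egress", []):
        peers = rule.get("to") or []
        if not peers:          # a rule without 'to' allows every destination
            return False
        for peer in peers:
            block = peer.get("ipBlock")
            if block is None:  # pod/namespace selectors only match cluster pods
                continue
            cidr = ipaddress.ip_network(block["cidr"], strict=False)
            holes = [ipaddress.ip_network(e, strict=False) for e in block.get("except", [])]
            if IMDS in cidr and not any(IMDS in h for h in holes):
                return False
    return True

def write_verbs_granted(role: dict) -> set:
    """Verbs from WRITE_VERBS that appear in any rule of a (Cluster)Role."""
    return {v for r in role.get("rules", []) for v in r.get("verbs", [])} & WRITE_VERBS

def can_read_secrets(role: dict) -> bool:
    """Read access on resources '*' or 'secrets' exposes every Secret the binding
    covers (service-account tokens included): view-only is not credential-safe."""
    return any(set(r.get("resources", [])) & {"*", "secrets"}
               and set(r.get("verbs", [])) & {"get", "list", "watch", "*"}
               for r in role.get("rules", []))

# Constructed inputs mirroring the manifests on this page.
IMDS_POLICY = {"spec": {"podSelector": {}, "policyTypes": ["Egress"], "egress": [
    {"to": [{"ipBlock": {"cidr": "0.0.0.0/0", "except": ["169.254.169.254/32"]}}]}]}}
CLUSTER_DEV = {"rules": [
    {"apiGroups": ["*"], "resources": ["*"], "verbs": ["get", "list", "watch"]},
    {"nonResourceURLs": ["*"], "verbs": ["get", "list", "watch"]}]}
```

Scoping the cluster-dev resources list to what the dashboard actually needs (for example excluding secrets) closes the credential-exposure gap the third check reports.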

By continuous learner

devops & cloud enthusiastic learner