The Ten Most Common Kubernetes Security Misconfigurations & How to Address Them

The Red Report 2024

The Top 10 MITRE ATT&CK Techniques Used by Adversaries

DOWNLOAD

Containerization has revolutionized the development, deployment, and management of applications. Open-source systems like Kubernetes have enabled organizations to build, ship, and run applications more efficiently. The rapid and widespread adoption of Kubernetes is so significant that many organizations use it without even realizing it. This underscores the critical need for robust container security practices, as Kubernetes and other container technologies are now deeply embedded in modern IT infrastructures.

In this blog, we examine the ten most common security misconfigurations associated with Kubernetes and explain how to address the possible risks associated with them.

Picus Platform Extends its Security Validation for Kubernetes and Containers

Misconfigurations in Kubernetes

One of the key security concerns with containers and Kubernetes is misconfigurations

Similar to misconfigurations in cloud environments, there is significant potential for containers and Kubernetes to be improperly configured. Many out-of-the-box settings in Kubernetes are not secure by default, creating a need for proactive governance to regularly identify and harden settings that could be exploited by attackers. Without this oversight, misconfigurations can pose serious security risks, compromising the integrity and resilience of containerized applications.

As new applications are continually deployed and scaled, the environment undergoes constant change, which increases the need for vigilant security teams.

  • Over 50% of Kubernetes users are concerned about misconfigurations and vulnerabilities, making it one of their biggest concerns when deploying and using this technology [1]. 

  • The 67% report that these security issues have negatively impacted their deployments [1]. 

Potential security risks can sometimes slow down application deployment, as teams must address concerns to ensure environments are secure and stable.

Ten Most Common Security Misconfigurations in Kubernetes & How to Mitigate Them?

In this section, we will discuss the ten most common security misconfigurations in Kubernetes and how to address them, starting with the overly permissive role-based access control (RBAC) assignments.

Misconfiguration 1: Overly Permissive Role-Based Access Control (RBAC)

Overly permissive RBAC in Kubernetes occurs when excessive permissions are granted to users, service accounts, or groups instead of adhering to the principle of least privilege. This misconfiguration can create significant security risks by allowing entities to perform more actions than necessary. 

When an account is granted broad permissions, such as the ability to manage all resources within a cluster, it increases the potential impact of a security breach. In the event of a compromise, an attacker can exploit these excessive permissions to gain control over the entire Kubernetes environment, leading to widespread disruptions and data breaches.

Consider a possible attack scenario in a Kubernetes cluster [2]. 

Granting the cluster-admin role to a default service account is particularly dangerous because this role has unrestricted access to all resources across the entire cluster. If a pod in the default namespace is compromised, for example, through a remote code execution vulnerability, an attacker can easily impersonate the service account bound to cluster-admin. This means the attacker can perform any action on any resource within the cluster, such as creating, deleting, or modifying resources, which could lead to a complete takeover of the cluster.

The provided RBAC configuration demonstrates this vulnerability:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: redacted-rbac
subjects:
- kind: ServiceAccount
  name: default
  namespace: default
roleRef:
  kind: ClusterRole
  name: cluster-admin
  apiGroup: rbac.authorization.k8s.io

Here, the ClusterRoleBinding binds the cluster-admin role to the default service account in the default namespace. If an attacker gains access to a pod running in this namespace, they can use the service account's token to interact with the Kubernetes API and execute any command across the cluster. This could include accessing sensitive data, shutting down services, or deploying malicious applications, thereby escalating the security breach from a single compromised pod to the entire cluster.

To mitigate this risk:

  1. Adhere to Least Privilege: Grant only necessary permissions.

  2. Avoid Broad Roles: Use custom roles instead of cluster-admin.

  3. Regular Audits: Continuously review and adjust RBAC policies.

  4. Network Policies: Limit pod communication to reduce attack surface.

  5. Namespace Isolation: Use namespaces with strict access controls.

  6. Scoped Role Bindings: Apply role bindings narrowly.

  7. Enable MFA: Use multi-factor authentication for API access.

Misconfiguration 2: Insecure Workload Configurations

Kubernetes provides a highly configurable security context for workloads, allowing for granular control over permissions and access [3]. This flexibility is advantageous for tailoring security to specific needs but can also lead to significant misconfigurations if not properly managed. Such misconfigurations can expose workloads and clusters to severe risks, including unauthorized access, data breaches, and complete system compromise.

Let's examine the following YAML file to understand the specific security issues present [4]: 

# OWASPKTop10-1-InsecureMisconfigurations.yaml
apiVersion: v1
kind: Pod
spec:
  hostPID: true
  hostIPC: true
  hostUsers: true
  hostNetwork: true
  containers:
  - name: nginx
    image: nginx:1.14.2
    securityContext:
      privileged: true
    volumeMounts:
      - mountPath: /host
        name: noderoot
  volumes:
  - name: noderoot
    hostPath:
      path: /

Key issues are as follows. 

  • Host Namespace Sharing: Enabling hostPID, hostIPC, hostUsers, and hostNetwork allows the pod to share the host's process, IPC, user, and network namespaces, respectively, leading to potential process enumeration, data leakage, privilege escalation, and unauthorized network access. 
  • Privileged Container: Setting privileged:true within the securityContext grants the container elevated privileges, essentially giving it root access to the host system. This significantly increases the risk of host compromise, as the container can perform any action that a root user can, including modifying critical system files and settings.
  • Host Path Volume Mount: The configuration hostPath: path: / mounts the root filesystem of the host into the pod. This is extremely dangerous as it allows the pod to access and modify any file on the host.

To mitigate these risks, avoid using host namespace sharing (hostPID, hostIPC, hostUsers, hostNetwork), refrain from running containers in privileged mode (privileged:false), and do not mount sensitive host paths (hostPath). 

Instead, use Kubernetes-native resources like ConfigMaps, Secrets, and persistent volumes for necessary access, and implement strict security policies to enforce these best practices.

Misconfiguration 3: Misconfigured Cluster Components

A Kubernetes cluster is made up of several critical components, including etcd (key-value storage), the kube-apiserver (API server), and the kubelet (node agent). Each of these components has specific security responsibilities and configuration settings essential for maintaining the security and integrity of the cluster. 

Misconfigurations in any of these core components can lead to severe security risks, potentially compromising the entire cluster. 

Example Misconfiguration Scenario: Unauthenticated Access to kube-apiserver

For example, consider the kube-apiserver, which serves as the central management point that handles RESTful requests for operations on containers, pods, and nodes. Kubernetes supports various authentication mechanisms, such as client certificates and bearer tokens, to secure these API endpoints [5]. However, improper configuration of the kube-apiserver can result in allowing anonymous access, leading to significant security risks.

Administrators may inadvertently configure the kube-apiserver to expose certain APIs to unauthenticated users. This misconfiguration can occur if 

  • The --anonymous-auth flag is set to true (default is true).

  • API server endpoints are exposed without proper access control.

  • Network policies are not enforced to restrict access to the API server.

Here are possible attack flows:

  • Information Gathering

An attacker can query the API server for information about the nodes in the cluster. If the API server is misconfigured to allow anonymous access, the attacker will receive detailed information about the nodes.

Example command to query node information:

curl http://<kube-apiserver-ip>:<port>/api/v1/nodes

  • Accessing Pod Information

The attacker can also attempt to access the list of pods using dummy credentials. If anonymous access or weak authentication mechanisms are enabled, the attacker might successfully retrieve this information.

Example command to get the list of pods using kubectl with dummy credentials:

kubectl --server=http://<kube-apiserver-ip>:<port> --username=dummy --password=dummy get pods

To mitigate the risk of unauthenticated access to the kube-apiserver, 

  • disable anonymous access by setting the --anonymous-auth flag to false

  • enforce Role-Based Access Control (RBAC) to restrict permissions, 

  • implement network policies to limit API server access to authorized IPs and services, 

  • conduct regular security audits and vulnerability scans to identify and fix misconfigurations promptly.

Misconfiguration 4: Ineffective Monitoring and Logging

Inadequate logging and monitoring in Kubernetes is a form of misconfiguration that can severely impact the security and manageability of the cluster. This misconfiguration occurs when relevant events such as failed authentication attempts, access to sensitive resources, or modifications to Kubernetes resources are not logged, or when logs and traces of running workloads are not actively monitored for suspicious activity. 

The provided log snippet, which includes details such as userAgent, sourceIPs, and requestURI, illustrates the type of information that should be captured and monitored.

{
  "kind": "Event",
  "stage": "ResponseComplete",
  "requestURI": "/api/v1/namespaces/inventory/endpoints/inventory",
  "verb": "get",
  "user": {
    "username": "serviceaccount:inventory:inventory"
  },
  "sourceIPs": [
    "10.22.8.11"
  ],
  "userAgent": "server/v0",
  "responseStatus": {
  },
  "requestReceivedTimestamp": "2022-10-26T11:21:45.115489Z",
  "stageTimestamp": "2022-10-26T11:21:45.212100Z",
  "annotations": {
    "authorization.k8s.io/decision": "allow"
  }
}

An attacker using a stolen service account token to delete critical resources might go unnoticed if such events aren't logged and monitored.

To mitigate the risk, you should enable and configure Kubernetes Audit Logs to record API actions and set up alerts for suspicious activities, especially authorization failures. Ensure logs are centrally stored and protected against tampering to facilitate effective monitoring and incident response.

Misconfiguration 5: Not Updating Kubernetes Versions

Not updating Kubernetes versions is a form of misconfiguration that can significantly impact the security and stability of the cluster. Regular updates are critical because they include patches for security vulnerabilities and improvements in functionality. Ignoring these updates can leave the cluster exposed to known exploits that have been addressed in newer versions. Ensuring your Kubernetes environment is up-to-date is vital for maintaining a secure and resilient system.

vulnerable-components

Figure 1. K10: Vulnerable Components by OWASP [6]

An attacker might exploit a vulnerability present in an outdated Kubernetes version to gain unauthorized access to the cluster, potentially leading to data breaches or service disruption.

To mitigate the risk, implement a comprehensive patch management strategy. This involves tracking vulnerabilities through CVE databases, continuously scanning for vulnerabilities, and minimizing the use of third-party software that might introduce additional risks. Regular audits and updates should be performed to ensure all clusters run the latest supported Kubernetes versions.

Misconfiguration 6: Broken Authentication

Broken authentication is a form of misconfiguration in Kubernetes that can lead to unauthorized access and significant security risks. Kubernetes supports various authentication methods to verify the identity of users and services accessing the API, but this flexibility can become a challenge if not managed properly. Authentication issues arise when these methods are incorrectly implemented, leaving the cluster vulnerable.

An example attack scenario might be the following:

A developer might accidentally commit a .kubeconfig file containing Kubernetes API credentials to a public Git repository. 

# .kubeconfig file
apiVersion: v1
clusters:
- cluster:
    server: https://my-cluster.example.com
  name: my-cluster
contexts:
- context:
    cluster: my-cluster
    user: developer
  name: my-context
current-context: my-context
kind: Config
preferences: {}
users:
- name: developer
  user:
    client-certificate: /path/to/cert
    client-key: /path/to/key

Next, the developer accidentally adds this file to their Git repository and commits it.

git add .kubeconfig
git commit -m "Add kubeconfig file for development"
git push origin main

The repository is public, and anyone can browse its contents. 

An attacker scanning public repositories might find the .kubeconfig file, retrieve the credentials.

export KUBECONFIG=path/to/downloaded/.kubeconfig
kubectl get pods --all-namespaces

The attacker can now perform any actions allowed by the credentials, such as viewing, modifying, or deleting resources within the cluster, as the cluster's authentication relies on certificates, which are difficult to revoke once compromised.

To mitigate the risk, you can follow the following best practices:

  • Avoid Storing Sensitive Files in Repositories: Use .gitignore to exclude sensitive files.

echo ".kubeconfig" >> .gitignore

  • Use Environment Variables for Configuration: Configure Kubernetes access using environment variables or external secrets management tools instead of hardcoding them into files.

  • Use Short-Lived Tokens: Avoid using long-lived certificates and tokens. Use short-lived, dynamically generated tokens whenever possible.

  • Monitor Public Repositories: Regularly scan your repositories for sensitive information using tools like GitGuardian or similar.

  • Revoke Compromised Credentials Immediately: If a credential leak is detected, revoke the compromised certificates or tokens immediately and rotate to new ones.

Misconfiguration 7: Missing Network Segmentation Controls

When operating Kubernetes with multiple microservices and tenants, a critical concern is the control of network traffic through network segmentation. Kubernetes networking is flat by default, meaning any workload can communicate with another without restriction [7]. This default behavior can be exploited by attackers who gain access to a running workload, allowing them to probe the internal network, traverse to other containers, or invoke private APIs. Effective network segmentation can mitigate these risks by isolating traffic at various levels within the cluster, such as between pods, namespaces, and labels.

For instance, consider a scenario where a WordPress pod is compromised on a Kubernetes cluster lacking network segmentation [8]. The attacker can use networking tools like dig and curl to explore the network, discovering an internally accessible Redis API running on port 6379. They can then probe this Redis service, which was meant to be internal and used only by backend APIs, and steal or modify data. This type of attack could have been prevented with a locked-down NetworkPolicy or service mesh implementation that would have restricted the WordPress pod's network access to Redis.

To mitigate the risk, enforce network policies and consider using service meshes or CNI plugins [8]

For example, a NetworkPolicy to block access to metadata URLs can be implemented as follows:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: block-1
spec:
  egress:
  - to:
    - ipBlock:
        cidr: 0.0.0.0/0
        except:
        - 169.254.169.254/32
  podSelector: {}
  policyTypes:
  - Egress

Misconfiguration 8: Use of Weak Passwords

When setting up authentication in Kubernetes, it is essential to enforce strong password policies. Weak passwords can be easily guessed by attackers, granting them unauthorized access to the cluster. This misconfiguration can result in a variety of security breaches, including unauthorized access to sensitive data, control over critical services, and the potential for lateral movement within the cluster. Ensuring robust password practices, such as using complex passwords, multi-factor authentication, and regular credential rotations, can significantly reduce the risk of compromise.

To mitigate the risk of weak passwords, enforce strong password policies across all authentication points within the Kubernetes cluster. This can be achieved by:

  • Using strong, complex passwords: Implement a policy that requires passwords to be a mix of upper and lower case letters, numbers, and special characters.

  • Implementing multi-factor authentication (MFA): Add an extra layer of security by requiring users to authenticate using a second factor, such as a mobile app or hardware token.

  • Regularly rotating credentials: Set up a schedule to periodically change passwords and update credentials to minimize the risk of long-term exposure.

  • Using password managers: Encourage the use of password managers to generate and store complex passwords securely.

Misconfiguration 9: Policy Enforcement Misconfiguration in Kubernetes

Managing security policies across multiple Kubernetes clusters, various cloud environments, and differing risk levels can quickly become an overwhelming task for security teams. The lack of a centralized mechanism for detecting, remediating, and preventing misconfigurations can leave clusters vulnerable to attacks. Effective policy enforcement is essential for maintaining governance, compliance, and security requirements across a multi-cluster or multi-cloud infrastructure.

Policy enforcement should be integrated throughout the software delivery lifecycle, ensuring that security and compliance measures are consistently applied. For instance, preventing the deployment of images from untrusted registries can be achieved by using admission control policies. An example of such a policy is an Open Policy Agent (OPA) Gatekeeper Rego policy, which blocks workloads that use images from registries other than those explicitly allowed, like "open-policy-agent" and "ubuntu".

Consider an attacker exploiting a misconfigured policy to create a highly privileged pod. 

By running the following command against the Kubernetes API, they can initiate a container breakout [9]:

kubectl run r00t --restart=Never -ti --rm --image lol \
  --overrides '{"spec":{"hostPID": true,
  "containers":[{"name":"1","image":"alpine",
  "command":["nsenter","--mount=/proc/1/ns/mnt","--","/bin/bash"],
  "stdin": true,"tty":true,"imagePullPolicy":"IfNotPresent",
  "securityContext":{"privileged":true}}]}}'

This command sets "hostPID" to true, breaking container isolation by allowing visibility of all host processes. It then uses the nsenter command to switch to the host's mount namespace and ensures the container runs in privileged mode, thus bypassing typical permission restrictions.

To mitigate the risk, implement robust policy enforcement mechanisms using Admission Controllers and open-source tools like Open Policy Agent Gatekeeper or Kyverno to ensure that only secure, compliant configurations are admitted to the cluster. Regularly review and update policies to address new threats and maintain security posture across all clusters and environments.

Misconfiguration 10: Not Running the Latest Version of Docker

Kubernetes relies heavily on Docker as its container runtime, making it essential to ensure that Docker is always running the latest version. Regular updates are critical as they often include important security patches and performance improvements. Running an outdated version of Docker can expose the entire Kubernetes cluster to vulnerabilities that have been addressed in more recent releases. Therefore, keeping both Kubernetes and Docker up to date is vital for maintaining a secure and efficient containerized environment.

To mitigate the risks of outdated Docker versions, schedule regular updates, use monitoring tools for alerts on new releases, and test updates in staging before production. Always have a backup plan and ensure your team is trained on update procedures to maintain a secure and efficient environment.

Security Validation for Kubernetes and Containers with Picus Platform

Picus Platform's recent extension of its validation capabilities to Kubernetes and containers signifies a major advancement in proactive security measures for cloud-native technologies. 

By incorporating Kubernetes validation, Picus now enables security and DevOps teams to proactively detect and address critical risks such as misconfigured policies, role-based access misconfigurations, and inadequate network segmentation. This ensures that containerized environments remain secure, preventing potential privilege escalation and lateral movement within clusters. The enhanced validation aligns with the Center for Internet Security benchmarks, providing mitigation recommendations that are crucial for maintaining a robust security posture in dynamic and complex container ecosystems.

cloud-security-validation

Figure 2: Picus Cloud Security Validation 

This strategic enhancement integrates seamlessly into the Picus Cloud Security Validation module, which already offers comprehensive security posture management and cloud attack simulation for major platforms like AWS, Azure, and GCP. By offering a unified dashboard, Picus allows users to view and mitigate security risks across various environments efficiently. The platform’s attack simulation capabilities, powered by GenAI, enable organizations to validate the effectiveness of their security measures continuously, ensuring resilience against evolving threats. 

This proactive approach not only addresses the high-security demands of Kubernetes but also supports the broader goal of enabling secure, agile, and scalable application deployments in multi-cloud environments.

Contact our team for more information about the benefits of cloud security validation for Kubernetes and to request a personal demonstration of the Picus Security Validation Platform.

References

[1] “State of Kubernetes security report 2023.” Available: https://www.redhat.com/rhdc/managed-files/cl-state-kubernetes-security-report-262667-202304-en.pdf. [Accessed: May 27, 2024]

[2] “K03: Overly Permissive RBAC.” Available: https://owasp.org/www-project-kubernetes-top-ten/2022/en/src/K03-overly-permissive-rbac.html. [Accessed: Jun. 03, 2024]

[3] “Pod Security Standards.” Available: https://kubernetes.io/docs/concepts/security/pod-security-standards/. [Accessed: May 30, 2024]

[4] “K01: Insecure Workload Configurations.” Available: https://owasp.org/www-project-kubernetes-top-ten/2022/en/src/K01-insecure-workload-configurations.html. [Accessed: May 30, 2024]

[5] “Controlling Access to the Kubernetes API.” Available: https://kubernetes.io/docs/concepts/security/controlling-access/. [Accessed: May 30, 2024]

[6] “K10: Vulnerable Components.” Available: https://owasp.org/www-project-kubernetes-top-ten/2022/en/src/K10-vulnerable-components.html. [Accessed: May 31, 2024]

[7] “Network Policies.” Available: https://kubernetes.io/docs/concepts/services-networking/network-policies/. [Accessed: May 31, 2024]

[8] “K07: Network Segmentation.” Available: https://owasp.org/www-project-kubernetes-top-ten/2022/en/src/K07-network-segmentation.html. [Accessed: May 31, 2024]

[9] “K04: Policy Enforcement.” Available: https://owasp.org/www-project-kubernetes-top-ten/2022/en/src/K04-policy-enforcement.html. [Accessed: May 31, 2024]