As Kubernetes gains more prominence, concern is mounting over how we gauge its effectiveness and mitigate container security vulnerabilities. Such vulnerabilities can leave a cluster exposed or a container compromised, open to misuse by malicious users for activities such as cryptomining. I recently spoke with Rory McCune, principal security consultant at NCC Group, to learn what common vulnerabilities exist in today’s containers and container orchestration environments. McCune will be leading the Mastering Container Security IV training, a deep two-day dive into container security, during the Black Hat virtual conference Aug. 3–4.
Common Docker Security Issues
McCune notes that attackers keep finding new methods to escalate access and invoke Docker commands. Remote command execution against the Docker daemon is especially worrisome: a Docker API endpoint left reachable from the internet without TLS client authentication lets anyone who finds it start containers on the host, including privileged ones.
One strategy hackers have used for years is to insert malicious code into Docker images on Docker Hub. But as companies become more aware of this tactic, black hats are quick to adapt, finding ways to build nefarious software directly on compromised machines.
Docker has a rather dangerous installation model, McCune says. Access to the Docker socket or daemon is effectively root on the host, because whoever holds it can start a privileged container with the host filesystem mounted. Anyone installing Docker images or tooling should therefore vet packages carefully before granting a new installation privileged access to the socket or daemon.
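The check a reviewer would actually run before trusting a container with socket access, as an added example that is not code from the article or from NCC Group: it reads the JSON shape that `docker inspect` prints (the HostConfig fields of the Docker Engine API) and reports every setting that amounts to root on the host. The two containers in the sample are constructed for illustration.

```python
"""Flag Docker container settings that hand the container root on the host.

Added example, not from the article or NCC Group. It reads the JSON shape
produced by `docker inspect` (HostConfig fields of the Docker Engine API);
the container data below is constructed for illustration.
"""
import json

# Constructed sample in the shape of `docker inspect ci-runner web`.
SAMPLE_INSPECT = json.dumps([
    {
        "Name": "/ci-runner",
        "HostConfig": {
            "Privileged": False,
            "PidMode": "",
            "NetworkMode": "bridge",
            "CapAdd": ["SYS_ADMIN"],
            "Binds": [
                "/var/run/docker.sock:/var/run/docker.sock",
                "/srv/app:/app:ro",
            ],
        },
    },
    {
        "Name": "/web",
        "HostConfig": {
            "Privileged": False,
            "PidMode": "",
            "NetworkMode": "bridge",
            "CapAdd": None,
            "Binds": ["/srv/web:/usr/share/nginx/html:ro"],
        },
    },
])

DOCKER_SOCKETS = {"/var/run/docker.sock", "/run/docker.sock"}
# Host paths whose writable mount gives control of the host's config or kernel.
SENSITIVE_HOST_PATHS = {"/", "/etc", "/root", "/proc", "/sys", "/dev", "/boot"}
# Capabilities that are enough to break out of the container on their own.
ROOT_EQUIVALENT_CAPS = {"ALL", "SYS_ADMIN", "SYS_MODULE", "SYS_PTRACE", "DAC_READ_SEARCH"}


def host_root_findings(host_config):
    """Return the reasons a HostConfig is equivalent to root on the host."""
    findings = []
    if host_config.get("Privileged"):
        findings.append("privileged: all capabilities and raw device access")
    if host_config.get("PidMode") == "host":
        findings.append("host PID namespace: can inspect and signal host processes")
    if host_config.get("NetworkMode") == "host":
        findings.append("host network namespace: reaches loopback-only host services")
    for cap in host_config.get("CapAdd") or []:
        name = cap.upper()
        name = name[4:] if name.startswith("CAP_") else name
        if name in ROOT_EQUIVALENT_CAPS:
            findings.append(f"added capability {name}")
    for bind in host_config.get("Binds") or []:
        # Binds are "host-src:container-dst[:options]"; the host side is what matters.
        src = bind.split(":", 1)[0]
        mode = bind.split(":")[-1] if bind.count(":") >= 2 else "rw"
        if src in DOCKER_SOCKETS:
            findings.append("docker socket mounted: can start privileged containers on the host")
        elif src in SENSITIVE_HOST_PATHS and "ro" not in mode.split(","):
            findings.append(f"writable host path {src} mounted")
    return findings


def audit_inspect_output(inspect_json):
    """Map container name -> findings for every container in `docker inspect` JSON."""
    return {c["Name"].lstrip("/"): host_root_findings(c.get("HostConfig", {}))
            for c in json.loads(inspect_json)}


if __name__ == "__main__":
    for name, findings in audit_inspect_output(SAMPLE_INSPECT).items():
        print(name, "->", findings or "ok")
```

On a real host, feed it `docker inspect $(docker ps -q)` instead of the sample. The CI runner is flagged twice: the socket mount alone is enough, since a process inside it can ask the daemon for a new container with `/` bind-mounted read-write, and the added SYS_ADMIN capability is a second, independent route out. Read-only mounts of sensitive paths are deliberately not reported, so the check stays quiet on the common, harmless case.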
Another issue is patching. Many container images simply haven’t been updated in five to seven years. These images may not hold deliberately malicious code, yet they are just as dangerous, because they carry the publicly known vulnerabilities that have been fixed upstream since. As we’ve covered before, container images require continual updates and auditing to keep pace with the constant flow of new exploits and security benchmarks.
Therefore, McCune believes that, ideally, engineers “should always maintain their own images.” Yet, he acknowledges that image reusability is necessary and that developers may not always have the resources available. “There’s an inevitable trade-off here.”
“Docker is quite simple,” says McCune. “At the end of the day, you could understand it.” Kubernetes, on the other hand, is a whole different story.
The complexity of Kubernetes does limit its accessibility quite a bit. The disconnect is even spurring new UX layers to address K8s visibility hangups.
Security issues inherently arise when a technical subject matter is only partially understood. Kubernetes bandwagon-ers may not realize its maintenance hurdles upfront. This confusion can lead to complications around patches and upgrades, thus decreasing security.
A surefire way to welcome a hack is by using outdated software. “You need to upgrade every nine months,” McCune says. The Kubernetes deprecation policy states that a GA API version must keep being served for at least 12 months (or three releases, whichever is longer) after it is deprecated, and a beta API version for at least nine months (or three releases); at the time of this interview upstream also shipped patches only for the three most recent minor releases, roughly nine months of support for any given version. Traditional companies unaccustomed to that sort of release frequency should take stock of Kubernetes best practices before diving in.
Kubernetes also has a large attack surface. “You could have a half a dozen services on a network,” says McCune. In a typical deployment the API server, etcd, the kubelet on every node and the other control-plane components all listen on the network, and if one service is compromised, it could affect an entire cluster or machine. Kubernetes’ networking insecurities were a severe problem two to three years ago, but McCune acknowledges that they are improving.
What is still a prevalent threat is privilege escalation. K8s is a multi-user system, designed to have many groups of developers working on independent applications, and not all of them should be able to manage the entire cluster. Also, since every pod is by default given a service account token with which it can talk to the API server, a compromised application can escalate quickly if its permissions are misconfigured.
To help lock things down, Kubernetes supplies network policies for restricting pod-to-pod traffic and a native role-based access control system (RBAC) for the API. However, manually analyzing permissions is tedious. Commercial solutions from Aqua Security, Twistlock, NeuVector and others can help manage access control from a friendlier web GUI.
In general, be careful not to grant more rights than intended. Authorization is key.
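One way to make the permission review McCune calls tedious less manual, as an added example that is not code from the article, NCC Group or the Kubernetes project: a script that walks the v1 List JSON printed by `kubectl get clusterroles,roles -A -o json` and flags the rules that are known escalation paths (exec into pods, creating pods or bindings, the `bind`, `escalate` and `impersonate` verbs, reading secrets, and wildcards). The four roles in the sample are constructed for illustration.

```python
"""Flag RBAC rules that let a subject escalate or read other tenants' secrets.

Added example, not from the article, NCC Group or the Kubernetes project.
It reads the v1 List JSON that `kubectl get clusterroles,roles -A -o json`
prints; the roles below are constructed for illustration.
"""
import json
import sys

SAMPLE_ROLES = json.dumps({"apiVersion": "v1", "kind": "List", "items": [
    {"kind": "ClusterRole", "metadata": {"name": "team-a-dev"},
     "rules": [
         {"apiGroups": [""], "resources": ["pods", "pods/log"], "verbs": ["get", "list", "watch"]},
         {"apiGroups": [""], "resources": ["pods/exec"], "verbs": ["create"]},
     ]},
    {"kind": "Role", "metadata": {"name": "ci-deployer", "namespace": "ci"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "secret-reader"},
     "rules": [
         {"apiGroups": [""], "resources": ["secrets"], "verbs": ["list"]},
         {"apiGroups": ["rbac.authorization.k8s.io"], "resources": ["clusterrolebindings"], "verbs": ["create"]},
     ]},
    {"kind": "Role", "metadata": {"name": "view-configmaps", "namespace": "team-b"},
     "rules": [{"apiGroups": [""], "resources": ["configmaps"], "verbs": ["get", "list"]}]},
]})

# (resource, verb) pairs that are escalation or cross-tenant read paths.
# apiGroups are not checked: a risky resource name in the wrong group is inert,
# but it is still worth a human look.
RISKY = {
    ("secrets", "get"): "reads secrets, including service account tokens",
    ("secrets", "list"): "lists secrets (list returns full objects, not just names)",
    ("pods/exec", "create"): "exec into pods: inherits their service accounts and mounts",
    ("pods/attach", "create"): "attach to pods: same effect as exec",
    ("pods", "create"): "creates pods: can mount any service account token or hostPath",
    ("rolebindings", "create"): "binds roles to arbitrary subjects in the namespace",
    ("clusterrolebindings", "create"): "binds cluster-wide roles to arbitrary subjects",
    ("roles", "bind"): "bind verb: can grant roles it does not itself hold",
    ("clusterroles", "bind"): "bind verb: can grant roles it does not itself hold",
    ("roles", "escalate"): "escalate verb: can add permissions to roles",
    ("clusterroles", "escalate"): "escalate verb: can add permissions to roles",
    ("users", "impersonate"): "impersonate verb: acts as other users or groups",
    ("groups", "impersonate"): "impersonate verb: acts as other users or groups",
    ("serviceaccounts", "impersonate"): "impersonate verb: acts as other users or groups",
}


def rule_findings(rule):
    """Explain why one RBAC rule is risky, or return [] if it is not."""
    resources = rule.get("resources", [])
    verbs = rule.get("verbs", [])
    if "*" in resources and "*" in verbs:
        return ["wildcard resources and verbs: cluster-admin equivalent in scope"]
    found = []
    for (res, verb), reason in RISKY.items():
        res_hit = "*" in resources or res in resources
        verb_hit = "*" in verbs or verb in verbs
        if res_hit and verb_hit and reason not in found:
            found.append(reason)
    return found


def audit_roles(list_json):
    """Map 'Kind[/namespace]/name' -> findings, for roles that have any."""
    report = {}
    for item in json.loads(list_json)["items"]:
        meta = item["metadata"]
        key = "/".join(p for p in (item["kind"], meta.get("namespace"), meta["name"]) if p)
        findings = []
        for rule in item.get("rules", []):
            for reason in rule_findings(rule):
                if reason not in findings:
                    findings.append(reason)
        if findings:
            report[key] = findings
    return report


if __name__ == "__main__":
    # Pipe real kubectl output in, or run with no stdin to audit the sample.
    data = SAMPLE_ROLES if sys.stdin.isatty() else sys.stdin.read()
    for name, findings in audit_roles(data).items():
        print(name)
        for reason in findings:
            print("  -", reason)
```

Against a live cluster: `kubectl get clusterroles,roles -A -o json | python3 rbac_audit.py`. The point of the `pods/exec` and `pods` create entries is the one McCune makes about every application being able to talk to the API: a developer who can exec into, or create, a pod in a namespace holds every service account token mounted in that namespace, so the role that looks harmless ("just pod access") is the escalation. Pairing this review with `automountServiceAccountToken: false` on workloads that never call the API removes most of those tokens from reach.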
“Kubernetes is very complicated, and it’s very easy to make a mistake on how you configure it,” says McCune. If unpatched, Kubernetes and container vulnerabilities could result in catastrophic breaches.
Nowadays, it doesn’t take much effort to discover vulnerable online systems. For example, the Shodan search engine continuously indexes internet-facing hosts and the services they expose, and a query for exposed Docker API or Kubernetes API server ports is all it takes to find candidates.
Attackers value Kubernetes as a means to access compute power to crypto mine on machines. “If you have a cluster that is misconfigured, you will be compromised quite quickly.”