Trend Micro has created a guide to Kubernetes threats that groups them into three broad categories: external attacks, misconfiguration issues and vulnerable applications.
Mark Nunnikhoven, vice president of cloud research at Trend Micro, says adoption of Kubernetes is exacerbating an existing shortage of cybersecurity expertise by introducing into enterprise IT environments a platform that is as complex as it is powerful. As a result, the opportunities for cybersecurity mistakes to be made are considerable, he notes.
Most external attacks directed at Kubernetes clusters are aimed at the kube-api-server, a component of the control plane that exposes the application programming interface (API) through which users define and control all Kubernetes management functions. Cybercriminals that find a way to access that API can, for example, install malicious containers to extract information from databases or consume resources to drive a cryptocurrency-mining campaign.
There are two ports through which the Kubernetes API is accessed: port 8080, the plain-text port on the localhost, and port 6443. Defending the Kubernetes API requires cybersecurity teams to strictly maintain control over any request being made via either of these ports. The three methods to secure those ports outlined by Trend Micro include adding a firewall rule to ensure access to the API only by machines that need it; not employing the insecure-bind-address option, which opens the plain-text port on non-localhost addresses; and employing an intrusion prevention system (IPS) with Secure Sockets Layer (SSL) decryption capabilities.
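As an added illustration of the second method (this is example configuration written for this page, not from the Trend Micro guide), here are the port-related lines of a kube-apiserver static-pod manifest of the kind kubeadm writes to /etc/kubernetes/manifests/kube-apiserver.yaml. The weak flags are shown commented out beside the hardened setting; the image tag is a placeholder, and everything not related to the two ports is omitted. Note that the --insecure-bind-address and --insecure-port flags only exist on older API servers: they were removed in Kubernetes 1.24, after which the plain-text port no longer exists at all.

```yaml
# Added example, not the project's own manifest. Only the flags relevant to the
# plain-text port (8080) and the TLS port (6443) are shown.
apiVersion: v1
kind: Pod
metadata:
  name: kube-apiserver
  namespace: kube-system
spec:
  hostNetwork: true
  containers:
    - name: kube-apiserver
      image: registry.k8s.io/kube-apiserver:<VERSION>   # placeholder tag
      command:
        - kube-apiserver
        # WEAK: these two flags would expose the unauthenticated plain-text
        # port on every interface of the control-plane host. Never set them.
        # - --insecure-bind-address=0.0.0.0
        # - --insecure-port=8080
        #
        # HARDENED (servers before 1.24): disable the plain-text port outright
        # so that not even localhost can reach the API without authentication.
        - --insecure-port=0
        # The TLS port and the address it binds to.
        - --secure-port=6443
        - --bind-address=0.0.0.0
        # Every request arriving on 6443 is authenticated and then authorized
        # through RBAC; there is no unauthenticated path into the API.
        - --authorization-mode=Node,RBAC
        - --tls-cert-file=/etc/kubernetes/pki/apiserver.crt
        - --tls-private-key-file=/etc/kubernetes/pki/apiserver.key
        # ... remaining flags, volumes and probes omitted
```

The first method in the list, the firewall rule, lives outside this manifest: on the control-plane hosts, inbound traffic to 6443 should be limited to the worker nodes, the API load balancer and the administrator addresses that genuinely need it. A quick check on an older cluster is to look for any `--insecure-` flag in the running manifest; on 1.24 and later the server refuses to start if one is present.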
Kubernetes is one of the most complex platforms ever deployed in a production environment, so it’s relatively easy to make mistakes. More troubling still from a cybersecurity perspective is the fact that the default policy for Kubernetes is to allow all traffic to and from all pods in the same namespace. Every pod can talk to every other pod, so if an attacker can get into a public-facing one then the attacker can use it to connect to other pods. This makes lateral movement much easier in case of a breach, notes Nunnikhoven.
In fact, he says, the most common cybersecurity issues organizations experience with Kubernetes involve misconfigurations. The best practice is to deny access by default and allow explicit traffic—or, at the very least, create a default policy to deny ingress traffic.
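The two policies the previous paragraph describes, as an added example rather than anything from the Trend Micro guide: a namespace-wide default-deny for ingress, followed by one explicit allow. The namespace `shop` and the labels `app=web` and `app=api` are constructed for illustration.

```yaml
# Added example, not the project's own configuration.
# Policy 1: deny all inbound traffic to every pod in the namespace.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: shop          # constructed namespace
spec:
  # An empty podSelector matches every pod in the namespace.
  podSelector: {}
  policyTypes:
    - Ingress
  # No "ingress" rules are listed, so nothing is allowed in. A pod that an
  # attacker reaches through a public-facing service can no longer connect
  # to its neighbours unless a policy like the one below permits it.
---
# Policy 2: explicitly allow only the web tier to reach the api tier, and
# only on the port the api container actually serves.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-web-to-api
  namespace: shop
spec:
  podSelector:
    matchLabels:
      app: api              # constructed label
  policyTypes:
    - Ingress
  ingress:
    - from:
        - podSelector:
            matchLabels:
              app: web      # constructed label
      ports:
        - protocol: TCP
          port: 3000        # constructed application port
```

Policies in the same namespace are additive, so the allow rule punches a single hole in the default deny without weakening it elsewhere. The stricter posture the article mentions first, deny everything by default, adds `Egress` to `policyTypes` in the first policy; once egress is denied, pods also need explicit egress allows (at minimum to cluster DNS) or name resolution stops working. Two checks are worth making after applying these: the cluster's network plugin must actually enforce NetworkPolicy (plugins such as Calico or Cilium do; with one that does not, the objects are accepted by the API server and silently have no effect), and a connection attempt from a pod that is not labelled `app=web` should time out rather than connect.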
Finally, ensuring that updates are applied everywhere to address vulnerabilities can be difficult because every containerized application has its own copy of every library, according to the Trend Micro report. The same library may be installed in multiple images built from different base images, and all of them need to be updated, including applying security patches. In addition to making sure container images are current, cybersecurity teams should make sure they are all regularly scanned, as new vulnerabilities are discovered frequently.
Overall, Nunnikhoven says the adoption of containers and Kubernetes inevitably pushes organizations further down the path toward adopting best DevSecOps processes. The challenge, of course, will be bridging the cultural divide that historically has existed between developers and cybersecurity professionals to define the workflows that eventually should reduce the current cybersecurity burden for all concerned.