Blog
        

May 30, 2022

Why Trampoline DaemonSets are the stuff of nightmares, KubeCon & CloudNativeCon Europe 2022

A few simple approaches to protecting your K8s

 

Contributed by Itay Talmi, Cloud Native Applications Senior Consultant, following his attendance at KubeCon & CloudNativeCon Europe 2022.

 

“A single container escape was enough to take over the entire cluster.” This line has kept me awake at night, ever since I heard it at KubeCon 2022 in Valencia. There, I had the opportunity to attend the session led by Yuval Avrahami, Principal Security Researcher at Prisma Cloud. The session focused on the concept of ‘Trampoline Pods.’ Trampoline Pods are powerful pods without a least-privilege approach, and can be used by attackers to take over the entire cluster! The takeaway? If you are running K8s, you absolutely must be aware of this security vulnerability!

  • Containers are an undoubtedly great tool, but a shared kernel makes containers a weak security boundary
  • The main impact of concern is a compromised node
  • Trampoline DaemonSets, which ensure that some or all Nodes run a copy of a Pod, guarantee that an attacker will hit the jackpot and take over the entire cluster. If you take only one thing away from this discussion, it is this: keep them the least privileged!
  • Know your nodes and which kind of pods they are running (Applications, Add-ons, System)
  • Most of the common infra components managed K8s services & K8s distributions, and CNIs are installed by default with powerful DaemonSets
  • A general recommendation: Better RBAC Posture and Stronger Node Isolation

 

The discussion highlighted the value of RBAC Police and Checkov (by Bridgecrew) open-source tools, and it could all easily be managed (including CSPM & CWPP) by an all-in-one solution that I love to recommend: Prisma Cloud by Palo Alto Networks. Yuval’s session was incredibly valuable, with an enlightening demonstration.

 

I look forward to continuing to explore this issue and invite you to reach out to me if you have any questions or would like to talk about a Prisma Cloud demo.

Want more info?

Tags:
Kubernetes
Containers
Prisma
Prisma Cloud
DevSecOps
Share:

Next Articles

Blog
      

23 May, 2024

TeraSky Lights Up Google Cloud Summit Tel Aviv 2024
Read Entry
Blog
      

22 May, 2024

Insights & Connections at NYC’s Cloud Native Conference
Read Entry
Blog
      

8 May, 2024

Purify Your Backup: Building a Fortress Against Ransomware
Read Entry
Skip to content