May 30, 2022

Why Trampoline DaemonSets are the stuff of nightmares, KubeCon & CloudNativeCon Europe 2022

A few simple approaches to protecting your K8s


Contributed by Itay Talmi, Cloud Native Applications Senior Consultant, following his attendance at KubeCon & CloudNativeCon Europe 2022.


“A single container escape was enough to take over the entire cluster.” This line has kept me awake at night ever since I heard it at KubeCon 2022 in Valencia, where I had the opportunity to attend the session led by Yuval Avrahami, Principal Security Researcher at Prisma Cloud. The session focused on the concept of ‘Trampoline Pods’: pods granted powerful permissions instead of least privilege, which an attacker who escapes a container onto the hosting node can use to take over the entire cluster! The takeaway? If you are running K8s, you absolutely must be aware of this security risk!

  • Containers are undoubtedly a great tool, but the shared kernel makes them a weak security boundary
  • The main impact of concern is a compromised node: a container escape lands the attacker on the node, with access to every pod running there
  • A DaemonSet ensures that some or all nodes run a copy of its pod, so a trampoline DaemonSet guarantees that whichever node the attacker lands on hosts a powerful pod: they hit the jackpot and take over the entire cluster. If you take only one thing away from this discussion, it is this: keep DaemonSets least privileged!
  • Know your nodes and which kinds of pods they are running (applications, add-ons, system components)
  • Most common infra components (managed K8s services, K8s distributions, and CNIs) are installed by default with powerful DaemonSets
  • A general recommendation: a better RBAC posture and stronger node isolation
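As an added example (not code from the talk or from rbac-police), a small Python check over a constructed, simplified cluster snapshot that ties the bullets together: it follows each DaemonSet's service account through ClusterRoleBindings and flags the DaemonSets whose copy on every node carries permissions an attacker could turn into cluster takeover. The object shapes and the POWERFUL set are assumptions for illustration; it ignores namespaced RoleBindings and group subjects.

```python
# Constructed cluster snapshot: simplified dict forms of DaemonSet,
# ClusterRole and ClusterRoleBinding objects (not real manifests).
DAEMONSETS = [
    {"namespace": "kube-system", "name": "cni-agent", "serviceAccountName": "cni-agent"},
    {"namespace": "monitoring", "name": "node-exporter", "serviceAccountName": "node-exporter"},
    {"namespace": "default", "name": "log-shipper", "serviceAccountName": "default"},
]
CLUSTER_ROLES = {  # name -> list of RBAC rules
    "cni-agent": [{"apiGroups": [""], "resources": ["secrets", "pods"], "verbs": ["get", "list", "watch"]}],
    "node-exporter": [{"apiGroups": [""], "resources": ["nodes"], "verbs": ["get", "list"]}],
    "cluster-admin": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}],
}
CLUSTER_ROLE_BINDINGS = [  # roleRef -> ServiceAccount subjects as (namespace, name)
    {"roleRef": "cni-agent", "subjects": [("kube-system", "cni-agent")]},
    {"roleRef": "node-exporter", "subjects": [("monitoring", "node-exporter")]},
    {"roleRef": "cluster-admin", "subjects": [("default", "default")]},
]

# Assumed (resource, verb) pairs that make a pod a trampoline: cluster-wide
# credentials or code execution. rbac-police ships its own fuller rule set.
POWERFUL = {
    ("secrets", "get"), ("secrets", "list"), ("pods", "create"),
    ("pods/exec", "create"), ("clusterrolebindings", "create"),
}

def rule_grants(rule, resource, verb):
    """True if one RBAC rule grants verb on resource; '*' matches anything."""
    return ("*" in rule["resources"] or resource in rule["resources"]) and \
           ("*" in rule["verbs"] or verb in rule["verbs"])

def powerful_permissions(rules):
    """Sorted subset of POWERFUL granted by the given rules."""
    return sorted(p for p in POWERFUL if any(rule_grants(r, *p) for r in rules))

def find_trampoline_daemonsets(daemonsets, bindings, roles):
    """Map 'namespace/name' of each risky DaemonSet to the powerful
    permissions its service account gets via ClusterRoleBindings."""
    findings = {}
    for ds in daemonsets:
        sa = (ds["namespace"], ds["serviceAccountName"])
        rules = [rule for b in bindings if sa in b["subjects"]
                 for rule in roles.get(b["roleRef"], [])]
        if perms := powerful_permissions(rules):
            findings[f"{ds['namespace']}/{ds['name']}"] = perms
    return findings

if __name__ == "__main__":
    for ds, perms in find_trampoline_daemonsets(
            DAEMONSETS, CLUSTER_ROLE_BINDINGS, CLUSTER_ROLES).items():
        print(f"{ds}: a copy on every node with {perms}")
```

In the constructed snapshot the CNI agent is flagged for cluster-wide secret reads and the log shipper for inheriting cluster-admin through the default service account, while the node exporter's read-only node access is left alone.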


The discussion highlighted the value of the open-source tools RBAC Police and Checkov (by Bridgecrew), and all of it (including CSPM & CWPP) can easily be managed by an all-in-one solution that I love to recommend: Prisma Cloud by Palo Alto Networks. Yuval’s session was incredibly valuable, with an enlightening demonstration.


I look forward to continuing to explore this issue and invite you to reach out to me if you have any questions or would like to talk about a Prisma Cloud demo.
