May 30, 2022

Why Trampoline DaemonSets are the stuff of nightmares, KubeCon & CloudNativeCon Europe 2022

A few simple approaches to protecting your K8s


Contributed by Itay Talmi, Cloud Native Applications Senior Consultant, following his attendance at KubeCon & CloudNativeCon Europe 2022.


“A single container escape was enough to take over the entire cluster.” This line has kept me awake at night ever since I heard it at KubeCon 2022 in Valencia, where I had the opportunity to attend the session led by Yuval Avrahami, Principal Security Researcher at Prisma Cloud. The session focused on the concept of ‘Trampoline Pods’: pods whose service account carries far more cluster-wide privilege than the workload needs, so that an attacker who escapes to the node they run on can reuse those credentials to take over the entire cluster. The takeaway? If you are running K8s, you absolutely must be aware of this risk!

  • Containers are undoubtedly a great tool, but because they share the host kernel, a container is a weak security boundary: a kernel bug, or a privileged/hostPID pod configuration, is enough to escape to the node.
  • The main impact of concern is therefore a compromised node, and what an attacker can reach from there.
  • Trampoline DaemonSets: a DaemonSet ensures that some or all nodes run a copy of a pod, so if that pod's service account is over-privileged, an attacker who compromises any node is guaranteed to hit the jackpot and take over the entire cluster. If you take only one thing away from this discussion, it is this: keep them least privileged!
  • Know your nodes and which kinds of pods they run (applications, add-ons, system components).
  • Most of the common infrastructure components of managed K8s services, K8s distributions, and CNIs are installed by default as powerful DaemonSets.
  • General recommendation: a better RBAC posture and stronger node isolation.
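To make the two recommendations concrete, here is an added example (not code from Yuval's talk, rbac-police, or Prisma Cloud) of the audit they imply: for each DaemonSet, resolve its service account through the ClusterRoleBindings, flag cluster-wide permissions that would let an attacker who lands on one node pivot further, and flag pod settings that make the initial escape to the node trivial. The ClusterRoles, ClusterRoleBindings and DaemonSets below are constructed and trimmed to the fields the check needs; the list of pivot-enabling permissions is an illustrative assumption, not an exhaustive one.

```python
"""Audit DaemonSets for 'trampoline' potential.

A DaemonSet pod runs on every node, so whatever its service account can do,
an attacker who escapes a container on any node can do as well. The check
below resolves each DaemonSet's service account through ClusterRoleBindings
and flags cluster-wide permissions that enable a pivot, plus pod settings
that make the initial escape to the node easy.

Added example, not code from the talk, rbac-police or Prisma Cloud. The
manifests are constructed and trimmed to the fields the check needs.
"""

# (apiGroup, resource, verb) triples that let a node-level attacker reach the
# rest of the cluster. Illustrative selection (assumption), not exhaustive.
RBAC = "rbac.authorization.k8s.io"
PIVOT_PERMISSIONS = {
    ("*", "*", "*"): "wildcard grant, equivalent to cluster-admin",
    ("", "secrets", "list"): "dump every secret in the cluster",
    ("", "secrets", "get"): "read any secret by name",
    ("", "pods", "create"): "schedule a pod onto any node and reuse its SA token",
    ("", "pods/exec", "create"): "exec into pods on other nodes",
    ("", "serviceaccounts/token", "create"): "mint tokens for other service accounts",
    ("", "nodes/proxy", "get"): "reach every kubelet API via the apiserver",
    (RBAC, "clusterrolebindings", "create"): "bind any identity to cluster-admin",
    (RBAC, "clusterroles", "escalate"): "grant permissions beyond one's own",
}

# Constructed ClusterRoles (name -> RBAC rules) and ClusterRoleBindings.
CLUSTER_ROLES = {
    "cluster-admin": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}],
    "cni-node": [
        {"apiGroups": [""], "resources": ["pods", "nodes"], "verbs": ["get", "list", "watch"]},
        {"apiGroups": [""], "resources": ["pods"], "verbs": ["create", "delete"]},
        {"apiGroups": [""], "resources": ["secrets"], "verbs": ["list"]},
    ],
    "log-shipper": [
        {"apiGroups": [""], "resources": ["pods", "namespaces"], "verbs": ["get", "list", "watch"]},
    ],
}
# Subjects are (namespace, serviceAccountName); group subjects such as
# system:serviceaccounts are left out for brevity.
CLUSTER_ROLE_BINDINGS = [
    {"roleRef": "cluster-admin", "subjects": [("kube-system", "legacy-agent")]},
    {"roleRef": "cni-node", "subjects": [("kube-system", "cni-node")]},
    {"roleRef": "log-shipper", "subjects": [("logging", "log-shipper")]},
]

# Constructed DaemonSets, reduced to the pod-spec fields that matter here.
DAEMONSETS = [
    {"namespace": "kube-system", "name": "legacy-agent", "serviceAccountName": "legacy-agent",
     "hostPID": True, "hostNetwork": True, "privileged": True},
    {"namespace": "kube-system", "name": "cni-node", "serviceAccountName": "cni-node",
     "hostPID": False, "hostNetwork": True, "privileged": True},
    {"namespace": "logging", "name": "log-shipper", "serviceAccountName": "log-shipper",
     "hostPID": False, "hostNetwork": False, "privileged": False},
]


def rule_grants(rule, group, resource, verb):
    """True if one RBAC rule covers (group, resource, verb); '*' matches anything.
    Subresources such as pods/exec must be named explicitly, as in Kubernetes."""
    return (("*" in rule["apiGroups"] or group in rule["apiGroups"])
            and ("*" in rule["resources"] or resource in rule["resources"])
            and ("*" in rule["verbs"] or verb in rule["verbs"]))


def cluster_rules(namespace, sa_name):
    """Rules a service account gets via ClusterRoleBindings. Namespaced
    RoleBindings are ignored: they cannot hand out cluster-wide reach."""
    rules = []
    for binding in CLUSTER_ROLE_BINDINGS:
        if (namespace, sa_name) in binding["subjects"]:
            rules.extend(CLUSTER_ROLES.get(binding["roleRef"], []))
    return rules


def pivot_findings(rules):
    """Map each dangerous triple the rules allow to why it matters."""
    return {triple: why for triple, why in PIVOT_PERMISSIONS.items()
            if any(rule_grants(r, *triple) for r in rules)}


def node_isolation_findings(ds):
    """Pod settings that make escaping from this DaemonSet's container to the
    node trivial, i.e. that weaken the already-weak container boundary."""
    return [flag for flag in ("privileged", "hostPID", "hostNetwork") if ds.get(flag)]


def audit_daemonsets(daemonsets=DAEMONSETS):
    """Return {'ns/name': {'rbac': {...}, 'node': [...]}} for every DaemonSet.
    A non-empty 'rbac' entry marks a trampoline: landing on any node yields
    credentials that reach beyond that node."""
    report = {}
    for ds in daemonsets:
        rules = cluster_rules(ds["namespace"], ds["serviceAccountName"])
        report[f'{ds["namespace"]}/{ds["name"]}'] = {
            "rbac": pivot_findings(rules),
            "node": node_isolation_findings(ds),
        }
    return report


if __name__ == "__main__":
    for name, findings in audit_daemonsets().items():
        verdict = "TRAMPOLINE" if findings["rbac"] else "ok"
        print(f"{name}: {verdict}; node isolation weakened by {findings['node'] or 'nothing'}")
        for (group, resource, verb), why in findings["rbac"].items():
            print(f"    {group or 'core'} {resource} {verb}: {why}")
```

On a real cluster the same logic would run over the JSON from `kubectl get daemonsets,clusterrolebindings,clusterroles -A -o json`, and would also have to expand group subjects (for example `system:serviceaccounts`) and aggregated ClusterRoles, which the constructed data skips. The `log-shipper` DaemonSet shows the target state: it is present on every node but can only read pods and namespaces, so compromising its node gains the attacker nothing beyond that node.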


The discussion highlighted the value of the open-source tools RBAC Police and Checkov (by Bridgecrew), and all of this could easily be managed (including CSPM & CWPP) by an all-in-one solution that I love to recommend: Prisma Cloud by Palo Alto Networks. Yuval’s session was incredibly valuable, with an enlightening demonstration.


I look forward to continuing to explore this issue and invite you to reach out to me if you have any questions or would like to talk about a Prisma Cloud demo.
