Enterprise IT has moved beyond individual Docker containers into distributed applications based on Kubernetes container orchestration -- and so have attackers.
Container images remain prone to IT security risks, but as enterprises move "up the stack" into microservices and multi-cluster Kubernetes management, cybersecurity threats are pivoting in a similar direction, according to recent market research on Kubernetes security.
"Although attackers are becoming more sophisticated, they're equally on the search for easy, broad targets -- and Kubernetes is delivering such a target," read the 2022 "Cloud Native Threat Report" published last week by container runtime security vendor Aqua.
Aqua researchers found that 19% of the malicious container images they detected in public repositories targeted Kubernetes components, including the kubelet node agent and the API server, up from 9% in 2020. This marks a shift away from attackers' earlier focus on misconfigured Docker APIs, according to the report.
Moreover, these attacks were progressively more sophisticated, according to Aqua's research.
"With increasing frequency, we discovered backdoors, rootkits, and credential stealers -- signs that intruders have more than cryptomining in their plans," the report stated. "We encountered backdoors in roughly 54% of incidents in 2021, a 9 percentage point increase from 45% in 2020, [that] permit a threat actor to access a system remotely."
A confluence of trends now places Kubernetes at the center of the cybersecurity landscape. Most importantly, the platform has become the industry standard for cloud-native infrastructure automation, which means a vulnerability or a common misconfiguration in it is present in many environments at once and can be exploited at scale.
"It's of little surprise ... that bad actors are moving in greater volume toward leveraging vulnerabilities in poorly configured Kubernetes clusters and related management tools," said Daniel Kennedy, an analyst at 451 Research, a division of S&P Global. "First, it's a larger target, and second, wider deployment means a fairly common configuration vulnerability can be identified, and attack methods refined and commoditized."
Because Kubernetes is open source, and its rise coincides with the growing enterprise use of open source software, embedding malicious code and packages in obscure libraries buried deep within many layers of dependencies can be a fruitful infiltration path for attackers. Kubernetes also tends to be a part of automated application deployment systems, which can be used to carry out far-reaching software supply chain attacks.
Amid all of this, significant upstream changes are coming for Kubernetes security this year: the removal of Pod Security Policies (PSP), the built-in admission control over what a pod is allowed to do, in favor of the Pod Security Admission controller, and the removal of the dockershim, which ends in-tree support for the Docker Engine runtime in favor of CRI-compatible runtimes such as containerd and CRI-O.
In the wake of these changes, enterprises will need to move to new pod-level policy tools, in some cases adjust to a different container runtime, and potentially contend with unmonitored legacy Docker components, such as a Docker daemon and its socket still present on nodes, all of which create opportunities for attackers.
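To make the PSP-to-Pod-Security-Admission transition concrete, the following is an added example (not code from the article or from the Kubernetes project) that reimplements a subset of the documented "baseline" and "restricted" Pod Security Standards as plain checks. Pod Security Admission applies the same standards when a namespace carries the label pod-security.kubernetes.io/enforce=restricted. The two sample pods are constructed for the example; real manifests would be loaded with yaml.safe_load into the same dict shape.

```python
"""Audit a Pod manifest against a subset of the Kubernetes Pod Security Standards.

Added example, not code from the article or from the Kubernetes project. It
reimplements a handful of the documented "baseline" and "restricted" controls
so a PSP-era permissive pod can be compared with a compliant one offline.
Manifests are plain dicts (what yaml.safe_load returns); samples are constructed.
"""
from typing import Dict, List

ALLOWED_ADD_CAPS = {"NET_BIND_SERVICE"}            # the only capability restricted lets you add
ALLOWED_SECCOMP = {"RuntimeDefault", "Localhost"}  # restricted requires one of these
HOST_NAMESPACES = ("hostNetwork", "hostPID", "hostIPC")


def _containers(spec: Dict) -> List[Dict]:
    """Init and regular containers are both subject to the standards."""
    return list(spec.get("initContainers", [])) + list(spec.get("containers", []))


def audit_pod(pod: Dict) -> List[str]:
    """Return violations of the baseline/restricted subset; [] means it passed."""
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext", {})
    violations = []

    # Baseline: no host namespaces, no hostPath volumes, no privileged containers.
    for key in HOST_NAMESPACES:
        if spec.get(key):
            violations.append(f"baseline: spec.{key} must not be true")
    for vol in spec.get("volumes", []):
        if "hostPath" in vol:
            violations.append(f"baseline: volume {vol.get('name')} mounts a hostPath")

    for c in _containers(spec):
        name = c.get("name", "<unnamed>")
        sc = c.get("securityContext", {})
        if sc.get("privileged"):
            violations.append(f"baseline: container {name} is privileged")

        # Restricted: explicit opt-out of privilege escalation, drop all capabilities,
        # run as non-root, and use a seccomp profile (container level overrides pod level).
        if sc.get("allowPrivilegeEscalation", True):
            violations.append(f"restricted: container {name} must set allowPrivilegeEscalation=false")
        caps = sc.get("capabilities", {})
        if "ALL" not in caps.get("drop", []):
            violations.append(f"restricted: container {name} must drop ALL capabilities")
        extra = set(caps.get("add", [])) - ALLOWED_ADD_CAPS
        if extra:
            violations.append(f"restricted: container {name} adds disallowed capabilities {sorted(extra)}")
        if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
            violations.append(f"restricted: container {name} must set runAsNonRoot=true")
        seccomp = sc.get("seccompProfile", pod_sc.get("seccompProfile", {})).get("type")
        if seccomp not in ALLOWED_SECCOMP:
            violations.append(f"restricted: container {name} needs a RuntimeDefault or Localhost seccompProfile")
    return violations


# Constructed sample: the kind of "node agent" a PSP would have had to block.
PERMISSIVE_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "node-agent"},
    "spec": {
        "hostPID": True,
        "volumes": [{"name": "dockersock", "hostPath": {"path": "/var/run/docker.sock"}}],
        "containers": [{
            "name": "agent", "image": "example.invalid/agent:1",
            "securityContext": {"privileged": True},
            "volumeMounts": [{"name": "dockersock", "mountPath": "/var/run/docker.sock"}],
        }],
    },
}

# Constructed sample: the same workload written to pass the restricted profile.
HARDENED_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "node-agent"},
    "spec": {
        "securityContext": {"runAsNonRoot": True, "seccompProfile": {"type": "RuntimeDefault"}},
        "containers": [{
            "name": "agent", "image": "example.invalid/agent:1",
            "securityContext": {
                "allowPrivilegeEscalation": False,
                "capabilities": {"drop": ["ALL"]},
            },
        }],
    },
}

if __name__ == "__main__":
    for pod in (PERMISSIVE_POD, HARDENED_POD):
        print(pod["metadata"]["name"], audit_pod(pod) or "OK")
```

The permissive pod trips seven checks, the hardened one none. Running this over manifests in CI catches the regressions that PSP used to reject at admission time, while the cluster-side enforcement moves to the namespace label.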
Kubernetes complexity spurs vulnerabilities
Kubernetes infrastructure has always been complex, and increasingly sophisticated attacks exploit that complexity; at the often massive scale of Kubernetes deployments, they are also difficult to detect.
The 2021 "State of Kubernetes Security Report" by Red Hat found that 94% of the more than 500 DevOps, security and engineering pros it surveyed had experienced a security incident in the past year, and that misconfiguration was the cause of such incidents in nearly 60% of cases.
"Kubernetes and containers, while powerful, increase this risk substantially," the Red Hat report stated. "A single workload may require significant configuration to ensure a more secure and scalable application. Add on technical debt and organizational hurdles, and it is a challenge even for experienced Kubernetes professionals to get everything right all the time."
Misconfigured Kubernetes UIs were a favorite target of attackers, according to Aqua's report.
"An attacker who connects to such an environment gains full visibility, considerable control, and access to secrets," Aqua's report said. "Moreover, there are many other ways for an attacker to cause damage, such as changing settings and obtaining Kubernetes volumes."
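The exposed-UI and exposed-API findings above come down to a few settings. The following is an added example (not code from the article, Aqua or the Kubernetes project) that flags them offline: a kube-apiserver started with AlwaysAllow authorization or an insecure port, a kubelet configuration that accepts anonymous or unchecked requests, and cluster-admin bound to anonymous or catch-all groups or to a dashboard's service account. The flag lists, kubelet configs and ClusterRoleBindings below are constructed; in practice they come from the node's process arguments, its KubeletConfiguration file and kubectl get clusterrolebindings -o json.

```python
"""Flag control-plane and RBAC settings that hand an exposed cluster to anyone.

Added example, not code from the article, Aqua or the Kubernetes project.
Only the named flags/fields are inspected; sample inputs are constructed.
"""
from typing import Dict, List, Optional

CATCH_ALL_SUBJECTS = {"system:anonymous", "system:unauthenticated", "system:authenticated"}
POWERFUL_ROLES = {"cluster-admin"}


def _flag(args: List[str], name: str, default: Optional[str]) -> Optional[str]:
    """Value of --name=value in an argument list, else the upstream default."""
    for arg in args:
        if arg.startswith(name + "="):
            return arg.split("=", 1)[1]
    return default


def audit_apiserver_flags(args: List[str]) -> List[str]:
    findings = []
    anonymous = _flag(args, "--anonymous-auth", "true") == "true"                # upstream default: true
    modes = _flag(args, "--authorization-mode", "AlwaysAllow").split(",")       # upstream default: AlwaysAllow
    if "AlwaysAllow" in modes:
        findings.append("kube-apiserver: --authorization-mode includes AlwaysAllow; every authenticated request is permitted")
        if anonymous:
            findings.append("kube-apiserver: anonymous auth plus AlwaysAllow gives unauthenticated callers full control")
    # --insecure-port existed on releases before v1.24; nonzero serves the API without auth or TLS.
    if _flag(args, "--insecure-port", "0") != "0":
        findings.append("kube-apiserver: --insecure-port is enabled")
    return findings


def audit_kubelet_config(cfg: Dict) -> List[str]:
    """KubeletConfiguration checks; only explicitly weak values are flagged."""
    findings = []
    if cfg.get("authentication", {}).get("anonymous", {}).get("enabled") is True:
        findings.append("kubelet: authentication.anonymous.enabled is true")
    if cfg.get("authorization", {}).get("mode") == "AlwaysAllow":
        findings.append("kubelet: authorization.mode is AlwaysAllow")
    if cfg.get("readOnlyPort", 0):
        findings.append(f"kubelet: readOnlyPort {cfg['readOnlyPort']} exposes pod and node data without auth")
    return findings


def risky_cluster_role_bindings(bindings: List[Dict]) -> List[str]:
    """cluster-admin granted to catch-all subjects, or to a service account (e.g. a dashboard)."""
    findings = []
    for b in bindings:
        if b.get("roleRef", {}).get("name") not in POWERFUL_ROLES:
            continue
        bname = b.get("metadata", {}).get("name", "<unnamed>")
        for s in b.get("subjects", []):
            kind, name = s.get("kind"), s.get("name")
            if kind in ("Group", "User") and name in CATCH_ALL_SUBJECTS:
                findings.append(f"rbac: {bname} grants cluster-admin to {kind} {name}")
            elif kind == "ServiceAccount":
                findings.append(f"rbac: {bname} grants cluster-admin to ServiceAccount {s.get('namespace')}/{name}; review")
    return findings


# Constructed samples: a weak and a hardened variant of each input.
WEAK_APISERVER_ARGS = ["--anonymous-auth=true", "--authorization-mode=AlwaysAllow", "--insecure-port=8080"]
HARDENED_APISERVER_ARGS = ["--anonymous-auth=false", "--authorization-mode=Node,RBAC"]

WEAK_KUBELET_CFG = {"kind": "KubeletConfiguration",
                    "authentication": {"anonymous": {"enabled": True}},
                    "authorization": {"mode": "AlwaysAllow"}, "readOnlyPort": 10255}
HARDENED_KUBELET_CFG = {"kind": "KubeletConfiguration",
                        "authentication": {"anonymous": {"enabled": False}, "webhook": {"enabled": True}},
                        "authorization": {"mode": "Webhook"}, "readOnlyPort": 0}

SAMPLE_BINDINGS = [
    # Upstream bootstrap binding for system:masters; expected and not flagged.
    {"metadata": {"name": "cluster-admin"}, "roleRef": {"name": "cluster-admin"},
     "subjects": [{"kind": "Group", "name": "system:masters"}]},
    {"metadata": {"name": "everyone-admin"}, "roleRef": {"name": "cluster-admin"},
     "subjects": [{"kind": "Group", "name": "system:unauthenticated"}]},
    {"metadata": {"name": "dashboard-admin"}, "roleRef": {"name": "cluster-admin"},
     "subjects": [{"kind": "ServiceAccount", "name": "kubernetes-dashboard", "namespace": "kubernetes-dashboard"}]},
    {"metadata": {"name": "read-only-all"}, "roleRef": {"name": "view"},
     "subjects": [{"kind": "Group", "name": "system:authenticated"}]},
]

if __name__ == "__main__":
    for f in (audit_apiserver_flags(WEAK_APISERVER_ARGS) + audit_kubelet_config(WEAK_KUBELET_CFG)
              + risky_cluster_role_bindings(SAMPLE_BINDINGS)):
        print(f)
```

The apiserver defaults matter: --anonymous-auth is true upstream, which is harmless under Node,RBAC (anonymous users get nothing beyond discovery) but fatal under AlwaysAllow, so the check reports the combination rather than anonymous auth alone.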
The cybersecurity blast radius around Kubernetes widens even further given the interconnected nature of Kubernetes-based microservices apps via APIs, which attackers can use to subtly steal valuable data. For example, this month, Salt Labs researchers reported that they discovered a vulnerability that allowed them to use a misconfigured cryptographic key and a technique called server-side request forgery (SSRF) to gain administrative access to a fintech company's banking system. This unauthorized access included users' banking details and financial transactions. Salt Labs researchers informed the company about the vulnerability, which was fixed, but said the fintech company did not pick up on their activity while it was going on.
"[SSRF attacks] existed before we even had APIs," said Yaniv Balmas, vice president of research at Salt Labs, in an interview about the research. "The point here is that APIs [not only] introduce new vulnerabilities, but they also echo almost all of the previous vulnerabilities. ... But since we've changed the infrastructure, it may be harder to detect things now."
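As an added example of the SSRF defense a practitioner would want at the API layer (not code from the article, Salt Labs or any product named here), the function below validates a caller-supplied URL before a server-side fetch: only http(s), no credentials in the authority, no in-cluster or localhost names, and every address the host resolves to must be globally routable, which rules out cloud metadata (169.254.169.254), the in-cluster API server's service IP and loopback. The resolver is injected so the check runs offline against a constructed lookup table; the hostnames and addresses are assumptions for the example.

```python
"""Reject outbound request targets that an SSRF would typically abuse.

Added example, not code from the article, Salt Labs or any product it names.
The DNS table below is constructed; pass a real resolver in production.
"""
import ipaddress
from typing import Callable, Iterable
from urllib.parse import urlsplit

# Constructed stand-in for DNS (hostnames and addresses are assumptions).
FAKE_DNS = {
    "api.partner-bank.example": ["8.8.8.8"],
    "kubernetes.default.svc.cluster.local": ["10.96.0.1"],
    "metadata.google.internal": ["169.254.169.254"],
    "evil.example": ["8.8.4.4", "127.0.0.1"],  # one public, one loopback (rebinding-style)
}

DENIED_SUFFIXES = (".cluster.local", ".internal", ".localhost")


def fake_resolve(host: str) -> Iterable[str]:
    return FAKE_DNS.get(host, [])


def is_safe_outbound_url(url: str, resolve: Callable[[str], Iterable[str]] = fake_resolve) -> bool:
    """True only if the URL is http(s) and every resolved address is globally routable."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False
    if parts.username or parts.password:          # http://trusted@internal/ tricks
        return False
    host = parts.hostname                         # lowercased, brackets stripped for IPv6
    if not host:
        return False
    host = host.rstrip(".")
    if host == "localhost" or host.endswith(DENIED_SUFFIXES):
        return False
    try:
        addrs = [ipaddress.ip_address(host)]      # literal IPv4/IPv6 address
    except ValueError:
        # Not a literal (also catches integer/octal spellings such as 2130706433,
        # which ipaddress refuses); fall back to resolution.
        addrs = [ipaddress.ip_address(a) for a in resolve(host)]
    if not addrs:
        return False                              # unresolvable: refuse rather than guess
    for addr in addrs:
        mapped = getattr(addr, "ipv4_mapped", None)  # ::ffff:127.0.0.1 and friends
        if mapped is not None:
            addr = mapped
        if not addr.is_global:                    # private, loopback, link-local, shared, reserved
            return False
    return True


if __name__ == "__main__":
    for u in ("https://api.partner-bank.example/accounts",
              "http://metadata.google.internal/computeMetadata/v1/",
              "https://kubernetes.default.svc.cluster.local/api",
              "http://evil.example/"):
        print(u, is_safe_outbound_url(u))
```

Two caveats the check does not remove: the fetch must use the addresses validated here (or re-validate after its own lookup) to avoid a time-of-check/time-of-use gap, and redirects must be validated hop by hop, since a public host can 302 to an internal one.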
Sophisticated automation cuts both ways
The good news for enterprises is that advanced automation can be used to mitigate attacks as well as to conduct them. Tools from vendors such as Anchore and Sonrai Security detect misconfigurations in container images and Kubernetes deployments and suggest remediations. API security automation is a nascent field, but new AI-driven tools detect anomalous behavior on API-driven networks. It is also increasingly recognized that "shift left" DevSecOps practices must be complemented by "shift right" runtime monitoring of Kubernetes security after deployment.
Infrastructure automation utilities commonly used with Kubernetes, such as a service mesh, hold up well against complex security threats when used properly. At one large enterprise company in the Midwest, for example, fine-grained authentication and authorization rules in the Istio service mesh make the Pod Security Policies deprecation a nonissue, although the two controls operate at different layers: Istio policies govern which workloads may call which services, while PSP governed the privileges a pod could request from the node.
"Pod access is really locked down well here, especially in production," said the senior director of technology operations, who requested anonymity when discussing sensitive IT security practices. "For applications, we have a pretty nice setup in our auth providers, Istio and ingress/egress rules in the platform."
Some organizations choose to bypass Kubernetes security headaches by using cloud provider services, such as serverless computing, that handle container infrastructure details on behalf of the user.
"Moving up the stack, leveraging platform-as-a-service and serverless capabilities, can reduce the attack surface that a company needs to own," said David Strauss, co-founder and CTO of Pantheon.io, a web operations service provider in San Francisco that runs primarily in Google Cloud, including its Google Cloud Run serverless containers. "It's a lot easier to focus on just the immediate dependencies of an application or service than the entire stack down to the kernel."
Beth Pariseau, senior news writer at TechTarget, is an award-winning veteran of IT journalism. She can be reached at [email protected] or on Twitter @PariseauTT.