Questions tagged [kubernetes]

Kubernetes is an open-source container-orchestration system for automating application deployment, scaling, and management. It was originally designed by Google and is now maintained by the Cloud Native Computing Foundation.

37 questions
1
vote
4 answers

Ingress client certificate authenticate requires CA certificate to be stored in secret?

I want to enable client-certificate authentication in my AKS cluster and I have a basic question which I just don't seem to understand. As per the docs, ingress requires the CA certificate to be stored in a secret. My question is: Assuming that I…
sg1993
  • 113
  • 2
1
vote
2 answers

Hacking attempts from unknown source

I'm running a docker container in a Kubernetes cluster running in AWS. I exposed the container through a LoadBalancer service and limited access to it to just my IP address using AWS security groups, but I'm still getting GET/POST requests that seem…
Sadmi
  • 153
  • 6
1
vote
1 answer

How to implement zero trust concept on a pod running in Kubernetes?

I was thinking of using the Ambassador design pattern and filtering each request through Nginx with a WAF (mod_security or Naxsi) as a reverse proxy, with ACLs, authentication and authorization in front of the pod. What are the best practices? How to prevent the "soft belly" of each…
dev
  • 937
  • 1
  • 8
  • 23
1
vote
1 answer

Security loopholes while mapping .kube/config file on to docker as volume

I have a scenario where I have to install Kubernetes on a public cloud and access the Kubernetes via kubectl from a VM on my laptop. Kubectl accesses .kube/config to connect K8S API-Server to do the required operation. There is an application that…
B_B
  • 111
  • 2
1
vote
0 answers

Cost range of IPS solutions

We have a client web application running in Azure Kubernetes. There was an optional requirement to implement IPS for the application. It was considered optional, because the application that we are using is not of a complex network architecture. And…
Anonymous Platypus
  • 1,392
  • 3
  • 18
  • 33
1
vote
1 answer

URL rewrite spoofable

I am considering using URL rewrites in kubernetes nginx proxy to publish selected context paths in microservices which are run in a cluster running internal services. For example https://public.mycompany.com/microserviceone/api/v4/resource1 would be…
1
vote
0 answers

Instance metadata on IBM Cloud

Is there any way to get instance metadata on an IBM Cloud (a.k.a. Bluemix) K8s cluster from a compromised pod? Something like doing a curl to http://metadata.google.internal/computeMetadata/v1/instance/... on GKE clusters, or…
mcruz2401
  • 191
  • 1
  • 7
1
vote
1 answer

Security (IP discovering) on Kubernetes

I'm trying to improve my security knowledge of container environments. Recently I was playing around with a Kubernetes cluster. I saw this absolutely awesome link:…
OscarAkaElvis
  • 5,185
  • 3
  • 17
  • 48
0
votes
1 answer

What is the easiest way to find non-vulnerable container images?

I am fairly new to container image vulnerability scanning. There seem to be a lot of tools (e.g. Snyk, Trivy, Clair) that can identify vulnerable packages in container images. They also do a good job of identifying the fix version for the individual…
0
votes
1 answer

Capabilities DROP in container of Kubernetes pod running with specific UID

I am doing some security research on Kubernetes and I found something still mysterious to me, concerning capabilities. Example of simple pod: apiVersion: v1 kind: Pod metadata: name: my-pod-httpd spec: containers: - name: my-pod-httpd-c1 …
cactuschibre
  • 155
  • 9
0
votes
2 answers

In practice, how should you run privileged or 'root' container?

Running a container as root is a big "no" but are there times we really need to run privileged pods, or sometimes as root? If so (and feel free to disagree), what are the mitigation controls we can employ? There are some which I can think of: For…
0
votes
1 answer

Why do we use SELinux Policies as it overlaps other controls such as Linux Namespaces, K8S/Container security?

While learning SELinux policies in the Container/Kubernetes environment, I realized that there are other layers of controls that overlap with SELinux. In these cases, what additional value can I obtain from using SELinux? Examples are: SELinux…
0
votes
1 answer

What does default Seccomp, AppArmor and SELinux in Kubernetes Security mean?

What does default Seccomp, AppArmor, and SELinux in Kubernetes Security truly mean? Who and where provides the default profile? Does default mean it applies to containers, pods, or the Kubernetes administrator cluster itself? I've seen numerous…
0
votes
0 answers

Is it possible to exec pods in Kubernetes via a metrics server?

I am trying to exec arbitrary commands on a pod via the Kubernetes metrics server. I am doing so by sending HTTP requests to the metrics server endpoint. These are the paths that I can send requests to: { "paths": [ "/apis", …
0
votes
1 answer

Kubernetes user impersonation to obtain exec privileges

I am exploring CVE-2018-1002105 about privilege escalation vulnerabilities in Kubernetes. As a remote unauthenticated user, I would want to make use of a metrics server deployed on my cluster to exec arbitrary commands on any pod. I am quite…