Kubernetes adoption has skyrocketed in recent years, but security has often lagged behind. Not long ago, blatantly insecure settings were fairly common, allowing threat actors to compromise clusters with painfully simple attacks. Kubernetes platforms have made significant strides since those days, rooting out critical misconfigurations and establishing secure baselines. With fewer clusters vulnerable to straightforward attacks, threat actors are beginning to adapt and look for increasingly sophisticated attacks targeting subtler issues.
Recent malware samples indicate Kubernetes threat actors are beginning to target misconfigurations in Kubernetes Role-Based Access Control (RBAC). RBAC is an authorization scheme that governs the permissions of users, groups, pods and nodes over Kubernetes resources. When used correctly, RBAC can enforce least-privileged access and demoralize attackers. When misconfigured, it exposes the cluster to privilege escalation attacks and increases the blast radius of compromised credentials.
Security research group Unit 42 recently witnessed that trend in the wild as they caught a sample of Siloscape – a sophisticated piece of malware that chained together multiple vulnerabilities and misconfigurations to compromise Pods, escape and take over the underlying nodes, and ultimately gain control over entire Kubernetes clusters. The Siloscape malware’s final automated step: checking whether the node it compromised had excessive permissions. As simpler privilege escalation techniques lose relevance, adversaries begin to target Role-Based Access Control (RBAC) misconfigurations.
Here are 3 reasons you need to look out for and address RBAC misconfigurations and excessive permissions in your clusters:
Reason 1: RBAC misconfigurations are easy to miss
Seemingly restricted permissions can be surprisingly powerful, and in some cases on par with cluster admin. As a result, open-source projects and infrastructure components inadvertently ask for highly powerful permissions. To help users identify powerful permissions, Kubernetes is releasing a list of powerful permissions that may be abused to attack the cluster – get familiar with them!
Reason 2: RBAC misconfigurations are impactful
The blast radius of breaches and compromised credentials drastically increases when excessive permissions are distributed across a cluster. For example, if a node compromised through a container escape hosts pods with excessive permissions, the attacker can continue the attack beyond the compromised node and take over the rest of the cluster.
Reason 3: RBAC misconfigurations are solvable
Through proper configuration, RBAC can be transformed from a risk to another layer of defense. Kubernetes users should consider the following best practices and hardenings for RBAC:
- Assign permissions at the namespace level where possible, rather than the cluster level.
- Avoid providing wildcard permissions when possible, especially over all resources.
- Ideally, pods shouldn’t be assigned service accounts granted powerful permissions. When required, minimize the distribution and exposure of powerful credentials: refrain from running powerful DaemonSets, and segregate powerful pods from less-trusted ones.
- Enable the NodeRestriction admission controller to limit the permissions of Kubelets to only the necessary ones.
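The first three practices in the list above can be checked mechanically against a cluster's RBAC objects. The following audit sketch is an added example, not code from the original article or from any tool it mentions; the sample objects, their names, and the check names (`wildcard-rule`, `cluster-wide-grant`, `sa-with-wildcard`) are constructed for illustration.

```python
import json

# Constructed sample objects, shaped like the "items" array of kubectl's JSON output.
SAMPLE = json.loads("""[
 {"kind": "ClusterRole", "metadata": {"name": "ops-all"},
  "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
 {"kind": "Role", "metadata": {"name": "cm-reader", "namespace": "web"},
  "rules": [{"apiGroups": [""], "resources": ["configmaps"], "verbs": ["get"]}]},
 {"kind": "Role", "metadata": {"name": "deployer", "namespace": "web"},
  "rules": [{"apiGroups": ["apps"], "resources": ["deployments"], "verbs": ["*"]}]},
 {"kind": "ClusterRoleBinding", "metadata": {"name": "ops-all-binding"},
  "roleRef": {"kind": "ClusterRole", "name": "ops-all"},
  "subjects": [{"kind": "ServiceAccount", "name": "agent", "namespace": "monitoring"}]},
 {"kind": "RoleBinding", "metadata": {"name": "deployer-binding", "namespace": "web"},
  "roleRef": {"kind": "Role", "name": "deployer"},
  "subjects": [{"kind": "ServiceAccount", "name": "ci", "namespace": "web"}]}
]""")

def wildcard_fields(rule):
    """Fields of one RBAC rule that contain the '*' wildcard."""
    return [f for f in ("apiGroups", "resources", "verbs") if "*" in (rule.get(f) or [])]

def audit(objects):
    """Return sorted (check, subject, detail) findings; check names are hypothetical."""
    wild, findings = {}, set()
    for obj in objects:
        kind, meta = obj["kind"], obj["metadata"]
        if kind in ("Role", "ClusterRole"):
            fields = sorted({f for r in obj.get("rules") or [] for f in wildcard_fields(r)})
            if fields:
                wild[(kind, meta.get("namespace"), meta["name"])] = fields
                scope = meta.get("namespace", "<cluster>")
                findings.add(("wildcard-rule", f"{kind}:{scope}/{meta['name']}", ",".join(fields)))
    for obj in objects:
        if obj["kind"] not in ("RoleBinding", "ClusterRoleBinding"):
            continue
        ref = obj["roleRef"]
        # A Role reference resolves inside the binding's own namespace.
        ref_ns = obj["metadata"].get("namespace") if ref["kind"] == "Role" else None
        for s in (s for s in obj.get("subjects") or [] if s["kind"] == "ServiceAccount"):
            sa = f"{s.get('namespace')}/{s['name']}"
            if obj["kind"] == "ClusterRoleBinding":  # grant applies in every namespace
                findings.add(("cluster-wide-grant", sa, ref["name"]))
            if (ref["kind"], ref_ns, ref["name"]) in wild:
                findings.add(("sa-with-wildcard", sa, ref["name"]))
    return sorted(findings)

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

To audit a real cluster, pass the `items` array from `kubectl get roles,clusterroles,rolebindings,clusterrolebindings -A -o json` to `audit`. A `cluster-wide-grant` finding is a prompt to review whether a namespaced RoleBinding would suffice, not proof of a misconfiguration.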
RBAC misconfigurations may introduce new attack surfaces to a cluster. At the same time, proper configuration and best practice hardenings present an opportunity to contain and demoralize attackers. To learn more and gain a better understanding of RBAC risks and how you can address them in your clusters through open-source tools and best practices, consider joining us at our session on ‘Trampoline Pods: Node to Admin PrivEsc Built Into Popular K8s Platforms’ or visit the Prisma Cloud booth at KubeCon+CloudNativeCon Europe 2022, May 16-20.