by the service POD SERVICE “backend” CONTAINER 10.110.1.11 role: backend POD CONTAINER 10.120.2.22 role: backend POD CONTAINER 10.130.3.33 role: backend POD CONTAINER 10.140.4.44 role: frontend role: backend Pods and Services
Plane Kubernetes Architecture 24 API Server Controller Scheduler etcd Kubelet Containers Applications Attack Vector Attack Vector Risk Mitigation Access to node Compromise entire cluster SSH on secure ports, authn, authz Access to etcd Access secrets, labels and resources, understand system layout Run a private network, within a VPC, employ secure comms channels Access to K8s API server Compromise entire cluster TLS, use certificates, authn Inject control plane traffic Replace authentic K8s modules TLS, rotate credentials, patches, upgrades Access Kubelet Apply malicious actions to workloads Closed to external networks Container runtime Compromising workloads, escalate privileges to host Use hardened container runtimes Escape container to host Compromise entire cluster No root privileges, prevent escalation Intercept app traffic Compromise user data, potentially escape container to host if root is used Limit ports, persisted data are scanned for malware and viruses, good app sec hygiene Platform’s responsibilities Dev’s responsibilities Admin’s responsibilities As a platform, OpenShift handles these for you Source: OpenShift Security Guide
26 Source: OpenShift Security Guide A Practical Introduction to Container Terminology CRI-O is a container engine. It implements the Container Runtime Interface (CRI), to use OCI. CRI-O stands for Container Runtime Interface for OpenShift. runc is the container runtime that actually create containers. It’s OCI runtime standard reference implementation.
27 Sources: Configure a Security Context for a Pod or Container Managing Security Context Constraints SecurityContext defines privilege and access control settings for a Pod or Container, including but not limited to: • Permission to access an object based on UID and GID • Running as privileged or unprivileged • Give a process some additional Linux capabilities (privileges) • Filter a process’ system calls with Seccomp • AllowPrivilegeEscalation: control if a process can gain more privileges than its parents These are set with SecurityContextConstraints (SCC) can only be managed by users with cluster-admin Guidelines for application developers: • Don’t use root • Do use Red Hat Universal Base Image (UBI) as the base image – touched in Application Hardening section. Commander Data