Comments (2)
I think there's a cert pinning finding here too... reading through the docs, we get this:
Trusting the cluster root CA from an application running as a pod usually requires some extra application configuration. You will need to add the CA certificate bundle to the list of CA certificates that the TLS client or server trusts. For example, you would do this with a golang TLS config by parsing the certificate chain and adding the parsed certificates to the RootCAs field in the tls.Config struct.
So, there's likely to be certain portions of keys in the PKI that aren't within the known certs and can't be verified; likewise, there isn't really cert pinning or the like for components, and bundles are copied over. Therefore, attackers who can request certs, attackers who can modify the bundle, &c. could all attack the above that Dominik pointed out. Clearly they need to have some level of self-signed certs (for the root), but if they're copying over the bundles they can pretend to have a real PKI with CA/IA, so why InsecureSkipVerify and not cert pin (or at least TOFU a la HSTS/HPKP)?
So, how do they fix:
- Don't use InsecureSkipVerify; instead head in the direction that kubeadm is going and download certs as part of the install
- Use an actual PKI: if the Root CA is to be the cluster CA then make it the cluster CA and have an actual process for handling certs via the same
- Use Cert Pinning, HSTS, HPKP, TOFU, whatever, and enforce it for critical components like the API server and kube-proxy
- Implement OCSP Stapling to minimize contact with root CA
@tomsteele @btonic @disconnect3d thoughts?
from audit-kubernetes.
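The contrast the comment draws, as an added Go example that is not code from the audit or from the Kubernetes project: a client built with InsecureSkipVerify beside one that loads the cluster CA bundle into RootCAs (the step the quoted docs describe) and additionally pins the SHA-256 of the root's SubjectPublicKeyInfo, the pin form HPKP used. The CAs, the "kube-apiserver" leaf, the "rogue-ca" and the in-memory net.Pipe standing in for the network are all constructed for the demo; `issue`, `pinnedClientConfig` and `handshakes` are hypothetical helper names, not Kubernetes APIs.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"net"
	"time"
)

// issue creates a constructed certificate: a self-signed CA when parent is nil,
// else a loopback server leaf signed by parent. Returns cert, key and bundle PEM.
func issue(name string, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey, []byte) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		IPAddresses:  []net.IP{net.ParseIP("127.0.0.1")},
	}
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	if parent == nil { // self-signed root
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

// spkiPin is the SHA-256 of a certificate's SubjectPublicKeyInfo, the value a pin records.
func spkiPin(c *x509.Certificate) string {
	return fmt.Sprintf("%x", sha256.Sum256(c.RawSubjectPublicKeyInfo))
}

// pinnedClientConfig replaces InsecureSkipVerify: it trusts only the supplied CA
// bundle (RootCAs) and also requires the verified chain to end in the pinned root key.
func pinnedClientConfig(caBundlePEM []byte, serverName, pin string) (*tls.Config, error) {
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(caBundlePEM) {
		return nil, fmt.Errorf("CA bundle contains no certificates")
	}
	return &tls.Config{
		RootCAs:    pool,
		ServerName: serverName,
		// Invoked only after chain and hostname validation succeeded; chains holds
		// each validated path from the leaf up to a root found in the pool.
		VerifyPeerCertificate: func(_ [][]byte, chains [][]*x509.Certificate) error {
			for _, chain := range chains {
				if spkiPin(chain[len(chain)-1]) == pin {
					return nil
				}
			}
			return fmt.Errorf("server chain does not end in the pinned CA key")
		},
	}, nil
}

// handshakes reports whether a client using cfg completes a TLS handshake with a
// server presenting leaf; an in-memory pipe stands in for the network.
func handshakes(leaf *x509.Certificate, key ed25519.PrivateKey, cfg *tls.Config) bool {
	cconn, sconn := net.Pipe()
	srv := tls.Server(sconn, &tls.Config{Certificates: []tls.Certificate{{Certificate: [][]byte{leaf.Raw}, PrivateKey: key}}})
	go func() { srv.Handshake(); sconn.Close() }()
	err := tls.Client(cconn, cfg).Handshake()
	cconn.Close()
	return err == nil
}

// demo builds a constructed cluster CA and an unrelated rogue CA, a server leaf
// under each, and records how each client configuration treats each server.
func demo() map[string]bool {
	clusterCA, clusterKey, bundle := issue("cluster-ca", nil, nil)
	rogueCA, rogueKey, _ := issue("rogue-ca", nil, nil)
	genuine, gKey, _ := issue("kube-apiserver", clusterCA, clusterKey)
	rogue, rKey, _ := issue("kube-apiserver", rogueCA, rogueKey)
	insecure := &tls.Config{InsecureSkipVerify: true} // the setting under discussion
	pinned, _ := pinnedClientConfig(bundle, "127.0.0.1", spkiPin(clusterCA))
	wrongPin, _ := pinnedClientConfig(bundle, "127.0.0.1", spkiPin(rogueCA))
	return map[string]bool{
		"insecure accepts rogue server": handshakes(rogue, rKey, insecure),    // nothing is checked
		"pinned accepts genuine server": handshakes(genuine, gKey, pinned),    // chain and pin match
		"pinned rejects rogue server":   !handshakes(rogue, rKey, pinned),     // unknown authority
		"wrong pin rejects genuine":     !handshakes(genuine, gKey, wrongPin), // chain valid, pin differs
	}
}

func main() { fmt.Println(demo()) }
```

Every entry in the returned map is true: the InsecureSkipVerify client accepts a server issued by a CA it has never seen, while the pinned client rejects both an unknown authority and a correctly chained certificate whose root key is not the one pinned. The pin is checked in VerifyPeerCertificate rather than in place of RootCAs so that hostname, validity period and chain checks still run first.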
TOA-K8S-013