
Kubernetes Privilege Escalation: Container Escape == Cluster Admin?

Conference:  Black Hat USA 2022

2022-08-11

Summary

The presentation discusses the issue of container escape in Kubernetes and its potential impact on the entire cluster. The speaker emphasizes the importance of monitoring and limiting powerful permissions in the cluster to prevent container escape and recommends separating powerful pods from untrusted or publicly exposed pods.
  • In Kubernetes, a container escape lets an attacker take over the underlying host by exploiting a kernel vulnerability or a misconfiguration.
  • Container escape can lead to the compromise of the entire node or even the entire cluster.
  • Monitoring and limiting powerful permissions in the cluster can help prevent container escape.
  • Separating powerful pods from untrusted or publicly exposed pods can also limit the impact of container escape.
  • Audit and admission policies can be used to detect and prevent some attacks.
  • Kubernetes uses authentication and authorization to control access to resources.

Abstract

Kubernetes has become the de-facto way of running containerized applications on the cloud or on premise. Threat actors have noticed, launching Kubernetes-tailored campaigns and releasing dedicated malware with the ultimate goal of compromising clusters. On the defensive side, hardening containers remains a top priority: defenders hope to prevent container escapes, where a malicious container breaks out and gains control over its underlying node VM. Unfortunately, even with cutting-edge sandboxing techniques, it is inevitable that zero-day vulnerabilities in container runtimes, the Linux kernel, or Kubernetes itself will allow sophisticated attackers to break out of a rogue container.

That being said, an escape isn't necessarily game over! Defenders can still *contain* container breakouts by ensuring a compromised node cannot take over the entire cluster. Kubernetes has done a great job of de-privileging the node agent, the Kubelet. But nodes also host other credentials: their pods' service account tokens. Following a container escape, the attacker can easily harvest and abuse the tokens of neighboring pods. In other words, the impact of a container escape is largely dictated by the pods on the attacked node. Which pods run on the average node? Are powerful ones a rare sight or a common practice?

In this talk, Yuval and Shaul will reveal the powerful system pods quietly installed by popular Kubernetes platforms. They'll show how attackers may abuse these pods, and demo new privilege escalation techniques. Covering managed Kubernetes services and common open-source add-ons, they'll demonstrate how, on the most popular platforms today, a single container escape is often enough to take over the entire cluster.

Looking ahead, they'll present tools that flush out powerful pods and identify privilege escalation paths in a cluster, alongside mitigations that can detect and prevent such attacks. Join them as they embark on the journey of ensuring container escape != cluster admin.
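The abstract's central claim is that a node's blast radius is set by the service account tokens its pods mount. The following added example (written for this page, not one of the speakers' tools) scores a constructed pod and RBAC inventory with a small, assumed heuristic list of "powerful" cluster-wide grants, reports which nodes host a powerful token, and flags nodes where such a pod sits next to an exposed one; the inventory format, the rule list, and all names are assumptions.

```python
from collections import defaultdict
# Heuristic (verb, resource) pairs that amount to cluster takeover when granted
# cluster-wide. Illustrative list for this example, not an exhaustive rule set.
POWERFUL_RULES = {
    ("*", "*"),                           # cluster-admin style wildcard
    ("create", "pods"),                   # schedule a pod onto any node
    ("create", "clusterrolebindings"),    # grant any subject cluster-admin
    ("create", "serviceaccounts/token"),  # mint tokens for any service account
    ("list", "secrets"),                  # read every secret, including tokens
}

def rule_is_powerful(verb, resource):
    """True if a granted (verb, resource) matches a powerful pair, honoring wildcards."""
    return any(verb in (v, "*") and resource in (r, "*") for v, r in POWERFUL_RULES)

def powerful_service_accounts(bindings):
    """Service accounts (namespace, name) that hold a powerful rule cluster-wide."""
    return {b["subject"] for b in bindings
            if b["scope"] == "cluster"  # namespaced grants are ignored by this heuristic
            and any(rule_is_powerful(v, r) for v, r in b["rules"])}

def node_blast_radius(pods, bindings):
    """Map node -> sorted 'namespace/pod' names whose mounted token is powerful."""
    powerful = powerful_service_accounts(bindings)
    by_node = defaultdict(list)
    for p in pods:
        # A token that is not mounted cannot be harvested from the node's filesystem.
        if p["automount"] and (p["namespace"], p["serviceAccount"]) in powerful:
            by_node[p["node"]].append(f'{p["namespace"]}/{p["name"]}')
    return {node: sorted(names) for node, names in by_node.items()}

def risky_colocation(pods, bindings):
    """Nodes that host both a powerful pod and an exposed (internet-facing) pod."""
    powerful_nodes = set(node_blast_radius(pods, bindings))
    exposed_nodes = {p["node"] for p in pods if p["exposed"]}
    return sorted(powerful_nodes & exposed_nodes)
# Constructed sample inventory for the example; not data from a real cluster.
BINDINGS = [
    {"subject": ("kube-system", "csi-driver"), "scope": "cluster", "rules": [("list", "secrets"), ("get", "nodes")]},
    {"subject": ("kube-system", "metrics"), "scope": "cluster", "rules": [("list", "pods"), ("get", "nodes")]},
    {"subject": ("kube-system", "operator"), "scope": "cluster", "rules": [("*", "*")]},
    {"subject": ("default", "web"), "scope": "default", "rules": [("create", "pods")]},
]
PODS = [
    {"name": "csi-driver-7f2", "namespace": "kube-system", "serviceAccount": "csi-driver", "node": "node-1", "automount": True, "exposed": False},
    {"name": "web-frontend-a1", "namespace": "default", "serviceAccount": "web", "node": "node-1", "automount": True, "exposed": True},
    {"name": "metrics-9c4", "namespace": "kube-system", "serviceAccount": "metrics", "node": "node-2", "automount": True, "exposed": False},
    {"name": "operator-0", "namespace": "kube-system", "serviceAccount": "operator", "node": "node-3", "automount": False, "exposed": False},
]
```

On the sample data only node-1 carries a powerful mounted token (the CSI driver's cluster-wide secret read), and it also hosts the exposed frontend, which is exactly the colocation the talk recommends avoiding; the operator pod's cluster-admin token is ignored because it is not mounted.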
