
Cluster Grey Zone: Risks in Managed Cluster Middleware

2023-04-20

Authors: Shay Berkovich, Barak Sharoni


Summary

The presentation discusses the exploitation of a feature on the scope called custom plugin monitor, which extends the core functionality of the node problem detector (NPD) and enables an attack chain that can lead to persistence. The talk highlights the need for a multi-level approach to cluster security and the importance of understanding the components in worker nodes.
  • The custom plugin monitor feature on the scope can be exploited to write a script into the circle folder node problem detector, which can lead to persistence.
  • Misconfigurations and file-writing abilities of the pod can be exploited to execute scripts as root and establish persistence.
  • Kubernetes security controls do not take into account middleware components, and permission and CSP-based methods may need to be rethought.
  • A multi-level approach to cluster security is necessary, including understanding the impact of misconfigurations, log-based detection, agent-based detection, and sensor-based detection.
  • It is important to understand the components in worker nodes to ensure cluster security.
The speaker demonstrates how the custom plugin monitor feature can be exploited to access a guestbook PHP file and perform DRC. The attacker can easily determine that this is a pod running in AKS and can update batch threes to establish persistence. The attack happens under the radar of the API server, and the attacker can eventually spread to other nodes by using tokens.

Abstract

With the increase in K8s and cloud popularity, cloud security providers (CSPs) realized the advantages of offering Kubernetes as a PaaS to their users. Today the default deployment of production workloads is through the cloud-managed Kubernetes services, where the responsibility for securing the cluster is shared between the user and the CSP. While users are generally aware of their own workloads, there is a less-documented set of components, automatically deployed by the CSPs and running on worker nodes. We call it Managed Cluster Middleware (abbreviated MCM). A freshly deployed EKS node will typically have 3 additional pods; AKS and GKE deploy even more pods. The number increases depending on the features and plugins one chooses to add to the defaults. MCM can introduce an additional threat surface, with a footprint on every node and carrying high privileges, additional network exposure and vulnerabilities. Therefore, MCM can be an attractive target for attackers, while frequently omitted by scanners and configuration tools. This talk follows up on our previous research on cloud grey zone. We analyze the MCM security posture as we would approach the non-trusted deployments. Consequently, we review how users should adjust their K8s threat model in light of this research.
