
CSI Volume Attacks – The SRE Strikes Back

Authors:   Hendrik Land


Summary

The presentation discusses the security concerns around storage volumes dynamically provisioned through CSI and how to prevent unauthorized access to them.
  • CSI orchestrates the creation of volumes, snapshots, and clones but does not protect data from unauthorized access
  • Kubernetes provides inherent security models for protecting data
  • Namespaces can be used to separate resources within a cluster
  • The PVC is namespaced, but the underlying PV and storage class are global resources
  • Kubernetes ties the PV to the namespace once it is bound to a volume claim
  • The claim ref contains a reference to the PVC's namespace and UID, protecting the PV from being accessed by anyone outside the namespace
  • Deleting the PVC changes the PV's status to Released, but it is still protected by the claim ref
  • The PV can be reused by patching the claim ref and removing the UID reference of the old claim
  • The inherent security model of Kubernetes protects the PV even though it's not part of the namespace
The presenter demonstrates how the claim ref protects the PV from being accessed by anyone outside the namespace by creating a PVC and a simple Alpine pod that mounts the volume. The PV is bound to the volume claim and has a reclaim policy of Retain. When the presenter deletes the PVC, the PV's status changes to Released, but it is still protected by the claim ref. The presenter then patches the PV and removes the UID reference of the old claim, making the PV available for reuse.
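
An added example, not taken from the talk or from Kubernetes itself: a small Python audit that reads PV objects in the shape of `kubectl get pv -o json` and reports, from the phase and the claim ref, who could bind each volume next. The sample PVs, names and UIDs are constructed and the function names are hypothetical; it goes slightly beyond the demo by also covering a PV that has no claim ref at all.

```python
import json

# Constructed sample in the shape of `kubectl get pv -o json` (not data from the talk).
SAMPLE = json.loads("""
{"items": [
 {"metadata": {"name": "pv-bound"},
  "spec": {"persistentVolumeReclaimPolicy": "Retain",
           "claimRef": {"namespace": "team-a", "name": "data", "uid": "1111-aaaa"}},
  "status": {"phase": "Bound"}},
 {"metadata": {"name": "pv-released"},
  "spec": {"persistentVolumeReclaimPolicy": "Retain",
           "claimRef": {"namespace": "team-a", "name": "old", "uid": "2222-bbbb"}},
  "status": {"phase": "Released"}},
 {"metadata": {"name": "pv-patched"},
  "spec": {"persistentVolumeReclaimPolicy": "Retain",
           "claimRef": {"namespace": "team-a", "name": "old"}},
  "status": {"phase": "Available"}},
 {"metadata": {"name": "pv-open"},
  "spec": {"persistentVolumeReclaimPolicy": "Retain"},
  "status": {"phase": "Available"}}
]}
""")


def classify(pv):
    """Map one PV object to (state, who may bind it next)."""
    ref = pv.get("spec", {}).get("claimRef")
    phase = pv.get("status", {}).get("phase", "Unknown")
    if not ref:
        # No claimRef at all: nothing ties the PV to a namespace.
        return "open", "any matching PVC in any namespace"
    target = f"{ref.get('namespace')}/{ref.get('name')}"
    if not ref.get("uid"):
        # UID removed (or PV pre-bound): reserved by namespace and name only.
        return "reserved", f"a PVC named {target}"
    if phase == "Released":
        # The old claim is gone, but its UID still pins the PV.
        return "released", f"nobody until an admin edits the claimRef ({target})"
    return "bound", f"only the existing claim {target}"


def audit(pv_list):
    """Return {pv name: (state, who may bind)} for every PV in the list."""
    return {pv["metadata"]["name"]: classify(pv) for pv in pv_list.get("items", [])}


if __name__ == "__main__":
    for name, (state, who) in audit(SAMPLE).items():
        print(f"{name:12} {state:9} next binder: {who}")
```

The "reserved" and "open" rows are the ones worth reviewing after any manual claim ref patch, since they decide which namespace can pick up the retained data.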

Abstract

Container Storage Interface (CSI) has made it easy for stateful workloads to consume storage - but does it protect your data from unauthorized access? The CSI standard only orchestrates the creation of volumes, snapshots or clones. How do you ensure that neither other workloads in the same Kubernetes cluster nor someone outside the cluster can access your data? You will learn the inherent security models provided by Kubernetes as well as additional configurations you can and should apply. Beyond concepts and architecture, a series of short demos will cover topics such as:
  • Security of Persistent Volume Claims and Persistent Volumes throughout their lifecycle
  • Pod Security Policies and volume types
  • File system permissions on your volumes
  • Securing common storage protocols such as iSCSI and NFS
  • Securing CSI drivers in your cluster
