Questions tagged [kubernetes]

Kubernetes is an open-source container-orchestration system for automating application deployment, scaling, and management. It was originally designed by Google and is now maintained by the Cloud Native Computing Foundation.

2 votes
1 answer
84 views

Can strtok()'s static buffer enable cross-container attacks in Kubernetes when containers share libc through copy-on-write? In Kubernetes, containers running on the same node often share memory pages ...
Łukasz D. Tulikowski
0 votes
0 answers
131 views

I have implemented modsecurity/owasp in my Kubernetes environment. Most of it works but I am facing an issue whenever there are query parameters in the URL. Even though the page and request is/looks valid,...
adi658
  • 1
1 vote
1 answer
166 views

HashiCorp Vault Agent creates a sidecar that talks to the Vault server and injects secrets as files into containers, where the files are located under /vault/secrets/. "render all defined ...
PatPanda
  • 111
3 votes
2 answers
780 views

According to the OIDC specification: The issuer value returned MUST be identical to the Issuer URL that was used as the prefix to /.well-known/openid-configuration to retrieve the configuration ...
iamsecb
  • 45
1 vote
0 answers
119 views

We have several on-premises Kubernetes clusters that need to utilize AWS services. Currently, we use traditional IAM Users with static credentials, but we recognize this is a bad practice. We want to ...
Catriel Goodman
0 votes
1 answer
392 views

In Kubernetes clusters, we often wish to provide temporary credentials to the containerised processes running in a particular pod, usually marked by associating the pod with a service account. ...
benjimin
  • 195
2 votes
0 answers
111 views

Let’s say that an attacker, through some chain of exploits, manages to get root on a Kubernetes node. Can they disable network policies on that node? I know that to a large extent this depends on the ...
Neil Madden
1 vote
1 answer
1k views

Since the pods share the same subnet, is it possible that one pod can sniff the network packets of other pods? Please explain the reason. Note: I created 3 pods in the same namespace, on one pod I ran ...
warrior-oo7
1 vote
0 answers
203 views

I am working on an application running in/on a hosted Kubernetes cluster. All services are built using a Java based stack. For a new feature it is required to temporarily store notifications (email ...
Ratlos
  • 67
4 votes
1 answer
4k views

I am trying to mount a secret in the pod securely. I have created the secrets with defaultMode: 0400 and runAsUser:1000. However, when I am trying to access the secret in the container after doing exec ...
warrior-oo7
0 votes
1 answer
195 views

I am trying to integrate our service with SSO. I have generated the ClientID and ClientSecret. Is it a good security practice to store the ClientID and ClientSecret as a configmap? If not, what are the ...
warrior-oo7
2 votes
1 answer
217 views

Fair warning - I am a security newbie. In all container escape/breakout vulnerability scenarios I've read (CVE-2022-0185), the author assumes or states that the attacker already had shell or SSH ...
Patrick Burke
1 vote
1 answer
340 views

I've spent a few weeks on GCP and GKE (Kubernetes) trying to figure out how to store customer secrets. The secrets are used by some application even when the user is not logged on so I want to ensure ...
Johan Hanssen Seferidis
5 votes
2 answers
2k views

How do companies manage SIEM for Kubernetes environments? I am specifically interested in running CIS benchmarks and auditing OS events on the nodes. I already have a Wazuh cluster and agents rolled ...
Lester
  • 151
1 vote
1 answer
198 views

Judging from what I can see, exposure of the API kubernetes can be especially risky. It seems there are methods for protecting this, but I am hesitant to consider these as adequate solutions. I am ...
LUser
  • 846