
Attack Matrix for Kubernetes - based2
https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/
======
freehunter
We use the MITRE ATT&CK framework at my infosec consulting company quite
heavily. It's the structure we use to define security content, allowing us to
use the same language with our clients that auditors do, and allowing us to
use the same language between customers to assess client- or industry-specific
threats across all of our customers.

Having a high level framework to discuss threats helps, but so does the process
of laying out all the possible threats. It's a kind of checklist: have I
secured this properly? Have I thought about all the attack vectors?

I hope these MITRE-style attack matrices catch on more.

~~~
kitotik
The whole industry seems to be standardizing around it. It is quite awesome.

The main problem I’m already seeing is CXOs treating it like a
checklist/dashboard, which of course is futile as it’s meant to be prioritized
similar to a product backlog.

~~~
tmpz22
Is it better to conform natural human mental models to security practices or
to conform security practices to natural human mental models?

------
jrockway
Another thing to be mindful of is the service account token that each pod
gets. While these rarely have access to the entire cluster, it is relatively
easy to configure an application to bridge HTTP requests to the API server,
which would be a minor disaster. (I noticed this while writing a small Envoy
control plane. Everything exists in my config format to pick up the TLS
certificates that the Envoy pod already has to create a backend that points to
your API server, automatically giving any HTTP requests routed to that backend
the credentials of the Envoy pod itself. Add a route in the route table, and
now you have a publicly-available route to your API server. You would have to
go out of your way to do this, but it's something to keep in mind -- pods have
more privileges than just "run the program in the container".)

------
chvid
Openshift sells itself as a more secure Kubernetes ... does anyone know how much
of this it mitigates?

~~~
chrisfosterelli
I haven't administered an OpenShift cluster but I've used one and you notice
the difference in policy approach. OpenShift seems to have a lot of default
policies that are more aggressive than Kubernetes. A lot of container images
from Docker Hub just don't run at all on OpenShift without modification due to
this.

The biggest thing is that they don't allow containers to run as root, but they
also have other features like blocking hostPath mounts and offering SELinux
integration. Nearly all of this can be turned off (if you have permissions to
do that in the RBAC) but they generally take the "secure by default" approach.

~~~
freedomben
Correct. OpenShift by default will start your container with a "random" UID
(it's not technically random but to a user it will feel that way), so not only
is root disallowed but you also can't anticipate being any specific user. This
can feel annoying at times but has important implications for running on the
host. You can read more here if interested:
[https://cookbook.openshift.org/users-and-role-based-access-c...](https://cookbook.openshift.org/users-and-role-based-access-control/why-do-my-applications-run-as-a-random-user-id.html)

OpenShift also moves to CRI-O and rootless containers in later versions, which
further protects hosts.
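The three hardening points raised in this subthread and in jrockway's comment above (the service account token mounted into every pod, containers that run as root, and hostPath mounts) can all be checked from the pod manifest alone. The linter below is an added example, not code from the Microsoft article, OpenShift, or any commenter; the two pod manifests are constructed samples, and the image name and UID are placeholders.

```python
"""Lint pod manifests for three weak defaults: an automatically mounted
service account token, containers that may run as root, and hostPath
volumes.  Added example; the manifests below are constructed samples."""
import json
from typing import Dict, List

# Constructed sample: a proxy pod with the Kubernetes defaults left in place.
PERMISSIVE_POD: Dict = json.loads("""
{
  "apiVersion": "v1",
  "kind": "Pod",
  "metadata": {"name": "proxy-permissive"},
  "spec": {
    "containers": [
      {"name": "proxy",
       "image": "registry.example/proxy:1.0",
       "volumeMounts": [{"name": "hostroot", "mountPath": "/host"}]}
    ],
    "volumes": [{"name": "hostroot", "hostPath": {"path": "/"}}]
  }
}
""")

# Constructed sample: the same workload with the defaults tightened.
HARDENED_POD: Dict = json.loads("""
{
  "apiVersion": "v1",
  "kind": "Pod",
  "metadata": {"name": "proxy-hardened"},
  "spec": {
    "automountServiceAccountToken": false,
    "securityContext": {"runAsNonRoot": true, "runAsUser": 10001},
    "containers": [
      {"name": "proxy",
       "image": "registry.example/proxy:1.0",
       "securityContext": {"allowPrivilegeEscalation": false}}
    ],
    "volumes": [{"name": "tmp", "emptyDir": {}}]
  }
}
""")


def lint_pod(pod: Dict) -> List[str]:
    """Return one finding per weak setting; an empty list means clean."""
    findings: List[str] = []
    spec = pod.get("spec", {})

    # 1. Service account token.  Kubernetes mounts it unless the pod (or its
    #    ServiceAccount object) sets automountServiceAccountToken: false.
    #    This linter only sees the pod, so it flags the pod-level default.
    if spec.get("automountServiceAccountToken", True):
        findings.append(
            "service account token will be mounted into every container "
            "(spec.automountServiceAccountToken defaults to true)")

    # 2. Root.  A container-level securityContext overrides the pod-level one,
    #    so merge them before deciding.
    pod_sc = spec.get("securityContext", {})
    for container in spec.get("containers", []):
        sc = {**pod_sc, **container.get("securityContext", {})}
        may_be_root = (not sc.get("runAsNonRoot")
                       and sc.get("runAsUser") in (None, 0))
        if may_be_root:
            findings.append(
                f"container {container['name']!r} may run as root "
                "(set runAsNonRoot: true or a non-zero runAsUser)")

    # 3. hostPath volumes expose part of the node filesystem to the pod.
    for volume in spec.get("volumes", []):
        if "hostPath" in volume:
            findings.append(
                f"volume {volume['name']!r} is a hostPath mount of "
                f"{volume['hostPath'].get('path', '?')!r}")
    return findings


if __name__ == "__main__":
    for pod in (PERMISSIVE_POD, HARDENED_POD):
        print(pod["metadata"]["name"])
        for finding in lint_pod(pod) or ["no findings"]:
            print("  -", finding)
```

The permissive manifest produces three findings and the hardened one none. The token check is the one most worth wiring into CI: a pod whose process never calls the API server has no reason to carry credentials for it, and dropping the mount removes the bridging scenario jrockway describes regardless of what the application later proxies.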

------
Legogris
Duplicate of

[https://news.ycombinator.com/item?id=22772179](https://news.ycombinator.com/item?id=22772179)

[https://news.ycombinator.com/item?id=22784713](https://news.ycombinator.com/item?id=22784713)

[https://news.ycombinator.com/item?id=22834195](https://news.ycombinator.com/item?id=22834195)

(Reposting is all good when things get buried, but this is the third time I
see this on the top front page with no comments)

~~~
merricksb
All the submissions are by different people, all of whom have a very solid
history on HN.

So it doesn't count as self-promotion or manipulation.

It just seems to be an article that multiple users found interesting, but that
has fallen through the cracks so far.

~~~
Legogris
Seems like it - when I posted my comment the post had 3 points and mine was
the only comment. Good to see that it eventually sparked some interesting
conversation!

------
Svip
Is it Hacker News that re-edits the headlines? At first I thought the headline
meant "attack Matrix", i.e. matrix.org, for the purpose of helping Kubernetes.
Like a call to arms. But then it made little sense to me that the origin
domain was microsoft.com. Man, capitalisation really matters, I guess.

