@EliFuzz
Created September 4, 2023 08:12
Overview Table: Kubernetes Threats

| Security Threat | Description | Examples | Prevention and Mitigation |
|---|---|---|---|
| Misconfiguration | Unauthorized access, data leakage, denial of service, or cluster takeover due to improper configuration | - Exposing the Kubernetes dashboard or API server to the public internet without proper authentication and authorization<br>- Running containers as root or with privileged access<br>- Not enforcing resource limits or quotas for pods and namespaces<br>- Not applying network policies or firewalls to restrict traffic between pods or clusters<br>- Not encrypting sensitive data at rest or in transit | - Use a Kubernetes distribution or service that provides pre-configured security controls and updates<br>- Use tools and frameworks that help automate and validate configuration, such as Helm, Kustomize, OPA, etc.<br>- Use vulnerability scanners and configuration management tools that can detect and alert on any misconfiguration or compliance issues, such as Red Hat Advanced Cluster Security for Kubernetes, Snyk, etc.<br>- Implement a security policy and governance model that defines roles, responsibilities, and permissions for Kubernetes users and resources<br>- Review and audit configuration regularly and apply patches and updates as soon as possible |
| Vulnerabilities | Remote code execution, privilege escalation, data tampering, or information disclosure due to code or package flaws | - CVE-2020-8554: Man-in-the-middle vulnerability allowing interception of traffic from other pods or nodes in the cluster<br>- CVE-2020-8558: Privilege escalation vulnerability allowing creation or deletion of custom resource definitions in the cluster<br>- CVE-2019-5736: Container escape vulnerability allowing overwriting of the host runc binary and gaining root access on the host<br>- CVE-2018-1002105: Proxy request handling flaw allowing arbitrary requests to backend servers through the Kubernetes API server | - Use trusted and verified container images from reputable sources and repositories<br>- Scan container images for vulnerabilities before deploying them to the cluster<br>- Use tools and frameworks that help automate and secure the container build pipeline, such as Tekton, Jenkins X, etc.<br>- Use tools and frameworks that help monitor and protect running containers and workloads, such as Falco, Sysdig Secure, etc.<br>- Implement a vulnerability management process including identification, assessment, remediation, and verification of vulnerabilities |
| Attacks | Data theft, ransomware infection, cryptojacking, denial of service, or cluster compromise due to exploitation of vulnerabilities or misconfigurations | - Siloscape: Obfuscated malware operating in Windows containers that opens a backdoor when Kubernetes clusters are poorly configured<br>- TeamTNT: Cybercrime group targeting cloud environments with exposed Docker APIs that deploys malicious containers performing cryptojacking and stealing cloud credentials<br>- Cloud Snooper: Sophisticated attack using a rootkit to bypass firewall rules and communicate with a command-and-control server, targeting Linux servers running on AWS, Azure, or other cloud platforms | - Use strong authentication and authorization mechanisms for Kubernetes users and resources, such as RBAC, OIDC, mTLS, etc.<br>- Use encryption techniques for data at rest and in transit, such as KMS, TLS, etc.<br>- Use tools and frameworks that help detect and respond to anomalous or malicious activities in the cluster, such as Prometheus, Grafana Loki, Alertmanager, etc.<br>- Implement an incident response plan including preparation, identification, containment, eradication, recovery, and lessons learned phases |
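As an added example that is not part of the original gist, the Python script below turns several items from the table into static checks you can run against manifests before they reach a cluster: from the Misconfiguration row, privileged containers, containers that may run as root, missing CPU/memory limits and namespaces with no NetworkPolicy; from the Vulnerabilities row, the advice to use trusted images, expressed as "pulled from an approved registry and pinned by digest". The two Pod manifests, the NetworkPolicy, the registry name `registry.example` and the all-zero digest are constructed for illustration, and the trusted-registry list is an assumption; manifests are written as Python dicts (the JSON form the Kubernetes API accepts) so no YAML library is needed.

```python
"""Static checks for the table's Misconfiguration and Vulnerabilities rows.

Added example, not from the original gist. Manifests are Python dicts
(the JSON form the Kubernetes API accepts) so no YAML library is needed.
All sample values below are constructed for illustration.
"""

# Assumption: the organisation's own registry is the only trusted source.
TRUSTED_REGISTRIES = ("registry.example/",)

# Constructed sample: a Pod exhibiting several items from the table.
WEAK_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "web", "namespace": "shop"},
    "spec": {"containers": [{
        "name": "web",
        "image": "nginx:latest",                  # public registry, mutable tag
        "securityContext": {"privileged": True},  # no runAsNonRoot, no limits
    }]},
}

# Constructed sample: the same Pod after hardening (digest is a placeholder).
HARDENED_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "web", "namespace": "shop"},
    "spec": {
        "securityContext": {"runAsNonRoot": True, "runAsUser": 10001},
        "containers": [{
            "name": "web",
            "image": "registry.example/web@sha256:" + "0" * 64,
            "securityContext": {"privileged": False,
                                "allowPrivilegeEscalation": False},
            "resources": {"limits": {"cpu": "500m", "memory": "256Mi"}},
        }],
    },
}

# Constructed sample: default-deny NetworkPolicy for the same namespace.
DEFAULT_DENY = {
    "apiVersion": "networking.k8s.io/v1", "kind": "NetworkPolicy",
    "metadata": {"name": "default-deny", "namespace": "shop"},
    "spec": {"podSelector": {}, "policyTypes": ["Ingress", "Egress"]},
}


def check_image(image):
    """Return a finding for an image reference, or None if it is acceptable."""
    if not image.startswith(TRUSTED_REGISTRIES):
        return f"image {image!r} is not from a trusted registry"
    if "@sha256:" not in image:
        return f"image {image!r} is not pinned by digest; a tag can be re-pointed after scanning"
    return None


def audit_pod(pod):
    """Findings for one Pod: privileged, may run as root, missing limits, image."""
    findings = []
    meta = pod.get("metadata", {})
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext", {})
    for c in spec.get("containers", []):
        cname = f"{meta.get('namespace', 'default')}/{meta.get('name')}:{c['name']}"
        sc = c.get("securityContext", {})
        if sc.get("privileged"):
            findings.append(f"{cname} runs privileged")
        # A container-level value overrides the pod-level one.
        if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
            findings.append(f"{cname} may run as root (runAsNonRoot not set)")
        limits = c.get("resources", {}).get("limits", {})
        for res in ("cpu", "memory"):
            if res not in limits:
                findings.append(f"{cname} has no {res} limit")
        image_finding = check_image(c.get("image", ""))
        if image_finding:
            findings.append(f"{cname}: {image_finding}")
    return findings


def audit(resources):
    """Audit a list of manifests; also flag namespaces with no NetworkPolicy."""
    findings = []
    pod_namespaces, covered = set(), set()
    for r in resources:
        ns = r.get("metadata", {}).get("namespace", "default")
        if r.get("kind") == "Pod":
            pod_namespaces.add(ns)
            findings.extend(audit_pod(r))
        elif r.get("kind") == "NetworkPolicy":
            covered.add(ns)
    for ns in sorted(pod_namespaces - covered):
        findings.append(f"namespace {ns} has no NetworkPolicy; pod traffic is unrestricted")
    return findings


if __name__ == "__main__":
    for f in audit([WEAK_POD]):
        print("WEAK:", f)
    print("hardened findings:", audit([HARDENED_POD, DEFAULT_DENY]))
```

Running the script reports six findings for the weak Pod (privileged, may run as root, no CPU limit, no memory limit, untrusted image, no NetworkPolicy in its namespace) and none for the hardened Pod once the default-deny policy is present. A check like this only sees what is in the manifests it is given; in a live cluster the same rules belong in an admission controller (the table names OPA for this) so that a manifest that fails them is rejected rather than merely reported.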