Frameworks: MITRE, AllControls, YAML-scanning
When the cluster is deployed in the cloud, attackers who gain access to a container in the cluster can in some cases use that foothold to obtain cloud credentials. For example, in AKS each node holds a service principal credential in a file on the node's filesystem (/etc/kubernetes/azure.json); a container that mounts that file from the node can read the credential and use it against the cloud API with the service principal's permissions.
Supported Kubernetes resources: CronJob, DaemonSet, Deployment, Job, Pod, ReplicaSet, StatefulSet
What this control tests: it checks which workloads declare hostPath volumes that point at known cloud credential files on the node, such as /etc/kubernetes/azure.json on Azure. Note that a hostPath mount of a parent directory (for example /etc/kubernetes, or the whole node filesystem via /) exposes the same file, so such mounts deserve the same scrutiny as a mount of the file itself.
Remediation: refrain from using hostPath volume mounts in workloads. A container without a hostPath volume has no route to the node's filesystem and therefore cannot read credential files stored there.
Example of a manifest that fails this control:

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: test-pd
spec:
  containers:
  - image: k8s.gcr.io/test-webserver
    name: test-container
    volumeMounts:
    - mountPath: /test-pd
      name: test-volume
  volumes:
  - name: test-volume
    hostPath:             # This field triggers failure!
      path: /data
      type: Directory
```
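The following script is an added example of how the check described above can be run over workload manifests; it is not Kubescape's own rule code. It walks the pod template of each supported workload kind, reports every hostPath volume (the remediation is to avoid them altogether), and additionally marks a volume as credential-exposing when its path equals, or is a parent directory of, a known credential file on the node. The Azure path comes from the control text; the AWS and GCP paths are assumptions added to show the same check generalised to other clouds. The manifests are constructed inline as dicts (in practice they would come from `kubectl get ... -o json` or `yaml.safe_load`).

```python
"""Report hostPath volumes that can expose node-held cloud credentials.

Added example, not Kubescape's rule implementation. Input objects are plain
dicts with the shape of Kubernetes API objects.
"""
from pathlib import PurePosixPath

# Known credential files on cloud nodes. /etc/kubernetes/azure.json is the path
# named by the control; the remaining entries are assumptions for other clouds.
KNOWN_CREDENTIAL_PATHS = [
    "/etc/kubernetes/azure.json",
    "/root/.azure/azureProfile.json",
    "/root/.aws/credentials",
    "/root/.config/gcloud/application_default_credentials.json",
]

# Location of the pod spec inside each workload kind this control covers.
POD_SPEC_PATH = {
    "Pod": ("spec",),
    "CronJob": ("spec", "jobTemplate", "spec", "template", "spec"),
}
for _kind in ("DaemonSet", "Deployment", "Job", "ReplicaSet", "StatefulSet"):
    POD_SPEC_PATH[_kind] = ("spec", "template", "spec")


def pod_spec(obj):
    """Return the pod spec dict of a workload object, or None if unsupported."""
    path = POD_SPEC_PATH.get(obj.get("kind"))
    if path is None:
        return None
    node = obj
    for key in path:
        node = node.get(key) if isinstance(node, dict) else None
        if node is None:
            return None
    return node


def credential_exposed_by(host_path):
    """Return the credential file a hostPath exposes, or None.

    A mount exposes a file when it mounts the file itself or any ancestor
    directory (mounting / or /etc/kubernetes exposes azure.json just as well).
    """
    mount = PurePosixPath(host_path)
    for cred in KNOWN_CREDENTIAL_PATHS:
        cred_path = PurePosixPath(cred)
        if mount == cred_path or mount in cred_path.parents:
            return cred
    return None


def scan(objects):
    """Return one finding per hostPath volume across all supported workloads."""
    findings = []
    for obj in objects:
        spec = pod_spec(obj)
        if spec is None:
            continue
        workload = f"{obj['kind']}/{obj.get('metadata', {}).get('name', '?')}"
        for vol in spec.get("volumes") or []:
            host_path = (vol.get("hostPath") or {}).get("path")
            if not host_path:
                continue  # not a hostPath volume (or malformed, no path)
            findings.append({
                "workload": workload,
                "volume": vol.get("name"),
                "hostPath": host_path,
                "credential": credential_exposed_by(host_path),
            })
    return findings


# Constructed sample manifests (not from any real cluster).
SAMPLE_OBJECTS = [
    {"apiVersion": "apps/v1", "kind": "Deployment",
     "metadata": {"name": "azure-scraper"},
     "spec": {"template": {"spec": {"volumes": [
         {"name": "creds",
          "hostPath": {"path": "/etc/kubernetes/azure.json", "type": "File"}}]}}}},
    {"apiVersion": "apps/v1", "kind": "DaemonSet",
     "metadata": {"name": "node-agent"},
     "spec": {"template": {"spec": {"volumes": [
         {"name": "rootfs", "hostPath": {"path": "/"}},   # whole node filesystem
         {"name": "tmp", "emptyDir": {}}]}}}},
    {"apiVersion": "v1", "kind": "Pod",
     "metadata": {"name": "test-pd"},
     "spec": {"volumes": [
         {"name": "test-volume", "hostPath": {"path": "/data", "type": "Directory"}}]}},
    {"apiVersion": "batch/v1", "kind": "CronJob",
     "metadata": {"name": "nightly"},
     "spec": {"jobTemplate": {"spec": {"template": {"spec": {"volumes": [
         {"name": "scratch", "emptyDir": {}}]}}}}}},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_OBJECTS):
        level = "CREDENTIAL EXPOSED" if f["credential"] else "hostPath present"
        print(f"{level}: {f['workload']} volume={f['volume']} "
              f"path={f['hostPath']} credential={f['credential']}")
```

The DaemonSet that mounts `/` is the case a path-equality check misses: it never names azure.json, yet the file is reachable under the mount point. The `/data` pod from the manifest above is still reported because any hostPath is against the remediation, but without a credential match.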