C-0037 - CoreDNS poisoning
Framework
MITRE
Severity
Medium
Description of the the issue
CoreDNS is a modular Domain Name System (DNS) server written in Go, hosted by Cloud Native Computing Foundation (CNCF). CoreDNS is the main DNS service that is being used in Kubernetes. The configuration of CoreDNS can be modified by a file named corefile. In Kubernetes, this file is stored in a ConfigMap object, located at the kube-system namespace. If attackers have permissions to modify the ConfigMap, for example by using the container’s service account, they can change the behavior of the cluster’s DNS, poison it, and take the network identity of other services.
Related resources
ClusterRole, ClusterRoleBinding, Role, RoleBinding
What does this control test
Check who has update/patch RBAC permissions on ‘coredns’ configmaps, or to all configmaps.
Remediation
You should follow the least privilege principle. Monitor and approve all the subjects allowed to modify the 'coredns' configmap. It is also recommended to remove this permission from the users/service accounts used in the daily operations.
Example
No example
Updated 3 months ago