C-0037 - CoreDNS poisoning

Framework

MITRE

Severity

Medium

Description of the the issue

CoreDNS is a modular Domain Name System (DNS) server written in Go, hosted by Cloud Native Computing Foundation (CNCF). CoreDNS is the main DNS service that is being used in Kubernetes. The configuration of CoreDNS can be modified by a file named corefile. In Kubernetes, this file is stored in a ConfigMap object, located at the kube-system namespace. If attackers have permissions to modify the ConfigMap, for example by using the container’s service account, they can change the behavior of the cluster’s DNS, poison it, and take the network identity of other services.

Related resources

ClusterRole, ClusterRoleBinding, Role, RoleBinding

What does this control test

Check who has update/patch RBAC permissions on ‘coredns’ configmaps, or to all configmaps.

Remediation

You should follow the least privilege principle. Monitor and approve all the subjects allowed to modify the 'coredns' configmap. It is also recommended to remove this permission from the users/service accounts used in the daily operations.

Example

No example