Risks
Protecting Important Directories in a Kubernetes Cluster
The Kubeconfig, Kubeletconfig, and Kubeadmconfig files contain crucial information about the Kubernetes cluster. Unauthorized access or modification of these configurations can severely impact the cluster's operation, potentially paralyzing it.
Key Directories Containing Critical Information
By default, the following directories and files contain important information about the cluster:
- /etc/kubernetes/
- /var/lib/kubelet/
- /etc/sysconfig/kubelet
- $HOME/.kube/config.yaml
Access to these paths should be tightly restricted, as they are only relevant to administrators for troubleshooting.
Consequences of Unauthorized Access or Modification
Cluster Paralysis:
Modifying configuration files can disrupt the entire Kubernetes control plane. Changes to Kubeadmconfig can affect cluster initialization, upgrades, and version compatibility.
Service Disruption:
Unauthorized modifications to Kubeletconfig can impact the operation of the Kubelet, which is responsible for managing the lifecycle of pods on nodes. This can lead to node failures and service disruptions.
Security Breaches:
Accessing Kubeconfig can provide unauthorized users with cluster admin credentials, leading to potential security breaches. This can result in unauthorized deployments, data theft, and loss of control over the cluster.
Configuration Leakage:
Exposure of these configuration files can reveal sensitive cluster information, including cluster endpoints, certificates, and API server details. This information can be exploited to perform targeted attacks.
Stricter Access Controls
To mitigate the risks associated with unauthorized access, it is crucial to enforce strict access controls:
Restrict Directory Access:
Ensure that only cluster administrators have read and write permissions to the following directories:
- chmod -R 700 /etc/kubernetes/
- chmod -R 700 /var/lib/kubelet/
- chmod -R 700 /etc/sysconfig/kubelet
- chmod 700 $HOME/.kube/config.yaml
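To verify the result of the chmod commands above, the following POSIX shell function reports anything under the listed paths that still grants group or other access. It is an added example, not part of the original page; the function name audit_k8s_paths and the --node switch are assumptions made for this example.

```sh
#!/bin/sh
# Added example (not from the original page): report entries under the
# Kubernetes configuration paths that are looser than mode 700.
# audit_k8s_paths and the --node switch are names made up for this example.

# audit_k8s_paths PATH...
# Prints an `ls -ld` line for every file or directory that grants any
# permission bit to group or other. Returns 0 if nothing was found, 1 otherwise.
audit_k8s_paths() {
  _akp_found=0
  for _akp_path in "$@"; do
    # /etc/sysconfig/kubelet, for example, is not present on every distribution.
    if [ ! -e "$_akp_path" ]; then
      echo "skip (not present): $_akp_path" >&2
      continue
    fi
    # Match any group/other r, w or x bit. Symbolic links report mode 777
    # on Linux regardless of their target, so they are excluded.
    _akp_out=$(find "$_akp_path" ! -type l \
      \( -perm -040 -o -perm -020 -o -perm -010 \
         -o -perm -004 -o -perm -002 -o -perm -001 \) \
      -exec ls -ld {} + 2>/dev/null)
    if [ -n "$_akp_out" ]; then
      printf '%s\n' "$_akp_out"
      _akp_found=1
    fi
  done
  [ "$_akp_found" -eq 0 ]
}

# Audit the paths listed on this page when called as: sh audit.sh --node
# Run as root so that every entry can be inspected.
if [ "${1:-}" = "--node" ]; then
  audit_k8s_paths /etc/kubernetes/ /var/lib/kubelet/ \
    /etc/sysconfig/kubelet "$HOME/.kube/config.yaml"
fi
```

A non-zero exit status means at least one entry is readable, writable or executable by someone other than its owner, so the script can be run from a scheduled job to catch permission drift.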
Limit systemctl Access:
The systemctl command can reveal configuration paths using systemctl cat kubelet. Limit access to systemctl so that only cluster administrators can execute it:
- chmod 700 /bin/systemctl
Restrict ConfigMap Access:
Configuration files are often mounted in pods via ConfigMaps in the kube-system namespace. Restrict access to these ConfigMaps:
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: kube-system
  name: configmap-reader
rules:
- apiGroups: [""]
  resources: ["configmaps"]
  verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  namespace: kube-system
  name: configmap-reader-binding
subjects:
- kind: User
  name: <admin-username>
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: configmap-reader
  apiGroup: rbac.authorization.k8s.io
Use Role-Based Access Control (RBAC):
Implement RBAC to manage access to resources based on user roles. Ensure that non-admin users have minimal permissions:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: view-only
rules:
- apiGroups: [""]
  resources: ["pods", "services"]
  verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: view-only-binding
subjects:
- kind: User
  name: <non-admin-username>
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: view-only
  apiGroup: rbac.authorization.k8s.io