Threat Model
The Kubernetes Security Special Interest Group (SIG) has defined an Admission Control Threat Model for Kubernetes. The Kubewarden team continuously evaluates Kubewarden against this threat model, and works to provide secure defaults. It’s recommended that Kubewarden administrators read and understand the threat model, and use it to devise their own circumstance specific threat model as needed.
Details about each threat is provided in the document published by SIG Security.
Kubernetes threats
Threat 1 - Attacker floods webhook with traffic preventing its operation
Scenario
An attacker who has access to the Webhook endpoint, at the network level, could send large quantities of traffic, causing an effective denial of service to the admission controller.
Mitigation
Webhook fails closed. if the webhook doesn’t respond in time, for any reason, the API server should reject the request. This is Kubewarden’s default behavior.
Failing closed means that if, for any reason, Kubewarden stops responding or crashes, the API server rejects the request by default. This is even if the request would normally be accepted by Kubewarden.
Threat 2 - Attacker passes workloads which require complex processing causing timeouts
Threat 3 - Attacker exploits mis-configuration of webhook to bypass
Threat 4 - Attacker has rights to delete or modify the Kubernetes webhook object
Threat 7 - Attacker sniffs traffic on the container network
Threat 8 - Attacker carries out a MITM attack on the webhook
Scenario
An attacker on the container network, who has access to the NET_RAW capability can try to use MITM tooling to intercept traffic between the API server and admission controller webhook.
Mitigation
Webhook mTLS authentication should be used. You should also use capabilities-psp and configure it to drop NET_RAW capabilities.
Threat 9 - Attacker steals traffic from the webhook via spoofing
Threat 10 - Abusing a mutation rule to create a privileged container
Threat 11 - Attacker deploys workloads to namespaces that are exempt from admission control
Threat 12 - Block rule can be bypassed due to missing match (for example, missing initcontainers)
Threat 13 - Attacker exploits bad string matching on a blocklist to bypass rules
Threat 14 - Attacker uses new/old features of the Kubernetes API which have no rules
Scenario
An attacker, with rights to create workloads, uses new features of the Kubernetes API (for example, a changed API version) to bypass a rule.
Mitigation
All rules should be reviewed and tested. There is a policy that tests for the use of deprecated resources. It’s available from the deprecated-api-versions-policy.
deprecated-api-versions-policy only deals with Custom Resources known to it. The threat is both deprecated resource versions, and new unknown ones that are misused, hence the policy only covers part
of the problem.
|
Threat 15 - Attacker deploys privileged container to node running Webhook controller
Threat 16 - Attacker mounts a privileged node hostpath allowing modification of Webhook controller configuration
Kubewarden threats
Kubewarden threat 1 - Bootstrapping of trust for admission controller
Scenario
Assuming a trusted but new Kubernetes cluster, an attacker is able to compromise the Kubewarden stack before any of the policies securing it are deployed and enforced.
For example, by:
-
using unsigned and malicious images for:
-
Kubewarden-controller
-
policy-server
-
any of the Kubewarden dependencies (cert-manager)
-
any optional dependencies (Grafana, Prometheus, and others)
-
-
by compromising the Helm charts payload
Mitigation
-
Kubewarden provides a Software Bill Of Materials, which lists all images needed. This aids with Zero-Trust. The Kubernetes Administrator must verify the Kubewarden images, its dependencies' images, and charts out of the Kubernetes cluster, in a trusted environment. This can be done with
cosign
, for example. Incidentally, this is part of the implementation needed for air-gapped installations. -
Use signed Helm charts, and verified digests instead of tags for Kubewarden images in those Helm charts. This doesn’t secure dependencies though.