Threat Model

An attacker who has access to the Webhook endpoint, at the network level, could send large quantities of traffic, causing an effective denial of service to the admission controller.

Webhook fails closed. if the webhook doesn’t respond in time, for any reason, the API server should reject the request. This is Kubewarden’s default behavior.

Failing closed means that if, for any reason, Kubewarden stops responding or crashes, the API server rejects the request by default. This is even if the request would normally be accepted by Kubewarden.

An attacker, who can access the admission controller at a network level, passes requests to the admission controller requiring complex processing and causing timeouts as the admission controller uses compute power to process the workloads.

Webhook fails closed and authenticate callers. This is Kubewarden’s default behavior.

An attacker, who has rights to create workloads in the cluster, is able to exploit a mis-configuration to bypass the intended security control.

Regular reviews of webhook configuration can help catch issues.

An attacker who has Kubernetes API access, has sufficient privileges to delete the webhook object in the cluster.

RBAC rights should be strictly controlled.

Most of RBAC isn’t within the scope of the current discussion. However, the following will be provided in due course for helping Kubewarden users:

An attacker gains access to valid client credentials for the admission controller webhook.

Webhook fails closed. This is Kubewarden’s default behavior.

An attacker gains access to a cluster-admin level credential in the Kubernetes cluster.

N/A

An attacker who has access to the container network is able to sniff traffic between the API server and the admission controller webhook.

Since the webhook uses TLS encryption for all traffic, Kubewarden is safe.

An attacker on the container network, who has access to the NET_RAW capability can try to use MITM tooling to intercept traffic between the API server and admission controller webhook.

Webhook mTLS authentication should be used. You should also use capabilities-psp and configure it to drop NET_RAW capabilities.

Implement mutual TLS authentication. Additionally, it would be possible to add a policy within the recommended policies section in the kubewarden-defaults which drops the NET_RAW capability.

An attacker is able to redirect traffic from the API server which is intended for the admission controller webhook by spoofing.

Webhook mTLS authentication is used.

Kubewarden should implement mutual TLS authentication

An attacker is able to cause a mutating admission controller to modify a workload, such that it allows for privileged container creation.

All rules should be reviewed and tested.

An attacker is able to deploy workloads to Kubernetes namespaces that are exempt from the admission controller configuration.

RBAC rights are strictly controlled

Most of the RBAC is out of scope with respect to this decision. However, the Kubewarden team aims to:

An attacker created a workload manifest which uses a feature of the Kubernetes API which is not covered by the admission controller

All rules should be reviewed and tested. You should review PRs changing any rules in policies deployment.

An attacker, who has rights to create workloads, bypasses a rule by exploiting bad string matching.

All rules should be reviewed and tested.

Introduce tests to cover this rule. As always, you should review PRs changing the rules in the policies deployment.

An attacker, with rights to create workloads, uses new features of the Kubernetes API (for example, a changed API version) to bypass a rule.

All rules should be reviewed and tested. There is a policy that tests for the use of deprecated resources. It’s available from the deprecated-api-versions-policy.

An attacker, who has rights to deploy privileged containers to the cluster, creates a privileged container on the cluster node where the admission controller webhook operates.

Admission controller uses restrictive policies to prevent privileged workloads.

An attacker, who has rights to deploy hostPath volumes with workloads, creates a volume that allows for access to the admission controller pod’s files.

Admission controller uses restrictive policies to prevent privileged workloads

Add a recommended policy in the kubewarden-default Helm chart to prevent this.

An attacker is able to log into cluster nodes as a privileged user via SSH.

N/A

An attacker is able to configure a policy that listens to admission requests and sends sensitive data to an external system.

Strictly control external access for webhook Kubewarden policies run in a restrictive environment. They don’t have network access.

Assuming a trusted but new Kubernetes cluster, an attacker is able to compromise the Kubewarden stack before any of the policies securing it are deployed and enforced.

For example, by: