SECRET PROTECTION IN KUBERNETES PODS BASED ON KUBEARMOR TOOL
| Field | Value |
|---|---|
| Main Author | |
| Format | Final Project |
| Language | Indonesian |
| Online Access | https://digilib.itb.ac.id/gdl/view/74123 |
| Institution | Institut Teknologi Bandung |
Summary:

Kubernetes is a leading orchestrator for container-based applications that addresses the challenges of managing containerized applications. According to the threat models from NCC and CNCF, a compromised container is one of the threat actors that can arise within Kubernetes. Incidents such as Spring4Shell and the misconfigured Kubernetes console at Tesla have produced exactly this kind of threat actor. By default, there is no access control on secrets, so an attacker who compromises a container gains easy access to them. From the user's perspective, access controls that secure these secrets can be implemented with Kubernetes' built-in SecurityContext feature; however, the manual work required to implement those controls makes this approach laborious.

To address these issues, the proposed solution combines the KubeArmor tool, a Kubernetes controller, and init containers to restrict access to secrets within containers, reduce the scope of secret access, and automate the manual user tasks. Based on the test results, the proposed solution successfully secures and reduces the scope of access to mounted secret files and secret environment variables, and mitigates the impact of secrets exposed through container compromise. In addition, the solution is user-friendly: users only need to add labels to the Pod manifest.