SECRET PROTECTION IN KUBERNETES PODS BASED ON KUBEARMOR TOOL
Kubernetes is a leading orchestrator for container-based applications that addresses challenges in managing containerized applications. Referring to threat models from NCC and CNCF, compromised containers are one of the threat actors that can occur within Kubernetes. There have been incidents res...
Saved in:
Main Author: | |
---|---|
Format: | Final Project |
Language: | Indonesia |
Online Access: | https://digilib.itb.ac.id/gdl/view/74123 |
Institution: | Institut Teknologi Bandung |
Language: | Indonesia |
id |
id-itb.:74123 |
---|---|
spelling |
id-itb.:74123; record date 2023-06-26T13:20:23Z; keywords: Kubernetes, container security, secrets, KubeArmor, controller, access control, automation |
institution |
Institut Teknologi Bandung |
building |
Institut Teknologi Bandung Library |
continent |
Asia |
country |
Indonesia |
content_provider |
Institut Teknologi Bandung |
collection |
Digital ITB |
language |
Indonesia |
description |
Kubernetes is a leading orchestrator for container-based applications that addresses challenges in managing containerized applications. Referring to threat models from NCC and CNCF, compromised containers are one of the threat actors that can occur within Kubernetes. There have been incidents resulting in the emergence of such threat actors, such as the Spring4Shell incident and misconfigured Kubernetes console in Tesla. By default, there is no access control for secrets, allowing attackers easy access to these secrets when containers are compromised. From a user perspective, access controls can be implemented to secure these secrets using Kubernetes' built-in feature called SecurityContext. However, the manual work required for implementing access controls makes it challenging.

To address these issues, a proposed solution involving the use of KubeArmor tool, Kubernetes controller, and init containers is introduced to restrict access to secrets within containers, reduce the scope of secret access, and automate manual user tasks. Based on test results, the proposed solution successfully secures and reduces the scope of access to mounted files and secret environment variables, while mitigating the impact of exposed secrets due to container compromise. Additionally, this solution is user-friendly as users only need to add labels to the Pod manifest. |
format |
Final Project |
author |
Surya Mahardika, Kadek |
title |
SECRET PROTECTION IN KUBERNETES PODS BASED ON KUBEARMOR TOOL |
url |
https://digilib.itb.ac.id/gdl/view/74123 |