By Wei Fu, R&D director, and Steve Hoenisch, writer, Cloud-Native Apps BU
An unsecured Kubernetes Dashboard on the Internet is an open invitation for hackers to hijack your cloud compute resources to mine cryptocurrency.
According to RedLock, Tesla is one of the latest victims of cryptojacking. Attackers used Tesla’s Kubernetes Dashboard, which was not password protected, to find credentials in a Kubernetes pod for AWS, and then quietly hijacked compute resources, keeping resource utilization low to avoid detection.
Unfortunately, unsecured Kubernetes Dashboards are common, and they can give attackers the keys to your cloud resources and your data, which they can hijack while hiding on the Internet behind proxy servers and other methods that mask their whereabouts. In a review of 21,000 cloud environments, Lacework found more than 22,000 open container administration dashboards on the Internet.
For Kubernetes in particular, Lacework discovered that many dashboards on the Internet had no authentication, exposed brute-force attack vectors, and openly disclosed information that could aid an attacker, such as internal DNS names and IP addresses.
Preventing Dashboard Infiltration
How can you protect your cloud-based Kubernetes system from hijackers? Here are some suggestions:
- Secure access to the dashboard with authentication.
- Implement role-based access control and limit permissions by using the principle of least privilege.
- Require the use of HTTPS and SSL/TLS for all connections to the dashboard.
- Control access to the Kubernetes API.
- Monitor cluster and network utilization.
- Monitor for suspicious activity and analyze failed login and RBAC events.
- Keep your system patched and use recent versions of Kubernetes, which have stronger security than older versions.
- Monitor configurations, such as dashboard access, for risks and vulnerabilities.
- Routinely test for vulnerabilities and attack vectors by using standard tools.
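Several of the suggestions above (authentication on the dashboard, least-privilege RBAC, HTTPS, and monitoring configurations for risk) can be checked mechanically against the manifests that deploy the dashboard. The following is an added example, not code from the original post or from VMware: a small Python audit that walks objects in the shape of the upstream Kubernetes Dashboard manifests (Deployment, Service, ClusterRoleBinding) and flags the weak settings. It assumes the upstream Dashboard's `--enable-skip-login` and `--enable-insecure-login` flags and its `kubernetes-dashboard` service account name; the manifests themselves are constructed for this example.

```python
"""Added example: audit Kubernetes Dashboard manifests for weak settings."""

# Service account the upstream Dashboard runs as (assumption: upstream naming).
DASHBOARD_SA = "kubernetes-dashboard"
# Service types that publish the UI to the node network or the Internet.
EXTERNAL_SERVICE_TYPES = {"NodePort", "LoadBalancer"}


def _container_args(manifest):
    """Yield (container name, args) for every container in a Deployment manifest."""
    pod = manifest.get("spec", {}).get("template", {}).get("spec", {})
    for container in pod.get("containers", []):
        yield container.get("name", "?"), container.get("args", [])


def audit_dashboard(manifests):
    """Return a list of findings; an empty list means none of the checked weaknesses is present."""
    findings = []
    for m in manifests:
        kind = m.get("kind")
        name = m.get("metadata", {}).get("name", "?")
        if kind == "Deployment":
            for cname, args in _container_args(m):
                # Skip-login lets any browser use the dashboard without a token.
                if "--enable-skip-login" in args:
                    findings.append(f"Deployment/{name} container {cname}: --enable-skip-login allows unauthenticated use")
                # Insecure login accepts credentials over plain HTTP.
                if "--enable-insecure-login" in args:
                    findings.append(f"Deployment/{name} container {cname}: --enable-insecure-login permits login over plain HTTP")
        elif kind == "Service":
            svc_type = m.get("spec", {}).get("type", "ClusterIP")
            if svc_type in EXTERNAL_SERVICE_TYPES:
                findings.append(f"Service/{name}: type {svc_type} exposes the dashboard outside the cluster")
        elif kind == "ClusterRoleBinding":
            role = m.get("roleRef", {}).get("name")
            binds_dashboard_sa = any(
                s.get("kind") == "ServiceAccount" and s.get("name") == DASHBOARD_SA
                for s in m.get("subjects", []))
            # A cluster-admin dashboard service account turns a UI compromise into full cluster control.
            if role == "cluster-admin" and binds_dashboard_sa:
                findings.append(f"ClusterRoleBinding/{name}: dashboard service account is bound to cluster-admin")
    return findings


def _dashboard_objects(args, svc_type, bound_role):
    """Build constructed manifests in the shape of the upstream Dashboard objects."""
    ns = "kubernetes-dashboard"
    return [
        {"kind": "Deployment", "metadata": {"name": "kubernetes-dashboard", "namespace": ns},
         "spec": {"template": {"spec": {"containers": [
             {"name": "kubernetes-dashboard", "args": args}]}}}},
        {"kind": "Service", "metadata": {"name": "kubernetes-dashboard", "namespace": ns},
         "spec": {"type": svc_type, "ports": [{"port": 443}]}},
        {"kind": "ClusterRoleBinding", "metadata": {"name": "kubernetes-dashboard"},
         "roleRef": {"kind": "ClusterRole", "name": bound_role},
         "subjects": [{"kind": "ServiceAccount", "name": DASHBOARD_SA, "namespace": ns}]},
    ]


# Constructed sample inputs: an exposed deployment and a hardened one.
RISKY_MANIFESTS = _dashboard_objects(
    ["--namespace=kubernetes-dashboard", "--enable-skip-login", "--enable-insecure-login"],
    "LoadBalancer", "cluster-admin")
HARDENED_MANIFESTS = _dashboard_objects(
    ["--namespace=kubernetes-dashboard", "--auto-generate-certificates"],
    "ClusterIP", "kubernetes-dashboard")

if __name__ == "__main__":
    for label, manifests in (("risky", RISKY_MANIFESTS), ("hardened", HARDENED_MANIFESTS)):
        print(f"{label}: {len(audit_dashboard(manifests))} finding(s)")
        for f in audit_dashboard(manifests):
            print("  -", f)
```

In practice you would feed `audit_dashboard` the objects returned by `kubectl get deploy,svc,clusterrolebinding -o json` for the dashboard namespace, and run it as part of the routine configuration monitoring the list recommends.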
A Kubernetes service that secures the dashboard and other components from the moment you begin using the service can protect against infiltration and compute hijacking.
VMware Kubernetes Engine: Locked Down by Default
VMware Kubernetes Engine, a VMware Cloud Service that runs on AWS, locks down the Kubernetes Dashboard by default. As part of fully managing Kubernetes for you, VKE is set up to be highly secure from the get-go. To gain access to the Kubernetes Dashboard, you must authenticate with your VMware Cloud Services credentials and connect over HTTPS. Any attempt to access the Kubernetes Dashboard in VKE routes you to the VMware Cloud Services login screen, where you must enter your credentials:
Similarly, Pivotal Container Service (PKS) secures access to the Kubernetes Dashboard by requiring authentication. Users need the kubectl credentials in order to access Dashboard. This requirement prevents unauthorized access to the Kubernetes cluster through a browser.
OIDC Authentication and Kubernetes Role-Based Access Control
With VKE, the Kubernetes Dashboard is configured to use an OIDC token for authentication. VKE implements a proxy that runs as a Kubernetes pod on the master node in front of the dashboard. The proxy is responsible for authenticating with the OIDC identity provider, which is VMware Cloud Services, and passing an OIDC token in the request header to the dashboard.
In addition, role-based access control constrains what a user can see and do in the dashboard. The authorization takes place by using the native RBAC in Kubernetes. What the user sees in the dashboard depends on the user’s role and authorization:
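To make the two steps in this and the preceding paragraph concrete, here is an added example that is not VKE's code and not part of the original post: a proxy-side function validates an OIDC-style ID token (signature, issuer, audience, expiry) before forwarding it as a bearer header, and an RBAC lookup computes which namespaces the authenticated subject can see, so the dashboard view depends on the user's bindings. It assumes a hypothetical issuer `https://idp.example.test` and an audience of `kubernetes-dashboard`, and it simplifies signing to HS256 with a constructed shared secret where a real provider would sign with RS256 and publish its keys; the RoleBindings are constructed as well.

```python
"""Added example: authenticate an OIDC-style token in a dashboard proxy, then apply RBAC."""
import base64
import hashlib
import hmac
import json
import time

# Constructed shared secret (a real OIDC provider uses RS256 with published keys).
SECRET = b"constructed-demo-secret"
ISSUER = "https://idp.example.test"   # hypothetical identity provider
AUDIENCE = "kubernetes-dashboard"      # client_id the proxy was registered with


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims):
    """Stand-in for the identity provider: sign a claim set as a compact JWT."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_token(token, now=None):
    """Return the claims if signature, issuer, audience and expiry check out; else raise ValueError."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm; never let the token choose it (blocks alg=none style tricks).
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    if claims.get("aud") != AUDIENCE:
        raise ValueError("wrong audience")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    return claims


# Constructed RoleBindings in the shape Kubernetes uses: namespace, role, subjects.
ROLE_BINDINGS = [
    {"namespace": "team-a", "role": "view",
     "subjects": [{"kind": "User", "name": "alice@example.test"}]},
    {"namespace": "team-b", "role": "edit",
     "subjects": [{"kind": "Group", "name": "team-b-devs"}]},
]


def visible_namespaces(claims):
    """Map the token's identity (email + groups) to the namespaces and roles RBAC grants."""
    user = claims.get("email")
    groups = set(claims.get("groups", []))
    allowed = {}
    for rb in ROLE_BINDINGS:
        for subject in rb["subjects"]:
            if (subject["kind"] == "User" and subject["name"] == user) or \
               (subject["kind"] == "Group" and subject["name"] in groups):
                allowed[rb["namespace"]] = rb["role"]
    return allowed


def handle_dashboard_request(token, now=None):
    """Proxy step: reject bad tokens with 401, otherwise forward with a bearer header."""
    try:
        claims = verify_token(token, now)
    except ValueError as err:
        return {"status": 401, "reason": str(err)}
    return {"status": 200, "user": claims.get("email"),
            "namespaces": visible_namespaces(claims),
            "forward_header": {"Authorization": f"Bearer {token}"}}


if __name__ == "__main__":
    tok = mint_token({"iss": ISSUER, "aud": AUDIENCE, "exp": time.time() + 300,
                      "email": "alice@example.test", "groups": ["team-b-devs"]})
    print(handle_dashboard_request(tok))
```

The order matters: the proxy authenticates first and only then consults RBAC, so an unauthenticated request never reaches the authorization step or the dashboard itself, which is the behaviour the paragraph above describes for VKE.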
In VKE, the Kubernetes Dashboard and other components undergo regular patching as well as penetration testing to make sure they are secure and stay that way. The penetration testing uses a variety of tools and techniques, such as kube-bench, which validates whether Kubernetes is deployed securely by running the checks documented in the CIS Kubernetes Benchmark.
Put a Lid on It: Security for Containers at VMworld
To find out more about how VKE secures Kubernetes and containers, join us and our colleague Nolan Karpinski at VMworld US for our presentation, Put a Lid on It: Securing Containers on vSphere and AWS [CNA1656BU]. VMworld US takes place Aug. 26-30, 2018, in Las Vegas.