Working with Kubernetes namespaces enables you to manage users spread across multiple teams and projects. Namespaces are essentially virtual clusters backed by the same physical single cluster. As Kubernetes clusters help in managing workloads and deployed objects, these numbers increase and can become unmanageable over time.
Kubernetes use is rising rapidly: 58% more respondents than last year - 78% of this years’ respondents - reported in the 2019 CNCF (Cloud Native Computing Foundation) survey that they use Kubernetes today. With numbers like those, it looks like everyone is headed towards the cloud.
Last month, the Microsoft Azure Security Center published a fully detailed Threat Matrix for Kubernetes. This article identifies attack vectors unique to a Kubernetes environment. This important contribution is derived from the more generalized MITRE ATT&CK® framework that offers a complex matrix of common attack vectors.
Process whitelisting is a simple concept. In the K8s context, the basic idea is to create a list for each pod of all the processes that the pod is expected to run. Every time a process runs in your cluster you check if it is in the list. If an attacker manages to gain access to your cluster and starts running a malicious process then you can identify it immediately because a new non-whitelisted process is running. It doesn’t matter whether that process is a known bitcoin miner, a custom RAT (Remote Access Tool), or even a legitimate process like ssh. If the new process isn’t in the whitelist and isn’t part of the pod’s regular behaviour then it should be flagged immediately.
