Last year in June, the Unit 42 threat research team discovered multiple bugs in Google Kubernetes Engine (GKE). The vulnerabilities primarily impacted GKE Autopilot, the latest Google Cloud offering for managing Kubernetes clusters.
Earlier this week, Unit 42 researchers published details regarding these vulnerabilities and attack techniques to help organizations understand potential threats in securing Kubernetes and how they can be patched.
Kubernetes, also known as K8s, is an open-source system for automating the deployment, management, and scaling of containerized applications. The yearly survey conducted by the Cloud Native Computing Foundation highlighted that the majority of firms (83 percent) run Kubernetes in production.
The shift to the cloud benefited multiple organizations but also attracted threat actors. Researchers at Unit 42 discovered several pieces of malware designed to attack Kubernetes. Therefore, it is vital that organizations, cloud security vendors, and the cybersecurity industry continue to work together to address issues like vulnerabilities and misconfigurations in order to help secure work in the cloud.
The bugs in GKE Autopilot permitted malicious attackers with a restricted initial foothold to escalate privileges and gain access to an entire cluster. This allowed threat actors to covertly exfiltrate secrets, install malware and cryptominers, or disrupt workloads, while the victim remained unaware of the attacker's activity.
As the adoption of Kubernetes continues to rise, simple misconfigurations and flaws are becoming less common, forcing attackers to launch more sophisticated assaults. According to Unit 42, even a small bug in Kubernetes can amount to very impactful attacks. Only a comprehensive cloud-native security platform can empower defenders and protect clusters against similar threats.
How to mitigate the risks?
Following the discovery of vulnerabilities and attack techniques in Google Kubernetes Engine, Google automatically pushed patches across GKE to Autopilot clusters. No customer action is needed. Researchers encourage Kubernetes administrators to enable policy and audit engines that monitor for, detect and prevent suspicious activity and privilege escalation in their clusters.
Powerful pods are still common in production clusters and are usually installed by the underlying Kubernetes platform or introduced through popular open-source add-ons. Unit 42 researchers recommend using Taints, NodeAffinity, or PodAntiAffinity rules to separate powerful pods from untrusted or publicly exposed ones, ensuring they do not run on the same node.
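As an added illustration of the Taint, NodeAffinity and PodAntiAffinity separation recommended above (manifests written here as an example, not from Unit 42 or Google; the node labels, taint key, pod names and images are assumptions):

```yaml
# Added example, not from the Unit 42 article. Labels, taint key and images are assumptions.
# Taint and label the trusted nodes first (kubectl, run once per pool):
#   kubectl taint nodes -l pool=trusted powerful=true:NoSchedule
#   kubectl label nodes -l pool=trusted workload-tier=trusted
---
apiVersion: v1
kind: Pod
metadata:
  name: cluster-agent          # example of a "powerful" pod
  labels:
    tier: powerful
spec:
  tolerations:                 # allowed onto the tainted trusted nodes
  - key: powerful
    operator: Equal
    value: "true"
    effect: NoSchedule
  affinity:
    nodeAffinity:              # and required to land only on those nodes
      requiredDuringSchedulingIgnoredDuringExecution:
        nodeSelectorTerms:
        - matchExpressions:
          - key: workload-tier
            operator: In
            values: ["trusted"]
  containers:
  - name: agent
    image: example.com/cluster-agent:1.0   # placeholder image
---
apiVersion: v1
kind: Pod
metadata:
  name: public-web             # untrusted / publicly exposed pod, no toleration
  labels:
    tier: untrusted
spec:
  affinity:
    podAntiAffinity:           # never share a node with a tier=powerful pod
      requiredDuringSchedulingIgnoredDuringExecution:
      - labelSelector:
          matchExpressions:
          - key: tier
            operator: In
            values: ["powerful"]
        namespaceSelector: {}  # empty selector: match powerful pods in every namespace
        topologyKey: kubernetes.io/hostname
  containers:
  - name: web
    image: example.com/public-web:1.0      # placeholder image
```

The taint keeps untolerating pods off the trusted nodes, the nodeAffinity pins the powerful pod to them, and the podAntiAffinity is a second guard that refuses to co-locate the exposed pod with anything labelled powerful, whichever node it happens to run on.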