Kubernetes
Version: 1.0
Authors: David Cervigni
Executive Summary
This section contains an executive summary of the identified threats and their mitigation status.
There are 10 unmitigated threats without proposed operational controls.
Threat ID | CVSS | Always valid? |
---|---|---|
Kubernetes.UNAUTHORIZED_API_ACCESS | 9.8 (Critical) | Yes |
Kubernetes.SUPPLY_CHAIN_COMPROMISE | 9.1 (Critical) | Yes |
Kubernetes.NODE_ESCALATION | 8.2 (High) | Yes |
Kubernetes.RUNTIME_COMPROMISE | 7.8 (High) | Yes |
Kubernetes.DATA_LEAKAGE | 7.5 (High) | Yes |
Secrets.SECRETS_IN_TRANSIT | 7.5 (High) | Yes |
Secrets.UNAUTHORIZED_SECRET_ACCESS | 6.5 (Medium) | Yes |
Secrets.SECRET_INJECTION | 6.5 (Medium) | Yes |
Secrets.EXCESSIVE_SECRET_ACCESS | 4.9 (Medium) | Yes |
Secrets.NODE_STORAGE_EXPOSURE | 4.1 (Medium) | Yes |
Threats Summary
This section contains an executive summary of the threats and their mitigation status.
There are a total of 10 identified threats, of which 10 are not fully mitigated by default, and 10 are unmitigated without proposed operational controls.
Threat ID | CVSS | Valid when (condition) | Fully mitigated | Has Operational countermeasures |
---|---|---|---|---|
Kubernetes.UNAUTHORIZED_API_ACCESS | 9.8 (Critical) | Always valid | ❌ | No |
Kubernetes.SUPPLY_CHAIN_COMPROMISE | 9.1 (Critical) | Always valid | ❌ | No |
Kubernetes.NODE_ESCALATION | 8.2 (High) | Always valid | ❌ | No |
Kubernetes.RUNTIME_COMPROMISE | 7.8 (High) | Always valid | ❌ | No |
Kubernetes.DATA_LEAKAGE | 7.5 (High) | Always valid | ❌ | No |
Secrets.SECRETS_IN_TRANSIT | 7.5 (High) | Always valid | ❌ | No |
Secrets.UNAUTHORIZED_SECRET_ACCESS | 6.5 (Medium) | Always valid | ❌ | No |
Secrets.SECRET_INJECTION | 6.5 (Medium) | Always valid | ❌ | No |
Secrets.EXCESSIVE_SECRET_ACCESS | 4.9 (Medium) | Always valid | ❌ | No |
Secrets.NODE_STORAGE_EXPOSURE | 4.1 (Medium) | Always valid | ❌ | No |
Kubernetes - scope of analysis
Overview
NOTE: this is an example of a threat model created by training an LLM.
This document outlines potential threats to Kubernetes, including its core components, workloads, and supporting infrastructure. It addresses threats to the API server, worker nodes, and the control plane, providing mitigations to secure the cluster.
Kubernetes security objectives
Access Control:
Workload Isolation:
Data Security:
Runtime Protection:
Supply Chain Protection:
Diagram:
Details:
API Server Security (API_SERVER_SECURITY)
Ensure the Kubernetes API server is secure, preventing unauthorized access and ensuring proper authentication and authorization.
Priority: High
Attack tree:
Data Confidentiality (DATA_CONFIDENTIALITY)
Ensure that sensitive data, such as secrets and configuration files, is protected in transit and at rest.
Priority: High
Attack tree:
Node Isolation (NODE_ISOLATION)
Maintain isolation between workloads running on the same or different nodes, ensuring one compromised workload cannot affect others.
Priority: High
Attack tree:
Runtime Security (RUNTIME_SECURITY)
Protect the runtime environment to prevent unauthorized actions or access by compromised containers.
Priority: High
Attack tree:
Supply Chain Security (SUPPLY_CHAIN_SECURITY)
Ensure that the Kubernetes environment and its components are free from malicious or compromised images, configurations, or code.
Priority: High
Attack tree:
Linked threat Models
- Secrets (ID: Kubernetes.Secrets)
Kubernetes Threat Actors
The terms actors, agents, users and attackers may be used synonymously.
Unauthenticated or unauthorized users attempting t[...] (EXTERNAL_ACTORS)
- Description:
  - Unauthenticated or unauthorized users attempting to exploit exposed APIs or services.
- In Scope as threat actor:
  - Yes
A compromised container or workload attempting to [...] (MALICIOUS_WORKLOAD)
- Description:
  - A compromised container or workload attempting to exploit cluster resources or affect other workloads.
- In Scope as threat actor:
  - Yes
Attackers introducing vulnerabilities or malicious[...] (SUPPLY_CHAIN_ATTACKERS)
- Description:
  - Attackers introducing vulnerabilities or malicious code into container images, Helm charts, or infrastructure configurations.
- In Scope as threat actor:
  - Yes
Assumptions
- PUBLIC_CLUSTER_ACCESS
  - Kubernetes clusters may be exposed to public networks, increasing the risk of external attacks.
- COMPROMISED_WORKLOAD
  - A single workload may become compromised due to application-level vulnerabilities or malicious actors.
Kubernetes Attack tree
Kubernetes Threats
Note: This section contains the threats and mitigations identified during the analysis phase.
Unauthorized API Access (UNAUTHORIZED_API_ACCESS)
- Threat actors:
- Threat Description
  - Attackers exploit weak authentication mechanisms, API server misconfigurations, or exposed endpoints to access the Kubernetes API server.
- Impact
  - Unauthorized users gain access to the Kubernetes API server, enabling them to perform privileged operations on the cluster.
API_SERVER_SECURITY
- CVSS
  - Base score: 9.8 (Critical)
  - Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Counter-measures for UNAUTHORIZED_API_ACCESS
- Use Role-Based Access Control (RBAC) to limit access to Kubernetes resources based on user roles.
- Countermeasure in place? ✔ Public and disclosable? ✔
RBAC_ENFORCEMENT
Enforce RBAC Policies
Node-Level Escalation (NODE_ESCALATION)
- Threat actors:
- Threat Description
  - Attackers exploit container runtime vulnerabilities or misconfigured pod security policies to escape container boundaries.
- Impact
  - A compromised workload escapes its container and gains access to the underlying node, potentially affecting other workloads.
NODE_ISOLATION
- CVSS
  - Environmental score: 8.2 (High)
  - Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
Counter-measures for NODE_ESCALATION
- Use Pod Security Policies (PSPs) or Pod Security Admission (PSA) to restrict workload capabilities and enforce best practices.
- Countermeasure in place? ✔ Public and disclosable? ✔
POD_SECURITY_POLICIES
Apply Pod Security Policies
Sensitive Data Leakage (DATA_LEAKAGE)
- Threat actors:
- Threat Description
  - Attackers gain access to improperly secured secrets or intercept data in transit due to missing encryption.
- Impact
  - Exposure of sensitive information such as Kubernetes secrets, configuration files, or environment variables.
DATA_CONFIDENTIALITY
- CVSS
  - Base score: 7.5 (High)
  - Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Counter-measures for DATA_LEAKAGE
- Enable encryption at rest for Kubernetes secrets and enforce HTTPS for communication between cluster components.
- Countermeasure in place? ✔ Public and disclosable? ✔
ENCRYPT_SECRETS
Encrypt Secrets and Data
Compromise of Runtime Environment (RUNTIME_COMPROMISE)
- Threat actors:
- Threat Description
  - Attackers exploit misconfigured containers, runtime vulnerabilities, or privileged container permissions.
- Impact
  - Attackers modify or tamper with running containers to execute unauthorized actions or escalate privileges.
RUNTIME_SECURITY
- CVSS
  - Base score: 7.8 (High)
  - Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Counter-measures for RUNTIME_COMPROMISE
- Use runtime security tools to detect and block unauthorized actions within running containers.
- Countermeasure in place? ❌ Public and disclosable? ✔
RUNTIME_MONITORING
Monitor Runtime Behavior
Supply Chain Attack (SUPPLY_CHAIN_COMPROMISE)
- Threat actors:
- Threat Description
  - Attackers inject vulnerabilities or malicious code into container images, third-party Helm charts, or infrastructure-as-code templates.
- Impact
  - Malicious or vulnerable images, Helm charts, or configurations are introduced into the Kubernetes environment.
SUPPLY_CHAIN_SECURITY
- CVSS
  - Base score: 9.1 (Critical)
  - Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Counter-measures for SUPPLY_CHAIN_COMPROMISE
- Use automated tools to scan container images for vulnerabilities or malicious code before deployment.
- Countermeasure in place? ✔ Public and disclosable? ✔
IMAGE_SCANNING
Scan Container Images
Secrets
Version: 1.0
Authors: David Cervigni
Secrets - scope of analysis
Overview
NOTE: this is an example of a threat model created by training an LLM.
This document extends the Kubernetes security model to focus on threats specific to the handling, storage, and access of Kubernetes secrets. It includes detailed threats and mitigations to ensure the confidentiality, integrity, and secure management of secrets.
Secrets security objectives
Data Security:
System Integrity:
Access Management:
Monitoring and Audit:
Diagram:
Details:
Access Control for Secrets (ACCESS_CONTROL)
Restrict access to secrets based on the principle of least privilege.
Priority: High
Attack tree:
Secrets Auditability (AUDITABILITY)
Ensure all access to and modifications of secrets are auditable and logged for accountability.
Priority: High
Secrets Confidentiality (SECRET_CONFIDENTIALITY)
Ensure Kubernetes secrets are protected from unauthorized access both in transit and at rest.
Priority: High
Attack tree:
Secrets Integrity (SECRET_INTEGRITY)
Prevent unauthorized modification of Kubernetes secrets to maintain their integrity.
Priority: High
Attack tree:
Secrets Threat Actors
The terms actors, agents, users and attackers may be used synonymously.
Authorized users who attempt to misuse their acces[...] (MALICIOUS_USER)
- Description:
  - Authorized users who attempt to misuse their access to secrets for malicious purposes.
- In Scope as threat actor:
  - Yes
Unauthorized external entities attempting to acces[...] (EXTERNAL_ATTACKER)
- Description:
  - Unauthorized external entities attempting to access secrets through exposed APIs or workloads.
- In Scope as threat actor:
  - Yes
A compromised container or workload attempting to [...] (COMPROMISED_WORKLOAD)
- Description:
  - A compromised container or workload attempting to read or modify secrets it has access to.
- In Scope as threat actor:
  - Yes
Assumptions
- CLUSTER_EXPOSURE
  - The Kubernetes cluster may be exposed to external networks, increasing the risk of unauthorized access.
- NODE_COMPROMISE
  - Individual cluster nodes or workloads may be compromised by attackers, potentially exposing stored secrets.
Secrets Analysis
While encryption of secrets at rest provides a layer of defense, it is not a complete solution since an attacker who gains access to etcd or the API server can often retrieve secrets at runtime.
Secrets Attack tree
Secrets Threats
Note: This section contains the threats and mitigations identified during the analysis phase.
Unauthorized Access to Secrets (UNAUTHORIZED_SECRET_ACCESS)
- Threat actors:
- Threat Description
  - Attackers exploit overly permissive access controls or stolen credentials to access secrets.
- Impact
  - Exposure of sensitive information, such as credentials or API keys, stored as Kubernetes secrets.
SECRET_CONFIDENTIALITY
- CVSS
  - Base score: 6.5 (Medium)
  - Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Counter-measures for UNAUTHORIZED_SECRET_ACCESS
- Apply strict Role-Based Access Control (RBAC) policies to ensure only authorized entities can access specific secrets.
- Countermeasure in place? ✔ Public and disclosable? ✔
RBAC_FOR_SECRETS
Enforce RBAC for Secrets
Secret Injection or Tampering (SECRET_INJECTION)
- Threat actors:
- Threat Description
  - A malicious user or workload tampers with secrets through improperly secured API access.
- Impact
  - Modification of secrets to introduce malicious values, potentially compromising applications relying on them.
SECRET_INTEGRITY
- CVSS
  - Base score: 6.5 (Medium)
  - Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Counter-measures for SECRET_INJECTION
- Enable audit logs for all API interactions with secrets to detect and investigate unauthorized modifications.
- Countermeasure in place? ✔ Public and disclosable? ✔
AUDIT_SECRET_ACCESS
Audit Secret Access and Modifications
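One way to act on the audit log this countermeasure calls for, as an added example that is not part of the original threat model: it filters Kubernetes audit events (`audit.k8s.io/v1` JSON lines) for write operations on secrets by identities outside an allowlist. The allowlist, the account names and the sample events are constructed for illustration.

```python
import json

# Assumption: identities expected to write secrets (hypothetical name for this example).
ALLOWED_WRITERS = {"system:serviceaccount:ci:deployer"}
WRITE_VERBS = {"create", "update", "patch", "delete", "deletecollection"}


def make_event(stage, verb, user, ns, name, code=None):
    """Build one constructed audit.k8s.io/v1 Event line (sample data, not a real log)."""
    ev = {"kind": "Event", "apiVersion": "audit.k8s.io/v1", "level": "Metadata",
          "stage": stage, "verb": verb, "user": {"username": user},
          "objectRef": {"resource": "secrets", "namespace": ns, "name": name}}
    if code is not None:
        ev["responseStatus"] = {"code": code}
    return json.dumps(ev)


SAMPLE_LOG = "\n".join([
    make_event("ResponseComplete", "update", "system:serviceaccount:ci:deployer", "web", "db-credentials", 200),
    make_event("ResponseComplete", "get", "system:serviceaccount:web:frontend", "web", "db-credentials", 200),
    make_event("RequestReceived", "patch", "system:serviceaccount:web:frontend", "web", "db-credentials"),
    make_event("ResponseComplete", "patch", "system:serviceaccount:web:frontend", "web", "db-credentials", 200),
    make_event("ResponseComplete", "delete", "alice", "web", "tls-cert", 403),
    "not-json: truncated line",
])


def secret_write_findings(log_text, allowed=ALLOWED_WRITERS):
    """Return (user, verb, namespace/name, status) for secret writes by unexpected identities."""
    findings = []
    for line in log_text.splitlines():
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip blank or damaged lines instead of aborting the scan
        ref = ev.get("objectRef") or {}
        # Count each request once: only the final stage carries the response status.
        if ref.get("resource") != "secrets" or ev.get("stage") != "ResponseComplete":
            continue
        if ev.get("verb") not in WRITE_VERBS:
            continue
        user = (ev.get("user") or {}).get("username", "<unknown>")
        if user in allowed:
            continue
        code = (ev.get("responseStatus") or {}).get("code")
        target = f'{ref.get("namespace", "")}/{ref.get("name", "")}'
        findings.append((user, ev["verb"], target, code))
    return findings
```

The status code is kept in each finding so that a denied attempt (403) can be told apart from a modification that succeeded (200).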
Secrets Exposure on Compromised Nodes (NODE_STORAGE_EXPOSURE)
- Threat actors:
- Threat Description
  - Attackers extract secrets directly from node storage or memory, bypassing API server protections.
- Impact
  - Secrets stored on a compromised node are exposed, potentially leading to cluster-wide compromise.
SECRET_CONFIDENTIALITY
- CVSS
  - Base score: 4.1 (Medium)
  - Vector: CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N
Counter-measures for NODE_STORAGE_EXPOSURE
- Use Kubernetes encryption providers to ensure secrets stored on disk are encrypted with strong encryption standards. Note that encryption at rest does not mitigate runtime access vulnerabilities; additional runtime protections are needed.
- Countermeasure in place? ✔ Public and disclosable? ✔
ENCRYPT_SECRETS_AT_REST
Encrypt Secrets at Rest
Secrets Intercepted in Transit (SECRETS_IN_TRANSIT)
- Threat actors:
- Threat Description
  - Attackers intercept API server or etcd communication to extract secrets during transmission.
- Impact
  - Secrets transmitted over the network are intercepted, leading to potential exposure of sensitive data.
SECRET_CONFIDENTIALITY
- CVSS
  - Base score: 7.5 (High)
  - Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Counter-measures for SECRETS_IN_TRANSIT
- Enforce TLS encryption for all communications involving secrets, including API server and etcd interactions.
- Countermeasure in place? ✔ Public and disclosable? ✔
ENCRYPT_SECRETS_IN_TRANSIT
Encrypt Secrets in Transit
Excessive Permissions for Secrets (EXCESSIVE_SECRET_ACCESS)
- Threat actors:
- Threat Description
  - Attackers leverage misconfigured RBAC policies or service account bindings to access secrets beyond their intended scope.
- Impact
  - Unauthorized access or misuse of secrets due to overly broad permissions granted to workloads or users.
ACCESS_CONTROL
- CVSS
  - Base score: 4.9 (Medium)
  - Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Counter-measures for EXCESSIVE_SECRET_ACCESS
- Audit and enforce least privilege access to secrets, ensuring users and workloads have access only to what they require.
- Countermeasure in place? ❌ Public and disclosable? ✔
LEAST_PRIVILEGE_ACCESS
Enforce Least Privilege Access
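One way to carry out the least-privilege audit described above, as an added example that is not part of the original threat model: it scans Role and ClusterRole objects for rules that grant read access to secrets through wildcards or without naming specific secrets. The role names and sample objects are constructed, and the check covers role definitions only, not the bindings that attach them to subjects.

```python
# Constructed sample objects in the shape returned by
# `kubectl get roles,clusterroles -A -o json` (not taken from a real cluster).
SAMPLE_ROLES = [
    {"kind": "Role", "metadata": {"namespace": "web", "name": "db-secret-reader"},
     "rules": [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["get"],
                "resourceNames": ["db-credentials"]}]},
    {"kind": "Role", "metadata": {"namespace": "web", "name": "secret-lister"},
     "rules": [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "ops-admin"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"kind": "Role", "metadata": {"namespace": "web", "name": "pod-reader"},
     "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]}]},
]

READ_VERBS = {"get", "list", "watch", "*"}


def grants_secret_read(rule):
    """True if the rule lets its subjects read Secret objects in the core API group."""
    groups = rule.get("apiGroups", [])
    resources = rule.get("resources", [])
    in_core = "" in groups or "*" in groups
    on_secrets = "secrets" in resources or "*" in resources
    return in_core and on_secrets and bool(READ_VERBS & set(rule.get("verbs", [])))


def audit_secret_rbac(roles):
    """Return (role identifier, reason) for rules broader than named-secret reads."""
    findings = []
    for role in roles:
        meta = role["metadata"]
        ident = f'{role["kind"]}/{meta.get("namespace", "<cluster>")}/{meta["name"]}'
        for rule in role.get("rules") or []:
            if not grants_secret_read(rule):
                continue
            if "*" in rule.get("resources", []) or "*" in rule.get("verbs", []):
                findings.append((ident, "wildcard resources or verbs"))
            elif not rule.get("resourceNames"):
                findings.append((ident, "reads every secret in scope"))
            # Rules limited by resourceNames to specific secrets are accepted.
    return findings
```

Each finding names a role to review; whether a user or workload actually holds that access depends on the RoleBindings and ClusterRoleBindings that reference it.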
Requests For Information
Operational Security Hardening Guide
Seq | Countermeasure Details |
---|---|
Testing guide
This guide lists all testable attacks described in the threat model.
Seq | Attack to test | Pass/Fail/NA |
---|---|---|