In this blog post, the focus is on the lateral movement risks from the cloud to Kubernetes clusters, and the attack vectors an adversary can use to exploit them.
Adversaries can exploit IAM cloud keys, kubeconfig files, and container registry images to move laterally from cloud environments into managed Kubernetes clusters. The attack vectors differ between the major CSPs, depending on their default cluster configurations and on how cloud identities (IAM/AAD) are mapped to cluster access.
To mitigate the risks, organizations should consider implementing the following best practices:
- Avoid storing long-term cloud keys in workloads; instead, use IAM roles, service accounts, or managed identities scoped to the minimum required permissions.
- Remove kubeconfig files from publicly exposed cloud workloads. A kubeconfig that embeds a static token or client certificate is reusable by anyone who can read it, whereas exec-based authentication only yields a short-lived token from the workload's cloud identity. Also consider making the K8s API server endpoint private and restricting security-group access to specific IP addresses.
- Restrict access to container registries by defining a strict resource-based policy for each repository, enabling the "Tag immutability" flag (so an attacker cannot silently replace the image behind an existing tag), limiting network access with firewall rules or a private endpoint connection, and never granting access to the allUsers and allAuthenticatedUsers principals.
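As a worked illustration of the three checks above, here is a small audit script that flags long-term cloud keys in a workload's environment, kubeconfig users that carry static credentials, registry IAM bindings to allUsers/allAuthenticatedUsers, and ECR repositories without tag immutability. This is an added example, not code from the original post; it assumes the AWS convention that long-term access key IDs start with AKIA and temporary STS ones with ASIA, the standard kubeconfig user fields, the `bindings`/`members` shape of a GCP IAM policy, and the `imageTagMutability` field of `aws ecr describe-repositories` output. All inputs are constructed inline.

```python
"""Audit a cloud workload against the three mitigations above.
Added example (not from the original post); every input is constructed."""
import re

# Long-term IAM user key IDs start with AKIA; temporary STS credentials
# (roles, instance profiles, IRSA / pod identities) start with ASIA.
LONG_TERM_AWS_KEY_ID = re.compile(r"\bAKIA[0-9A-Z]{16}\b")
# kubeconfig user fields that hold reusable, static credentials.
STATIC_USER_FIELDS = ("token", "client-certificate-data", "client-key-data", "password")
# Principals that expose a registry to the Internet / every Google account.
BROAD_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}


def find_long_term_keys(env):
    """Return env var names that carry long-term AWS credentials."""
    flagged = {n for n, v in env.items() if LONG_TERM_AWS_KEY_ID.search(v)}
    # A secret key without a session token is not an STS credential.
    if env.get("AWS_SECRET_ACCESS_KEY") and not env.get("AWS_SESSION_TOKEN"):
        flagged.add("AWS_SECRET_ACCESS_KEY")
    return sorted(flagged)


def kubeconfig_static_users(kubeconfig):
    """Return user names whose entry embeds static credentials. Users with an
    exec plugin (aws eks get-token, gke-gcloud-auth-plugin, kubelogin) mint a
    short-lived token from the cloud identity, so the file alone grants nothing."""
    flagged = []
    for entry in kubeconfig.get("users", []):
        user = entry.get("user", {})
        if "exec" in user:
            continue
        if any(field in user for field in STATIC_USER_FIELDS):
            flagged.append(entry["name"])
    return flagged


def broad_registry_bindings(policy):
    """Return (role, member) pairs in a GCP IAM policy bound to allUsers /
    allAuthenticatedUsers, e.g. on an Artifact Registry repository."""
    return [(b["role"], m) for b in policy.get("bindings", [])
            for m in b.get("members", []) if m in BROAD_PRINCIPALS]


def mutable_tag_repositories(repositories):
    """Return ECR repository names whose tags can be overwritten
    ('repositories' list from `aws ecr describe-repositories`)."""
    return [r["repositoryName"] for r in repositories
            if r.get("imageTagMutability") != "IMMUTABLE"]


def audit(env, kubeconfig, registry_policy, repositories):
    """Run every check and return only the non-empty findings."""
    findings = {
        "long_term_cloud_keys": find_long_term_keys(env),
        "kubeconfig_static_users": kubeconfig_static_users(kubeconfig),
        "registry_broad_principals": broad_registry_bindings(registry_policy),
        "registry_mutable_tags": mutable_tag_repositories(repositories),
    }
    return {k: v for k, v in findings.items() if v}


# --- constructed sample inputs ---------------------------------------------
SAMPLE_ENV = {  # long-term IAM user key baked into a workload (bad)
    "AWS_ACCESS_KEY_ID": "AKIAIOSFODNN7EXAMPLE",  # AWS docs example key ID
    "AWS_SECRET_ACCESS_KEY": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
    "KUBECONFIG": "/root/.kube/config",
}
SAMPLE_ENV_IRSA = {  # temporary STS credentials from a pod identity (good)
    "AWS_ACCESS_KEY_ID": "ASIAIOSFODNN7EXAMPLE",
    "AWS_SECRET_ACCESS_KEY": "constructed-temporary-secret",
    "AWS_SESSION_TOKEN": "constructed-session-token",
}
# kubeconfig in JSON form (kubectl accepts JSON as well as YAML), no PyYAML needed.
SAMPLE_KUBECONFIG = {
    "apiVersion": "v1", "kind": "Config",
    "clusters": [{"name": "prod-eks", "cluster": {
        "server": "https://EXAMPLE.gr7.us-east-1.eks.amazonaws.com"}}],
    "users": [
        {"name": "eks-role", "user": {"exec": {
            "apiVersion": "client.authentication.k8s.io/v1beta1", "command": "aws",
            "args": ["eks", "get-token", "--cluster-name", "prod-eks"]}}},
        {"name": "legacy-admin", "user": {"token": "constructed-static-bearer-token"}},
    ],
}
SAMPLE_REGISTRY_POLICY = {"bindings": [
    {"role": "roles/artifactregistry.reader",
     "members": ["allUsers", "serviceAccount:ci@example-project.iam.gserviceaccount.com"]},
    {"role": "roles/artifactregistry.writer",
     "members": ["serviceAccount:ci@example-project.iam.gserviceaccount.com"]},
]}
SAMPLE_REPOSITORIES = [
    {"repositoryName": "payments-api", "imageTagMutability": "MUTABLE"},
    {"repositoryName": "auth-service", "imageTagMutability": "IMMUTABLE"},
]

if __name__ == "__main__":
    for name, finding in audit(SAMPLE_ENV, SAMPLE_KUBECONFIG,
                               SAMPLE_REGISTRY_POLICY, SAMPLE_REPOSITORIES).items():
        print(f"{name}: {finding}")
```

On a real host you would feed `os.environ`, the parsed `~/.kube/config`, the output of `gcloud artifacts repositories get-iam-policy --format=json`, and `aws ecr describe-repositories` into `audit()`; the key-ID prefix check is deliberately narrow (AWS only), so treat an empty result as "nothing obvious found" rather than a clean bill of health.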