Discover and read the best of Twitter Threads about #gke
Most recents (2)
Mounting a #Kubernetes service account to a pod with permissions to deploy other pods implies that if your app has RCE, a threat actor will be able to infect other Services in the cluster (yes, even if you use strict PSPs) #KubernetesSecurity #k8s #aks #gke #eks
#DevSecOps
🧵 👇
#DevSecOps
🧵 👇
Background:
▪︎ A Service in #k8s is an object that balances HTTP requests between pods belonging to that Service
▪︎ A Service identifies its pods through a set of labels (e.g. "fancy-app: prod", "db: users", etc)
▪︎ A Service in #k8s is an object that balances HTTP requests between pods belonging to that Service
▪︎ A Service identifies its pods through a set of labels (e.g. "fancy-app: prod", "db: users", etc)
▪︎ A pod with a label associated with a Service will become part of that Service automatically
Attack scenario:
1. A pod is mounting a service account with permissions to deploy other pods
2. A container in the pod is running a vulnerable app, providing RCE to an attacker
Attack scenario:
1. A pod is mounting a service account with permissions to deploy other pods
2. A container in the pod is running a vulnerable app, providing RCE to an attacker
Kubernetes and container security can be hard. We hear you. That's why #GKE now provides built in workload security posture management in public preview.
cloud.google.com/blog/products/…
🧵Let's dive in!
cloud.google.com/blog/products/…
🧵Let's dive in!
Once enabled for your clusters, GKE security posture scans your workloads on two dimensions:
- Misconfigurations (comparing against CNCF pod spec security standards
- OS level CVE vulnerabilities
These are surfaced in a snazzy dashboard with opinionated severity ratings
- Misconfigurations (comparing against CNCF pod spec security standards
- OS level CVE vulnerabilities
These are surfaced in a snazzy dashboard with opinionated severity ratings
Drill down and slice and dice to find the concerns that matter most.
