Stage 7 · Master
KCSA — Kubernetes & Cloud Native Security Associate
Kubernetes Threat Model (16%)
STRIDE framework, trust boundaries, and persistence threats — thinking like an attacker.
STRIDE Threat Model
STRIDE is a threat classification model developed by Microsoft. It provides a structured way to identify security threats by category. For each component, ask: could this be subject to STRIDE threats?
- Spoofing — Impersonating someone or something (fake identity).
- Tampering — Modifying data or code without authorization.
- Repudiation — Denying an action that actually occurred.
- Information Disclosure — Exposing data to unauthorized parties.
- Denial of Service — Making a system unavailable.
- Elevation of Privilege — Gaining unauthorized elevated access.
Go through each Kubernetes component (API server, etcd, kubelet, containers) and ask STRIDE questions for each. This systematic approach reveals threats that ad-hoc analysis misses.
Trust Boundaries
Trust boundaries are the lines between areas of different trust levels. Crossing a trust boundary requires authentication and authorization. In Kubernetes, there are several critical trust boundaries.
- Internet to cluster — Ingress controllers, LoadBalancers.
- User to API server — Authentication and RBAC.
- API server to kubelet — kubelet API authentication.
- Pod to Pod — Network Policies.
- Pod to external — Egress controls.
- Node to node — Cluster network encryption.
Common Attack Vectors
Understanding common attack vectors helps you prioritize defenses. The most dangerous attacks are those that allow privilege escalation or persistence.
- Exposed Kubernetes dashboard — Unauthenticated access to cluster management.
- Exposed etcd — Direct access to the cluster database.
- Running privileged containers — Containers with host access.
- Weak RBAC — Overly permissive roles or bindings.
- Container escape — Breaking out of container isolation to the host.
- Supply chain attacks — Malicious container images or dependencies.
Persistence Threats
Persistence is how an attacker maintains access after the initial compromise. Kubernetes provides several mechanisms that can be abused for persistence.
| Mechanism | How It Is Abused | Detection |
|---|---|---|
| Secrets | Store stolen credentials | Audit secret access |
| ServiceAccounts | Create long-lived tokens | Monitor SA usage |
| Pods | Deploy backdoor containers | Image scanning, admission control |
| CronJobs | Schedule recurring malicious tasks | Audit CronJob creation |
| RBAC | Create elevated bindings | Monitor ClusterRoleBinding changes |
Container-Specific Threats
Containers introduce unique threats that do not exist in traditional deployments. The shared kernel, image supply chain, and runtime behavior all present attack surfaces.
- Container escape — Exploiting kernel vulnerabilities to break out.
- Image poisoning — Using malicious base images from public registries.
- Secrets in environment variables — Exposed via /proc or kubectl describe.
- Privileged containers — Access to host devices and capabilities.
- Resource exhaustion — Crypto mining or DoS via resource abuse.
A privileged container has almost the same access as the host. It can load kernel modules, access all devices, and escape to the host. Only use privileged containers when absolutely necessary and with strict controls.
Mitigation Strategies
- Use Pod Security Standards to restrict privileged containers.
- Enable RBAC and follow least-privilege principles.
- Encrypt etcd at rest and in transit.
- Scan images for vulnerabilities before deployment.
- Enable audit logging and monitor for anomalies.
- Use Network Policies to segment traffic.
- Rotate certificates and credentials regularly.
Key Commands
kubectl get pods -o json | jq '.items[] | select(.spec.containers[].securityContext.privileged==true)'
kubectl get pods -o json | jq '.items[] | select(.spec.hostNetwork==true)'
kubectl get serviceaccounts -A
kubectl auth can-i create pods --as=system:anonymous
kubectl get events --field-selector reason=FailedCreateThese commands help you find privileged Pods, host network Pods, and anonymous access attempts. Use jq to filter JSON output for security auditing.
Mark this lesson complete to store local progress and unlock a cleaner resume path the next time you visit.