Kubernetes Penetration Testing
CREST Accredited, Cloud Native and Kubernetes Security Testing Specialists
Overview
Introduction
Kubernetes is a fantastic platform upon which to both develop and run your applications. It is also incredibly complex and easy to slip up from a security perspective. 4ARMED are one of very few providers worldwide who truly understand and specialise in Kubernetes penetration testing.
What is a Kubernetes Penetration Test?
Often this forms part of a wider scope of work looking at your application but a Kubernetes penetration test can certainly be delivered as a standalone engagement to give assurance over your cluster configurations.
We will review your clusters both from an external and internal perspective.
External Testing
The external review will focus on the cluster’s Internet-facing services to assess whether they are protected as expected and whether any ingress points are exposed unexpectedly. This may include services like the Kubernetes Dashboard, misconfigured API services, vulnerable Kubernetes versions or, as is pretty common, internal cluster management and monitoring tools such as Prometheus, Grafana or Elasticsearch exposed to the Internet without adequate protection.
Internal Kubernetes security testing takes things to a deeper level and looks at your cluster from inside, simulating the threat from an attacker who has either compromised a pod or found a vulnerability which enables them to make requests from inside a pod in the cluster.
Internal Testing
There are a wide variety of security issues that can affect a cluster’s configuration and even in the most recent versions of Kubernetes, some of these can still result in a total compromise of the cluster unless specific configuration is put in place to prevent this.
Some examples of issues we regularly encounter are:
- Unsecured Kubelet API
- Unprotected Helm Tiller service
- Sensitive cloud metadata unrestricted
- Secrets not protected adequately
- Lack of Network Policy
- Internal services unprotected without Ingress authentication
- Unauthenticated etcd access
- Privileged/root containers
- Excessive service account privileges
We will work with your team, typically remotely though on-site is certainly an option, talking through the issues as we find them. Most of our testing utilises a private Slack channel to discuss progress and keep everyone up to speed. Unlike most testing companies we actively encourage resolution during the testing window where possible.
We can test your cluster whether it’s managed (Google GKE, Amazon EKS, Microsoft AKS, DigitalOcean Kubernetes, etc) or unmanaged (Kubeadm, Kops, Typhoon, OpenShift, Tectonic, etc) where you control your own masters.
We’ve worked with many different organisations from FinTech startups to some of the biggest names in the Kubernetes landscape and we’d be happy to discuss what you need in more detail.
Benefits
Assurance
Security Testing helps you gain assurance over your risk. Your Kubernetes clusters should be configured correctly and securely but testing provides assurance that no mistakes have been made.
Compliance
Penetration Testing is required by a number of compliance standards such as PCI DSS. Our security testing services can help you achieve or maintain compliance for your Cloud Native environment.
Specialists
We’re not generalists who can wing it with your Kubernetes cluster. We’ve been working with this technology for years, we use it day-in, day-out for our own IT infrastructure, have spoken at tech conferences on the subject, blogged and released open source testing tools for Kubernetes.
Continual Improvement
Each report contains a root cause analysis and, if you take a Managed Security Testing contract we can help you implement a continuous improvement cycle focused on your specific problem areas.
What To Expect
Scoping
A typical engagement process flow can be seen here. The most important part when considering a penetration test is getting the scope right.
In some cases this is relatively simple as it may be you require a test of a single system or application whose boundaries are clearly defined. In other cases the scope will be more complex. A good example of this is when conducting a penetration test to meet PCI DSS requirement 11.3 which will need us to verify the scope for testing actually covers all in-scope systems.
For simple requirements we can typically scope a test accurately via a phone call or email, more complex tests will require a scoping form to be completed. A link to this can be found in the Resources section below.
Delivery
Pre-Test
- Confirmation of scope
- Escalation process agreed
- Test Authorisation
- Communication requirements agreed
Testing
- Enumeration
- Vulnerability Identification
- Exploitation
- Post-Exploitation
- Regular Testing Updates As Agreed
Reporting
- Report Completed By Lead Tester
- Issues Rated By Impact & Exploitability
- Root Cause Analysis
- Internal QA Prior To Issue
Review
- Optional Wash-up Call
- Post-Test Support For Recommendations
- Arrange Re-testing If Required
Client Stories
During the testing the communication was flawless and 4ARMED told us as they were testing of any gaps in security encountered so that we could work on fixes in parallel and deploy and retest them before the whole testing was completed. The final report was very comprehensive both from a business and technical point of view. The recommendations in the report were clear and concise and contained explicit steps on how to fix vulnerabilities effectively.
Ana
Systems Engineer at FinTech in Payments, Risk and Compliance
Ruby on Rails Application Penetration Test
Online Financial Services Company
Kubernetes Penetration Test
Large UK Tech Company in Insurance Sector
Resources
Security Testing Scoping Form
Next Steps
3 Warren Yard, Warren Park, Stratford Road, MILTON KEYNES MK12 5NW, England