AKS Uncategorized

Azure AKS – Reviewing recommendations from Security Center – Disabling Automounting API Credentials

You might see the following recommendation in Azure Security Center (Assuming you have enabled the security center add-on for AKS).

I did short write-up how such credentials are used from possibly compromised POD

[ASC] Kubernetes clusters should disable automounting API credentials

Disable automounting API credentials to prevent a potentially compromised Pod resource to run API commands against Kubernetes clusters.

How the feature works from POD side?

  • You should see credentials when checking: kubectl exec "yourPod" -n "namespace" cat /var/run/secrets/kubernetes.io/serviceaccount/token
  • if you see credentials then the default POD identity can query the api server
## --insecure if you dont want to read the CA cert...
curl --header "Authorization: Bearer ${TOKEN}" -X GET https://kubernetes.default.svc/api/v1/ --insecure

Investigation

  • You can read such events from Azure Log Analytics (Or Sentinel enabled workspace)
    • Example read where the attacker is using CURL from the compromised POD

AzureDiagnostics
| where TimeGenerated > now() - 10min
| extend auditL = parse_json(log_s)
| where auditL['requestURI'] contains "api"
| where auditL['userAgent'] contains "curl"
| project auditL
| evaluate bag_unpack(auditL)

Mitigation

Kubernetes versions since 1.6 allow settings the ”automountServiceAccountToken” to false

#From AKS documentation (Source below)
apiVersion: v1
kind: ServiceAccount
metadata:
  name: build-robot
automountServiceAccountToken: false

Sources

MS Security Center

https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#use-the-default-service-account-to-access-the-api-server

https://kubernetes.io/docs/tasks/run-application/access-api-from-pod/

0 comments on “Azure AKS – Reviewing recommendations from Security Center – Disabling Automounting API Credentials

Vastaa

Täytä tietosi alle tai klikkaa kuvaketta kirjautuaksesi sisään:

WordPress.com-logo

Olet kommentoimassa WordPress.com -tilin nimissä. Log Out /  Muuta )

Google photo

Olet kommentoimassa Google -tilin nimissä. Log Out /  Muuta )

Twitter-kuva

Olet kommentoimassa Twitter -tilin nimissä. Log Out /  Muuta )

Facebook-kuva

Olet kommentoimassa Facebook -tilin nimissä. Log Out /  Muuta )

Muodostetaan yhteyttä palveluun %s

%d bloggaajaa tykkää tästä: