K06: Broken Authentication

Overview

Authentication in Kubernetes takes on my many forms and is extremely flexible. This emphasis on being highly configurable makes Kubernetes work in a number of different environments but also presents challenges when it comes to cluster and cloud security posture.

Broken Authentication - Illustration

Description

Several entities need to access the Kubernetes API. Authentication is the first hurdle for these requests. Authentication to the Kubernetes API is via HTTP request and the authentication method can vary from cluster to cluster. If a request cannot be authenticated, it is rejected with an HTTP status of 401.

Kubernetes Authentication

Source: https://kubernetes.io/docs/concepts/security/controlling-access/

Let’s dive into the different types of subjects who need to authenticate to the Kubernetes API.

Human Authentication

People need to interact with Kubernetes for a number of reasons. Developers debugging their running application in a staging cluster, platform engineers building and testing new infra, and more. There are several methods available to authenticate to a cluster as a human such as OpenID Connect (OIDC), Certificates, cloud IAM, and even ServiceAccount tokens. Some of these offer much more robust security than others as we will explore in the prevention section below.

Service Account Authentication

Service account (SA) tokens can be presented to the Kubernetes API as an authentication mechanism when configured with RBAC appropriately. A SA is a simple authentication mechanism typically reserved for container-to-api authentication from inside the cluster.

How to Prevent

Avoid using certificates for end user authentication

Certificates are convenient to use for authenticating to the Kubernetes API but should be used with extreme caution. At this time, the API has no way to revoke certificates making for a scramble to re-key the cluster in the event of a compromise or leak of private key material. Certificates are also more cumbersome to configure, sign, and distribute. A certificate may be used as a “Break Glass” authentication mechanism but not for primary auth.

Never roll your own authentication

Just like crypto, you should not build something novel when it isn’t necessary. Use what is supported and widely adopted.

Enforce MFA when possible

No matter the auth mechanism chosen, force humans to provide a second method of authentication (typically part of OIDC).

Don’t use Service Account tokens from outside of the cluster

For use inside the cluster, Kubernetes Service Account tokens are obtained directly using the TokenRequest API, and are mounted into Pods using a projected volume. For use outside the cluster, these tokens must be manually provisioned via a Kubernetes Secret and have no expiration. Using long-lived SA tokens from outside of the cluster opens your cluster up to significant risk.

If a token based approach is required, short-lived tokens can be provisioned by the TokenRequest API or using kubectl create token with the --duration flag.

Authenticate users and external services using short-lived tokens

All authentication tokens should be as short-lived as tolerable. This way if (and when) a credential is leaked, it is possible that it may not be replayed in the time necessary to compromise the account.

Broken Authentication -
Mitigations

Example Attack Scenarios

Accidental Git Leak: A developer accidentally checks their .kubeconfig file from their laptop which holds Kubernetes authentication credentials for their clusters at work. Someone scanning GitHub finds the credentials and replays them to the target API (unfortunately, sitting on the internet) and because the cluster is configured to authenticate using certificates, the leaked file has all of the information needed to successfully authenticate to the target cluster.

References

Tremlo Blog Post: https://www.tremolosecurity.com/post/what-the-nsa-and-cisa-left-out-of-their-kubernetes-hardening-guide

Kubernetes Authentication: https://kubernetes.io/docs/concepts/security/controlling-access/