Kubernetes Penetration Testing

CREST Accredited, Cloud Native and Kubernetes Security Testing Specialists

Introduction

Kubernetes is a fantastic platform upon which to both develop and run your applications. It is also incredibly complex, and it is easy to slip up from a security perspective. 4ARMED are one of very few providers worldwide who truly understand and specialise in Kubernetes penetration testing.

What is a Kubernetes Penetration Test?

Often this forms part of a wider scope of work looking at your application, but a Kubernetes penetration test can certainly be delivered as a standalone engagement to give assurance over your cluster configurations.

We will review your clusters both from an external and internal perspective.

External Testing

The external review will focus on the cluster's Internet-facing services to assess whether they are protected as expected and whether any ingress points are exposed unexpectedly. This may include services like the Kubernetes Dashboard, misconfigured API services, vulnerable Kubernetes versions or, as is pretty common, internal cluster management and monitoring tools such as Prometheus, Grafana or Elasticsearch exposed to the Internet without adequate protection.

Internal Testing

Internal Kubernetes security testing takes things to a deeper level and looks at your cluster from inside, simulating the threat from an attacker who has either compromised a pod or found a vulnerability which enables them to make requests from inside a pod in the cluster.

There is a wide variety of security issues that can affect a cluster's configuration and, even in the most recent versions of Kubernetes, some of these can still result in a total compromise of the cluster unless specific configuration is put in place to prevent this.

Some examples of issues we regularly encounter are:

  • Unsecured Kubelet API
  • Unprotected Helm Tiller service
  • Sensitive cloud metadata unrestricted
  • Secrets not protected adequately
  • Lack of Network Policy
  • Internal services unprotected without Ingress authentication
  • Unauthenticated etcd access
  • Privileged/root containers
  • Excessive service account privileges

We will work with your team, typically remotely though on-site is certainly an option, talking through the issues as we find them. Most of our testing utilises a private Slack channel to discuss progress and keep everyone up to speed. Unlike most testing companies we actively encourage resolution during the testing window where possible.

We can test your cluster whether it's managed (Google GKE, Amazon EKS, Microsoft AKS, DigitalOcean Kubernetes, etc) or unmanaged (Kubeadm, Kops, Typhoon, OpenShift, Tectonic, etc) where you control your own masters.

We've worked with many different organisations from FinTech startups to some of the biggest names in the Kubernetes landscape and we'd be happy to discuss what you need in more detail.

Benefits

Assurance

Security Testing helps you gain assurance over your risk. Your Kubernetes clusters should be configured correctly and securely but testing provides assurance that no mistakes have been made.

Compliance

Penetration Testing is required by a number of compliance standards such as PCI DSS. Our security testing services can help you achieve or maintain compliance for your Cloud Native environment.

Specialists

We're not generalists who can wing it with your Kubernetes cluster. We've been working with this technology for years: we use it day in, day out for our own IT infrastructure, have spoken at tech conferences on the subject, blogged and released open source testing tools for Kubernetes.

Continual Improvements

Each report contains a root cause analysis. We want to help you make meaningful improvements beyond just fixing the specific issues we find.

What To Expect

Scoping

A typical engagement process flow can be seen here. The most important part when considering a penetration test is getting the scope right.

In some cases this is relatively simple, as you may require a test of a single system or application whose boundaries are clearly defined. In other cases the scope will be more complex. A good example of this is when conducting a penetration test to meet PCI DSS requirement 11.3, which requires us to verify that the scope for testing actually covers all in-scope systems.

For simple requirements we can typically scope a test accurately via a phone call or email; more complex tests will require a scoping form to be completed.

Delivery

Communication is key to the delivery of a good security testing engagement. You will be assigned a project lead who will handle all of the logistics of testing with you and give you one point of contact should you need to discuss anything. We will keep you updated throughout testing as required and a free-of-charge wash-up call between our consultants and relevant parties from your organisation can be scheduled once you have reviewed the detailed report provided. This gives you the opportunity to discuss the findings and recommendations in more detail and evaluate further your best course of action.

Resources

A high-level overview of a typical penetration testing engagement.

Next Steps

Want to discuss your requirements further? Wondering whether a Kubernetes Penetration Test is right for your business? There's an easy way to find out: give us a call or complete the contact form below to tell us where you're at, and we will work with you to find the best solution for you.