
MITRE ATT&CK Matrix for Kubernetes

These pages cover what Magalix is, how to get started using it, and reference materials for its features and supported cloud providers.


    Discovery


    Overview

    Attackers use Discovery techniques to explore the Kubernetes environment to which they have gained access, typically to prepare lateral movement and reach additional resources within or beyond the cluster. Some techniques query the Kubernetes API server or the Kubelet API for information about the cluster and its workloads; others map the cluster network, or abuse the Kubernetes Dashboard or the cloud instance metadata service to obtain information and credentials.

    Access the K8s API Server

    The Kubernetes API server is the front end of the control plane: every client and component, from kubectl to the controllers and the Kubelets, interacts with the cluster through its REST API, and it is the only component that reads and writes cluster state in etcd. Any identity the API server accepts can therefore be used to enumerate the cluster. The one an attacker most commonly obtains is the service account token mounted into a compromised pod (by default at /var/run/secrets/kubernetes.io/serviceaccount/token), with which they can list namespaces, pods and services and, where RBAC permits, secrets and RBAC bindings, and can ask the API server directly what the identity is allowed to do (SelfSubjectRulesReview, the call behind kubectl auth can-i --list). Because every request is authorized by RBAC, what the attacker learns is bounded by the permissions of the identity they hold, and every request is visible in the API server audit log.

    Access Kubelet API

    The Kubelet is the agent that runs on every Kubernetes node and ensures that the pods scheduled to the node are running. It exposes an HTTPS API on TCP port 10250 which, depending on the node's configuration, may accept anonymous requests or authorize every request (AlwaysAllow); historically it also served an unauthenticated read-only HTTP API on TCP port 10255, which most distributions now disable and which should be disabled (readOnlyPort: 0). An attacker with network access to a node can use these endpoints to list the pods running on it (/pods) and read node and container resource statistics such as CPU and memory consumption (/stats/summary, /metrics); with write access to port 10250 they can additionally execute commands inside running containers.
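The check below is an added example, not Magalix's or the Kubernetes project's own code. It reads a KubeletConfiguration document (in its JSON form, so the example needs only the standard library) and reports the settings that turn the Kubelet API into a discovery target: a non-zero readOnlyPort, anonymous authentication, disabled webhook authentication, and AlwaysAllow authorization. The two sample documents are constructed for illustration and do not come from a real node.

```python
import json
from typing import List

# Constructed sample KubeletConfiguration documents in JSON form (the kubelet accepts its
# config file as YAML or JSON). The values are assumptions for illustration only.
WEAK_KUBELET_CONFIG = json.dumps({
    "apiVersion": "kubelet.config.k8s.io/v1beta1",
    "kind": "KubeletConfiguration",
    "readOnlyPort": 10255,
    "authentication": {"anonymous": {"enabled": True}, "webhook": {"enabled": False}},
    "authorization": {"mode": "AlwaysAllow"},
})

HARDENED_KUBELET_CONFIG = json.dumps({
    "apiVersion": "kubelet.config.k8s.io/v1beta1",
    "kind": "KubeletConfiguration",
    "readOnlyPort": 0,
    "authentication": {"anonymous": {"enabled": False}, "webhook": {"enabled": True}},
    "authorization": {"mode": "Webhook"},
})


def kubelet_findings(config_text: str) -> List[str]:
    """Return the weaknesses found in a KubeletConfiguration document.

    Missing keys are treated with the config-file defaults (readOnlyPort 0, anonymous
    auth off, webhook auth on, authorization Webhook). Command-line flags can still
    override the file with weaker values, so the flags on the node need checking too.
    """
    cfg = json.loads(config_text)
    if cfg.get("kind") != "KubeletConfiguration":
        raise ValueError("not a KubeletConfiguration document")

    findings = []
    ro_port = cfg.get("readOnlyPort", 0)
    if ro_port:
        findings.append(
            f"readOnlyPort={ro_port}: unauthenticated read-only API (pods, node stats) "
            "is exposed; set readOnlyPort: 0")
    auth = cfg.get("authentication", {})
    if auth.get("anonymous", {}).get("enabled", False):
        findings.append(
            "authentication.anonymous.enabled=true: requests without credentials to the "
            "main Kubelet port (10250) are accepted as system:anonymous")
    if not auth.get("webhook", {}).get("enabled", True):
        findings.append(
            "authentication.webhook.enabled=false: bearer tokens are not validated "
            "against the API server (TokenReview)")
    mode = cfg.get("authorization", {}).get("mode", "Webhook")
    if mode == "AlwaysAllow":
        findings.append(
            "authorization.mode=AlwaysAllow: every authenticated request is permitted; "
            "use Webhook so the API server's RBAC (SubjectAccessReview) decides")
    return findings


if __name__ == "__main__":
    for name, doc in (("weak", WEAK_KUBELET_CONFIG), ("hardened", HARDENED_KUBELET_CONFIG)):
        print(name, kubelet_findings(doc) or ["no findings"])
```

On a real node the document to feed in is the file named by the kubelet's --config flag (or the output of the /configz endpoint on an authenticated port 10250), and the node's kubelet flags should be reviewed alongside it, because flags take precedence over the file.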

    Network Mapping

    By default, Kubernetes places no restrictions on network traffic between pods: in the absence of a NetworkPolicy every pod can reach every other pod and service in the cluster, and NetworkPolicy objects take effect only when the cluster's CNI plugin enforces them. An attacker who gains access to a single container can therefore probe the cluster network from inside, map the reachable pods and services, identify the applications behind them and scan them for known vulnerabilities. Connection attempts from one pod to many addresses or ports in a short time, especially ones that are dropped or refused, are the signal to look for.
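A detector for that signal, as an added example that is not Magalix's or any CNI project's code: it reads flow records (the JSON-lines shape and field names are assumed, not any particular CNI's export format), groups them by source pod, and flags a source that contacts at least fifteen distinct ip:port pairs within one minute. The sample records are constructed: a web pod talking to its database and cache, and a pod that sweeps twenty ports on one host and then port 22 across ten hosts.

```python
import json
from collections import defaultdict
from datetime import datetime, timezone


def _flow(ts, ns, pod, dst_ip, dst_port, verdict):
    return json.dumps({"ts": ts, "src_ns": ns, "src_pod": pod,
                       "dst_ip": dst_ip, "dst_port": dst_port, "verdict": verdict})


# Constructed flow records (assumed generic format). Normal application traffic first,
# then a port sweep and a host sweep from a pod that should not be talking to anything.
SAMPLE_FLOWS = [
    _flow("2022-03-10T10:00:00Z", "shop", "web-7f9c", "10.0.3.12", 5432, "ALLOWED"),
    _flow("2022-03-10T10:00:01Z", "shop", "web-7f9c", "10.0.3.12", 5432, "ALLOWED"),
    _flow("2022-03-10T10:00:02Z", "shop", "web-7f9c", "10.0.4.7", 6379, "ALLOWED"),
    _flow("2022-03-10T10:00:09Z", "shop", "web-7f9c", "10.0.4.7", 6379, "ALLOWED"),
]
# ports 20-39 on a single host ...
SAMPLE_FLOWS += [_flow(f"2022-03-10T10:05:{i:02d}Z", "default", "debug-shell",
                       "10.0.3.12", 20 + i, "DROPPED") for i in range(20)]
# ... then port 22 on ten neighbouring hosts
SAMPLE_FLOWS += [_flow(f"2022-03-10T10:05:{30 + i:02d}Z", "default", "debug-shell",
                       f"10.0.3.{i}", 22, "DROPPED") for i in range(10)]


def _parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def detect_sweeps(lines, window_seconds=60, min_targets=15):
    """Flag source pods that contact >= min_targets distinct ip:port pairs in one window.

    Returns {(namespace, pod): summary} describing the widest offending window per source.
    """
    by_src = defaultdict(list)
    for line in lines:
        r = json.loads(line)
        by_src[(r["src_ns"], r["src_pod"])].append(
            (_parse_ts(r["ts"]), r["dst_ip"], int(r["dst_port"]), r["verdict"]))

    alerts = {}
    for src, events in by_src.items():
        events.sort()
        best = None
        start = 0
        for end in range(len(events)):
            # slide the window start forward until the span fits in window_seconds
            while (events[end][0] - events[start][0]).total_seconds() > window_seconds:
                start += 1
            window = events[start:end + 1]
            targets = {(ip, port) for _, ip, port, _ in window}
            if len(targets) >= min_targets and (best is None or len(targets) > best["targets"]):
                best = {
                    "targets": len(targets),
                    "dst_ips": len({ip for _, ip, _, _ in window}),
                    "dst_ports": len({port for _, _, port, _ in window}),
                    # a high share of dropped/rejected flows is typical of probing closed ports
                    "not_allowed": sum(1 for e in window if e[3] != "ALLOWED"),
                    "first": window[0][0].isoformat(),
                }
        if best is not None:
            alerts[src] = best
    return alerts


if __name__ == "__main__":
    for src, info in detect_sweeps(SAMPLE_FLOWS).items():
        print(src, info)
```

The thresholds are deliberately plain; in production they would be tuned per namespace, and service-discovery traffic (DNS, the API server, metrics scrapers) excluded before counting targets.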


    Access Kubernetes Dashboard

    The Kubernetes Dashboard is a web UI used to monitor and manage the cluster. Actions performed through it run with the permissions of the Dashboard's service account, as granted by its RoleBinding or ClusterRoleBinding, unless the Dashboard is configured to require the user's own token. If the Dashboard is reachable inside the cluster without authentication (for example with login skipping enabled, or backed by a broadly privileged service account), an attacker with access to a single container can reach it over the pod network and use its identity to retrieve information about cluster resources or to act on them.
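Both the API server discovery described above and misuse of the Dashboard's service account leave their trace in the API server audit log, so one detector covers both. The code below is an added example, not Magalix's or the Kubernetes project's own. It reads audit.k8s.io/v1 events at Metadata level and flags permission enumeration (SelfSubjectAccessReview / SelfSubjectRulesReview), cluster-wide listings of high-value resources, any successful read of secrets, runs of 403 responses, and a sensitive service account's token used from an IP it is not expected at. The sample events, the pod IPs and the expected-source table are constructed for illustration.

```python
import json
from collections import Counter, defaultdict

DISCOVERY_VERBS = {"get", "list", "watch"}
HIGH_VALUE = {"secrets", "serviceaccounts", "pods", "nodes", "configmaps",
              "clusterroles", "clusterrolebindings", "roles", "rolebindings"}
PERMISSION_PROBES = {"selfsubjectaccessreviews", "selfsubjectrulesreviews"}  # kubectl auth can-i
CONTROL_PLANE_USERS = {"system:kube-controller-manager", "system:kube-scheduler", "system:apiserver"}

# Assumption: the source IPs from which a sensitive service account's token is legitimately
# used (here, the Dashboard pod). The same token seen elsewhere has likely been copied out.
EXPECTED_SOURCE = {
    "system:serviceaccount:kubernetes-dashboard:kubernetes-dashboard": {"10.244.2.9"},
}


def _ev(user, verb, resource, namespace, code, src, uri):
    """Build a trimmed audit.k8s.io/v1 Event at Metadata level (constructed sample, not real)."""
    ref = {"resource": resource} if resource else {}
    if namespace:
        ref["namespace"] = namespace
    return json.dumps({
        "kind": "Event", "apiVersion": "audit.k8s.io/v1", "level": "Metadata",
        "stage": "ResponseComplete", "requestURI": uri, "verb": verb,
        "user": {"username": user}, "sourceIPs": [src], "objectRef": ref,
        "responseStatus": {"code": code},
    })


SA_DEFAULT = "system:serviceaccount:default:default"
SA_DASH = "system:serviceaccount:kubernetes-dashboard:kubernetes-dashboard"

SAMPLE_AUDIT = [
    _ev("system:kube-controller-manager", "list", "pods", "", 200, "10.0.0.10", "/api/v1/pods"),
    # a pod's default service account token, driven by curl from the pod at 10.244.1.5
    _ev(SA_DEFAULT, "create", "selfsubjectrulesreviews", "", 201, "10.244.1.5",
        "/apis/authorization.k8s.io/v1/selfsubjectrulesreviews"),
    _ev(SA_DEFAULT, "list", "secrets", "", 403, "10.244.1.5", "/api/v1/secrets"),
    _ev(SA_DEFAULT, "list", "secrets", "default", 200, "10.244.1.5",
        "/api/v1/namespaces/default/secrets"),
    _ev(SA_DEFAULT, "list", "pods", "", 200, "10.244.1.5", "/api/v1/pods"),
    _ev(SA_DEFAULT, "get", "nodes", "", 403, "10.244.1.5", "/api/v1/nodes/worker-1"),
    _ev(SA_DEFAULT, "list", "clusterrolebindings", "", 403, "10.244.1.5",
        "/apis/rbac.authorization.k8s.io/v1/clusterrolebindings"),
    # the Dashboard doing its job from its own pod ...
    _ev(SA_DASH, "list", "pods", "default", 200, "10.244.2.9", "/api/v1/namespaces/default/pods"),
    # ... and its token replayed from a different pod
    _ev(SA_DASH, "list", "secrets", "kube-system", 200, "10.244.5.3",
        "/api/v1/namespaces/kube-system/secrets"),
]


def analyze_audit(lines, forbidden_threshold=3):
    """Return {username: [finding, ...]} for discovery-like behaviour in audit events."""
    findings = defaultdict(list)
    forbidden = Counter()
    for line in lines:
        ev = json.loads(line)
        if ev.get("stage") != "ResponseComplete":
            continue  # only completed requests carry a response code
        user = ev["user"]["username"]
        if user in CONTROL_PLANE_USERS:
            continue
        verb = ev["verb"]
        ref = ev.get("objectRef") or {}
        resource = ref.get("resource", "")
        code = (ev.get("responseStatus") or {}).get("code", 0)
        src = (ev.get("sourceIPs") or ["?"])[0]

        if resource in PERMISSION_PROBES:
            findings[user].append(f"permission enumeration via {resource} from {src}")
        if code == 403:
            forbidden[user] += 1
        if verb in DISCOVERY_VERBS and resource in HIGH_VALUE and code == 200:
            scope = ref.get("namespace") or "cluster-wide"
            # a cluster-wide listing, or any successful read of secrets, is worth a look
            if (verb == "list" and scope == "cluster-wide") or resource == "secrets":
                findings[user].append(f"{verb} {resource} ({scope}) from {src}")
        expected = EXPECTED_SOURCE.get(user)
        if expected is not None and src not in expected:
            findings[user].append(f"token used from unexpected source {src} ({verb} {resource})")

    for user, n in forbidden.items():
        if n >= forbidden_threshold:
            findings[user].append(f"{n} forbidden responses: probing what the identity may do")
    return dict(findings)


if __name__ == "__main__":
    for user, items in analyze_audit(SAMPLE_AUDIT).items():
        print(user)
        for item in items:
            print("  -", item)
```

This only works if the audit policy records these requests at Metadata level or above; a policy that drops get/list on secrets to save volume also drops the evidence.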

    Instance Metadata API

    Cloud providers expose a metadata service that returns information about a virtual machine (VM): its network configuration, hostname, attached disks, SSH public keys, user data and, typically, temporary credentials for the instance's cloud identity. The service listens on a link-local, non-routable address (169.254.169.254 on AWS, GCP and Azure) that is reachable only from within the VM, but pods running on a node share that reachability unless egress to the address is blocked. An attacker who reaches the endpoint from a compromised container can read the node's cloud credentials and use them against the cloud account, and on Kubernetes nodes may also find node bootstrap configuration in the user data. Denying egress to 169.254.169.254 from application pods with a NetworkPolicy, and enforcing the provider's hardened mode where one exists (for example AWS IMDSv2 with a hop limit of 1, which keeps pods on the pod network from obtaining a token), closes this path.
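Whether a given pod can actually reach 169.254.169.254 depends on the union of every NetworkPolicy that selects it, and a single permissive policy added later quietly reopens the path. The evaluator below is an added example, not Magalix's or the Kubernetes project's code: it applies the NetworkPolicy egress semantics (no selecting egress policy means allow-all; otherwise the rules of all selecting policies are unioned; an empty "to" means any destination, an ipBlock matches by CIDR minus its except list, pod and namespace selectors never match an external address) to policies in the dict form that kubectl get networkpolicy -o json returns. The four policies are constructed, and label selectors are limited to matchLabels to keep the example short.

```python
import ipaddress

METADATA_IP = "169.254.169.254"  # link-local metadata address on AWS, GCP and Azure

# Constructed policies in the JSON/dict form kubectl returns (metadata trimmed).
ALLOW_ALL_EGRESS = {"metadata": {"name": "allow-all-egress"}, "spec": {
    "podSelector": {}, "policyTypes": ["Egress"], "egress": [{}]}}

BLOCK_METADATA = {"metadata": {"name": "block-metadata"}, "spec": {
    "podSelector": {}, "policyTypes": ["Egress"], "egress": [
        {"to": [{"ipBlock": {"cidr": "0.0.0.0/0", "except": ["169.254.169.254/32"]}}]},
        {"to": [{"namespaceSelector": {}}]},  # keep in-cluster traffic working
    ]}}

DENY_ALL_EGRESS = {"metadata": {"name": "default-deny-egress"}, "spec": {
    "podSelector": {}, "policyTypes": ["Egress"]}}

DB_ONLY = {"metadata": {"name": "db-egress"}, "spec": {
    "podSelector": {"matchLabels": {"app": "db"}}, "policyTypes": ["Egress"], "egress": [{}]}}


def _selects(selector, labels):
    """Evaluate a label selector; matchLabels only, matchExpressions are out of scope here."""
    if selector.get("matchExpressions"):
        raise NotImplementedError("matchExpressions are not handled in this example")
    return all(labels.get(k) == v for k, v in (selector.get("matchLabels") or {}).items())


def _peer_allows(peer, ip):
    block = peer.get("ipBlock")
    if block is None:
        return False  # podSelector/namespaceSelector peers only match in-cluster pods
    if ip not in ipaddress.ip_network(block["cidr"], strict=False):
        return False
    return not any(ip in ipaddress.ip_network(e, strict=False) for e in block.get("except") or [])


def _rule_allows(rule, ip, port, protocol="TCP"):
    peers = rule.get("to") or []
    if peers and not any(_peer_allows(p, ip) for p in peers):
        return False  # an empty 'to' means every destination
    ports = rule.get("ports") or []
    if not ports:
        return True  # an empty 'ports' means every port
    return any(p.get("protocol", "TCP") == protocol and p.get("port") in (None, port)
               for p in ports)


def egress_allowed(policies, pod_labels, ip=METADATA_IP, port=80):
    """Would a pod with these labels be allowed to open ip:port under these policies?"""
    target = ipaddress.ip_address(ip)
    selecting = []
    for pol in policies:
        spec = pol["spec"]
        # policyTypes defaults to Ingress, plus Egress when egress rules are present
        types = spec.get("policyTypes") or (["Ingress"] + (["Egress"] if "egress" in spec else []))
        if "Egress" in types and _selects(spec.get("podSelector") or {}, pod_labels):
            selecting.append(spec)
    if not selecting:
        return True  # no egress policy selects the pod: Kubernetes allows all egress
    return any(_rule_allows(r, target, port)
               for spec in selecting for r in spec.get("egress") or [])


if __name__ == "__main__":
    web = {"app": "web"}
    for name, pols in (("none", []), ("allow-all", [ALLOW_ALL_EGRESS]),
                       ("block-metadata", [BLOCK_METADATA]),
                       ("block-metadata + allow-all", [BLOCK_METADATA, ALLOW_ALL_EGRESS])):
        print(f"{name:28s} metadata reachable: {egress_allowed(pols, web)}")
```

The last case in the usage block is the one to remember: because NetworkPolicies are additive, the block-metadata policy is only effective while no other policy selecting the same pods grants broader egress, so the check should be rerun whenever policies change.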

     