Overview
Initial Access refers to the techniques an attacker may use to gain a first foothold in a Kubernetes cluster. They may do this either by compromising a resource deployed on the cluster (an image, an application, a credential file) or directly by compromising a component of the Kubernetes control plane that manages the cluster.
1- Using Cloud Credentials
If the Kubernetes cluster runs in a public cloud as a managed service, the cloud identity (IAM user, role or service principal) that is permitted to administer the cluster is itself a path into it. A compromised cloud credential with those permissions gives the attacker access to the cluster's management layer, and from there to every workload and secret in the cluster, that is, a full cluster takeover.
2- Compromised Images in Registry
A compromised, untrusted or unsafe image running in a cluster can lead to the cluster's compromise. Such an image may be pulled from a public registry (e.g. Docker Hub), built from an untrusted base image, or planted in a private registry by an attacker and later pulled by a legitimate user or deployment. Any malicious code it carries runs inside the cluster with the permissions of the pod that launched it, which may be enough for the attacker to reach the rest of the cluster.
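The practical defence against this technique is an admission-time policy: only pull from registries you control, and pin images by digest so a tag cannot be silently repointed. The following is an added example (not code from the page) that parses image references the way a container runtime resolves them (default registry docker.io, implicit library/ namespace, tag versus digest) and audits a pod manifest against an allow-list. The allow-list entries, the sample pod and its digest are constructed for illustration.

```python
"""Admission-style image policy check (added example, not from the page).

Parses container image references using the runtime's defaulting rules
and flags images that would let an untrusted or mutable image into the
cluster. The allow-list and the sample pod below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

DEFAULT_REGISTRY = "docker.io"

# Hypothetical allow-list: "registry" or "registry/namespace" prefixes.
ALLOWED_PREFIXES = ["registry.internal.example", "ghcr.io/trusted-org"]


@dataclass
class ImageRef:
    registry: str
    repository: str
    tag: Optional[str]
    digest: Optional[str]


def parse_image(ref: str) -> ImageRef:
    """Split [registry/]repo[:tag][@digest] using the runtime's defaulting rules."""
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    parts = ref.split("/")
    # The first component is a registry only if it looks like a host
    # (contains '.' or ':' or is 'localhost'); otherwise Docker Hub is assumed.
    if len(parts) > 1 and ("." in parts[0] or ":" in parts[0] or parts[0] == "localhost"):
        registry, path = parts[0], "/".join(parts[1:])
    else:
        registry, path = DEFAULT_REGISTRY, ref
        if "/" not in path:
            path = "library/" + path  # single-name images live under library/
    tag = None
    colon = path.rfind(":")
    if colon > path.rfind("/"):  # a ':' after the last '/' separates the tag
        path, tag = path[:colon], path[colon + 1:]
    return ImageRef(registry, path, tag, digest)


def check_image(ref: str, allowed_prefixes: List[str]) -> List[str]:
    """Return policy violations for one image reference (empty list = allowed)."""
    img = parse_image(ref)
    full = f"{img.registry}/{img.repository}"
    problems = []
    if not any(full == p or full.startswith(p.rstrip("/") + "/") for p in allowed_prefixes):
        problems.append(f"{full} is not in the registry allow-list")
    if img.digest is None:
        # Without a digest the reference is mutable: whoever controls the
        # registry can swap the content behind the tag at any time.
        problems.append("image is not pinned by digest")
        if img.tag in (None, "latest"):
            problems.append("uses the floating 'latest' tag (explicit or implicit)")
    elif not img.digest.startswith("sha256:") or len(img.digest) != 71:
        problems.append(f"malformed digest {img.digest!r}")
    return problems


def audit_pod(pod: dict, allowed_prefixes: List[str]) -> Dict[str, List[str]]:
    """Check every initContainer and container in a pod manifest."""
    spec = pod.get("spec", {})
    report: Dict[str, List[str]] = {}
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        problems = check_image(c["image"], allowed_prefixes)
        if problems:
            report[c["name"]] = problems
    return report


# Constructed sample manifest (not a real workload); the digest is a placeholder.
SAMPLE_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "web"},
    "spec": {
        "initContainers": [{"name": "init", "image": "busybox"}],
        "containers": [
            {"name": "app",
             "image": "registry.internal.example/team/web@sha256:" + "a" * 64},
            {"name": "sidecar", "image": "docker.io/someuser/helper:latest"},
        ],
    },
}

if __name__ == "__main__":
    for name, problems in audit_pod(SAMPLE_POD, ALLOWED_PREFIXES).items():
        print(name)
        for p in problems:
            print("  -", p)
```

Running the sample passes the digest-pinned internal image and rejects both `busybox` (Docker Hub, implicit `latest`, no digest) and the `:latest` sidecar. The same logic belongs in an admission webhook or a ValidatingAdmissionPolicy so that a pull from an unapproved registry is refused before the pod is scheduled.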
3- Kubeconfig File
The kubeconfig file used by kubectl (by default ~/.kube/config) lists the API server endpoints of clusters and the credentials used to reach them: bearer tokens, client certificates and keys, or exec plugins that fetch a token from a cloud provider. When the cluster is a managed cloud service, the file can be regenerated with the provider's CLI, so a compromised client that holds cloud credentials can simply request a fresh kubeconfig. Anyone who obtains the file, or the credentials embedded in it, can use it to access the clusters it describes.
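What makes a kubeconfig valuable to an attacker is the long-lived material embedded in it. The following added example (not code from the page) scans a kubeconfig for exactly the items an attacker would harvest: bearer tokens, client keys and certificates, basic-auth passwords, plus two settings that weaken transport security, and it checks whether the file is readable by other users. The sample kubeconfig is constructed; its token and certificate values are placeholders, not real secrets, and the exec-plugin user shows the form that leaves nothing to steal from the file itself.

```python
"""Kubeconfig credential scanner (added example, not from the page).

Reads a kubeconfig line by line and reports embedded credentials and
weak transport settings, plus a lax file mode. The sample kubeconfig
below is constructed; its values are not real secrets.
"""
import os
import re
import tempfile
from typing import List, Tuple

# Keys whose presence means a long-lived credential lives in the file.
SENSITIVE_KEYS = {
    "token": "bearer token embedded in file",
    "client-key-data": "client private key embedded (base64)",
    "client-certificate-data": "client certificate embedded (base64)",
    "password": "basic-auth password embedded",
}

Finding = Tuple[int, str, str]  # (line number, key, description)

# Matches a YAML "key: value" line, with or without a leading list dash.
_KV = re.compile(r"^-?\s*([\w-]+):\s*(.*)$")


def scan_kubeconfig_text(text: str) -> List[Finding]:
    """Return findings for kubeconfig content given as a string."""
    findings: List[Finding] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _KV.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        if key in SENSITIVE_KEYS and value:
            findings.append((lineno, key, SENSITIVE_KEYS[key]))
        elif key == "insecure-skip-tls-verify" and value.lower() == "true":
            findings.append((lineno, key, "TLS verification disabled; API traffic can be intercepted"))
        elif key == "server" and value.startswith("http://"):
            findings.append((lineno, key, "API server contacted over plaintext HTTP"))
    return findings


def scan_kubeconfig_file(path: str) -> List[Finding]:
    """Check the file mode, then scan the content."""
    findings: List[Finding] = []
    mode = os.stat(path).st_mode & 0o777
    if mode & 0o077:  # anything beyond owner-only access
        findings.append((0, "mode", f"file mode {oct(mode)} is readable by group/others"))
    with open(path, encoding="utf-8") as fh:
        findings.extend(scan_kubeconfig_text(fh.read()))
    return findings


# Constructed sample; token and cert/key values are placeholders.
SAMPLE_KUBECONFIG = """\
apiVersion: v1
kind: Config
clusters:
- cluster:
    server: https://10.0.0.1:6443
    insecure-skip-tls-verify: true
  name: prod
contexts:
- context:
    cluster: prod
    user: admin
  name: prod-admin
current-context: prod-admin
users:
- name: admin
  user:
    token: eyJhbGciOiJSUzI1NiJ9.constructed-sample-token
- name: dev
  user:
    client-certificate-data: LS0tQ09OU1RSVUNURUQtU0FNUExFLS0t
    client-key-data: LS0tQ09OU1RSVUNURUQtU0FNUExFLS0t
- name: cloud
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1beta1
      command: aws
      args: ["eks", "get-token", "--cluster-name", "prod"]
"""


def demo() -> List[Finding]:
    """Write the sample to a temp file with lax permissions and scan it."""
    fd, path = tempfile.mkstemp(suffix=".kubeconfig")
    try:
        with os.fdopen(fd, "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_KUBECONFIG)
        os.chmod(path, 0o644)  # deliberately too permissive for the demo
        return scan_kubeconfig_file(path)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    for lineno, key, desc in demo():
        print(f"line {lineno:>2}  {key:<25} {desc}")
```

On the sample this reports the disabled TLS verification, the admin token and the dev user's certificate and key, and the 0644 file mode; the `cloud` user, which obtains a short-lived token through an exec plugin, produces no finding. That is the design goal: a kubeconfig that carries no static credential is worth little on its own, and one that does should at least be owner-readable only.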
4- Application Vulnerability
Containerized, public-facing applications with exploitable vulnerabilities give a threat actor a way in. If such an application runs in the cluster, exploiting it yields code execution inside a pod, which becomes the attacker's initial foothold in the cluster. From there they may exploit the same weakness to reach other applications, access sensitive data, or launch a Denial of Service (DoS) attack.
5- Exposed Sensitive Interfaces
Exposing a sensitive interface to the Internet creates a security risk, particularly for frameworks that do not require authentication by default. An attacker who finds such an interface can use it without credentials to run code or deploy containers in the cluster. The Kubernetes dashboard is one interface that has been exploited this way in the past.