Container orchestration systems, including Kubernetes, are increasingly being deployed in the cloud, but not all of those deployments are being done in a secure manner, according to a new report from Lacework, set to be released on June 19.
Lacework conducted an analysis of cloud-hosted container orchestration deployments and discovered 21,169 publicly facing container orchestration platforms. Of these, 300 deployments were found to have open administrative dashboards without any required access credentials.
“We used Shodan and our own crawler and port scanning in order to discover and fingerprint servers and then discover ones that were truly open versus authenticated,” Dan Hubbard, Chief Security Architect, told eWEEK.
Shodan.io is a popular search service for discovering internet-connected resources. Lacework, founded in 2015, is in the business of cyber-security visibility. The company’s Polygraph platform provides security visibility into potential misconfigurations, threats and breaches inside of application infrastructure residing in data centers or in the cloud.
The issue of open container orchestration dashboards is not a new one and was also highlighted by security firm RedLock in a February 2018 report. RedLock found that electric automobile vendor Tesla had left its Kubernetes cluster open without any credentials and that it was being used by fraudsters to mine crypto-currency. More recently, security firm Kromtech reported on June 8 that a Kubernetes cluster operated by Weight Watchers was left open without authentication.
Kubernetes wasn’t the only container orchestration system discovered by Lacework, but it was the most broadly deployed. Kubernetes represented 76 percent of the container orchestrators discovered in the cloud by Lacework, while 19 percent of clusters were running Docker Swarm.
AWS Hosts Most Discoverable Dashboards
Lacework’s analysis found that 95 percent of the discoverable container orchestration system dashboards were hosted on Amazon Web Services (AWS). Lacework conducted its scanning during the first week of June, which coincidentally is also the week that Amazon made its managed Elastic Container Service for Kubernetes (EKS) generally available. Organizations can deploy Kubernetes on their own in AWS, or they can now choose to run EKS. For the Kubernetes clusters found with open dashboards on AWS, Hubbard said that they were installations outside of Amazon’s EKS managed service.
“EKS deploys with a secure dashboard and management plane by default and I’m pretty sure you cannot edit that unless you run your own management,” Hubbard said.
While discovering 300 entirely open container orchestration system dashboards is not a good thing, Hubbard agreed that it’s safe to say that a large percentage of deployed container orchestration platforms are not open.
“This of course is only one aspect of security so hard to say if they are secure,” Hubbard said. “Also an important note, we did not perform any brute force password or dictionary attacks so we cannot comment on how secure the authentication process is.”
The Lacework report observed that the cluster orchestration system dashboards that were open to discovery on the internet could potentially disclose information that might be useful to attackers.
“Within most discovered systems, the company name could be derived from certificates and hostnames even without access,” the report states. “These organizations, and the others who will replicate their mistakes, are opening themselves up to brute force password and dictionary attacks.”
Best Practices
Looking specifically at Kubernetes, Hubbard recommended organizations take the following measures to improve security:
- Configure Kubernetes pods to run read-only file systems
- Restrict privilege escalation in Kubernetes
- Build a pod security policy
- Run Role Based Access Control (RBAC)
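As an added illustration (not from the Lacework report or from Hubbard), the four measures above can be expressed as Kubernetes manifests: a PodSecurityPolicy of the kind available in 2018 that enforces read-only root file systems and blocks privilege escalation, a pod that satisfies it, and a namespaced RBAC Role and RoleBinding. The namespace, object names, service account and image are placeholders.

```yaml
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata: {name: restricted}
spec:
  privileged: false
  allowPrivilegeEscalation: false   # restrict privilege escalation
  readOnlyRootFilesystem: true      # containers must run on a read-only root fs
  runAsUser: {rule: MustRunAsNonRoot}
  seLinux: {rule: RunAsAny}
  supplementalGroups: {rule: RunAsAny}
  fsGroup: {rule: RunAsAny}
  volumes: ["configMap", "secret", "emptyDir"]   # no hostPath volumes
---
apiVersion: v1          # a pod that satisfies the policy above
kind: Pod
metadata: {name: example-app, namespace: example-ns}
spec:
  serviceAccountName: app-sa
  containers:
  - name: app
    image: example.invalid/app:1.0   # placeholder image
    securityContext:
      allowPrivilegeEscalation: false
      readOnlyRootFilesystem: true
      runAsNonRoot: true
    volumeMounts:
    - {name: tmp, mountPath: /tmp}  # writable scratch space via emptyDir
  volumes:
  - {name: tmp, emptyDir: {}}
---
apiVersion: rbac.authorization.k8s.io/v1   # RBAC: least-privilege Role
kind: Role
metadata: {name: pod-reader, namespace: example-ns}
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata: {name: app-sa-pod-reader, namespace: example-ns}
subjects:
- {kind: ServiceAccount, name: app-sa, namespace: example-ns}
roleRef: {kind: Role, name: pod-reader, apiGroup: rbac.authorization.k8s.io}
```

The PodSecurityPolicy only takes effect once the PodSecurityPolicy admission controller is enabled and the pod's service account is granted `use` on the policy through RBAC. PodSecurityPolicy was removed in Kubernetes 1.25; on current clusters the same constraints are applied with Pod Security Admission or a policy engine.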
Overall, Hubbard suggests that organizations understand their inventory of applications in public clouds and perform continual audit and configuration scanning with compliance checks for workloads and security zone policies.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.