EKS Cluster Games is a decent cybersecurity CTF that revolves around Kubernetes on AWS & security. You get 5 challenges to solve. If you are new to Kubernetes security, this is a nice way to assess yourself.
I've completed all the challenges & got this certificate.
The challenges are fun & I don't want to spoil the thrill for you. Hence, we won't discuss the solutions here, instead, we will look at what are the types of misconfigurations in each challenge that lead to system compromise.
Challenge 1: Exposed Secrets
Vulnerability: Unrestricted access to Kubernetes secrets.
Root Cause: Overly permissive RBAC (Role-Based Access Control) settings that allow broader than necessary access rights revealed the Kubernetes secrets.
Patch: Restrict access to secrets using RBAC, ensuring only necessary roles have the 'get secrets' permission.
Challenge 2: Exposed Image Pull Secrets
Vulnerability: Improper management of container image pull secrets.
Root Cause: Lack of segregation and restriction on secret access, allowing unauthorized retrieval of sensitive data.
Patch: Regularly audit and restrict access to image pull secrets. Apply appropriate RBAC policies.
Challenge 3: Metadata Service Exploitation
Vulnerability: Unrestricted access to the EC2 instance metadata service (IMDSv1) from within the Kubernetes pod.
Root Cause: Default configuration of IMDSv1 allows any process within the instance to access sensitive IAM credentials.
Patch: Restrict or disable IMDSv1 access and migrate to IMDSv2 which requires a token to access metadata. Additionally, if not required, block pod access to instance metadata using network policies or iptables.
Challenge 4: IAM Role Misconfiguration
Vulnerability: The service account had zero permissions, but the ability to assume node’s IAM role led to exploitation.
Root Cause: Excessive IAM permissions granted to the node role, which can be misused if accessed.
Patch: Principle of least privilege should be enforced for IAM roles associated with Kubernetes nodes and services.
Challenge 5: Flawed IAM Trust Policy
Vulnerability: Flaws in the IAM role trust policy allowed unintended access.
Root Cause: The trust policy lacked an essential check on the subject claim, allowing any service account to assume a role in the cluster.
Patch: Revise IAM trust policies to include stringent conditions, like checking the
subclaim to match specific service accounts, so others cannot escalate the privileges.
These vulnerabilities are just the tip of the iceberg in containers, Kubernetes & cloud security space. It's always important to have automated systems to look for possible vulnerabilities & misconfigurations.
Want to learn more about EKS security? Make sure to subscribe to the newsletter. I've a series coming up soon!