Kubernetes API publicly accessible
Goal
Detect when multiple external connections are made to the port for the Kubernetes API (6443) or Kubelet API (10250).
Strategy
The Kubernetes API should not be publicly accessible: exposing it risks an attacker gaining control of the entire container platform. Incoming connections from multiple distinct public IP addresses to the API or Kubelet port indicate an exposed instance.
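The detection described above, as an added example rather than Datadog's own rule logic: over constructed flow records, count distinct external source IPs per (destination, port) for 6443 and 10250 and flag a target once at least two are seen. The internal CIDR list and the two-source threshold are assumptions; the RFC 5737 documentation ranges stand in for public addresses.

```python
import ipaddress
from collections import defaultdict

# Ports the rule watches: Kubernetes API server (6443) and Kubelet API (10250).
WATCHED_PORTS = {6443, 10250}

# Assumed internal address space; anything outside it is treated as external.
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16",
)]

# Constructed sample flow records (not real data): (src_ip, dst_ip, dst_port).
# RFC 5737 documentation ranges are used as stand-ins for public source addresses.
SAMPLE_FLOWS = [
    ("10.0.1.5", "10.0.0.10", 6443),      # in-cluster traffic, private source
    ("203.0.113.7", "10.0.0.10", 6443),   # external source
    ("198.51.100.9", "10.0.0.10", 6443),  # second external source
    ("203.0.113.7", "10.0.0.10", 6443),   # repeat from the same external IP
    ("192.0.2.44", "10.0.0.10", 10250),   # single external source hitting the kubelet
    ("203.0.113.8", "10.0.0.10", 443),    # unrelated port, ignored
]

def is_external(ip: str) -> bool:
    """True when the address is outside every configured internal network."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETWORKS)

def external_sources_by_target(flows):
    """Collect distinct external source IPs per (dst_ip, dst_port) on watched ports."""
    seen = defaultdict(set)
    for src, dst, port in flows:
        if port in WATCHED_PORTS and is_external(src):
            seen[(dst, port)].add(src)
    return seen

def detect_exposed_api(flows, threshold=2):
    """Return targets that received connections from >= threshold distinct external IPs."""
    seen = external_sources_by_target(flows)
    return {target: sorted(ips) for target, ips in seen.items() if len(ips) >= threshold}

if __name__ == "__main__":
    for (dst, port), sources in detect_exposed_api(SAMPLE_FLOWS).items():
        print(f"ALERT {dst}:{port} reached from {len(sources)} external IPs: {sources}")
```

Repeated connections from one external address do not raise the count; only distinct sources do, which is what separates a single scanner from a genuinely exposed endpoint.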
Triage and response
- Determine if the service running on the port is Kubernetes.
- Review all events for connections from unexpected IP addresses.
- Review running containers and audit logs for malicious activity.
- Move the API to an interface that is not publicly accessible. If you must expose Kubernetes to external hosts, configure secure authentication and restrict access with a security group.
This detection is based on data from Network Performance Monitoring.