Tampering

Learn about different kinds of tampering with Kubernetes.

Tampering is the act of changing something in a malicious way to cause one of the following:

  • Denial of service: Tampering with the resource to make it unusable

  • Elevation of privilege: Tampering with a resource to gain additional privileges

Tampering can be hard to avoid, so a common countermeasure is to make it obvious when something has been tampered with. A common non-Kubernetes example is medication packaging: most over-the-counter drugs are packaged with tamper-evident seals that make it obvious if the product has been tampered with.

Tampering with Kubernetes components

Tampering with any of the following Kubernetes components can cause problems:

  • etcd

  • Configuration files for the API server, controller-manager, scheduler, etcd, and kubelet

  • Container runtime binaries

  • Container images

  • Kubernetes binaries

Generally speaking, tampering happens either in transit or at rest. In transit refers to data while it is being transmitted over the network, whereas at rest refers to data stored in memory or on disk.

TLS is a great tool for protecting against in-transit tampering as it provides built-in integrity guarantees that warn us when data has been tampered with.

Data security in Kubernetes

The following recommendations can also help prevent tampering with data when it is at rest in Kubernetes:

  • Restrict access to the servers that are running Kubernetes components, especially control plane components

  • Restrict access to repositories that store Kubernetes configuration files

  • Only perform remote bootstrapping over SSH (remember to keep our SSH keys safe)

  • Always run SHA-2 checksums against downloads

  • Restrict access to our image registry and associated repositories

This isn’t an exhaustive list. However, implementing it will significantly reduce the chances of our data being tampered with while at rest.
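
The SHA-2 checksum recommendation above, as an added example that is not part of the original lesson: a POSIX shell function that compares a download against its published SHA-256 digest and fails closed when the checksum file is missing or malformed. The function names, the file names in the usage comment, and the `.sha256` file layout are assumptions.

```shell
#!/bin/sh
# Added example: verify a downloaded file against a published SHA-256 digest.
# Assumption: the publisher ships a "<file>.sha256" file whose first field is
# the hex digest (a bare digest, or "digest  filename" as sha256sum writes it).
# Usage (hypothetical file names): verify_download ./kubectl ./kubectl.sha256 || exit 1

# sha256_of FILE -> prints the lowercase hex SHA-256 digest of FILE
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'    # macOS / BSD fallback
    fi
}

# verify_download FILE CHECKSUM_FILE
# returns 0 = match, 1 = mismatch (treat as tampered), 2 = cannot verify
verify_download() {
    file=$1
    sumfile=$2
    [ -f "$file" ] && [ -f "$sumfile" ] || { echo "missing input" >&2; return 2; }

    # First whitespace-separated field of the first line, lowercased.
    expected=$(awk 'NR==1 {print tolower($1)}' "$sumfile")

    # Reject anything that is not exactly 64 hex characters, for example an
    # HTML error page that was saved in place of the checksum file.
    case $expected in
        *[!0-9a-f]*|'') echo "malformed checksum file" >&2; return 2 ;;
    esac
    [ "${#expected}" -eq 64 ] || { echo "malformed checksum file" >&2; return 2; }

    actual=$(sha256_of "$file") || return 2
    if [ "$actual" = "$expected" ]; then
        echo "OK: $file"
        return 0
    fi
    echo "MISMATCH: $file (expected $expected, got $actual)" >&2
    return 1
}
```

A checksum only proves integrity if the digest is obtained over a trusted channel; if the digest is served from the same place as the download, someone who can alter one can alter both.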

As well as the items listed, it’s good production hygiene to configure auditing and alerting for important binaries and configuration files. If configured and monitored correctly, these can help detect potential tampering attacks.

The following example uses a common Linux audit daemon to audit access to the docker binary. It also audits attempts to change the binary’s file attributes.
