This week's articles
82% of companies unknowingly give 3rd parties access to all their cloud data
#aws, #gcp, #azure, #iam
The Wiz team conducted research into the permissions granted to third-party vendors in cloud environments, and the results should be a wake-up call. In the majority of cases these permissions exist for no reason: the vendor doesn't actually need them, and the customers aren't even aware that they granted them to the vendor.
Bad Pods: Kubernetes Pod Privilege Escalation
What are the risks associated with overly permissive pod creation in Kubernetes? This post describes 8 insecure pod configurations and the corresponding methods to perform privilege escalation. The accompanying repository can also help penetration testers and administrators better understand common misconfiguration scenarios.
Getting into a bind with Kubernetes
The "bind" verb is a useful piece of Kubernetes RBAC configuration, but it's also one of the lesser known. As it can enable privilege escalation, it's an important thing to check for when creating or auditing roles.
The Power of Kubernetes RBAC LIST
One of the potential surprises for newcomers to Kubernetes RBAC is the subtle but extremely important difference between the GET and LIST verbs. This difference carries over into Google Cloud's IAM permission model for GKE clusters, with opportunities for unintended consequences.
Google Kubernetes Engine IAM Roles
#k8s, #gcp, #iam
What separates the GKE IAM Roles "Kubernetes Engine Developer" from "Kubernetes Engine Admin"? In most cases, not that much.
A Deeper Look at GKE Basic Auth
If you are running GKE Clusters with Basic Authentication, you'll want to consider removing those credentials from your clusters. This post aims to outline the risks and considerations for remediation.