Microsoft has warned that using pre-made templates, such as out-of-the-box Helm charts, during Kubernetes deployments can open the door to misconfigurations and leak valuable data.
“While these ‘plug-and-play’ options greatly simplify the setup process, they often prioritize ease of use over security,” Michael Katchinskiy and Yossi Weizman from the Defender for Cloud Research Team noted.
“As a result, a large number of applications end up being deployed in a misconfigured state by default, exposing sensitive data, cloud resources, or even the entire environment to attackers.”
Helm is a package manager for Kubernetes that lets developers package, configure and deploy applications and services onto Kubernetes clusters. It is part of the Cloud Native Computing Foundation (CNCF).
Kubernetes application packages are structured in the Helm packaging format called charts, which are YAML manifests and templates that describe the Kubernetes resources and configuration needed to deploy the application.
Microsoft noted that open-source projects often include default manifests or pre-defined Helm charts that prioritize ease of use over security, leading in particular to two major problems:
- Exposing services externally without proper network restrictions
- Lack of adequate built-in authentication or authorization by default
As a result, an organization that uses these projects without reviewing the YAML manifests and Helm charts can unintentionally expose its applications to attackers. This can have serious consequences if the deployed application facilitates sensitive API queries or allows administrative actions.
Some of the identified projects that could put Kubernetes environments at risk of attack are the following:
- Apache Pinot, which exposes the main components of the datastore, pinot-controller and pinot-broker, to the internet through Kubernetes LoadBalancer services without any authentication by default
- Meshery, which exposes the application interface through an external IP address, allowing anyone with access to that IP address to sign up as a new user, access the interface and deploy new pods, resulting in arbitrary code execution
- Selenium Grid, which exposes a NodePort service on a specific port across all nodes in the Kubernetes cluster, making external firewall rules the only line of defense
To mitigate the risks associated with such misconfigurations, it is recommended to review and modify them according to security best practices, periodically scan for publicly exposed interfaces, and monitor running containers for malicious and suspicious activity.
“Many in-the-wild exploitations of containerized applications originate from misconfigured workloads, often when using default settings,” the researchers said. “Relying on ‘default by convenience’ setups poses a significant security risk.”
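The two exposure patterns listed above (LoadBalancer services without source restrictions, and NodePort services open on every node) and the advice to periodically scan for exposed interfaces can be turned into a small audit. The script below is an added example written for this article, not code from Microsoft or from any of the projects named. It reads the JSON that `kubectl get services -A -o json` produces (a `v1` ServiceList), flags every Service whose type makes it reachable from outside the cluster network, and rates a LoadBalancer lower when `loadBalancerSourceRanges` limits who can reach it. The embedded sample ServiceList is constructed for the example; its namespaces, ports and addresses are made up.

```python
import json
import sys

# Constructed sample in the shape of `kubectl get services -A -o json` (a v1 ServiceList).
# Service names echo the projects named in the article; namespaces, IPs and ports are invented.
SAMPLE_SERVICE_LIST = json.dumps({
    "apiVersion": "v1",
    "kind": "List",
    "items": [
        {   # LoadBalancer with no source restriction: reachable from anywhere
            "metadata": {"name": "pinot-controller", "namespace": "pinot"},
            "spec": {"type": "LoadBalancer",
                     "ports": [{"port": 9000, "targetPort": 9000, "protocol": "TCP"}]},
            "status": {"loadBalancer": {"ingress": [{"ip": "203.0.113.10"}]}},
        },
        {   # ClusterIP (the Kubernetes default): cluster-internal only, not flagged
            "metadata": {"name": "pinot-zookeeper", "namespace": "pinot"},
            "spec": {"type": "ClusterIP", "ports": [{"port": 2181}]},
            "status": {"loadBalancer": {}},
        },
        {   # NodePort: opens the port on every node in the cluster
            "metadata": {"name": "selenium-hub", "namespace": "selenium"},
            "spec": {"type": "NodePort",
                     "ports": [{"port": 4444, "nodePort": 30444, "protocol": "TCP"}]},
            "status": {"loadBalancer": {}},
        },
        {   # LoadBalancer limited to a private range via loadBalancerSourceRanges
            "metadata": {"name": "grafana", "namespace": "monitoring"},
            "spec": {"type": "LoadBalancer",
                     "loadBalancerSourceRanges": ["10.0.0.0/8"],
                     "ports": [{"port": 443, "protocol": "TCP"}]},
            "status": {"loadBalancer": {"ingress": [{"hostname": "internal-lb.example.invalid"}]}},
        },
    ],
})

EXPOSING_TYPES = ("LoadBalancer", "NodePort")


def find_exposed_services(service_list_json):
    """Return one finding per Service whose type makes it reachable from outside
    the cluster network, in the order the Services appear in the list."""
    doc = json.loads(service_list_json)
    findings = []
    for svc in doc.get("items", []):
        spec = svc.get("spec", {})
        svc_type = spec.get("type", "ClusterIP")  # ClusterIP is the default when type is omitted
        if svc_type not in EXPOSING_TYPES:
            continue
        meta = svc.get("metadata", {})
        ingress = svc.get("status", {}).get("loadBalancer", {}).get("ingress", [])
        finding = {
            "namespace": meta.get("namespace", "default"),
            "name": meta.get("name", "?"),
            "type": svc_type,
            "external": [i.get("ip") or i.get("hostname") for i in ingress],
            "ports": [],
            "severity": "high",
            "reason": "",
        }
        if svc_type == "NodePort":
            # Every node listens on the nodePort; only firewall rules outside the
            # cluster stand between the internet and the workload.
            finding["ports"] = [p.get("nodePort") for p in spec.get("ports", [])]
            finding["reason"] = "NodePort listens on every node; external firewall is the only control"
        else:
            finding["ports"] = [p.get("port") for p in spec.get("ports", [])]
            ranges = spec.get("loadBalancerSourceRanges") or []
            if ranges:
                finding["severity"] = "medium"
                finding["reason"] = "LoadBalancer restricted to " + ", ".join(ranges)
            else:
                finding["reason"] = "LoadBalancer with no loadBalancerSourceRanges (open to 0.0.0.0/0)"
        findings.append(finding)
    return findings


def format_report(findings):
    """Render findings one per line, high severity first, then by namespace/name."""
    order = {"high": 0, "medium": 1}
    lines = []
    for f in sorted(findings, key=lambda f: (order[f["severity"]], f["namespace"], f["name"])):
        ext = ", ".join(f["external"]) or "pending"
        ports = ", ".join(str(p) for p in f["ports"])
        lines.append(f"[{f['severity'].upper()}] {f['namespace']}/{f['name']} "
                     f"type={f['type']} ports={ports} external={ext}: {f['reason']}")
    return lines


if __name__ == "__main__":
    # Real use: kubectl get services -A -o json > svc.json && python3 audit_services.py svc.json
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SERVICE_LIST
    for line in format_report(find_exposed_services(data)):
        print(line)
```

Run it on a saved `kubectl get services -A -o json` dump from a scheduled job and diff the report against the previous run; a new HIGH line is a newly exposed interface worth reviewing before it is reviewed for you. The severity split is deliberate: a NodePort is rated high regardless of the cloud provider, because nothing inside the cluster limits who can reach it, while a LoadBalancer with `loadBalancerSourceRanges` still deserves a look but is not open to the internet.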