What is The Kubenomicon?

The Kubenomicon was born of a desire to understand more about Kubernetes from an offensive perspective. I found many great resources to aid in my journey, but I quickly realized:

  1. I will never be able to document every offensive and defensive Kubernetes technique on my own.
  2. Things in the Kubernetes world move really fast, and there are constantly new attack surfaces to explore.

My solution to both is to start the Kubenomicon -- a place where offensive security techniques, and how to defend against them, can easily be documented via pull requests to the Kubenomicon GitHub.

This project was heavily inspired by the Kubernetes Threat Matrix from Microsoft, which is a great starting point because it organizes the concepts in a MITRE ATT&CK-style matrix of tactics and techniques. The Microsoft Threat Matrix was explicitly not designed to be a playbook for offensive security professionals, and so it lacks the details necessary to actually exploit (and remediate) each attack in a Kubernetes cluster.

The Kubenomicon Threat Matrix

The matrix is organized by tactic (columns in the original layout); each tactic lists the techniques documented under it.

Initial Access: Using Cloud Credentials; Compromised image in registry; Kubeconfig File; Application Vulnerability; Exposed Sensitive Interfaces; SSH server running inside container

Execution: Exec inside container; New Container; Application Exploit (RCE); Sidecar Injection

Persistence: Backdoor Container; Writable hostPath mount; Kubernetes Cronjob; Malicious Admission Controller; Container Service Account; Static Pods

Privilege Escalation: Privileged Container; Cluster-admin binding; hostPath Mount; Access Cloud Resources

Defense Evasion: Clear Container Logs; Delete Events; Pod Name Similarity; Connect From Proxy Server

Credential Access: List K8S secrets; Access Node Information; Container Service Account; Application Credentials In Configuration Files; Access Managed Identity Credentials; Malicious Admission Controller

Discovery: Access Kubernetes API Server; Access Kubelet API; Network Mapping; Exposed Sensitive Interfaces; Instance Metadata API

Lateral Movement: Access Cloud Resources; Container Service Account; Cluster Internal Networking; Application Credentials In Configuration Files; Writable hostPath Mount; CoreDNS Poisoning; ARP Poisoning and IP Spoofing

Collection: Images from a private registry; Collecting Data From Pod

Impact: Data Destruction; Resource Hijacking; Denial of Service

Prior work

I am far from the first person to come up with the idea of documenting this information. Many great projects take a similar approach. Most notably, the Microsoft Kubernetes Threat Matrix is what inspired this project. Additionally, late into putting this project together, I discovered the excellent threat matrix from RedGuard. Some other projects that served as inspiration for this include: