Money Mitra Network Academy Logo

MONEY MITRA NETWORK ACADEMY

CKS Security Certification Path

Kubernetes Architecture & Threat Landscape

Understand the foundational architecture of Kubernetes and the security challenges that arise in container orchestration environments.

$ kubectl cluster-info
Kubernetes master is running at https://...
✓ Security context required

Kubernetes Architecture Overview

Control Plane Components

API Server

The front-end of the Kubernetes control plane. All cluster operations pass through the API server, making it a critical security boundary.

etcd

Distributed key-value store holding all cluster state. Compromise of etcd means complete cluster compromise.

Scheduler & Controller Manager

Makes decisions about pod placement and cluster state management. Requires proper authentication and authorization.

Worker Node Components

kubelet

Node agent that runs on every worker node. Communicates with API server and manages pod lifecycle.

Container Runtime

Responsible for pulling images and running containers. Common runtimes: containerd, CRI-O, Docker.

Pods

Smallest deployable units. A pod can contain one or more containers sharing network namespace.

Why Orchestration Increases Complexity

Container orchestration platforms like Kubernetes introduce significant operational complexity. While they provide scalability and automation benefits, they expand the attack surface exponentially. Multiple nodes, distributed state, multiple communication channels, and complex policy systems create numerous security challenges. Understanding this complexity is the first step toward building secure infrastructure.

Container Threat Landscape

Image Vulnerabilities

Container images are frequently built with known vulnerabilities in base layers and dependencies:

  • Outdated Base Images: Alpine, Ubuntu, or CentOS base layers with unpatched CVEs
  • Transitive Dependencies: Libraries pulled from public registries with unknown security posture
  • Unsigned Images: No verification that image comes from trusted source
  • Secrets in Layers: API keys, credentials baked into image layers
$ trivy image myapp:latest
Found 47 vulnerabilities
HIGH: 12, CRITICAL: 3

Privilege Escalation Risks

Containers often run with unnecessary elevated privileges, creating escalation pathways:

  • Running as Root: Default container behavior allows unrestricted access to kernel interfaces
  • Privileged Mode: Direct access to host kernel capabilities and devices
  • Host Path Mounts: Containers accessing sensitive host directories or /var/run/docker.sock
  • Kernel Vulnerabilities: Shared kernel creates attack surface for privilege escalation
$ kubectl run --rm -it bash --image=ubuntu
⚠ Running as UID 0 (root)
No security context applied

Cluster Attack Surface

API Server Exposure

The API server is the critical entry point to the cluster and a high-value target:

  • Unauthenticated Access: Misconfigured anonymous auth or missing auth webhooks
  • Weak TLS: Self-signed certificates or disabled certificate validation
  • Public Exposure: API server accessible from internet without firewall restrictions
  • Overly Permissive RBAC: Wildcard permissions allowing broad cluster access

Misconfigured Roles & RBAC

Incorrect RBAC policies create unintended privilege paths:

  • Cluster Admin Roles: Service accounts with cluster-admin binding for non-admin operations
  • Wildcard Verbs: Roles granting "*" permissions on resources
  • Service Account Tokens: Tokens with excessive permissions not rotated regularly
  • Cross-Namespace Access: Permissions allowing access to sensitive namespaces from user workloads

⚠️ Common Attack Patterns

❌ BAD: kubectl create rolebinding admin --clusterrole=cluster-admin --serviceaccount=default:myapp
✓ GOOD: kubectl create role pod-reader --verb=get --resource=pods

❌ BAD: apiVersion: rbac.authorization.k8s.io/v1
    resources: ["*"]
    verbs: ["*"]
✓ GOOD: apiVersion: rbac.authorization.k8s.io/v1
    resources: ["pods"]
    verbs: ["get", "list"]

Enterprise Security Perspective

Why K8s is a High-Value Target

  • Blast Radius

    Single compromise can affect hundreds or thousands of containerized applications

  • Data Access

    Cluster compromise grants access to all application data, secrets, and configurations

  • Lateral Movement

    Compromised pod can pivot to other services, the host, or external systems

  • Infrastructure Takeover

    Access to cluster resources for cryptocurrency mining, botnet deployment, or ransomware

Defense-First Architecture

  • Least Privilege

    Grant minimal necessary permissions to every component and service account

  • Defense in Depth

    Multiple security layers: network policies, admission controllers, runtime detection

  • Secure by Default

    Safe configurations out-of-the-box, security is not an afterthought

  • Continuous Monitoring

    Real-time detection and response to security events and anomalies

External Learning References

Deepen your understanding with official resources and community documentation:

Official Kubernetes Docs

kubernetes.io/docs/ →

Complete API reference and architecture documentation

Kubernetes Security Guide

kubernetes.io/docs/concepts/security/ →

Security architecture, best practices, and hardening guidelines

CIS Kubernetes Benchmark

cisecurity.org/benchmark/kubernetes →

Industry-standard security configuration benchmarks

OWASP Container Security

owasp.org/container-security →

Top 10 container and orchestration security risks

🎓 Verified Certificate Notice

Complete all 3 modules of this comprehensive Kubernetes Security course to unlock your Verified Cyber Security Certificate from MONEY MITRA NETWORK ACADEMY.

Each certificate includes:

  • Unique Certificate ID
  • QR Code Verification
  • LinkedIn-Ready Achievement Badge
QR Verification

Ready for the Next Module?

You've mastered the fundamental architecture and threat landscape. Now dive into practical cluster hardening and RBAC security implementation.

Module 2: Cluster Hardening & RBAC Security