Imagine building a fortress. We don’t just build walls. We also think about how someone might try to sneak in. Could they climb over? Dig under? Disguise themselves? This kind of thinking helps us protect the fortress better.
In the world of Kubernetes (K8s), we need the same smart thinking. That’s where a threat model comes in.
What Is a Threat Model? Why do we need one?
A threat model is a plan. It shows how something could be attacked. It also shows how we can stop those attacks. This model helps us think like an attacker. We look for weak points before someone else does. When we create a threat model, we ask questions like:
- What are we trying to protect?
- What can go wrong?
- Who might try to break in?
- How might they try?
- What happens if they succeed?
Without a threat model, we’re just guessing. We might spend time fixing things that don’t matter. Or we might miss something big. A threat model helps us stay focused. It gives us a clear picture of what’s at risk and how to guard it.
In Kubernetes, this is very important.
Let’s say we are building a new app. We can use a threat model to map out what could go wrong. For example:
- Can someone access the cluster without logging in?
- Can a pod talk to another pod it shouldn’t?
- Can a bad actor get to our secrets?
A security model is our rulebook. It shows what’s allowed and what isn’t. But before we write the rules, we need to know what to protect. That’s where the threat model helps. It shows us:
- What to defend
- Who we’re defending against
- How they might attack
What is a Kubernetes Threat Model?
Now that we understand what a threat model is and why it's important to have one, let's focus on our favourite platform - Kubernetes. A Kubernetes threat model looks at each part of the platform an attacker could target:
- Clusters
- Nodes
- Pods
- Containers
- APIs
- Network traffic
- Secrets and data
The goal of a Kubernetes threat model is to offer a comprehensive view of potential threats and corresponding mitigations, serving as a practical checklist to identify common attack vectors. It helps uncover how attackers might exploit misconfigurations or weaknesses in the cluster to achieve their objectives.
In other words, the model helps us find these paths before they become real problems in our K8s cluster. With that information we can design the mitigation strategies that block each of those possible attacks.

All of that sounds great, but building a threat model for K8s from scratch, on our own, would probably take a lot of time. Fortunately, we're not alone in this: some organizations and initiatives have taken on the challenge and defined threat models for K8s for us.
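To make the "checklist" idea concrete, here is an added example (not code from the original post or from any of the initiatives it mentions) that turns the three questions asked earlier into automated checks over Kubernetes objects. The pods, RoleBindings and NetworkPolicies are constructed in-line as Python dicts in the same shape `kubectl get ... -o json` returns, so it runs offline; all names, namespaces and images are hypothetical.

```python
"""Threat-model questions as a checklist run over Kubernetes manifests (added example).

Each check answers one question from the threat model:
  1. Can someone access the cluster without logging in?
  2. Can a pod talk to another pod it shouldn't?
  3. Can a bad actor get to our secrets?
The objects below are constructed sample data, not from a real cluster.
"""
from typing import Any, Dict, List

Manifest = Dict[str, Any]

# --- Constructed sample inventory (hypothetical names) ---
ROLE_BINDINGS: List[Manifest] = [
    {"kind": "ClusterRoleBinding", "metadata": {"name": "anon-read"},
     "roleRef": {"name": "view"},
     "subjects": [{"kind": "Group", "name": "system:unauthenticated"}]},
    {"kind": "RoleBinding", "metadata": {"name": "dev-edit", "namespace": "shop"},
     "roleRef": {"name": "edit"},
     "subjects": [{"kind": "User", "name": "alice"}]},
]

PODS: List[Manifest] = [
    {"kind": "Pod", "metadata": {"name": "web", "namespace": "shop"},
     "spec": {"containers": [{"name": "web", "image": "web:1.0",
                              "securityContext": {"privileged": True},
                              "env": [{"name": "DB_PASS",
                                       "valueFrom": {"secretKeyRef": {"name": "db", "key": "pass"}}}]}]}},
    {"kind": "Pod", "metadata": {"name": "worker", "namespace": "batch"},
     "spec": {"containers": [{"name": "worker", "image": "worker:1.0"}],
              "volumes": [{"name": "host", "hostPath": {"path": "/"}}]}},
]

NETWORK_POLICIES: List[Manifest] = [
    {"kind": "NetworkPolicy", "metadata": {"name": "default-deny", "namespace": "shop"},
     "spec": {"podSelector": {}, "policyTypes": ["Ingress", "Egress"]}},
]

# Identities Kubernetes assigns to requests that carry no valid credentials.
UNAUTHENTICATED = {"system:anonymous", "system:unauthenticated"}


def check_anonymous_access(bindings: List[Manifest]) -> List[str]:
    """Q1: flag any binding that grants a role to an unauthenticated identity."""
    findings = []
    for b in bindings:
        for s in b.get("subjects", []):
            if s.get("name") in UNAUTHENTICATED:
                findings.append(f"{b['kind']}/{b['metadata']['name']} grants "
                                f"{b['roleRef']['name']} to {s['name']}")
    return findings


def check_pod_isolation(pods: List[Manifest], policies: List[Manifest]) -> List[str]:
    """Q2: flag namespaces that run pods but have no NetworkPolicy at all.

    Without any policy, every pod in the namespace can reach every other pod."""
    covered = {p["metadata"]["namespace"] for p in policies}
    return sorted({f"namespace {p['metadata']['namespace']} has pods but no NetworkPolicy"
                   for p in pods if p["metadata"]["namespace"] not in covered})


def check_secret_exposure(pods: List[Manifest]) -> List[str]:
    """Q3: flag settings that widen the blast radius of a compromised pod.

    Privileged containers and hostPath mounts let an attacker reach the node
    (and every secret on it); secrets as env vars are inherited by child
    processes and tend to leak into logs and crash dumps."""
    findings = []
    for p in pods:
        ref = f"{p['metadata']['namespace']}/{p['metadata']['name']}"
        for c in p["spec"].get("containers", []):
            if c.get("securityContext", {}).get("privileged"):
                findings.append(f"{ref}: container {c['name']} runs privileged")
            for e in c.get("env", []):
                if "secretKeyRef" in e.get("valueFrom", {}):
                    findings.append(f"{ref}: secret {e['valueFrom']['secretKeyRef']['name']} "
                                    f"injected as env var {e['name']}")
        for v in p["spec"].get("volumes", []):
            if "hostPath" in v:
                findings.append(f"{ref}: hostPath volume {v['hostPath']['path']} mounted")
    return findings


def run_checklist(bindings: List[Manifest], pods: List[Manifest],
                  policies: List[Manifest]) -> Dict[str, List[str]]:
    """Run every check and group the findings by threat-model question."""
    return {
        "cluster access without login": check_anonymous_access(bindings),
        "pod-to-pod reachability": check_pod_isolation(pods, policies),
        "secret exposure": check_secret_exposure(pods),
    }


if __name__ == "__main__":
    for question, findings in run_checklist(ROLE_BINDINGS, PODS, NETWORK_POLICIES).items():
        print(f"{question}: {len(findings)} finding(s)")
        for f in findings:
            print("  -", f)
```

Each question from the threat model becomes one function, so when the model grows (a new question about image provenance, say) the checklist grows with it, and the output reads as "which threat, which object, which weakness" rather than as an undifferentiated list of misconfigurations.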
Among these initiatives we can find the Threat Modelling exercise released by the CNCF Financial User Group. That's a great starting point for threat modelling our own K8s clusters.
In our next post, we'll explore that CNCF threat model for Kubernetes.