Exploiting Kubernetes' Image Pull Implementation to Deny Node Availability
Luis Augusto Dias Knob, Matteo Franzil, Domenico Siracusa

TL;DR
This paper reveals a security vulnerability in Kubernetes' image pull process that can be exploited to cause denial of service, and proposes an eBPF-based mitigation to detect and stop such attacks.
Contribution
The paper identifies a novel security flaw in Kubernetes' CRI-API handling of image downloads and introduces MAGI, an eBPF-based tool to mitigate this vulnerability.
Findings
Attack can cause up to 95% CPU usage on nodes
Attack prevents new container image downloads
MAGI effectively detects and terminates attack processes
Abstract
Kubernetes (K8s) has grown in popularity over the past few years to become the de facto standard for container orchestration in cloud-native environments. While research is not new to topics such as containerization and access control security, the Application Programming Interface (API) interactions between K8s and its runtime interfaces have not been studied thoroughly. In particular, the CRI-API is responsible for abstracting the container runtime, managing the creation and lifecycle of containers along with the downloads of the respective images. However, this decoupling of concerns and the abstraction of the container runtime leave K8s unaware of the status of the download process for container images, obstructing the monitoring of the resources allocated to that process. In this paper, we discuss how this lack of status information can be exploited as a Denial of Service…
Taxonomy
Topics: Security and Verification in Computing · Advanced Data Storage Technologies · Cloud Data Security Solutions
