Restrict over-permissive containers
Info
ID: MS-M9013
MITRE mitigation: M1038
Use an admission controller to prevent deploying containers with over-permissive capabilities or configuration in the cluster. This includes rejecting privileged containers, containers that mount sensitive volumes, containers that add excessive Linux capabilities, and other signs of an over-permissive container (for example host network, PID or IPC namespaces).
In AKS clusters configured to use a service principal, the service principal credentials are stored in the file /etc/kubernetes/azure.json on the cluster nodes. A container with access to a volume containing this file (a hostPath mount of the file, of /etc/kubernetes, or of any parent directory) is considered a container with a sensitive mount, even if the mount is read-only, since reading the file is enough to obtain the credentials.
Techniques Addressed by Mitigation
ID | Name | Use |
---|---|---|
MS-TA9008 | New container | Restrict over-permissive containers in the cluster using an admission controller. |
MS-TA9011 | Sidecar injection | Restrict over-permissive containers in the cluster using an admission controller. |
MS-TA9012 | Backdoor container | Restrict over-permissive containers in the cluster using an admission controller. |
MS-TA9013 | Writable hostPath mount | Block sensitive volume mounts using an admission controller. |
MS-TA9014 | Kubernetes CronJob | Check the CronJob's pod template (under jobTemplate) for sensitive mounts and excessive permissions, as for any other pod. |
MS-TA9018 | Privileged container | Block privileged containers using an admission controller. |
MS-TA9020 | Access cloud resources | Block mounting volumes that expose cloud credentials (on AKS nodes using a service principal, /etc/kubernetes/azure.json). |
MS-TA9026 | Mount service principal | Block sensitive volume mounts using an admission controller. |
MS-TA9036 | ARP poisoning and IP spoofing | Drop the NET_RAW capability from containers; it allows sending the crafted packets used for ARP poisoning and IP spoofing. |
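The admission decision described above, as an added example that is not code from the Kubernetes Threat Matrix or from any particular admission controller. It implements the checks a validating webhook (or an equivalent Kyverno or Gatekeeper policy) would run before admitting a Pod, a workload controller or a CronJob: privileged containers, hostPath volumes that reach a sensitive host file, blocked added capabilities, containers that keep the runtime-default NET_RAW, and host namespaces. The AKS service principal file /etc/kubernetes/azure.json comes from the text; the remaining entries in SENSITIVE_HOST_PATHS, the BLOCKED_CAPABILITIES set, the function names and the two sample AdmissionReview objects are this example's own assumptions. The CronJob sample is unwrapped through jobTemplate, which is the point of the MS-TA9014 row.

```python
from __future__ import annotations

import json
import posixpath
from typing import Any

# Host paths treated as sensitive. /etc/kubernetes/azure.json is the AKS service
# principal file from the text; the others are this example's assumptions
# (kubelet and container-runtime access points).
SENSITIVE_HOST_PATHS = ("/etc/kubernetes/azure.json", "/var/lib/kubelet",
                        "/var/run/docker.sock", "/run/containerd", "/etc/shadow")

# Capabilities a container may not add under this (assumed) policy. NET_RAW is
# what lets a container craft the packets used for ARP poisoning and IP spoofing.
BLOCKED_CAPABILITIES = frozenset({"SYS_ADMIN", "SYS_PTRACE", "SYS_MODULE", "NET_ADMIN", "NET_RAW"})


def pod_spec_of(obj: dict[str, Any]) -> dict[str, Any] | None:
    """Return the pod spec embedded in a Pod, workload controller or CronJob."""
    kind = obj.get("kind")
    if kind == "Pod":
        return obj.get("spec", {})
    if kind == "CronJob":  # the pod template sits under jobTemplate -> template
        return obj["spec"]["jobTemplate"]["spec"]["template"]["spec"]
    if kind in ("Deployment", "ReplicaSet", "DaemonSet", "StatefulSet", "Job"):
        return obj["spec"]["template"]["spec"]
    return None


def is_sensitive_host_path(path: str) -> bool:
    """True if a hostPath is, lies under, or contains a sensitive host path."""
    norm = posixpath.normpath(path)  # "/etc/kubernetes/" -> "/etc/kubernetes"
    if norm == "/":
        return True
    return any(norm == p or norm.startswith(p + "/") or p.startswith(norm + "/")
               for p in SENSITIVE_HOST_PATHS)


def find_violations(obj: dict[str, Any]) -> list[str]:
    """List every policy violation in the admitted object; empty means allow."""
    spec = pod_spec_of(obj)
    if spec is None:
        return []  # kinds without a pod template are outside this policy
    violations: list[str] = []
    for flag in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(flag):
            violations.append(f"pod sets {flag}: true")
    # readOnly mounts are blocked too: reading azure.json is enough to steal
    # the service principal credentials.
    for vol in spec.get("volumes") or []:
        host_path = (vol.get("hostPath") or {}).get("path")
        if host_path and is_sensitive_host_path(host_path):
            violations.append(f"volume {vol['name']!r} mounts sensitive host path {host_path}")
    for c in (spec.get("initContainers") or []) + (spec.get("containers") or []):
        name, sc = c.get("name", "?"), c.get("securityContext") or {}
        if sc.get("privileged"):
            violations.append(f"container {name!r} is privileged")
        caps = sc.get("capabilities") or {}
        added, dropped = set(caps.get("add") or []), set(caps.get("drop") or [])
        for cap in sorted(added & BLOCKED_CAPABILITIES):
            violations.append(f"container {name!r} adds capability {cap}")
        # Docker and containerd 1.x grant NET_RAW by default, so a container that
        # neither adds nor drops it (or ALL) still has it.
        if "NET_RAW" not in added and not (dropped & {"NET_RAW", "ALL"}):
            violations.append(f"container {name!r} keeps the default NET_RAW capability")
    return violations


def review(admission_review: dict[str, Any]) -> dict[str, Any]:
    """Build the AdmissionReview response a validating webhook returns."""
    request = admission_review["request"]
    violations = find_violations(request.get("object") or {})
    response: dict[str, Any] = {"uid": request["uid"], "allowed": not violations}
    if violations:
        response["status"] = {"code": 403, "message": "; ".join(violations)}
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview", "response": response}


def _admission_review(obj: dict[str, Any], uid: str) -> dict[str, Any]:
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
            "request": {"uid": uid, "object": obj}}


# Constructed sample: a CronJob of the kind a backdoor-container attacker would create.
BACKDOOR_CRONJOB = _admission_review({
    "apiVersion": "batch/v1", "kind": "CronJob", "metadata": {"name": "sync"},
    "spec": {"schedule": "*/5 * * * *", "jobTemplate": {"spec": {"template": {"spec": {
        "volumes": [{"name": "host-k8s", "hostPath": {"path": "/etc/kubernetes/"}}],
        "containers": [{"name": "sync", "image": "busybox",
                        "volumeMounts": [{"name": "host-k8s", "mountPath": "/host", "readOnly": True}],
                        "securityContext": {"privileged": True, "capabilities": {"add": ["NET_RAW"]}}}],
    }}}}}}, uid="00000000-0000-4000-8000-000000000001")

# Constructed sample: a pod that satisfies the policy.
HARDENED_POD = _admission_review({
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "web"},
    "spec": {"volumes": [{"name": "tmp", "emptyDir": {}}],
             "containers": [{"name": "web", "image": "nginx", "securityContext": {
                 "allowPrivilegeEscalation": False, "capabilities": {"drop": ["ALL"]}}}]},
}, uid="00000000-0000-4000-8000-000000000002")

if __name__ == "__main__":
    for rev in (BACKDOOR_CRONJOB, HARDENED_POD):
        print(json.dumps(review(rev)["response"], indent=2))
```

To enforce this, serve `review()` behind an HTTPS endpoint registered in a ValidatingWebhookConfiguration for pods, deployments, replicasets, daemonsets, statefulsets, jobs and cronjobs with `failurePolicy: Fail`; with `failurePolicy: Ignore`, an outage of the webhook admits everything. Pod Security Admission's baseline profile already rejects privileged containers and all hostPath volumes, and the restricted profile requires dropping ALL capabilities, so a custom policy like this one is only needed where those profiles cannot be applied cluster-wide and a narrower rule set (a sensitive-path list, an explicit NET_RAW drop) has to be enforced instead.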