K
Q

How to avoid role escalation when using kube2iam

2/16/2017

When attempting to setup a kube cluster on AWS we wanted to be able to associate IAM Roles with certain containers and therefore looked into using one of the many tools that will allow you to do this such as kube2iam. All the tools seem to work the same way by proxying the assume role based on an annotation in the deployment. Doesn't this allow for role escalation by allowing a container to assume a role from any other container by just changing the annotation?

From the kube2iam README:

The problem is that in a multi-tenanted containers based world, multiple containers will be sharing the underlying nodes. Given containers will share the same underlying nodes, providing access to AWS resources via IAM roles would mean that one needs to create an IAM role which is a union of all IAM roles. This is not acceptable from a security perspective.

From my understanding the issue that is being described still exists if a malicious pod is introduced. How are people currently solving this issue/is this something i should be worried about?

-- amaffei
amazon-iam
amazon-web-services
kubernetes

Similar Questions

How to set up alert on a custom metric in Stackdriver Monitoring?
K8s pods affinity & anti-affinity, soft (preferredDuringScheduling) not respected in 1.4?
rkt discovery failed error while bringing flannel up (Kubernetes setup)
Kubernetes deployment name from within a pod?

1 Answer

6/9/2017

You can restrict the consumed roles by namespaces.

apiVersion: v1
kind: Namespace
metadata:
  annotations:
    iam.amazonaws.com/allowed-roles: |
      ["role-arn"]
  name: default

With k8s RBAC enabled your deployment shouldn't have the permissions to update the namespace annotations.

-- testtesttest
Source: StackOverflow