Dynatrace Inc.

04/22/2025 | Press release | Distributed by Public on 04/22/2025 16:35

Kubernetes security essentials: Understanding Kubernetes security misconfigurations

The flexibility and configurability of Kubernetes is also what makes it susceptible to security misconfigurations that can lead to devastating exploits. Discover how security misconfigurations affect the different components of your Kubernetes infrastructure and how you can mitigate against them.

Picture this: A notification appears on a monitoring dashboard indicating the production Kubernetes cluster has been compromised. An attacker has gained access through security misconfigurations in an API server, escalated privileges, and deployed cryptocurrency mining pods that consume massive resources. The DevOps team spends the day containing the damage and now faces tough questions from leadership about how this happened.

Unfortunately, this scenario is all too common. According to Red Hat's State of Kubernetes Security Report 2024, a staggering 89% of organizations experienced at least one security incident related to Kubernetes, with 40% of respondents detecting security issues specifically in their container or Kubernetes configurations.

The hidden dangers in your Kubernetes clusters

Kubernetes has revolutionized how we deploy, scale and manage containerized applications. Its remarkable flexibility and scalability have made it the de facto standard for container orchestration. However, this power comes with a price: complexity that can lead to security blind spots.

When we talk about security misconfigurations in Kubernetes, we're referring to settings that are either incorrectly configured or left at their insecure defaults. These seemingly minor oversights can create significant security gaps, making your cluster an easy target for potential attacks.

Think of Kubernetes security misconfigurations as unlocked doors in your otherwise well-secured building. You might have state-of-the-art surveillance systems and guards at the main entrance, but if a side door is left unlocked, all the security becomes meaningless.

Anatomy of a security misconfiguration: The components of a vulnerable cluster

To truly understand how security misconfigurations manifest, we need to examine the key components of Kubernetes and see how each one can be a potential point of vulnerability. Like pieces of a puzzle, these components must fit together securely to create a properly protected cluster.

Kubernetes architecture and how security misconfigurations can affect each component.

The control plane: How security misconfigurations affect the cluster's command center

At the heart of every Kubernetes cluster lies the control plane, which includes several critical components. Here's what they are and what's at stake if a misconfiguration exposes a vulnerability.

API server

  • The API server is the gateway to your Kubernetes kingdom. Security misconfigurations can leave your entire cluster exposed.
  • Common security misconfiguration. Overly permissive role-based access control (RBAC) that gives users and service accounts more privileges than they need.
  • Real-world impact. In many security incidents, overly permissive RBAC configurations have allowed attackers who gained initial access to easily escalate privileges and gain control over multiple cluster resources.
  • Security principle. Least privilege isn't just best practice; it's your first line of defense. Every permission granted should be scrutinized and justified.

etcd database

The etcd Database is the brain of your cluster, storing all configuration data that the API server uses to verify and maintain the cluster state.

  • Common security misconfiguration. Insecure storage of secrets such as API keys and passwords, as well as workload configurations.
  • Real-world impact. Exposed secrets can be harvested by attackers, giving them access to databases, cloud resources, and more. Once an attacker accessed your etcd, they effectively have keys to your kingdom.
  • Security principle. Treat secrets with the highest level of protection. What seems like an innocuous config file could contain the access credentials to your most sensitive systems.

Scheduler and controller manager

These components are the conductors of your Kubernetes cluster, ensuring that your applications run smoothly and efficiently. The scheduler assigns pods to nodes whereas the controller maintains the desired state of the cluster.

  • Common misconfiguration. While recent Kubernetes versions encrypt control plane communications by default using TLS, many organizations run older versions or custom configurations where encryption might be missing. Additionally, administrators sometime override secure defaults with custom flags during component initialization.
  • Real-world impact. When communications aren't properly encrypted, attackers who gain network access can intercept traffic between components. This could expose pod placement decisions, resource allocation information, service account tokens, and deployment strategies. Beyond passive eavesdropping, attackers could potentially alter requests in transit, manipulating scheduling decisions to force pods onto compromised nodes.
  • Security principle. Even with improved defaults in recent versions, verify that all control plane communications use proper TLS encryption with strong cypher suites, and implement regular certificate rotation to maintain robust security.

The worker nodes: Security misconfigurations where your applications live

While securing the control plane is crucial, worker nodes are often the entry point for attacks.

Kubelet

This agent runs on each node and ensures containers are running in a pod.

  • Common misconfiguration. Running the kubelet with excessive permissions or with authentication disabled.
  • Real-world impact. An exposed kubelet can allow attackers to execute arbitrary commands on nodes, modifying configuration, potentially compromising your entire infrastructure.
  • Security principle. Always authenticate and authorize kubelet access. An unprotected kubelet is like giving attackers direct access to your servers.

Container runtime

The container runtime is the software responsible for running your containers (like Docker or contained).

  • Common misconfiguration. Running containers as root and without proper resource constraints.
  • Real-world impact. Privileged containers that escape their confines can gain access to the host system, compromise other containers, or cause denial-of-service by consuming excessive resources.
  • Security principle. Containers should run with the least privilege necessary. Root access should be the exception, not the default.

In post-incident analyses, teams often discover multiple containers running as root without any need for those privileges-a common oversight that creates significant risk.

Network layers

Network layers are the fabric connecting all components of your Kubernetes cluster.

  • Common misconfiguration. Not implementing network policies, allowing unrestricted communication between pods and services
  • Real-world impact. Without proper network boundaries, attackers can move laterally within the cluster once they've gained initial access, potentially reaching sensitive workloads form a compromised low-security application
  • Security principle. Treat each namespace and pod as its own security domain. Just because containers are in the same cluster doesn't mean they should all talk to each other.

It is quite common for teams to often discover network policies that are overly permissive or completely absent-another example of a common oversight that can lead to exploitation.

Up next: From vulnerabilities to attack vectors

In the second part of this series, we'll map Kubernetes security misconfigurations to specific attack techniques using the MITRE ATT&CK framework. We'll explore real-world Kubernetes security incidents, including the recent IngressNightmare vulnerability, demonstrate typical attack paths that malicious actors follow, and outline comprehensive security approaches to protect your clusters from these threats.

To learn more about the attack paths threat actors use to exploit these security misconfigurations, see part 2 of this Kubernetes security essentials series, Kubernetes misconfiguration attack paths and mitigation strategies.

Learn more about how Dynatrace can help you automate Kubernetes security with the Kubernetes security and compliance automation guide.