K01:2022 Insecure Workload Configurations
The security context of a workload in Kubernetes is highly configurable, which can lead to serious security misconfigurations (such as privileged containers, processes running as root, or shared host namespaces) propagating across an organization's workloads and clusters.
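As an added example (not from the OWASP page), the manifest below shows a Pod whose security context grants far more than a typical application needs, followed by a hardened equivalent and a namespace that enforces the built-in `restricted` Pod Security Standard so that the insecure variant is rejected at admission time. The names `insecure-app`, `hardened-app`, `payments` and the image reference are placeholders.

```yaml
# Added example, not OWASP or upstream Kubernetes code. Pod, namespace and image names are placeholders.
# --- Insecure: host namespaces, privileged container, running as root ---
apiVersion: v1
kind: Pod
metadata:
  name: insecure-app
  namespace: payments
spec:
  hostPID: true                  # sees every process on the node
  hostNetwork: true              # shares the node's network stack, bypasses NetworkPolicy
  containers:
    - name: app
      image: registry.example.com/app:1.0   # placeholder image
      securityContext:
        privileged: true         # effectively disables container isolation
        runAsUser: 0
---
# --- Hardened: non-root, no privilege escalation, all capabilities dropped ---
apiVersion: v1
kind: Pod
metadata:
  name: hardened-app
  namespace: payments
spec:
  securityContext:               # pod-level defaults for every container
    runAsNonRoot: true
    runAsUser: 10001
    runAsGroup: 10001
    fsGroup: 10001
    seccompProfile:
      type: RuntimeDefault
  containers:
    - name: app
      image: registry.example.com/app:1.0   # placeholder image
      securityContext:
        allowPrivilegeEscalation: false
        privileged: false
        readOnlyRootFilesystem: true
        capabilities:
          drop: ["ALL"]
      volumeMounts:
        - name: tmp              # writable scratch space, since the root fs is read-only
          mountPath: /tmp
  volumes:
    - name: tmp
      emptyDir: {}
---
# --- Enforcement: Pod Security Admission rejects pods that violate "restricted" ---
apiVersion: v1
kind: Namespace
metadata:
  name: payments
  labels:
    pod-security.kubernetes.io/enforce: restricted
    pod-security.kubernetes.io/warn: restricted
```

With the namespace labelled this way, `kubectl apply` of `insecure-app` is refused by the API server, while `hardened-app` is admitted. Rolling the label out as `warn` or `audit` first on existing namespaces shows which workloads would break before switching to `enforce`.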
K03:2022 Overly Permissive RBAC Configurations
RBAC is an extremely powerful security enforcement mechanism in Kubernetes when appropriately configured. Misconfigured, however, it quickly becomes a serious risk to the cluster and increases the blast radius of a compromise.
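The following is an added example, not part of the OWASP page: an overly permissive binding that hands `cluster-admin` to every authenticated identity (so the service-account token mounted into any compromised pod is cluster-admin), beside a least-privilege alternative that scopes a dedicated service account to a single ConfigMap in one namespace. The namespace `payments`, the service account `payments-app` and the ConfigMap name `app-settings` are assumed.

```yaml
# Added example, not OWASP or upstream Kubernetes code. Namespace, service account and ConfigMap names are placeholders.
# --- Overly permissive: cluster-admin for every authenticated principal ---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: everyone-admin
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin            # built-in role: all verbs on all resources
subjects:
  - apiGroup: rbac.authorization.k8s.io
    kind: Group
    name: system:authenticated   # includes every service account in the cluster
---
# --- Least privilege: namespaced Role limited to one verb on one named object ---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: payments-app
  namespace: payments
automountServiceAccountToken: false   # only mount a token where the app actually calls the API
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: configmap-reader
  namespace: payments
rules:
  - apiGroups: [""]
    resources: ["configmaps"]
    resourceNames: ["app-settings"]
    verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: app-reads-settings
  namespace: payments
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: configmap-reader
subjects:
  - kind: ServiceAccount
    name: payments-app
    namespace: payments
```

To confirm the effective permissions of the service account, impersonate it: `kubectl auth can-i --list --as=system:serviceaccount:payments:payments-app -n payments`. Bindings to `system:authenticated`, `system:unauthenticated` or `system:serviceaccounts` that reference `cluster-admin` or wildcard verbs are the first thing to look for when auditing an existing cluster.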
K05:2022 Inadequate Logging and Monitoring
When logs are not captured, stored, or actively monitored, attackers have the ability to exploit vulnerabilities while going largely undetected. The lack of logging and monitoring also presents challenges during incident investigation and response efforts.
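As an added example that is not part of the OWASP page, the audit policy below is the kind of baseline a practitioner would give the kube-apiserver so that the requests most useful in an investigation (RBAC changes, `exec` into pods, access to Secrets) are recorded while bodies of sensitive objects are never written to the log. The file path in the flags is assumed.

```yaml
# Added example, not OWASP or upstream Kubernetes code. Rules are evaluated top to bottom; the first match wins.
apiVersion: audit.k8s.io/v1
kind: Policy
omitStages:
  - "RequestReceived"          # skip the duplicate event emitted before processing
rules:
  # Secrets, ConfigMaps and token requests: record who touched what, but never the payload
  - level: Metadata
    resources:
      - group: ""
        resources: ["secrets", "configmaps", "serviceaccounts/token"]
  # Privilege changes: keep the full request and response for forensics
  - level: RequestResponse
    resources:
      - group: "rbac.authorization.k8s.io"
        resources: ["roles", "rolebindings", "clusterroles", "clusterrolebindings"]
  # Interactive access to containers is a classic attacker action
  - level: RequestResponse
    resources:
      - group: ""
        resources: ["pods/exec", "pods/attach", "pods/portforward"]
  # Health probes are noise
  - level: None
    nonResourceURLs: ["/healthz*", "/livez*", "/readyz*", "/version"]
  # Everything else: at least metadata, so nothing is silently dropped
  - level: Metadata
```

The policy only takes effect when the API server is started with it, for example `--audit-policy-file=/etc/kubernetes/audit-policy.yaml --audit-log-path=/var/log/kubernetes/audit/audit.log --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100` (paths assumed). Shipping the resulting JSON lines off the control-plane node to a SIEM matters as much as producing them: an attacker with node access can otherwise delete the evidence.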
K07:2022 Missing Network Segmentation Controls
Kubernetes networking is flat by default: when no additional controls are in place, any workload can communicate with any other without constraint. Attackers who exploit a running workload can leverage this default behavior to probe the internal network, traverse to other running containers, or invoke private APIs.
K09:2022 Misconfigured Cluster Components
Misconfigurations in core Kubernetes components can lead to complete cluster compromise. A Kubernetes cluster is composed of many different components, including the etcd key-value store, the kube-apiserver, the kubelet, and more, and each exposes settings that must be locked down.
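As an added example (not from the OWASP page), the kubelet configuration below turns off the settings that most often leave a node exposed: anonymous access to the kubelet API, the unauthenticated read-only port, and an authorization mode that never consults the API server. The certificate paths are assumed; the comment block lists the corresponding kube-apiserver and etcd flags a reviewer would check alongside it.

```yaml
# Added example, not OWASP or upstream Kubernetes code. Certificate paths are placeholders.
apiVersion: kubelet.config.k8s.io/v1beta1
kind: KubeletConfiguration
authentication:
  anonymous:
    enabled: false             # default is true on some older distributions; unauthenticated callers get 401
  webhook:
    enabled: true              # validate bearer tokens against the API server (TokenReview)
  x509:
    clientCAFile: /etc/kubernetes/pki/ca.crt
authorization:
  mode: Webhook                # delegate to SubjectAccessReview instead of AlwaysAllow
readOnlyPort: 0                # 10255 serves pod specs and metrics without any auth when non-zero
rotateCertificates: true       # automatically renew the kubelet client certificate
serverTLSBootstrap: true       # request a CA-signed serving certificate instead of a self-signed one
protectKernelDefaults: true    # fail rather than silently change sysctls the kubelet depends on
# Related control-plane flags worth verifying on the same cluster:
#   kube-apiserver: --anonymous-auth=false --authorization-mode=Node,RBAC
#                   --enable-admission-plugins=NodeRestriction --kubelet-certificate-authority=<ca.crt>
#   etcd:           --client-cert-auth=true --peer-client-cert-auth=true --auto-tls=false --peer-auto-tls=false
```

A quick check from any host that can reach a node: `curl -sk https://<node-ip>:10250/pods` should answer `401 Unauthorized` and `curl -s http://<node-ip>:10255/pods` should be refused outright. If either returns a pod list, the kubelet is serving the node's workloads, and their environment variables and mounted secrets, to anyone on the network.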