OWASP Top 10 for Kubernetes

THREATS, TACTICS AND PROCEDURES TTP
OWASP® Top 10
Kubernetes Pen Test
K01:2022 Insecure Workload Configurations
The security context of a workload in Kubernetes is highly configurable, which can lead to serious security misconfigurations propagating across an organization’s workloads and clusters.
K02:2022 Supply Chain Vulnerabilities
Supply chain risk covers image integrity, image composition, and known software vulnerabilities.
K03:2022 Overly Permissive RBAC Configurations
RBAC is an extremely powerful security enforcement mechanism in Kubernetes when appropriately configured. Still, it can quickly become a massive risk to the cluster and increase the blast radius in case of a compromise.
K04:2022 Lack of Centralized Policy Enforcement
Disallowing Images from Untrusted Registries: To prevent rogue images from running in certain clusters, it is recommended to distribute a blocking admission control policy that explicitly allows image registries.
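The registry allowlist that such a blocking admission policy enforces, written out as an added example (not code from OWASP or any admission controller); the allowed hosts, the Pod manifest and the container names are constructed placeholders:

```python
from typing import Iterable

# Constructed allowlist (not from the page): registry hosts or host/namespace prefixes.
ALLOWED_REGISTRIES = ("registry.example.internal", "ghcr.io/example-org")

def normalize(image: str) -> str:
    """Expand Docker shorthand so every reference begins with an explicit registry:
    'nginx' -> 'docker.io/library/nginx', 'org/app' -> 'docker.io/org/app'."""
    first, sep, _ = image.partition("/")
    # Docker treats the first component as a registry host only if it contains
    # '.' or ':' or is 'localhost'; otherwise the reference lives on docker.io.
    if sep and ("." in first or ":" in first or first == "localhost"):
        return image
    return f"docker.io/{image if sep else 'library/' + image}"

def is_allowed(image: str, allowed: Iterable[str] = ALLOWED_REGISTRIES) -> bool:
    """True if the normalized reference sits under an allowed prefix. Requiring
    a '/' right after the prefix rejects look-alikes such as
    'registry.example.internal.evil.com' and 'ghcr.io/example-org-evil'."""
    ref = normalize(image)
    return any(ref.startswith(prefix + "/") for prefix in allowed)

def review_pod(pod: dict, allowed: Iterable[str] = ALLOWED_REGISTRIES) -> list:
    """Return every image in a Pod spec the policy would deny. Init, regular and
    ephemeral containers are all checked; each can run code in the pod."""
    spec = pod.get("spec", {})
    return [
        c.get("image", "")
        for field in ("initContainers", "containers", "ephemeralContainers")
        for c in spec.get(field, [])
        if not is_allowed(c.get("image", ""), allowed)
    ]

# Constructed sample Pod, not taken from the page.
SAMPLE_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "demo"},
    "spec": {
        "initContainers": [{"name": "init", "image": "busybox"}],
        "containers": [
            {"name": "app", "image": "registry.example.internal/app:1.4.2"},
            {"name": "sidecar", "image": "ghcr.io/example-org-evil/proxy:latest"},
        ],
    },
}

if __name__ == "__main__":
    print("denied:", review_pod(SAMPLE_POD))
```

A real policy engine would return a deny verdict with this list as the reason; the point of the normalization step is that an allowlist which matches raw strings lets unqualified names such as `busybox` slip through.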
K05:2022 Inadequate Logging and Monitoring
When logs are not captured, stored, or actively monitored, attackers have the ability to exploit vulnerabilities while going largely undetected. The lack of logging and monitoring also presents challenges during incident investigation and response efforts.
K06:2022 Broken Authentication Mechanisms
Avoid using certificates for end-user authentication.
Never roll your own authentication.
Enforce MFA when possible.
Don’t use Service Account tokens from outside of the cluster.
Authenticate users and external services using short-lived tokens.

K07:2022 Missing Network Segmentation Controls
Kubernetes networking is flat by default, meaning that when no additional controls are in place, any workload can communicate with any other without constraint. Attackers who exploit a running workload can leverage this default behavior to probe the internal network, traverse to other running containers, or invoke private APIs.
K08:2022 Secrets Management Failures
Kubernetes secrets are a standalone API object in Kubernetes used to store small objects. They are created like any other Kubernetes object.
K09:2022 Misconfigured Cluster Components
Misconfigurations in core Kubernetes components can lead to complete cluster compromise. A Kubernetes cluster is composed of many different components, ranging from key-value storage within etcd to the kube-apiserver, the kubelet, and more.
K10:2022 Outdated and Vulnerable Kubernetes Components
A Kubernetes cluster is a highly complex software ecosystem that can present challenges to traditional patch and vulnerability management.