Information Disclosure
Information disclosure is when sensitive data is leaked. There are lots of ways it can happen, from leaving an insecure USB drive on a plane, all the way to data stores being hacked and APIs that unintentionally expose sensitive data.
Protecting Cluster Data
In the Kubernetes world, the entire configuration of the cluster is stored in the cluster store (currently etcd
). This includes network and storage configuration, as well as passwords and other sensitive data stored in Secrets. For obvious reasons, this makes the cluster store a prime target for information disclosure attacks.
As a minimum, you should limit and audit access to the nodes hosting the cluster store. As will be seen in the next paragraph, gaining access to a cluster node can allow the logged-on user to bypass some of the security layers.
Kubernetes 1.7 introduced encryption of Secrets but doesn't enable it by default. Even when this becomes default, the Data Encryption Key (DEK...