HackerTrans
TopNewTrendsCommentsPastAskShowJobs

lsandler

no profile record

comments

lsandler
·vor 5 Jahren·discuss
The problem is in intersection of nginx-ingress and kubernetes. Since ingress controller has access to secrets from all the namespaces (which is kubernetes side of the story) the nginx implementation with snippets added by users (the nginx contribution) may expose these secrets. The post also points to an open source tool that helps people to check if they are vulnerable, whether they want to get to the bottom of the issue or not.
lsandler
·vor 5 Jahren·discuss
While I understand the concern with curl | bash, this method is used in many different open source product installations. The sh file is coming from github - pretty trustful source. You can always watch it in the browser (github will not trick you into different version) but you can also curl it or just download the source from the repository (just half a page above). You can also always review and rebuild the entire tool - another beauty of the open source. But most people just want to use the tool as fast and as simple as it can be. I guess there are options for any possible taste.
lsandler
·vor 5 Jahren·discuss
while "official" hostPath feature is intended to provide the same result, it is being watched by practically all security and compliance tools, so such access can't go unnoticed. With the subPath abuse attackers can obtain complete host file system access undetected. So it is really urgent to start scanning for this vulnerability and potential exploits until your Kubernetes version is upgraded.
lsandler
·vor 5 Jahren·discuss
Any universal platform or toolkit is overengineered somewhat (or a lot), but this is the name of the game. Flexibility comes at the price forcing you to invest into configuration, automation, deployment and maintenance. Then security comes to close the gaps. Every player in this game is honestly trying to be better and help others. Kubernetes is a fact of life and rightfully so. It needs helper tools in several areas. Security is just one of them and Kubescape is just a one step of many...
lsandler
·vor 5 Jahren·discuss
Well, this is exactly why it's the open source. You can build everything yourself, check the scripts etc. At the end of the day all these tools are intended to help people find issues as early as possible.
lsandler
·vor 5 Jahren·discuss
CIS is very prescriptive. It gives you a list of very specific checks with very little context. NSA, on the other hand, explains the problems and potential attack vectors allowing you to adjust and extend the checks to your specific needs.