Bibliographic Details
Main Authors: Knob, Luis Augusto Dias, Franzil, Matteo, Siracusa, Domenico
Format: Preprint
Published: 2024
Subjects: Cryptography and Security
Online Access: https://arxiv.org/abs/2401.10582
contents Kubernetes (K8s) has grown in popularity over the past few years to become the de-facto standard for container orchestration in cloud-native environments. While research on topics such as containerization and access-control security is not new, the Application Programming Interface (API) interactions between K8s and its runtime interfaces have not been studied thoroughly. In particular, the CRI-API is responsible for abstracting the container runtime, managing the creation and lifecycle of containers along with the downloads of the respective images. However, this decoupling of concerns and the abstraction of the container runtime leave K8s unaware of the status of the container-image download process, obstructing the monitoring of the resources allocated to that process. In this paper, we discuss how this lack of status information can be exploited to mount a Denial of Service attack in a K8s cluster. We show how such attacks can impact worker nodes, generating up to 95% average CPU usage, preventing downloads of new container images, and increasing I/O and network usage for a potentially unlimited amount of time. We argue that solving this problem would require a radical architectural change in the relationship between K8s and the CRI-API, which would be unfeasible in the short term. Thus, as a stopgap solution, we propose MAGI: an eBPF-based, proof-of-concept mitigation that detects and terminates potential attacks.
id arxiv_https___arxiv_org_abs_2401_10582
institution arXiv
record_format arxiv
title Exploiting Kubernetes' Image Pull Implementation to Deny Node Availability
topic Cryptography and Security