Container Orchestration: A Platform for Security Deliberation
Container orchestration platforms let organizations scale their applications at an exceptional rate. This is why many innovation-driven companies are moving applications to a distributed, datacenter-wide platform that lets them scale with a single click.

DC/OS (Datacenter Operating System), which runs on top of the Apache Mesos kernel, is one orchestration platform that is gaining popularity. It is a distributed operating system for datacenter operations that uses Apache Mesos as its central kernel. Once Mesos agents (slaves) have been set up on servers throughout the datacenter, Mesos jobs can be dispatched from a Mesos master to servers with available resources for processing.
A risk shared by the Mesos master and the Mesos slave (agent) concerns authentication of the Mesos services. By default, most Mesos deployments require no authentication at all, so an attacker who can reach default TCP (Transmission Control Protocol) port 5050 (the Mesos master service) or default TCP port 5051 (the Mesos slave service) can talk to them directly.
Frameworks such as the Marathon Framework are commonly installed within DC/OS environments to offer datacenter-wide services. Marathon performs container orchestration and ensures that a specified number of instances of a container keep running within the DC/OS cluster. The Chronos Framework is likewise deployed regularly to provide fault-tolerant distributed job scheduling across the cluster.

Today, many frameworks do not enforce authentication by default on either the API interface or the management web UIs (User Interfaces). An attacker who can interact with such a framework can therefore gain RCE (Remote Code Execution) on servers within the cluster.
There is one obstacle to exploiting framework services: many implementations deploy them on arbitrary servers within the cluster, on random high TCP ports, which makes it somewhat harder for an uninformed attacker to discover the services within the datacenter. This obstacle can be overcome by leveraging a few built-in services within the DC/OS environment. First, a unique TLD (top-level domain) is set up for the Mesos cluster so that services can locate frameworks within the cluster. In addition, if the Mesos master service is queried, a complete list of Mesos slaves is returned, which can narrow the attack space. Second, a Mesos DNS service is commonly set up, which lets a remote attacker perform an enumerate API (Application Programming Interface) call. This is the equivalent of performing a DNS (Domain Name System) zone transfer: it hands the attacker a detailed map of all services and their arbitrary high ports.
Defenders can take the following steps to close off the exploitation paths above:
- Enabling authentication on all Mesos masters and agents
- Enabling authentication on all API services and framework web UIs
- Disabling the enumerate API call for the Mesos DNS service
- Logging authentication requests along with job executions so that suspicious events can be recognized
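As an added example (not from this article or from the DC/OS project), a small Python audit that checks a Mesos master's reported flags and a Mesos-DNS config for the weak defaults above, with a constructed weak and hardened sample of each. It assumes the JSON shape of the master's /flags endpoint and the Mesos-DNS EnumerationOn key; verify both against the versions you run.

```python
import json

# Mesos master flags that gate authentication, and what stays exposed when each
# is off. Names are the documented Mesos 1.x master flags; check them against
# the Mesos version you run.
REQUIRED_MASTER_FLAGS = {
    "authenticate_frameworks": "frameworks can register without credentials",
    "authenticate_agents": "agents can register without credentials",
    "authenticate_http_readonly": "read-only HTTP endpoints such as /state are open",
    "authenticate_http_readwrite": "read-write HTTP endpoints are open",
}


def audit_master_flags(flags_json):
    """One finding per authentication flag that is missing or disabled.

    flags_json is the body the master's /flags endpoint returns, i.e.
    {"flags": {...}} with values reported as strings ("true"/"false").
    """
    flags = json.loads(flags_json).get("flags", {})
    findings = []
    for name, consequence in REQUIRED_MASTER_FLAGS.items():
        value = str(flags.get(name, "false")).lower()
        if value != "true":
            findings.append("master --%s is %s: %s" % (name, value, consequence))
    return findings


def audit_mesos_dns(config_json):
    """Flag a Mesos-DNS config.json that still serves /v1/enumerate.

    EnumerationOn is the Mesos-DNS key for that endpoint and defaults to true
    (assumption: verify against your mesos-dns release).
    """
    if json.loads(config_json).get("EnumerationOn", True):
        return ["mesos-dns EnumerationOn is true: /v1/enumerate maps every service and port"]
    return []


# Constructed samples: default-style master and DNS configs, then hardened ones.
WEAK_MASTER = json.dumps({"flags": {"port": "5050", "authenticate_frameworks": "false"}})
HARDENED_MASTER = json.dumps({"flags": {
    "port": "5050", "authenticate_frameworks": "true", "authenticate_agents": "true",
    "authenticate_http_readonly": "true", "authenticate_http_readwrite": "true"}})
WEAK_DNS = json.dumps({"EnumerationOn": True})
HARDENED_DNS = json.dumps({"EnumerationOn": False})

if __name__ == "__main__":
    for cfg, check in [(WEAK_MASTER, audit_master_flags), (HARDENED_MASTER, audit_master_flags),
                       (WEAK_DNS, audit_mesos_dns), (HARDENED_DNS, audit_mesos_dns)]:
        print(check(cfg) or ["OK"])
```

In a live cluster the same checks can be fed from the master's /flags response and the mesos-dns config file; any finding maps directly onto the first and third recommendations above.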
As orchestration platforms grow in popularity, attackers will keep spending more resources building tools and techniques to exploit these services and frameworks. Companies using these technologies would be wise to spend the additional cycles up front to set up sensible security controls before using these platforms to host production applications.