paint-brush
Spectre-on-Kubernetes, a proof of conceptby@mhausenblas
4,067 reads
4,067 reads

Spectre-on-Kubernetes, a proof of concept

by Michael HausenblasJanuary 5th, 2018
Read on Terminal Reader
Read this story w/o Javascript
tldt arrow

Too Long; Didn't Read

<em>TL;DR: a PoC demonstrating </em><a href="https://spectreattack.com/" target="_blank"><em>Spectre</em></a><em>, the nasty CPU bug, running on Kubernetes.</em>
featured image - Spectre-on-Kubernetes, a proof of concept
Michael Hausenblas HackerNoon profile picture

TL;DR: a PoC demonstrating Spectre, the nasty CPU bug, running on Kubernetes.

If you haven’t been living under a rock, you have heard about Meltdown and Spectre, two really nasty hardware bugs, affecting many if not all modern (desktop and server) CPUs.

So, when reading up on those two fellas I was asking myself: how do they impact a Kubernetes cluster and/or apps running on it? Given there’s an example C source code available for Spectre, what would be easier to put it into a container like so:

And then run it in Kubernetes, for example, using:



$ kubectl run spectre \--image=quay.io/mhausenblas/spectre:0.1 \--restart=Never

Turns out that works. Checking the logs with:

$ kubectl logs spectre

That’s it!

Well, 2018 certainly started, erm, very interesting. We’ll have a lot of work in front of us—I’ve seen first issues being worked on—and for now the best we can do is not to pull random images from untrusted registries and run in our clusters, but I suppose you knew this already and (hopefully) don’t do it anyway.

Some thoughts an a disclaimer: this PoC is a low-hanging fruit, it’s using a way too big image (heck, 500MB!), it doesn’t prove any general attack, just that the known exploit can be packaged as a container and run in a Kubernetes cluster. Also, I’m not speaking on behalf of my employer or in any official capacity, I was just interested in how hard is it to carry out this exercise in a containerized environment.