TL;DR: a PoC demonstrating Spectre, the nasty CPU bug, running on Kubernetes.

If you haven’t been living under a rock, you have heard about Meltdown and Spectre, two really nasty hardware bugs, affecting many if not all modern (desktop and server) CPUs.

So, when reading up on those two fellas I was asking myself: how do they impact a Kubernetes cluster and/or apps running on it? Given there’s an example C source code available for Spectre, what would be easier than to put it into a container like so:

And then run it in Kubernetes, for example, using:

    $ kubectl run spectre --image=quay.io/mhausenblas/spectre:0.1 --restart=Never

Turns out that works. Checking the logs with:

    $ kubectl logs spectre

That’s it!

Well, 2018 certainly started, erm, very interesting. We’ll have a lot of work in front of us—I’ve seen first issues being worked on—and for now the best we can do is not to pull random images from untrusted registries and run them in our clusters, but I suppose you knew this already and (hopefully) don’t do it anyway.

Some thoughts and a disclaimer: this PoC is a low-hanging fruit, it’s using a way too big image (heck, 500MB!), it doesn’t prove any general attack, just that the known exploit can be packaged as a container and run in a Kubernetes cluster. Also, I’m not speaking on behalf of my employer or in any official capacity, I was just interested in how hard it is to carry out this exercise in a containerized environment.
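The advice above about not running images from untrusted registries can be checked against what a cluster is actually running. The following is an added example, not part of the original post: it lists every container whose image comes from a registry outside an allowlist. The allowlist entry `registry.example.internal`, the function names and the sample pod list are assumptions constructed for illustration; only the `spectre` pod and its image come from the post.

```python
import json

# Assumption: the only registry this cluster is meant to pull from (hypothetical).
TRUSTED_REGISTRIES = {"registry.example.internal"}

def registry_of(image):
    """Return the registry host of an image reference."""
    first, slash, _ = image.partition("/")
    # The first component names a registry only if it looks like a host
    # (has a dot or a port, or is "localhost"); otherwise Docker Hub is implied.
    if slash and ("." in first or ":" in first or first == "localhost"):
        return first
    return "docker.io"

def untrusted_images(pod_list, trusted=TRUSTED_REGISTRIES):
    """List (namespace, pod, container, image) for images outside the allowlist."""
    findings = []
    for pod in pod_list.get("items", []):
        meta, spec = pod["metadata"], pod["spec"]
        # Init and ephemeral containers run code too, so check them as well.
        containers = (spec.get("initContainers", []) + spec.get("containers", [])
                      + spec.get("ephemeralContainers", []))
        for c in containers:
            if registry_of(c["image"]) not in trusted:
                findings.append((meta.get("namespace", "default"),
                                 meta["name"], c["name"], c["image"]))
    return findings

# Constructed sample in the shape of `kubectl get pods --all-namespaces -o json`.
# Only the "spectre" pod and its image are taken from the post.
SAMPLE = json.loads("""
{"items": [
  {"metadata": {"namespace": "default", "name": "spectre"},
   "spec": {"containers": [
     {"name": "spectre", "image": "quay.io/mhausenblas/spectre:0.1"}]}},
  {"metadata": {"namespace": "shop", "name": "api"},
   "spec": {"initContainers": [{"name": "init", "image": "busybox:1.36"}],
            "containers": [
     {"name": "api", "image": "registry.example.internal/shop/api:1.4.2"}]}}
]}
""")

if __name__ == "__main__":
    for ns, pod, container, image in untrusted_images(SAMPLE):
        print(f"{ns}/{pod} container={container} image={image}")
```

To audit a real cluster, replace `SAMPLE` with the parsed output of `kubectl get pods --all-namespaces -o json`.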