The problem is in intersection of nginx-ingress and kubernetes. Since ingress controller has access to secrets from all the namespaces (which is kubernetes side of the story) the nginx implementation with snippets added…
while "official" hostPath feature is intended to provide the same result, it is being watched by practically all security and compliance tools, so such access can't go unnoticed. With the subPath abuse attackers can…
CIS is very prescriptive. It gives you a list of very specific checks with very little context. NSA, on the other hand, explains the problems and potential attack vectors allowing you to adjust and extend the checks to…
The problem is in intersection of nginx-ingress and kubernetes. Since ingress controller has access to secrets from all the namespaces (which is kubernetes side of the story) the nginx implementation with snippets added…
while "official" hostPath feature is intended to provide the same result, it is being watched by practically all security and compliance tools, so such access can't go unnoticed. With the subPath abuse attackers can…
CIS is very prescriptive. It gives you a list of very specific checks with very little context. NSA, on the other hand, explains the problems and potential attack vectors allowing you to adjust and extend the checks to…