Tags: kubernetes, ebpf, service-mesh

K8s Service Mesh (with Sidecar Proxy): Pod Security On Untrusted Node


Wondering if traffic between a pod's sidecar proxy and the pod's application(s) can be intercepted as it traverses the localhost network stack (perhaps using an eBPF module)?

Can a tenant guarantee the security of its traffic if it does not trust/control the nodes on which its pods are running?

Many thanks.

Edit: Is it possible to guarantee traffic security on untrusted infrastructure at all? And then, how to trust shared infrastructure?


Solution

  • Wondering if traffic between a pod's sidecar proxy and the pod's application(s) can be intercepted as it traverses the localhost network stack (perhaps using an eBPF module)?

    Yes, inspecting and even changing packets on the local interface is doable with an eBPF TC or XDP program.

    Though it should be noted that you can also inspect local traffic with a raw socket like the one used by tcpdump (this requires about the same privileges as eBPF).

    Can a tenant guarantee the security of its traffic if it does not trust/control the nodes on which its pods are running?

    This very much depends on your threat model. eBPF can only be used by users with root access or special capabilities. It is very hard if not impossible to protect against root-level access, since such users can also access your application's memory.

    But it is never bad practice to use solid encryption, even over localhost.

    Is it possible to guarantee traffic security on untrusted infrastructure at all? And then, how to trust shared infrastructure?

    You have to draw a line somewhere; the exact location is totally up to you and depends on how important your secrets are and from whom you are trying to keep them. Perhaps you can trust your infrastructure provider, but do you trust the hypervisor software? Or the actual hardware? Both are most likely not manufactured by your infrastructure provider.
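To make the answer's two points concrete (a privileged observer on the node sees everything that crosses the loopback interface, and encryption over localhost is what keeps the payload unreadable to that observer), here is an added example that is not part of the original question or answer. It stands in for a loopback packet capture with a `recordingConn` wrapper that copies every byte the client writes to the socket, then sends a constructed secret to a server on 127.0.0.1 once in plaintext and once over TLS with a throwaway self-signed certificate (all names, the certificate and the secret are constructed for the demo). The plaintext run shows the secret verbatim on the wire; the TLS run delivers the same secret but the wire bytes no longer contain it. As the answer notes, this does nothing against a root user who dumps the application's memory, where the plaintext and the TLS keys live.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"time"
)

// recordingConn wraps a net.Conn and keeps a copy of every byte written to it:
// exactly what a capture on the loopback interface (tcpdump, eBPF TC/XDP) would see.
type recordingConn struct {
	net.Conn
	wire *bytes.Buffer
}

func (r *recordingConn) Write(p []byte) (int, error) {
	r.wire.Write(p)
	return r.Conn.Write(p)
}

// selfSignedCert builds a throwaway certificate for 127.0.0.1 (constructed for the demo;
// in a real mesh the sidecar would hold a cert issued by the tenant's CA).
func selfSignedCert() (tls.Certificate, *x509.CertPool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "sidecar-demo"},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		IPAddresses:  []net.IP{net.ParseIP("127.0.0.1")},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, pool, nil
}

// sendOverLoopback sends secret from a client to a server on 127.0.0.1, optionally over TLS,
// and returns the bytes the client put on the wire plus what the server received.
func sendOverLoopback(secret string, useTLS bool) (wire []byte, received string, err error) {
	cert, pool, err := selfSignedCert()
	if err != nil {
		return nil, "", err
	}
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return nil, "", err
	}
	defer ln.Close()

	type result struct {
		data []byte
		err  error
	}
	done := make(chan result, 1)
	go func() { // server side: read until the client closes
		c, err := ln.Accept()
		if err != nil {
			done <- result{nil, err}
			return
		}
		defer c.Close()
		if useTLS {
			c = tls.Server(c, &tls.Config{Certificates: []tls.Certificate{cert}})
		}
		data, err := io.ReadAll(c)
		done <- result{data, err}
	}()

	raw, err := net.Dial("tcp", ln.Addr().String())
	if err != nil {
		return nil, "", err
	}
	rec := &recordingConn{Conn: raw, wire: &bytes.Buffer{}}
	var client net.Conn = rec
	if useTLS { // the client pins the demo cert, as a sidecar would pin the tenant CA
		client = tls.Client(rec, &tls.Config{RootCAs: pool, ServerName: "127.0.0.1"})
	}
	if _, err := client.Write([]byte(secret)); err != nil {
		return nil, "", err
	}
	client.Close()
	r := <-done
	if r.err != nil {
		return nil, "", r.err
	}
	return rec.wire.Bytes(), string(r.data), nil
}

func main() {
	for _, useTLS := range []bool{false, true} {
		wire, got, err := sendOverLoopback("tenant-secret", useTLS)
		if err != nil {
			panic(err)
		}
		fmt.Printf("tls=%v bytes_on_wire=%d plaintext_visible=%v delivered=%q\n",
			useTLS, len(wire), bytes.Contains(wire, []byte("tenant-secret")), got)
	}
}
```

Running it prints one line per case: the plaintext case reports `plaintext_visible=true`, the TLS case `plaintext_visible=false`, with the secret delivered intact both times. The recording wrapper replaces a real capture only so the example runs without root; the bytes it records are the same bytes a raw socket or eBPF program on `lo` would observe.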