# Part 10: Threat Model - Kubernetes + Telecom

**Learning Objective:** Apply STRIDE threat modeling to Kubernetes-based telecom deployments.

## K8s + Telecom Attack Surface
```mermaid
graph TB
    subgraph "K8s Control Plane"
        API[API Server]
        etcd[(etcd)]
        Scheduler[Scheduler]
    end
    subgraph "Worker Nodes"
        subgraph "Namespace: open5gs"
            AMF_Pod[AMF Pod]
            SMF_Pod[SMF Pod]
            UPF_Pod[UPF Pod]
        end
        subgraph "Namespace: ueransim"
            gNB_Pod[gNB Pod]
        end
    end
    Attacker[🔴 Attacker]
    Attacker -.->|❌ 1. Exploit unauth API| API
    Attacker -.->|❌ 2. Container escape| AMF_Pod
    Attacker -.->|❌ 3. etcd access| etcd
    Attacker -.->|❌ 4. Network policy bypass| UPF_Pod
    Attacker -.->|❌ 5. Malicious Helm chart| SMF_Pod
    style Attacker fill:#ff9999
    style API fill:#ffcccc
    style etcd fill:#ffcccc
    style AMF_Pod fill:#ffcccc
```

## Threat Catalog
### 1. Container Escape from NF Pods (E)

**Attack Vector:**
- Exploit a kernel or runtime vulnerability (e.g., Dirty Pipe, runc)
- Escape from the AMF/SMF/UPF container to the host

**Impact:**
- Elevation of Privilege: Root access on the worker node
- Access to all pods on the node

**Mitigation:**
- ✅ Use a read-only root filesystem
- ✅ Run as a non-root user (UID > 1000)
- ✅ Enable seccomp profiles (restrict syscalls)
- ✅ Use AppArmor/SELinux
- ✅ Keep the kernel updated

**Example Pod Security:**

```yaml
securityContext:
  runAsNonRoot: true
  runAsUser: 1000
  readOnlyRootFilesystem: true
  allowPrivilegeEscalation: false
  capabilities:
    drop:
      - ALL
```

**STRIDE Score:** E=Critical
### 2. K8s RBAC Misconfiguration (E, I)

**Attack Vector:**
- Overly permissive RBAC roles
- Service account with `cluster-admin` privileges

**Impact:**
- Elevation of Privilege: Attacker gains cluster-admin
- Information Disclosure: Read all secrets (subscriber data, TLS certs)

**Mitigation:**
- ✅ Principle of least privilege (minimal RBAC)
- ✅ Separate service accounts per NF
- ✅ Audit RBAC with `kubectl auth can-i --list`

**Example Minimal RBAC:**

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: amf-role
  namespace: open5gs
rules:
  - apiGroups: [""]
    resources: ["configmaps"]
    verbs: ["get", "list"]
```

**STRIDE Score:** E=High, I=High
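The `kubectl auth can-i` audit above needs a live cluster. The following added example (not from the lab page or the Open5GS project) reproduces the same evaluation offline against manifests loaded as plain dicts, the shape `yaml.safe_load()` returns. It resolves RoleBindings and ClusterRoleBindings for a service account, answers "can SA X do verb Y on resource Z in namespace N" and flags the two misconfigurations the threat entry names: wildcard (cluster-admin-like) rules and secret read access. The `cluster-admin` ClusterRole is reproduced with its real wildcard rules; the `smf-admin` binding and the rest of the data are constructed for the demonstration.

```python
"""Offline audit of what a service account can do through Kubernetes RBAC.

Added example, not part of the original lab page. Assumption: the objects are
plain dicts (what yaml.safe_load() returns for Role / ClusterRole /
RoleBinding / ClusterRoleBinding). Sample data is constructed except for the
cluster-admin rules, which are the real ones.
"""
from typing import List, Tuple

MANIFESTS = [
    {"kind": "ClusterRole", "metadata": {"name": "cluster-admin"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]},
               {"nonResourceURLs": ["*"], "verbs": ["*"]}]},
    # The page's minimal AMF role and a binding for the amf service account.
    {"kind": "Role", "metadata": {"name": "amf-role", "namespace": "open5gs"},
     "rules": [{"apiGroups": [""], "resources": ["configmaps"], "verbs": ["get", "list"]}]},
    {"kind": "RoleBinding", "metadata": {"name": "amf-rb", "namespace": "open5gs"},
     "roleRef": {"kind": "Role", "name": "amf-role"},
     "subjects": [{"kind": "ServiceAccount", "name": "amf", "namespace": "open5gs"}]},
    # Constructed misconfiguration: the SMF account is bound to cluster-admin.
    {"kind": "ClusterRoleBinding", "metadata": {"name": "smf-admin"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "ServiceAccount", "name": "smf", "namespace": "open5gs"}]},
]


def _roles(manifests) -> dict:
    """Index rules by (kind, namespace, name); ClusterRoles use namespace None."""
    idx = {}
    for m in manifests:
        if m["kind"] in ("Role", "ClusterRole"):
            ns = m["metadata"].get("namespace") if m["kind"] == "Role" else None
            idx[(m["kind"], ns, m["metadata"]["name"])] = m.get("rules", [])
    return idx


def effective_rules(manifests, sa_name, sa_namespace) -> List[Tuple[str, dict]]:
    """Return (scope, rule) pairs granted to the service account.

    scope is the binding's namespace for a RoleBinding and "*" for a
    ClusterRoleBinding. A RoleBinding that references a ClusterRole grants the
    ClusterRole's rules only inside the binding's namespace (Kubernetes semantics).
    """
    roles = _roles(manifests)
    granted = []
    for m in manifests:
        if m["kind"] not in ("RoleBinding", "ClusterRoleBinding"):
            continue
        if not any(s.get("kind") == "ServiceAccount" and s.get("name") == sa_name
                   and s.get("namespace") == sa_namespace for s in m.get("subjects", [])):
            continue
        ref = m["roleRef"]
        if m["kind"] == "RoleBinding":
            scope = m["metadata"]["namespace"]
            key = ("Role", scope, ref["name"]) if ref["kind"] == "Role" \
                else ("ClusterRole", None, ref["name"])
        else:
            scope, key = "*", ("ClusterRole", None, ref["name"])
        granted.extend((scope, rule) for rule in roles.get(key, []))
    return granted


def can_i(manifests, sa_name, sa_namespace, verb, resource, namespace, api_group="") -> bool:
    """Offline equivalent of `kubectl auth can-i <verb> <resource> -n <namespace>`."""
    def match(allowed, wanted):
        return "*" in allowed or wanted in allowed
    for scope, rule in effective_rules(manifests, sa_name, sa_namespace):
        if scope not in ("*", namespace) or "resources" not in rule:
            continue  # wrong namespace, or a nonResourceURLs rule
        if match(rule.get("apiGroups", []), api_group) and match(rule["resources"], resource) \
                and match(rule["verbs"], verb):
            return True
    return False


def findings(manifests, sa_name, sa_namespace) -> List[str]:
    """Flag the misconfigurations the threat entry describes."""
    out = []
    for scope, rule in effective_rules(manifests, sa_name, sa_namespace):
        verbs, resources = rule.get("verbs", []), rule.get("resources", [])
        if "*" in verbs and "*" in resources:
            out.append(f"wildcard verbs and resources (cluster-admin-like) in scope {scope}")
        if ("secrets" in resources or "*" in resources) and any(v in verbs for v in ("get", "list", "*")):
            out.append(f"can read secrets in scope {scope}")
    return out


if __name__ == "__main__":
    for sa in ("amf", "smf"):
        print(sa, findings(MANIFESTS, sa, "open5gs") or "ok")
```

Run it as a script or import it and call `can_i()` / `findings()` per service account. The amf account comes back clean and cannot read ConfigMaps outside `open5gs`; the smf account is flagged twice because the cluster-admin rule carries wildcard verbs and resources and therefore also reads every Secret in every namespace.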
### 3. NetworkPolicy Bypass (I, T)

**Attack Vector:**
- Missing NetworkPolicy allows cross-namespace traffic
- UE pod in the `ueransim` namespace accesses the AMF pod in the `open5gs` namespace

**Impact:**
- Information Disclosure: Intercept SBI traffic
- Tampering: Modify NF-to-NF communication

**Mitigation:**
- ✅ Default-deny NetworkPolicy
- ✅ Explicit allow rules for N2, N3, SBI

**Example NetworkPolicy:**

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: amf-ingress
  namespace: open5gs
spec:
  podSelector:
    matchLabels:
      app: amf
  policyTypes:
    - Ingress
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              name: ueransim
      ports:
        - protocol: SCTP
          port: 38412 # N2 NGAP runs over SCTP
```

**STRIDE Score:** I=High, T=Medium
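To check what a default-deny policy plus the `amf-ingress` policy above actually permit before applying them, the following added example (not from the lab page) simulates the Kubernetes ingress evaluation rules on manifests given as dicts: a pod with no policy selecting it accepts everything; once any policy selects it, a connection is allowed only if some ingress rule matches both the source (namespace and pod selectors, ANDed within one peer) and the port. Namespaces, pods and the default-deny policy are constructed; `ipBlock` peers, egress and `endPort` are deliberately not modelled. Note that the page's policy selects the namespace by a `name` label, which Kubernetes does not add on its own (the automatic label is `kubernetes.io/metadata.name`), so the sample namespaces carry both.

```python
"""Offline simulation of NetworkPolicy ingress evaluation (added example).

Assumption: objects are dicts in the shape yaml.safe_load() would produce.
Sample namespaces, pods and the default-deny policy are constructed; the
amf-ingress policy is the one from the lab page.
"""
from typing import Dict, List, Tuple

NAMESPACES: Dict[str, Dict[str, str]] = {
    "open5gs": {"name": "open5gs", "kubernetes.io/metadata.name": "open5gs"},
    "ueransim": {"name": "ueransim", "kubernetes.io/metadata.name": "ueransim"},
}

PODS: Dict[str, Tuple[str, Dict[str, str]]] = {  # pod -> (namespace, labels)
    "amf": ("open5gs", {"app": "amf"}),
    "smf": ("open5gs", {"app": "smf"}),
    "gnb": ("ueransim", {"app": "gnb"}),
}

POLICIES: List[dict] = [
    {"metadata": {"name": "default-deny", "namespace": "open5gs"},
     "spec": {"podSelector": {}, "policyTypes": ["Ingress"]}},
    {"metadata": {"name": "amf-ingress", "namespace": "open5gs"},
     "spec": {"podSelector": {"matchLabels": {"app": "amf"}},
              "policyTypes": ["Ingress"],
              "ingress": [{"from": [{"namespaceSelector": {"matchLabels": {"name": "ueransim"}}}],
                           "ports": [{"protocol": "SCTP", "port": 38412}]}]}},
]


def selector_matches(selector, labels) -> bool:
    """An empty selector ({}) selects everything; every matchLabels pair must be present."""
    wanted = (selector or {}).get("matchLabels", {})
    return all(labels.get(k) == v for k, v in wanted.items())


def peer_matches(peer, policy_ns, src_ns, src_labels) -> bool:
    """One `from` entry: namespaceSelector and podSelector in the same entry are ANDed."""
    ns_sel, pod_sel = peer.get("namespaceSelector"), peer.get("podSelector")
    if ns_sel is None and pod_sel is None:
        return False  # ipBlock peers are not modelled here
    if ns_sel is None and src_ns != policy_ns:
        return False  # a bare podSelector only matches pods in the policy's own namespace
    if ns_sel is not None and not selector_matches(ns_sel, NAMESPACES[src_ns]):
        return False
    if pod_sel is not None and not selector_matches(pod_sel, src_labels):
        return False
    return True


def port_matches(ports, protocol, port) -> bool:
    """No `ports` list means all ports; the protocol defaults to TCP."""
    if not ports:
        return True
    return any(p.get("protocol", "TCP") == protocol and p.get("port") == port for p in ports)


def ingress_allowed(src_pod, dst_pod, protocol, port, policies=POLICIES) -> bool:
    src_ns, src_labels = PODS[src_pod]
    dst_ns, dst_labels = PODS[dst_pod]
    applicable = [p for p in policies
                  if p["metadata"]["namespace"] == dst_ns
                  and "Ingress" in p["spec"].get("policyTypes", ["Ingress"])
                  and selector_matches(p["spec"].get("podSelector", {}), dst_labels)]
    if not applicable:
        return True  # no policy selects the pod: Kubernetes default is allow-all
    for pol in applicable:
        for rule in pol["spec"].get("ingress", []):
            froms = rule.get("from")
            src_ok = froms is None or any(peer_matches(f, dst_ns, src_ns, src_labels) for f in froms)
            if src_ok and port_matches(rule.get("ports"), protocol, port):
                return True
    return False


if __name__ == "__main__":
    for src, dst, proto, port in [("gnb", "amf", "SCTP", 38412), ("gnb", "amf", "TCP", 38412),
                                  ("gnb", "smf", "SCTP", 38412), ("smf", "amf", "SCTP", 38412)]:
        print(f"{src} -> {dst} {proto}/{port}: {'allow' if ingress_allowed(src, dst, proto, port) else 'deny'}")
```

The simulation shows the second mitigation bullet in action: with default-deny in place, the gNB reaches the AMF only on SCTP/38412, but the SMF in the same namespace can no longer reach the AMF at all until an explicit SBI allow rule is added, and a pod in `ueransim`, which has no policy, still accepts anything.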
### 4. Supply Chain: Malicious Helm Chart (T, E)

**Attack Vector:**
- Use of an untrusted Helm chart repository
- Chart contains a backdoored container image

**Impact:**
- Tampering: Malicious code in NF pods
- Elevation of Privilege: Backdoor with cluster access

**Mitigation:**
- ✅ Use trusted Helm repos (Gradiant, official Open5GS)
- ✅ Verify chart signatures (`helm verify`)
- ✅ Scan images with Trivy/Grype
- ✅ Use admission controllers (OPA Gatekeeper) to block unsigned images

**Example OPA Policy:**

```rego
package kubernetes.admission

# Deny a Pod whose containers pull from outside the trusted open5gs/ namespace.
deny[msg] {
    input.request.kind.kind == "Pod"
    image := input.request.object.spec.containers[_].image
    not startswith(image, "open5gs/")
    msg := sprintf("Untrusted image: %v", [image])
}

# Init containers are pulled and run before the main containers, so they need the same check.
deny[msg] {
    input.request.kind.kind == "Pod"
    image := input.request.object.spec.initContainers[_].image
    not startswith(image, "open5gs/")
    msg := sprintf("Untrusted init container image: %v", [image])
}
```

**STRIDE Score:** T=Critical, E=Critical
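The Rego above compares the raw image string, so it treats `docker.io/open5gs/amf` (the fully qualified form of a trusted image) as untrusted and accepts `open5gs/amf:latest`, a mutable tag. The following added example (not from the lab page or the Open5GS project) shows the admission check a practitioner would want instead: it parses the image reference the way container runtimes do (default registry `docker.io`, default namespace `library/`), resolves registry and repository, and then requires a trusted source, a digest pin and no mutable tag, across `initContainers`, `containers` and `ephemeralContainers`. The trusted-prefix list, the sample Pod and the digest value are constructed.

```python
"""Image reference policy check in the style of an admission controller (added example).

Assumption: the Pod is a dict shaped like the admission request's
`request.object`, which is what the page's Rego inspects. TRUSTED, the sample
Pod and the digest are constructed; parsing follows the usual docker-style
reference rules.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")

# Constructed allowlist of (registry, repository prefix) pairs.
TRUSTED = {("docker.io", "open5gs/"), ("registry.example.internal", "telecom/")}

# 64 hex characters so it is well-formed, but not the digest of any real image.
CONSTRUCTED_DIGEST = "sha256:" + "0123456789abcdef" * 4

SAMPLE_POD = {  # constructed
    "kind": "Pod", "metadata": {"name": "amf"},
    "spec": {
        "initContainers": [{"name": "wait-db", "image": "busybox:latest"}],
        "containers": [{"name": "amf", "image": "open5gs/amf@" + CONSTRUCTED_DIGEST},
                       {"name": "sidecar", "image": "untrusted.example/open5gs/amf:v2"}],
    },
}


@dataclass
class ImageRef:
    registry: str
    repository: str
    tag: Optional[str]
    digest: Optional[str]


def parse_image(ref: str) -> ImageRef:
    """Split [registry/]repository[:tag][@digest] the way a container runtime does."""
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    first, _, rest = ref.partition("/")
    # The first component is a registry only if it looks like a host (dot, port or localhost).
    if rest and ("." in first or ":" in first or first == "localhost"):
        registry, path = first, rest
    else:
        registry, path = "docker.io", ref
    tag = None
    if ":" in path[path.rfind("/") + 1:]:  # a colon in the last segment is a tag, not a port
        path, tag = path.rsplit(":", 1)
    if registry == "docker.io" and "/" not in path:
        path = "library/" + path  # docker.io/busybox really is docker.io/library/busybox
    return ImageRef(registry, path, tag, digest)


def image_findings(ref: str, trusted=TRUSTED) -> List[str]:
    img = parse_image(ref)
    out = []
    if not any(img.registry == reg and img.repository.startswith(prefix) for reg, prefix in trusted):
        out.append(f"untrusted source {img.registry}/{img.repository}")
    if img.digest is None:
        out.append("not pinned by digest")
    elif not DIGEST_RE.match(img.digest):
        out.append("malformed digest")
    if img.tag == "latest" or (img.tag is None and img.digest is None):
        out.append("mutable tag")
    return out


def pod_findings(pod: dict) -> Dict[str, List[str]]:
    """Check every container list, not only spec.containers as the page's Rego does."""
    spec = pod.get("spec", {})
    result = {}
    for field in ("initContainers", "containers", "ephemeralContainers"):
        for c in spec.get(field, []):
            f = image_findings(c["image"])
            if f:
                result[f"{field}/{c['name']}"] = f
    return result


if __name__ == "__main__":
    for where, problems in pod_findings(SAMPLE_POD).items():
        print(where, "->", "; ".join(problems))
```

On the sample Pod only the digest-pinned `open5gs/amf` passes; the `busybox:latest` init container is rejected on all three counts, and the sidecar is rejected because its registry is not on the allowlist even though its path starts with `open5gs/`. Digest pinning is what makes the Trivy/Grype scan result meaningful: a scanned digest cannot be silently replaced under the same tag.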
### 5. etcd Exposure Leaking Subscriber Data (I)

**Attack Vector:**
- etcd exposed without authentication
- Attacker reads all K8s secrets (MongoDB credentials, subscriber data)

**Impact:**
- Information Disclosure: All secrets, ConfigMaps, subscriber profiles

**Mitigation:**
- ✅ Enable etcd authentication and TLS
- ✅ Encrypt secrets at rest (`EncryptionConfiguration`)
- ✅ Network isolation (etcd only accessible from the control plane)

**Example Encryption Config:**

```yaml
apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
  - resources:
      - secrets
    providers:
      - aescbc:
          keys:
            - name: key1
              secret: <base64-encoded-32-byte-key>
      - identity: {}
```

**STRIDE Score:** I=Critical
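An `EncryptionConfiguration` fails silently in the two ways that matter most: a placeholder or wrong-length key makes the API server refuse to start, and listing `identity` first keeps writing Secrets to etcd in plaintext while looking encrypted. The following added example (not from the lab page) validates the config before it is handed to the API server: it decodes every inline key, checks the key length the provider requires (32 bytes for `aescbc` and `secretbox`, 16/24/32 for `aesgcm`), checks provider order and checks that `secrets` are covered. The sample configurations are constructed, and the good one uses a freshly generated random key.

```python
"""Validate a Kubernetes EncryptionConfiguration before rollout (added example).

Assumption: the configuration is a dict as yaml.safe_load() would return it.
The sample configurations are constructed; the valid key is random.
"""
import base64
import os
from typing import List

# Key sizes accepted by each provider that carries inline key material.
KEY_SIZES = {"aescbc": {32}, "aesgcm": {16, 24, 32}, "secretbox": {32}}


def validate_encryption_config(cfg: dict) -> List[str]:
    problems: List[str] = []
    if cfg.get("kind") != "EncryptionConfiguration":
        problems.append("kind must be EncryptionConfiguration")
    covered = set()
    for entry in cfg.get("resources", []):
        names = entry.get("resources", [])
        covered.update(names)
        providers = entry.get("providers", [])
        if not providers:
            problems.append(f"{names}: no providers")
            continue
        # The first provider is the one used for writes; identity means plaintext.
        if next(iter(providers[0])) == "identity":
            problems.append(f"{names}: identity is the first provider, new writes stay in plaintext")
        for prov in providers:
            name, body = next(iter(prov.items()))
            if name not in KEY_SIZES:
                continue  # identity and kms carry no inline key to check
            for key in (body or {}).get("keys", []):
                label = f"{name} key {key.get('name')}"
                try:
                    raw = base64.b64decode(key.get("secret", ""), validate=True)
                except ValueError:  # binascii.Error is a ValueError
                    problems.append(f"{label}: secret is not valid base64 (placeholder left in?)")
                    continue
                if len(raw) not in KEY_SIZES[name]:
                    problems.append(f"{label}: {len(raw)}-byte key, expected one of {sorted(KEY_SIZES[name])}")
    if "secrets" not in covered:
        problems.append("secrets are not covered by any resource entry")
    return problems


def make_config(providers: list) -> dict:
    """Build a config covering secrets with the given provider list (constructed)."""
    return {"apiVersion": "apiserver.config.k8s.io/v1", "kind": "EncryptionConfiguration",
            "resources": [{"resources": ["secrets"], "providers": providers}]}


def fresh_key_b64(size: int = 32) -> str:
    return base64.b64encode(os.urandom(size)).decode()


GOOD = make_config([{"aescbc": {"keys": [{"name": "key1", "secret": fresh_key_b64()}]}},
                    {"identity": {}}])
# The page's snippet applied as-is, placeholder and all.
PLACEHOLDER = make_config([{"aescbc": {"keys": [{"name": "key1", "secret": "<base64-encoded-32-byte-key>"}]}},
                           {"identity": {}}])
IDENTITY_FIRST = make_config([{"identity": {}},
                              {"aescbc": {"keys": [{"name": "key1", "secret": fresh_key_b64()}]}}])
SHORT_KEY = make_config([{"aescbc": {"keys": [{"name": "key1", "secret": fresh_key_b64(16)}]}}])

if __name__ == "__main__":
    for label, cfg in [("good", GOOD), ("placeholder", PLACEHOLDER),
                       ("identity-first", IDENTITY_FIRST), ("short-key", SHORT_KEY)]:
        print(label, "->", validate_encryption_config(cfg) or "ok")
```

Keep `identity` as the last provider while migrating so that Secrets written before encryption was enabled stay readable, then rewrite them (for example with `kubectl get secrets --all-namespaces -o json | kubectl replace -f -`) so every object is stored under the new key.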
### 6. Service Mesh for NF-to-NF mTLS (S, T, I)

**Attack Vector:**
- No service mesh → SBI traffic in plaintext
- Attacker intercepts AMF ↔ SMF communication

**Impact:**
- Spoofing: Rogue NF impersonates SMF
- Tampering: Modify SBI messages
- Information Disclosure: Read subscriber data

**Mitigation:**
- ✅ Deploy Istio/Linkerd service mesh
- ✅ Enforce mTLS for all SBI traffic
- ✅ Use SPIFFE/SPIRE for NF identity

**Example Istio PeerAuthentication:**

```yaml
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: open5gs
spec:
  mtls:
    mode: STRICT
```

**STRIDE Score:** S=High, T=High, I=High
### 7. Pod Security Standards (E)

**Attack Vector:**
- Privileged pod with `hostNetwork: true`
- Attacker gains access to the host network stack

**Impact:**
- Elevation of Privilege: Access to all node traffic

**Mitigation:**
- ✅ Enforce Pod Security Standards (PSS)
- ✅ Use the `Restricted` profile for all NF pods
- ✅ Disable `hostNetwork`, `hostPID`, `hostIPC`

**Example PSS Enforcement:**

```yaml
apiVersion: v1
kind: Namespace
metadata:
  name: open5gs
  labels:
    pod-security.kubernetes.io/enforce: restricted
    pod-security.kubernetes.io/audit: restricted
    pod-security.kubernetes.io/warn: restricted
```

**STRIDE Score:** E=High
### 8. Secrets Management (I)

**Attack Vector:**
- Secrets stored in plaintext ConfigMaps
- Attacker reads MongoDB password, TLS private keys

**Impact:**
- Information Disclosure: Database credentials, certificates

**Mitigation:**
- ✅ Use K8s Secrets (not ConfigMaps)
- ✅ External secrets manager (HashiCorp Vault, AWS Secrets Manager)
- ✅ Rotate secrets regularly

**Example External Secrets Operator:**

```yaml
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: mongodb-creds
  namespace: open5gs
spec:
  secretStoreRef:
    name: vault-backend
  target:
    name: mongodb-secret
  data:
    - secretKey: password
      remoteRef:
        key: mongodb/password
```

**STRIDE Score:** I=Critical
### 9. Resource Exhaustion (D)

**Attack Vector:**
- No resource limits on the UPF pod
- UPF consumes all node CPU/memory

**Impact:**
- Denial of Service: Other NF pods evicted

**Mitigation:**
- ✅ Set resource requests and limits
- ✅ Use LimitRanges and ResourceQuotas

**Example Resource Limits:**

```yaml
resources:
  requests:
    memory: "512Mi"
    cpu: "500m"
  limits:
    memory: "2Gi"
    cpu: "2000m"
```

**STRIDE Score:** D=High
### 10. Admission Control (T, E)

**Attack Vector:**
- No admission controller
- Attacker deploys a pod with `privileged: true`

**Impact:**
- Tampering: Modify cluster state
- Elevation of Privilege: Root on node

**Mitigation:**
- ✅ Enable PodSecurityPolicy (deprecated) or Pod Security Admission
- ✅ Use OPA Gatekeeper for custom policies
- ✅ Deny privileged containers

**Example Gatekeeper Policy:**

```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPPrivilegedContainer
metadata:
  name: deny-privileged
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
```

**STRIDE Score:** T=High, E=Critical
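Threats 1, 7, 9 and 10 all come down to the same question at admission time: does this Pod spec satisfy the `Restricted` profile, and does it carry the extra hardening this page asks for? The following added example (not from the lab page, and not a replacement for Pod Security Admission or Gatekeeper) is an offline lint that answers it on a Pod dict: host namespaces and `hostPath` volumes, `privileged`, `allowPrivilegeEscalation`, capability drop/add, `runAsNonRoot`/`runAsUser`, `seccompProfile`, and in addition the page's `readOnlyRootFilesystem` and CPU/memory limits from threat 9. Container-level `securityContext` fields override pod-level ones, as in Kubernetes. The three sample Pods are constructed; the third reuses the `securityContext` from the threat 1 snippet.

```python
"""Offline lint of a Pod against the Restricted Pod Security Standard plus this
page's extra hardening (read-only root filesystem, resource limits). Added
example; not part of the lab page. Assumption: Pods are dicts as
yaml.safe_load() would produce; all sample Pods are constructed.
"""
from typing import List


def _effective(spec: dict, container: dict, field: str):
    """Fields valid at both levels: the container securityContext wins over the pod's."""
    csc = container.get("securityContext") or {}
    if field in csc:
        return csc[field]
    return (spec.get("securityContext") or {}).get(field)


def restricted_findings(pod: dict) -> List[str]:
    spec = pod.get("spec", {})
    name = pod.get("metadata", {}).get("name", "<unnamed>")
    out: List[str] = []
    for field in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(field):
            out.append(f"{name}: {field} must be false")
    for vol in spec.get("volumes", []):
        if "hostPath" in vol:
            out.append(f"{name}: hostPath volume {vol.get('name')} is not allowed")
    containers = (spec.get("initContainers", []) + spec.get("containers", [])
                  + spec.get("ephemeralContainers", []))
    for c in containers:
        cname = f"{name}/{c.get('name')}"
        csc = c.get("securityContext") or {}  # container-only fields live here
        if csc.get("privileged"):
            out.append(f"{cname}: privileged container")
        if csc.get("allowPrivilegeEscalation") is not False:
            out.append(f"{cname}: allowPrivilegeEscalation must be explicitly false")
        caps = csc.get("capabilities") or {}
        if "ALL" not in caps.get("drop", []):
            out.append(f"{cname}: capabilities.drop must include ALL")
        if set(caps.get("add", [])) - {"NET_BIND_SERVICE"}:
            out.append(f"{cname}: only NET_BIND_SERVICE may be added back")
        if _effective(spec, c, "runAsNonRoot") is not True:
            out.append(f"{cname}: runAsNonRoot must be true")
        if _effective(spec, c, "runAsUser") == 0:
            out.append(f"{cname}: runAsUser 0 is not allowed")
        seccomp = (_effective(spec, c, "seccompProfile") or {}).get("type")
        if seccomp not in ("RuntimeDefault", "Localhost"):
            out.append(f"{cname}: seccompProfile.type must be RuntimeDefault or Localhost")
        # Beyond the Restricted profile: the page's own hardening items.
        if csc.get("readOnlyRootFilesystem") is not True:
            out.append(f"{cname}: readOnlyRootFilesystem should be true")
        limits = (c.get("resources") or {}).get("limits") or {}
        for res in ("cpu", "memory"):
            if res not in limits:
                out.append(f"{cname}: no {res} limit (resource exhaustion)")
    return out


LIMITS = {"requests": {"cpu": "500m", "memory": "512Mi"}, "limits": {"cpu": "2000m", "memory": "2Gi"}}

GOOD_POD = {  # constructed: passes Restricted and the page's extra checks
    "kind": "Pod", "metadata": {"name": "amf"},
    "spec": {"securityContext": {"runAsNonRoot": True, "runAsUser": 1000,
                                 "seccompProfile": {"type": "RuntimeDefault"}},
             "containers": [{"name": "amf", "image": "open5gs/amf", "resources": LIMITS,
                             "securityContext": {"allowPrivilegeEscalation": False,
                                                 "readOnlyRootFilesystem": True,
                                                 "capabilities": {"drop": ["ALL"]}}}]}}

BAD_POD = {  # constructed: the threat 7 / threat 10 attack vector
    "kind": "Pod", "metadata": {"name": "upf"},
    "spec": {"hostNetwork": True,
             "containers": [{"name": "upf", "image": "open5gs/upf",
                             "securityContext": {"privileged": True}}]}}

PAGE_SNIPPET_POD = {  # constructed around the securityContext shown under threat 1
    "kind": "Pod", "metadata": {"name": "smf"},
    "spec": {"containers": [{"name": "smf", "image": "open5gs/smf", "resources": LIMITS,
                             "securityContext": {"runAsNonRoot": True, "runAsUser": 1000,
                                                 "readOnlyRootFilesystem": True,
                                                 "allowPrivilegeEscalation": False,
                                                 "capabilities": {"drop": ["ALL"]}}}]}}

if __name__ == "__main__":
    for pod in (GOOD_POD, BAD_POD, PAGE_SNIPPET_POD):
        print(pod["metadata"]["name"], "->", restricted_findings(pod) or "ok")
```

One caveat the lint surfaces: the `securityContext` shown under threat 1 is not quite enough for the `restricted` enforcement label from threat 7, because the Restricted profile also requires `seccompProfile.type` set to `RuntimeDefault` or `Localhost`; the good sample adds it at pod level so every container inherits it.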
## Threat Summary Table

| Threat | S | T | R | I | D | E | Severity |
|---|---|---|---|---|---|---|---|
| Container Escape | | | | | | ✅ | Critical |
| RBAC Misconfiguration | | | | ✅ | | ✅ | High |
| NetworkPolicy Bypass | | ✅ | | ✅ | | | High |
| Malicious Helm Chart | | ✅ | | | | ✅ | Critical |
| etcd Exposure | | | | ✅ | | | Critical |
| No Service Mesh | ✅ | ✅ | | ✅ | | | High |
| Pod Security | | | | | | ✅ | High |
| Secrets Exposure | | | | ✅ | | | Critical |
| Resource Exhaustion | | | | | ✅ | | High |
| No Admission Control | | ✅ | | | | ✅ | Critical |
## Defense-in-Depth Checklist

## Summary

- ✅ K8s adds new attack surface (container escape, RBAC, NetworkPolicy)
- ✅ Telecom workloads require strict isolation (slices = namespaces)
- ✅ Service mesh is critical for SBI mTLS
- ✅ Defense-in-depth: combine multiple security layers
Congratulations! You've completed the entire Open5GS Telecom Security Lab Guide. 🎉