
Google Cloud Run ImageRunner Vulnerability & Tackling Kubernetes Network Security Across Multiple Cloud Providers

This week we examine recently discovered vulnerabilities in GCP Cloud Run, AWS S3, and Azure VM deployment, alongside expert insights from Confluent's Kubernetes team on implementing Cilium across multiple clouds. Learn how cloud-specific networking challenges can be overcome while enhancing security posture through eBPF-powered protection, with practical guidance for security professionals managing containerized workloads.

Hello from the Cloud-verse!

Tackling Kubernetes Network Security Across Multiple Cloud Providers

In case this is your first Cloud Security Newsletter: you are in good company!
You are reading this issue alongside friends and colleagues from companies like Netflix, Citi, JP Morgan, LinkedIn, Reddit, GitHub, GitLab, CapitalOne, Robinhood, HSBC, British Airways, Airbnb, Block, Booking Inc and more, who subscribe to learn what's new in Cloud Security each week from their industry peers, and who, like many others, listen to Cloud Security Podcast and AI CyberSecurity Podcast every week.

Welcome to this week's edition of the Cloud Security Newsletter!

We're diving deep into the world of Kubernetes networking security with some fantastic insights from our featured experts - Nimisha Mehta and Alvaro Aleman from Confluent share their experiences migrating to Cilium across multiple cloud platforms, while Liz Rice from Isovalent provides valuable context on the evolution of container networking security and the latest developments in the Cilium ecosystem. 

THIS WEEK'S SECURITY NEWS

🚨 ImageRunner: New GCP Cloud Run Privilege Escalation Vulnerability Fixed

Tenable researcher Liv Matan discovered a privilege escalation vulnerability in Google Cloud Platform (GCP), dubbed "ImageRunner", that affected Cloud Run. It allowed identities with edit permissions on Cloud Run revisions (but without registry permissions) to pull private Google Artifact Registry and Google Container Registry images in the same account, which underscores the importance of least-privilege access in cloud environments. Google fully resolved the issue as of January 28, 2025. Tenable Blog

Why it matters: This vulnerability demonstrates what the researcher called the "Jenga concept" - when cloud providers build services on top of other services, vulnerabilities in one can cascade to others. Security teams should review their Cloud Run permissions to ensure they align with the principle of least privilege.

🔍 MistakenVMtity: Cloud Image Confusion Attack Found in Azure CLI

Cloud security researcher Ian Mckay discovered a vulnerability in Azure similar to the AWS cloud image confusion attack found by Datadog Security Labs. It affects the Azure CLI's image search, where users might inadvertently deploy malicious VM images because the az vm image list command matches image names partially rather than exactly. Ian’s Blog

Why it matters: Organizations using wildcarded searches to find VM images in Azure could be vulnerable to deploying compromised images. Security teams should ensure their image deployment workflows use exact publisher name matching through tools like grep rather than relying solely on Azure CLI's built-in filtering.
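As an added example (not from Ian's post or from the Azure CLI project), the helper below filters constructed `az vm image list --all -o json` style output to an exact publisher match, surfaces the lookalike publishers a partial-name search would also have accepted, and pins a full URN for `az vm create --image`; the image records, version strings and the "Canonical-Lookalike" publisher are made up for the demonstration.

```python
from __future__ import annotations
import json

# Constructed sample in the shape of `az vm image list --all -o json` output
# (publisher/offer/sku/version/urn fields). The second record is a made-up
# lookalike publisher that a partial-name search for "Canonical" also returns,
# and it carries a higher version number than the genuine image.
SAMPLE_AZ_OUTPUT = json.dumps([
    {"publisher": "Canonical", "offer": "0001-com-ubuntu-server-jammy",
     "sku": "22_04-lts-gen2", "version": "22.04.202401010",
     "urn": "Canonical:0001-com-ubuntu-server-jammy:22_04-lts-gen2:22.04.202401010"},
    {"publisher": "Canonical-Lookalike", "offer": "0001-com-ubuntu-server-jammy",
     "sku": "22_04-lts-gen2", "version": "22.04.999999999",
     "urn": "Canonical-Lookalike:0001-com-ubuntu-server-jammy:22_04-lts-gen2:22.04.999999999"},
])


def _version_key(img: dict) -> list[int]:
    return [int(part) for part in img["version"].split(".")]


def newest_by_substring(az_json: str, publisher: str) -> str:
    """What 'take the newest hit of a partial publisher search' would deploy."""
    hits = [i for i in json.loads(az_json) if publisher.lower() in i["publisher"].lower()]
    return max(hits, key=_version_key)["urn"]


def exact_publisher_images(az_json: str, publisher: str) -> list[dict]:
    """Keep only records whose publisher equals `publisher` exactly (no substring match)."""
    return [img for img in json.loads(az_json) if img.get("publisher") == publisher]


def lookalike_publishers(az_json: str, publisher: str) -> set[str]:
    """Publishers the CLI's partial match would also return; review these before deploying."""
    return {img["publisher"] for img in json.loads(az_json)
            if publisher.lower() in img["publisher"].lower() and img["publisher"] != publisher}


def pinned_urn(az_json: str, publisher: str, offer: str, sku: str) -> str | None:
    """Newest version for an exact publisher/offer/sku triple, returned as a full
    URN to pass to `az vm create --image` instead of a partial image name."""
    candidates = [img for img in exact_publisher_images(az_json, publisher)
                  if img["offer"] == offer and img["sku"] == sku]
    if not candidates:
        return None
    return max(candidates, key=_version_key)["urn"]
```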

💥 CopyObjection: AWS S3 Ransomware Prevention Through Automation

Jesse Griggs from Red Canary has detailed a methodology for defending against ransomware attacks that target AWS S3 buckets. The attack technique, called CopyObjection, involves attackers abusing server-side encryption with customer-managed keys (SSE-C) to encrypt objects in place, making them unrecoverable by victims. Automated response is critical because manual intervention adds precious minutes to recovery time. Blog with Test Environment Setup

Why it matters: Traditional endpoint-focused ransomware defenses aren't sufficient in cloud environments. Organizations should implement automated detection and remediation for suspicious S3 operations, as Red Canary's testing revealed that an alert-only approach extends the window of compromise by several minutes.
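As an added example that is not Red Canary's tooling, the detector below runs over constructed CloudTrail-style S3 data events and flags a principal that rewrites several objects onto themselves with SSE-C inside a short window; the event layout and the SSE-C header name under requestParameters are assumptions about the CloudTrail record format, and the bucket, keys and ARNs are made up.

```python
from collections import defaultdict
from datetime import datetime, timedelta
import json

SSEC_HEADER = "x-amz-server-side-encryption-customer-algorithm"  # assumed CloudTrail field

def _event(time, name, arn, bucket, key, source=None, ssec=False) -> str:
    """Build one constructed CloudTrail-style S3 data event as a JSON line."""
    params = {"bucketName": bucket, "key": key}
    if source:
        params["x-amz-copy-source"] = source
    if ssec:
        params[SSEC_HEADER] = "AES256"
    return json.dumps({"eventTime": time, "eventName": name,
                       "userIdentity": {"arn": arn}, "requestParameters": params})

ATTACKER = "arn:aws:iam::111122223333:user/compromised-ci"  # made-up principal
ANALYST = "arn:aws:iam::111122223333:user/analyst"          # made-up principal
SAMPLE_EVENTS = [  # constructed: three in-place SSE-C copies, then benign traffic
    _event("2025-03-20T10:00:01Z", "CopyObject", ATTACKER, "prod-data", "a.csv", "prod-data/a.csv", True),
    _event("2025-03-20T10:00:02Z", "CopyObject", ATTACKER, "prod-data", "b.csv", "prod-data/b.csv", True),
    _event("2025-03-20T10:00:04Z", "CopyObject", ATTACKER, "prod-data", "c.csv", "prod-data/c.csv", True),
    _event("2025-03-20T10:00:05Z", "CopyObject", ANALYST, "prod-data", "copy/a.csv", "prod-data/a.csv"),
    _event("2025-03-20T10:00:06Z", "PutObject", ANALYST, "prod-data", "d.csv"),
]

def is_inplace_ssec_copy(event: dict) -> bool:
    """CopyObject with source == destination plus an SSE-C key: re-encrypted in place under a key S3 never stores."""
    if event.get("eventName") != "CopyObject":
        return False
    p = event.get("requestParameters", {})
    dest = f"{p.get('bucketName')}/{p.get('key')}"
    return p.get("x-amz-copy-source", "").lstrip("/") == dest and SSEC_HEADER in p

def detect_copyobjection(raw_events, threshold=3, window=timedelta(minutes=5)) -> dict:
    """Principal ARN -> largest count of in-place SSE-C copies inside `window`, for principals reaching `threshold`."""
    times = defaultdict(list)
    for raw in raw_events:
        ev = json.loads(raw)
        if is_inplace_ssec_copy(ev):
            times[ev["userIdentity"]["arn"]].append(datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ"))
    hits = {}
    for arn, ts in times.items():
        ts.sort()
        for i, start in enumerate(ts):  # sliding window anchored at each event
            n = sum(1 for t in ts[i:] if t - start <= window)
            if n >= threshold:
                hits[arn] = max(hits.get(arn, 0), n)
    return hits
```

The returned map is the trigger for an automated block (for example revoking the principal's session), which the newsletter's point is to run without waiting for a human.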

CLOUD SECURITY TOPIC OF THE WEEK

Lessons from Navigating Multi-Cloud Kubernetes Network Security

As organizations deploy Kubernetes across multiple cloud providers, they face unique challenges in implementing consistent network security controls. Our experts share their experiences with using Cilium to create a unified networking layer across AWS, GCP, and Azure.

  • Nimisha Mehta - Kubernetes Platform Team Engineer at Confluent

  • Alvaro Aleman - Software Engineer on Confluent's Kubernetes Platform Team

  • Liz Rice - Chief Open Source Officer at Isovalent, creator of the Cilium project and CNCF advocate

Definitions and Core Concepts 📚

Before diving into the analysis, let's clarify some key terms referenced throughout the discussion:

  • CNI (Container Network Interface) - A specification and libraries for configuring network interfaces in Linux containers. It's a crucial component for Kubernetes networking, allowing different plugins (like Cilium) to implement network functionality.

  • Cilium - An open-source project that uses eBPF to provide networking, security, and observability for container workloads. Cilium implements the CNI specification and offers additional features like network policies, DNS-based filtering, transparent encryption, and kube-proxy replacement.

  • eBPF (extended Berkeley Packet Filter) - A technology that allows custom programs to run in the Linux kernel, enabling advanced networking, security, and observability capabilities without modifying kernel source code or loading kernel modules.

  • Cluster Mesh - A Cilium feature that allows workloads in different Kubernetes clusters to communicate securely, enabling multi-cluster and multi-cloud connectivity.

  • Service Mesh - A dedicated infrastructure layer for facilitating service-to-service communications between microservices, typically providing features like traffic management, security, and observability.

This week's Issue is sponsored by Tines

The new IDC Voice of Security 2025 results are in! And on March 26, join Tines and AWS for an in-depth look into the most important findings from the 900+ security leaders surveyed, including: 

🔸 How AI and automation are transforming security strategies

🔸 The biggest challenges leaders face - and what’s holding them back

🔸 What drives job satisfaction (and frustration) in security leadership

🔸 Where tooling helps vs. where it’s adding to the pain

🔸 What leaders look for when hiring security analysts

🧠 Our Insights from These Practitioners

1 - The Challenge of Multi-Cloud Kubernetes Networking

Organizations like Confluent that operate across multiple cloud providers face significant challenges in maintaining consistent network security policies. Each cloud provider has its own default CNI plugin with limitations that can hinder cross-cloud deployments.

Nimisha and Alvaro shared that Confluent offers data streaming products as managed services across AWS, GCP, and Azure, and these services need to run in the same regions as their customers. This geographic distribution requires managing vast amounts of infrastructure across multiple clouds, creating complexity that's difficult to manage without a consistent networking layer.

"Since it's across multiple clouds, we are also trying to abstract the clouds themselves away from our internal teams as much as we can, which is a great fit for us." - Alvaro Aleman

Liz Rice shared her reasons for Cilium adoption:

"Your ability to seamlessly connect to those legacy workloads without having to worry about whether it's in Kubernetes, if you're the application developer, you shouldn't have to care, is it running on a VM or Kubernetes? It shouldn't really be your concern because you're writing code that does business logic. That's the kind of goal of Cilium is to get all of that networking super efficiently with network policies across wherever you're running your workloads." - Liz Rice

Cloud-Specific Implementation Challenges

The Confluent team faced unique challenges implementing Cilium & Cloud Native network security across each cloud provider:

Azure Challenges

Nimisha detailed the migration challenges on Azure:

"On Azure, we had this issue with the race conditions because in some cases the connectivity would just break and restarting the Cilium pods fixed it. And it was traced down to incorrect IP table rule ordering. Not even what IP table rules, but the ordering itself. And basically boiling down to the kube-proxy IP table rules and the Cilium IP table rules." - Nimisha Mehta

For Azure to work correctly, Cilium's iptables rules must be loaded first, followed by kube-proxy's. However, because both components prepend their rules, whichever starts last wins. Azure's configuration to use hostnames rather than virtual IPs for reliability sometimes caused the ordering to be incorrect.

GCP Challenges

Alvaro described a different issue on Google Cloud:

"The problem in GKE specifically is this is baked into the image the nodes come up with, so you cannot actually disable this and that in turn then means that it's possible that pods get scheduled to a node before Cilium is up... but then what happens is that they get an IP address, but Cilium doesn't know anything about this, which can lead to Cilium later handing out the same IP address to another pod, at which point these other pods is not going to have working network connectivity." - Alvaro Aleman

Their solution was to develop a component that detects pods scheduled before Cilium is ready and deletes them to prevent IP address conflicts.
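The check below is an added illustration of that idea, not Confluent's component: over constructed pod records it lists the non-host-network pods that received a pod IP on a node before cilium-agent became ready there (the deletion candidates) and reports any pod IP handed out twice on one node, the symptom Alvaro describes. Node names, timestamps and IPs are made up, and "container start time before agent ready time" is an assumed heuristic.

```python
from __future__ import annotations
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

@dataclass(frozen=True)
class Pod:
    name: str
    node: str
    started: datetime            # container start time
    pod_ip: str | None
    host_network: bool = False   # host-network pods never take a CNI-managed IP

def _t(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

# Constructed sample: when cilium-agent reported ready on each node.
CILIUM_READY = {"node-a": _t("2025-03-20T10:00:30Z"),
                "node-b": _t("2025-03-20T10:00:10Z")}
SAMPLE_PODS = [
    Pod("early-app", "node-a", _t("2025-03-20T10:00:05Z"), "10.0.1.7"),   # before Cilium
    Pod("late-app", "node-a", _t("2025-03-20T10:00:45Z"), "10.0.1.7"),    # Cilium reused the IP
    Pod("ok-app", "node-b", _t("2025-03-20T10:00:20Z"), "10.0.2.3"),
    Pod("node-exporter", "node-a", _t("2025-03-20T10:00:01Z"), "10.1.0.4", host_network=True),
]

def pods_before_cilium(pods, cilium_ready) -> list[str]:
    """Names of non-host-network pods that got an IP before cilium-agent was ready
    on their node (or whose node has no ready agent at all)."""
    out = []
    for p in pods:
        if p.host_network or p.pod_ip is None:
            continue
        ready = cilium_ready.get(p.node)
        if ready is None or p.started < ready:
            out.append(p.name)
    return out

def duplicate_pod_ips(pods) -> dict[str, list[str]]:
    """Pod IPs assigned to more than one non-host-network pod on the same node."""
    seen = defaultdict(list)
    for p in pods:
        if not p.host_network and p.pod_ip:
            seen[(p.node, p.pod_ip)].append(p.name)
    return {ip: names for (_, ip), names in seen.items() if len(names) > 1}
```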

AWS Challenges

On AWS, the team faced complications with internet connectivity for pods:

"In some of our AWS clusters we use an internet gateway. And what that means is in order to have internet connectivity, you need to reach this internet gateway from the primary IP address of the primary network interface. The problem with network interfaces on AWS is they have a limit in terms of how many IP addresses you can add to them. And Cilium basically allocates additional IP addresses for each pod, but at some point it has to allocate a second interface because the first one is full." - Alvaro Aleman

When pods on secondary interfaces need to reach resources in peered VPCs, routing gets complicated because AWS's reverse path filtering drops the packets. The team implemented NodePort services as a workaround.

Insight Learned - This perspective highlights the unique challenges each cloud service provider adds on top of the open source tools your Kubernetes clusters may already be using. We recommend listening to the whole episode to decide which CSP makes the most sense to start your network troubleshooting with.

2 - Security Benefits of Cilium Beyond Connectivity

While solving networking challenges was the primary driver, the security benefits of Cilium became increasingly important. Liz Rice highlighted several security features:

  1. Layer 7 Network Policies: Beyond basic IP-based filtering, Cilium enables filtering based on application-layer information.

  2. FQDN Policies: Enables allowing or denying network connections based on domain names.
    "You can do things like FQDN policies. So you can say my workload is allowed to speak to example.com, but it's not allowed to speak to cryptocurrency miner dot com." - Liz Rice

  3. Transparent Encryption: Secures pod-to-pod communication without application changes.

  4. eBPF-based Efficiency: Replaces kube-proxy with more efficient eBPF programs for better performance and security.

Tetragon for Runtime Security: Confluent can also leverage Cilium's sub-project, Tetragon, for runtime security monitoring:
"Tetragon... is now 1.0 with Tetragon I think that was just about around the time of the Chicago graduation period. The idea from it was from conversations with some of our enterprise customers." - Liz Rice

Insight Learned - There is no detection without logs. Starting with even the most fundamental logs can be a great way to start building a Detection engineering practice irrespective of cloud provider.

3 - Lessons for Implementation

The experts shared several key lessons from their experience implementing Cilium across multiple clouds:

  1. Documentation Is Essential: Nimisha emphasized the value of Cilium's documentation:
    "The documentation is great for Cilium. Making sure you read all of that. Making sure you keep an eye on the GitHub repo as well, because sometimes people will report issues in the newer versions, which you might be facing too. That helps."

  2. Vendor Support Matters: Working with the provider of your networking solution helps navigate complex integration challenges.

  3. Testing Is Crucial: The Confluent team found that some issues only emerge in production environments, highlighting the importance of careful testing.

  4. Consider Kube-Proxy Replacement: Alvaro noted that they might have avoided some issues by using Cilium's kube-proxy replacement from the beginning:
    "One thing that might have helped a bit is if we actually would have used kube-proxy replacement the whole time. The reason we didn't do it is that there just wasn't the motivation for us in the sense that it didn't have features we needed because this whole performance thing, it's not as much of a practical issue for us."

This collaborative approach leads to more effective detection capabilities that accurately reflect the organization's environment and expected behaviors.

Question for you (reply to this email):

Which Cloud Provider's Kubernetes service do you primarily use for your workloads (AWS, Azure, GCP)?

Next week, we'll explore another critical aspect of cloud security. Stay tuned!

We would love to hear from you📢 for a feature or topic request or if you would like to sponsor an edition of Cloud Security Newsletter.

Thank you for continuing to subscribe, and welcome to the new members of this newsletter community💙

Peace!

Was this forwarded to you? You can Sign up here, to join our growing readership.

Want to sponsor the next newsletter edition? Let's make it happen.

Have you joined our FREE Monthly Cloud Security Bootcamp yet?

Check out our sister podcast AI Cybersecurity Podcast.