PodBeater: Exploiting Multi-value Affinity for Efficient Co-location Attacks in Kubernetes
摘要
Kubernetes supports multi-tenancy by allowing multiple users to share physical infrastructure. However, this design leads to co-location attacks, where an attacker deploys attack pods onto the same node as victim pods to exploit shared hardware resources. While previous work demonstrates the feasibility of such attacks, it assumes that the attacker has sufficient knowledge of the victim pod’s configuration. This paper presents PodBeater, a novel co-location attack that exploits Kubernetes’s multi-value affinity feature to steer the scheduler’s pod placement decisions. Unlike previous work, PodBeater is designed to operate even under a realistic threat model where the attacker lacks knowledge of the victim pod’s configuration. We evaluate PodBeater on both a small-scale cluster with 20 nodes and 350 pods and a large-scale cluster with 40 nodes and 800 pods, demonstrating its effectiveness under both previous and more realistic threat models. Our results show that PodBeater achieves co-location with fewer attack pods compared to previous works.