← Notes 목록

[Project: 330-playball-infra]

Penetration Test — Infrastructure Vulnerability Findings and Remediation

2026-04-15Security / Pentest / Remediation

Overview#

During a KT Cloud TechUp cybersecurity exercise, four red teams conducted a 72-hour penetration test against the PlayBall platform. 28 remediation actions were taken for vulnerabilities found in the infrastructure.

Item	Details
Period	2026-04-02 ~ 04 (72 hours)
Target	goormgb.space (Dev), staging.playball.one (Staging)
Red teams	4 teams (Team 5, 1, 4, 7)
Infrastructure fixes	28 completed

Major Successful Attacks#

Attack	Severity	Description
Kiali/kafka-ui takeover	CRITICAL	Unauthenticated admin tools exposed externally → cluster info exfiltrated
EKS API server exposed	HIGH	Public 0.0.0.0/0 → anyone could reach the API
Rate limiting absent	HIGH	10 consecutive login attempts succeeded; brute force feasible
Direct ALB access	HIGH	Requests reached ALB directly, bypassing CloudFront/WAF

Infrastructure Vulnerabilities Found#

CRITICAL#

ID	Vulnerability	Remediation
C-10	Kiali prod unauthenticated write access	Admin Tools IP Whitelist (#25)
C-11	kafka-ui unauthenticated, readOnly:false	Admin Tools IP Whitelist (#25)

HIGH#

ID	Vulnerability	Remediation
H-02	K8s API server externally exposed (0.0.0.0/0)	EKS Control Plane access restriction (#4)
H-03	K8s internal service DNS exposed	NetworkPolicy default-deny (#13)
H-05	Actuator fully exposed	Internal path block via AuthorizationPolicy (#24)
H-06	Internal routes + K8s URI exposed	Resolved by Actuator removal (#24)
H-08	Server resource info exposed	Resolved by Actuator removal (#24)
H-09	Unlimited thread pool DoS	Kyverno Require Resource Limits (#17)
H-10	IP blacklist bypass via direct ALB access	CloudFront migration + ALB SG restriction (#1, #2, #3)
H-11	SQLi app-level filter bypass risk	Istio WAF EnvoyFilter (#21)
H-12	Suspected OS Command Injection	Istio WAF EnvoyFilter (#21)

MEDIUM#

ID	Vulnerability	Remediation
M-01	Staging ALB directly exposed (no CDN)	CloudFront migration (#1)
M-02	Swagger UI externally accessible	Returns 404 (resolved)
M-05	Admin endpoint existence confirmed	JWT AuthorizationPolicy (#23)
M-07	Actuator RBAC mismatch	Internal path block (#24)
M-08	Gateway route count exposed	Resolved by Actuator removal (#24)
M-12	No origin validation + no rate limiting	Rate Limiting (#22)

Infrastructure Remediation (28 items)#

Network / Access Control#

#	Action	Addressed	Before	After
1	Staging API → CloudFront migration	M-01, H-10	Direct ALB exposure	CloudFront Alias
2	Prod API → CloudFront migration	M-01, H-10	Direct ALB / single Cloudflare	CloudFront Distribution
3	Staging ALB SG restriction	H-10, M-01	443 ← 0.0.0.0/0	CloudFront PL + team IPs only
4	EKS Control Plane access restriction	H-02	public_access 0.0.0.0/0	Bastion SG + team IPs, private_access=true
25	Admin Tools IP Whitelist	C-10, C-11	Unauthenticated external access	DENY for non-team IPs (kiali/kafka-ui/grafana etc.)

Istio Service Mesh Security#

#	Action	Addressed	Before	After
14	mTLS STRICT	General encryption	PERMISSIVE mixed	Mesh-wide STRICT
21	WAF (EnvoyFilter + Lua)	H-11, H-12	No L7 detection	10-pattern detection (SQLi/XSS/CmdInj etc.) + auto IP blacklist
22	Rate Limiting (Local + Global)	M-12	No limits	/auth 10/s, /payment 5/s, /signup 3/s
23	JWT RequestAuthentication + AuthZ	M-05	App-only JWT validation	Istio edge JWKS validation (unauthenticated → 401)
24	Internal path blocking	H-05, H-06, H-08, M-07	/actuator, /metrics accessible	DENY policy applied

IAM / Access Management#

#	Action	Addressed	Before	After
5	Node IMDSv2 enforcement	SSRF prevention	IMDSv1 allowed	IMDSv2 only
11	IAM IRSA least privilege	C-02	Long-lived Access Keys	OIDC-based per-SA IAM Role, static keys revoked
12	SSO Permission Set separation	Least privilege	Single Admin-Full	4 roles: DevOps/Developer/Security/ReadOnly

Kubernetes Policy (Kyverno)#

#	Action	Addressed	Effect
13	NetworkPolicy default-deny	H-03	Blocks lateral movement between namespaces
15	Disallow Privileged	Pod isolation	Blocks privileged=true
16	Disallow :latest Tag	Version tracking	Prohibits image:latest
17	Require Resource Limits	H-09	Enforces CPU/Memory limits
18	Require ArgoCD Management	GitOps enforcement	Blocks resources without ArgoCD labels
19	Protect Critical Namespaces	C-10, C-11	Blocks unauthorized changes to kube-system/argocd/istio-system
20	Policy Reporter	Violation visibility	Collects violations + Discord alerts

Audit / Monitoring#

#	Action	Effect
6	EKS Control Plane logging	api/audit/authenticator/scheduler all → CloudWatch
7	CloudTrail Multi-Region + Log Validation	Stronger audit trail
8	Audit log S3 security policy	AES256 + Versioning + Lifecycle
9	Real-time security event alerting	EventBridge → Lambda → Discord
10	S3 audit event summary alerts	S3 API monitoring → Discord

Data Protection#

#	Action	Addressed	Before	After
26	RDS encryption + Deletion Protection	C-05	Default settings	storage_encrypted=true, deletion_protection=true
27	RDS credentials migrated to Secrets Manager	C-05	Plaintext .env	Secrets Manager + External Secrets

Remediation Results#

Before vs After#

Item	Before	After
EKS API	Public 0.0.0.0/0	Bastion + team IPs only
ALB access	Directly exposed	CloudFront only
Admin tools (Kiali, kafka-ui)	Unauthenticated external access	IP Whitelist + authentication
Internal communication	mTLS PERMISSIVE	mTLS STRICT
L7 attack defense	None	WAF 10-pattern detection + auto IP block
Rate Limiting	None	Per-path limits (/auth 10/s etc.)
IAM key management	Long-lived Access Keys	IRSA (OIDC-based temporary credentials)
DB credentials	Plaintext .env	Secrets Manager
Audit logs	Not configured	CloudTrail + EventBridge → Discord real-time alerts
Pod security policy	None	Kyverno 6 policies + Policy Reporter