Objective: Gain unauthorized access to, control over, or exfiltration of data from, the Airflow DAGs, tasks, or underlying infrastructure managed by the Airflow instance deployed via the Helm chart.
+-----------------------------------------------------+
| Gain Unauthorized Access/Control/Data Exfiltration |
| from Airflow Instance (Deployed via Helm Chart) |
+-----------------------------------------------------+
|
+---------------------------------------------------------------------------------------------------------------------------------------+
| |
+--------+--------+ +-------------------------------+
| Exploit | | Misconfigure |
| Airflow | | Helm Chart / Kubernetes |
| Chart | | |
| Vulner- | | |
| abilities | | |
+--------+--------+ +-------------------------------+
| |
+--------+--------+ +-------------------------------+
| ***Default*** | | !!!Weak !!! |
| ***Credentials| | !!!RBAC !!! |
+--------+--------+ | !!!Permissions!!! |
+-------------------------------+
|
+-------------------------------+
| !!!Overly!!! |
| !!!Permissive!!! |
| !!!ServiceAccount!!! |
+-------------------------------+
- Description: The attacker attempts to gain access to the Airflow instance by using default or easily guessable credentials that were not changed during deployment. This is a common attack vector against many applications, and Helm charts are not immune if they are not designed with security in mind.
- Likelihood: Very Low (if the chart is properly designed) / High (if defaults are present and unchanged)
- Impact: High (full Airflow control)
- Effort: Very Low
- Skill Level: Novice
- Detection Difficulty: Easy (with credential scanning or basic monitoring)
- Mitigation:
- The Helm chart MUST NOT ship with default credentials.
- Force users to set strong, unique credentials during installation.
- Implement a mechanism to detect and warn about the use of default credentials.
- Provide clear documentation and warnings about the importance of changing default credentials.
- Description: The attacker leverages overly permissive Role-Based Access Control (RBAC) settings within the Kubernetes cluster. If the ServiceAccounts used by the Airflow components (webserver, scheduler, worker) have more permissions than necessary, an attacker who compromises any part of the deployment (or even another application in the cluster) can escalate privileges and gain broader control over the cluster.
- Likelihood: Medium
- Impact: High (privilege escalation within the cluster)
- Effort: Low
- Skill Level: Intermediate
- Detection Difficulty: Medium (with RBAC auditing tools)
- Mitigation:
- The Helm chart should follow the principle of least privilege.
- Create specific ServiceAccounts for each Airflow component with the minimum necessary permissions.
- Provide clear documentation and examples of secure RBAC configurations.
- Use tools like
kube-scoreto analyze the security posture of the deployed resources. - Regularly audit RBAC configurations.
Attack Tree Path: Misconfigure Helm Chart / Kubernetes -> Overly Permissive ServiceAccount (Critical Node)
- Description: The attacker leverages an overly permissive ServiceAccount assigned to Airflow pods. If this ServiceAccount has excessive privileges within the Kubernetes cluster, an attacker who compromises an Airflow pod can use those privileges to access other resources or perform actions they shouldn't be able to.
- Likelihood: Medium
- Impact: High (privilege escalation within the cluster)
- Effort: Low
- Skill Level: Intermediate
- Detection Difficulty: Medium (with RBAC auditing tools and Kubernetes API monitoring)
- Mitigation:
- The Helm chart should follow the principle of least privilege. Each Airflow component should have its own ServiceAccount with only the permissions it needs.
- Avoid using the
defaultServiceAccount. - Regularly review and audit ServiceAccount permissions.
- Use Kubernetes Pod Security Policies (or a successor like Kyverno or Gatekeeper) to enforce restrictions on ServiceAccount usage.