GKE supports two cluster network modes: routes-based and VPC-native. VPC-native clusters use alias IP address ranges to route traffic from one Pod in a node to another Pod. This allows precise IP-based policies and firewall rules for Pods. In contrast, an entire node is the finest granularity level of control in routes-based clusters.

Example 1: The following example Terraform configuration does not enable a VPC-native cluster by setting networking_mode to ROUTES.

resource "google_container_cluster" "cluster_demo" {
...
  networking_mode = "ROUTES"
..
}

Encryption at rest is not enabled. This exposes data to unauthorized access and potential theft.

Reconnaissance is a necessary precursor to any successful attack against an application. Attackers can successfully identify applications installed by:
1. Matching against client-side code patterns e.g. JavaScript function definitions or variable declarations
2. Probing for resources and interfaces specific to the application being fingerprinted
3. Matching against textual content on web pages that could identify the application underlying the target
4. Locating references to logo image files with identifiable names
This information could aid the attacker in constructing exploits to target known vulnerabilities against the application.

CAPTCHAs are commonly used by web applications to thwart automated form submissions that could have an adverse effect on their operation. Poorly written CAPTCHA implementations can provide a false sense of security. Attackers can fingerprint for implementations with known vulnerabilities and use this information to bypass an application's anti-automation protections. CAPTCHA implementations can be identified by:
1. Matching against known client-side code patterns. For instance, HTML tags and attributes with specific values.
2. Matching against textual content identifying the CAPTCHA implementation

Example: Powered by Animated Gif Captcha
3. Matching against references to known resources and image files

Using fingerprinting probes, attackers can often identify the web server used to host the target application. This information can be used to:
1. Devise attacks focused on exploiting known vulnerabilities reported against the detected server
2. Test for default configuration properties that could lead to security weaknesses

Example 1: Directory listing enabled
3. Exploit known services exposed by the server

Example 2: WebDAV enabled on IIS
4. Customize attacks for the detected server
5. Enumerate known sensitive resources such as installation, setup and configuration files

Kubernetes namespaces divide a cluster into manageable chunks. Namespaces provide a scope for names and facilitate the specification of various policies to a subsection of a cluster. By default, Kubernetes allocates a resource to a default namespace. Using a different namespace than the default reduces the impact of mistakes or malicious activities.

Example 1: The following configuration sets the namespace of a resource to default.

...
kind: ...
metadata:
...
namespace: default
spec:
...

Path manipulation errors occur when the following two conditions are met:

1. An attacker can specify a path used in an operation on the filesystem.
2. By specifying the resource, the attacker gains a capability that would not otherwise be permitted.

An attacker can acquire absolute paths to sensitive resources via information disclosed in error messages. The attacker can use this information to specify arbitrary files to read via unfiltered input. This can lead to a sensitive information disclosure and the recovery of sensitive data such as application source code, database authentication credentials, etc. In certain cases, attackers can also use this flaw to execute arbitrary commands remotely.