
Kubernetes From an Attacker's Perspective


Kubernetes is everywhere: a container orchestration platform that is actively supported by all major cloud providers and adopted by companies of every size and scale. However, the distributed nature of the system at its core has new and interesting security implications that cannot be tested using conventional tools and techniques.

This talk is aimed at anyone interested in exploring the depths of Kubernetes security from an attacker's perspective, including DevSecOps teams looking to defend against attacker tools and techniques.

The session provides a high-level overview of Kubernetes architecture from an attacker's perspective, i.e. what can be attacked. It then looks, through demos, at modern attacker tools and techniques, using various real-world scenarios for attacking applications and components in a Kubernetes cluster.

- Attacker's intro to Kubernetes
- Kubernetes attack surfaces (Threat Model)
- Attacker in a Pod (Starting Point)
- Attack scenarios (live)
- Cloud infrastructure attack surface in Kubernetes (GKE)
- Namespace breakout using hostPath volume mounts

Abhisek Datta

May 29, 2020




  1. About Me – Abhisek Datta
     - Head, Security Products (appsecco.com)
     - Application & Cloud Security
     - Kubernetes Cluster Security Assessments
     - TechWing @ null0x00 (null.co.in), an open security community
     - Security Researcher: discovered vulnerabilities in enterprise software and credited with CVEs
     - Open Source Contributor: https://github.com/abhisek, @abh1sek on Twitter
  2. Outline
     1. A quick introduction to Kubernetes
     2. Kubernetes from an Attacker's Perspective
     3. Attacking Kubernetes (Scenarios)
     - Key Take Away
  3. Who are the attackers?
     1. External attackers – No access to cluster
     2. Internal attackers – Attacker in a Pod
     3. Privileged attackers – Some access to cluster
  4. What can they attack?
     - Etcd Database
     - Secrets
     - Credentials
     - Certificates
     - PKI Information
     - Volumes (Storage)
     - Container Images (maybe)
     - Network Services
     - Etc.
  5. How can they attack?
     1. What is exposed outside the cluster?
     2. What is exposed inside the cluster?
     3. What is exposed in the cloud environment?
  6. External Exposure (diagram)
     - Master: OS Services, API Server, Other master components
     - Node(s): OS Services, Kubelet, Container Runtimes, Network Services, Storage Volumes, Apps
     - Weakness classes: Security Vulnerability, Configuration Weaknesses
  7. Internal Exposure – Attacker in a Pod
     - Everything available to an External Attacker + Many More
     - Service Account Privileges
     - Pod Network
     - Service Network
     - Volumes
     - Configs & Secrets
     - Environmental Information
     - Internal Trust
  8. Cloud Exposure
     1. Identity & Access Management
     2. Meta-data Service
     3. Storage
        1. Object & Block storage services
        2. Container Registry
     4. Other cloud services
  9. Attacking Kubernetes
     1. Namespace break-out using insecure hostPath volume mount
     2. Lateral movement in the cloud – Exploit GKE Instance meta-data endpoint service
  10. Namespace Break-out using hostPath Volume Mount
      - Assume any one of the following:
        - I am a developer and have access to CRUD Pods in the developers namespace
        - I am an attacker and have just gained access to a Pod running a CI/CD engine that needs to create more Pods to run build jobs
      - Bottom line: we can create Pods, but we are, hopefully, tightly restricted to a single namespace
  11. Namespace Break-out using hostPath Volume Mount
      - Kubernetes supports mounting a hostPath inside a container
      - This is known and documented to be insecure... but who cares?
      - We use this feature to access the underlying Node's filesystem from our Pod
      - We can then interact with the Docker Daemon on the host
      - Usually it's game over by now
  12. Lateral Movement in the Cloud – Exploiting Instance Meta-data on GKE
      - Assume: we have access to any Pod in a Kubernetes cluster running in Google Kubernetes Engine (GKE)
      - Why?
        - We can access the default instance metadata service available to instances in Google Cloud
        - We want to break out of the cluster and access other cloud resources
  13. Lateral Movement in the Cloud – Exploiting Instance Meta-data on GKE
      - Generate an access token using the metadata service
      - Check token scopes
      - Access cloud resources using the generated access token: Cloud Storage, Cloud Registry, etc.
      - CIS GKE Benchmark Recommendation 6.2.1: Prefer not running GKE clusters using the Compute Engine default service account
  14. More Resources
      - The Illustrated Children's Guide to Kubernetes – https://www.cncf.io/the-childrens-illustrated-guide-to-kubernetes/
      - Get started with learning Docker (Containers) – https://www.katacoda.com/courses/docker
      - Get started with learning Kubernetes using Katacoda – https://www.katacoda.com/courses/kubernetes
      - Attacking and Auditing Docker Containers and Kubernetes Clusters – our recently released training material – https://bit.ly/k8s-pentesting
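A defender's check for the hostPath pattern described in slides 10 and 11: the script below, an added example and not code from the talk, audits Pod manifests for hostPath volumes and ranks each one by how much of the node it exposes. The sample Pods and the list of sensitive host paths are constructed for this example.

```python
# Host paths that expose the node's filesystem or the container runtime's
# control socket. Heuristic list, an assumption made for this example.
SENSITIVE_HOST_PATHS = ("/", "/var/run/docker.sock", "/var/lib/kubelet", "/etc")


def is_sensitive(path):
    """True if the hostPath is a known-dangerous location or lies under one."""
    norm = "/" + path.strip("/")  # drop trailing slashes; "" becomes "/"
    if norm == "/":
        return True
    return any(norm == s or norm.startswith(s + "/")
               for s in SENSITIVE_HOST_PATHS if s != "/")


def audit_pod(pod):
    """Return one finding per hostPath volume, with the containers that mount it."""
    meta, spec = pod.get("metadata", {}), pod.get("spec", {})
    findings = []
    for vol in spec.get("volumes", []):
        hp = vol.get("hostPath")
        if not hp:
            continue
        # (container, mountPath, readOnly) for every container using this volume
        mounts = [(c["name"], m.get("mountPath"), bool(m.get("readOnly", False)))
                  for c in spec.get("containers", [])
                  for m in c.get("volumeMounts", []) if m.get("name") == vol["name"]]
        findings.append({
            "pod": f"{meta.get('namespace', 'default')}/{meta.get('name', '?')}",
            "volume": vol["name"], "hostPath": hp.get("path", ""),
            # The Baseline Pod Security Standard forbids hostPath outright;
            # the ranking only says how bad a given mount is.
            "severity": "high" if is_sensitive(hp.get("path", "")) else "medium",
            "mounts": mounts,
        })
    return findings


# Constructed samples: a CI runner in the developers namespace mounting the node
# root (the break-out pattern), a read-only log shipper, and a plain web Pod.
SAMPLE_PODS = [
    {"metadata": {"name": "ci-runner", "namespace": "developers"},
     "spec": {"containers": [{"name": "runner",
                              "volumeMounts": [{"name": "host", "mountPath": "/host"}]}],
              "volumes": [{"name": "host", "hostPath": {"path": "/"}}]}},
    {"metadata": {"name": "log-shipper", "namespace": "ops"},
     "spec": {"containers": [{"name": "shipper", "volumeMounts": [
                  {"name": "logs", "mountPath": "/logs", "readOnly": True}]}],
              "volumes": [{"name": "logs", "hostPath": {"path": "/var/log/"}}]}},
    {"metadata": {"name": "web", "namespace": "developers"},
     "spec": {"containers": [{"name": "nginx"}]}},
]
```

Pointed at real manifests (for example the output of listing Pods as JSON), the same function gives an inventory of every hostPath in the cluster, which is the set a namespace-restricted attacker would look for.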
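For the GKE scenario in slides 12 and 13 and the CIS 6.2.1 recommendation, this added example (not from the talk) audits node-pool descriptions for the conditions that make the instance metadata service a lateral-movement path: nodes running as the Compute Engine default service account, the broad cloud-platform OAuth scope, and nodes serving their own metadata to Pods. The node-pool documents are constructed, and the field names follow the GKE NodeConfig API as I know it (config.serviceAccount, config.oauthScopes, config.workloadMetadataConfig.mode), which is an assumption here.

```python
# Scope that lets a node token reach every API enabled in the project.
CLOUD_PLATFORM_SCOPE = "https://www.googleapis.com/auth/cloud-platform"


def audit_node_pool(pool):
    """Return (check, detail) findings for one node-pool description (dict)."""
    cfg = pool.get("config", {})
    findings = []
    # CIS GKE 6.2.1: "default" means the Compute Engine default service account.
    if cfg.get("serviceAccount", "default") == "default":
        findings.append(("default-service-account",
                         "nodes run as the Compute Engine default service account"))
    # A token minted from the metadata service is only as useful as its scopes.
    if CLOUD_PLATFORM_SCOPE in cfg.get("oauthScopes", []):
        findings.append(("broad-oauth-scope",
                         "cloud-platform scope lets a node token reach every enabled API"))
    # Without GKE_METADATA (Workload Identity), Pods talk to the GCE metadata
    # server directly and can fetch the node service account's token.
    mode = cfg.get("workloadMetadataConfig", {}).get("mode", "GCE_METADATA")
    if mode != "GKE_METADATA":
        findings.append(("node-metadata-exposed",
                         f"workloadMetadataConfig.mode={mode}: Pods can read the node token"))
    return findings


def audit_all(pools):
    """Map each pool name to the list of failed check names."""
    return {name: [check for check, _ in audit_node_pool(p)] for name, p in pools.items()}


# Constructed samples: a legacy pool on defaults and a hardened pool with a
# dedicated service account, narrow scopes and Workload Identity.
SAMPLE_POOLS = {
    "legacy-pool": {"name": "legacy-pool", "config": {
        "serviceAccount": "default", "oauthScopes": [CLOUD_PLATFORM_SCOPE]}},
    "hardened-pool": {"name": "hardened-pool", "config": {
        "serviceAccount": "gke-node@example-project.iam.gserviceaccount.com",
        "oauthScopes": ["https://www.googleapis.com/auth/logging.write",
                        "https://www.googleapis.com/auth/monitoring"],
        "workloadMetadataConfig": {"mode": "GKE_METADATA"}}},
}
```

Real input would be the JSON from `gcloud container node-pools describe ... --format=json`, one document per pool.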