Kubernetes From an Attacker's Perspective

Transcript

1. Kubernetes From an Attacker's Perspective Abhisek Datta Head, Security Products

   Appsecco

2. OWASP Bay Area Meetup Group https://www.meetup.com/Bay-Area-OWASP/

3. About Me – Abhisek Datta • Head, Security Products (appsecco.com)

   • Application & Cloud Security • Kubernetes Cluster Security Assessments • TechWing @ null0x00 (null.co.in) • An Open Security Community • Security Researcher • Discovered vulnerabilities in enterprise software and credited with CVE • Open Source Contributor • https://github.com/abhisek @abh1sek on Twitter

4. 1. A quick introduction to Kubernetes 2. Kubernetes from an

   Attacker's Perspective 3. Attacking Kubernetes (Scenarios) Key Take Away

5. My Environment I have a cluster setup on Google Kubernetes

   Engine (GKE) for demo

6. What is Kubernetes?

7. What is Kubernetes? https://www.youtube.com/watch?v=4ht22ReBjno

8. Kubernetes: The Container Orchestration Platform https://v1-16.docs.kubernetes.io/docs/concepts/overview/components/

9. Kubernetes from an Attacker's Perspective

10. Simple Threat Model WHO ARE THE ATTACKERS? WHAT CAN THEY

    ATTACK? HOW CAN THEY ATTACK?

11. 1. External attackers – No access to cluster 2. Internal

    attackers – Attacker in a Pod 3. Privileged attackers – Some access to cluster Who are the attackers?

12. • Etcd Database • Secrets • Credentials • Certificates •

    PKI Information • Volumes (Storage) • Container Images (May be) • Network Services • Etc. What can they attack?

13. How can they attack? 1. What is exposed outside the

    cluster? 2. What is exposed inside the cluster? 3. What is exposed in the cloud environment?

14. Kubernetes: From an Attacker's Perspective https://v1-16.docs.kubernetes.io/docs/concepts/overview/components/

15. Master OS Services API Server Other master components Node(s) OS

    Services Kubelet Container Runtimes Network Services Storage Volumes Apps Security Vulnerability Configuration Weaknesses External Exposure

16. Service Account Privileges Pod Network Service Network Volumes Configs &

    Secrets Environmental Information Internal Trust Internal Exposure – Attacker in a Pod Everything available to an External Attacker + Many More

17. 1. Identity & Access Management 2. Meta-data Service 3. Storage

    1. Object & Block storage services 2. Container Registry 4. Other cloud services Cloud Exposure

18. Attacking Kubernetes Cluster

19. 1. Namespace break-out using insecure hostPath volume mount 2. Lateral

    movement in the cloud – Exploit GKE Instance meta-data endpoint service Attacking Kubernetes

20. Hands-on Attacks Demo

21. Namespace Break-out using hostPath Volume Mount • I am a

    developer and have access to CRUD Pod in developers namespace • I am an attacker and just gained access to a Pod with CI/CD engine that needs to create more Pods to run build jobs Assume any one of the following • We can create Pod, but we are hopefully, greatly restricted to a single namespace Bottom line

22. Namespace Break-out using hostPath Volume Mount Kubernetes supports mounting hostPath

    inside a container This is known and documented to be insecure.. But who cares? We use this feature to access the underlying Node's filesystem from our Pod We can then interact with the Docker Daemon on host Usually its game over by now

23. Lateral Movement in the Cloud – Exploiting Instance Meta-data on

    GKE Assume • We have access to any Pod in a Kubernetes Cluster running in Google Kubernetes Engine (GKE) Why? • We can access the default instance metadata service available to instances in Google Cloud • We want to break-out of the cluster and access other cloud resources

24. • Generate access token using metadata service • Check token

    scopes • Access cloud resources using generated access token • Cloud Storage • Cloud Registry • Etc. Lateral Movement in the Cloud - Exploiting Instance Meta-data on GKE CIS GKE Benchmark Recommendation: 6.2.1. Prefer not running GKE clusters using the Compute Engine default service account

25. Kubernetes Attack Matrix https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/

26. • The Illustrated Children's Guide to Kubernetes • https://www.cncf.io/the-childrens-illustrated-guide-to-kubernetes/ •

    Get started with learning Docker (Containers) • https://www.katacoda.com/courses/docker • Get started with learning Kubernetes using Katacoda • https://www.katacoda.com/courses/kubernetes • Attacking and Auditing Docker Containers and Kubernetes Clusters – Our recently released training material • https://bit.ly/k8s-pentesting More Resources

27. • https://www.cisecurity.org/benchmark/docker/ • https://www.cisecurity.org/benchmark/kubernetes/ • https://cloud.google.com/kubernetes- engine/docs/concepts/cis-benchmarks • https://www.cisecurity.org/benchmark/ubuntu_linux/ (Relevant)

    CIS Benchmarks

28. Questions? [email protected] That’s all for now.. https://appsecco.com @abh1sek github.com/abhisek