Kubernetes From an Attacker's Perspective

Kubernetes is everywhere, a container orchestration platform that is actively supported by all major cloud providers and adopted by companies across size and scale. However, the distributed nature of the system at its core has new and interesting security implications that cannot be tested using conventional tools and techniques.

This talk is aimed at anyone interested in exploring the depths of Kubernetes security from an attacker's perspective, including DevSecOps teams looking to defend against attacker tools and techniques.

The session provides a high-level overview of Kubernetes architecture from an attacker's perspective, i.e. what can be attacked. It then looks, through demos, at modern attacker tools and techniques, using various real-world scenarios for attacking applications and components in a Kubernetes cluster.

Outline
- Attacker's intro to Kubernetes
- Kubernetes attack surfaces (Threat Model)
- Attacker in a Pod (Starting Point)
- Attack scenarios (live)
- Cloud infrastructure attack surface in Kubernetes (GKE)
- Namespace breakout using hostPath volume mounts

Abhisek Datta

May 29, 2020

Transcript

  1. Kubernetes
    From an Attacker's Perspective
    Abhisek Datta
    Head, Security Products
    Appsecco

  2. OWASP Bay Area Meetup Group
    https://www.meetup.com/Bay-Area-OWASP/

  3. About Me – Abhisek Datta
    • Head, Security Products (appsecco.com)
    • Application & Cloud Security
    • Kubernetes Cluster Security Assessments
    • TechWing @ null0x00 (null.co.in)
    • An Open Security Community
    • Security Researcher
    • Discovered vulnerabilities in enterprise software and credited with CVE
    • Open Source Contributor
    • https://github.com/abhisek
    • @abh1sek on Twitter

  4. 1. A quick introduction to Kubernetes
    2. Kubernetes from an Attacker's Perspective
    3. Attacking Kubernetes (Scenarios)
    Key Take Away

  5. My Environment
    I have a cluster setup on Google Kubernetes Engine (GKE) for demo

  6. What is Kubernetes?

  7. What is Kubernetes?
    https://www.youtube.com/watch?v=4ht22ReBjno

  8. Kubernetes: The Container Orchestration Platform
    https://v1-16.docs.kubernetes.io/docs/concepts/overview/components/

  9. Kubernetes from an Attacker's Perspective

  10. Simple Threat Model
    Who are the attackers?
    What can they attack?
    How can they attack?

  11. Who are the attackers?
    1. External attackers – No access to cluster
    2. Internal attackers – Attacker in a Pod
    3. Privileged attackers – Some access to cluster

  12. What can they attack?
    • Etcd Database
    • Secrets
    • Credentials
    • Certificates
    • PKI Information
    • Volumes (Storage)
    • Container Images (Maybe)
    • Network Services
    • Etc.

  13. How can they attack?
    1. What is exposed outside the cluster?
    2. What is exposed inside the cluster?
    3. What is exposed in the cloud environment?

  14. Kubernetes: From an Attacker's Perspective
    https://v1-16.docs.kubernetes.io/docs/concepts/overview/components/

  15. Master: OS Services, API Server, Other master components
    Node(s): OS Services, Kubelet, Container Runtimes, Network Services, Storage Volumes, Apps
    Security Vulnerability, Configuration Weaknesses, External Exposure

  16. Internal Exposure – Attacker in a Pod
    Everything available to an External Attacker + Many More
    • Service Account Privileges
    • Pod Network
    • Service Network
    • Volumes
    • Configs & Secrets
    • Environmental Information
    • Internal Trust

  17. Cloud Exposure
    1. Identity & Access Management
    2. Meta-data Service
    3. Storage
      1. Object & Block storage services
      2. Container Registry
    4. Other cloud services

  18. Attacking Kubernetes Cluster

  19. Attacking Kubernetes
    1. Namespace break-out using insecure hostPath volume mount
    2. Lateral movement in the cloud – Exploit GKE Instance meta-data endpoint service

  20. Hands-on Attacks
    Demo

  21. Namespace Break-out using hostPath Volume Mount
    Assume any one of the following
    • I am a developer and have access to CRUD Pod in developers namespace
    • I am an attacker and just gained access to a Pod with CI/CD engine that needs to create more Pods to run build jobs
    Bottom line
    • We can create Pods, but we are, hopefully, greatly restricted to a single namespace

  22. Namespace Break-out using hostPath Volume Mount
    Kubernetes supports mounting hostPath inside a container
    This is known and documented to be insecure.. But who cares?
    We use this feature to access the underlying Node's filesystem from our Pod
    We can then interact with the Docker Daemon on host
    Usually it's game over by now
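A defender-side check for the break-out described on this slide: an audit that lists every hostPath volume in a cluster's Pod listing and rates node-root and runtime-socket mounts as HIGH. This is an added example, not code from the talk or from Appsecco's training material; it assumes input in the shape of `kubectl get pods -A -o json` (the `.items` array) and the sensitive-path lists are this example's own choices.

```python
"""Audit Pod specs for hostPath volumes (added example, not from the talk)."""
import json

# Exact host paths that hand a Pod the node root or the container runtime socket.
SENSITIVE_PATHS = {"/", "/var/run/docker.sock", "/run/containerd/containerd.sock"}
# Prefixes under which kubelet, runtime and host credentials live (assumed list).
SENSITIVE_PREFIXES = ("/etc", "/var/lib/kubelet", "/var/lib/docker", "/root")


def rate_host_path(path):
    """HIGH for node-root or runtime-socket style mounts, MEDIUM for any other hostPath."""
    stripped = path.strip("/")
    norm = "/" + stripped if stripped else "/"
    if norm in SENSITIVE_PATHS or norm.startswith(SENSITIVE_PREFIXES):
        return "HIGH"
    return "MEDIUM"


def host_path_findings(pod):
    """Return (namespace, pod, volume, path, severity) for every hostPath volume in a Pod."""
    meta = pod.get("metadata", {})
    ns, name = meta.get("namespace", "default"), meta.get("name", "?")
    findings = []
    for vol in pod.get("spec", {}).get("volumes") or []:
        hp = vol.get("hostPath")
        if hp is None:
            continue  # emptyDir, configMap, secret, PVC: not a host mount
        path = hp.get("path", "")
        findings.append((ns, name, vol.get("name", "?"), path, rate_host_path(path)))
    return findings


def audit(pods):
    """Flatten findings across a cluster listing, HIGH severity first."""
    found = [f for pod in pods for f in host_path_findings(pod)]
    return sorted(found, key=lambda f: (f[4] != "HIGH", f[0], f[1]))


# Constructed sample listing: a CI runner Pod that mounts the node root and the
# Docker socket (the scenario on the slide), and a benign Pod using emptyDir only.
SAMPLE_PODS = json.loads("""[
 {"metadata": {"namespace": "developers", "name": "ci-runner"},
  "spec": {"volumes": [{"name": "hostroot", "hostPath": {"path": "/"}},
                       {"name": "dockersock", "hostPath": {"path": "/var/run/docker.sock"}}]}},
 {"metadata": {"namespace": "developers", "name": "web"},
  "spec": {"volumes": [{"name": "cache", "emptyDir": {}}]}}
]""")

if __name__ == "__main__":
    for ns, pod, vol, path, sev in audit(SAMPLE_PODS):
        print(f"{sev:6} {ns}/{pod} volume={vol} hostPath={path}")
```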

  23. Lateral Movement in the Cloud – Exploiting Instance Meta-data on GKE
    Assume
    • We have access to any Pod in a Kubernetes Cluster running in Google Kubernetes Engine (GKE)
    Why?
    • We can access the default instance metadata service available to instances in Google Cloud
    • We want to break-out of the cluster and access other cloud resources

  24. Lateral Movement in the Cloud – Exploiting Instance Meta-data on GKE
    • Generate access token using metadata service
    • Check token scopes
    • Access cloud resources using generated access token
      • Cloud Storage
      • Cloud Registry
      • Etc.
    CIS GKE Benchmark Recommendation: 6.2.1. Prefer not running GKE clusters using the Compute Engine default service account
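A configuration check for the path on this slide: whether a node pool's metadata server would mint a token worth stealing. This is an added example, not from the talk; it assumes input in the shape of `gcloud container node-pools describe <pool> --format=json` (fields `config.serviceAccount`, `config.oauthScopes`, `config.workloadMetadataConfig.mode`, verify against your gcloud version) and the rules are this example's own reading of CIS GKE Benchmark 6.2.1.

```python
"""Flag GKE node pools whose metadata tokens enable lateral movement (added example)."""

# Scopes that let a token minted from the node metadata server reach storage or
# registry data; the set is this example's own choice.
BROAD_SCOPES = {
    "https://www.googleapis.com/auth/cloud-platform",
    "https://www.googleapis.com/auth/devstorage.read_write",
    "https://www.googleapis.com/auth/devstorage.full_control",
}


def node_pool_findings(pool):
    """Return a list of finding strings for one node pool description (dict)."""
    name = pool.get("name", "?")
    cfg = pool.get("config", {})
    findings = []
    # CIS GKE 6.2.1: nodes on the Compute Engine default service account make every
    # Pod's metadata token as powerful as that (typically Editor-role) account.
    sa = cfg.get("serviceAccount", "default")
    if sa == "default" or sa.endswith("-compute@developer.gserviceaccount.com"):
        findings.append(f"{name}: nodes run as the Compute Engine default service account ({sa})")
    broad = BROAD_SCOPES & set(cfg.get("oauthScopes", []))
    if broad:
        findings.append(f"{name}: node OAuth scopes grant broad access: {sorted(broad)}")
    # Without GKE_METADATA mode (Workload Identity) Pods talk to the node's metadata
    # server directly and receive the node service account's token.
    mode = cfg.get("workloadMetadataConfig", {}).get("mode")
    if mode != "GKE_METADATA":
        findings.append(f"{name}: Pods reach the node metadata server directly (mode={mode})")
    return findings


def audit_pools(pools):
    return {p.get("name", "?"): node_pool_findings(p) for p in pools}


# Constructed samples: a default-settings pool (the slide's scenario) and a hardened one.
SAMPLE_POOLS = [
    {"name": "default-pool",
     "config": {"serviceAccount": "default",
                "oauthScopes": ["https://www.googleapis.com/auth/cloud-platform"]}},
    {"name": "hardened-pool",
     "config": {"serviceAccount": "gke-nodes@example-project.iam.gserviceaccount.com",
                "oauthScopes": ["https://www.googleapis.com/auth/logging.write",
                                "https://www.googleapis.com/auth/monitoring"],
                "workloadMetadataConfig": {"mode": "GKE_METADATA"}}},
]

if __name__ == "__main__":
    for pool, items in audit_pools(SAMPLE_POOLS).items():
        print(pool, "OK" if not items else "")
        for line in items:
            print("  -", line)
```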

  25. Kubernetes Attack Matrix
    https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/

  26. More Resources
    • The Illustrated Children's Guide to Kubernetes
      • https://www.cncf.io/the-childrens-illustrated-guide-to-kubernetes/
    • Get started with learning Docker (Containers)
      • https://www.katacoda.com/courses/docker
    • Get started with learning Kubernetes using Katacoda
      • https://www.katacoda.com/courses/kubernetes
    • Attacking and Auditing Docker Containers and Kubernetes Clusters – Our recently released training material
      • https://bit.ly/k8s-pentesting

  27. (Relevant) CIS Benchmarks
    • https://www.cisecurity.org/benchmark/docker/
    • https://www.cisecurity.org/benchmark/kubernetes/
    • https://cloud.google.com/kubernetes-engine/docs/concepts/cis-benchmarks
    • https://www.cisecurity.org/benchmark/ubuntu_linux/

  28. Questions?
    [email protected]
    That’s all for now..
    https://appsecco.com
    @abh1sek
    github.com/abhisek