$30 off During Our Annual Pro Sale. View Details »

Kubernetes From an Attacker's Perspective

Abhisek Datta
May 29, 2020
Technology
4
7k

Kubernetes From an Attacker's Perspective

Kubernetes is everywhere, a container orchestration platform that is actively supported by all major cloud providers and adopted by companies across size and scale. However, the distributed nature of the system at its core has new and interesting security implications that cannot be tested using conventional tools and techniques.

This talk is aimed for anyone interested in exploring the depths of Kubernetes security from an attacker's perspective including DevSecOps Teams looking to defend against attacker tools and techniques.

The session will provide a high-level overview of Kubernetes architecture from an attacker's perspective i.e. what can be attacked. Subsequently look at, through demos, modern attacker tools and techniques using various real-world scenarios for attacking applications and components in a Kubernetes cluster.

Outline
- Attacker's intro to Kubernetes
- Kubernetes attack surfaces (Threat Model)
- Attacker in a Pod (Starting Point)
- Attack scenarios (live)
- Cloud infrastructure attack surface in Kubernetes (GKE)
- Namespace breakout using hostPath volume mounts

Abhisek Datta

May 29, 2020
Tweet

More Decks by Abhisek Datta

See All by Abhisek Datta
Kubernetes from an Attacker's Perspective - fwd:CloudSec 2020
abhisek
0
330
Kubernetes 101 for Penetration Testers - null Mumbai
abhisek
5
3.6k
Securing Microservices at API Gateway using Cloud Native Solutions
abhisek
1
370
Application Security Workflow Automation using Docker and Kubernetes
abhisek
0
420
Application Security Workflow Automation using Docker and Kubernetes
abhisek
0
570
Towards Verifiable Infrastructure Security
abhisek
0
170
Your Internet Exposure the Makes You Vulnerable
abhisek
0
140
Towards Verifiable Infrastructure Security
abhisek
0
48
Mobile Appsec from an attacker's perspective
abhisek
0
430

Other Decks in Technology

See All in Technology
Intlの今までとこれから
sajikix
7
2.7k
Vertex AI Feature Store に 機械学習エンジニアが涙した 理由
asei
3
1.2k
プライベートプロダクト戦略 - フロントエンドカンファレンス沖縄 / private_product_frontend
rdlabo
3
2.3k
DMMプラットフォームにおける GKE を利用した プラットフォームエンジニアリングへの 取り組み
pospome
1
150
GraphQLクライアントの技術選定 2023冬
kazukihayase
6
2.6k
分散型SNS最新状況
kojira
0
180
機械学習システム構築実践ガイド
shibuiwilliam
0
240
Cloud Security Day 2023パネルディスカッション資料
coconala_engineer
0
140
APIテスト導入から2年。アジャイルな組織で見えてきたmabl活用の道
bengo4com
0
1.9k
3つの⽴場で考える技術的負債への組織的アプローチ
sansantech
PRO
16
4.7k
20年以上続くサービスの 管理画面リプレイスを行いながら 技術的負債と向き合った話
radkmb
0
2k
太田博三
otanet
0
160

Featured

See All Featured
What's in a price? How to price your products and services
michaelherold
236
10k
The Pragmatic Product Professional
lauravandoore
23
5.4k
4 Signs Your Business is Dying
shpigford
172
21k
Making the Leap to Tech Lead
cromwellryan
120
8.2k
Designing on Purpose - Digital PM Summit 2013
jponch
108
6.2k
Navigating Team Friction
lara
177
13k
Designing for Performance
lara
601
66k
How to Create Impact in a Changing Tech Landscape [PerfNow 2023]
tammyeverts
0
260
Templates, Plugins, & Blocks: Oh My! Creating the theme that thinks of everything
marktimemedia
16
1.5k
Put a Button on it: Removing Barriers to Going Fast.
kastner
56
2.8k
Sharpening the Axe: The Primacy of Toolmaking
bcantrill
12
1k
A Tale of Four Properties
chriscoyier
150
22k

Transcript

  1. Kubernetes
    From an Attacker's Perspective
    Abhisek Datta
    Head, Security Products
    Appsecco

    View Slide

  2. OWASP Bay Area Meetup Group
    https://www.meetup.com/Bay-Area-OWASP/

    View Slide

  3. About Me – Abhisek Datta
    • Head, Security Products (appsecco.com)
    • Application & Cloud Security
    • Kubernetes Cluster Security Assessments
    • TechWing @ null0x00 (null.co.in)
    • An Open Security Community
    • Security Researcher
    • Discovered vulnerabilities in enterprise software
    and credited with CVE
    • Open Source Contributor
    • https://github.com/abhisek
    @abh1sek on
    Twitter

    View Slide

  4. 1. A quick introduction to Kubernetes
    2. Kubernetes from an Attacker's Perspective
    3. Attacking Kubernetes (Scenarios)
    Key Take Away

    View Slide

  5. My Environment
    I have a cluster setup on Google Kubernetes Engine (GKE) for demo

    View Slide

  6. What is
    Kubernetes?

    View Slide

  7. What is Kubernetes?
    https://www.youtube.com/watch?v=4ht22ReBjno

    View Slide

  8. Kubernetes: The Container Orchestration Platform
    https://v1-16.docs.kubernetes.io/docs/concepts/overview/components/

    View Slide

  9. Kubernetes from
    an Attacker's
    Perspective

    View Slide

  10. Simple Threat Model
    WHO ARE THE
    ATTACKERS?
    WHAT CAN
    THEY ATTACK?
    HOW CAN
    THEY ATTACK?

    View Slide

  11. 1. External attackers – No access to cluster
    2. Internal attackers – Attacker in a Pod
    3. Privileged attackers – Some access to cluster
    Who are the attackers?

    View Slide

  12. • Etcd Database
    • Secrets
    • Credentials
    • Certificates
    • PKI Information
    • Volumes (Storage)
    • Container Images (May be)
    • Network Services
    • Etc.
    What can they attack?

    View Slide

  13. How can they attack?
    1. What is exposed outside the cluster?
    2. What is exposed inside the cluster?
    3. What is exposed in the cloud environment?

    View Slide

  14. Kubernetes: From an Attacker's Perspective
    https://v1-16.docs.kubernetes.io/docs/concepts/overview/components/

    View Slide

  15. Master
    OS Services
    API Server
    Other master
    components
    Node(s)
    OS Services
    Kubelet
    Container Runtimes
    Network Services
    Storage Volumes
    Apps
    Security
    Vulnerability
    Configuration
    Weaknesses
    External Exposure

    View Slide

  16. Service
    Account
    Privileges
    Pod Network
    Service
    Network
    Volumes
    Configs &
    Secrets
    Environmental
    Information
    Internal Trust
    Internal Exposure – Attacker in a Pod
    Everything available to an External Attacker + Many More

    View Slide

  17. 1. Identity & Access Management
    2. Meta-data Service
    3. Storage
    1. Object & Block storage services
    2. Container Registry
    4. Other cloud services
    Cloud Exposure

    View Slide

  18. Attacking
    Kubernetes
    Cluster

    View Slide

  19. 1. Namespace break-out using insecure hostPath
    volume mount
    2. Lateral movement in the cloud – Exploit GKE
    Instance meta-data endpoint service
    Attacking Kubernetes

    View Slide

  20. Hands-on Attacks
    Demo

    View Slide

  21. Namespace
    Break-out
    using
    hostPath
    Volume
    Mount
    • I am a developer and have access to
    CRUD Pod in developers
    namespace
    • I am an attacker and just gained
    access to a Pod with CI/CD engine
    that needs to create more Pods to
    run build jobs
    Assume any one of the
    following
    • We can create Pod, but we are
    hopefully, greatly restricted to a
    single namespace
    Bottom line

    View Slide

  22. Namespace
    Break-out
    using
    hostPath
    Volume
    Mount
    Kubernetes supports
    mounting hostPath inside
    a container
    This is known and
    documented to be
    insecure.. But who
    cares?
    We use this feature to access the underlying
    Node's filesystem from our Pod
    We can then interact with the Docker
    Daemon on host
    Usually its game over by now

    View Slide

  23. Lateral
    Movement in
    the Cloud –
    Exploiting
    Instance
    Meta-data
    on GKE
    Assume
    • We have access to any Pod in a
    Kubernetes Cluster running in
    Google Kubernetes Engine (GKE)
    Why?
    • We can access the default instance
    metadata service available to
    instances in Google Cloud
    • We want to break-out of the cluster
    and access other cloud resources

    View Slide

  24. • Generate access token using metadata service
    • Check token scopes
    • Access cloud resources using generated access token
    • Cloud Storage
    • Cloud Registry
    • Etc.
    Lateral Movement in the Cloud -
    Exploiting Instance Meta-data on GKE
    CIS GKE Benchmark Recommendation: 6.2.1. Prefer not running GKE
    clusters using the Compute Engine default service account

    View Slide

  25. Kubernetes Attack Matrix
    https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/

    View Slide

  26. • The Illustrated Children's Guide to Kubernetes
    • https://www.cncf.io/the-childrens-illustrated-guide-to-kubernetes/
    • Get started with learning Docker (Containers)
    • https://www.katacoda.com/courses/docker
    • Get started with learning Kubernetes using Katacoda
    • https://www.katacoda.com/courses/kubernetes
    • Attacking and Auditing Docker Containers and Kubernetes Clusters – Our recently
    released training material
    • https://bit.ly/k8s-pentesting
    More Resources

    View Slide

  27. • https://www.cisecurity.org/benchmark/docker/
    • https://www.cisecurity.org/benchmark/kubernetes/
    • https://cloud.google.com/kubernetes-
    engine/docs/concepts/cis-benchmarks
    • https://www.cisecurity.org/benchmark/ubuntu_linux/
    (Relevant) CIS Benchmarks

    View Slide

  28. Questions?
    [email protected]
    That’s all for now..
    https://appsecco.com
    @abh1sek
    github.com/abhisek

    View Slide