Looking Back: CIS on Managed K8S

LOOKING BACK: CIS ON MANAGED K8S OWASP SAITAMA MTG. #6;
TALK #2

TEXT SESSION FLAGS ▸ ࿥Իɾ࿥ըɾ಺༰ެ։: OK Image by Nico Kaiser
on flickr, CC-BY 2.0

TEXT WHO I AM ▸ Takahiro Yoshimura (@alterakey)   https://keybase.io/alterakey
▸ Monolith Works Inc.   Co-founder, CTO   Security researcher ▸ ໌࣏େֶαΠόʔηΩϡϦςΟݚڀॴ   ٬һݚڀһ

TEXT WHAT I DO ▸ Security research and development ▸
iOS/Android Apps   →Financial, Games, IoT related, etc. (>200)   →trueseeing: Non-decompiling Android Application Vulnerability Scanner [2017] ▸ Windows/Mac/Web/HTML5 Apps   →POS, RAD tools etc. ▸ Network/Web penetration testing   →PCI-DSS etc. ▸ Search engine reconnaissance   (aka. Google Hacking) ▸ Whitebox testing ▸ Forensic analysis

TEXT WHAT I DO ▸ CTF ▸ Enemy10, Sutegoma2 ▸
METI CTFCJ 2012 Qual.: Won ▸ METI CTFCJ 2012: 3rd ▸ DEF CON 21 CTF: 6th ▸ DEF CON 22 OpenCTF: 4th ▸ ൃදɾߨԋͳͲ   DEF CON 25 Demo Labs (2017)   DEF CON 27 AI Village (2019)   CODE BLUE (2017, 2019)   CYDEF (2020) etc. Image by Wiyre Media on flickr, CC-BY 2.0

TEXT BACKGROUND ▸ CIS Benchmarks:   ઃఆͷ҆શੑΛ٬؍తʹධՁ͢ΔͨΊͷ໛ൣઃఆ ▸ ͍Ζ͍Ζͳίϯϙʔωϯτʹଘࡏ ▸
OS: Ubuntu, RHEL, FreeBSD, Windows, etc. ▸ Mobile: Android, iOS etc. ▸ Virtualizers: Docker, K8s, etc. ▸ Apps: Chrome, Safari, Firefox, MS Browsers, MS Of fi ce, Zoom etc. ▸ Daemons: nginx, httpd, postgres etc.

TEXT BACKGROUND ▸ K8s: ίϯςφΛޮ཰తʹӡ༻Ͱ͖ΔαʔϏε ▸ ޿͘࢖ΘΕ͓ͯΓɺઃఆ͸ॊೈͰ޿ൣ ▸ Ϋϥ΢υ؀ڥʹ΋ଘࡏ ▸
GKE (Google Cloud Platform) ▸ EKS (Amazon Web Services) ▸ AKS (Microsoft Azure)

TEXT DISCLAIMER ▸ ճސ࿥Ͱ͢ (2021/3) Image by Mike Finn on
flickr, CC-BY 2.0

TEXT PROBLEM ▸ ϕετϓϥΫςΟεΛద༻͍ͨ͠ͱ͍͏ґཔ ▸ Ϋϥ΢υ؀ڥͰӡ༻ ▸ GKE / EKS
/ AKS શͯ Image by Social Innovation Camp on flickr, CC-BY 2.0

TEXT SCORING SECURITY OF YOUR K8S ▸ Benchmark: ໿121߲໨ ▸
είΞϦϯά͸Ͳ͏ߦͳ͏ͷ͔ʁ ▸ ίϯςφͰ૸ΒͤΔ͚ͩͷπʔϧ͕ଘࡏ   https://github.com/aquasecurity/kube- bench (Active) ▸ ͋ͱ͸खಈͰͻͱͭͻͱͭ Image by Dr Case on flickr, CC-BY-NC 2.0

TEXT PROBLEM #1: K8S IN THE CLOUDS ▸ Ϋϥ΢υ؀ڥͰӡ༻͍ͯ͠Δ=managed ▸
มߋՄೳͳͷ͸Ұ෦ͷઃఆ஋ͷΈ   →Master Node͸·ͣख͕ग़ͳ͍   →Worker NodeʹखΛग़ͤΔέʔε΋ ▸ ϊʔυ͕ͦ΋ͦ΋͏ͭΖ͍มΘΔ   →Worker NodeؒͰͲͷΑ͏ʹҾ͖ܧ͙ͷͩ ▸ Master Node, API, Controller Manager, etcd, Worker Nodeܥ͸ద༻Ͱ͖ͳ͍ Image by Elliot Brown on flickr, CC-BY-SA 2.0

TEXT PROBLEM #2: SHATTERED SKIES ▸ Ϋϥ΢υ֤ࣾͱ΋ಛԽͨ͠ϊ΢ϋ΢͕͋Δ   →֤ࣾͱ΋Benchmarkͷଘࡏ͸ҙࣝɺҎԼ ▸
GKE: CIS GKE Benchmark 1.0.0/1.1.0 ▸ EKS: CIS Amazon EKS Benchmark 1.0.1 ▸ AKS: Kubernetes Benchmark 1.6.0 (?!) ▸ ౷੍͕શ͘औΕ͍ͯͳ͍ʂ ▸ ਏ͏ͯ͡ϕʔε͕໌ه͞Ε͍ͯΔ…͚ͩ ▸ ֤ࣾҙࣝ͢Δ͸͍͍͕ɺBenchmark͕ࢄࡏ͢Δҙຯͱ ͸ Image by the noggin_nogged on flickr, CC-BY-NC-ND 2.0

TEXT PROBLEM #3: TOOLCHAIN LIMITATIONS ▸ Kube-bench͕΄΅໾ʹཱͨͳ͔ͬͨ ▸ ݕ஌Մೳൣғ: ࣮࣭తʹ4.x.x
(Worker)ͷΈ   →introspectionϕʔεʹͳΔͷͰ౰વ ▸ ޡݕ஌: ΄΅શҬ   →managed؀ڥͰ͸ະ࢖༻͋Δ͍͸؀ڥ͔Β ಋೖ͞ΕΔͳͲͰؾ͚ͮͳ͍ ▸ πʔϧͷҙຯ͕…   ݁ہखͰ΍Δ͔͠ͳ͍ Image by Alexsandre PIRON on flickr, CC-BY-NC-ND 2.0

TEXT CASE STUDY ▸ σϑΥϧτͰ͔ͳΓରࡦ͞Ε͍ͯΔ ▸ ௥Ճରࡦ͕ඞཁͳ΋ͷͷΈ… ▸ جຊతʹLv. 1૬౰ʢҰ෦Lv.
2ʣ ▸ ߲൪͸CIS Google Kubernetes Engine Benchmark 1.0.0ʹ͍͍ͩͨ४ڌ Image by Cheryl Brind on flickr, CC-BY 2.0

TEXT S3.2: AUDIT LOGS ▸ ؂ࠪϩάͷ༗ޮԽ ▸ ؂ࠪϩάͷϙϦγʔ֬ೝ Image by
PSNH on flickr, CC-BY-ND 2.0

TEXT S5: POLICIES - RBAC AND SERVICE ACCTS. ▸ ݖݶͷ࠷খԽ
▸ cluster-adminΞΧ΢ϯτͷ࠷খԽ   →kubectl delete clusterrolebinding [name] ▸ ൿີͷอޢ ▸ Secret΁ΞΫηεͰ͖ΔΞΧ΢ϯτͷ࠷খԽ   →Secretͷget, list, watchݖݶϨϏϡʔ Image by tomislav medak on flickr, CC-BY 2.0

TEXT S5: POLICIES - RBAC AND SERVICE ACCTS. ▸ ඞཁݖݶͷ໌֬Խ
▸ σϑΥϧταʔϏεΞΧ΢ϯτ (DSA) ͷഇࢭ   →໌ࣔతSAͷ࡞੒͓Αͼ֤DSAʹ͓͍ͯ   automountServiceAccountToken: false ▸ ߈ܸαʔϑΣεͷ࠷খԽ ▸ αʔϏετʔΫϯͷෆཁͳϚ΢ϯτΛఀࢭ   →tokenΛmount͢Δඞཁ͕ͳ͍pod/service accountʹ͓͍ͯແޮʹ Image by tomislav medak on flickr, CC-BY 2.0

TEXT S5: POLICIES - POD SECURITY POLICIES ▸ ಛݖͷ੍ݶ ▸
ҎԼͷಛ௃Λ࣋ͭPSPͷ࢖༻   * .spec.privileged͕লུ͋Δ͍͸false   * .spec.hostPID͕লུ͋Δ͍͸false   * .spec.hostIPC͕লུ͋Δ͍͸false   * .spec.hostNetwork͕লུ͋Δ͍͸false   * .spec.allowPrivilegeEscalation͕লུ͋Δ͍͸false   * .spec.requiredDropCapabilitiesʹNET_RAW͋Δ ͍͸ALLΛؚΉ   * .allowedCapabilities͕লུ͋Δ͍͸ۭू߹ Image by SoulRider.222 on flickr, CC-BY-NC 2.0

TEXT S5: POLICIES - GENERAL POLICIES ▸ ݖݶͷ࠷খԽ ▸ ໊લۭؒʹΑΔݖݶ෼ׂ
  →NamespaceΛඞཁͳ͚ͩ࢖༻ͯ͠αʔϏε Λ෼ׂ͢Δ   →σϑΥϧτ໊લۭؒ͸ഇࢭ Image by Joan by flickr, CC-BY-NC 2.0

TEXT S6: MANAGED SERVICES ▸ ݖݶͷ࠷খԽ ▸ ϦϙδτϦΞΫηεͷϨϏϡʔ ▸ ϊʔυؒ௨৴ͷ੍໿
(N. Policy/Mesh N.) ▸ Serverlessϊʔυͷੵۃతར༻ ▸ Ϛϧ΢ΣΞରࡦ ▸ ϦϙδτϦεΩϟϯαʔϏεͷ༗ޮԽ Image by Zee on flickr, CC-BY-SA 2.0

TEXT S6: MANAGED SERVICES ▸ ඞཁݖݶͷ໌֬Խ ▸ ໌ࣔతαʔϏεΞΧ΢ϯτ΁ͷݖݶׂ෇ (e.g. IAM)
▸ ൿີͷอޢ ▸ ֎෦KMSΛ࢖༻ͨ͠҉߸Խ ▸ ߈ܸαʔϑΣεͷ࠷খԽ ▸ ࣗಈߋ৽ͷ༗ޮԽ ▸ ϗετ๷ޚػߏͷ࢖༻ (Shielded Nodes etc.) ▸ Control Plane Endpoint΁ͷΞΫηε੍ޚ Image by Guovanni Fasulo on flickr, CC-BY 2.0

TEXT TAKEAWAYS ▸ Ϋϥ΢υ؀ڥͰӡ༻͍ͯ͠Δ=managed ▸ มߋՄೳͳͷ͸Ұ෦ͷઃఆ஋ͷΈ ▸ ϊʔυ͕͏ͭΖ͍มΘΔ   →఻೻Ͱ͖ͳ͍΋ͷ͸࣮࣭తʹઃఆෆೳ
▸ ϚϧνΫϥ΢υ: ֤ࣾϊ΢ϋ΢͕͋Δ   →֤ࣾͱ΋Benchmarkͷଘࡏ͸ҙࣝ   →͕ͩ౷੍͕औΕ͍ͯͳ͍ʂ ▸ ݕূπʔϧ͸໾ʹཱͨͳ͍ Image by Elliot Brown on flickr, CC-BY-SA 2.0

TEXT TAKEAWAYS ▸ Benchmark͸ͱ͍͑͹ ▸ ݴ͍ͬͯΔ͜ͱ͸ۃΊͯଥ౰ ▸ ֬ೝ͢΂͖ࢹ఺͸֤ࣾڞ௨ ▸ ݖݶ/߈ܸαʔϑΣεͷ࠷খԽ
▸ ඞཁݖݶ͸໌֬Խ͠ೝՄػߏΛ࢖͏ ▸ ಛݖͷ੍໿: PSPେࣄ ▸ ؂ࠪࢹ໺ͷ֬อ Image by Dr Case on flickr, CC-BY-NC 2.0

TEXT TAKEAWAYS ▸ Benchmark͸ͱ͍͑͹ ▸ ଥ౰ੑʹٙ໰ූ͕͖͔ͭͶͳ͍هड़ ▸ ϊʔυ୯Ґͷઃఆ஋มߋ͕scoredѻ͍ ▸ ᐆດ͔ͭแׅతͰఆੑతͳهड़͕์ஔ
▸ ॻ͖͔͚͋Δ͍͸ෆਖ਼֬ͳهड़͕์ஔ ▸ ܁Γฦ͕͢͜Ε͸ճސ࿥…   ࠓ͸Ϛγʹͳ͍ͬͯΔ͜ͱΛئ͏͹͔Γ Image by Mike Finn on flickr, CC-BY 2.0

FIN. 24.1.2022 TAKAHIRO YOSHIMURA (@ALTERAKEY)

Looking Back: CIS on Managed K8S

Looking Back: CIS on Managed K8S

Takahiro Yoshimura

More Decks by Takahiro Yoshimura

Other Decks in Technology

Featured

Transcript

LOOKING BACK: CIS ON MANAGED K8S OWASP SAITAMA MTG. #6;

TEXT SESSION FLAGS ▸ ࿥Իɾ࿥ըɾ಺༰ެ։: OK Image by Nico Kaiser

TEXT WHO I AM ▸ Takahiro Yoshimura (@alterakey)   https://keybase.io/alterakey

TEXT WHAT I DO ▸ Security research and development ▸

TEXT WHAT I DO ▸ CTF ▸ Enemy10, Sutegoma2 ▸

TEXT BACKGROUND ▸ CIS Benchmarks:   ઃఆͷ҆શੑΛ٬؍తʹධՁ͢ΔͨΊͷ໛ൣઃఆ ▸ ͍Ζ͍Ζͳίϯϙʔωϯτʹଘࡏ ▸

TEXT BACKGROUND ▸ K8s: ίϯςφΛޮ཰తʹӡ༻Ͱ͖ΔαʔϏε ▸ ޿͘࢖ΘΕ͓ͯΓɺઃఆ͸ॊೈͰ޿ൣ ▸ Ϋϥ΢υ؀ڥʹ΋ଘࡏ ▸

TEXT DISCLAIMER ▸ ճސ࿥Ͱ͢ (2021/3) Image by Mike Finn on

TEXT PROBLEM ▸ ϕετϓϥΫςΟεΛద༻͍ͨ͠ͱ͍͏ґཔ ▸ Ϋϥ΢υ؀ڥͰӡ༻ ▸ GKE / EKS

TEXT SCORING SECURITY OF YOUR K8S ▸ Benchmark: ໿121߲໨ ▸

TEXT PROBLEM #1: K8S IN THE CLOUDS ▸ Ϋϥ΢υ؀ڥͰӡ༻͍ͯ͠Δ=managed ▸

TEXT PROBLEM #2: SHATTERED SKIES ▸ Ϋϥ΢υ֤ࣾͱ΋ಛԽͨ͠ϊ΢ϋ΢͕͋Δ   →֤ࣾͱ΋Benchmarkͷଘࡏ͸ҙࣝɺҎԼ ▸

TEXT PROBLEM #3: TOOLCHAIN LIMITATIONS ▸ Kube-bench͕΄΅໾ʹཱͨͳ͔ͬͨ ▸ ݕ஌Մೳൣғ: ࣮࣭తʹ4.x.x

TEXT CASE STUDY ▸ σϑΥϧτͰ͔ͳΓରࡦ͞Ε͍ͯΔ ▸ ௥Ճରࡦ͕ඞཁͳ΋ͷͷΈ… ▸ جຊతʹLv. 1૬౰ʢҰ෦Lv.

TEXT S3.2: AUDIT LOGS ▸ ؂ࠪϩάͷ༗ޮԽ ▸ ؂ࠪϩάͷϙϦγʔ֬ೝ Image by

TEXT S5: POLICIES - RBAC AND SERVICE ACCTS. ▸ ݖݶͷ࠷খԽ

TEXT S5: POLICIES - RBAC AND SERVICE ACCTS. ▸ ඞཁݖݶͷ໌֬Խ

TEXT S5: POLICIES - POD SECURITY POLICIES ▸ ಛݖͷ੍ݶ ▸

TEXT S5: POLICIES - GENERAL POLICIES ▸ ݖݶͷ࠷খԽ ▸ ໊લۭؒʹΑΔݖݶ෼ׂ

TEXT S6: MANAGED SERVICES ▸ ݖݶͷ࠷খԽ ▸ ϦϙδτϦΞΫηεͷϨϏϡʔ ▸ ϊʔυؒ௨৴ͷ੍໿

TEXT S6: MANAGED SERVICES ▸ ඞཁݖݶͷ໌֬Խ ▸ ໌ࣔతαʔϏεΞΧ΢ϯτ΁ͷݖݶׂ෇ (e.g. IAM)

TEXT TAKEAWAYS ▸ Ϋϥ΢υ؀ڥͰӡ༻͍ͯ͠Δ=managed ▸ มߋՄೳͳͷ͸Ұ෦ͷઃఆ஋ͷΈ ▸ ϊʔυ͕͏ͭΖ͍มΘΔ   →఻೻Ͱ͖ͳ͍΋ͷ͸࣮࣭తʹઃఆෆೳ

TEXT TAKEAWAYS ▸ Benchmark͸ͱ͍͑͹ ▸ ݴ͍ͬͯΔ͜ͱ͸ۃΊͯଥ౰ ▸ ֬ೝ͢΂͖ࢹ఺͸֤ࣾڞ௨ ▸ ݖݶ/߈ܸαʔϑΣεͷ࠷খԽ

TEXT TAKEAWAYS ▸ Benchmark͸ͱ͍͑͹ ▸ ଥ౰ੑʹٙ໰ූ͕͖͔ͭͶͳ͍هड़ ▸ ϊʔυ୯Ґͷઃఆ஋มߋ͕scoredѻ͍ ▸ ᐆດ͔ͭแׅతͰఆੑతͳهड़͕์ஔ

Q?

FIN. 24.1.2022 TAKAHIRO YOSHIMURA (@ALTERAKEY)