Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Advanced Persistence Threats: The Future of Kubernetes Attacks

Advanced Persistence Threats: The Future of Kubernetes Attacks

Presented with Brad Geesaman at KubeCon EU/Virtual 2020.

What would happen if your cluster was successfully compromised by an attacker who understands Kubernetes at a deep level? How could they attempt to avoid detection, cover their tracks, achieve full cluster access, obtain persistence, steal credentials, and launch additional attacks in your environment? As Kubernetes grows in popularity, the sophistication of attackers will improve, and security by obscurity will no longer be sufficient. Cluster operators need to be aware of what a skilled and knowledgeable attacker can be capable of.

Let’s explore the dark corners of clusters and shine a light on how features such as privileged containers and validating webhooks can be used to maliciously mutate pods, exfiltrate data, deploy “shadow” control planes, and more. The audience will learn how to detect these advanced approaches and how to prevent these attacks using practical, proven methods.

Ian Coldwater

August 20, 2020

More Decks by Ian Coldwater

Other Decks in Technology


  1. • Ian Coldwater is a Lead Platform Security Engineer at

    Salesforce, who specializes in hacking and hardening Kubernetes, containers and cloud infrastructure. • Brad Geesaman is the co-founder of Darkbit, who helps clients improve the security of their clusters in cloud-native environments. @bradgeesaman @IanColdwater
  2. DEMO Shadow API Server @bradgeesaman @IanColdwater • launch an in-cluster

 API server that silently bypasses 
 main API servers • no security policy • no logs • no crime!
  3. DEMO - C2BERNETES Use Kubernetes as a C2 infrastructure across

    multiple clusters @bradgeesaman @IanColdwater
  4. WHAT IS K3S? • A lightweight Kubernetes distribution designed for

    resource-constrained environments • Runs as a single <40MB binary • Has a simplified communication channel: only requires a single TLS connection outbound from nodes to the control plane • This is very likely to be available and blend in with other valid traffic :) @bradgeesaman @IanColdwater