
Ship of Fools: Shoring Up Kubernetes Security

Hackers gonna hack. They have their own motivations, and they don’t care about your constraints. As attackers, they want to find vulnerabilities and exploit them. As a defender, your mission is to stop them. Mistakes can be easy to make, but with the right configuration and attention to security best practices many attacks can be prevented.

This talk will give you practical advice about securing your Kubernetes clusters, from an attacker’s perspective. We’ll walk through the attack process from discovery to post-exploitation, and you’ll walk away with tools and techniques that can be used for prevention along the way. Learn how to keep your infrastructure safer by making a hacker’s job harder.

Ian Coldwater

July 13, 2018

Transcript

  1. SHIP OF FOOLS Shoring Up Kubernetes Security @IanColdwater

  2. WHO AM I? My name is Ian Coldwater. I do DevSecOps at Jamf Software, where I focus on container security and hardening cloud infrastructure. I’m also an ethical hacker.

  3. AS AN ATTACKER, I WANT TO PWN YOU.

  4. WHAT'S A CONTAINER?

  5. WHAT IS KUBERNETES?
     • Kubernetes is an open-source system for automating deployment, scaling, and management of containerized applications. It groups containers that make up an application into logical units for easy management and discovery.

  6. (no text)

  7. (no text)

  8. EVEN HACKERS AREN'T IMMUNE TO THIS https://hackernoon.com/capturing-all-the-flags-in-bsidessf-ctf-by-pwning-our-infrastructure-3570b99b4dd0

  9. SOME CONSIDERATIONS
     • Kubernetes has a very active community of contributors who are pushing changes very quickly. Security features have vastly improved in the last several releases.
     • Older Kubernetes releases are still commonly found in production, and left a lot wide open by default.
     • Attack and defense can vary with individual configurations.

  10. GOOD NEWS AND BAD NEWS
     • It is possible to secure your Kubernetes cluster.
     • It's probably not going to come that way by default.
     • Security doesn't end there.

  11. (no text)

  12. (no text)

  13. WHAT IS YOUR THREAT MODEL?
     • What are you trying to protect?
     • Who are you trying to protect it from?
     • What capabilities do your adversaries have?
     • What capabilities do you have to defend against them?

  14. KUBERNETES THREAT MODEL
     • External attacker
     • Application or container compromise
     • Compromised user or credentials

  15. AN ATTACKER'S WORKFLOW
     • Discovery
     • Enumeration
     • Getting In
     • Post-Exploitation
     • Exfiltration
     • Privilege Escalation
     • Lateral Movement
     • Persistence?
     • Rinse and Repeat

  16. EXTERNALLY VISIBLE PORTS
     • 2379/tcp open | etcd
     • 4194/tcp open | cAdvisor
     • 443/tcp open | API Server (sometimes this is port 6443 or 8443)
     • 8080/tcp open | Insecure API Server
     • 10250/tcp open | kubelet
     • 10255/tcp open | kubelet (read only)
     • ???/open | various network plugins

  17. (no text)

  18. PREVENTING EXTERNAL ATTACKERS
     • Don't leave your ports open if you don't have to
     • Make sure that all management ports that are visible externally require authentication
     • Limit SSH access to Kubernetes nodes
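Slides 16 and 18 list the ports and ask that every externally visible management port require authentication. As an added example (not from the talk), this Python audit parses kube-apiserver and kubelet command lines (constructed samples, not from a real cluster) and reports the 2018-era flag settings that leave those ports unauthenticated; the defaults it assumes for absent flags are those flags' documented upstream defaults at the time.

```python
import shlex

# Each check: (component, flag, assumed default when the flag is absent,
# "is bad" predicate on the effective value, finding). Flag names are the
# upstream 2018-era flags; the defaults are their documented defaults then.
CHECKS = [
    ("kube-apiserver", "--insecure-port", "8080", lambda v: v != "0",
     "unauthenticated API on 8080/tcp; set --insecure-port=0"),
    ("kube-apiserver", "--anonymous-auth", "true", lambda v: v == "true",
     "API server accepts anonymous requests; set --anonymous-auth=false"),
    ("kube-apiserver", "--authorization-mode", "AlwaysAllow",
     lambda v: "AlwaysAllow" in v.split(","), "API server authorizes everything; use RBAC"),
    ("kubelet", "--anonymous-auth", "true", lambda v: v == "true",
     "kubelet on 10250/tcp accepts anonymous requests; set --anonymous-auth=false"),
    ("kubelet", "--authorization-mode", "AlwaysAllow", lambda v: v == "AlwaysAllow",
     "kubelet authorizes everything; set --authorization-mode=Webhook"),
    ("kubelet", "--read-only-port", "10255", lambda v: v != "0",
     "unauthenticated kubelet read-only API on 10255/tcp; set --read-only-port=0"),
]

def parse_flags(cmdline: str) -> dict:
    # Map '--flag=value', '--flag value' and bare '--flag' (a true boolean) to a dict.
    tokens, flags, i = shlex.split(cmdline), {}, 1  # token 0 is the binary name
    while i < len(tokens):
        tok = tokens[i]
        if "=" in tok:
            key, val = tok.split("=", 1)
            flags[key] = val
        elif i + 1 < len(tokens) and not tokens[i + 1].startswith("--"):
            flags[tok] = tokens[i + 1]
            i += 1
        else:
            flags[tok] = "true"
        i += 1
    return flags

def audit(component: str, cmdline: str) -> list:
    # Findings for one component; absent flags take their (insecure) defaults.
    flags = parse_flags(cmdline)
    return [msg for comp, flag, default, bad, msg in CHECKS
            if comp == component and bad(flags.get(flag, default))]

# Constructed sample command lines, not captured from a real cluster.
WEAK_APISERVER = "kube-apiserver --etcd-servers=http://127.0.0.1:2379 --insecure-port=8080"
HARDENED_KUBELET = "kubelet --anonymous-auth=false --authorization-mode=Webhook --read-only-port=0"

if __name__ == "__main__":
    for name, cmd in (("kube-apiserver", WEAK_APISERVER), ("kubelet", HARDENED_KUBELET)):
        print(name, audit(name, cmd) or ["no findings"])
```

The weak API server line trips all three API server checks even though it only sets one flag, which is the point of slide 10: the insecure state is the default state.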
  19. DEFENDERS THINK IN LISTS. ATTACKERS THINK IN GRAPHS. What’s in your graph?

  20. USER OR CREDENTIAL COMPROMISE

  21. PREVENTING USER COMPROMISE
     • Don’t fall for social engineering!
     • Keep credentials encrypted and limit access to them.

  22. CONTAINER COMPROMISE

  23. KUBERNETES CONTROL PLANE

  24. CONTAINER BREAKOUTS shit just got real

  25. PREVENTING CONTAINER COMPROMISE
     • Write your own applications as securely as possible.
     • Treat other people’s code with caution!
     • Run static code analysis on your applications and containers to check for vulnerabilities. You can use open source tools for this such as Clair by CoreOS.
     • If you find vulnerabilities, patch or mitigate them.

  26. DEFENSE IN DEPTH
     • Reduce your attack surface
     • Limit your blast radius

  27. PRINCIPLE OF LEAST PRIVILEGE

  28. CONTROLS
     • Network Policies
     • Admission Controllers
     • Role-Based Access Control
     • Pod Security Policies
     • Resource Quotas
     • Logging and Monitoring
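The admission controller and Pod Security Policy entries on slide 28 come down to rejecting pod specs that ask for more privilege than they need (slide 27). As an added example (not from the talk), this Python function applies a handful of such rules to a Pod object of the shape a validating admission webhook receives; the rule set and the two sample pods are this example's own constructions.

```python
# Admission check in the spirit of Pod Security Policies: take a Pod object as
# a validating admission webhook receives it and return the least-privilege
# rules it violates. Rule set loosely follows the upstream "restricted" profile.
def pod_violations(pod: dict) -> list:
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext", {})
    found = []
    for key in ("hostNetwork", "hostPID", "hostIPC"):  # host namespace sharing
        if spec.get(key):
            found.append(f"spec.{key} is true")
    for vol in spec.get("volumes", []):  # host filesystem access
        if "hostPath" in vol:
            found.append(f"volume {vol.get('name')} mounts hostPath {vol['hostPath'].get('path')}")
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        sc = c.get("securityContext", {})
        name = c.get("name", "?")
        if sc.get("privileged"):
            found.append(f"container {name} is privileged")
        if sc.get("allowPrivilegeEscalation", True):  # upstream default is true
            found.append(f"container {name} allows privilege escalation")
        if not (sc.get("runAsNonRoot") or pod_sc.get("runAsNonRoot")):
            found.append(f"container {name} may run as root")
        if sc.get("capabilities", {}).get("add"):
            found.append(f"container {name} adds capabilities {sorted(sc['capabilities']['add'])}")
    return found

# Constructed sample objects, not from any real cluster.
RISKY_POD = {
    "spec": {
        "hostNetwork": True,
        "volumes": [{"name": "logs", "hostPath": {"path": "/var/log"}}],
        "containers": [{"name": "shipper", "image": "shipper:latest",
                        "securityContext": {"privileged": True}}],
    },
}
HARDENED_POD = {  # a pod the same check admits
    "spec": {
        "securityContext": {"runAsNonRoot": True},
        "containers": [{"name": "shipper", "image": "shipper:1.4.2",
                        "securityContext": {"allowPrivilegeEscalation": False,
                                            "capabilities": {"drop": ["ALL"]}}}],
    },
}

if __name__ == "__main__":
    for label, pod in (("risky", RISKY_POD), ("hardened", HARDENED_POD)):
        print(label, pod_violations(pod) or ["admitted"])
```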
  29. GENERAL RECOMMENDATIONS
     • If you can upgrade, upgrade. If you can’t upgrade, mitigate.
     • Secure defaults are very important!
     • Be careful with your secrets
     • Log and monitor… outside your cluster.

  30. TL;DR
     • A lot of this is standard security advice.
     • Practice good cyber hygiene, and get the basics right!

  31. YOU GOT THIS! I believe in you!

  32. RESOURCES
     • securing your cluster - goo.gl/gE9sj6
     • hacking and hardening kubernetes by example - goo.gl/QJhsDb
     • a hacker's guide to kubernetes and the cloud - goo.gl/CZgG6V
     • preventing attacks at scale - goo.gl/Y7EeU7
     • shipping in pirate-infested waters - goo.gl/TRwXCu
     • CIS benchmarks - goo.gl/v2ZWXR
     • lessons from the cryptojacking attack at tesla - goo.gl/u4ucvo
     • analysis of a kubernetes hack - goo.gl/VKteVq
     • attackers think in graphs - goo.gl/imExzC
     • github.com/kelseyhightower/nocode - the best way to write secure and reliable applications!