
DIY Kubernetes Pen Testing

Check for insecure configurations with kube-hunter! This talk shows what kube-hunter is doing and how an attacker might take advantage of insecure configurations in a Kubernetes cluster. You can watch a recording of this talk from KubeCon Barcelona here: https://www.youtube.com/watch?v=fVqCAUJiIn0

Liz Rice

May 23, 2019

Transcript

  2. Image Jefferson Santos on Unsplash

  3. Image nmap.org

  5. ■ github.com/aquasecurity/kube-hunter

  6. Image mario on Flickr

  7. "Welcome to Club KubeCon. Free entry!"
     "Show me your ID."
     "If you’re not on the list, you’re not coming in."
     Image Channel 4

  8. Image Foundry Co from Pixabay

  9. Image Kerstin Riemer from Pixabay

  10. curl :8080
    curl :8080/api/v1
    curl :8080/api/v1/namespaces
    curl :8080/api/v1/namespaces/default/pods

  11. curl -k https://:6443

  12. Image Pixabay

  13. curl -k https://:6443/swaggerapi
    curl -k https://:6443/healthz
    curl -k https://:6443/api/v1

  14. Image Rudy and Peter Skitterians on Pixabay

  15. Diagram: a Kubernetes cluster showing a pod, its token, and the API server

  16. Image cocoparisienne on Pixabay

  18. curl -k https://:2379
    curl -k https://:2379/version

  20. curl -k https://:10250
    curl -k https://:10250/metrics
    curl -k https://:10250/pods

  23. Diagram: a Kubernetes cluster showing a pod, its token, and the API server
  25. Image Free-Photos on Pixabay

  26. Image IAOM-US on Pixabay

  27. @handler.subscribe(NewHostEvent)
      class PortDiscovery(Hunter):
          def execute(self):
              # probe each default port on the newly discovered host
              for p in default_ports:
                  if self.test_connection(self.host, p):
                      self.publish_event(OpenPortEvent(port=p))

  28. import requests

      @handler.subscribe(OpenPortEvent,
                         predicate=lambda x: x.port == 10255 or x.port == 10250)
      class KubeletDiscovery(Hunter):
          def get_read_access(self):
              # an unauthenticated 200 on /metrics means the kubelet port is readable
              r = requests.get("http://{host}:{port}/metrics".format(
                  host=self.host, port=self.port))
              if r.status_code == 200:
                  self.publish_event(ReadKubeletEvent())

  29. @handler.subscribe(ReadKubeletEvent)
      class ReadKubeletPortHunter(Hunter):
          def execute(self):
              k8s_version = self.get_k8s_version()
              if k8s_version:
                  self.publish_event(K8sVersionDisclosure(
                      version=k8s_version))

  30. class K8sVersionDisclosure(Vulnerability, Event):
          def __init__(self, version):
              Vulnerability.__init__(self, Kubelet,
                  "K8s Version Disclosure", category=InformationDisclosure)
              self.evidence = version
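The four slides above show how kube-hunter chains hunters together: a host event leads to port events, a readable kubelet port leads to a version-disclosure finding. The following is an added example, written for this page and not code from the talk or from kube-hunter itself, that reimplements that event bus end to end and ties it back to the unauthenticated port probes on the earlier slides (8080, 6443, 2379, 10250/10255). The network is replaced by a constructed in-memory cluster (`FAKE_CLUSTER`, `fake_get`) so it runs offline; the names `Handler`, `Hunter`, `hunt` and the assumption that the version can be read from the `kubernetes_build_info` line of `/metrics` are this example's own.

```python
import re
from collections import defaultdict

# Constructed stand-in for the network: port -> {path: (status, body)}.
# Ports not listed are "closed". 6443 is an API server refusing anonymous
# requests; 10255 is a kubelet read-only port that answers /metrics with no
# credentials at all, the misconfiguration the curl slides look for.
FAKE_CLUSTER = {
    6443: {"/": (403, "forbidden"), "/version": (403, "forbidden")},
    10255: {"/": (404, ""),
            "/metrics": (200, 'kubernetes_build_info{gitVersion="v1.14.1"} 1')},
}
DEFAULT_PORTS = [8080, 6443, 2379, 10250, 10255]  # the ports the slides probe


def fake_get(cluster, port, path):
    """Stand-in for requests.get(): (status, body), or None when the port is closed."""
    if port not in cluster:
        return None
    return cluster[port].get(path, (404, ""))


class Event:
    def __init__(self, host, port=None):
        self.host, self.port = host, port


class NewHostEvent(Event): pass
class OpenPortEvent(Event): pass
class ReadKubeletEvent(Event): pass


class Vulnerability(Event):
    """A finding: the bus collects these instead of dispatching them further."""
    def __init__(self, host, component, name, category, evidence=None):
        super().__init__(host)
        self.component, self.name = component, name
        self.category, self.evidence = category, evidence


class K8sVersionDisclosure(Vulnerability):
    def __init__(self, host, version):
        super().__init__(host, "Kubelet", "K8s Version Disclosure",
                         "InformationDisclosure", evidence=version)


class Handler:
    """Event bus: hunters register for an event type, optionally filtered by a predicate."""
    def __init__(self):
        self._subs = defaultdict(list)

    def subscribe(self, event_type, predicate=None):
        def register(hunter_cls):
            self._subs[event_type].append((predicate, hunter_cls))
            return hunter_cls
        return register

    def run(self, first_event, cluster):
        queue, findings = [first_event], []
        while queue:
            event = queue.pop(0)
            if isinstance(event, Vulnerability):
                findings.append(event)
                continue
            for event_type, subs in self._subs.items():
                if not isinstance(event, event_type):
                    continue
                for predicate, hunter_cls in subs:
                    if predicate is None or predicate(event):
                        hunter_cls(event, cluster, queue.append).execute()
        return findings


class Hunter:
    def __init__(self, event, cluster, publish_event):
        self.event, self.cluster, self.publish_event = event, cluster, publish_event

    def execute(self):
        raise NotImplementedError


handler = Handler()


@handler.subscribe(NewHostEvent)
class PortDiscovery(Hunter):
    def execute(self):
        for p in DEFAULT_PORTS:
            if fake_get(self.cluster, p, "/") is not None:  # any answer = open port
                self.publish_event(OpenPortEvent(self.event.host, p))


@handler.subscribe(OpenPortEvent, predicate=lambda e: e.port in (10250, 10255))
class KubeletDiscovery(Hunter):
    def execute(self):
        resp = fake_get(self.cluster, self.event.port, "/metrics")
        if resp is not None and resp[0] == 200:  # readable without credentials
            self.publish_event(ReadKubeletEvent(self.event.host, self.event.port))


@handler.subscribe(ReadKubeletEvent)
class ReadKubeletPortHunter(Hunter):
    def execute(self):
        _, body = fake_get(self.cluster, self.event.port, "/metrics")
        match = re.search(r'gitVersion="([^"]+)"', body)  # assumption: version is in /metrics
        if match:
            self.publish_event(K8sVersionDisclosure(self.event.host, match.group(1)))


def hunt(host="10.0.0.5", cluster=FAKE_CLUSTER):
    """Run the chain from a NewHostEvent and return the Vulnerability findings."""
    return handler.run(NewHostEvent(host), cluster)


if __name__ == "__main__":
    for v in hunt():
        print(f"{v.host} {v.component}: {v.name} [{v.category}] evidence={v.evidence}")
```

Run as a script it reports one finding against the constructed cluster, the kubelet's version; against a cluster whose kubelet answers `/metrics` with 401 the chain stops at `KubeletDiscovery` and nothing is reported, which is the state a hardened node should be in. The `predicate` on `KubeletDiscovery` is what keeps hunters decoupled: `PortDiscovery` knows nothing about kubelets, it only announces open ports.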

  31. Image Rolf Johansson on Pixabay