DIY Kubernetes Pen Testing

Check for insecure configurations with kube-hunter! This talk shows what kube-hunter does and how an attacker might take advantage of insecure configurations in a Kubernetes cluster. You can watch a recording of this talk from KubeCon Barcelona here: https://www.youtube.com/watch?v=fVqCAUJiIn0

Liz Rice

May 23, 2019

Transcript

  1. None
  2. Image Jefferson Santos on Unsplash

  3. Image nmap.org

  4. None
  5. github.com/aquasecurity/kube-hunter

  6. Image mario on Flick

  7. Welcome to Club KubeCon
    Free entry!
    Show me your ID
    If you’re not on the list, you’re not coming in
    Image Channel 4
  8. Image Foundry Co from Pixabay

  9. Image Kerstin Riemer from Pixabay

  10. curl <IP address>:8080
    curl <IP address>:8080/api/v1
    curl <IP address>:8080/api/v1/namespaces
    curl <IP address>:8080/api/v1/namespaces/default/pods
  11. curl -k https://<IP address>:6443

  12. Image Pixabay

  13. curl -k https://<IP address>:6443/swaggerapi
    curl -k https://<IP address>:6443/healthz
    curl -k https://<IP address>:6443/api/v1
  14. Image Rudy and Peter Skitterians on Pixabay

  15. Diagram labels: Kubernetes cluster, pod, token, API server

  16. Image cocoparisienne on Pixabay

  17. None
  18. curl -k https://<IP address>:2379
    curl -k https://<IP address>:2379/version

  19. None
  20. curl -k https://<IP address>:10250
    curl -k https://<IP address>:10250/metrics
    curl -k https://<IP address>:10250/pods
  21. None
  22. None
  23. Diagram labels: Kubernetes cluster, pod, token, API server

  24. None

  25. Image Free-Photos on Pixabay

  26. Image IAOM-US on Pixabay

  27. @handler.subscribe(NewHostEvent)
    class PortDiscovery(Hunter):
        def execute(self):
            # Probe each well-known Kubernetes port on the newly found host.
            for p in default_ports:
                if self.test_connection(self.host, p):
                    self.publish_event(OpenPortEvent(port=p))
  28. @handler.subscribe(OpenPortEvent,
                        predicate=lambda x: x.port == 10255 or x.port == 10250)
    class KubeletDiscovery(Hunter):
        def get_read_access(self):
            # The slide abbreviates the URL; host and port come from the open-port event.
            r = requests.get("http://{host}:{port}/metrics".format(host=self.host, port=self.port))
            if r.status_code == 200:
                self.publish_event(ReadKubeletEvent())
  29. @handler.subscribe(ReadKubeletEvent)
    class ReadKubeletPortHunter(Hunter):
        def execute(self):
            k8s_version = self.get_k8s_version()
            if k8s_version:
                self.publish_event(K8sVersionDisclosure(version=k8s_version))
  30. class K8sVersionDisclosure(Vulnerability, Event):
        def __init__(self, version):
            Vulnerability.__init__(self, Kubelet, "K8s Version Disclosure",
                                   category=InformationDisclosure)
            self.evidence = version
  31. Image Rolf Johansson on Pixabay

  32. None