
Interactive Kubernetes Security Learning Playground - Kubernetes Goat @ Black Hat Asia 2023 Arsenal


Kubernetes Goat is an interactive Kubernetes security learning playground. It has intentionally vulnerable by design scenarios to showcase the common misconfigurations, real-world vulnerabilities, and security issues in Kubernetes clusters, containers, and cloud native environments.

Learning and understanding Kubernetes security safely, practically, and efficiently is hard. Kubernetes Goat sets out to solve this problem not only for security researchers but also for attackers, defenders, developers, DevOps teams, and anyone interested in learning Kubernetes security. We also help products and vendors showcase their product or tool's effectiveness using these playground scenarios, and use them to educate their customers and organizations. This project is a place to share knowledge with the community through well-documented, quality, hands-on scenario content.

Madhu Akula

May 11, 2023

Transcript

  1. #BHASIA @BlackHatEvents
    Interactive Kubernetes Security Learning
    Playground - Kubernetes Goat
    Madhu Akula
    @madhuakula

  2. About Me 😊
    Information Classification: General
    👉 Pragmatic Security Leader, working on Cloud Native Infra, Security, & Startups
    👉 Creator of Kubernetes Goat, Hacker Container, tools.tldr.run, other projects.
    👉 Speaks & Trains at Black Hat (USA, EU, Asia), DEF CON, GitHub, USENIX, OWASP, All Day DevOps, SANS, DevSecCon, CNCF, c0c0n, Nullcon, null, many others around the globe.
    👉 Author of Security Automation with Ansible2, OWASP KSTG, whitepapers, etc.
    👉 Technical reviewer (multiple books) & Review board member of multiple conferences, organizations, communities, advisory, etc.
    👉 Found security vulnerabilities in 200+ organizations & products: Google, Microsoft, AT&T, Adobe, WordPress, Ntop, Cloudflare, Yahoo, LocalBitcoins, etc.
    👉 Certified Kubernetes (CKA/CKS), Offensive Security Certified Professional, etc.
    👉 Never ending learner!

  3. What is Docker?
    https://kubernetes.io/docs/concepts/overview/what-is-kubernetes/#going-back-in-time

  4. What is Docker?
    ● Docker is an open source platform for building, deploying, and managing containerized applications
    ● Docker became the de facto standard to build and share containerized apps - from desktop, to the cloud, even edge devices
    ● Docker enables developers to easily pack, ship, and run any application as a lightweight, portable, self-sufficient container, which can run virtually anywhere
    https://docs.docker.com/get-started/overview/

  5. What is Kubernetes?
    Kubernetes is a portable, extensible, open-source platform for managing containerized workloads and services, that facilitates both declarative configuration and automation. It has a large, rapidly growing ecosystem. Kubernetes services, support, and tools are widely available.
    https://kubernetes.io/docs/concepts/overview/what-is-kubernetes/

  6. What is Kubernetes?

  7. The illustrated children's guide to Kubernetes
    https://www.youtube.com/watch?v=3I9PkvZ80BQ

  8. Why Kubernetes Security?

  9. 📚 Kubernetes Security - Layers & Areas

  10. How can we learn and practice this?

  11. What is Kubernetes Goat 🐐

  12. 🚨 Disclaimer
    Kubernetes Goat has intentionally created vulnerabilities, applications, and configurations to attack and gain access to your cluster and workloads. Please DO NOT run alongside your production environments and infrastructure. So we highly recommend running this in a safe and isolated environment.
    Kubernetes Goat is used for educational purposes only, do not test or apply these attacks on any systems without permission. Kubernetes Goat comes with absolutely no warranties, by using it you take full responsibility for all the outcomes.

  13. Can I use Kubernetes Goat 🤔
    Kubernetes Goat is intended for a variety of audiences and end-users, which includes hackers, attackers, defenders, developers, architects, DevOps teams, engineers, researchers, products, vendors, and anyone interested in learning about Kubernetes Security.
    Below are some of the very high-level categories of audience:
    💥 Attackers & Red Teams
    🛡 Defenders & Blue Teams
    🧰 Products & Vendors
    🔐 Developers & DevOps Teams
    💡 Interested in Kubernetes Security

  14. 🔥 Kubernetes Goat Audience

  15. Scenarios 🚀
    1. Sensitive keys in codebases
    2. DIND (docker-in-docker) exploitation
    3. SSRF in the Kubernetes (K8S) world
    4. Container escape to the host system
    5. Docker CIS benchmarks analysis
    6. Kubernetes CIS benchmarks analysis
    7. Attacking private registry
    8. NodePort exposed services
    9. Helm v2 tiller to PwN the cluster - [Deprecated]
    10. Analyzing crypto miner container
    11. Kubernetes namespaces bypass
    12. Gaining environment information
    13. DoS the Memory/CPU resources
    14. Hacker container preview
    15. Hidden in layers
    16. RBAC least privileges misconfiguration
    17. KubeAudit - Audit Kubernetes clusters
    18. Falco - Runtime security monitoring & detection
    19. Popeye - A Kubernetes cluster sanitizer
    20. Secure network boundaries using NSP
    21. Cilium Tetragon - eBPF-based Security Observability and Runtime Enforcement
    22. Securing Kubernetes Clusters using Kyverno Policy Engine
    More scenarios releasing soon… ❤

  16. ⚙ How can I setup
    ☸ Vanilla Kubernetes Cluster
    ☁ AWS Kubernetes (EKS)
    ☁ GCP Kubernetes (GKE)
    ☁ Azure Kubernetes (AKS)
    ☸ Kubernetes IN Docker (KiND)
    ☸ Lightweight Kubernetes (K3S) - Coming soon 👀
    ☸ Digital Ocean, Vagrant, Many others…

  17. ⎈ Setting up in your Cluster
    ● Make sure you have a Kubernetes cluster with cluster-admin privileges, and kubectl and helm installed on your system, before running the following commands to set up Kubernetes Goat
    ● Now you can access Kubernetes Goat by navigating to http://127.0.0.1:1234
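The prerequisites on this slide (a cluster where your current context holds cluster-admin, plus kubectl and helm on PATH) are easy to get wrong, and the install only half-succeeds when one is missing. The pre-flight script below checks them before you run the project's setup commands. It is an added example, not part of the Kubernetes Goat project: it relies on the real `kubectl auth can-i` and `kubectl config current-context` subcommands and assumes your kubeconfig already points at the isolated, non-production cluster you intend to use.

```shell
#!/bin/sh
# Pre-flight check for the Kubernetes Goat prerequisites named on the slide:
# a kubeconfig context with cluster-admin privileges, plus kubectl and helm
# on PATH. Added example, not part of the Kubernetes Goat project.

# have_tool NAME: succeed (0) if NAME resolves on PATH, fail (1) otherwise.
have_tool() {
    command -v "$1" >/dev/null 2>&1
}

# has_cluster_admin: succeed if the current context may perform every verb on
# every resource, which is what the cluster-admin ClusterRole grants.
# `kubectl auth can-i '*' '*'` prints "yes" or "no" on stdout.
has_cluster_admin() {
    [ "$(kubectl auth can-i '*' '*' 2>/dev/null)" = "yes" ]
}

# preflight: report each prerequisite; succeed only when all of them hold.
preflight() {
    rc=0
    for tool in kubectl helm; do
        if have_tool "$tool"; then
            echo "ok:      $tool found at $(command -v "$tool")"
        else
            echo "missing: $tool is not on PATH"
            rc=1
        fi
    done

    # The privilege check only makes sense once kubectl itself is present.
    if have_tool kubectl; then
        ctx=$(kubectl config current-context 2>/dev/null || echo "<none>")
        if has_cluster_admin; then
            echo "ok:      context '$ctx' has cluster-admin level access"
        else
            echo "missing: context '$ctx' cannot act as cluster-admin (kubectl auth can-i '*' '*' did not answer yes)"
            rc=1
        fi
    fi

    if [ "$rc" -eq 0 ]; then
        echo "All prerequisites met; run the Kubernetes Goat setup commands against context '$ctx'."
    else
        echo "Fix the items above before installing Kubernetes Goat."
    fi
    return "$rc"
}

# Invoke as `sh preflight.sh run`; sourcing the file only defines the functions.
if [ "${1:-}" = "run" ]; then
    preflight
fi
```

Because cluster-admin is a wildcard grant, `kubectl auth can-i '*' '*'` answering "yes" is the one check that covers it; a context that can only create Deployments in one namespace will answer "no" and the install of the cluster-wide scenarios would fail part-way. Double-check the printed context name before continuing, since the disclaimer on slide 12 applies to whichever cluster that context points at.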

  18. ⚡ Getting Started

  19. ⚡ Getting Started

  20. ⚡ Getting Started
    https://madhuakula.com/kubernetes-goat

  21. OWASP Kubernetes Top 10
    https://owasp.org/www-project-kubernetes-top-ten/

  22. 🛡 MITRE ATT&CK - Kubernetes Goat
    https://madhuakula.com/kubernetes-goat/docs/mitre/mitre-attack

  23. ☸ 🐐 Demo Time 🤞 🙏

  24. 🥳 Kubernetes Goat Adoption
    https://youtu.be/62_Cj6yseno?t=352

  25. 🏁 What's Next
    🏆 Go-to Kubernetes Security resource for anyone (from a variety of experience levels and skills)
    🔥 All scenarios will be updated with Defenders, Developers, Tools & Vendors sections
    🚀 10+ more real-world hands-on scenarios coming (more and more will come 🏃…)
    ☸ One-click setups, various vendor-related product testbeds, many more integrations
    📝 Various OSS & Vendor tools (working with security vendors to bridge the gap 👋)
    💥 Heavy push towards Developers, DevOps, Architects learning experience
    🎉 Sponsors, roadmap, support, contributors, more global scope around Cloud Native

  26. Spread the ❤ #KubernetesGoat
    🙌 Give it a try
    🚀 Contribute ideas & suggestions
    🤝 Work with the project & improve
    🙏 Share your valuable feedback
    🌟 Star in our GitHub
    🎉 Spread word #KubernetesGoat
    https://madhuakula.com/kubernetes-goat/docs/wall-of-love

  27. Thank you 🙏
    Want to learn more, have some idea, or just wanted to say 👋
    https://madhuakula.com
    @madhuakula