Interactive Playground to Learn Kubernetes and Cloud Native Security - KubeCon + CloudNativeCon EU 2023

Transcript

1. Madhu Akula Interactive Playground to Learn Kubernetes and Cloud Native

   Security https://sched.co/1HyQj

2. 👋 Whoami - Madhu Akula 👉 Pragmatic Security Leader, working

   on Cloud Native Infra, Security, and Startups 👉 Creator of Kubernetes Goat, Hacker Container, tools.tldr.run, many other OSS projects. 👉 Speaks & Trains at Black Hat (USA, EU, Asia), DEF CON, GitHub, USENIX, OWASP, All Day DevOps, SANS, DevSecCon, CNCF, c0c0n, Nullcon, null, many others around the globe. 👉 Author of Security Automation with Ansible2, OWASP KSTG, whitepapers, etc. 👉 Technical reviewer (multiple books) & Review board member of multiple conferences, organizations, communities, advisory, etc. 👉 Found security vulnerabilities in 200+ organizations and products including Google, Microsoft, AT&T, Adobe, eBay, WordPress, Ntop, Cloudflare, Yahoo, LocalBitcoins, etc. 👉 Certified Kubernetes(CKA/CKS), Offensive Security Certified Professional, etc. 👉 Never ending learner! @madhuakula

3. 📅 Agenda - Our next 30 minutes or so… 🤔

   We will start thinking together ◦ Why Kubernetes and Cloud Native security? ◦ What are the challenges in the security? 🤖 We start brainstorming some approaches on how can we solve those problems? 💥 Can you take over cluster - Are you sure? You can't be serious 👋 Introducing an Interactive Learning Playground - ⎈ Kubernetes Goat 🐐 ◦ Showcase of real-world mappings (OWASP Top 10, MITRE ATT&CK, etc.) ▪ Attacks, Defenses, Approaches, Many Others. 🚀 Key takeaways - Go back, hack, learn & build secure Cloud Native Ecosystem 🙏 Feedback, Questions, and a BIG THANK YOU! @madhuakula

4. Why Security? Kubernetes & Cloud Native @madhuakula

5. Why K8S & Cloud Native Security? Lack of knowledge in

   security teams Understanding the technology gap Maturity of the cloud native ecosystem Popular Hacks & Attacks in the real-world Speed of the changes & adoption Improving the experience @madhuakula

6. Lack of knowledge in security teams Why K8S & Cloud

   Native Security? @madhuakula

7. Understanding the technology gap Why K8S & Cloud Native Security?

   @madhuakula

8. Maturity of the cloud native ecosystem Why K8S & Cloud

   Native Security? @madhuakula

9. Speed of the changes & adoption Why K8S & Cloud

   Native Security? @madhuakula

10. Popular Hacks & Attacks in the real-world Why K8S &

    Cloud Native Security? @madhuakula

11. Why K8S & Cloud Native Security? Improving the experience @madhuakula

12. Can we do something about these Kubernetes security problems? @madhuakula

13. 🤖 Some approaches to K8S Security https://github.com/cncf/financial-user-group/tree/main/projects/k8s-threat-model Threat Model Your

    Architecture @madhuakula

14. 🤖 Some approaches to K8S Security https://github.com/cncf/financial-user-group/tree/main/projects/k8s-threat-model/AttackTrees Attack Trees @madhuakula

15. 🤖 Some approaches to K8S Security https://www.cncf.io/reports/cloud-native-security-whitepaper/ CNCF Whitepaper &

    Official K8S Security Docs https://kubernetes.io/docs/concepts/security/ @madhuakula

16. 🤖 Some approaches to K8S Security Many others… @madhuakula

17. Are these enough? @madhuakula

18. Attack Path / Kill Chain What it looks like? @madhuakula

19. Kubernetes - Attack Path / Kill Chain @madhuakula

20. Kubernetes - Attack Path / Kill Chain https://youtu.be/7nc78ZrvP4Y T A

    K E O V E R E N T R Y P O I N T @madhuakula

21. Can we try practicing them like an attacker? @madhuakula

22. Introducing ⎈ Kubernetes Goat 🐐 @madhuakula

23. Kubernetes Goat is an interactive Kubernetes security learning playground 🚀

    🐐 What is Kubernetes Goat? @madhuakula

24. 🚨 Disclaimer Kubernetes Goat has intentionally created vulnerabilities, applications, and

    configurations to attack and gain access to your cluster and workloads. Please DO NOT run alongside your production environments and infrastructure. So we highly recommend running this in a safe and isolated environment. Kubernetes Goat is used for educational purposes only, do not test or apply these attacks on any systems without permission. Kubernetes Goat comes with absolutely no warranties, by using it you take full responsibility for all the outcomes. @madhuakula

25. 🔥 Kubernetes Goat Audience 💥 Attackers & Red Teams 🛡

    Defenders & Blue Teams 🧰 Products & Vendors 🔐 Developers & DevOps Teams 💡 Interested in Kubernetes Security @madhuakula

26. 🚀 Scenarios in Kubernetes Goat 1. Sensitive keys in codebases

    2. DIND (docker-in-docker) exploitation 3. SSRF in the Kubernetes (K8S) world 4. Container escape to the host system 5. Docker CIS benchmarks analysis 6. Kubernetes CIS benchmarks analysis 7. Attacking private registry 8. NodePort exposed services 9. Helm v2 tiller to PwN the cluster - [Deprecated] 10. Analyzing crypto miner container 11. Kubernetes namespaces bypass 12. Gaining environment information 13. DoS the Memory/CPU resources 14. Hacker container preview 15. Hidden in layers 16. RBAC least privileges misconfiguration 17. KubeAudit - Audit Kubernetes clusters 18. Falco - Runtime security monitoring & detection 19. Popeye - A Kubernetes cluster sanitizer 20. Secure network boundaries using NSP 21. Cilium Tetragon - eBPF-based Security Observability and Runtime Enforcement 22. Securing Kubernetes Clusters using Kyverno Policy Engine More scenarios releasing soon… ❤ @madhuakula

27. 🧰 How can I setup Kubernetes Goat ☸ Vanilla Kubernetes

    Cluster ☁ AWS Kubernetes (EKS) ☁ GCP Kubernetes (GKE) ☁ Azure Kubernetes (AKS) ☸ Kubernetes IN Docker (KiND) ☸ Lightweight Kubernetes (K3S) ☸ Digital Ocean, Vagrant, Many others… @madhuakula

28. ⎈ Setting up in your Kubernetes Cluster • Make sure

    you have Kubernetes cluster with cluster-admin privileges. Also kubectl and helm installed in your system before running the following commands to setup the Kubernetes Goat • Now you can access the Kubernetes Goat by navigating to http://127.0.0.1:1234 @madhuakula

29. ⚡ Get Started with Kubernetes Goat 🐐 @madhuakula

30. ⚡ Get Started with Kubernetes Goat 🐐 @madhuakula

31. https://madhuakula.com/kubernetes-goat ⚡ Get Started with Kubernetes Goat 🐐 @madhuakula

32. 🔟 OWASP Kubernetes Top 10 https://owasp.org/www-project-kubernetes-top-ten/ @madhuakula

33. 🛡 MITRE ATT&CK - Kubernetes https://attack.mitre.org https://microsoft.github.io/Threat-Matrix-for-Kubernetes/ @madhuakula

34. Let’s explore the @madhuakula

35. 📝 Security Tools Reports @madhuakula

36. 🥳 Adoption of Kubernetes Goat https://youtu.be/62_Cj6yseno?t=352 @madhuakula

37. Key Takeaways! 🧐 A lot of gaps in the knowledge

    & understanding of the Cloud Native Ecosystem ⏩ The speed & adoption are growing faster, and the security maturity? 📚 Lots of resources, frameworks, and tools. But not practical enough! 🛡 Think & train practically like a hacker with real-world scenarios 🚀 Learn, practice & build a security cloud native ecosystem with Kubernetes Goat @madhuakula

38. Spread the ❤ #KubernetesGoat 🙌 Give it a try 🚀

    Contribute ideas & suggestions 🤝 Work with the project & improve 🙏 Share your valuable feedback 🌟 Star in GitHub 🎉 Spread word #KubernetesGoat We have some awesome Kubernetes Goat Stickers 🥳 Take a photo of your one & only cool sticker and share with #KubernetesGoat hashtag! @madhuakula

39. 🙏 Thank You @madhuakula https://madhuakula.com @madhuakula https://madhuakula.com Want to learn

    more, have some idea, or just wanted to say 👋 Talk Feedback & Review #KubernetesGoat https://github.com/madhuakula/kubernetes-goat https://sched.co/1HyQj