Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Interactive Playground to Learn Kubernetes and Cloud Native Security - KubeCon + CloudNativeCon EU 2023

Interactive Playground to Learn Kubernetes and Cloud Native Security - KubeCon + CloudNativeCon EU 2023

Provide feedback https://sched.co/1HyQj 🙏

Kubernetes Goat is a "vulnerable by design" Kubernetes Cluster environment to practice and learn about Kubernetes Security. In this session, Madhu Akula will present the latest version of the Kubernetes Goat by exploring different vulnerabilities in Kubernetes Cluster and Containerized environments. Also, he demonstrates the real-world vulnerabilities and maps the Kubernetes Goat scenarios with them.

We see a ton of newly added vulnerabilities, CVEs, and mapping with some open source security tools to perform from writing developer code to deploying into production security using different layers like Infrastructure security, Supply chain security, and Runtime security. The newly added scenarios and documentation guide releases help even developers, DevOps teams, and security vendors to showcase and learn about security from attackers' perspectives.

Madhu Akula

April 20, 2023

More Decks by Madhu Akula

Other Decks in Technology


  1. 👋 Whoami - Madhu Akula 👉 Pragmatic Security Leader, working

    on Cloud Native Infra, Security, and Startups 👉 Creator of Kubernetes Goat, Hacker Container, tools.tldr.run, many other OSS projects. 👉 Speaks & Trains at Black Hat (USA, EU, Asia), DEF CON, GitHub, USENIX, OWASP, All Day DevOps, SANS, DevSecCon, CNCF, c0c0n, Nullcon, null, many others around the globe. 👉 Author of Security Automation with Ansible2, OWASP KSTG, whitepapers, etc. 👉 Technical reviewer (multiple books) & Review board member of multiple conferences, organizations, communities, advisory, etc. 👉 Found security vulnerabilities in 200+ organizations and products including Google, Microsoft, AT&T, Adobe, eBay, WordPress, Ntop, Cloudflare, Yahoo, LocalBitcoins, etc. 👉 Certified Kubernetes(CKA/CKS), Offensive Security Certified Professional, etc. 👉 Never ending learner! @madhuakula
  2. 📅 Agenda - Our next 30 minutes or so… 🤔

    We will start thinking together ◦ Why Kubernetes and Cloud Native security? ◦ What are the challenges in the security? 🤖 We start brainstorming some approaches on how can we solve those problems? 💥 Can you take over cluster - Are you sure? You can't be serious 👋 Introducing an Interactive Learning Playground - ⎈ Kubernetes Goat 🐐 ◦ Showcase of real-world mappings (OWASP Top 10, MITRE ATT&CK, etc.) ▪ Attacks, Defenses, Approaches, Many Others. 🚀 Key takeaways - Go back, hack, learn & build secure Cloud Native Ecosystem 🙏 Feedback, Questions, and a BIG THANK YOU! @madhuakula
  3. Why K8S & Cloud Native Security? Lack of knowledge in

    security teams Understanding the technology gap Maturity of the cloud native ecosystem Popular Hacks & Attacks in the real-world Speed of the changes & adoption Improving the experience @madhuakula
  4. Popular Hacks & Attacks in the real-world Why K8S &

    Cloud Native Security? @madhuakula
  5. 🤖 Some approaches to K8S Security https://www.cncf.io/reports/cloud-native-security-whitepaper/ CNCF Whitepaper &

    Official K8S Security Docs https://kubernetes.io/docs/concepts/security/ @madhuakula
  6. 🚨 Disclaimer Kubernetes Goat has intentionally created vulnerabilities, applications, and

    configurations to attack and gain access to your cluster and workloads. Please DO NOT run alongside your production environments and infrastructure. So we highly recommend running this in a safe and isolated environment. Kubernetes Goat is used for educational purposes only, do not test or apply these attacks on any systems without permission. Kubernetes Goat comes with absolutely no warranties, by using it you take full responsibility for all the outcomes. @madhuakula
  7. 🔥 Kubernetes Goat Audience 💥 Attackers & Red Teams 🛡

    Defenders & Blue Teams 🧰 Products & Vendors 🔐 Developers & DevOps Teams 💡 Interested in Kubernetes Security @madhuakula
  8. 🚀 Scenarios in Kubernetes Goat 1. Sensitive keys in codebases

    2. DIND (docker-in-docker) exploitation 3. SSRF in the Kubernetes (K8S) world 4. Container escape to the host system 5. Docker CIS benchmarks analysis 6. Kubernetes CIS benchmarks analysis 7. Attacking private registry 8. NodePort exposed services 9. Helm v2 tiller to PwN the cluster - [Deprecated] 10. Analyzing crypto miner container 11. Kubernetes namespaces bypass 12. Gaining environment information 13. DoS the Memory/CPU resources 14. Hacker container preview 15. Hidden in layers 16. RBAC least privileges misconfiguration 17. KubeAudit - Audit Kubernetes clusters 18. Falco - Runtime security monitoring & detection 19. Popeye - A Kubernetes cluster sanitizer 20. Secure network boundaries using NSP 21. Cilium Tetragon - eBPF-based Security Observability and Runtime Enforcement 22. Securing Kubernetes Clusters using Kyverno Policy Engine More scenarios releasing soon… ❤ @madhuakula
  9. 🧰 How can I setup Kubernetes Goat ☸ Vanilla Kubernetes

    Cluster ☁ AWS Kubernetes (EKS) ☁ GCP Kubernetes (GKE) ☁ Azure Kubernetes (AKS) ☸ Kubernetes IN Docker (KiND) ☸ Lightweight Kubernetes (K3S) ☸ Digital Ocean, Vagrant, Many others… @madhuakula
  10. ⎈ Setting up in your Kubernetes Cluster • Make sure

    you have Kubernetes cluster with cluster-admin privileges. Also kubectl and helm installed in your system before running the following commands to setup the Kubernetes Goat • Now you can access the Kubernetes Goat by navigating to @madhuakula
  11. Key Takeaways! 🧐 A lot of gaps in the knowledge

    & understanding of the Cloud Native Ecosystem ⏩ The speed & adoption are growing faster, and the security maturity? 📚 Lots of resources, frameworks, and tools. But not practical enough! 🛡 Think & train practically like a hacker with real-world scenarios 🚀 Learn, practice & build a security cloud native ecosystem with Kubernetes Goat @madhuakula
  12. Spread the ❤ #KubernetesGoat 🙌 Give it a try 🚀

    Contribute ideas & suggestions 🤝 Work with the project & improve 🙏 Share your valuable feedback 🌟 Star in GitHub 🎉 Spread word #KubernetesGoat We have some awesome Kubernetes Goat Stickers 🥳 Take a photo of your one & only cool sticker and share with #KubernetesGoat hashtag! @madhuakula
  13. 🙏 Thank You @madhuakula https://madhuakula.com @madhuakula https://madhuakula.com Want to learn

    more, have some idea, or just wanted to say 👋 Talk Feedback & Review #KubernetesGoat https://github.com/madhuakula/kubernetes-goat https://sched.co/1HyQj