Interactive Playground to Learn Kubernetes and Cloud Native Security - KubeCon + CloudNativeCon EU 2023

Provide feedback https://sched.co/1HyQj 🙏

Kubernetes Goat is a "vulnerable by design" Kubernetes cluster environment for practicing and learning Kubernetes security. In this session, Madhu Akula presents the latest version of Kubernetes Goat by exploring different vulnerabilities in Kubernetes clusters and containerized environments. He also demonstrates real-world vulnerabilities and maps the Kubernetes Goat scenarios to them.

The latest release adds many new vulnerable scenarios, mapped to CVEs and to open source security tools, covering the path from writing developer code to deploying into production across layers such as infrastructure security, supply chain security, and runtime security. The new scenarios and documentation guides help developers, DevOps teams, and security vendors showcase and learn about security from an attacker's perspective.

Madhu Akula

April 20, 2023

Transcript

  1. Madhu Akula
    Interactive Playground to Learn Kubernetes and Cloud Native Security
    https://sched.co/1HyQj

  2. 👋 Whoami - Madhu Akula
    👉 Pragmatic Security Leader, working on Cloud Native Infra, Security, and Startups
    👉 Creator of Kubernetes Goat, Hacker Container, tools.tldr.run, and many other OSS projects.
    👉 Speaks & trains at Black Hat (USA, EU, Asia), DEF CON, GitHub, USENIX, OWASP, All Day DevOps, SANS, DevSecCon, CNCF, c0c0n, Nullcon, null, and many others around the globe.
    👉 Author of Security Automation with Ansible 2, OWASP KSTG, whitepapers, etc.
    👉 Technical reviewer (multiple books) & review board member of multiple conferences, organizations, communities, advisory boards, etc.
    👉 Found security vulnerabilities in 200+ organizations and products including Google, Microsoft, AT&T, Adobe, eBay, WordPress, Ntop, Cloudflare, Yahoo, LocalBitcoins, etc.
    👉 Certified Kubernetes (CKA/CKS), Offensive Security Certified Professional, etc.
    👉 Never-ending learner!
    @madhuakula

  3. 📅 Agenda - Our next 30 minutes or so…
    🤔 We will start thinking together
    ○ Why Kubernetes and Cloud Native security?
    ○ What are the challenges in security?
    🤖 We brainstorm some approaches to how we can solve those problems
    💥 Can you take over a cluster? Are you sure? You can't be serious
    👋 Introducing an Interactive Learning Playground - ⎈ Kubernetes Goat 🐐
    ○ Showcase of real-world mappings (OWASP Top 10, MITRE ATT&CK, etc.)
    ■ Attacks, Defenses, Approaches, Many Others.
    🚀 Key takeaways - Go back, hack, learn & build a secure Cloud Native Ecosystem
    🙏 Feedback, Questions, and a BIG THANK YOU!

  4. Why Kubernetes & Cloud Native Security?

  5. Why K8S & Cloud Native Security?
    ○ Lack of knowledge in security teams
    ○ Understanding the technology gap
    ○ Maturity of the cloud native ecosystem
    ○ Popular Hacks & Attacks in the real-world
    ○ Speed of the changes & adoption
    ○ Improving the experience

  6. Lack of knowledge in security teams
    Why K8S & Cloud Native Security?

  7. Understanding the technology gap
    Why K8S & Cloud Native Security?

  8. Maturity of the cloud native ecosystem
    Why K8S & Cloud Native Security?

  9. Speed of the changes & adoption
    Why K8S & Cloud Native Security?

  10. Popular Hacks & Attacks in the real-world
    Why K8S & Cloud Native Security?

  11. Improving the experience
    Why K8S & Cloud Native Security?

  12. Can we do something about these Kubernetes security problems?

  13. 🤖 Some approaches to K8S Security
    https://github.com/cncf/financial-user-group/tree/main/projects/k8s-threat-model
    Threat Model Your Architecture

  14. 🤖 Some approaches to K8S Security
    https://github.com/cncf/financial-user-group/tree/main/projects/k8s-threat-model/AttackTrees
    Attack Trees

  15. 🤖 Some approaches to K8S Security
    https://www.cncf.io/reports/cloud-native-security-whitepaper/
    CNCF Whitepaper & Official K8S Security Docs
    https://kubernetes.io/docs/concepts/security/

  16. 🤖 Some approaches to K8S Security
    Many others…

  17. Are these enough?

  18. Attack Path / Kill Chain
    What does it look like?

  19. Kubernetes - Attack Path / Kill Chain

  20. Kubernetes - Attack Path / Kill Chain
    https://youtu.be/7nc78ZrvP4Y
    [Diagram: attack path from ENTRY POINT to TAKEOVER]

  21. Can we try practicing them like an attacker?

  22. Introducing
    ⎈ Kubernetes Goat 🐐

  23. 🐐 What is Kubernetes Goat?
    Kubernetes Goat is an interactive Kubernetes security learning playground 🚀

  24. 🚨 Disclaimer
    Kubernetes Goat has intentionally created vulnerabilities, applications, and configurations to attack and gain access to your cluster and workloads. Please DO NOT run it alongside your production environments and infrastructure; we highly recommend running it in a safe and isolated environment.
    Kubernetes Goat is for educational purposes only. Do not test or apply these attacks on any systems without permission. Kubernetes Goat comes with absolutely no warranties; by using it you take full responsibility for all outcomes.

  25. 🔥 Kubernetes Goat Audience
    💥 Attackers & Red Teams
    🛡 Defenders & Blue Teams
    🧰 Products & Vendors
    🔐 Developers & DevOps Teams
    💡 Interested in Kubernetes Security

  26. 🚀 Scenarios in Kubernetes Goat
    1. Sensitive keys in codebases
    2. DIND (docker-in-docker) exploitation
    3. SSRF in the Kubernetes (K8S) world
    4. Container escape to the host system
    5. Docker CIS benchmarks analysis
    6. Kubernetes CIS benchmarks analysis
    7. Attacking private registry
    8. NodePort exposed services
    9. Helm v2 tiller to PwN the cluster - [Deprecated]
    10. Analyzing crypto miner container
    11. Kubernetes namespaces bypass
    12. Gaining environment information
    13. DoS the Memory/CPU resources
    14. Hacker container preview
    15. Hidden in layers
    16. RBAC least privileges misconfiguration
    17. KubeAudit - Audit Kubernetes clusters
    18. Falco - Runtime security monitoring & detection
    19. Popeye - A Kubernetes cluster sanitizer
    20. Secure network boundaries using NSP
    21. Cilium Tetragon - eBPF-based Security Observability and Runtime Enforcement
    22. Securing Kubernetes Clusters using Kyverno Policy Engine
    More scenarios releasing soon… ❤

  27. 🧰 How can I setup Kubernetes Goat
    ☸ Vanilla Kubernetes Cluster
    ☁ AWS Kubernetes (EKS)
    ☁ GCP Kubernetes (GKE)
    ☁ Azure Kubernetes (AKS)
    ☸ Kubernetes IN Docker (KiND)
    ☸ Lightweight Kubernetes (K3S)
    ☸ Digital Ocean, Vagrant, Many others…

  28. ⎈ Setting up in your Kubernetes Cluster
    ● Make sure you have a Kubernetes cluster with cluster-admin privileges, and that kubectl and helm are installed on your system, before running the setup commands for Kubernetes Goat.
    ● You can then access Kubernetes Goat by navigating to http://127.0.0.1:1234
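    The disclaimer on slide 24 (never run it alongside production) and the prerequisites on this slide (cluster-admin, kubectl, helm) are worth enforcing before anything is deployed, because the vulnerable workloads are real once they land. The pre-flight script below is an added example written for this page; it is not part of Kubernetes Goat and not the project's own setup script. It assumes, which the slides do not state, that kubectl and helm are on PATH, that the current kube-context points at the throwaway cluster, and that production contexts can be recognised by a naming convention containing "prod", "production" or "live". The `--check` flag, the function names and the sample context names are all my own.

```shell
#!/usr/bin/env bash
# goat-preflight.sh: refuse to install Kubernetes Goat on a cluster that is not a
# safe target. Added example for this page, not the project's own setup script.
# Assumptions (not from the slides): kubectl and helm are on PATH, the current
# kube-context is the throwaway cluster, and production contexts carry "prod",
# "production" or "live" in their names.
set -eu

# Heuristic: does the kube-context name look like a production cluster?
# Context names are free-form, so this is only a first line of defence.
looks_like_production() {
  case "$1" in
    *prod*|*production*|*live*) return 0 ;;
    *) return 1 ;;
  esac
}

# Interpret the one-word answer ("yes"/"no") printed by
# `kubectl auth can-i '*' '*' --all-namespaces`, the cheapest proxy for
# "this identity is effectively cluster-admin".
has_cluster_admin_rights() {
  [ "$1" = "yes" ]
}

# Pure decision function so it can be tested without a cluster: takes the
# context name and the can-i answer, prints every reason for refusal to stderr,
# and returns 0 only when it is safe to proceed.
evaluate_preflight() {
  local ctx="$1" can_i="$2" ok=0
  if looks_like_production "$ctx"; then
    echo "refuse: context '$ctx' looks like production; Kubernetes Goat must not run there" >&2
    ok=1
  fi
  if ! has_cluster_admin_rights "$can_i"; then
    echo "refuse: current identity is not cluster-admin (can-i answered '${can_i:-<empty>}')" >&2
    ok=1
  fi
  return "$ok"
}

# Gather the live inputs from the current cluster and run the decision.
preflight() {
  local tool ctx can_i
  for tool in kubectl helm; do
    command -v "$tool" >/dev/null 2>&1 || { echo "refuse: $tool not found on PATH" >&2; return 1; }
  done
  ctx="$(kubectl config current-context)"
  # can-i exits non-zero when the answer is "no"; capture the word, not the status.
  can_i="$(kubectl auth can-i '*' '*' --all-namespaces 2>/dev/null || true)"
  if evaluate_preflight "$ctx" "$can_i"; then
    echo "ok: '$ctx' is cluster-admin and does not look like production; safe to install Kubernetes Goat"
  else
    return 1
  fi
}

# Only talk to a cluster when invoked explicitly: `bash goat-preflight.sh --check`
if [ "${1:-}" = "--check" ]; then
  preflight
fi
```

    Run it with `--check` against the context you intend to use; it refuses with a reason on stderr instead of leaving you to notice after the vulnerable workloads are already deployed. The context-name heuristic is deliberately conservative: a false positive costs a rename or a conscious override, a false negative costs a vulnerable-by-design workload in production. The can-i check is the same signal the setup needs anyway, since the scenarios create cluster-scoped objects that a namespace-scoped identity cannot.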

  29. ⚡ Get Started with Kubernetes Goat 🐐

  30. ⚡ Get Started with Kubernetes Goat 🐐

  31. ⚡ Get Started with Kubernetes Goat 🐐
    https://madhuakula.com/kubernetes-goat

  32. 🔟 OWASP Kubernetes Top 10
    https://owasp.org/www-project-kubernetes-top-ten/

  33. 🛡 MITRE ATT&CK - Kubernetes
    https://attack.mitre.org
    https://microsoft.github.io/Threat-Matrix-for-Kubernetes/

  34. Let’s explore the

  35. 📝 Security Tools Reports

  36. 🥳 Adoption of Kubernetes Goat
    https://youtu.be/62_Cj6yseno?t=352

  37. Key Takeaways!
    🧐 A lot of gaps in the knowledge & understanding of the Cloud Native Ecosystem
    ⏩ The speed & adoption are growing faster, and the security maturity?
    📚 Lots of resources, frameworks, and tools. But not practical enough!
    🛡 Think & train practically like a hacker with real-world scenarios
    🚀 Learn, practice & build a secure cloud native ecosystem with Kubernetes Goat

  38. Spread the ❤ #KubernetesGoat
    🙌 Give it a try
    🚀 Contribute ideas & suggestions
    🤝 Work with the project & improve it
    🙏 Share your valuable feedback
    🌟 Star it on GitHub
    🎉 Spread the word #KubernetesGoat
    We have some awesome Kubernetes Goat stickers 🥳 Take a photo of your one & only cool sticker and share it with the #KubernetesGoat hashtag!

  39. 🙏 Thank You
    @madhuakula
    https://madhuakula.com
    Want to learn more, have some idea, or just want to say 👋
    Talk Feedback & Review
    #KubernetesGoat
    https://github.com/madhuakula/kubernetes-goat
    https://sched.co/1HyQj