Kubernetes Goat - Interactive Kubernetes Security Playground: 2022 Edition

Kubernetes Goat is a “vulnerable by design” Kubernetes cluster environment for practicing and learning about Kubernetes security.

In this session, Madhu Akula presents the latest version of Kubernetes Goat by exploring different vulnerabilities in Kubernetes clusters and containerised environments. He also demonstrates real-world vulnerabilities and maps the Kubernetes Goat scenarios to them. As a defender, you will see how learning these attacks and misconfigurations helps you understand and improve the security posture of your cloud native infrastructure.

The 2022 edition adds many new vulnerabilities and CVEs, and maps the scenarios to open source security tools that cover the path from writing developer code to deploying securely into production, across layers such as infrastructure security, supply chain security and runtime security.

Madhu Akula

May 04, 2022

Transcript

  1. Madhu Akula
    SANS CloudSecNext Summit 2022
    @madhuakula

  2. 🙌 Overview
    ⚡ The story
    🎯 Goal
    🪄 Hints & Spoilers
    🎉 Solution & Walkthrough
    🎲 Method 1
    🎲 Method 2
    🔖 References
    🎉 Kubernetes Goat Changes aka 2022 Edition
    🔥 Awesome fancy logo
    📖 Amazingly great documentation 🥳
    🚀 20+ hands-on scenarios (more 🏃…)
    ☸ Various cluster setups and configurations
    📝 Security Reports for various OSS tools (more 🏃…)
    💥 Scenarios improved towards Attackers, Defenders, etc.
    🙌 Lot of improvements towards contributions & modularity
    🎉 Cheat sheet, Diagrams, Resources, Wall of Love, Many others…
    @madhuakula

  3. About Me 😊
    ● Product Security @ Miro
    ● Creator of Kubernetes Goat, Hacker Container, tools.tldr.run, many other OSS projects.
    ● Speaker & Trainer at Blackhat, DEFCON, GitHub, USENIX, OWASP, All Day DevOps, SANS, DevSecCon, CNCF, c0c0n, Nullcon, SACON, null, many others.
    ● Author of Security Automation with Ansible 2, OWASP KSTG, whitepapers, etc.
    ● Technical reviewer (multiple books) & review board member of multiple conferences, organizations, communities, etc.
    ● Found security vulnerabilities in 200+ organizations and products including Google, Microsoft, AT&T, Adobe, WordPress, Ntop, etc.
    ● Certified Kubernetes Administrator, Offensive Security Certified Professional, etc.
    ● Never ending learner!
    @madhuakula

  4. What is Kubernetes Goat 🐐
    Kubernetes Goat is an interactive Kubernetes security learning playground. It contains intentionally vulnerable by design scenarios to showcase the common misconfigurations, real-world vulnerabilities, and security issues in Kubernetes clusters, containers, and cloud native environments.
    @madhuakula

  5. 🚨 Disclaimer
    Kubernetes Goat has intentionally created vulnerabilities, applications, and configurations to attack and gain access to your cluster and workloads. Please DO NOT run it alongside your production environments and infrastructure; we highly recommend running it in a safe and isolated environment.
    Kubernetes Goat is for educational purposes only; do not test or apply these attacks on any systems without permission. Kubernetes Goat comes with absolutely no warranties, and by using it you take full responsibility for all the outcomes.
    @madhuakula

  6. Who can use Kubernetes Goat 🤔
    Kubernetes Goat is intended for a variety of audiences and end-users. This includes hackers, attackers, defenders, developers, architects, DevOps teams, engineers, researchers, products, vendors, and anyone interested in learning about Kubernetes security.
    Below are some of the very high-level categories of audience:
    💥 Attackers & Red Teams
    🛡 Defenders & Blue Teams
    🧰 Products & Vendors
    🔐 Developers & DevOps Teams
    💡 Interested in Kubernetes Security
    @madhuakula

  7. 🔥 Kubernetes Goat Audience
    @madhuakula

  8. Scenarios in Kubernetes Goat 🚀
    1. Sensitive keys in codebases
    2. DIND (docker-in-docker) exploitation
    3. SSRF in the Kubernetes (K8S) world
    4. Container escape to the host system
    5. Docker CIS benchmarks analysis
    6. Kubernetes CIS benchmarks analysis
    7. Attacking private registry
    8. NodePort exposed services
    9. Helm v2 tiller to PwN the cluster - [Deprecated]
    10. Analyzing crypto miner container
    12. Gaining environment information
    13. DoS the memory/cpu resources
    14. Hacker Container preview
    15. Hidden in layers
    16. RBAC Least Privileges Misconfiguration
    17. KubeAudit - Audit Kubernetes Clusters
    18. Sysdig Falco - Runtime Security Monitoring & Detection
    19. Popeye - A Kubernetes Cluster Sanitizer
    20. Secure network boundaries using NSP
    15+ more scenarios releasing soon… ❤
    Scenarios are being updated with Defenders, Developers, Tools & Vendor sections for each scenario 🥳
    @madhuakula

  9. ⚙ How can I set up Kubernetes Goat
    🚀 Katacoda Playground - Free Online in-browser
    ☸ Vanilla Kubernetes Cluster
    ☁ AWS Kubernetes (EKS)
    ☁ GCP Kubernetes (GKE)
    ☁ Azure Kubernetes (AKS)
    ☸ Kubernetes IN Docker (KiND)
    ☸ Lightweight Kubernetes (K3S) - Coming soon 👀
    ☸ Digital Ocean, Vagrant, Many others…
    @madhuakula

  10. Try out Kubernetes Goat in Seconds for Free 🙌
    https://katacoda.com/madhuakula/scenarios/kubernetes-goat
    @madhuakula

  11. ⎈ Setting up in your Kubernetes Cluster
    ● Make sure you have a Kubernetes cluster with cluster-admin privileges, and kubectl and helm installed on your system, before running the following commands to set up Kubernetes Goat:
    $ git clone https://github.com/madhuakula/kubernetes-goat.git
    $ cd kubernetes-goat
    $ bash setup-kubernetes-goat.sh
    $ bash access-kubernetes-goat.sh
    ● Now you can access Kubernetes Goat by navigating to http://127.0.0.1:1234
    @madhuakula
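A pre-flight check for the setup above, added here as an example and not part of the Kubernetes Goat scripts: it verifies the tools the slide requires, refuses kubeconfig contexts whose names look like production (the pattern is a constructed heuristic to adapt), and confirms cluster-admin before any setup script runs.

```shell
#!/usr/bin/env bash
# Pre-flight checks before running setup-kubernetes-goat.sh (added example,
# not part of the Kubernetes Goat project). Call `preflight` to run them.
set -eu

# Context names that suggest a shared or production cluster. This pattern is a
# constructed heuristic; adapt it to your own cluster naming scheme.
UNSAFE_PATTERN='prod|production|live|shared'

# Returns 0 when the context name looks like a throwaway lab cluster,
# 1 when it matches UNSAFE_PATTERN (case-insensitive).
is_safe_context() {
  if printf '%s' "$1" | grep -Eiq "$UNSAFE_PATTERN"; then
    return 1
  fi
  return 0
}

# Returns 0 when every named tool is on PATH, 1 otherwise (missing ones are
# listed on stderr so the user sees all gaps at once).
have_tools() {
  missing=0
  for tool in "$@"; do
    if ! command -v "$tool" >/dev/null 2>&1; then
      echo "missing required tool: $tool" >&2
      missing=1
    fi
  done
  return "$missing"
}

# Live checks against the current kubeconfig context: tools present, context
# not production-looking, and the identity really has cluster-admin rights.
preflight() {
  have_tools git kubectl helm || return 1
  ctx="$(kubectl config current-context)"
  if ! is_safe_context "$ctx"; then
    echo "refusing: context '$ctx' looks like a production cluster" >&2
    return 1
  fi
  # The setup script needs cluster-admin; check for the wildcard permission.
  if ! kubectl auth can-i '*' '*' --all-namespaces >/dev/null 2>&1; then
    echo "refusing: current identity lacks cluster-admin in '$ctx'" >&2
    return 1
  fi
  echo "preflight ok: context '$ctx' has cluster-admin and all tools present"
}
```

Source the file and run `preflight` before `bash setup-kubernetes-goat.sh`; a non-zero exit means stop and fix the environment first.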

  12. ⚡ Get Started with Kubernetes Goat 🐐
    @madhuakula

  13. ⚡ Get Started with Kubernetes Goat 🐐
    @madhuakula

  14. ⚡ Get Started with Kubernetes Goat 🐐
    @madhuakula
    https://madhuakula.com/kubernetes-goat

  15. ☸ 🐐 Demo Time 🤞 🙏
    @madhuakula

  16. 🏁 What’s next for Kubernetes Goat
    🔥 All scenarios will be updated with Defenders, Developers, Tools & Vendors sections
    📖 Updating and maintaining the great documentation
    🚀 15+ more real-world hands-on scenarios coming (more and more will come 🏃…)
    ☸ One-click setups, various vendor related product testbeds, many more integrations
    📝 Various OSS & Vendor tools (working with security vendors to bridge the gap 👋)
    💥 Heavy push towards Developers, DevOps, Architects & non-security learning experience
    🏆 Go-to Kubernetes Security resource for anyone (from a variety of experience and skill levels)
    🎉 Sponsors, roadmap, support, contributors, more global scope around Cloud Native
    @madhuakula

  17. Spread the ❤ Kubernetes Goat
    🙌 Give it a try
    🚀 Contribute ideas & suggestions
    🤝 Work with the project & improve
    🙏 Share your valuable feedback
    🌟 Star in our GitHub
    🎉 Spread the word in social media
    https://madhuakula.com/kubernetes-goat/docs/wall-of-love
    Awesome Kubernetes Goat Stickers, T-Shirts & Some cool goodies on the way 🥳
    @madhuakula

  18. Thank you 🙏
    Want to learn more, have some idea, or just wanted to say 👋
    @madhuakula
    https://madhuakula.com