Kubernetes Goat - Practical Approach to Learn Kubernetes Security

Transcript

1. TRACK: DEVSECOPS
   NOVEMBER 12, 2020
   Madhu Akula
   Kubernetes Goat
   Practical Approach to
   Learn Kubernetes
   Security
   

   View Slide

2. TRACK: DEVSECOPS
   ● Creator of Kubernetes Goat, Hacker Container, tools.tldr.run, many other OSS projects.
   ● Speaker & Trainer at Blackhat, DEFCON, GitHub, USENIX, OWASP, All Day DevOps,
   DevSecCon, CNCF, c0c0n, Nullcon, SACON, null, many others.
   ● Author of Security Automation with Ansible2, OWASP KSTG, DevSecOps whitepaper, etc.
   ● Technical reviewer (multiple books) & Review board member of multiple conferences,
   organizations, communities, etc.
   ● Found security vulnerabilities in 200+ organizations and products including Google,
   Microsoft, AT&T, Adobe, WordPress, Ntop, etc.
   ● Certified Kubernetes Administrator & Offensive Security Certified Professional, etc.
   ● Never ending learner!
   About Me
   

   View Slide

3. TRACK: DEVSECOPS
   What is Kubernetes Goat?
   Kubernetes Goat is designed to be an intentionally
   vulnerable cluster environment to learn and practice
   Kubernetes security.
   

   View Slide

4. TRACK: DEVSECOPS
   Disclaimer
   Kubernetes Goat creates intentionally vulnerable resources into your cluster. DO NOT
   deploy Kubernetes Goat in a production environment or alongside any sensitive cluster
   resources.
   

   View Slide

5. TRACK: DEVSECOPS
   Current Scenarios in Kubernetes Goat!
   1. Sensitive keys in code bases
   2. DIND (docker-in-docker) exploitation
   3. SSRF in K8S world
   4. Container escape to access host system
   5. Docker CIS Benchmarks analysis
   6. Kubernetes CIS Benchmarks analysis
   7. Attacking private registry
   8. NodePort exposed services
   9. Helm v2 tiller to PwN the cluster
   10. Analysing crypto miner container
   11. Kubernetes Namespaces bypass
   12. Gaining environment information
   13. DoS the memory/cpu resources
   14. Hacker Container preview
   15. Hidden in layers
   16. RBAC Least Privileges Misconfiguration
   17. KubeAudit - Audit Kubernetes Clusters
   18. Sysdig Falco - Runtime Security Monitoring & Detection
   19. Popeye - A Kubernetes Cluster Sanitizer
   20. Secure network boundaries using NSP
   More coming soon….
   

   View Slide

6. TRACK: DEVSECOPS
   ● Ensure you have admin access to the Kubernetes cluster
   ○ Refer to kubectl releases for binaries
   https://kubernetes.io/docs/tasks/tools/install-kubectl/
   ● Verify by running kubectl version
   ● Ensure you have helm version 2 setup in your path as helm2
   ○ Refer to helm version 2 releases for binaries
   https://github.com/helm/helm/releases
   ○ Verify by running helm2 version
   ● To set up the Kubernetes Goat resources in your cluster, run the following commands
   git clone https://github.com/madhuakula/kubernetes-goat.git
   cd kubernetes-goat
   bash setup-kubernetes-goat.sh
   Kubernetes Goat Setup
   

   View Slide

7. TRACK: DEVSECOPS
   https://katacoda.com/madhuakula/scenarios/kubernetes-goat
   Kubernetes Goat - Without Setup 😎
   

   View Slide

8. TRACK: DEVSECOPS
   Demo Time!
   

   View Slide

9. TRACK: DEVSECOPS
   ● Attackers/Red Teams
   ○ Learning how to attack/find security issues with in containers, Kubernetes and similar
   environments and workloads to exploit and gain access
   ● Defenders/Blue Teams
   ○ Understanding best practices, learning how attackers works to apply defense, practicing the
   attacks, misconfigurations to apply defense and detection
   ● Security Vendors
   ○ Using Kubernetes Goat to showcase the effectiveness of the tools/product, helping educate
   the customers and sharing their knowledge in an interactive hands-on way
   ● Architects/Engineers/Consultants/Developers/Users/etc…
   ○ Learning and Practicing
   ● Share it with your friends, colleagues, everyone. Provide your valuable feedback, contributions, and
   suggestions
   Key Takeaways!
   

   View Slide

10. TRACK: DEVSECOPS
    Thank You!
    @madhuakula
    https://madhuakula.com
    

    View Slide