
Kubernetes Goat - Practical Approach to Learn Kubernetes Security


In this session, Madhu Akula will show how to get started with Kubernetes Goat by exploring different vulnerabilities in Kubernetes clusters and containerised environments. He will also demonstrate real-world vulnerabilities and map the Kubernetes Goat scenarios to them. As a defender, you will see how learning these attacks and misconfigurations helps you understand and improve the security posture of your cloud-native infrastructure.

https://www.alldaydevops.com/addo-speakers/madhu-akula

Madhu Akula

October 28, 2021


Transcript

  1. TRACK: DEVSECOPS
    NOVEMBER 12, 2020
    Madhu Akula
    Kubernetes Goat
    Practical Approach to Learn Kubernetes Security

  2. About Me
    ● Creator of Kubernetes Goat, Hacker Container, tools.tldr.run, many other OSS projects.
    ● Speaker & Trainer at Blackhat, DEFCON, GitHub, USENIX, OWASP, All Day DevOps, DevSecCon, CNCF, c0c0n, Nullcon, SACON, null, many others.
    ● Author of Security Automation with Ansible 2, OWASP KSTG, DevSecOps whitepaper, etc.
    ● Technical reviewer (multiple books) & Review board member of multiple conferences, organizations, communities, etc.
    ● Found security vulnerabilities in 200+ organizations and products including Google, Microsoft, AT&T, Adobe, WordPress, Ntop, etc.
    ● Certified Kubernetes Administrator & Offensive Security Certified Professional, etc.
    ● Never-ending learner!

  3. What is Kubernetes Goat?
    Kubernetes Goat is designed to be an intentionally vulnerable cluster environment to learn and practice Kubernetes security.

  4. Disclaimer
    Kubernetes Goat creates intentionally vulnerable resources in your cluster. DO NOT deploy Kubernetes Goat in a production environment or alongside any sensitive cluster resources.

  5. Current Scenarios in Kubernetes Goat!
    1. Sensitive keys in code bases
    2. DIND (docker-in-docker) exploitation
    3. SSRF in K8S world
    4. Container escape to access host system
    5. Docker CIS Benchmarks analysis
    6. Kubernetes CIS Benchmarks analysis
    7. Attacking private registry
    8. NodePort exposed services
    9. Helm v2 tiller to PwN the cluster
    10. Analysing crypto miner container
    11. Kubernetes Namespaces bypass
    12. Gaining environment information
    13. DoS the memory/cpu resources
    14. Hacker Container preview
    15. Hidden in layers
    16. RBAC Least Privileges Misconfiguration
    17. KubeAudit - Audit Kubernetes Clusters
    18. Sysdig Falco - Runtime Security Monitoring & Detection
    19. Popeye - A Kubernetes Cluster Sanitizer
    20. Secure network boundaries using NSP
    More coming soon…
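Several of the scenarios above (sensitive keys in code, DIND via the Docker socket, container escape through privileged or host-namespace pods, NodePort exposure, and resource-exhaustion DoS) correspond to settings a defender can find in a manifest before it is ever applied. The following added example is not part of Kubernetes Goat or its scenario resources: it is a small static checker that walks workload and Service manifests (as plain dicts, the shape `kubectl get ... -o json` returns, so no YAML library is needed) and tags each finding with the scenario class it belongs to. The sample manifests, the `SECRET_ENV` name pattern and the list of sensitive host paths are constructed assumptions for illustration.

```python
"""Static misconfiguration checks keyed to the Kubernetes Goat scenario classes.

Added example, not the project's own code. Manifests are plain dicts (the
structure of `kubectl get <kind> -o json`), so the standard library suffices.
"""
import re

# Assumption: an environment variable with one of these tokens in its name and a
# literal `value` (rather than a secretKeyRef) is a candidate "sensitive key in code".
SECRET_ENV = re.compile(r"(PASS|PASSWORD|SECRET|TOKEN|API_?KEY|PRIVATE_?KEY)", re.I)

# Assumption: hostPath mounts of these directories give broad access to the node.
RISKY_HOST_PATHS = {"/", "/etc", "/root", "/var/lib/kubelet"}


def _pod_spec(doc):
    """Return the PodSpec for a Pod or for a workload kind that embeds a pod template."""
    kind = doc.get("kind")
    if kind == "Pod":
        return doc["spec"]
    if kind in ("Deployment", "DaemonSet", "StatefulSet", "Job", "ReplicaSet"):
        return doc["spec"]["template"]["spec"]
    return None


def check_pod_spec(spec):
    """Return a list of (scenario, detail) tuples for one PodSpec."""
    findings = []
    if spec.get("hostPID") or spec.get("hostNetwork"):
        findings.append(("container escape", "pod shares the host PID or network namespace"))
    for vol in spec.get("volumes", []):
        path = vol.get("hostPath", {}).get("path", "")
        if path.rstrip("/").endswith("docker.sock"):
            findings.append(("DIND", f"hostPath volume {vol['name']!r} mounts {path}"))
        elif path in RISKY_HOST_PATHS:
            findings.append(("container escape", f"hostPath volume {vol['name']!r} mounts {path}"))
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        name = c.get("name", "?")
        if c.get("securityContext", {}).get("privileged"):
            findings.append(("container escape", f"container {name!r} is privileged"))
        if "limits" not in c.get("resources", {}):
            findings.append(("DoS", f"container {name!r} has no resource limits"))
        for env in c.get("env", []):
            # A literal `value` under a credential-looking name; secretKeyRef is fine.
            if "value" in env and SECRET_ENV.search(env.get("name", "")):
                findings.append(("sensitive keys", f"container {name!r} sets {env['name']} as a literal"))
    return findings


def check_manifest(doc):
    """Dispatch on kind: Services are checked for NodePort exposure, workloads for pod issues."""
    if doc.get("kind") == "Service" and doc.get("spec", {}).get("type") == "NodePort":
        return [("NodePort exposed", f"service {doc['metadata']['name']!r} is type NodePort")]
    spec = _pod_spec(doc)
    return check_pod_spec(spec) if spec else []


def scan(manifests):
    """Map each manifest name to its findings; a CI gate can fail on any non-empty entry."""
    return {m["metadata"]["name"]: check_manifest(m) for m in manifests}


# Constructed sample manifests: one deliberately weak CI agent, one NodePort
# service, and one pod that passes every check.
SAMPLE_MANIFESTS = [
    {
        "kind": "Deployment",
        "metadata": {"name": "build-agent", "namespace": "ci"},
        "spec": {"template": {"spec": {
            "volumes": [{"name": "dockersock", "hostPath": {"path": "/var/run/docker.sock"}}],
            "containers": [{
                "name": "agent",
                "image": "example/build-agent:1.0",
                "securityContext": {"privileged": True},
                "env": [{"name": "REGISTRY_PASSWORD", "value": "hunter2"}],
                "volumeMounts": [{"name": "dockersock", "mountPath": "/var/run/docker.sock"}],
            }],
        }}},
    },
    {
        "kind": "Service",
        "metadata": {"name": "internal-proxy"},
        "spec": {"type": "NodePort", "ports": [{"port": 8080, "nodePort": 30080}]},
    },
    {
        "kind": "Pod",
        "metadata": {"name": "hardened-app"},
        "spec": {"containers": [{
            "name": "app",
            "image": "example/app:1.0",
            "securityContext": {"runAsNonRoot": True, "allowPrivilegeEscalation": False},
            "resources": {"limits": {"cpu": "500m", "memory": "256Mi"}},
            "env": [{"name": "DB_PASSWORD",
                     "valueFrom": {"secretKeyRef": {"name": "db", "key": "password"}}}],
        }]},
    },
]

if __name__ == "__main__":
    for name, findings in scan(SAMPLE_MANIFESTS).items():
        print(f"{name}: {'clean' if not findings else ''}")
        for scenario, detail in findings:
            print(f"  [{scenario}] {detail}")
```

Running it reports four findings for `build-agent` (DIND, container escape, DoS, sensitive keys), one for `internal-proxy` (NodePort exposed) and none for `hardened-app`. The checks are deliberately shallow; tools like KubeAudit and Popeye from the scenario list cover far more, but this shows how each scenario reduces to a field a reviewer can grep for.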

  6. Kubernetes Goat Setup
    ● Ensure you have admin access to the Kubernetes cluster
    ○ Refer to kubectl releases for binaries: https://kubernetes.io/docs/tasks/tools/install-kubectl/
    ● Verify by running kubectl version
    ● Ensure you have helm version 2 set up in your path as helm2
    ○ Refer to helm version 2 releases for binaries: https://github.com/helm/helm/releases
    ○ Verify by running helm2 version
    ● To set up the Kubernetes Goat resources in your cluster, run the following commands:
    git clone https://github.com/madhuakula/kubernetes-goat.git
    cd kubernetes-goat
    bash setup-kubernetes-goat.sh

  7. Kubernetes Goat - Without Setup 😎
    https://katacoda.com/madhuakula/scenarios/kubernetes-goat

  8. Demo Time!

  9. Key Takeaways!
    ● Attackers/Red Teams
    ○ Learning how to attack and find security issues within containers, Kubernetes and similar environments and workloads to exploit and gain access
    ● Defenders/Blue Teams
    ○ Understanding best practices, learning how attackers work to apply defense, practicing the attacks and misconfigurations to apply defense and detection
    ● Security Vendors
    ○ Using Kubernetes Goat to showcase the effectiveness of their tools/products, helping educate customers and sharing their knowledge in an interactive, hands-on way
    ● Architects/Engineers/Consultants/Developers/Users/etc.
    ○ Learning and practicing
    ● Share it with your friends, colleagues, everyone. Provide your valuable feedback, contributions, and suggestions

  10. Thank You!
    @madhuakula
    https://madhuakula.com