Mastering Kubernetes Security with Kubernetes Goat - Cloud-Native Modernization @ TechTarget

Kubernetes security is crucial in ensuring the safety and integrity of your organization's data and systems. However, keeping up with the latest security threats and vulnerabilities can be a daunting task. This is where Kubernetes Goat comes in - a "vulnerable by design" Kubernetes Cluster environment that allows you to practice and learn Kubernetes security in a hands-on way.

In this webinar, Pragmatic Security Leader Madhu Akula presents the latest version of Kubernetes Goat and demonstrates how to use it to identify and mitigate vulnerabilities in Kubernetes and containerized environments. He covers various attack scenarios and real-world vulnerabilities and shows how Kubernetes Goat scenarios map to them. The session also explores open-source security tools that can be used to write secure code and deploy secure containers in production.

Key Takeaways:
- Gain practical, hands-on experience with Kubernetes security through 25+ offensive and defensive scenarios.
- Learn about the latest security threats and vulnerabilities in containers, Kubernetes, and cloud-native environments.
- Access detailed documentation, labs, and other resources to continue your learning and development in Kubernetes security.
- And more...

Madhu Akula

April 26, 2023

Transcript

  1. Madhu Akula
    Cloud-Native Modernization @ TechTarget
    @madhuakula
    Mastering Kubernetes
    Security with Kubernetes Goat

  2. About Me 😊
    👉 Pragmatic Security Leader, working on Cloud Native Infra, Security, and Startups
    👉 Creator of Kubernetes Goat, Hacker Container, tools.tldr.run, many other OSS projects.
    👉 Speaks & Trains at Black Hat (USA, EU, Asia), DEF CON, GitHub, USENIX, OWASP, All Day DevOps,
    SANS, DevSecCon, CNCF, c0c0n, Nullcon, null, many others around the globe.
    👉 Author of Security Automation with Ansible 2, OWASP KSTG, whitepapers, etc.
    👉 Technical reviewer (multiple books) & Review board member of multiple conferences,
    organizations, communities, advisory, etc.
    👉 Found security vulnerabilities in 200+ organizations and products including Google, Microsoft,
    AT&T, Adobe, eBay, WordPress, Ntop, Cloudflare, Yahoo, LocalBitcoins, etc.
    👉 Certified Kubernetes (CKA/CKS), Offensive Security Certified Professional, etc.
    👉 Never-ending learner!

  3. What is Docker?
    https://kubernetes.io/docs/concepts/overview/what-is-kubernetes/#going-back-in-time

  4. What is Docker?
    ● Docker is an open source platform for building, deploying, and managing
    containerized applications
    ● Docker became the de facto standard to build and share containerized apps
    - from desktop, to the cloud, even edge devices
    ● Docker enables developers to easily pack, ship, and run any application as a
    lightweight, portable, self-sufficient container, which can run virtually
    anywhere
    https://docs.docker.com/get-started/overview/

  5. What is Kubernetes?
    Kubernetes is a portable, extensible, open-source platform for
    managing containerized workloads and services, that
    facilitates both declarative configuration and automation. It
    has a large, rapidly growing ecosystem. Kubernetes services,
    support, and tools are widely available.
    https://kubernetes.io/docs/concepts/overview/what-is-kubernetes/

  6. What is Kubernetes?

  7. The illustrated children's guide to Kubernetes
    https://www.youtube.com/watch?v=3I9PkvZ80BQ

  8. Why Kubernetes Security Matters?
    Lack of knowledge in security teams

  9. Why Kubernetes Security Matters?
    Rapidly growing Cloud Native Landscape ecosystem

  10. Why Kubernetes Security Matters?
    Technology gap: adoption & maturity

  11. Why Kubernetes Security Matters?

  12. 📚 Kubernetes Security - Layers & Areas
    https://owasp.org/www-project-kubernetes-top-ten/

  13. 📚 Kubernetes Security Learning - Application Security
    The security of the application code and dependencies
    that run inside the Kubernetes cluster. This can be
    achieved by following secure software development
    lifecycle standards and conducting regular code reviews,
    penetration testing, and vulnerability assessments.

  14. 📚 Kubernetes Security Learning - Image Security
    The security of the images used to deploy containers in
    the Kubernetes cluster. This includes scanning images for
    vulnerabilities, using image signing and verification, and
    only using trusted sources for images.

  15. 📚 Kubernetes Security Learning - Supply-chain Security
    The security of the entire process from writing application
    code to deploying it in production, which involves areas
    such as libraries, dependencies, signing, SBOM, validation,
    and enforcement with the SLSA framework.

  16. 📚 Kubernetes Security Learning - Infrastructure Security
    The security of the underlying infrastructure that
    supports the Kubernetes cluster, including network
    security, access control, and ensuring that the underlying
    operating system is patched and up-to-date.

  17. 📚 Kubernetes Security Learning - Container Security
    The security of the containers deployed in the Kubernetes
    cluster, including setting resource limits, using security
    contexts, and ensuring that containers run as non-root
    users.
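A concrete version of this slide's checklist, as an added example (not Kubernetes Goat's own code and not one of its scenarios): a constructed insecure Pod manifest, a `harden()` step that applies the settings named above (non-root, dropped capabilities, read-only root filesystem, no host namespaces, resource limits), and an `audit()` that reports which of them are missing, in the spirit of what kubeaudit or Popeye print. The field names are the real Pod spec fields; the manifests, the user id 10001 and the particular limits are assumptions for illustration.

```python
"""Audit a Pod manifest for the container-security settings on the slide.

Added example, not part of Kubernetes Goat. WEAK_POD is constructed; the
check list is a small subset of what kubeaudit or Popeye report.
"""
import copy

# Constructed insecure manifest: privileged, host PID namespace, no
# securityContext hardening, no resource limits, SA token auto-mounted.
WEAK_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "demo"},
    "spec": {
        "hostPID": True,
        "containers": [{
            "name": "app",
            "image": "example/app:latest",  # assumed image name
            "securityContext": {"privileged": True},
        }],
    },
}


def harden(pod):
    """Return a hardened copy of `pod`: drop host namespaces and the SA token
    mount, run as non-root, drop all capabilities, read-only rootfs, and set
    CPU/memory limits (uid 10001 and the limits are illustrative choices)."""
    pod = copy.deepcopy(pod)
    spec = pod["spec"]
    for key in ("hostPID", "hostNetwork", "hostIPC"):
        spec.pop(key, None)
    spec["automountServiceAccountToken"] = False
    for c in spec["containers"]:
        c["securityContext"] = {
            "privileged": False,
            "allowPrivilegeEscalation": False,
            "runAsNonRoot": True,
            "runAsUser": 10001,
            "readOnlyRootFilesystem": True,
            "capabilities": {"drop": ["ALL"]},
        }
        c.setdefault("resources", {})["limits"] = {"cpu": "500m", "memory": "256Mi"}
    return pod


def audit(pod):
    """Return a sorted list of finding strings; an empty list means clean."""
    findings = []
    spec = pod.get("spec", {})
    for key in ("hostPID", "hostNetwork", "hostIPC"):
        if spec.get(key):
            findings.append(f"pod: {key} enabled")
    if spec.get("automountServiceAccountToken", True):
        findings.append("pod: service account token auto-mounted")
    for c in spec.get("containers", []):
        name = c.get("name", "?")
        sc = c.get("securityContext", {})
        if sc.get("privileged"):
            findings.append(f"{name}: privileged container")
        if sc.get("allowPrivilegeEscalation", True):
            findings.append(f"{name}: allowPrivilegeEscalation not disabled")
        # Without runAsNonRoot the image's USER decides; treat that as a risk.
        if not sc.get("runAsNonRoot") and sc.get("runAsUser", 0) == 0:
            findings.append(f"{name}: may run as root")
        if not sc.get("readOnlyRootFilesystem"):
            findings.append(f"{name}: writable root filesystem")
        if "ALL" not in sc.get("capabilities", {}).get("drop", []):
            findings.append(f"{name}: capabilities not dropped")
        limits = c.get("resources", {}).get("limits", {})
        for res in ("cpu", "memory"):
            if res not in limits:
                findings.append(f"{name}: no {res} limit")
    return sorted(findings)


if __name__ == "__main__":
    for f in audit(WEAK_POD):
        print("WEAK   ", f)
    print("HARDENED findings:", audit(harden(WEAK_POD)))
```

The checks are deliberately conservative: a container with no `runAsNonRoot` is reported even though its image might set a non-root `USER`, because the manifest alone cannot prove it, which is the same reason admission policies (Pod Security Admission, Kyverno) insist on the field being set explicitly.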

  18. 📚 Kubernetes Security Learning - Cluster Security
    The security of the Kubernetes cluster itself, including
    securing the Kubernetes API server, etcd, and worker
    nodes. This can be achieved through measures such as
    enabling RBAC, enabling network policies, disabling
    anonymous access to the API server, and more.
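"Enabling RBAC" is only half the job; the other half is that the roles you bind are least-privilege. Below is an added example (not Kubernetes Goat's code; its scenario 16, "RBAC least privileges misconfiguration", is the hands-on counterpart) that scans a Role or ClusterRole manifest for the grants an attacker looks for first: wildcards, reading Secrets, `pods/exec`, and the `bind`/`escalate`/`impersonate` verbs that let a subject widen its own rights. Both roles are constructed; the list of sensitive (resource, verb) pairs is an assumption, not an official catalogue.

```python
"""Flag over-privileged RBAC rules in a Role/ClusterRole manifest.

Added example, not part of Kubernetes Goat; both roles are constructed.
"""

# (resource, verb) pairs that read credentials, run code in other
# workloads, or let a subject grant itself more rights.
SENSITIVE = {
    ("secrets", "get"), ("secrets", "list"), ("secrets", "watch"),
    ("pods/exec", "create"), ("pods/attach", "create"),
    ("clusterroles", "bind"), ("roles", "bind"),
    ("clusterroles", "escalate"), ("roles", "escalate"),
    ("users", "impersonate"), ("groups", "impersonate"),
    ("serviceaccounts", "impersonate"),
}

OVERBROAD_ROLE = {  # constructed: looks like a reader, is cluster-admin
    "apiVersion": "rbac.authorization.k8s.io/v1",
    "kind": "ClusterRole",
    "metadata": {"name": "app-reader"},
    "rules": [
        {"apiGroups": [""], "resources": ["pods", "secrets"], "verbs": ["get", "list"]},
        {"apiGroups": [""], "resources": ["pods/exec"], "verbs": ["create"]},
        {"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]},
    ],
}

LEAST_PRIVILEGE_ROLE = {  # constructed: read one named ConfigMap, nothing else
    "apiVersion": "rbac.authorization.k8s.io/v1",
    "kind": "Role",
    "metadata": {"name": "app-config-reader", "namespace": "app"},
    "rules": [
        {"apiGroups": [""], "resources": ["configmaps"], "verbs": ["get"],
         "resourceNames": ["app-config"]},
    ],
}


def audit_role(role):
    """Return a sorted list of findings, one per risky (rule, grant); [] if clean."""
    findings = []
    cluster_wide = role.get("kind") == "ClusterRole"
    for i, rule in enumerate(role.get("rules", [])):
        resources = rule.get("resources", [])
        verbs = rule.get("verbs", [])
        if "*" in verbs or "*" in resources or "*" in rule.get("apiGroups", []):
            # A wildcard anywhere in the rule makes the finer checks moot.
            findings.append(f"rule {i}: wildcard grant (cluster-wide={cluster_wide})")
            continue
        for res in resources:
            for verb in verbs:
                if (res, verb) in SENSITIVE:
                    findings.append(f"rule {i}: {verb} on {res}")
    return sorted(findings)


if __name__ == "__main__":
    for name, role in (("overbroad", OVERBROAD_ROLE), ("least-privilege", LEAST_PRIVILEGE_ROLE)):
        print(name, audit_role(role) or "clean")
```

Against a live cluster the same questions are answered by `kubectl auth can-i --list --as=system:serviceaccount:<ns>:<sa>`, which shows the effective grants of a workload identity after all bindings are combined; a static scan like this one is the pre-merge check on the manifests.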

  19. 📚 Kubernetes Security Learning - Network Security
    The security of the network traffic that flows in and out of
    the Kubernetes cluster, including measures such as
    network policies, encryption, and firewalls.
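Network policies are where the most common "we have a deny-all policy" mistake lives, so here is an added example (not Kubernetes Goat's code; its scenario 20, "Secure network boundaries using NSP", is the lab) that evaluates the documented NetworkPolicy semantics over constructed policies: a pod is isolated for a direction only if some policy selecting it lists that direction in `policyTypes`; an empty `podSelector` selects every pod in the namespace; and when `policyTypes` is omitted it defaults to `Ingress`, plus `Egress` only if an `egress` section is present, which is why a policy with just `ingress: []` leaves egress wide open. Only `matchLabels` selectors and same-namespace `podSelector` peers are modelled; `namespaceSelector`, `ipBlock` and `matchExpressions` are left out of this illustration.

```python
"""Evaluate NetworkPolicy isolation and same-namespace ingress decisions.

Added example, not part of Kubernetes Goat. Policies are constructed and
follow the networking.k8s.io/v1 NetworkPolicy spec fields.
"""

DEFAULT_DENY_ALL = {  # the usual namespace baseline: isolates both directions
    "apiVersion": "networking.k8s.io/v1",
    "kind": "NetworkPolicy",
    "metadata": {"name": "default-deny-all", "namespace": "app"},
    "spec": {"podSelector": {}, "policyTypes": ["Ingress", "Egress"]},
}

# Common mistake: intended as deny-all, but policyTypes is omitted and there
# is no egress section, so only ingress is isolated and egress stays open.
INGRESS_ONLY_DENY = {
    "apiVersion": "networking.k8s.io/v1",
    "kind": "NetworkPolicy",
    "metadata": {"name": "deny-ish", "namespace": "app"},
    "spec": {"podSelector": {}, "ingress": []},
}

ALLOW_DB_FROM_API = {  # selects only db pods and admits traffic from api pods
    "apiVersion": "networking.k8s.io/v1",
    "kind": "NetworkPolicy",
    "metadata": {"name": "allow-api-to-db", "namespace": "app"},
    "spec": {
        "podSelector": {"matchLabels": {"app": "db"}},
        "policyTypes": ["Ingress"],
        "ingress": [{"from": [{"podSelector": {"matchLabels": {"app": "api"}}}]}],
    },
}


def selects(selector, labels):
    """matchLabels-only label selector; an empty selector matches everything."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())


def policy_types(spec):
    """Apply the spec's default: Ingress always, Egress only if an egress section exists."""
    if "policyTypes" in spec:
        return set(spec["policyTypes"])
    return {"Ingress"} | ({"Egress"} if "egress" in spec else set())


def isolation(pod_labels, policies):
    """Return (ingress_isolated, egress_isolated) for a pod with these labels."""
    ingress = egress = False
    for pol in policies:
        spec = pol["spec"]
        if not selects(spec["podSelector"], pod_labels):
            continue
        types = policy_types(spec)
        ingress |= "Ingress" in types
        egress |= "Egress" in types
    return ingress, egress


def ingress_allowed(src_labels, dst_labels, policies):
    """True if a pod with src_labels may reach a pod with dst_labels (same namespace).
    Policies are additive: any selecting policy with a matching rule allows it."""
    if not isolation(dst_labels, policies)[0]:
        return True  # destination not isolated for ingress: everything is allowed
    for pol in policies:
        spec = pol["spec"]
        if not selects(spec["podSelector"], dst_labels) or "Ingress" not in policy_types(spec):
            continue
        for rule in spec.get("ingress", []):
            peers = rule.get("from")
            if not peers:  # a rule without 'from' admits all sources
                return True
            # Only podSelector-only peers are modelled here (assumption of this example).
            if any("podSelector" in p and "namespaceSelector" not in p
                   and selects(p["podSelector"], src_labels) for p in peers):
                return True
    return False


if __name__ == "__main__":
    print("deny-ish isolates:", isolation({"app": "api"}, [INGRESS_ONLY_DENY]))
    print("deny-all isolates:", isolation({"app": "api"}, [DEFAULT_DENY_ALL]))
    print("api->db:", ingress_allowed({"app": "api"}, {"app": "db"}, [DEFAULT_DENY_ALL, ALLOW_DB_FROM_API]))
    print("web->db:", ingress_allowed({"app": "web"}, {"app": "db"}, [DEFAULT_DENY_ALL, ALLOW_DB_FROM_API]))
```

The takeaway the code makes explicit: `ALLOW_DB_FROM_API` on its own does nothing for `api` or `web` pods, because a policy only restricts the pods it selects; the baseline deny-all is what turns the allow rules into a real boundary.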

  20. 📚 Kubernetes Security Learning - Runtime Security
    The ongoing security of the Kubernetes cluster for
    detecting and responding to any security incidents or
    suspicious activity. This can be achieved through measures
    such as logging and monitoring, threat detection and
    response, and using security-focused tools like
    Kubernetes Goat to simulate attacks and identify
    vulnerabilities.
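As an added example of the "logging and monitoring, threat detection" half of this slide (not Kubernetes Goat's code, and not how Falco or Tetragon work, which observe syscalls and eBPF events rather than API calls): a handful of detection rules run over Kubernetes API server audit events. The events are constructed and trimmed to the `audit.k8s.io/v1` fields the rules read (`verb`, `user.username`, `objectRef`, `responseStatus.code`); the severities and the rule set are assumptions for illustration. They map to the attack-path steps later in the deck: exec into a pod (execution), secrets enumeration (credential access, including a denied attempt that is still recon), anonymous requests that were actually served, and a service account creating RBAC bindings (privilege escalation / persistence).

```python
"""Detection rules over Kubernetes API audit events (JSON lines).

Added example, not part of Kubernetes Goat or of Falco/Tetragon. The audit
events are constructed and carry only the fields the rules use.
"""
import json

# Constructed audit events, one JSON object per line, as the API server's
# log backend writes them (trimmed; real events carry many more fields).
AUDIT_LOG = "\n".join(json.dumps(e) for e in [
    {"verb": "get", "user": {"username": "system:serviceaccount:app:default"},
     "objectRef": {"resource": "pods", "namespace": "app", "name": "web-1"},
     "responseStatus": {"code": 200}},
    {"verb": "create", "user": {"username": "system:serviceaccount:app:default"},
     "objectRef": {"resource": "pods", "subresource": "exec", "namespace": "app", "name": "web-1"},
     "responseStatus": {"code": 101}},
    {"verb": "list", "user": {"username": "system:serviceaccount:app:default"},
     "objectRef": {"resource": "secrets", "namespace": "kube-system"},
     "responseStatus": {"code": 403}},
    {"verb": "get", "user": {"username": "system:anonymous"},
     "objectRef": {"resource": "pods", "namespace": "default"},
     "responseStatus": {"code": 200}},
    {"verb": "create", "user": {"username": "system:serviceaccount:app:default"},
     "objectRef": {"resource": "clusterrolebindings", "name": "sa-admin"},
     "responseStatus": {"code": 201}},
])


def detect(audit_lines):
    """Return a list of (severity, message) tuples, in event order."""
    alerts = []
    for line in audit_lines.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        user = ev.get("user", {}).get("username", "")
        ref = ev.get("objectRef", {})
        res, sub, verb = ref.get("resource"), ref.get("subresource"), ev.get("verb")
        code = ev.get("responseStatus", {}).get("code", 0)
        where = f"{ref.get('namespace', '-')}/{ref.get('name', '-')}"
        is_sa = user.startswith("system:serviceaccount:")

        # Rule 1: a workload identity opening exec/attach into a pod. Humans do
        # this through kubectl; a service account doing it is usually an attacker.
        if res == "pods" and sub in ("exec", "attach") and is_sa:
            alerts.append(("high", f"{user} opened {sub} on pod {where}"))

        # Rule 2: secrets enumeration. A 403 still matters: it is reconnaissance.
        if res == "secrets" and verb in ("list", "watch"):
            sev = "medium" if code == 403 else "high"
            alerts.append((sev, f"{user} {verb} secrets in {ref.get('namespace', '-')} (HTTP {code})"))

        # Rule 3: anonymous access the API server actually served (2xx/3xx).
        if user == "system:anonymous" and code < 400:
            alerts.append(("high", f"anonymous {verb} on {res} succeeded"))

        # Rule 4: a service account minting RBAC bindings: escalation or persistence.
        if res in ("clusterrolebindings", "rolebindings") and verb == "create" and is_sa:
            alerts.append(("critical", f"{user} created {res} {ref.get('name', '-')}"))
    return alerts


if __name__ == "__main__":
    for severity, message in detect(AUDIT_LOG):
        print(f"[{severity}] {message}")
```

Rules 1 and 3 only fire because the audit policy recorded the request and response metadata; with a `None` level for those resources the events never reach the log, so the audit policy is itself a detection-engineering decision, not just a logging setting.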

  21. How can we learn and practice this?

  22. What is Kubernetes Goat 🐐

  23. 🚨 Disclaimer
    Kubernetes Goat has intentionally created vulnerabilities, applications, and
    configurations to attack and gain access to your cluster and workloads. Please
    DO NOT run it alongside your production environments and infrastructure; we
    highly recommend running it in a safe and isolated environment.
    Kubernetes Goat is for educational purposes only; do not test or apply
    these attacks on any systems without permission. Kubernetes Goat comes with
    absolutely no warranties; by using it you take full responsibility for all the
    outcomes.

  24. Who can use Kubernetes Goat? 🤔
    Kubernetes Goat is intended for a variety of audiences and end-users,
    including hackers, attackers, defenders, developers, architects,
    DevOps teams, engineers, researchers, products, vendors, and anyone
    interested in learning about Kubernetes Security.
    Below are some of the very high-level categories of audience:
    💥 Attackers & Red Teams
    🛡 Defenders & Blue Teams
    🧰 Products & Vendors
    🔐 Developers & DevOps Teams
    💡 Interested in Kubernetes Security

  25. 🔥 Kubernetes Goat Audience

  26. Scenarios in Kubernetes Goat 🚀
    1. Sensitive keys in codebases
    2. DIND (docker-in-docker) exploitation
    3. SSRF in the Kubernetes (K8S) world
    4. Container escape to the host system
    5. Docker CIS benchmarks analysis
    6. Kubernetes CIS benchmarks analysis
    7. Attacking private registry
    8. NodePort exposed services
    9. Helm v2 tiller to PwN the cluster - [Deprecated]
    10. Analyzing crypto miner container
    11. Kubernetes namespaces bypass
    12. Gaining environment information
    13. DoS the Memory/CPU resources
    14. Hacker container preview
    15. Hidden in layers
    16. RBAC least privileges misconfiguration
    17. KubeAudit - Audit Kubernetes clusters
    18. Falco - Runtime security monitoring & detection
    19. Popeye - A Kubernetes cluster sanitizer
    20. Secure network boundaries using NSP
    21. Cilium Tetragon - eBPF-based Security Observability and Runtime Enforcement
    22. Securing Kubernetes Clusters using Kyverno Policy Engine
    More scenarios releasing soon… ❤

  27. ⚙ How can I set up Kubernetes Goat
    ☸ Vanilla Kubernetes Cluster
    ☁ AWS Kubernetes (EKS)
    ☁ GCP Kubernetes (GKE)
    ☁ Azure Kubernetes (AKS)
    ☸ Kubernetes IN Docker (KiND)
    ☸ Lightweight Kubernetes (K3S) - Coming soon 👀
    ☸ Digital Ocean, Vagrant, Many others…

  28. ⎈ Setting up in your Kubernetes Cluster
    ● Make sure you have a Kubernetes cluster on which you hold cluster-admin privileges, with kubectl
    and helm installed on your system, before running the setup commands for Kubernetes Goat. Because the
    setup deploys intentionally vulnerable workloads, use a disposable cluster, never a shared or
    production one.
    ● You can then access Kubernetes Goat by navigating to http://127.0.0.1:1234

  29. ⚡ Get Started with Kubernetes Goat 🐐

  30. ⚡ Get Started with Kubernetes Goat 🐐

  31. ⚡ Get Started with Kubernetes Goat 🐐
    https://madhuakula.com/kubernetes-goat

  32. 🔟 OWASP Kubernetes Top 10
    https://owasp.org/www-project-kubernetes-top-ten/

  33. 🛡 MITRE ATT&CK for Kubernetes Goat
    https://madhuakula.com/kubernetes-goat/docs/mitre/mitre-attack

  34. ☸ 🐐 Demo Time 🤞 🙏

  35. 🔥 Kubernetes Hacking - Attack Path / Kill Chain
    https://youtu.be/7nc78ZrvP4Y
    This showcases the full Kubernetes cluster hacking attack path or kill chain,
    from initial discovery to complete cluster takeover, mapped back to the MITRE
    ATT&CK matrix 🚀

  36. 🔥 Kubernetes Hacking - Attack Path / Kill Chain
    https://youtu.be/7nc78ZrvP4Y
    👉 Information Gathering
    👉 Discovery
    👉 Enumeration
    👉 Reconnaissance
    👉 Entrypoint
    👉 Application Access
    👉 Execution (RCE - Remote Code Execution) - Container/Pod Access
    👉 Internal Discovery/Recon/Enumeration
    👉 Privilege Escalation (Container Escape / Escape to Host Node)
    👉 Lateral Movement (Hop into another Node / Namespace)
    👉 Defense Evasion (Logs, Masquerading, Static Pods, Many others)
    👉 Persistence (CronJob, Static Pod, Distributed Cron Job, Good old techniques, Many others)
    👉 Lateral Movement (container/pod -- node/host -- another node/namespace -- another cluster -- cloud provider)
    👉 Impact (Exfiltration, DoS, Collection, Dump, Resource Hijacking, Many others)

  37. 🥳 Adoption of Kubernetes Goat
    https://youtu.be/62_Cj6yseno?t=352

  38. 🏁 What’s next for Kubernetes Goat
    🏆 Go-to Kubernetes Security resource for anyone (across a variety of experience levels and skills)
    🔥 All scenarios will be updated with Defenders, Developers, Tools & Vendors sections
    🚀 10+ more real-world hands-on scenarios coming (more and more will come 🏃…)
    ☸ One-click setups, various vendor related product testbeds, many more integrations
    📝 Various OSS & Vendor tools (working with security vendors to bridge the gap 👋)
    💥 Heavy push towards Developers, DevOps, Architects learning experience
    🎉 Sponsors, roadmap, support, contributors, more global scope around Cloud Native

  39. 🙌 Give it a try
    🚀 Contribute ideas & suggestions
    🤝 Work with the project & improve
    🙏 Share your valuable feedback
    🌟 Star us on GitHub
    🎉 Spread word #KubernetesGoat
    Spread the ❤ #KubernetesGoat
    https://madhuakula.com/kubernetes-goat/docs/wall-of-love

  40. Thank you 🙏
    @madhuakula
    https://madhuakula.com
    Want to learn more, have an idea, or just want to say 👋
