
Mastering Kubernetes Security with Kubernetes Goat - Cloud-Native Modernization @ TechTarget


Kubernetes security is crucial in ensuring the safety and integrity of your organization's data and systems. However, keeping up with the latest security threats and vulnerabilities can be a daunting task. This is where Kubernetes Goat comes in - a "vulnerable by design" Kubernetes Cluster environment that allows you to practice and learn Kubernetes security in a hands-on way.

In this webinar, Pragmatic Security Leader Madhu Akula presents the latest version of Kubernetes Goat and demonstrates how to use it to identify and mitigate vulnerabilities in Kubernetes and containerized environments. He will cover various attack scenarios and real-world vulnerabilities and show how Kubernetes Goat scenarios can be mapped with them. The session will also explore open-source security tools that can be used to write secure code and deploy secure containers in production.

Key Takeaways:
- Gain practical, hands-on experience with Kubernetes security through 25+ offensive and defensive scenarios.
- Learn about the latest security threats and vulnerabilities in containers, Kubernetes, and cloud-native environments.
- Access detailed documentation, labs, and other resources to continue your learning and development in Kubernetes security.
- And more...

Madhu Akula

April 26, 2023



Transcript

  1. About Me 😊 @madhuakula
     - Pragmatic Security Leader, working on Cloud Native Infra, Security, and Startups
     - Creator of Kubernetes Goat, Hacker Container, tools.tldr.run, and many other OSS projects
     - Speaks & trains at Black Hat (USA, EU, Asia), DEF CON, GitHub, USENIX, OWASP, All Day DevOps, SANS, DevSecCon, CNCF, c0c0n, Nullcon, null, and many others around the globe
     - Author of Security Automation with Ansible 2, OWASP KSTG, whitepapers, etc.
     - Technical reviewer (multiple books) & review board member of multiple conferences, organizations, communities, advisory boards, etc.
     - Found security vulnerabilities in 200+ organizations and products including Google, Microsoft, AT&T, Adobe, eBay, WordPress, Ntop, Cloudflare, Yahoo, LocalBitcoins, etc.
     - Certified Kubernetes (CKA/CKS), Offensive Security Certified Professional, etc.
     - Never-ending learner!
  2. What is Docker?
     - Docker is an open source platform for building, deploying, and managing containerized applications
     - Docker became the de facto standard to build and share containerized apps - from desktop, to the cloud, even edge devices
     - Docker enables developers to easily pack, ship, and run any application as a lightweight, portable, self-sufficient container, which can run virtually anywhere
     https://docs.docker.com/get-started/overview/
  3. What is Kubernetes?
     Kubernetes is a portable, extensible, open-source platform for managing containerized workloads and services, that facilitates both declarative configuration and automation. It has a large, rapidly growing ecosystem. Kubernetes services, support, and tools are widely available.
     https://kubernetes.io/docs/concepts/overview/what-is-kubernetes/
  4. 📚 Kubernetes Security Learning - Application Security
     The security of the application code and dependencies that run inside the Kubernetes cluster. This can be achieved by following secure software development lifecycle standards and conducting regular code reviews, penetration testing, and vulnerability assessments.
  5. 📚 Kubernetes Security Learning - Image Security
     The security of the images used to deploy containers in the Kubernetes cluster. This includes scanning images for vulnerabilities, using image signing and verification, and only using trusted sources for images.
  6. 📚 Kubernetes Security Learning - Supply-chain Security
     The security of the entire process from writing application code to deploying it in production, which involves areas such as libraries, dependencies, signing, SBOM, validation, and enforcement with the SLSA framework.
  7. 📚 Kubernetes Security Learning - Infrastructure Security
     The security of the underlying infrastructure that supports the Kubernetes cluster, including network security, access control, and ensuring that the underlying operating system is patched and up-to-date.
  8. 📚 Kubernetes Security Learning - Container Security
     The security of the containers deployed in the Kubernetes cluster, including setting resource limits, using security contexts, and ensuring that containers run as non-root users.
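As an added example (not part of the deck or of the Kubernetes Goat project), a small Python audit that checks a Pod manifest against this slide's container-security checklist: CPU/memory limits, a securityContext that disables privilege escalation and privileged mode, and a guaranteed non-root user. Both manifests are constructed for illustration; the weak one fails every check, the hardened one passes.

```python
"""Audit a Pod manifest against the container-security checklist on the slide.
Added example (not Kubernetes Goat code); both manifests below are constructed."""
from typing import Any

# Constructed weak manifest: no limits, no user, privileged container.
WEAK_POD: dict[str, Any] = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "demo"},
    "spec": {"containers": [
        {"name": "app", "image": "nginx:1.25",
         "securityContext": {"privileged": True}},
    ]},
}

# Constructed hardened manifest: limits, non-root user, no escalation, dropped caps.
HARDENED_POD: dict[str, Any] = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "demo"},
    "spec": {
        "securityContext": {"runAsNonRoot": True, "runAsUser": 10001},
        "containers": [
            {"name": "app", "image": "nginx:1.25",
             "resources": {"limits": {"cpu": "500m", "memory": "256Mi"}},
             "securityContext": {"allowPrivilegeEscalation": False,
                                 "capabilities": {"drop": ["ALL"]}}},
        ],
    },
}


def audit_pod(pod: dict[str, Any]) -> list[str]:
    """Return one finding per violated check; an empty list means the Pod passes."""
    findings: list[str] = []
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext") or {}
    for c in spec.get("containers", []):
        name = c.get("name", "?")
        sc = c.get("securityContext") or {}
        limits = (c.get("resources") or {}).get("limits") or {}
        if "cpu" not in limits or "memory" not in limits:
            findings.append(f"{name}: missing cpu/memory limits (resource-exhaustion risk)")
        # A container-level setting overrides the pod-level one.
        non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot"))
        uid = sc.get("runAsUser", pod_sc.get("runAsUser"))
        if not non_root and uid in (None, 0):
            findings.append(f"{name}: not guaranteed to run as non-root")
        if sc.get("privileged"):
            findings.append(f"{name}: privileged container")
        if sc.get("allowPrivilegeEscalation", True):  # Kubernetes defaults this to true
            findings.append(f"{name}: allowPrivilegeEscalation not set to false")
    return findings
```

Load a real manifest with `yaml.safe_load` (PyYAML) and pass the resulting dict to `audit_pod` to run the same checks against your own workloads.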
  9. 📚 Kubernetes Security Learning - Cluster Security
     The security of the Kubernetes cluster itself, including securing the Kubernetes API server, etcd, and worker nodes. This can be achieved through measures such as enabling RBAC, enabling network policies, disabling anonymous access to the API server, and more.
  10. 📚 Kubernetes Security Learning - Network Security
     The security of the network traffic that flows in and out of the Kubernetes cluster, including measures such as network policies, encryption, and firewalls.
  11. 📚 Kubernetes Security Learning - Runtime Security
     The ongoing security of the Kubernetes cluster for detecting and responding to any security incidents or suspicious activity. This can be achieved through measures such as logging and monitoring, threat detection and response, and using security-focused tools like Kubernetes Goat to simulate attacks and identify vulnerabilities.
  12. 🚨 Disclaimer
     Kubernetes Goat has intentionally created vulnerabilities, applications, and configurations to attack and gain access to your cluster and workloads. Please DO NOT run it alongside your production environments and infrastructure; we highly recommend running it in a safe and isolated environment. Kubernetes Goat is used for educational purposes only; do not test or apply these attacks on any systems without permission. Kubernetes Goat comes with absolutely no warranties; by using it you take full responsibility for all the outcomes.
  13. Who can use Kubernetes Goat? 🤔
     Kubernetes Goat is intended for a variety of audiences and end-users, including hackers, attackers, defenders, developers, architects, DevOps teams, engineers, researchers, products, vendors, and anyone interested in learning about Kubernetes security. Below are some very high-level categories of audience:
     - Attackers & Red Teams
     - Defenders & Blue Teams
     - Products & Vendors
     - Developers & DevOps Teams
     - Anyone interested in Kubernetes Security
  14. Scenarios in Kubernetes Goat 🚀
     1. Sensitive keys in codebases
     2. DIND (docker-in-docker) exploitation
     3. SSRF in the Kubernetes (K8S) world
     4. Container escape to the host system
     5. Docker CIS benchmarks analysis
     6. Kubernetes CIS benchmarks analysis
     7. Attacking private registry
     8. NodePort exposed services
     9. Helm v2 tiller to PwN the cluster - [Deprecated]
     10. Analyzing crypto miner container
     11. Kubernetes namespaces bypass
     12. Gaining environment information
     13. DoS the Memory/CPU resources
     14. Hacker container preview
     15. Hidden in layers
     16. RBAC least privileges misconfiguration
     17. KubeAudit - Audit Kubernetes clusters
     18. Falco - Runtime security monitoring & detection
     19. Popeye - A Kubernetes cluster sanitizer
     20. Secure network boundaries using NSP
     21. Cilium Tetragon - eBPF-based Security Observability and Runtime Enforcement
     22. Securing Kubernetes Clusters using Kyverno Policy Engine
     More scenarios releasing soon… ❤
  15. ⚙ How can I set up Kubernetes Goat
     - Vanilla Kubernetes Cluster
     - AWS Kubernetes (EKS)
     - GCP Kubernetes (GKE)
     - Azure Kubernetes (AKS)
     - Kubernetes IN Docker (KiND)
     - Lightweight Kubernetes (K3S) - Coming soon 👀
     - Digital Ocean, Vagrant, many others…
  16. ⎈ Setting up in your Kubernetes Cluster
     - Make sure you have a Kubernetes cluster with cluster-admin privileges, and kubectl and helm installed on your system, before running the following commands to set up Kubernetes Goat.
     - Now you can access Kubernetes Goat by navigating to http://127.0.0.1:1234
  17. 🔥 Kubernetes Hacking - Attack Path / Kill Chain
     https://youtu.be/7nc78ZrvP4Y
     This showcases the full Kubernetes cluster hacking attack path or kill chain, from initial discovery to complete cluster takeover, mapped back to the MITRE ATT&CK matrix 🚀
  18. 🔥 Kubernetes Hacking - Attack Path / Kill Chain
     https://youtu.be/7nc78ZrvP4Y
     - Information Gathering
     - Discovery
     - Enumeration
     - Reconnaissance
     - Entrypoint
     - Application Access
     - Execution (RCE - Remote Code Execution) - Container/Pod Access
     - Internal Discovery/Recon/Enumeration
     - Privilege Escalation (Container Escape / Escape to Host Node)
     - Lateral Movement (Hop in to another Node / Namespace)
     - Defense Evasion (Logs, Masquerading, Static Pods, Many others)
     - Persistence (CronJob, Static Pod, Distributed Cron Job, Good old techniques, Many others)
     - Lateral Movement (container/pod -- node/host -- another node/namespace -- another cluster -- cloud provider)
     - Impact (Exfiltration, DoS, Collection, Dump, Resource Hijacking, Many others)
  19. ๐Ÿ Whatโ€™s next for Kubernetes Goat ๐Ÿ† Go to Kubernetes

    Security resources for anyone (from a variety experience and skills) ๐Ÿ”ฅ All scenarios will be updated with Defenders, Developers, Tools & Vendors sections ๐Ÿš€ 10+ more real-world hands-on scenarios coming (more and more will come ๐Ÿƒโ€ฆ) โ˜ธ One-click setups, various vendor related product testbeds, many more integrations ๐Ÿ“ Various OSS & Vendor tools (working with security vendors to bridge the gap ๐Ÿ‘‹) ๐Ÿ’ฅ Heavy push towards Developers, DevOps, Architects learning experience ๐ŸŽ‰ Sponsors, roadmap, support, contributors, more global scope around Cloud Native @madhuakula
  20. 🙌 Give it a try
     - 🚀 Contribute ideas & suggestions
     - Work with the project & improve it
     - Share your valuable feedback
     - 🌟 Star it on GitHub
     - 🎉 Spread the word: #KubernetesGoat
     Spread the ❤ #KubernetesGoat https://madhuakula.com/kubernetes-goat/docs/wall-of-love