Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Scaling Kubernetes Security with Kubernetes Goat

Madhu Akula
October 04, 2022
Technology
0
51

Scaling Kubernetes Security with Kubernetes Goat

Madhu Akula

October 04, 2022
Tweet

More Decks by Madhu Akula

See All by Madhu Akula
Practical Guide to Kubernetes Security for Developers 🚀
madhuakula
0
22
Defenders Guide to Kubernetes Security - Dutch Microsoft & Security NL - Summer Security Night (+BBQ)
madhuakula
0
29
Kubernetes Goat - Practical Approach to Learn Kubernetes Security
madhuakula
0
34
KUBERNETES GOAT - INTERACTIVE KUBERNETES SECURITY LEARNING PLAYGROUND
madhuakula
0
40
Getting Started with Your Journey into Cloud Security - SOSC devhost:21
madhuakula
0
220
A Practical Guide to Writing Secure Dockerfiles - WeAreDevelopers Container Day 2021
madhuakula
7
4.3k
Defender's Guide to Cloud Native Infrastructure Security - All Day DevOps 2020
madhuakula
1
180
Defenders Guide to Cloud Native Infrastructure Security - Github Satellite 2020
madhuakula
3
1.6k
Container Security for RED and BLUE Teams! - All Day DevOps 2020 Spring Break Edition
madhuakula
4
1.8k

Other Decks in Technology

See All in Technology
赤裸々図解!新卒3年目でマネジメントもこなすフルスタックエンジニアになるまで
mizunohiroaki
7
4.3k
エンジニアのためのドキュメントライティング / Docs for Developers and Paragraph Writing
nttcom
3
550
マネジメント3.0モデル入門(120分版)
takufujii
11
2.7k
ジョブキューシステムFireworqのアーキテクチャ設計と運用時のベストプラクティス
tarao
1
820
“品質”をみんなのものにするために行なっている入社者オンボーディング/Onboarding new members to think about "quality" together
mii3king
0
250
PHP で学ぶ Cache の距離の話 / study_cache_with_php
hanhan1978
3
790
Linuxのブロックデバイス
sat
PRO
4
1.6k
大規模言語モデルで変わるMLシステム開発
hirosatogamo
11
8.9k
レコメンドコンペ入門
t88
0
120
Privacy Techによる新しいデータ活用の形
line_developers
PRO
1
220
『登記所備付地図XMLデータ』に触れてみよう〜法務省が公開した大規模オープンデータとは一体何なのか〜 / What is moj map xml
sakaik
0
140
Concevoir son API pour le futur
tgalopin
1
330

Featured

See All Featured
Design by the Numbers
sachag
271
18k
WebSockets: Embracing the real-time Web
robhawkes
58
6.1k
Visualizing Your Data: Incorporating Mongo into Loggly Infrastructure
mongodb
32
7.3k
ReactJS: Keep Simple. Everything can be a component!
pedronauck
657
120k
Designing for Performance
lara
600
65k
Unsuck your backbone
ammeep
660
56k
How To Stay Up To Date on Web Technology
chriscoyier
779
250k
What's new in Ruby 2.0
geeforr
336
30k
Art, The Web, and Tiny UX
lynnandtonic
284
18k
Documentation Writing (for coders)
carmenintech
51
3k
What the flash - Photography Introduction
edds
64
10k
The World Runs on Bad Software
bkeepers
PRO
59
5.8k

Transcript

  1. Madhu Akula
    @madhuakula
    Scaling Kubernetes Security
    with Kubernetes Goat

    View Slide

  2. ● Pragmatic Security Leader
    ● Creator of Kubernetes Goat, Hacker Container, tools.tldr.run, many other OSS projects.
    ● Speaker & Trainer at Blackhat, DEFCON, GitHub, USENIX, OWASP, All Day DevOps, SANS,
    DevSecCon, CNCF, c0c0n, Nullcon, SACON, null, many others.
    ● Author of Security Automation with Ansible2, OWASP KSTG, whitepapers, etc.
    ● Technical reviewer (multiple books) & Review board member of multiple conferences,
    organizations, communities, etc.
    ● Found security vulnerabilities in 200+ organizations and products including Google,
    Microsoft, AT&T, Adobe, WordPress, Ntop, etc.
    ● Certified Kubernetes Administrator, Offensive Security Certified Professional, etc.
    ● Never ending learner!
    About Me 😊
    @madhuakula

    View Slide

  3. ● Introduction and overview about Kubernetes Goat 🐐
    ● Why Kubernetes Security?
    ○ Some real-world attacks, threats and examples
    ○ Showcasing live hacking of attacks
    ● Why do we need to scale Kubernetes Security?
    ○ The need of scale, and importance
    ○ What’s we really missing here!
    ● What should we do & how should we go about it?
    ○ Examples, patterns, core issues, etc.
    ○ Education, Training, Knowledge and skill gaps
    ● Key takeaways and learnings!
    ● Questions & Discussions?
    Today’s Agenda
    @madhuakula

    View Slide

  4. What's your approach for
    security
    engineering/process?

    View Slide

  5. What is Kubernetes Goat 🐐
    Kubernetes Goat is an interactive Kubernetes security
    learning playground.
    Intentionally vulnerable by design scenarios to
    showcase the common misconfigurations, real-world
    vulnerabilities, and security issues in Kubernetes
    clusters, containers, and cloud native environments.
    @madhuakula

    View Slide

  6. Kubernetes Goat has intentionally created vulnerabilities, applications, and configurations to attack
    and gain access to your cluster and workloads. Please DO NOT run alongside your production
    environments and infrastructure. So we highly recommend running this in a safe and isolated
    environment.
    Kubernetes Goat is used for educational purposes only, do not test or apply these attacks on any
    systems without permission. Kubernetes Goat comes with absolutely no warranties, by using it you
    take full responsibility for all the outcomes.
    🚨 Disclaimer
    @madhuakula

    View Slide

  7. Can I use from Kubernetes Goat 🤔
    Kubernetes Goat is intended for a variety of audiences and end-users.
    Which includes hackers, attackers, defenders, developers, architects,
    DevOps teams, engineers, researchers, products, vendors, and anyone
    interested in learning about Kubernetes Security.
    Below are some of the very high-level categories of audience
    💥 Attackers & Red Teams 🛡 Defenders & Blue Teams
    🧰 Products & Vendors
    🔐 Developers & DevOps Teams
    💡 Interested in Kubernetes Security
    @madhuakula

    View Slide

  8. 🔥 Kubernetes Goat Audience
    @madhuakula

    View Slide

  9. 12. Gaining environment information
    13. DoS the memory/cpu resources
    14. Hacker Container preview
    15. Hidden in layers
    16. RBAC Least Privileges Misconfiguration
    17. KubeAudit - Audit Kubernetes Clusters
    18. Sysdig Falco - Runtime Security Monitoring &
    Detection
    19. Popeye - A Kubernetes Cluster Sanitizer
    20. Secure network boundaries using NSP
    1. Sensitive keys in codebases
    2. DIND (docker-in-docker) exploitation
    3. SSRF in the Kubernetes (K8S) world
    4. Container escape to the host system
    5. Docker CIS benchmarks analysis
    6. Kubernetes CIS benchmarks analysis
    7. Attacking private registry
    8. NodePort exposed services
    9. Helm v2 tiller to PwN the cluster - [Deprecated]
    10. Analyzing crypto miner container
    Scenarios in Kubernetes Goat 🚀
    15+ more scenarios releasing soon… ❤
    Scenarios going to be updated with defenders, developers, tools & vendor sections for reach scenario 🥳
    @madhuakula

    View Slide

  10. 🚀 Katacoda Playground - Free Online in-browser
    ☸ Vanilla Kubernetes Cluster
    ☁ AWS Kubernetes (EKS)
    ☁ GCP Kubernetes (GKE)
    ☁ Azure Kubernetes (AKS)
    ☸ Kubernetes IN Docker (KiND)
    ☸ Lightweight Kubernetes (K3S)
    ☸ Digital Ocean, Vagrant, Many others…
    ⚙ How can I setup Kubernetes Goat
    @madhuakula

    View Slide

  11. ● Make sure you have Kubernetes cluster with cluster-admin privileges. Also kubectl and
    helm installed in your system before running the following commands to setup the
    Kubernetes Goat
    ⎈ Setting up in your Kubernetes Cluster
    $ git clone https://github.com/madhuakula/kubernetes-goat.git
    $ cd kubernetes-goat
    $ bash setup-kubernetes-goat.sh
    $ bash access-kubernetes-goat.sh
    ● Now you can access the Kubernetes Goat by navigating to http://127.0.0.1:1234
    @madhuakula

    View Slide

  12. ⚡ Get Started with Kubernetes Goat 🐐
    @madhuakula

    View Slide

  13. ⚡ Get Started with Kubernetes Goat 🐐
    @madhuakula

    View Slide

  14. ⚡ Get Started with Kubernetes Goat 🐐
    https://madhuakula.com/kubernetes-goat
    @madhuakula

    View Slide

  15. @madhuakula
    Why Kubernetes Security?
    https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/

    View Slide

  16. @madhuakula
    Why Kubernetes Security?
    https://github.com/cncf/financial-user-group/blob/master/projects/k8s-threat-model/AttackTrees/AccessSensitiveData.md

    View Slide

  17. ☸ 🐐 Demo Time 🤞
    🙏
    @madhuakula

    View Slide

  18. @madhuakula
    Why do we need to scale Kubernetes Security?
    ● Nature of immutable infrastructure
    ● Matching the speed of containers, infrastructure with security
    ● Frequency of deployments and workloads
    ● Size of the teams, deployments from both dev, ops, engineering and security
    ● How frequently and repetitively we fix certain issues
    ● Education, knowledge and skill gap
    ● Maturity of the security and the alignment with stakeholders
    ● Many others…

    View Slide

  19. What's the most repetitive
    security issue you fixed at
    which stage?

    View Slide

  20. ☸ 🐐 Demo Time 🤞
    🙏
    @madhuakula

    View Slide

  21. @madhuakula
    What should we do & how should we go about it?
    ● I think there is no single answer, approach here
    ● Always look at the core problem and root cause and fix at that layer
    ● Try to be self-service model by providing patterns in an actionable way
    ● Be an helping hand for DevOps, SRE and Engineering teams rather pointing just issues
    ○ Helping them to create secure and safe Helm charts, Dockerfiles, Templates, etc.
    ○ Removing the blockers by being pragmatic and empathetic
    ○ Eliminate the possible things early and at scale
    ● Repeat after me: Education, Education, Education
    ○ Most people don’t even understand the technology, leave about security. So
    educating them by teaching and practicing is the way to go 🚀

    View Slide

  22. Which stage you add most
    security sane
    defaults/fixes/best
    practices?

    View Slide

  23. ☸ 🐐 Demo Time 🤞
    🙏
    @madhuakula

    View Slide

  24. ✅ Security is everyone’s responsibility (Dev, Ops, Security, Management, etc.)
    ⚠ Threat model your architecture and identify risks/threats
    🙌 Follow and apply secure defaults
    📚Know what you have (Inventory of assets)
    🧱Adopt zero trust model (Zoning, Containment & Segmentation)
    🎯Apply security at each layer (Defense in depth strategy)
    🚨Follow least privilege principle
    👮AuthN & AuthZ
    🔐Encryption at REST & TRANSIT
    🛡Proactive monitoring & Active defense
    🔁Continuously analyse and apply feedback loops
    👉 Crawl 🐢, Walk 🚶, Run 🏃, Fly ✈
    Key Takeaways!
    @madhuakula

    View Slide

  25. 🔥 All scenarios will be updated with Defenders, Developers, Tools & Vendors sections
    📖 Updating and maintaining the great documentation
    🚀 30+ more real-world hands-on scenarios coming (more and more will come 🏃…)
    ☸ One-click setups, various vendor related product testbeds, many more integrations
    📝 Various OSS & Vendor tools (working with security vendors to bridge the gap 👋)
    💥 Heavy push towards Developers, DevOps, Architects & non-security learning experience
    🏆 Go to Kubernetes Security resources for anyone (from a variety experience and skills)
    🎉 Sponsors, roadmap, support, contributors, more global scope around Cloud Native
    🏁 What’s next for Kubernetes Goat
    @madhuakula

    View Slide

  26. 🙌 Give it a try
    🚀 Contribute ideas & suggestions
    🤝 Work with the project & improve
    🙏 Share your valuable feedback
    🌟 Star in our GitHub
    🎉 Spread the word in social media
    Spread the ❤ Kubernetes Goat
    https://madhuakula.com/kubernetes-goat/docs/wall-of-love
    Awesome Kubernetes Goat Stickers,
    T-Shirts & Some cool goodies on the way 🥳
    @madhuakula

    View Slide

  27. Thank You 🙏
    Want to learn more, have some idea, or just wanted to say 👋
    @madhuakula
    https://madhuakula.com

    View Slide