Scaling Kubernetes Security with Kubernetes Goat - All Day DevOps 2022

Madhu Akula
November 10, 2022

Most companies adopting Kubernetes have a hard time building their security around it. With cloud-native transformation, company growth, and new adoptions, it is very hard to build security across the different layers. In this talk, Madhu Akula will show how Kubernetes Goat addresses these problems by helping developers, DevOps, and security teams understand real-world security misconfigurations, vulnerabilities, and attacks in a context-driven, practical, hands-on way, so that most security issues are fixed before anything is deployed into production.

Some examples include helping DevOps and developer teams understand the risks so they can be mitigated even before they write the Dockerfiles, manifests, Helm charts, etc. that deploy a microservice into the cluster. We will look at some real challenges regarding competency and the knowledge gap, and at bridging the gap between DevOps/SRE teams and security, collaboratively and practically.

Transcript

  1. TRACK: DEVSECOPS
    NOVEMBER 10, 2022
    Madhu Akula, Pragmatic Security Leader
    Scaling Kubernetes Security with Kubernetes Goat

  2. Welcome to Amazing All Day DevOps DevSecOps Track 2022 🎉

  3. 🙏 About - Madhu Akula
    ● Founder, Advisor & Pragmatic Security Leader
    ● Creator of Kubernetes Goat, Hacker Container, tools.tldr.run, and many other OSS projects.
    ● Speaker & Trainer at Blackhat, DEFCON, GitHub, USENIX, OWASP, All Day DevOps, SANS, DevSecCon, CNCF, c0c0n, Nullcon, SACON, null, and many others.
    ● Author of Security Automation with Ansible 2, OWASP KSTG, whitepapers, etc.
    ● Technical reviewer (multiple books) & review board member of multiple conferences, organizations, communities, etc.
    ● Found security vulnerabilities in 200+ organizations and products including Google, Microsoft, AT&T, Adobe, WordPress, Ntop, etc.
    ● Certified Kubernetes (CKA/CKS), Offensive Security Certified Professional (OSCP), etc.
    ● Never ending learner!

  4. Why Kubernetes Security?
    https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/
    @madhuakula

  5. Why Kubernetes Security?
    https://github.com/cncf/financial-user-group/blob/master/projects/k8s-threat-model/AttackTrees/AccessSensitiveData.md

  6. What is Kubernetes Goat 🐐
    Kubernetes Goat is an interactive Kubernetes security learning playground. Its intentionally vulnerable-by-design scenarios showcase the common misconfigurations, real-world vulnerabilities, and security issues found in Kubernetes clusters, containers, and cloud native environments.

  7. 🚨 Disclaimer
    Kubernetes Goat has intentionally created vulnerabilities, applications, and configurations to attack and gain access to your cluster and workloads. Please DO NOT run alongside your production environments and infrastructure. So we highly recommend running this in a safe and isolated environment.
    Kubernetes Goat is used for educational purposes only, do not test or apply these attacks on any systems without permission. Kubernetes Goat comes with absolutely no warranties, by using it you take full responsibility for all the outcomes.

  8. Can I use Kubernetes Goat? 🤔
    Kubernetes Goat is intended for a variety of audiences and end-users, which includes hackers, attackers, defenders, developers, architects, DevOps teams, engineers, researchers, products, vendors, and anyone interested in learning about Kubernetes security.
    Below are some of the very high-level categories of audience:
    💥 Attackers & Red Teams
    🛡 Defenders & Blue Teams
    🧰 Products & Vendors
    🔐 Developers & DevOps Teams
    💡 Interested in Kubernetes Security

  9. 🔥 Kubernetes Goat Audience

  10. Scenarios in Kubernetes Goat 🚀
    1. Sensitive keys in codebases
    2. DIND (docker-in-docker) exploitation
    3. SSRF in the Kubernetes (K8S) world
    4. Container escape to the host system
    5. Docker CIS benchmarks analysis
    6. Kubernetes CIS benchmarks analysis
    7. Attacking private registry
    8. NodePort exposed services
    9. Helm v2 tiller to PwN the cluster - [Deprecated]
    10. Analyzing crypto miner container
    11. Kubernetes namespaces bypass
    12. Gaining environment information
    13. DoS the memory/cpu resources
    14. Hacker Container preview
    15. Hidden in layers
    16. RBAC Least Privileges Misconfiguration
    17. KubeAudit - Audit Kubernetes Clusters
    18. Sysdig Falco - Runtime Security Monitoring & Detection
    19. Popeye - A Kubernetes Cluster Sanitizer
    20. Secure network boundaries using NSP
    15+ more scenarios releasing soon… ❤
    Scenarios are going to be updated with defenders, developers, tools & vendor sections for each scenario 🥳

  11. ⚙ How can I set up Kubernetes Goat?
    🚀 Katacoda Playground - Free Online in-browser
    ☸ Vanilla Kubernetes Cluster
    ☁ AWS Kubernetes (EKS)
    ☁ GCP Kubernetes (GKE)
    ☁ Azure Kubernetes (AKS)
    ☸ Kubernetes IN Docker (KiND)
    ☸ Lightweight Kubernetes (K3S) - Coming soon 👀
    ☸ Digital Ocean, Vagrant, Many others…

  12. ⎈ Setting up in your Kubernetes Cluster
    ● Make sure you have a Kubernetes cluster with cluster-admin privileges, and kubectl and helm installed on your system, before running the following commands to set up Kubernetes Goat:
    $ git clone https://github.com/madhuakula/kubernetes-goat.git
    $ cd kubernetes-goat
    $ bash setup-kubernetes-goat.sh
    $ bash access-kubernetes-goat.sh
    ● Now you can access Kubernetes Goat by navigating to http://127.0.0.1:1234

  13-15. ⚡ Get Started with Kubernetes Goat 🐐
    https://madhuakula.com/kubernetes-goat

  16. ☸ 🐐 Demo Time 🤞 🙏

  17. Why do we need to scale Kubernetes Security?
    ● Nature of immutable infrastructure
    ● Matching the speed of containers and infrastructure with security
    ● Frequency of deployments and workloads
    ● Size of the teams and deployments across dev, ops, engineering and security
    ● How frequently and repetitively we fix certain issues
    ● Education, knowledge and skill gap
    ● Maturity of the security and the alignment with stakeholders
    ● Many others…

  18. What should we do & how should we go about it?
    ● I think there is no single answer or approach here
    ● Always look at the core problem and root cause, and fix it at that layer
    ● Aim for a self-service model by providing patterns in an actionable way
    ● Be a helping hand for DevOps, SRE and Engineering teams rather than just pointing out issues
    ○ Helping them to create secure and safe Helm charts, Dockerfiles, Templates, etc.
    ○ Removing the blockers by being pragmatic and empathetic
    ○ Eliminate the possible issues early and at scale
    ● Repeat after me: Education, Education, Education
    ○ Most people don't even understand the technology, let alone security. So educating them by teaching and practicing is the way to go 🚀
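The "eliminate early and at scale" point above is the kind of thing a pre-deploy manifest check turns into an actionable pattern. The following Python is an added example written for this page, not code from Kubernetes Goat or from the speaker: it takes the JSON that `kubectl get ... -o json` or `kubectl apply --dry-run=client -o json` emits and flags the Pod-level settings several of the listed scenarios depend on (host PID namespace, a hostPath mount of the Docker socket as in the DIND scenario, privileged containers, missing `allowPrivilegeEscalation: false`, no `runAsNonRoot`). The sample manifests, object names and check identifiers are constructed for the example.

```python
"""Pre-deploy check for risky Pod settings in Kubernetes manifests.

Added example (not Kubernetes Goat code). Input is a kubectl JSON object or
List. Check names and sample manifests below are constructed for the example.
"""
import json

# hostPath sources that hand the container the node's container runtime or filesystem
DOCKER_SOCKETS = {"/var/run/docker.sock", "/run/docker.sock"}
# added capabilities that are close to root on the node
RISKY_CAPS = {"ALL", "SYS_ADMIN", "SYS_PTRACE", "NET_ADMIN"}
TEMPLATED_KINDS = {"Deployment", "DaemonSet", "StatefulSet", "Job", "ReplicaSet"}


def pod_spec(obj):
    """Return the PodSpec of a Pod, a templated workload or a CronJob; None otherwise."""
    kind, spec = obj.get("kind"), obj.get("spec") or {}
    if kind == "Pod":
        return spec
    if kind in TEMPLATED_KINDS:
        return (spec.get("template") or {}).get("spec")
    if kind == "CronJob":
        job = (spec.get("jobTemplate") or {}).get("spec") or {}
        return (job.get("template") or {}).get("spec")
    return None


def check_pod_spec(owner, spec):
    """Return findings for one PodSpec as dicts; an empty list means nothing was flagged."""
    findings = []

    def flag(check, detail):
        findings.append({"object": owner, "check": check, "detail": detail})

    # Host namespaces expose node processes, network or IPC to the container.
    for field in ("hostPID", "hostNetwork", "hostIPC"):
        if spec.get(field):
            flag(field, f"{field} is true")

    # hostPath volumes: the Docker socket (DIND scenario) or the node root are escape routes.
    for vol in spec.get("volumes") or []:
        path = (vol.get("hostPath") or {}).get("path")
        if path in DOCKER_SOCKETS:
            flag("hostPath-docker-socket", f"volume {vol.get('name')} mounts {path}")
        elif path == "/":
            flag("hostPath-root", f"volume {vol.get('name')} mounts the node root filesystem")

    pod_sc = spec.get("securityContext") or {}
    for c in (spec.get("containers") or []) + (spec.get("initContainers") or []):
        name, sc = c.get("name", "<unnamed>"), c.get("securityContext") or {}
        if sc.get("privileged"):
            flag("privileged", f"container {name} is privileged")
        # The API default is true, so only an explicit false counts as safe.
        if sc.get("allowPrivilegeEscalation") is not False:
            flag("allowPrivilegeEscalation",
                 f"container {name} does not set allowPrivilegeEscalation: false")
        added = set((sc.get("capabilities") or {}).get("add") or []) & RISKY_CAPS
        if added:
            flag("capabilities", f"container {name} adds {sorted(added)}")
        # A container-level runAsNonRoot overrides the pod-level value when present.
        effective = sc["runAsNonRoot"] if "runAsNonRoot" in sc else pod_sc.get("runAsNonRoot")
        if effective is not True:
            flag("runAsNonRoot", f"container {name} is not required to run as non-root")
    return findings


def audit_manifests(doc):
    """Audit one object or a kubectl List; findings come back in document order."""
    items = (doc.get("items") or []) if doc.get("kind") == "List" else [doc]
    findings = []
    for obj in items:
        spec = pod_spec(obj)
        if spec is None:
            continue
        owner = f"{obj.get('kind')}/{(obj.get('metadata') or {}).get('name', '<unnamed>')}"
        findings.extend(check_pod_spec(owner, spec))
    return findings


# Constructed sample: a deployment with several Goat-style weaknesses and a hardened pod.
SAMPLE_MANIFESTS = json.dumps({"kind": "List", "items": [
    {"kind": "Deployment", "metadata": {"name": "build-agent"},
     "spec": {"template": {"spec": {
         "hostPID": True,
         "volumes": [{"name": "dockersock", "hostPath": {"path": "/var/run/docker.sock"}}],
         "containers": [{"name": "agent", "image": "example/build-agent:1.0",
                         "securityContext": {"privileged": True},
                         "volumeMounts": [{"name": "dockersock",
                                           "mountPath": "/var/run/docker.sock"}]}]}}}},
    {"kind": "Pod", "metadata": {"name": "web"},
     "spec": {"securityContext": {"runAsNonRoot": True},
              "containers": [{"name": "web", "image": "example/web:1.0",
                              "securityContext": {"allowPrivilegeEscalation": False,
                                                  "capabilities": {"drop": ["ALL"]}}}]}}]})


def sample_findings():
    """Run the audit over the constructed sample (five findings, all on build-agent)."""
    return audit_manifests(json.loads(SAMPLE_MANIFESTS))


if __name__ == "__main__":
    found = sample_findings()
    for f in found:
        print(f"{f['object']}: {f['check']}: {f['detail']}")
    raise SystemExit(1 if found else 0)  # non-zero exit lets a CI step gate on findings
```

Run as a CI step the script exits non-zero whenever anything is flagged, which is what makes the check a blocker rather than a report; the hardened `web` pod shows the settings that clear every check. The checks are deliberately narrow and do not replace a Pod Security admission policy in the cluster.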

  19. ☸ 🐐 Demo Time 🤞 🙏

  20. 🚀 Key Takeaways
    ✅ Security is everyone's responsibility (Dev, Ops, Security, Management, etc.)
    ⚠ Threat model your architecture and identify risks/threats
    🙌 Follow and apply secure defaults
    📚 Know what you have (Inventory of assets)
    🧱 Adopt zero trust model (Zoning, Containment & Segmentation)
    🎯 Apply security at each layer (Defense in depth strategy)
    🚨 Follow least privilege principle
    👮 AuthN & AuthZ
    🔐 Encryption at REST & TRANSIT
    🛡 Proactive monitoring & Active defense
    🔁 Continuously analyse and apply feedback loops
    👉 Crawl 🐢, Walk 🚶, Run 🏃, Fly ✈

  21. 🔖 Resources & References
    👉 https://madhuakula.com/content
    👉 https://kubernetes.io
    👉 https://github.com/madhuakula/hacker-container
    👉 https://kubernetes-security.info
    👉 https://github.com/kelseyhightower/kubernetes-the-hard-way
    👉 https://container.training
    👉 https://github.com/freach/kubernetes-security-best-practice
    👉 https://kubernetes.io/docs/tasks/administer-cluster/securing-a-cluster
    👉 https://github.com/docker/labs
    👉 https://labs.play-with-docker.com
    👉 https://labs.play-with-k8s.com
    👉 https://landscape.cncf.io
    👉 https://github.com/cncf/sig-security/tree/master/security-whitepaper
    👉 https://tools.tldr.run
    👉 https://github.com/magnologan/awesome-k8s-security
    👉 https://github.com/ramitsurana/awesome-kubernetes
    👉 https://github.com/tomhuang12/awesome-k8s-resources
    👉 CNCF Slack
    👉 Kubernetes Slack
    👉 https://k8s.af
    👉 https://contained.af
    👉 https://github.com/genuinetools/img
    👉 https://github.com/genuinetools/bane
    👉 https://github.com/genuinetools/amicontained
    👉 CNCF YouTube Playlists for the KubeCon

  22. Thank you 🙏
    @madhuakula
    https://madhuakula.com
    Want to learn more, have some idea, or just want to say 👋
