Slide 1

TRACK: DEVSECOPS
NOVEMBER 12, 2020
Madhu Akula
Kubernetes Goat: Practical Approach to Learn Kubernetes Security

Slide 2

About Me
● Creator of Kubernetes Goat, Hacker Container, tools.tldr.run, many other OSS projects.
● Speaker & Trainer at Blackhat, DEFCON, GitHub, USENIX, OWASP, All Day DevOps, DevSecCon, CNCF, c0c0n, Nullcon, SACON, null, many others.
● Author of Security Automation with Ansible 2, OWASP KSTG, DevSecOps whitepaper, etc.
● Technical reviewer (multiple books) & review board member of multiple conferences, organizations, communities, etc.
● Found security vulnerabilities in 200+ organizations and products including Google, Microsoft, AT&T, Adobe, WordPress, Ntop, etc.
● Certified Kubernetes Administrator & Offensive Security Certified Professional, etc.
● Never ending learner!

Slide 3

What is Kubernetes Goat?
Kubernetes Goat is designed to be an intentionally vulnerable cluster environment to learn and practice Kubernetes security.

Slide 4

Disclaimer
Kubernetes Goat creates intentionally vulnerable resources in your cluster. DO NOT deploy Kubernetes Goat in a production environment or alongside any sensitive cluster resources.

Slide 5

Current Scenarios in Kubernetes Goat!
1. Sensitive keys in code bases
2. DIND (docker-in-docker) exploitation
3. SSRF in K8S world
4. Container escape to access host system
5. Docker CIS Benchmarks analysis
6. Kubernetes CIS Benchmarks analysis
7. Attacking private registry
8. NodePort exposed services
9. Helm v2 tiller to PwN the cluster
10. Analysing crypto miner container
11. Kubernetes Namespaces bypass
12. Gaining environment information
13. DoS the memory/CPU resources
14. Hacker Container preview
15. Hidden in layers
16. RBAC Least Privileges Misconfiguration
17. KubeAudit - Audit Kubernetes Clusters
18. Sysdig Falco - Runtime Security Monitoring & Detection
19. Popeye - A Kubernetes Cluster Sanitizer
20. Secure network boundaries using NSP
More coming soon….

Slide 6

Kubernetes Goat Setup
● Ensure you have admin access to the Kubernetes cluster
  ○ Refer to kubectl releases for binaries: https://kubernetes.io/docs/tasks/tools/install-kubectl/
  ○ Verify by running kubectl version
● Ensure you have helm version 2 set up in your path as helm2
  ○ Refer to helm version 2 releases for binaries: https://github.com/helm/helm/releases
  ○ Verify by running helm2 version
● To set up the Kubernetes Goat resources in your cluster, run the following commands:
    git clone https://github.com/madhuakula/kubernetes-goat.git
    cd kubernetes-goat
    bash setup-kubernetes-goat.sh
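Slide 6 lists the prerequisites and the three setup commands but nothing checks that the prerequisites hold before the script starts creating resources. The POSIX shell script below is an added example and is not part of the Kubernetes Goat project or its setup-kubernetes-goat.sh: it verifies what the slide asks for (git, kubectl, helm v2 on PATH as helm2, and cluster-admin rights on the current context via `kubectl auth can-i`), enforces the Slide 4 disclaimer with a KUBERNETES_GOAT_DISPOSABLE=yes variable that is my own constructed guard rather than a project setting, and only then runs the slide's commands. The file name setup-goat-preflight.sh is likewise assumed.

```shell
#!/bin/sh
# Added preflight script for the Kubernetes Goat setup steps on this slide.
# Not part of the Kubernetes Goat project. The KUBERNETES_GOAT_DISPOSABLE
# variable is a constructed guard for the "not in production" disclaimer,
# not a project setting.

# Print a hint and fail when a required command is missing from PATH.
require_cmd() {
  if command -v "$1" >/dev/null 2>&1; then
    return 0
  fi
  echo "missing: $1 - $2" >&2
  return 1
}

# Return 0 only when every prerequisite from the slide is satisfied.
preflight() {
  status=0
  require_cmd git "needed to clone the repository" || status=1
  require_cmd kubectl "install from https://kubernetes.io/docs/tasks/tools/install-kubectl/" || status=1
  require_cmd helm2 "install helm v2 from https://github.com/helm/helm/releases and expose it on PATH as helm2" || status=1

  # The setup creates namespaces, RBAC objects and privileged workloads, so the
  # current kubeconfig context must be cluster-admin. `kubectl auth can-i`
  # exits non-zero when the answer is "no".
  if [ "$status" -eq 0 ] && ! kubectl auth can-i '*' '*' --all-namespaces >/dev/null 2>&1; then
    echo "kubectl works but the current context is not cluster-admin" >&2
    status=1
  fi

  # Guard for the disclaimer: the operator must state that this cluster is
  # disposable before intentionally vulnerable resources are created.
  if [ "${KUBERNETES_GOAT_DISPOSABLE:-}" != "yes" ]; then
    echo "refusing: set KUBERNETES_GOAT_DISPOSABLE=yes only for a throwaway cluster" >&2
    status=1
  fi
  return "$status"
}

# The slide's own setup commands, run only after every check above passes.
setup_goat() {
  preflight || return 1
  git clone https://github.com/madhuakula/kubernetes-goat.git || return 1
  cd kubernetes-goat || return 1
  bash setup-kubernetes-goat.sh
}

# Only run the full flow when invoked as `sh setup-goat-preflight.sh run`;
# otherwise just define the functions so preflight can be called on its own.
if [ "${1:-}" = "run" ]; then
  setup_goat
fi
```

Run it as `KUBERNETES_GOAT_DISPOSABLE=yes sh setup-goat-preflight.sh run`. Without the `run` argument the script only defines the functions, which keeps the admin-rights and disposable-cluster checks usable on their own before any cluster changes are made.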

Slide 7

Kubernetes Goat - Without Setup 😎
https://katacoda.com/madhuakula/scenarios/kubernetes-goat

Slide 8

Demo Time!

Slide 9

Key Takeaways!
● Attackers/Red Teams
  ○ Learning how to attack and find security issues within containers, Kubernetes and similar environments and workloads to exploit and gain access
● Defenders/Blue Teams
  ○ Understanding best practices, learning how attackers work in order to apply defenses, and practicing the attacks and misconfigurations to apply defense and detection
● Security Vendors
  ○ Using Kubernetes Goat to showcase the effectiveness of their tools/products, helping educate customers and sharing their knowledge in an interactive hands-on way
● Architects/Engineers/Consultants/Developers/Users/etc…
  ○ Learning and practicing
● Share it with your friends, colleagues, everyone. Provide your valuable feedback, contributions, and suggestions.

Slide 10

Thank You!
@madhuakula
https://madhuakula.com