The Path Less Traveled: Abusing Kubernetes Defaults

Slide 1

Slide 1 text

THE PATH LESS TRAVELED Abusing Kubernetes Defaults

Slide 2

Slide 2 text

• Ian Coldwater is a Lead Platform Security Engineer at Heroku, who specializes in hacking and hardening Kubernetes, containers and cloud infrastructure. • Dufﬁe Cooley is a Staff Cloud Native Architect at VMWare. He likes to talk about Kubernetes and distributed systems. He is a presenter on tgik.io a weekly video blog on Kubernetes ecosystem. He can be found in most places as @mauilion Twitter @mauilion Twitter @IanColdwater #BHUSA

Slide 3

Slide 3 text

CHECK YOUR ASSUMPTIONS • Kubernetes is not secure by default. • Nor are the applications deployed upon it.

Slide 4

Slide 4 text

A WORD ON DEFAULTS • There is no singular set of Kubernetes defaults • Kubernetes requires config, and every cluster is likely to be configured differently • This talk uses a cluster with defaults defined by kubeadm

Slide 5

Slide 5 text

WHAT IS KUBERNETES? • Most widely used container orchestrator, with rapid rates of adoption and change • Kubernetes is both a distributed system and an API-based platform • These are both attack surfaces, but different ones

Slide 6

Slide 6 text

HOW DOES KUBERNETES WORK?

Slide 7

Slide 7 text

KUBERNETES COMPONENTS

Slide 8

Slide 8 text

THE KUBERNETES API • kubectl is a CLI tool bundled with Kubernetes. • kubectl explain lets you explore the api interactively • kubectl apply -f https://some/manifest.yaml applies conﬁg

Slide 9

Slide 9 text

HOW THE PARTS MOVE

Slide 10

Slide 10 text

DEMO direct schedule with hostPath and hostNetwork to grab cluster admin token from etcd Link: https://asciinema.org/a/261376 10

Slide 11

Slide 11 text

DEMO TAKEAWAYS ● Users can create pods with wild permissions by default ● Scheduling is not a security boundary ● Namespace isolation is not always enough ● Mitigations: encrypt etcd secrets at rest, and don’t run a kubelet on control plane nodes

Slide 12

Slide 12 text

HOSTPATH! Kubernetes documentation refers to hostPath as a “powerful escape hatch.” No kidding.

Slide 13

Slide 13 text

DOCKER IN DOCKER • Allows users to build containers inside of Kubernetes • Allows attackers to escalate privileges from an unprivileged pod • Docker socket lives at /var/run/docker.sock • Other container runtimes have sockets too

Slide 14

Slide 14 text

DEMO Docker in Docker Link: https://asciinema.org/a/261373 14

Slide 15

Slide 15 text

DEMO TAKEAWAYS ● Docker in Docker gives a lot of access to the underlying host. ● Docker is an unauthenticated api with full access to the kernel when used it in this way. ● Mitigations: Restrict the use of hostPath with admission control.

Slide 16

Slide 16 text

CONTAINER ATTACKS • Kubernetes is a container orchestrator. Attacks on containers still work! • Understanding how containers work can be helpful for both attackers and defenders. • Containers are made of Linux primitives. Attacking containers is attacking Linux.

Slide 17

Slide 17 text

WHAT IS A CONTAINER? • Single process on a shared host, controlled by cgroups, isolated by namespaces • These primitives aren’t new tech. Containers seem simple on the outside, but all that old tech still lives in the background. That’s where the attack surface lives. • Capabilities and other ways to attack the Linux kernel still apply • Shared resources make for a shared attack surface!

Slide 18

Slide 18 text

WHAT ARE CONTAINERS MADE OF?

Slide 19

Slide 19 text

ONE TWEET TO ROOT

Slide 20

Slide 20 text

DEMO k8s root via nsenter link: https://asciinema.org/a/261377 20

Slide 21

Slide 21 text

DEMO TAKEAWAYS ● Restrict the use of “privileged” Containers. ● Restrict the use of hostPID. ● nsenter is a very powerful tool that can be used to access any process on the host system

Slide 22

Slide 22 text

CAN WE FIX THIS? Yes we can! Mostly. 22

Slide 23

Slide 23 text

ADMISSION CONTROL ● Admission control is your only line of defense! ● Lets you limit what a user or controller can do in depth ● Can be used to validate or mutate on admission

Slide 24

Slide 24 text

DEMO Pod Security Policy link: https://asciinema.org/a/261378 24

Slide 25

Slide 25 text

DEMO TAKEAWAYS ● Pod Security Policies provide a granular way to deﬁne what a pod can do. ● They are an admission controller that can mutate or validate pods. ● PSP is hard to setup and adopt. ● With constraint comes a loss of agility.

Slide 26

Slide 26 text

...AND ONE MORE THING Can admission control stand up to a static pod? 26

Slide 27

Slide 27 text

COMING FULL CIRCLE • We’re really not trying to scare you here. • Kubernetes is powerful and complex, with a lot of moving parts and a few gotchas. • It is possible to make Kubernetes more secure! • We need your help to do that.

Slide 28

Slide 28 text

GET INVOLVED! • Kubernetes is an open source project that could use more security-minded contributors! • Vulnerability disclosure info: k8s.io/security • Kubernetes is getting more serious about the security of the project! • Third party code review and ﬁndings: git.io/k8s-audit • Bug Bounty coming soon.

Slide 29

Slide 29 text

BLACK HAT SOUND BYTES • Check your assumptions! Kubernetes is not secure by default. • Kubernetes is complex, with many moving parts and some unexpected behavior. Understanding how the system works can help you both as an operator and an attacker. • It is possible to make Kubernetes more secure, but you have to put in the work! Put admission control on your clusters, and get involved in the Kubernetes project. RESOURCES: git.io/bh-kubernetes