Madhu Akula Interactive Playground to Learn Kubernetes and Cloud Native Security https://sched.co/1HyQj

👋 Whoami - Madhu Akula 👉 Pragmatic Security Leader, working on Cloud Native Infra, Security, and Startups 👉 Creator of Kubernetes Goat, Hacker Container, tools.tldr.run, many other OSS projects. 👉 Speaks & Trains at Black Hat (USA, EU, Asia), DEF CON, GitHub, USENIX, OWASP, All Day DevOps, SANS, DevSecCon, CNCF, c0c0n, Nullcon, null, many others around the globe. 👉 Author of Security Automation with Ansible2, OWASP KSTG, whitepapers, etc. 👉 Technical reviewer (multiple books) & Review board member of multiple conferences, organizations, communities, advisory, etc. 👉 Found security vulnerabilities in 200+ organizations and products including Google, Microsoft, AT&T, Adobe, eBay, WordPress, Ntop, Cloudflare, Yahoo, LocalBitcoins, etc. 👉 Certified Kubernetes(CKA/CKS), Offensive Security Certified Professional, etc. 👉 Never ending learner! @madhuakula

📅 Agenda - Our next 30 minutes or so… 🤔 We will start thinking together ○ Why Kubernetes and Cloud Native security? ○ What are the challenges in the security? 🤖 We start brainstorming some approaches on how can we solve those problems? 💥 Can you take over cluster - Are you sure? You can't be serious 👋 Introducing an Interactive Learning Playground - ⎈ Kubernetes Goat 🐐 ○ Showcase of real-world mappings (OWASP Top 10, MITRE ATT&CK, etc.) ■ Attacks, Defenses, Approaches, Many Others. 🚀 Key takeaways - Go back, hack, learn & build secure Cloud Native Ecosystem 🙏 Feedback, Questions, and a BIG THANK YOU! @madhuakula

Why Security? Kubernetes & Cloud Native @madhuakula

Why K8S & Cloud Native Security? Lack of knowledge in security teams Understanding the technology gap Maturity of the cloud native ecosystem Popular Hacks & Attacks in the real-world Speed of the changes & adoption Improving the experience @madhuakula

Lack of knowledge in security teams Why K8S & Cloud Native Security? @madhuakula

Understanding the technology gap Why K8S & Cloud Native Security? @madhuakula

Maturity of the cloud native ecosystem Why K8S & Cloud Native Security? @madhuakula

Speed of the changes & adoption Why K8S & Cloud Native Security? @madhuakula

Popular Hacks & Attacks in the real-world Why K8S & Cloud Native Security? @madhuakula

Why K8S & Cloud Native Security? Improving the experience @madhuakula

Can we do something about these Kubernetes security problems? @madhuakula

🤖 Some approaches to K8S Security https://github.com/cncf/financial-user-group/tree/main/projects/k8s-threat-model Threat Model Your Architecture @madhuakula

🤖 Some approaches to K8S Security https://github.com/cncf/financial-user-group/tree/main/projects/k8s-threat-model/AttackTrees Attack Trees @madhuakula

🤖 Some approaches to K8S Security https://www.cncf.io/reports/cloud-native-security-whitepaper/ CNCF Whitepaper & Official K8S Security Docs https://kubernetes.io/docs/concepts/security/ @madhuakula

🤖 Some approaches to K8S Security Many others… @madhuakula

Are these enough? @madhuakula

Attack Path / Kill Chain What it looks like? @madhuakula

Kubernetes - Attack Path / Kill Chain @madhuakula

Kubernetes - Attack Path / Kill Chain https://youtu.be/7nc78ZrvP4Y T A K E O V E R E N T R Y P O I N T @madhuakula

Can we try practicing them like an attacker? @madhuakula

Introducing ⎈ Kubernetes Goat 🐐 @madhuakula

Kubernetes Goat is an interactive Kubernetes security learning playground 🚀 🐐 What is Kubernetes Goat? @madhuakula

🚨 Disclaimer Kubernetes Goat has intentionally created vulnerabilities, applications, and configurations to attack and gain access to your cluster and workloads. Please DO NOT run alongside your production environments and infrastructure. So we highly recommend running this in a safe and isolated environment. Kubernetes Goat is used for educational purposes only, do not test or apply these attacks on any systems without permission. Kubernetes Goat comes with absolutely no warranties, by using it you take full responsibility for all the outcomes. @madhuakula

🔥 Kubernetes Goat Audience 💥 Attackers & Red Teams 🛡 Defenders & Blue Teams 🧰 Products & Vendors 🔐 Developers & DevOps Teams 💡 Interested in Kubernetes Security @madhuakula

🚀 Scenarios in Kubernetes Goat 1. Sensitive keys in codebases 2. DIND (docker-in-docker) exploitation 3. SSRF in the Kubernetes (K8S) world 4. Container escape to the host system 5. Docker CIS benchmarks analysis 6. Kubernetes CIS benchmarks analysis 7. Attacking private registry 8. NodePort exposed services 9. Helm v2 tiller to PwN the cluster - [Deprecated] 10. Analyzing crypto miner container 11. Kubernetes namespaces bypass 12. Gaining environment information 13. DoS the Memory/CPU resources 14. Hacker container preview 15. Hidden in layers 16. RBAC least privileges misconfiguration 17. KubeAudit - Audit Kubernetes clusters 18. Falco - Runtime security monitoring & detection 19. Popeye - A Kubernetes cluster sanitizer 20. Secure network boundaries using NSP 21. Cilium Tetragon - eBPF-based Security Observability and Runtime Enforcement 22. Securing Kubernetes Clusters using Kyverno Policy Engine More scenarios releasing soon… ❤ @madhuakula

🧰 How can I setup Kubernetes Goat ☸ Vanilla Kubernetes Cluster ☁ AWS Kubernetes (EKS) ☁ GCP Kubernetes (GKE) ☁ Azure Kubernetes (AKS) ☸ Kubernetes IN Docker (KiND) ☸ Lightweight Kubernetes (K3S) ☸ Digital Ocean, Vagrant, Many others… @madhuakula

⎈ Setting up in your Kubernetes Cluster ● Make sure you have Kubernetes cluster with cluster-admin privileges. Also kubectl and helm installed in your system before running the following commands to setup the Kubernetes Goat ● Now you can access the Kubernetes Goat by navigating to http://127.0.0.1:1234 @madhuakula

⚡ Get Started with Kubernetes Goat 🐐 @madhuakula

⚡ Get Started with Kubernetes Goat 🐐 @madhuakula

https://madhuakula.com/kubernetes-goat ⚡ Get Started with Kubernetes Goat 🐐 @madhuakula

🔟 OWASP Kubernetes Top 10 https://owasp.org/www-project-kubernetes-top-ten/ @madhuakula

🛡 MITRE ATT&CK - Kubernetes https://attack.mitre.org https://microsoft.github.io/Threat-Matrix-for-Kubernetes/ @madhuakula

Let’s explore the @madhuakula

📝 Security Tools Reports @madhuakula

🥳 Adoption of Kubernetes Goat https://youtu.be/62_Cj6yseno?t=352 @madhuakula

Key Takeaways! 🧐 A lot of gaps in the knowledge & understanding of the Cloud Native Ecosystem ⏩ The speed & adoption are growing faster, and the security maturity? 📚 Lots of resources, frameworks, and tools. But not practical enough! 🛡 Think & train practically like a hacker with real-world scenarios 🚀 Learn, practice & build a security cloud native ecosystem with Kubernetes Goat @madhuakula

Spread the ❤ #KubernetesGoat 🙌 Give it a try 🚀 Contribute ideas & suggestions 🤝 Work with the project & improve 🙏 Share your valuable feedback 🌟 Star in GitHub 🎉 Spread word #KubernetesGoat We have some awesome Kubernetes Goat Stickers 🥳 Take a photo of your one & only cool sticker and share with #KubernetesGoat hashtag! @madhuakula

🙏 Thank You @madhuakula https://madhuakula.com @madhuakula https://madhuakula.com Want to learn more, have some idea, or just wanted to say 👋 Talk Feedback & Review #KubernetesGoat https://github.com/madhuakula/kubernetes-goat https://sched.co/1HyQj