Slide 1

Madhu Akula, Cloud-Native Modernization @ TechTarget, @madhuakula
Mastering Kubernetes Security with Kubernetes Goat

Slide 2

About Me 😊
👉 Pragmatic security leader, working on cloud-native infrastructure, security, and startups
👉 Creator of Kubernetes Goat, Hacker Container, tools.tldr.run, and many other OSS projects
👉 Speaks and trains at Black Hat (USA, EU, Asia), DEF CON, GitHub, USENIX, OWASP, All Day DevOps, SANS, DevSecCon, CNCF, c0c0n, Nullcon, null, and many others around the globe
👉 Author of Security Automation with Ansible 2, OWASP KSTG, whitepapers, etc.
👉 Technical reviewer (multiple books) and review board member of multiple conferences, organizations, communities, advisory boards, etc.
👉 Found security vulnerabilities in 200+ organizations and products, including Google, Microsoft, AT&T, Adobe, eBay, WordPress, Ntop, Cloudflare, Yahoo, LocalBitcoins, etc.
👉 Certified Kubernetes (CKA/CKS), Offensive Security Certified Professional, etc.
👉 Never-ending learner!

Slide 3

What is Docker?
https://kubernetes.io/docs/concepts/overview/what-is-kubernetes/#going-back-in-time

Slide 4

What is Docker?
● Docker is an open source platform for building, deploying, and managing containerized applications.
● Docker became the de facto standard for building and sharing containerized apps, from the desktop to the cloud and even edge devices.
● Docker enables developers to easily pack, ship, and run any application as a lightweight, portable, self-sufficient container, which can run virtually anywhere.
https://docs.docker.com/get-started/overview/

Slide 5

What is Kubernetes?
Kubernetes is a portable, extensible, open-source platform for managing containerized workloads and services that facilitates both declarative configuration and automation. It has a large, rapidly growing ecosystem. Kubernetes services, support, and tools are widely available.
https://kubernetes.io/docs/concepts/overview/what-is-kubernetes/

Slide 6

What is Kubernetes?

Slide 7

The Illustrated Children's Guide to Kubernetes
https://www.youtube.com/watch?v=3I9PkvZ80BQ

Slide 8

Why Kubernetes Security Matters
● Lack of knowledge in security teams

Slide 9

Why Kubernetes Security Matters
● Rapidly growing Cloud Native Landscape ecosystem

Slide 10

Why Kubernetes Security Matters
● Technology gap: adoption and maturity

Slide 11

Why Kubernetes Security Matters

Slide 12

📚 Kubernetes Security - Layers & Areas
https://owasp.org/www-project-kubernetes-top-ten/

Slide 13

📚 Kubernetes Security Learning - Application Security
The security of the application code and dependencies that run inside the Kubernetes cluster. This can be achieved by following secure software development lifecycle standards and conducting regular code reviews, penetration testing, and vulnerability assessments.

Slide 14

📚 Kubernetes Security Learning - Image Security
The security of the images used to deploy containers in the Kubernetes cluster. This includes scanning images for vulnerabilities, using image signing and verification, and only using trusted sources for images.

Slide 15

📚 Kubernetes Security Learning - Supply-chain Security
The security of the entire process from writing application code to deploying it in production, which involves areas such as libraries, dependencies, signing, SBOM, validation, and enforcement with the SLSA framework.

Slide 16

📚 Kubernetes Security Learning - Infrastructure Security
The security of the underlying infrastructure that supports the Kubernetes cluster, including network security, access control, and ensuring that the underlying operating system is patched and up to date.

Slide 17

📚 Kubernetes Security Learning - Container Security
The security of the containers deployed in the Kubernetes cluster, including setting resource limits, using security contexts, and ensuring that containers run as non-root users.
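The controls named on this slide (resource limits, security contexts, non-root users) are all fields of a Pod spec, so they can be checked mechanically before a manifest reaches the cluster. The script below is an added example, not code from Kubernetes Goat or the presenter: it audits a constructed Pod manifest (the dict shape `kubectl get pod -o yaml` returns) and goes slightly beyond the slide by also flagging shared host namespaces, privilege escalation, writable root filesystems and undropped capabilities. The function names and finding strings are this example's own conventions.

```python
"""Added example (not Kubernetes Goat code): audit a Pod spec for the
container-hardening controls the slide names. The manifest is constructed."""

# Constructed Pod manifest with one weak container and one hardened one.
WEAK_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "demo-app", "namespace": "default"},
    "spec": {
        "hostPID": True,  # shares the node's process namespace with the pod
        "containers": [
            {
                "name": "app",
                "image": "example.invalid/demo-app:latest",
                "securityContext": {"privileged": True},
            },
            {
                "name": "sidecar",
                "image": "example.invalid/sidecar:1.0",
                "resources": {"limits": {"cpu": "500m", "memory": "256Mi"}},
                "securityContext": {
                    "runAsNonRoot": True,
                    "allowPrivilegeEscalation": False,
                    "readOnlyRootFilesystem": True,
                    "capabilities": {"drop": ["ALL"]},
                },
            },
        ],
    },
}


def audit_container(pod_sc: dict, container: dict) -> list[str]:
    """Findings for one container. Pod-level securityContext fields act as
    the fallback for anything the container does not set itself."""
    name = container["name"]
    sc = {**pod_sc, **container.get("securityContext", {})}
    limits = container.get("resources", {}).get("limits", {})
    findings = []
    if "cpu" not in limits or "memory" not in limits:
        findings.append(f"{name}: no cpu/memory limits (can exhaust shared node resources)")
    if sc.get("privileged"):
        findings.append(f"{name}: privileged container (host device access)")
    # Without runAsNonRoot, a UID of 0 (the default) means the image's USER decides.
    if not sc.get("runAsNonRoot") and sc.get("runAsUser", 0) == 0:
        findings.append(f"{name}: may run as root (set runAsNonRoot or runAsUser > 0)")
    if sc.get("allowPrivilegeEscalation", True):
        findings.append(f"{name}: allowPrivilegeEscalation not disabled")
    if "ALL" not in sc.get("capabilities", {}).get("drop", []):
        findings.append(f"{name}: capabilities not dropped (use drop: [ALL])")
    if not sc.get("readOnlyRootFilesystem"):
        findings.append(f"{name}: writable root filesystem")
    return findings


def audit_pod(pod: dict) -> list[str]:
    """Pod-level checks plus the per-container checks for every container."""
    spec = pod["spec"]
    findings = []
    for key in ("hostPID", "hostNetwork", "hostIPC"):
        if spec.get(key):
            findings.append(f"pod: {key} enabled (host namespace shared with containers)")
    pod_sc = spec.get("securityContext", {})
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        findings.extend(audit_container(pod_sc, c))
    return findings


if __name__ == "__main__":
    for finding in audit_pod(WEAK_POD):
        print("FINDING:", finding)
```

On the constructed manifest the `app` container and the pod-level `hostPID` produce seven findings while the hardened `sidecar` produces none; the same checks are what a Pod Security Standards "restricted" profile or an admission policy would enforce at deploy time.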

Slide 18

📚 Kubernetes Security Learning - Cluster Security
The security of the Kubernetes cluster itself, including securing the Kubernetes API server, etcd, and worker nodes. This can be achieved through measures such as enabling RBAC, enabling network policies, disabling anonymous access to the API server, and more.

Slide 19

📚 Kubernetes Security Learning - Network Security
The security of the network traffic that flows in and out of the Kubernetes cluster, including measures such as network policies, encryption, and firewalls.

Slide 20

📚 Kubernetes Security Learning - Runtime Security
The ongoing security of the Kubernetes cluster for detecting and responding to any security incidents or suspicious activity. This can be achieved through measures such as logging and monitoring, threat detection and response, and using security-focused tools like Kubernetes Goat to simulate attacks and identify vulnerabilities.

Slide 21

How can we learn and practice this?

Slide 22

What is Kubernetes Goat? 🐐

Slide 23

🚨 Disclaimer
Kubernetes Goat contains intentionally created vulnerabilities, applications, and configurations that can be attacked to gain access to your cluster and workloads. Please DO NOT run it alongside your production environments and infrastructure; we highly recommend running it in a safe and isolated environment. Kubernetes Goat is for educational purposes only; do not test or apply these attacks on any systems without permission. Kubernetes Goat comes with absolutely no warranties; by using it you take full responsibility for all outcomes.

Slide 24

Who can use Kubernetes Goat? 🤔
Kubernetes Goat is intended for a variety of audiences and end users, including hackers, attackers, defenders, developers, architects, DevOps teams, engineers, researchers, products, vendors, and anyone interested in learning about Kubernetes security. Below are some very high-level categories of audience:
💥 Attackers & Red Teams
🛑 Defenders & Blue Teams
🧰 Products & Vendors
🔐 Developers & DevOps Teams
💡 Interested in Kubernetes Security

Slide 25

🔥 Kubernetes Goat Audience

Slide 26

Scenarios in Kubernetes Goat 🚀
1. Sensitive keys in codebases
2. DIND (docker-in-docker) exploitation
3. SSRF in the Kubernetes (K8S) world
4. Container escape to the host system
5. Docker CIS benchmarks analysis
6. Kubernetes CIS benchmarks analysis
7. Attacking private registry
8. NodePort exposed services
9. Helm v2 tiller to PwN the cluster - [Deprecated]
10. Analyzing crypto miner container
11. Kubernetes namespaces bypass
12. Gaining environment information
13. DoS the Memory/CPU resources
14. Hacker container preview
15. Hidden in layers
16. RBAC least privileges misconfiguration
17. KubeAudit - Audit Kubernetes clusters
18. Falco - Runtime security monitoring & detection
19. Popeye - A Kubernetes cluster sanitizer
20. Secure network boundaries using NSP
21. Cilium Tetragon - eBPF-based Security Observability and Runtime Enforcement
22. Securing Kubernetes Clusters using Kyverno Policy Engine
More scenarios releasing soon… ❤

Slide 27

⚙ How can I set up Kubernetes Goat?
☸ Vanilla Kubernetes Cluster
☁ AWS Kubernetes (EKS)
☁ GCP Kubernetes (GKE)
☁ Azure Kubernetes (AKS)
☸ Kubernetes IN Docker (KiND)
☸ Lightweight Kubernetes (K3S) - Coming soon 👀
☸ Digital Ocean, Vagrant, many others…

Slide 28

⎈ Setting up in your Kubernetes cluster
● Make sure you have a Kubernetes cluster with cluster-admin privileges, and kubectl and helm installed on your system, before running the following commands to set up Kubernetes Goat.
● You can then access Kubernetes Goat by navigating to http://127.0.0.1:1234

Slide 29

⚡ Get Started with Kubernetes Goat 🐐

Slide 30

⚡ Get Started with Kubernetes Goat 🐐

Slide 31

⚡ Get Started with Kubernetes Goat 🐐
https://madhuakula.com/kubernetes-goat

Slide 32

🔟 OWASP Kubernetes Top 10
https://owasp.org/www-project-kubernetes-top-ten/

Slide 33

🛑 MITRE ATT&CK for Kubernetes Goat
https://madhuakula.com/kubernetes-goat/docs/mitre/mitre-attack

Slide 34

☸ 🐐 Demo Time 🤞 🙏

Slide 35

🔥 Kubernetes Hacking - Attack Path / Kill Chain
https://youtu.be/7nc78ZrvP4Y
This showcases the full Kubernetes cluster hacking attack path, or kill chain, from initial discovery to complete cluster takeover, and maps it back to the MITRE ATT&CK matrix 🚀

Slide 36

🔥 Kubernetes Hacking - Attack Path / Kill Chain
https://youtu.be/7nc78ZrvP4Y
👉 Information Gathering
👉 Discovery
👉 Enumeration
👉 Reconnaissance
👉 Entrypoint
👉 Application Access
👉 Execution (RCE - Remote Code Execution) - Container/Pod Access
👉 Internal Discovery/Recon/Enumeration
👉 Privilege Escalation (Container Escape / Escape to Host Node)
👉 Lateral Movement (Hop in to another Node / Namespace)
👉 Defense Evasion (Logs, Masquerading, Static Pods, Many others)
👉 Persistence (CronJob, Static Pod, Distributed Cron Job, Good old techniques, Many others)
👉 Lateral Movement (container/pod -- node/host -- another node/namespace -- another cluster -- cloud provider)
👉 Impact (Exfiltration, DoS, Collection, Dump, Resource Hijacking, Many others)

Slide 37

🥳 Adoption of Kubernetes Goat
https://youtu.be/62_Cj6yseno?t=352

Slide 38

🏁 What's next for Kubernetes Goat
🏆 Go-to Kubernetes security resource for anyone (across a variety of experience levels and skills)
🔥 All scenarios will be updated with Defenders, Developers, Tools & Vendors sections
🚀 10+ more real-world hands-on scenarios coming (more and more will come 🏃…)
☸ One-click setups, various vendor-related product testbeds, many more integrations
📝 Various OSS & vendor tools (working with security vendors to bridge the gap 👋)
💥 Heavy push towards the Developers, DevOps, and Architects learning experience
🎉 Sponsors, roadmap, support, contributors, more global scope around Cloud Native

Slide 39

Spread the ❤ #KubernetesGoat
🙌 Give it a try
🚀 Contribute ideas & suggestions
🤝 Work with the project & improve it
🙏 Share your valuable feedback
🌟 Star it on GitHub
🎉 Spread the word #KubernetesGoat
https://madhuakula.com/kubernetes-goat/docs/wall-of-love

Slide 40

Thank you 🙏
@madhuakula https://madhuakula.com
Want to learn more, have an idea, or just want to say 👋