Slide 1

ADVANCED PERSISTENCE THREATS: The Future of Kubernetes Attacks (@bradgeesaman @IanColdwater)

Slide 2

• Ian Coldwater is a Lead Platform Security Engineer at Salesforce, who specializes in hacking and hardening Kubernetes, containers and cloud infrastructure.
• Brad Geesaman is the co-founder of Darkbit, who helps clients improve the security of their clusters in cloud-native environments.

Slide 3

EARLY K8S ARCHITECTURE

Slide 5

K8S COMES AT YOU FAST

Slide 6

LOOKING FORWARD

Slide 7

GOALS: What might an attacker want to do? goose.game

Slide 8

DEMO: Tapping into the API Server Data Flow

Slide 9

VALIDATING WEBHOOKS

Slide 10

VALIDATING WEBHONKS

Slide 13

DEMO: Shadow API Server
• launch an in-cluster "shadow" API server that silently bypasses the main API servers
• no security policy
• no logs
• no crime!

Slide 14

SHADOW API SERVER

Slide 15

DEMO - C2BERNETES: Use Kubernetes as a C2 infrastructure across multiple clusters

Slide 16

WHAT IS K3S?
• A lightweight Kubernetes distribution designed for resource-constrained environments
• Runs as a single <40MB binary
• Has a simplified communication channel: only requires a single TLS connection outbound from nodes to the control plane
• This is very likely to be available and blend in with other valid traffic :)

Slide 17

KUBERNETES VS K3S

Slide 19

ALL CLOUDS ARE BROKEN

Slide 20

C2: CLUSTER OF CLUSTERS

Slide 21

WHAT'S COMING

Slide 22

CHECK YOUR --PRIVILEGE: New as of Kubernetes 1.19.0: kubectl run --privileged

Slide 23

DYNAMIC CONFIGURATION
• Dynamic Audit Sink configuration: --feature-gates=DynamicAuditing=true
• Dynamic Kubelet configuration: --feature-gates=DynamicKubeletConfig=true
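A defender-side check for the two dynamic-configuration feature gates named on this slide, added here as an example and not part of the talk: it parses the --feature-gates flags of a component's command line (both the `=` and space-separated forms, with later flags overriding earlier ones for the same gate) and reports which runtime-reconfiguration gates are enabled. The kube-apiserver and kubelet command lines are constructed samples, not from any real cluster.

```python
# Added defender check, not from the talk: find the dynamic-configuration
# feature gates named on the slide enabled on a control-plane component.
# Command lines below are constructed samples, not from a real cluster.

# Gate -> component that honours it. Both let cluster users reconfigure
# audit sinks or kubelets at runtime, so a defender wants them off.
RISKY_GATES = {"DynamicAuditing": "kube-apiserver",
               "DynamicKubeletConfig": "kubelet"}


def parse_feature_gates(args):
    """Return {gate: bool} from every --feature-gates flag in an argv list.

    Accepts '--feature-gates=A=true,B=false' and '--feature-gates A=true',
    tolerates whitespace, and lets a later flag override an earlier value
    for the same gate. Entries that are not true/false are ignored.
    """
    gates, i = {}, 0
    while i < len(args):
        arg, value = args[i], None
        if arg.startswith("--feature-gates="):
            value = arg.split("=", 1)[1]
        elif arg == "--feature-gates" and i + 1 < len(args):
            i += 1
            value = args[i]
        for item in (value or "").split(","):
            if "=" in item:
                name, state = (s.strip() for s in item.split("=", 1))
                if state.lower() in ("true", "false"):
                    gates[name] = state.lower() == "true"
        i += 1
    return gates


def enabled_risky_gates(component, args):
    """Sorted names of RISKY_GATES for `component` that are enabled in args."""
    gates = parse_feature_gates(args)
    return sorted(g for g, c in RISKY_GATES.items()
                  if c == component and gates.get(g, False))


SAMPLE_APISERVER = ["kube-apiserver",
                    "--feature-gates=DynamicAuditing=true, OtherGate=false",
                    "--audit-log-path=/var/log/kube-audit.log"]
SAMPLE_KUBELET = ["kubelet", "--feature-gates", "DynamicKubeletConfig=true",
                  "--feature-gates=DynamicKubeletConfig=false"]  # later wins

if __name__ == "__main__":
    for comp, argv in (("kube-apiserver", SAMPLE_APISERVER),
                       ("kubelet", SAMPLE_KUBELET)):
        print(comp, "risky gates enabled:", enabled_risky_gates(comp, argv))
```

In a live cluster the argv lists would come from the static pod manifests or the kubelet's unit file; the parsing and reporting stay the same.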

Slide 24

Greetz to https://github.com/kayrus/kubelet-exploit

Slide 25

DEMO: Bringing It Back

Slide 26

COMING FULL CIRCLE
