Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Applied Kubernetes Security Pitfalls
Search
Michael Schubert
October 25, 2018
Technology
0
2.3k
Applied Kubernetes Security Pitfalls
Michael Schubert
October 25, 2018
Tweet
Share
More Decks by Michael Schubert
See All by Michael Schubert
A gentle introduction to [e]BPF @ Open Source Summit LinuxCon 2017
schu
1
770
Landlock LSM: Towards unprivileged sandboxing @ All Systems Go! 2017
schu
0
700
gobpf - utilizing eBPF from Go @ FOSDEM 2017
schu
0
1.1k
gobpf - utilizing eBPF from Go @ GDG Golang Berlin
schu
1
190
Other Decks in Technology
See All in Technology
推しは推せるときに推せ! プロダクトにフィードバックしていこう
nakasho
0
450
MapLibreとAmazon Location Service
dayjournal
1
170
成長をサポートするピープルマネジメントのやり方
sioncojp
3
270
今年のRubyKaigiはProfiler Year🤘
osyoyu
0
310
GrafanaMeetup_AmazonManagedGrafanaのアクセス制御機能とマルチテナント環境下でのアクセス制御について
daitak
0
380
Tellus の衛星データを見てみよう #mf_fukuoka
kongmingstrap
0
260
MLOpsの「壁」を乗り越える、LINEヤフーの Data Quality as Code
lycorptech_jp
PRO
8
610
よく聞くけど使ったことないソフトウェアNo.1 KafkaとSnowflake
foursue
4
490
アクセス制御にまつわる改善 / Improving access control
itkq
0
590
プロンプトエンジニアリングでがんばらない-Agentic Workflow へ-近藤憲児
kenjikondobai
6
1.1k
AWSに詳しくない人でも始められるコスト最適化ガイド
yuhta28
2
280
Rustで「プリズモイダル法」を利用して「土量計算」をガチでやる
nokonoko1203
1
250
Featured
See All Featured
The Cost Of JavaScript in 2023
addyosmani
19
3.9k
Designing the Hi-DPI Web
ddemaree
276
33k
GraphQLの誤解/rethinking-graphql
sonatard
55
9.3k
Visualizing Your Data: Incorporating Mongo into Loggly Infrastructure
mongodb
34
8.9k
Git: the NoSQL Database
bkeepers
PRO
423
63k
Why You Should Never Use an ORM
jnunemaker
PRO
51
8.6k
Side Projects
sachag
451
41k
Art, The Web, and Tiny UX
lynnandtonic
290
19k
Mobile First: as difficult as doing things right
swwweet
217
8.6k
Creating an realtime collaboration tool: Agile Flush - .NET Oxford
marcduiker
14
1.5k
Designing for Performance
lara
602
67k
Creatively Recalculating Your Daily Design Routine
revolveconf
211
11k
Transcript
Applied Kubernetes Security Pitfalls
Kubernetes today ❏ Many means available to make clusters more
secure ❏ Continued efforts towards secure-by-default ❏ Fairly good security track record
None
apiVersion: v1 kind: Pod … volumeMounts: - mountPath: /test name:
test subPath: malicious-symlink volumes: - name: test hostPath: path: /tmp/test type: Directory
“Complexity is insecurity” Complexity correlated with the presence of security
vulnerabilities
Capture the flag http://tiny.cc/k8sminictf PS: No DoS and wrongdoing please
:)
kube-apiserver: auth delegation ❏ Needed for e.g. API extensions --requestheader-client-ca-file
--requestheader-group-headers --requestheader-username-headers --requestheader-allowed-names (~optional) --requestheader-extra-headers-prefix (optional)
kube-apiserver: auth delegation [Service] ExecStart=/usr/local/bin/kube-apiserver \ --authorization-mode=Node,RBAC \ --client-ca-file=/etc/k8s/ca.pem \
--bind-address=0.0.0.0 \ […] --requestheader-client-ca-file=/etc/k8s/ca.pem \ --requestheader-group-headers=X-Remote-Group \ --requestheader-username-headers=X-Remote-User CTF: Demo #1 http://tiny.cc/k8sminictf
PodSecurityPolicy (PSP) ❏ Added with v1.10 ❏ Administrators decide what
contexts pods can run in ❏ Would have been a way to mitigate CVE-2017-1002101 ... with the right policy
apiVersion: policy/v1beta1 kind: PodSecurityPolicy … privileged: false volumes: - 'hostPath'
allowedHostPaths: - pathPrefix: /tmp runAsUser: rule: 'MustRunAs' ranges: - min: 1 max: 65535 CTF: Demo #2 http://tiny.cc/k8sminictf
Server-side request forgery (SSRF) ❏ “... is a type of
exploit where an attacker abuses the functionality of a server causing it to access or manipulate information in the realm of that server ...”
Server-side request forgery (SSRF) <script> window.location="http://metadata.google.internal/…; </script> https://hackerone.com/reports/341876 Kudos Shopify!
Thank you
[email protected]
@schux00 @
[email protected]
[email protected]
Resources ❏ https://github.com/kubernetes/kubernetes/issues/60813 ❏ https://www.daemonology.net/blog/2009-09-04-complexity-is-insecurity.html ❏ https://www.schneier.com/blog/archives/2018/06/thomas_dullien_.html ❏ https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-syst ems
❏ https://en.wikipedia.org/wiki/Server-side_request_forgery ❏ https://hackerone.com/reports/341876