Applied Kubernetes Security Pitfalls
Michael Schubert
October 25, 2018
Technology
Transcript
Applied Kubernetes Security Pitfalls
Kubernetes today
❏ Many means available to make clusters more secure
❏ Continued efforts towards secure-by-default
❏ Fairly good security track record
apiVersion: v1
kind: Pod
…
    volumeMounts:
    - mountPath: /test
      name: test
      subPath: malicious-symlink
  volumes:
  - name: test
    hostPath:
      path: /tmp/test
      type: Directory
“Complexity is insecurity”
Complexity correlated with the presence of security vulnerabilities
Capture the flag
http://tiny.cc/k8sminictf
PS: No DoS and no wrongdoing please :)
kube-apiserver: auth delegation
❏ Needed for e.g. API extensions
    --requestheader-client-ca-file
    --requestheader-group-headers
    --requestheader-username-headers
    --requestheader-allowed-names (~optional)
    --requestheader-extra-headers-prefix (optional)
kube-apiserver: auth delegation
[Service]
ExecStart=/usr/local/bin/kube-apiserver \
  --authorization-mode=Node,RBAC \
  --client-ca-file=/etc/k8s/ca.pem \
  --bind-address=0.0.0.0 \
  […] \
  --requestheader-client-ca-file=/etc/k8s/ca.pem \
  --requestheader-group-headers=X-Remote-Group \
  --requestheader-username-headers=X-Remote-User
CTF: Demo #1 http://tiny.cc/k8sminictf
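The unit file above is the pitfall behind Demo #1: --requestheader-client-ca-file points at the same CA as --client-ca-file, and --requestheader-allowed-names is absent, so every certificate issued by the cluster CA (users, kubelets, controllers) is trusted to supply X-Remote-User and X-Remote-Group, i.e. to assert an arbitrary identity. The following Python script is an added example, not code from the deck or from Kubernetes: it parses a kube-apiserver ExecStart line and reports that combination. The unit texts are constructed; the /etc/k8s/front-proxy-ca.pem path and the front-proxy-client CN in the hardened variant are assumed names.

```python
import shlex

# Constructed sample: the ExecStart from the slide, minus the omitted "[…]" flags.
WEAK_UNIT = """[Service]
ExecStart=/usr/local/bin/kube-apiserver \\
  --authorization-mode=Node,RBAC \\
  --client-ca-file=/etc/k8s/ca.pem \\
  --bind-address=0.0.0.0 \\
  --requestheader-client-ca-file=/etc/k8s/ca.pem \\
  --requestheader-group-headers=X-Remote-Group \\
  --requestheader-username-headers=X-Remote-User
"""

# Constructed hardened variant (assumed path and CN): a CA used only for the
# aggregator / front proxy, and an explicit list of client CNs allowed to set headers.
HARDENED_UNIT = """[Service]
ExecStart=/usr/local/bin/kube-apiserver \\
  --authorization-mode=Node,RBAC \\
  --client-ca-file=/etc/k8s/ca.pem \\
  --bind-address=0.0.0.0 \\
  --requestheader-client-ca-file=/etc/k8s/front-proxy-ca.pem \\
  --requestheader-allowed-names=front-proxy-client \\
  --requestheader-group-headers=X-Remote-Group \\
  --requestheader-username-headers=X-Remote-User
"""


def parse_execstart(unit_text):
    """Return {flag_name: value} for the --flag=value arguments of the ExecStart= line,
    following backslash line continuations."""
    parts, collecting = [], False
    for line in unit_text.splitlines():
        if line.startswith("ExecStart="):
            collecting, line = True, line[len("ExecStart="):]
        if not collecting:
            continue
        stripped = line.rstrip()
        parts.append(stripped.rstrip("\\"))
        if not stripped.endswith("\\"):
            break
    argv = shlex.split(" ".join(parts))
    flags = {}
    for arg in argv[1:]:  # argv[0] is the binary itself
        if arg.startswith("--"):
            name, _, value = arg[2:].partition("=")
            flags[name] = value
    return flags


def audit_auth_delegation(flags):
    """List the auth-delegation weaknesses visible in the flag set."""
    findings = []
    rh_ca = flags.get("requestheader-client-ca-file")
    if not rh_ca:
        return findings  # header-based delegation is not enabled at all
    if rh_ca == flags.get("client-ca-file"):
        findings.append(
            "requestheader-client-ca-file reuses the cluster client CA: any certificate "
            "it issued (users, kubelets) is trusted to supply X-Remote-* headers")
    if not flags.get("requestheader-allowed-names"):
        findings.append(
            "requestheader-allowed-names is empty: every certificate validated by the "
            "requestheader CA may assert any user and group through the headers")
    return findings


if __name__ == "__main__":
    for label, unit in (("weak", WEAK_UNIT), ("hardened", HARDENED_UNIT)):
        findings = audit_auth_delegation(parse_execstart(unit))
        print(f"{label}: {len(findings)} finding(s)")
        for finding in findings:
            print("  -", finding)
```

The same check applies to a static pod manifest or a kubeadm ClusterConfiguration, only the parsing differs: what matters is that the requestheader CA is distinct from the client CA and that allowed-names names exactly the certificates the aggregation layer uses.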
PodSecurityPolicy (PSP)
❏ Added with v1.10
❏ Administrators decide what contexts pods can run in
❏ Would have been a way to mitigate CVE-2017-1002101 ... with the right policy
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
…
  privileged: false
  volumes:
  - 'hostPath'
  allowedHostPaths:
  - pathPrefix: /tmp
  runAsUser:
    rule: 'MustRunAs'
    ranges:
    - min: 1
      max: 65535
CTF: Demo #2 http://tiny.cc/k8sminictf
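To see what this policy does and does not stop, the Python below (an added example, not code from the deck or from the Kubernetes PSP admission plugin) evaluates the hostPath/subPath pod from the earlier slide against the policy above. It applies the prefix semantics documented for allowedHostPaths (pathPrefix /tmp admits /tmp and /tmp/test but not /tmpfoo) and the MustRunAs range check, and raises the warning the PSP documentation gives for writable allowed host paths, which is the weak spot in Demo #2. The pod and policy dicts are constructed from the slides; the busybox image is assumed because the slide elides it.

```python
# Constructed sample: the PodSecurityPolicy from the slide.
SLIDE_PSP = {
    "privileged": False,
    "volumes": ["hostPath"],
    "allowedHostPaths": [{"pathPrefix": "/tmp"}],
    "runAsUser": {"rule": "MustRunAs", "ranges": [{"min": 1, "max": 65535}]},
}

# Constructed sample: the hostPath/subPath pod from the earlier slide, running as uid 1000.
SLIDE_POD = {
    "securityContext": {"runAsUser": 1000},
    "containers": [{
        "name": "test",
        "image": "busybox",  # assumed, the slide elides the container spec
        "volumeMounts": [{"mountPath": "/test", "name": "test", "subPath": "malicious-symlink"}],
    }],
    "volumes": [{"name": "test", "hostPath": {"path": "/tmp/test", "type": "Directory"}}],
}


def has_path_prefix(path, prefix):
    """Segment-aware prefix match as documented for allowedHostPaths:
    /tmp allows /tmp, /tmp/ and /tmp/test, but not /tmpfoo or /etc/tmp."""
    path = path.rstrip("/") or "/"
    prefix = prefix.rstrip("/") or "/"
    return prefix == "/" or path == prefix or path.startswith(prefix + "/")


def evaluate(pod_spec, psp):
    """Return (violations, warnings): violations are what PSP admission would reject,
    warnings are policy weaknesses the PSP documentation calls out."""
    violations, warnings = [], []

    allowed_vols = psp.get("volumes", [])
    allowed_paths = psp.get("allowedHostPaths", [])
    for vol in pod_spec.get("volumes", []):
        if "hostPath" not in vol:
            continue
        if "hostPath" not in allowed_vols and "*" not in allowed_vols:
            violations.append(f"volume {vol['name']}: hostPath volumes are not permitted")
            continue
        hp = vol["hostPath"]["path"]
        matches = [a for a in allowed_paths if has_path_prefix(hp, a["pathPrefix"])]
        if allowed_paths and not matches:
            violations.append(f"volume {vol['name']}: {hp} is outside every allowed pathPrefix")
            continue
        # An empty allowedHostPaths list means "any path". A writable allowed prefix is
        # also weak: the PSP docs note that writable hostPath directories let a container
        # write to the filesystem in ways that reach outside the pathPrefix.
        if not allowed_paths or any(not a.get("readOnly", False) for a in matches):
            warnings.append(f"volume {vol['name']}: {hp} is allowed writable, set readOnly: true "
                            "on the matching allowedHostPaths entry")

    for c in pod_spec.get("containers", []):
        if c.get("securityContext", {}).get("privileged") and not psp.get("privileged", False):
            violations.append(f"container {c['name']}: privileged containers are not permitted")

    rule = psp.get("runAsUser", {})
    if rule.get("rule") == "MustRunAs":
        ranges = rule["ranges"]
        uid = pod_spec.get("securityContext", {}).get("runAsUser")
        if uid is None:
            warnings.append(f"runAsUser unset: admission would default it to {ranges[0]['min']}")
        elif not any(r["min"] <= uid <= r["max"] for r in ranges):
            violations.append(f"runAsUser {uid} is outside the allowed ranges")

    return violations, warnings


if __name__ == "__main__":
    violations, warnings = evaluate(SLIDE_POD, SLIDE_PSP)
    print("violations:", violations or "none")
    print("warnings:", warnings or "none")
```

Run as-is, the slide's pod is admitted by the slide's policy (no violations) and only the readOnly warning fires: the policy confines hostPath to /tmp and forbids uid 0, but still hands the container a writable host directory. Adding readOnly: true to the allowedHostPaths entry is the "right policy" the PSP slide refers to.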
Server-side request forgery (SSRF)
❏ “... is a type of exploit where an attacker abuses the functionality of a server causing it to access or manipulate information in the realm of that server ...”
Server-side request forgery (SSRF)
<script>
  window.location="http://metadata.google.internal/…";
</script>
https://hackerone.com/reports/341876
Kudos Shopify!
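The report above turns a server-side fetch into a request to the cloud metadata service. On the application side, the usual mitigation is to validate the destination before the server follows any user-influenced URL. The Python below is an added example, not code from the deck or from the report: a guard that accepts only http(s), refuses known metadata hostnames, resolves the host through an injectable resolver (a constructed lookup table here, so it runs offline), and rejects any destination that resolves to a non-global address (loopback, link-local including 169.254.169.254, RFC 1918, and the other reserved ranges that ipaddress.is_global excludes). The hostnames and addresses in the table are constructed samples.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed: hostnames treated as metadata endpoints regardless of what they resolve to.
BLOCKED_HOSTNAMES = {"metadata.google.internal", "metadata"}

# Constructed resolver table standing in for DNS so the example runs offline.
SAMPLE_DNS = {
    "metadata.google.internal": ["169.254.169.254"],
    "example.com": ["93.184.216.34"],
    "internal.corp": ["10.0.0.5"],
    "mixed.example": ["93.184.216.34", "127.0.0.1"],  # one public and one loopback answer
}


def resolve_from_table(host):
    return SAMPLE_DNS.get(host, [])


def is_safe_destination(url, resolver=resolve_from_table):
    """Return (ok, reason). Accept only http(s) to a host every address of which is
    globally routable, and refuse known metadata hostnames outright."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, f"scheme {parts.scheme!r} is not allowed"
    # urlsplit().hostname drops userinfo and port, so http://user@host:8080/ yields "host"
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return False, "missing host"
    if host in BLOCKED_HOSTNAMES:
        return False, f"{host} is a metadata endpoint"
    try:
        addrs = [ipaddress.ip_address(host)]  # literal IPv4/IPv6 address in the URL
    except ValueError:
        addrs = [ipaddress.ip_address(a) for a in resolver(host)]
    if not addrs:
        return False, f"{host} does not resolve"
    for addr in addrs:
        # is_global is False for loopback, link-local (169.254.0.0/16, fe80::/10),
        # RFC 1918 and unique-local ranges, unspecified and other reserved blocks.
        if not addr.is_global:
            return False, f"{host} resolves to non-global address {addr}"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ("https://example.com/feed", "http://metadata.google.internal/",
                      "http://169.254.169.254/", "http://internal.corp/", "file:///etc/passwd"):
        print(candidate, "->", is_safe_destination(candidate))
```

Two caveats matter in practice: the HTTP client must connect to the address that was validated (or the check is repeated after each redirect and on the connection itself), otherwise a redirect or a changing DNS answer undoes the check; and this guard complements, rather than replaces, infrastructure controls such as network policy on egress and requiring metadata-server request headers or a newer metadata API version.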
Thank you
@schux00
Resources
❏ https://github.com/kubernetes/kubernetes/issues/60813
❏ https://www.daemonology.net/blog/2009-09-04-complexity-is-insecurity.html
❏ https://www.schneier.com/blog/archives/2018/06/thomas_dullien_.html
❏ https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems
❏ https://en.wikipedia.org/wiki/Server-side_request_forgery
❏ https://hackerone.com/reports/341876