Applied Kubernetes Security Pitfalls
Michael Schubert
October 25, 2018
Transcript
Applied Kubernetes Security Pitfalls
Kubernetes today
❏ Many means available to make clusters more secure
❏ Continued efforts towards secure-by-default
❏ Fairly good security track record
apiVersion: v1
kind: Pod
…
    volumeMounts:
    - mountPath: /test
      name: test
      # subPath resolves a symlink planted in the host directory (the CVE-2017-1002101 pattern)
      subPath: malicious-symlink
  volumes:
  - name: test
    hostPath:
      path: /tmp/test
      type: Directory
“Complexity is insecurity”
Complexity is correlated with the presence of security vulnerabilities
Capture the flag
http://tiny.cc/k8sminictf
PS: No DoS and wrongdoing please :)
kube-apiserver: auth delegation
❏ Needed for e.g. API extensions
--requestheader-client-ca-file
--requestheader-group-headers
--requestheader-username-headers
--requestheader-allowed-names (~optional)
--requestheader-extra-headers-prefix (optional)
kube-apiserver: auth delegation
[Service]
ExecStart=/usr/local/bin/kube-apiserver \
  --authorization-mode=Node,RBAC \
  --client-ca-file=/etc/k8s/ca.pem \
  --bind-address=0.0.0.0 \
  […]
  --requestheader-client-ca-file=/etc/k8s/ca.pem \
  --requestheader-group-headers=X-Remote-Group \
  --requestheader-username-headers=X-Remote-User
CTF: Demo #1 http://tiny.cc/k8sminictf
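An added audit for the configuration on this slide (example code, not from the talk or the CTF): it parses the kube-apiserver ExecStart flags and reports when the requestheader CA is the same file as the ordinary client CA, or when --requestheader-allowed-names is left empty so any certificate issued by that CA may assert X-Remote-User. The flag strings are constructed from the slide; the front-proxy CA path and the allowed CN in the hardened variant are placeholders.

```python
import shlex
from typing import Dict, List

# Constructed from the slide's unit file; not a real cluster.
SAMPLE_EXECSTART = (
    "/usr/local/bin/kube-apiserver "
    "--authorization-mode=Node,RBAC "
    "--client-ca-file=/etc/k8s/ca.pem "
    "--bind-address=0.0.0.0 "
    "--requestheader-client-ca-file=/etc/k8s/ca.pem "
    "--requestheader-group-headers=X-Remote-Group "
    "--requestheader-username-headers=X-Remote-User"
)

# Hardened variant (placeholder paths/CN): separate CA for the front proxy
# and an explicit allow-list of client certificate common names.
HARDENED_EXECSTART = (
    "/usr/local/bin/kube-apiserver "
    "--client-ca-file=/etc/k8s/ca.pem "
    "--requestheader-client-ca-file=/etc/k8s/front-proxy-ca.pem "
    "--requestheader-allowed-names=front-proxy-client "
    "--requestheader-username-headers=X-Remote-User"
)


def parse_flags(execstart: str) -> Dict[str, str]:
    """Turn 'kube-apiserver --a=b --c=d' into {'a': 'b', 'c': 'd'}.
    Backslash-newline continuations from a unit file are joined first."""
    flags: Dict[str, str] = {}
    for tok in shlex.split(execstart.replace("\\\n", " "))[1:]:
        if tok.startswith("--"):
            name, _, value = tok[2:].partition("=")
            flags[name] = value
    return flags


def audit_requestheader(flags: Dict[str, str]) -> List[str]:
    """Return human-readable findings for the auth-delegation pitfalls."""
    findings: List[str] = []
    rh_ca = flags.get("requestheader-client-ca-file")
    if not rh_ca:
        return findings  # front-proxy authentication is not enabled at all
    if rh_ca == flags.get("client-ca-file"):
        findings.append("requestheader CA is the same file as client CA: "
                        "ordinary client certs are also trusted to set identity headers")
    if flags.get("requestheader-username-headers") and not flags.get("requestheader-allowed-names"):
        findings.append("requestheader-allowed-names is empty: any cert signed by the "
                        "requestheader CA may assert X-Remote-User/X-Remote-Group")
    return findings


if __name__ == "__main__":
    for finding in audit_requestheader(parse_flags(SAMPLE_EXECSTART)):
        print("PITFALL:", finding)
```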
PodSecurityPolicy (PSP)
❏ Added with v1.10
❏ Administrators decide what contexts pods can run in
❏ Would have been a way to mitigate CVE-2017-1002101 ... with the right policy
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
…
  privileged: false
  volumes:
  - 'hostPath'
  allowedHostPaths:
  - pathPrefix: /tmp
  runAsUser:
    rule: 'MustRunAs'
    ranges:
    - min: 1
      max: 65535
CTF: Demo #2 http://tiny.cc/k8sminictf
Server-side request forgery (SSRF)
❏ “... is a type of exploit where an attacker abuses the functionality of a server causing it to access or manipulate information in the realm of that server ...”
Server-side request forgery (SSRF)
<script> window.location="http://metadata.google.internal/…; </script>
https://hackerone.com/reports/341876
Kudos Shopify!
Thank you
@schux00
Resources
❏ https://github.com/kubernetes/kubernetes/issues/60813
❏ https://www.daemonology.net/blog/2009-09-04-complexity-is-insecurity.html
❏ https://www.schneier.com/blog/archives/2018/06/thomas_dullien_.html
❏ https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems
❏ https://en.wikipedia.org/wiki/Server-side_request_forgery
❏ https://hackerone.com/reports/341876