Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Applied Kubernetes Security Pitfalls
Search
Michael Schubert
October 25, 2018
Technology
0
2.4k
Applied Kubernetes Security Pitfalls
Michael Schubert
October 25, 2018
Tweet
Share
More Decks by Michael Schubert
See All by Michael Schubert
A gentle introduction to [e]BPF @ Open Source Summit LinuxCon 2017
schu
1
860
Landlock LSM: Towards unprivileged sandboxing @ All Systems Go! 2017
schu
0
800
gobpf - utilizing eBPF from Go @ FOSDEM 2017
schu
0
1.2k
gobpf - utilizing eBPF from Go @ GDG Golang Berlin
schu
1
210
Other Decks in Technology
See All in Technology
mrubyと micro-ROSが繋ぐロボットの世界
kishima
2
360
Claude Code Actionを使ったコード品質改善の取り組み
potix2
PRO
6
2.5k
SpringBoot x TestContainerで実現するポータブル自動結合テスト
demaecan
0
110
Node-REDのFunctionノードでMCPサーバーの実装を試してみた / Node-RED × MCP 勉強会 vol.1
you
PRO
0
120
2025-06-26 GitHub CopilotとAI駆動開発:実践と導入のリアル
fl_kawachi
1
150
LangChain Interrupt & LangChain Ambassadors meetingレポート
os1ma
2
130
Github Copilot エージェントモードで試してみた
ochtum
0
110
Geminiとv0による高速プロトタイピング
shinya337
0
130
低レイヤを知りたいPHPerのためのCコンパイラ作成入門 完全版 / Building a C Compiler for PHPers Who Want to Dive into Low-Level Programming - Expanded
tomzoh
4
3.3k
「良さそう」と「とても良い」の間には 「良さそうだがホンマか」がたくさんある / 2025.07.01 LLM品質Night
smiyawaki0820
1
390
無意味な開発生産性の議論から抜け出すための予兆検知とお金とAI
i35_267
0
160
プロダクトエンジニアリング組織への歩み、その現在地 / Our journey to becoming a product engineering organization
hiro_torii
0
130
Featured
See All Featured
The Illustrated Children's Guide to Kubernetes
chrisshort
48
50k
GitHub's CSS Performance
jonrohan
1031
460k
Principles of Awesome APIs and How to Build Them.
keavy
126
17k
How to Ace a Technical Interview
jacobian
277
23k
Save Time (by Creating Custom Rails Generators)
garrettdimon
PRO
31
1.2k
JavaScript: Past, Present, and Future - NDC Porto 2020
reverentgeek
48
5.4k
10 Git Anti Patterns You Should be Aware of
lemiorhan
PRO
657
60k
Site-Speed That Sticks
csswizardry
10
670
It's Worth the Effort
3n
185
28k
Navigating Team Friction
lara
187
15k
個人開発の失敗を避けるイケてる考え方 / tips for indie hackers
panda_program
107
19k
Let's Do A Bunch of Simple Stuff to Make Websites Faster
chriscoyier
507
140k
Transcript
Applied Kubernetes Security Pitfalls
Kubernetes today ❏ Many means available to make clusters more
secure ❏ Continued efforts towards secure-by-default ❏ Fairly good security track record
None
apiVersion: v1 kind: Pod … volumeMounts: - mountPath: /test name:
test subPath: malicious-symlink volumes: - name: test hostPath: path: /tmp/test type: Directory
“Complexity is insecurity” Complexity correlated with the presence of security
vulnerabilities
Capture the flag http://tiny.cc/k8sminictf PS: No DoS and wrongdoing please
:)
kube-apiserver: auth delegation ❏ Needed for e.g. API extensions --requestheader-client-ca-file
--requestheader-group-headers --requestheader-username-headers --requestheader-allowed-names (~optional) --requestheader-extra-headers-prefix (optional)
kube-apiserver: auth delegation [Service] ExecStart=/usr/local/bin/kube-apiserver \ --authorization-mode=Node,RBAC \ --client-ca-file=/etc/k8s/ca.pem \
--bind-address=0.0.0.0 \ […] --requestheader-client-ca-file=/etc/k8s/ca.pem \ --requestheader-group-headers=X-Remote-Group \ --requestheader-username-headers=X-Remote-User CTF: Demo #1 http://tiny.cc/k8sminictf
PodSecurityPolicy (PSP) ❏ Added with v1.10 ❏ Administrators decide what
contexts pods can run in ❏ Would have been a way to mitigate CVE-2017-1002101 ... with the right policy
apiVersion: policy/v1beta1 kind: PodSecurityPolicy … privileged: false volumes: - 'hostPath'
allowedHostPaths: - pathPrefix: /tmp runAsUser: rule: 'MustRunAs' ranges: - min: 1 max: 65535 CTF: Demo #2 http://tiny.cc/k8sminictf
Server-side request forgery (SSRF) ❏ “... is a type of
exploit where an attacker abuses the functionality of a server causing it to access or manipulate information in the realm of that server ...”
Server-side request forgery (SSRF) <script> window.location="http://metadata.google.internal/…; </script> https://hackerone.com/reports/341876 Kudos Shopify!
Thank you
[email protected]
@schux00 @
[email protected]
[email protected]
Resources ❏ https://github.com/kubernetes/kubernetes/issues/60813 ❏ https://www.daemonology.net/blog/2009-09-04-complexity-is-insecurity.html ❏ https://www.schneier.com/blog/archives/2018/06/thomas_dullien_.html ❏ https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-syst ems
❏ https://en.wikipedia.org/wiki/Server-side_request_forgery ❏ https://hackerone.com/reports/341876
schu
kishima
potix2
demaecan
you
fl_kawachi
os1ma
ochtum
shinya337
tomzoh
smiyawaki0820
i35_267
.jpg){kind=avatar}
hiro_torii
chrisshort
jonrohan
keavy
jacobian
garrettdimon
reverentgeek
lemiorhan
csswizardry
3n
lara
panda_program
chriscoyier
![kube-apiserver: auth delegation [Service] ExecStart=/usr/local/bin/kube-apiserver \ --authorization-mode=Node,RBAC \ --client-ca-file=/etc/k8s/ca.pem \](https://files.speakerdeck.com/presentations/a22fd8e9d7374d91bd15f872193ad751/slide_7.jpg){kind=link}
![Thank you [email protected] @schux00 @[email protected] [email protected]](https://files.speakerdeck.com/presentations/a22fd8e9d7374d91bd15f872193ad751/slide_12.jpg){kind=link}
