Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Applied Kubernetes Security Pitfalls
Search
Sponsored
·
Ship Features Fearlessly
Turn features on and off without deploys. Used by thousands of Ruby developers.
→
Michael Schubert
October 25, 2018
Technology
2.5k
0
Share
Applied Kubernetes Security Pitfalls
Michael Schubert
October 25, 2018
More Decks by Michael Schubert
See All by Michael Schubert
A gentle introduction to [e]BPF @ Open Source Summit LinuxCon 2017
schu
1
910
Landlock LSM: Towards unprivileged sandboxing @ All Systems Go! 2017
schu
0
860
gobpf - utilizing eBPF from Go @ FOSDEM 2017
schu
0
1.3k
gobpf - utilizing eBPF from Go @ GDG Golang Berlin
schu
1
220
Other Decks in Technology
See All in Technology
「背中を見て育て」からの卒業 〜専門技術としてのテスト設計を軸に、品質保証のバトンを繋ぐ〜 #genda_tech_talk
nihonbuson
PRO
3
1.5k
みんなの考えた最強のデータ基盤アーキテクチャ'26前期〜前夜祭〜ルーキーズ_資料_遠藤な
endonanana
0
450
AWS WAFの運用を地道に改善し、自社で運用可能にするプラクティス
andpad
1
420
[みん強]AIの価値を最大化するデータ基盤戦略:Self-Service型Data Meshへの転換とAgentic AI Meshに向けた取り組み with Snowflake他
y_matsubara
1
130
エンタープライズの厳格な制約を開発者に意識させない:クラウドネイティブ開発基盤設計/cloudnative-kaigi-golden-path
mhrtech
0
450
"うちにはまだ早い"は本当? ─ 小さく始めるPlatform Engineering入門
harukasakihara
6
630
分断された OT と IT を繋ぐ架け橋 -Kubernetes が切り拓く 産業用組み込み製品の現在地 -
yudaiono
1
120
Terragrunt x Snowflake + dbt で作るマルチテナントなデータ基盤構築プラットフォーム
gak_t12
0
390
可視化から活用へ — Mesh化・Segmentation・アライメントの研究動向
gpuunite_official
0
220
パーソルキャリア IT/テクノロジー職向け 会社紹介資料|Company Introduction Deck
techtekt
PRO
0
220
2026-05-14 要件定義からソース管理まで!IBM Bob基礎ハンズオン
yutanonaka
0
160
R&D 祭 2024 UE5で絵コンテ・作画の制作支援ツールをつくる話
olmdrd
PRO
0
180
Featured
See All Featured
GitHub's CSS Performance
jonrohan
1033
470k
We Analyzed 250 Million AI Search Results: Here's What I Found
joshbly
1
1.3k
Let's Do A Bunch of Simple Stuff to Make Websites Faster
chriscoyier
508
140k
I Don’t Have Time: Getting Over the Fear to Launch Your Podcast
jcasabona
34
2.7k
A better future with KSS
kneath
240
18k
Visualizing Your Data: Incorporating Mongo into Loggly Infrastructure
mongodb
49
9.9k
CSS Pre-Processors: Stylus, Less & Sass
bermonpainter
360
30k
ReactJS: Keep Simple. Everything can be a component!
pedronauck
666
130k
Building Flexible Design Systems
yeseniaperezcruz
330
40k
The Spectacular Lies of Maps
axbom
PRO
1
750
From π to Pie charts
rasagy
0
180
DBのスキルで生き残る技術 - AI時代におけるテーブル設計の勘所
soudai
PRO
65
54k
Transcript
Applied Kubernetes Security Pitfalls
Kubernetes today ❏ Many means available to make clusters more
secure ❏ Continued efforts towards secure-by-default ❏ Fairly good security track record
None
apiVersion: v1 kind: Pod … volumeMounts: - mountPath: /test name:
test subPath: malicious-symlink volumes: - name: test hostPath: path: /tmp/test type: Directory
“Complexity is insecurity” Complexity correlated with the presence of security
vulnerabilities
Capture the flag http://tiny.cc/k8sminictf PS: No DoS and wrongdoing please
:)
kube-apiserver: auth delegation ❏ Needed for e.g. API extensions --requestheader-client-ca-file
--requestheader-group-headers --requestheader-username-headers --requestheader-allowed-names (~optional) --requestheader-extra-headers-prefix (optional)
kube-apiserver: auth delegation [Service] ExecStart=/usr/local/bin/kube-apiserver \ --authorization-mode=Node,RBAC \ --client-ca-file=/etc/k8s/ca.pem \
--bind-address=0.0.0.0 \ […] --requestheader-client-ca-file=/etc/k8s/ca.pem \ --requestheader-group-headers=X-Remote-Group \ --requestheader-username-headers=X-Remote-User CTF: Demo #1 http://tiny.cc/k8sminictf
PodSecurityPolicy (PSP) ❏ Added with v1.10 ❏ Administrators decide what
contexts pods can run in ❏ Would have been a way to mitigate CVE-2017-1002101 ... with the right policy
apiVersion: policy/v1beta1 kind: PodSecurityPolicy … privileged: false volumes: - 'hostPath'
allowedHostPaths: - pathPrefix: /tmp runAsUser: rule: 'MustRunAs' ranges: - min: 1 max: 65535 CTF: Demo #2 http://tiny.cc/k8sminictf
Server-side request forgery (SSRF) ❏ “... is a type of
exploit where an attacker abuses the functionality of a server causing it to access or manipulate information in the realm of that server ...”
Server-side request forgery (SSRF) <script> window.location="http://metadata.google.internal/…; </script> https://hackerone.com/reports/341876 Kudos Shopify!
Thank you
[email protected]
@schux00 @
[email protected]
[email protected]
Resources ❏ https://github.com/kubernetes/kubernetes/issues/60813 ❏ https://www.daemonology.net/blog/2009-09-04-complexity-is-insecurity.html ❏ https://www.schneier.com/blog/archives/2018/06/thomas_dullien_.html ❏ https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-syst ems
❏ https://en.wikipedia.org/wiki/Server-side_request_forgery ❏ https://hackerone.com/reports/341876
schu
nihonbuson
endonanana
andpad
y_matsubara
mhrtech
harukasakihara
yudaiono
gak_t12
gpuunite_official
techtekt
yutanonaka
olmdrd
jonrohan
joshbly
chriscoyier
jcasabona
kneath
mongodb
bermonpainter
pedronauck
yeseniaperezcruz
axbom
rasagy
soudai
![kube-apiserver: auth delegation [Service] ExecStart=/usr/local/bin/kube-apiserver \ --authorization-mode=Node,RBAC \ --client-ca-file=/etc/k8s/ca.pem \](https://files.speakerdeck.com/presentations/a22fd8e9d7374d91bd15f872193ad751/slide_7.jpg){kind=link}
![Thank you [email protected] @schux00 @[email protected] [email protected]](https://files.speakerdeck.com/presentations/a22fd8e9d7374d91bd15f872193ad751/slide_12.jpg){kind=link}
