$30 off During Our Annual Pro Sale. View Details »
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Applied Kubernetes Security Pitfalls
Search
Michael Schubert
October 25, 2018
Technology
0
2.4k
Applied Kubernetes Security Pitfalls
Michael Schubert
October 25, 2018
Tweet
Share
More Decks by Michael Schubert
See All by Michael Schubert
A gentle introduction to [e]BPF @ Open Source Summit LinuxCon 2017
schu
1
890
Landlock LSM: Towards unprivileged sandboxing @ All Systems Go! 2017
schu
0
830
gobpf - utilizing eBPF from Go @ FOSDEM 2017
schu
0
1.2k
gobpf - utilizing eBPF from Go @ GDG Golang Berlin
schu
1
210
Other Decks in Technology
See All in Technology
Reinforcement Fine-tuning 基礎〜実践まで
ch6noota
0
200
Haskell を武器にして挑む競技プログラミング ─ 操作的思考から意味モデル思考へ
naoya
7
1.6k
JEDAI認定プログラム JEDAI Order 2026 エントリーのご案内 / JEDAI Order 2026 Entry
databricksjapan
0
140
regrowth_tokyo_2025_securityagent
hiashisan
0
270
障害対応訓練、その前に
coconala_engineer
0
130
WordPress は終わったのか ~今のWordPress の制作手法ってなにがあんねん?~ / Is WordPress Over? How We Build with WordPress Today
tbshiki
2
850
re:Invent2025 3つの Frontier Agents を紹介 / introducing-3-frontier-agents
tomoki10
0
290
寫了幾年 Code,然後呢?軟體工程師必須重新認識的 DevOps
cheng_wei_chen
1
1.5k
生成AI活用の型ハンズオン〜顧客課題起点で設計する7つのステップ
yushin_n
0
250
SREには開発組織全体で向き合う
koh_naga
0
390
RAG/Agent開発のアップデートまとめ
taka0709
0
190
通勤手当申請チェックエージェント開発のリアル
whisaiyo
3
240
Featured
See All Featured
Exploring the Power of Turbo Streams & Action Cable | RailsConf2023
kevinliebholz
37
6.2k
Applied NLP in the Age of Generative AI
inesmontani
PRO
3
1.9k
CSS Pre-Processors: Stylus, Less & Sass
bermonpainter
359
30k
SEOcharity - Dark patterns in SEO and UX: How to avoid them and build a more ethical web
sarafernandezseo
0
82
Test your architecture with Archunit
thirion
1
2.1k
Rebuilding a faster, lazier Slack
samanthasiow
85
9.3k
Discover your Explorer Soul
emna__ayadi
2
1k
jQuery: Nuts, Bolts and Bling
dougneiner
65
8.3k
世界の人気アプリ100個を分析して見えたペイウォール設計の心得
akihiro_kokubo
PRO
63
35k
The innovator’s Mindset - Leading Through an Era of Exponential Change - McGill University 2025
jdejongh
PRO
1
63
Effective software design: The role of men in debugging patriarchy in IT @ Voxxed Days AMS
baasie
0
170
The browser strikes back
jonoalderson
0
63
Transcript
Applied Kubernetes Security Pitfalls
Kubernetes today ❏ Many means available to make clusters more
secure ❏ Continued efforts towards secure-by-default ❏ Fairly good security track record
None
apiVersion: v1 kind: Pod … volumeMounts: - mountPath: /test name:
test subPath: malicious-symlink volumes: - name: test hostPath: path: /tmp/test type: Directory
“Complexity is insecurity” Complexity correlated with the presence of security
vulnerabilities
Capture the flag http://tiny.cc/k8sminictf PS: No DoS and wrongdoing please
:)
kube-apiserver: auth delegation ❏ Needed for e.g. API extensions --requestheader-client-ca-file
--requestheader-group-headers --requestheader-username-headers --requestheader-allowed-names (~optional) --requestheader-extra-headers-prefix (optional)
kube-apiserver: auth delegation [Service] ExecStart=/usr/local/bin/kube-apiserver \ --authorization-mode=Node,RBAC \ --client-ca-file=/etc/k8s/ca.pem \
--bind-address=0.0.0.0 \ […] --requestheader-client-ca-file=/etc/k8s/ca.pem \ --requestheader-group-headers=X-Remote-Group \ --requestheader-username-headers=X-Remote-User CTF: Demo #1 http://tiny.cc/k8sminictf
PodSecurityPolicy (PSP) ❏ Added with v1.10 ❏ Administrators decide what
contexts pods can run in ❏ Would have been a way to mitigate CVE-2017-1002101 ... with the right policy
apiVersion: policy/v1beta1 kind: PodSecurityPolicy … privileged: false volumes: - 'hostPath'
allowedHostPaths: - pathPrefix: /tmp runAsUser: rule: 'MustRunAs' ranges: - min: 1 max: 65535 CTF: Demo #2 http://tiny.cc/k8sminictf
Server-side request forgery (SSRF) ❏ “... is a type of
exploit where an attacker abuses the functionality of a server causing it to access or manipulate information in the realm of that server ...”
Server-side request forgery (SSRF) <script> window.location="http://metadata.google.internal/…; </script> https://hackerone.com/reports/341876 Kudos Shopify!
Thank you
[email protected]
@schux00 @
[email protected]
[email protected]
Resources ❏ https://github.com/kubernetes/kubernetes/issues/60813 ❏ https://www.daemonology.net/blog/2009-09-04-complexity-is-insecurity.html ❏ https://www.schneier.com/blog/archives/2018/06/thomas_dullien_.html ❏ https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-syst ems
❏ https://en.wikipedia.org/wiki/Server-side_request_forgery ❏ https://hackerone.com/reports/341876
schu
ch6noota
naoya
databricksjapan
hiashisan
coconala_engineer
tbshiki
tomoki10
cheng_wei_chen
yushin_n
.JPG){kind=avatar}
koh_naga
taka0709
whisaiyo
kevinliebholz
inesmontani
bermonpainter
sarafernandezseo
thirion
samanthasiow
emna__ayadi
dougneiner
akihiro_kokubo
jdejongh
baasie
jonoalderson
![kube-apiserver: auth delegation [Service] ExecStart=/usr/local/bin/kube-apiserver \ --authorization-mode=Node,RBAC \ --client-ca-file=/etc/k8s/ca.pem \](https://files.speakerdeck.com/presentations/a22fd8e9d7374d91bd15f872193ad751/slide_7.jpg){kind=link}
![Thank you [email protected] @schux00 @[email protected] [email protected]](https://files.speakerdeck.com/presentations/a22fd8e9d7374d91bd15f872193ad751/slide_12.jpg){kind=link}
