►
Description
Attackers always get better with new attack techniques, so our threat modelling and defense mechanisms need to level up.
The aim of the presentation is to demonstrate the kind of attacks that are possible due to
misconfigurations. In particular, through the use of multiple examples, I will explain scenarios
such as how misconfigured cluster privileges can lead to backdooring cloud environments,
avoid detection by manipulating logging controls and access sensitive information and trade
secrets due to IAM, pod security policy and webhook misconfigurations. The presentation
will also include the demonstration of the tool, Kubestriker which is designed to perform
automatic checks and scans to detect various misconfigurations and mitigate such
consequences.
Vasant is a security enthusiast speaker and currently serves as a Security Architect, DevSecOps Practitioner/learner and working towards securing cloud and cloud native in a Continuous Deployment world at mx51.
He is Passionate about Cloud Security, Cloud Native and containerisation Technology, DevSecOps and Security automation and acts as a security advisor for small medium and large scale businesses.
Always a Learner and currently ramping up DevOps skills to bridge the gap between the security and DevOps teams.
A
A
I
am
currently
working
for
a
startup
named
mx51
in
sydney
where
I
play
the
role
of
a
security
architect,
a
security
engineer,
penetration
tester
and
a
compliance
specialist.
As
you
can
tell,
I
wear
multiple
hats,
which
certainly
keeps
me
on
my
toes
now.
Let's
well
now,
that's
the
introduction
is
done.
Let's
dive
into
more
fascinating
stuff,
the
world
of
kubernetes
getting
started
with.
Kubernetes
is
easy.
It
takes
a
matter
of
minutes
to
set
up
the
new
cluster
and
run
applications.
A
However,
the
real
concern
of
the
challenge
is
what
follows
this:
the
pivotal
question
of
how
to
make
sure
your
cluster
is
a
cure.
In
fact,
let
me
tell
you
exactly
what
happens
in
the
real
world
when
kubernetes
clusters
aren't
secured
properly
in
mid
2019
second
largest,
auto
finance
company
in
the
united
states
was
hacked
and
huge
amounts
of
credit
card
data,
social
security
numbers
and
bank
account
numbers
of
more
than
100
million
customers
was
leaked.
Do
you
recall
who
this
was.
A
It
was
capital
one
and
world's
famous
automaker
was
one
of
the
earlier
victims
of
crypto
jacking.
When
a
kubernetes
cluster
was
compromised
due
to
an
administrative
console
not
being
password
protected,
can
you
guess
who
this
was
it's
tesla?
There
are
many
other
incidents
like
microsoft's
cube
flow
breach
and
docker
hub
last
year,
where
attackers
managed
to
plant
malicious
images.
A
Well,
now
that
we
have
understood
the
dangers
facing
our
industry
and
given
the
knowledge
gap
among
the
teams
and
the
lack
of
solid
security
measures
to
protect
humanities,
you
might
be
wondering
how,
in
the
world
are
we
ever
going
to
secure
all
these
moving
pieces
and
stop
these
attacks?
I
have
the
same
exact
thought
and
that's
what
led
me
to
build
a
tool
named
cube,
striker.
A
In
simple
terms,
the
object
of
cube
striker
is
to
secure
the
cloud
native
in
the
most
efficient
and
user-friendly
way.
The
cornerstone
of
security
is
visibility.
You
can't
secure
what
you
can't
see,
therefore,
cube
striker
adopts
this
philosophy
and
aims
to
enhance
the
visibility
by
acting
as
a
security
auditing
tool
for
communities.
A
It
is
platform
agnostic
tool
and
compatible
with
various
platforms
such
as
self-hosted
kubernetes,
amazon,
eks,
azure
aks
and
google
gke.
It
is
specifically
designed
to
tackle
kubernetes
cluster
security
issues
due
to
misconfigurations
and
will
help
strengthen
the
overall
id
infrastructure
of
any
organization.
A
Now,
let
me
show
you
exactly
how
the
magic
happens.
You
can
install
cube
striker
using
python
or
pip,
not
just
a
matter
of
seconds.
In
addition
to
that,
you
can
also
spin
up
the
cube
striker
with
just
one
command
and
it
can
run
anywhere
regardless
of
the
operating
system.
As
long
as
you
have
a
container
runtime
installed
now,
let
me
spin
up
the
quickly
the
cube
striker
container.
A
There
we
go
and
cube.
Striker
accepts
three
forms
of
inputs,
a
url
on
an
ip
address,
or
you
can
choose
from
your
cube
config
file
or
you
can
provide
a
range
of
ip
addresses
which
could
be
combination
of
your
master
node
and
the
worker
nodes.
For
the
first
scenario,
let's
scan
a
cluster
that
is
hosted
in
the
google
cloud,
the
gke
engine.
A
This
snag
it
has
identified,
cube,
server,
secure
and
point
identified,
and
it
also
tells
us
the
version
of
the
kubernetes
that
is
running
on
the
cluster,
and
then
it
gives
us
two
options
whether
we
want
to
perform
an
authenticated
scan
or
an
authenticated
scan.
So
you
can
relate
them
as
a
black
box
and
a
white
box
testing
in
order
to
perform
an
authenticated
scan.
A
A
So,
let's
see
an
example
how
we
can
execute
commands
on
the
containers.
So
if
we
list
all
the
parts
that
we
have
in
the
container,
let's
choose
this
port
and
it
will
list
the
containers
that
are
running
inside
this
board
and
it
says,
execute
enter
the
command
that
needs
to
be
executed
there.
You
go
it
streams,
us
the
output.
So
if
I
click
on
exit,
it
says
the
scan
has
been
completed
and
the
results
generated
with
the
target
file
name.
So
after
a
couple
of
scans,
we
will
go
through
the
results.
A
A
A
Well,
in
the
first
two
scenarios
we
have
seen
scanning
like
the
kubernetes
clusters.
Now,
let's
look
at
scanning
a
kubernetes
worker
node,
which
will
have
important
components
such
as,
like
cube,
led,
read,
write
portrait
only
quotes,
although
these
are
like
not
enabled
to
public
by
default.
However,
some
engineers
like
me,
might
end
up
enabling
it
for
testing
purposes
and
then
forget
to
revert
those
changes
once
the
testing
is
done.
This
issue
might
escalate
over
the
time,
especially
during
the
pandemic,
where
most
people
work
from
home.
So
this
time,
let's
quickly
scan
a
worker.
A
A
And
because
this
is
a
worker
node,
it
will
usually
not
ask
us
for
an
authenticated
or
an
authenticator
scan,
because
the
services
that
run
on
the
worker
node
are
quite
different
from
the
master,
node
and
yeah.
The
scan
has
completed
and
it
says
like
it,
has
identified
the
ports,
such
as
like
cube.
Let's
read,
write
cable,
read
only
q
proxy
health
check
and
there
is
an
open,
422
and
also
the
kubernetes
dashboard
and
pointing
file,
and
it
also
tells
us
like
what
are
the
end
points
that
have
been
identified.
A
A
A
It
generates
a
report
with
that.
One
cube
cycle
creates
a
very
elaborate
report.
It
says
what
all
ports
it
has
stand
for
and
once
identifies
it
says:
hey
endpoint
has
been
identified
on
this
ip
on
this
port
and
it
gives
us
all
the
informations
are
like
admin
roles,
read-only
admin
roles,
the
distracted
roles
and
the
secret
privileged
roles.
To
also
give
us
very
clear
information
like
hey.
This
is
a
role
which
has
privileges
to
secrets,
and
this
role
has
been
attached
to
these
service
accounts.
A
This
service
account
can
access
secrets
in
this
name,
space,
ingress
engineering.
So
that
way
it
gives
us
like
a
clear
visibility
like
who
have
what
kind
of
privileges
inside
the
cluster,
and
then
it
will
give
us
the
information
about
the
privileged
containers
like
hey.
These
are
the
privileged
containers.
It
will
also
give
us
the
information
why
a
container
is
flagged
as
a
privileged
container
for
this
container.
It
has
like
a
low,
privileged
escalation
flag
enabled
too,
and
there
are
some
other
containers
which
are
sharing
like
the
host
networks.
A
That
is
the
reason
why
these
containers
have
been
flagged
as
released
containers.
It
also
lists
all
the
containers
where
the
liveness
probe
is
not
set.
The
readiness
probe
is
not
set
or
where
the
cpu
and
the
memory
limits
are
not
set
and
the
priority
class
name
is
not
set
and
the
containers
where
the
service
account
has
been
mounted
and
also
the
containers
where
secrets
have
been
mounted
and
the
containers
where
the
docker
sockets
have
been
mounted.
To
also
give
us
the
information
about
the
communities,
worker
notes
and
the
privileged
board
security
policies.
A
People
have
started
using
it
to
scan
their
infrastructures,
and
I
have
been
asked
to
develop
more
features.
This
gave
me
the
guidance
and
encouragement
and
that
I
needed
to
build
the
next
version,
with
more
advanced
capabilities
and
an
easy
to
use.
Interface
here
is
the
new
and
the
improved
version
of
cube
striker.
A
A
A
And
there
we
go.
That
is
like
the
new
version
of
the
cube
striker,
which
I'm
about
to
release
in
the
next
one
week.
So
it
will
give
us
information
about
the
clusters
and
the
containers
inside
running
inside
the
clusters,
and
you
can
add
or
scan
a
cluster
by
creating
that
button
and
it
will
add
aws,
azure,
google
and
generate
clusters
such
as,
like
self-hosted
or
openshift,
and
in
order
to
scan
a
cluster.
A
There
we
go.
The
scan
has
been
completed.
It
says
the
scans
total
number
count
one,
and
here
are
the
results
that
we
have
on
the
screen.
So
it
says
it
has
scanned
total
hundred
and
forty
nine
goals
out
of
which
hundred
and
thirteen
are
misconfigured,
so
total
seven
misconduct,
containers
and
power
security
policies,
network
policies,
total
nodes.
A
A
In
the
misconfigured,
possibly
policies,
it
could
also
tell
you
why
a
particular
particular
policies
match
is
flagged
as
a
privileged
one.
For
example,
if
you
look
at
this
one,
it
has
flags
such
as
privileged
run
as
any
user.
Star
capabilities
allowed
and
privileged
escalation
flag
has
been
enabled.
A
There
we
go,
the
page
has
been
refreshed
and
we
have
all
the
television
reports
or
the
count
of
the
clusters
on
the
main
dashboard.
And
when
we
go
to
the
clusters
section,
we
can
see
the
different
clusters
that
we
have
and
if
you
click
on
each
and
every
cluster,
it
will
give
the
individual
results
of
that
particular
cluster
and
on
the
containers
section.
It
will
also
give
you
the
list
of
containers
that
are
running
in
each
and
every.
A
A
And
I
strongly
believe
that
security
should
be
baked
into
the
devops
process,
and
the
security
tool
should
also
flow
very
freely
through
the
devops
pipelines,
giving
the
developers
more
autonomy
and
authority
without
compromising
the
security
or
elevating
the
risk.
Keeping
this
in
mind,
I
made
cube
striker
the
acd
integration
with
the
box
by
pencil,
such
as
like
jenkins
or
azure
pipelines
or
pit
bucket
pipelines
or
bamboo.
This
basically
allows
for
continuous
scanning
of
the
infrastructure
to
identify
any
misconfigurations
prior
to
deployment
into
the
sandbox
or
the
production
environments.
B
A
Cube
striker,
this
new
version
of
cube
striker
also
incorporates
the
ability
to
see
some
critical
resources
in
the
communities,
infrastructure
and
the
ways
in
which
it
could
be
compromised.
You
can
see
like
a
visualized
attack
parts
of
how
hackers
can
advance
their
attacks
by
changing
different
misconception
components
in
the
kubernetes
cluster.
This
feature
is
currently
in
the
beta
version
and
will
be
further
improved
as
the
threat
analysis
in
the
visualization
tool.
A
For
example,
if
you
click
on
the
roles,
it
will
give
you
the
list
of
all
the
admin
roles,
the
structure
roles,
privileged
roles
and,
if
you
click
on
the
admin
rules
on
the
cluster-wide
rules,
that
will
say
which
subject
has
access
over
the
cluster-wide
and
what
resources
they
can
access
and
in
any
particular
name
space
in
the
namespace
or
cube
system.
It
says
these
are
the
users
and
they
can
access
these
resources.
A
A
A
I'm
currently
working
on
enhancing
this
feature
and
working
on
setting
up
all
other
features
where
it
will
give
us
the
complete
visibility
of
the
entire
kubernetes
clusters
and
the
ways
the
different
loopholes
that
attackers
can
use
and
gain
access
to
your
clusters
and
perform
privileged
installations,
and
I'm
also
currently
working
on
setting
up
our
documentation
for
this
website.
This
new
version
of
cubestriker
will
go,
live
on
may
9th
and
also
the
documentation
site
will
be
available.
A
The
new
weber
version,
as
I
mentioned
it,
will
be
released
on
github
on
may
9.
However,
the
command
line
interface
is
already
available
on
the
github,
so
the
link
is
shown
on
the
slides.
Please
give
it
a
test,
drive
yourself
and
then
share
your
thoughts.
Any
feedback
or
any
suggestions
or
improvements
are
always
welcome
and,
needless
to
say,
like
innovation
needs
collaboration.
A
So,
while
the
cube,
striker
community
of
adopters
and
contributors
are
growing
steadily,
I
hope
to
continue
the
expansion
of
its
use
by
collaborating
with
more
users
and
get
more
contributors
on
board.
If
you're
keen
to
learn
more
and
get
involved,
please
get
in
touch
with
me
through
any
of
these
channels,
and
I
would
like
to
thank
the
organization
organizers
for
giving
me
this
wonderful
opportunity.