►
From YouTube: Strengthening your Kubernetes Security Cloud Native way
Description
Kubernetes Community Days Bengaluru'21
There are many moving parts within the Kubernetes cluster that must be properly secured. The aim of the presentation is to demonstrate the kind of attacks that are possible due to misconfigurations. In particular, through the use of multiple examples, Vasanth will explain scenarios such as how misconfigured cluster privileges can lead to backdooring cloud environments, avoid detection by manipulating logging controls and access sensitive information and trade secrets due to IAM, pod security policy, and webhook misconfigurations. The presentation will also include the demonstration of the tool, Kubestriker which is designed to perform automatic checks and scans to detect various misconfigurations and mitigate such consequences.
A
Welcome
fellow
kubernetes
enthusiasts,
thank
you
for
joining
the
session
today
and,
of
course,
we
will
be
talking
about
kubernetes
and
specifically
about
securing
the
kubernetes
ecosystem,
taking
a
look
at
other
talks
that
are
going
on
here.
Certainly
other
professionals
are
showcasing
different
tools
and
talking
about
different
aspects
of
kubernetes,
but
what
I
want
to
talk
about
is
really
more
securing
the
entire
big
picture
of
kubernetes
ecosystem.
Looking
at
how
we
can
secure
numerous
moving
pieces
in
the
kubernetes
and
building
a
secure,
kubernetes
clusters.
A
Let
me
start
by
introducing
myself.
My
name
is
bassam
chinipili.
Like
many
of
you,
I
am
a
kubernetes
and
security
fanatic.
My
experience
spans
across
various
domains
of
information
security,
including
cloud
container
security,
penetration
testing
and
devsecops.
I'm
also
passionate
about
cloud
and
cloud
native
psychopaths
and
security
automation.
A
Now
that
the
intro
is
done,
let's
dive
into
more
fascinating
stuff,
the
world
of
kubernetes
kubernetes
is
hot.
In
the
devops
space
is
now
the
third
most
wanted
platform
among
developers.
Kubernetes
is
rapidly
growing
and
evolving,
and
it
is
not
just
kubernetes
anymore.
This
is
a
landscape
picture
from
cncf.
Every
tiny
picture
is
a
product
logo.
A
few
years
ago,
kubernetes
was
just
a
platform,
but
now
it's
a
platform
to
build
many
other
platforms.
A
A
Do
you
recall
who
this
was?
It
was
capital
one
and
for
this
breach,
capital
one
was
hit
with
a
18
million
dollar
civil
penalty,
and
world's
famous
automaker
was
one
of
the
earlier
victims
of
crypto
jacking.
When
a
kubernetes
cluster
was
compromised
due
to
an
administrative
console
not
being
passed
and
protected,
can
you
guess
who
this
was?
A
It
was
tesla,
there
are
many
other
incidents
like
microsoft's
cube
flow
bridge
and
docker
hub
incident
last
year,
where
attackers
managed
to
plant
malicious
images
in
the
docker
hub,
causing
anyone
who
uses
those
images
to
be
crypto
jacked.
What
this
means
is
users,
unknowingly
deployed
cryptocurrency
miners
in
the
form
of
docker
containers
that
then
diverted
compute
resources
toward
mining
cryptocurrency
for
the
attacker,
a
mistake
done
knowingly
or
knowingly
is
always
a
mistake
and
can
cost
companies
a
lot
not
just
in
terms
of
financial
loss
but
also
reputational
damage.
A
A
We
also
know
that
if
the
control
plane
is
the
brain
of
the
operations,
the
work
nerds
are
the
muscles
and
do
you
need
to
interact
with
your
kubernetes
cluster
talk
to
the
api.
The
kubernetes
api
is
the
front
end
of
the
kubernetes
control,
plane,
handling,
internal
and
external
requests.
Is
your
cluster
healthy
if
new
containers
are
needed?
Where
will
they
fit?
These
are
the
concerns
of
the
kubernetes,
scheduler
and
kubernetes
controllers.
A
A
They
run
and
control
all
the
pods
and
containers
for
your
cluster
and
each
compute.
Node
contains
a
cubelet,
a
tiny
application
that
communicates
with
the
control
plane
and
a
pod
is
the
smallest
and
the
simplest
unit
in
the
kubernetes
object
model.
It
represents
a
single
instance
of
an
application.
Now,
let's
discuss
how
an
attacker
looks
at
the
kubernetes
components.
Well,
diagram
shows
that
all
communications
go
through
the
cube
api
server.
This
is
what
defines
and
controls
all
of
the
kubernetes
management
and
operational
functions.
A
The
kubernetes
api
service
acts
as
the
front
door
to
any
cluster.
It
is
generally
exposed
on
every
deployment,
since
it
is
needed
for
management
purposes,
but
exposing
your
api
server
to
the
public
is
the
most
common
entry
point
for
attackers.
It
is
actually
a
really
juicy
target.
Malicious
actors
will
always
try
to
get
access
to
the
cube
api
server
and
the
control
plane,
and
once
these
are
compromised,
they
can
then
proceed
to
compromising
the
whole
cluster.
A
A
It
is
used
to
store
highly
sensitive
configuration
data,
but
it
is
also
easily
left
unprotected.
Anyone
who
gains
access
to
hcd
targets
to
retrieve
service,
cam
tokens
and
secrets
once
if
an
attacker
has
access
to
a
privileged
secret
order.
Token,
then
it's
game
over
a
very
quick
win
for
the
attacker.
A
In
addition
to
stealing
valuable
secrets,
attackers
could
also
potentially
change
configuration
data
for
various
services.
You
have
a
host
of
ports
to
worry
about.
It's
not
just
the
xcd
service
and
kubernetes
api
that
you
need
to
be
cautious
about
leaving
exposed,
depending
on
how
your
cluster
is
configured.
Other
services
might
cause
you
trouble
if
a
hacker
gains
access
to
them.
A
Now,
let's
talk
about
the
attacks
on
the
node
cubelet
expose
endpoints,
which
grant
powerful
control
over
the
node
and
containers
when
compromised
by
gaining
control
of
a
cubelet.
The
attacker
has
gained
unfettered
access
to
the
kubernetes
application.
This
is
an
endgame
too
cubelet
is
accessible
via
two
ports,
read
write
and
read
only
port
and
the
container
runtime.
This
component
enables
the
functionality
required
to
start
run
and
manage
containers
on
a
given
node.
The
container
runtime
is
what
executes
containers
and
therefore
is
another
prime
target
for
attackers.
A
I
can't
stress
enough
how
important
is
to
secure
your
workloads
or
containers
a
privileged
container
when
gained
access,
gives
an
attack
at
the
privilege
to
run
a
command
in
the
context
of
the
container
the
option
to
escape
and
access
the
host
resources.
This
is
an
end
game
too.
An
attacker
who
gains
access
to
the
container
has
gained
access
to
your
cluster
and
eventually
the
underlying
account.
A
framework
named
miter
attack
framework
is
a
knowledge
base
of
known
tactics
and
techniques
that
are
involved
in
cyber
attacks.
A
A
A
A
The
next
technique
is
privilege,
escalation
tactic,
which
consists
of
techniques
that
are
used
by
attackers
to
get
higher
privileges
in
the
environment
than
those
they
currently
have
in
containerized
environments.
This
can
include
getting
access
to
the
node
from
a
container
or
gaining
higher
privileges
in
the
cluster
and
even
getting
access
to
the
cloud
resources
it
could
be
using
techniques
such
as
like
cluster
admin,
binding
or
host
path
mount
in
the
next
one.
The
defense
evasion
tactic
consists
of
techniques
that
are
used
by
attackers
to
avoid
detection
and
hide
their
activity.
A
Attackers
may
delete
the
application
or
os
logs
on
a
compromised
container
in
an
attempt
to
prevent
detection
of
their
activity,
or
they
may
even
delete
the
kubernetes
events.
The
next
one
is
the
credential
access
tactic,
which
consists
of
techniques
that
are
used
by
the
attackers
to
steal
credentials.
It
could
be
like
listing
kubernetes
secrets
or
mounting
service
principle
onto
the
containers
or
accessing
container
service
account
token
or
application
credentials
in
some
configuration
files.
A
A
A
The
impact
tactic
consists
of
techniques
that
are
used
by
the
attackers
to
destroy
abuse
or
disrupt
the
normal
behavior
of
the
environment.
The
impact
could
be
data,
destruction
or
resource,
hijacking
or
even
denial
of
service
understanding.
The
attack
surface
of
containerized
environments
is
the
first
step
of
building
security
solutions
for
these
environments.
A
The
matrix
that
was
presented
above
can
help
organizations
identify
the
security
gaps
in
the
defense's
coverage
against
the
different
threats
that
target
kubernetes
ecosystem.
Now,
let's
quickly
look
into
some
scenarios
why
kubernetes
has
become
a
prime
target
for
hackers
and
how
hackers
change
different
attacks
on
the
kubernetes
ecosystem
in
the
real
world.
B
B
B
B
It
confirms
more
now,
let's
download
the
cube
ctl
binary,
cube,
cdl
binary
can
be
used
to
run
the
commands
against
the
cluster
for
any
pod
which
is
running
in
the
cluster.
Has
a
service
account
auto
mounted
in
the
default
setup,
and
the
service
account
has
a
rolled
tack
to
it.
Let's
verify
which
role
is
stacked
to
our
service
account
in
this
bottom
cube.
Ctl
auth.
B
B
B
What
can
I
create
pods?
The
answer
is
yes,
let's
see,
can
we
create
the
secrets
cube
ctl,
or
can
I
create
secret?
No,
so,
as
you
can
see,
we
have
compromised
the
pod
from
the
vulnerable
web
application.
Let's
leverage
this
feature
where
the
service
account
can
create
the
pod
in
the
cluster,
we
will
be
creating
the
crypto
mining
pod
in
the
cluster.
B
Let's
look
at
the
yaml
of
it.
This
is
the
yaml
for
the
miner
pod.
We
are
pulling
out
the
image
k8s
miner,
which
is
a
monero
pod.
All
the
coins
mined
using
the
infrastructure
will
be
uploaded
to
particular
website.
Using
these
particulars,
as
you
can
see,
we
have
put
down
the
limits
on
the
memory
and
cpu
just
to
remain
stealthy.
Otherwise
the
miner
pod
will
consume
the
entire
memory
of
the
infrastructure.
B
B
So
till
now
we
have
seen
we
exported
the
web
application
and
compromised
underlying
pod.
We
also
started
the
crypto
mining
pod
in
the
cluster.
Let's
see
can
we
compromise
the
master
and
worker
node,
let's
leverage
the
privileges
which
we
recently
grabbed
it
for
this,
we
will
be
using
yaml
definition
file,
which
has
a
privilege
pod
in
it.
Let's
see
the
contents
of
the
ml
file,
as
you
can
see,
the
first
content
in
this
file
is
for
starting
the
pod
on
the
worker
node,
and
the
second
definition
is
starting
the
pod
on
the
master
node.
B
The
only
distribution
factors
between
two
file
is
the
node
name
equal
to
master
states
that
this
spot
should
start
on
the
master
node.
If
you
don't
define
this
parameter,
it
automatically
lands
on
the
worker
node.
Here
we
will
be
using
different
attributes
in
the
yaml
file,
for
example
hostpath
using
this,
you
can
mount
the
file
system
of
the
base
operating
system
in
your
pod,
and
then
you
can
browse
it.
B
Then
we
also
saying
that
run
as
a
user
zero,
which
means
there
start
this
part
as
a
root
user,
and
this
is
a
volume
mount
which
you
have
created,
preview
pod
and
the
same
is
there
in
pod,
which
will
be
running
in
the
master.
Let's
copy
this,
I
also
let's
copy
this.
I
also
have
a
dedicated
slide
discussing
each
attribute
and
the
impact
mapping.
B
B
A
B
A
And
then
he
comes
across
a
container
which
is
like
a
jenkins
which
is
a
bill
server
and
checks.
If
we
can
access
that
jenkins
server
and
there
we
go,
we
got
access
to
the
jenkins,
build
server
and
we
are
running
inside
the
cluster.
Now,
let's
try
to
grab
the
public
ip
address
of
the
machine
to
access
the
ui
of
the
jenkins.
A
A
And
it
should
bring
up
a
new
jenkins
pod
and
now,
let's
see
if
we
can
access
the
jenkins
console
again
there
we
go.
We
were
able
to
bypass
the
authentication
mechanism
and
now,
let's
create
a
new
job,
basically
to
grab
some
secrets
and
the
environment
variables,
and
I
will
just
create
a
small
build
step
which
will
run
a
quick
bash
command.
A
A
Well,
there
is
another
interesting
way
of
bypassing
the
security
controls
to
avoid
detection
after
gaining
access
to
the
cluster
by
just
creating
a
replica
or
duplicating
the
api
server.
I
have
learned
this
technique
from
recent
presentation
of
pride
geeseman,
a
well-known
security
geek
well
after
gaining
access
to
the
cluster.
A
There
we
go
and
that's
why
it
is
called
a
game
over
if
you
are
planning
on
using
kubernetes
in
production.
One
of
the
key
things
to
consider
from
a
security
perspective
is
the
threat
model.
The
application
of
the
attack
methodology
and
kubernetes
is
something
that
everyone
who
uses
kubernetes
need
to
understand.
A
While
kubernetes
has
many
advantages,
it
also
brings
new
security
challenges
and
risks
and
has
threats
in
various
forms,
such
as
external
and
internal
attackers
and
vulnerable
container
runtime.
As
seen
now,
and
in
addition
to
that,
it
has
become
a
prime
target
for
hackers
because
of
the
numerous
moving
pieces
that
needs
to
be
secured
inside
the
cluster.
A
Now
that
we
have
understood
the
dangers
facing
our
industry
and
given
the
knowledge
gap
among
teams
and
numerous
resources
that
needs
to
be
secured,
you
might
be
wondering
how,
in
the
world
are
we
ever
going
to
secure
all
these
moving
pieces
and
stop
these
attacks?
I
had
the
same
exact
thought
and
that's
what
led
me
to
build
a
tool
named,
cube
striker
that
is
designed
to
identify
these
misconfigurations,
which
make
organizations
an
easy
target
for
attackers,
and
there
you
go.
A
It
will
give
you
all
the
information
about
the
total
number
of
clusters
or
the
containers
that
are
running
inside
all
your
clusters.
It
will
show
us
information
about
the
roles,
misconfigured
containers
etc.
Now,
let's
look
at
a
scenario
by
adding
a
cluster
and
it
accepts
amazon,
azure,
aks,
google
cloud
customer
and
also
you
can
add
generic
clusters
such
as
like
open
shift
or
ibm
or
even
like
an
on-prem
one.
So
you
can
add
a
cluster
by
giving
like
the
cluster
name.
A
That
needs
to
be
scanned
and
you
need
to
provide
an
iam
role
which
will
have
the
privileges
to
reach
out
and
scan
your
target
cluster
and
the
region
where
your
cluster
is
located
in
case.
If
it
is
an
amazon
click
on
create,
and
usually
the
scan
takes
anywhere
close
to
nine
to
ten
seconds
at
this
stage,
and
once
the
scan
is
ready
towards
the
right
side
of
your
screen,
the
total
number
will
increase
to
one
and
within
the
next
one
to
two
seconds.
It
will
come
up
with
all
the
relevant
information
of
that
scan.
A
Well,
it
gives
you
like
the
version
of
the
kubernetes
that
is
running
inside
the
cluster
and
the
version
of
docker
that
is
running
on
the
worker
nodes
and
also
like
the
same
information
like
misconfigured
roles,
containers
or
security
policies,
nodes
and
scans,
etc.
Now
the
all
the
information,
whatever
we
have
seen
using
the
cli,
it's
displayed
in
a
very
appropriate
way,
using
like
gui
under
the
misconfigured
rules.
A
It
says,
like
admin,
roles,
reader
admin
roles,
destructive
roles,
secret
roles
and
all
kinds
of
privileged
roles,
and
it
also
clearly
says
this
user
web
app
in
the
namespace
default
has
verbs
star,
which
means
actions
and
all
resources
star,
which
means
this
particular
user
can
access
all
the
resources
across
the
cluster.
This
is
the
reason
why
this
is
considered
as
admin
role
and
pretty
much
like
a
reader
admin
role,
the
destructive
world,
where
the
users
have
got
delete
privileges
on
the
resources.
A
A
A
If
you
click
on
one
of
the
containers,
it
will
tell
you
the
reason
why
it
is
called
as
a
privileged
container.
It
will
show
you
the
flags
for
this
one.
It
says
like
the
host
network
id
set
us
true,
and
here
it
says,
like
host
pid
has
been
set
up
set
as
true,
and
these
are
the
this
is
the
reason
why
it
has
been
flagged
as
the
privileged
rule.
Then
it
will
list
all
the
containers
where
the
liveness
probe
is
missing.
Readiness
probe
is
missing,
memory
limits
and
cpu
limits
are
missing.
A
The
priority
class
name
has
not
been
set
and
where
the
secrets
and
the
service
accounts
have
been
mounted
and
then
the
misconfigured
policies,
it
will
tell
you
why
a
particular
or
security
policy
is
on
is
called
as
misconfigured,
because
if
you
look
at
this
one,
it
has
like
all
the
flags
just
privileged
as
true
and
is
running
as
any
user
and
hello
privilege.
Escalation
is
set
to
true
and
it
is
letting
to
run
or
to
deploy
anything
with
all
the
capabilities.
A
And
then
the
miss
config
network
policies
and
then
it
will
list
the
nodes
that
you
have
running
inside.
The
cluster
will
give
you
like
the
operating
system,
architecture
fight,
which
provides
you
a
road
map
and
narrates
the
journey
of
cube
striker
to
date.
It
also
gives
you
a
detailed
explanation
of
its
capabilities
procedures,
guidelines
and
some
handy
how-to
videos
to
make
your
life
easier.
Please
check
out
the
website
as
well
and
share
your
feedback.
A
Innovation
needs
collaboration,
so
while
the
cubestriker
community
of
adopters
and
contributors
are
growing
steadily,
I
hope
to
continue
the
expansion
of
its
use
by
collaborating
with
more
users
and
get
more
contributors
on
board.
If
you're
keen
to
learn
more
and
get
involved,
please
get
in
touch
with
me
through
any
of
these
channels.
A
To
sum
up,
I
want
to
leave
you
with
this.
If
you
patch
99
vulnerabilities
out
of
100,
it
doesn't
mean
you're,
99
secured,
but
still
hundred
percent
vulnerable,
because
a
hacker
needs
only
one
weight
link
to
bring
your
whole
system
down.
That
concludes
my
presentation.
Happy
to
take
any
questions
you.