From YouTube: Cloud Native Live: Hacking Kubernetes
A: Where we broke... but as I...

C: My screen... just let me know if it's being shared.

A: Oh, you cannot. Okay, we are facing a little problem with the streaming. Let's wait a little bit more.
C: I'm really glad to be here, and I'm especially glad that I see people here from Italy and Mongolia and from the States. I really appreciate you having me here, and I also appreciate your attention.

C: So what we are going to talk about today: I'm going to show you our take on attacking Kubernetes. I'm going to show you a few simple attacks, and let's jump into it. So, as Paolo said, I'm Ben, VP R&D at Armo, and just for you to know, I've been a white-hat hacker for a really long time, and I love hacking just as much as I love Kubernetes. We all love Kubernetes and cloud native, and there is no denial that Kubernetes and cloud native is a big success, and with big success in the security world come the attacks.

C: Actually, once you become a key player, then you're becoming a target for many attacks, and I just brought here a few examples of attacks on Kubernetes that happened only in the past few months. As a white-hat hacker, I always think that we have power, and Kubernetes has great power, and with great power comes great responsibility.

C: So I saw here that someone was concerned about the legality of hacking. We are hacking Kubernetes, and we are doing this in order to make things better, and I also encourage everyone to report issues to the Kubernetes teams and related projects if they find something, just as I did before.

C: So what does an attacker want from a Kubernetes cluster or Kubernetes system? You may want to steal data, and here I'm talking not just about stealing data directly from a Kubernetes pod, but about stealing data using the credentials that have been stolen from the Kubernetes cluster. So think about all the cloud credentials you have in your cluster, in your different objects and also in your file systems. Each of them can be an attack vector and a means of stealing more data.

C: Also, a Kubernetes cluster can be used to gain computational resources. It's an interesting thing today that when people are looking for computational resources in order to do some Bitcoin mining and stuff like that, they use other people's Kubernetes in order to gain such computational resources. We've been starting to hear in the security community about ransomware around Kubernetes: people are locking out administrators and locking data in order to have some financial gain, and it's a real threat. Also, as I told you before, any service provider can also be a victim of denial-of-service attacks, and bringing down a Kubernetes cluster can be a really big problem. So these are the things that an attacker may want when looking into a Kubernetes environment.

C: So my story today: I always like to tell a framing story around these talks, and our story begins with Google's Online Boutique microservices demo application, which we are calling Hipster Shop because it was the old name. We have Hipster Shop running in GKE, Google's own Kubernetes solution. This is an online application, a web shop which is running on Kubernetes, and it has some security measures in place: containers are scanned for vulnerabilities before uploading, and we have installed Falco in this cluster. This is the starting point for our discussion; this is when the attacker is going to start to work. Just in order to enable you to focus on this whole talk and this demonstration, I will stop here and there to review questions and try to answer your questions during the talk.

C: My attack has been broken down into several smaller attacks. I'm going to install a malware, or get the operators of this Kubernetes cluster to install malware in their cluster. Then I'm going to use this malware to get into the pod of the victim. Then I'm going to steal the service account from this pod, and remotely, not from the Kubernetes cluster but from remote, I'm going to use the service account to identify myself against the API server and start to communicate with the API server from outside the cluster. Then I'm going to start stealing secrets from your Kubernetes cluster, and after it we are going to exit to the worker nodes and steal more interesting things from there.

C: So this is about it up until now, and let's jump into the first attack vector, which is actually... yeah. Sorry, Paolo, have you asked something?
A: Sure, yeah, it's just one thing. Our friend Ibrahim asked if you talk about any attacks over the OS hosting from Kubernetes. Will you cover this kind of attack today?
C: So it's more of that. So thanks, sure, and again, just ask me questions during the talk and I will stop to answer.

C: So let's say that for now I'm taking the hat of the operator of this solution, and as the operator I'm opening my Slack one morning and I see that... at first obviously I'm in the Kubernetes channel, but I return to my home channel and I see that my friends just sent me that in the microservices demo there is a new version. I'm pretty glad, because I love new versions of software, because they are usually better, and I go to the GitHub and I see that, well, this must be a very, very good and very nice version. As the operator I'm a little bit... maybe I'm used to scanning the vulnerabilities of the images I'm installing in my Kubernetes cluster, so I'm going into this public repository at quay.io, which has just scanned this image, and I see that it's a pretty good scan result. Okay, the Quay security scanner has not detected any vulnerabilities in this image. So I, as the operator, right now I'm pretty fine with installing this new version from this public repository, and what I'm going to do now is... well, maybe I got disconnected, but what I'm going to do is go to my solution, which is working here. You can see the Online Boutique is up and running, and I can see my workloads here also running smoothly, and from my control shell what I'm going to do is patch this service. I'm going to install this version 0.2.2 of this front end, and we'll see what is going to happen. Okay, I've updated my deployment with this new version, and the new version started to work. I'm the operator coming here, doing some checks, and yeah, well, it's still working, I'm still able to buy stuff in the boutique. So I feel fine. I am going to sleep now.
A: Sorry to interrupt again, but when you show your shell, could you increase your character size a little bit? Because it's seen a little bit small. Yes, a little bit more.
C: I think I'm already at the largest. I'm not sure, maybe the light theme is better. Oh, do you think it's better?
A: It's not... okay, no problem. And please, if possible, could you put your name and your Twitter account for people?
C: So what's happened here behind the scenes is that I, as an attacker (I'm switching my hats and now I'm the attacker), was able to add a backdoor into the new version of this front-end component. Even in the last month there have been examples of tainted images in public repositories, and everyone who's worried about cyber security and reading about cyber security I guess also heard about the SolarWinds attack, which is what we call a supply chain attack. This is exactly what I'm showing you: I published a malware-enabled version of a public component in a public container repository, and I got someone to install it. So now, what's happening at the next step?

C: The next step, as an attacker, is that I'm going to connect to my backdoor. I hope the text is better here. So I'm going to connect to this IP, which is actually the public IP of this web shop at the service port, and I'm going to connect. Do you see my fonts? Is it okay?

C: What I can show you is that I've opened a reverse shell in the pod. What you see here is that through a TCP connection I've opened a connection against the service, I've added my own request path and connected to my vector, which was embedded in this new version. So right now you see that I've opened this... if you want, I see that people still want even bigger text, so I'm going to put something even bigger, okay.

C: So I was able to connect to my malware, and right now I'm running a process within the pod. I've opened the reverse shell, so I have access to the system inside the pod, and when I'm inside I can do different things in it as an attacker. Someone, Danielle, asked what service permitted this. So this is not really a service; again, we have taken a legit application and added a malware to that legit application, and someone installed this version, the malware version of this application, because it was pushed into a public repository and no container scan can reveal the actual problem with the image. So actually, what is running here is the front-end application, which you can also see in the microservices demo GitHub at Google. Beyond just looking into the files, what I'm going to do here is take one very, very interesting file. This very interesting file is... wait a second, this doesn't look good, right? Okay, so this file is the service account token.

C: The service account token is actually the secret which has been mapped into the Kubernetes pod. Wait a second, okay. So the service account token is actually the secret which is used by the Kubernetes pod which wants to connect to the kube API and make requests to the kube API. This token is used to authenticate this pod against the kube API, so it's essentially like authentication: a password or an authentication secret, as you will, and this is used by Kubernetes in order to authenticate services. Now what I'm going to do here, as an attacker, is take this service account token. I'm returning to my cloud shell, which can be any other shell from the world, and I'm taking this token and I'm going to use it. Beyond the token, I'm also taking something else, which is a certificate, ca.crt. So this is also the certificate which is used for communicating with the API server, and I'm copying it just as I did with the service account token. Exiting now, and I've just disconnected from the pod. So yeah, there is a really good question here: are all service account tokens mounted in the pod in this way automatically by Kubernetes?

C: Yes. The question is really good. Kubernetes mounts these service account tokens into the pod. I didn't do any explicit mount here, and every Kubernetes pod has a service account by default, which is the namespace's default service account, and you can see it in the pod, but you can tell Kubernetes not to mount this into your system. So yeah, returning to the place, I'm going to store my certificate.

C: Also, I have an old certificate here, I'm just cleaning it up, and what I have here at this console right now is two things: one is the token, the second is the certificate. So I'm returning to show you where we are in this whole scheme: we've opened the reverse shell and stolen the service account token from this pod.

C: Now the interesting thing is that service accounts are the way in Kubernetes to authenticate services within Kubernetes. Now the interesting part is that, as of today, these tokens can be used from anywhere to authenticate against the kube API servers. You don't necessarily need to be in the cluster, and why this is important: it's important because if I'm operating within the system, I don't necessarily want to do it from within the system. As an attacker, it's way easier for me to do it from the outside; I have to clean up less after myself.

C: Okay, doing that now. I see that we have a few questions here. So someone asked: "I would imagine tokens should only be able to list you, not much harm unless RBAC is messed up." So it's a good point. It depends really on what you are doing. There are public-facing pods, I mean pods that are accessible from the public internet, which do have a service account which is meaningful. So by default, a default service account usually doesn't have any interesting authorizations in the RBAC system, but there are those which do, okay. And while I really appreciate you saying that the RBAC is messed up, and more or less I agree with you, sometimes, for example, monitoring tools which are used remotely to monitor systems usually need a lot of authorization and they're also public-facing, so it's kind of a good target in this case.

C: In this case, what we are going to do is use this service account token to start to talk to the Kubernetes API server. So there is a simple prepared command here, which I want to do a very fast walkthrough of with you. The interesting part is that obviously I'm using curl in this case, but I've added an Authorization header to the curl request, where the bearer contains this token which we've just copied here. And I'm going to the API server host, which can be found more or less easily, and I'm turning to /api/v1/namespaces/default/pods. So what I'm going to do here is show you that using only curl and this service account token, while not running inside the Kubernetes cluster, I'm able to connect to the Kubernetes API server from the outside world at port 443. See, I've just got a response using this token from the API server from the public internet and not from inside the cluster.

C: So it is also a small proof of concept that you can start to operate against the API server using this token. As I'm going to show you, using this token (and I agree with one of the questions: obviously this service account has privileges here in the system), I'm able to start to dump Kubernetes secrets. Okay, and I get an answer from the kube API. Also, I can go to the hipster shop namespace.

C: So obviously, if someone starts to access your secrets from remote, it is a problem, and this is something you should be sure to watch for. I was able to dump the secrets remotely using only curl and this token, but also I have other secrets here like the recipe of Big Mac sauce, and here are the ingredients. So you have here a lot of stuff taken from the API server.
A: Yeah, sorry for interrupting, we have a very interesting question. That is: how do you know the API server endpoint? You are talking about maintaining or hitting the endpoint, the security key, and of course you can use it everywhere, yeah, but to use it, one thing you need is the door, and the door is the endpoint.
C: It's a good question, yeah. So, okay, I didn't want to cover it here because I didn't see it as very interesting for this talk, but there is an easy strategy: scanning and crawling IPs. More or less, the IP ranges used by Google for Kubernetes API endpoints are pretty clear, and finding out which one is answering, taking my service account token and accepting it...
A: Our friend asked if you can show how much access you have, yeah.
C: Yeah, I'm going to show it at the end, but obviously, as I said before, this is an elevated service account. I agree with you that obviously it has authorizations, but just think about any monitoring tool that monitors kube objects and even secrets against the kube API: it needs these authorization levels. So it's not really a far-fetched thing that they do have this account. So this account has elevated privileges beyond the simple things. So, returning: I've showed you that I was able to take the secrets and dump the secrets. Now, as the last part, and we are getting to the last part of this remote attack, what I'm going to do is create more persistence in the system, and in order to do that I'm going to exit this pod, and not just that, I'm going to create a new pod in the system which is going to mount the host file system. It's not going to be what we call a privileged pod; it only mounts the node file system, and what I'm going to do is take from there the private key and certificate of the Kubernetes node, which is used to authenticate the node against Kubernetes.

C: So, as I told you again, I still have... What I did is I've created a new deployment. Just let me show you what we have here. Within this new deployment you have again more or less the same curl request against the kube API server and host, and within this new namespace, which is called that namespace, I've pushed, I created a new deployment, and just to show you, there is nothing really curious about this deployment. But what you need to see here is that there is a volume mount within this pod, mounted from the host: the root directory of the host. I'm going to connect to this in order to start to look at the host. So let's see the questions.
C: Yeah, okay, it's going to be a comment, so yeah. Where were we? So, for me, doing these tricks, the interesting part was that I had never used the Kubernetes API directly from curl beforehand, and here I started to use it from curl. At this stage of the attack I want to start to execute processes using this authentication mechanism, and in order to do that, on the one hand I wanted to use curl, and on the other hand I need to connect to the exec API of the pod in Kubernetes. Now, honestly, I had never gone to this side, so for me (I'm sure that for most of the audience it's not, but for me it was) it was new to see that the exec API in Kubernetes is actually a WebSocket API, and when I realized that, I saw that doing WebSockets in curl is not an easy thing to do. That's why I just wrote myself a Python code which actually does this connection for me based on this authentication token. So I took some code from our stuff, and the interesting part is more or less this line, which I'm using here to create the configuration for the Python module in order to make it think that we are running inside the cluster. I wouldn't call this an attack, but it's an interesting thing that you can convince your Python Kubernetes module to take the token and certificate you want from a different place than it usually takes, and then I'm using this Python module in order to execute commands on the destination pod. So what I'm going to do here is get the pod name for us, which is: get pods in the namespace and grep the name.

C: Okay, so I have this nginx deployment name here, so I have here another thing. What we are going to do here is start to look at this pod, which has mounted this volume, and we are running in that namespace. Yeah, I know, actually I think I did... I do think that I had a typo over there. I'm just reconnecting.

C: Yeah, okay, now it's working. So actually, again using this stolen token, I've looked into the host file system under /var/lib/kubelet/pki, and yeah, I know, I see the comments, but the "pam" actually with the "a": I know that I did a typo before, and that's why I deliberately used "pam". So, returning to this: if someone has the whole host file system, and especially under /var/lib/kubelet/pki, there are these certificate files which actually contain not just the certificates but also private keys. So if I'm looking into this, you see that I got the elliptic curve private key here and the related certificate there. So if I take it and parse it...
C: So, if I'm taking away this certificate, I can have permanent access for the next five years to this cluster from within, and obviously it's a good thing for the attacker to take it, as I can connect to the control plane of Kubernetes and start to get everything you have in this etcd for any type and manipulate it. So it's also a good thing to take away if something is random.

C: If I'm looking into the Falco logs, actually, just to show that since I've been using this thing remotely, and also I haven't used a privileged pod here, I didn't get any notification from Falco about any suspicious activity here. From my point of view, it's more or less game over in this case.

C: So, just recapping this stuff: we went from doing initial penetration to the cluster using a front-end application, which in my case contained the malware, but just as it contained the malware, it could have had a software vulnerability. I think I saw last week another very interesting video which was posted in the Slack in the Kubernetes security group, where someone did the same initial penetration using a well-known vulnerability in Drupal, but in our case we used a malware, and we packed the malware to connect it. This malware was what we call packed, using a tool called Ezuri. It's an open source tool, and it encrypts and decrypts the malware within the RAM, so therefore it is pretty stealthy and hard to detect. When we connected this backdoor, we took the service account tokens for authentication from the pod, then started to use this service account token from here till the end in order to authenticate ourselves from outside the cluster. Using this token, we showed that easily, if you have access to the kube API from the outside, you can start to read secrets, you can start to bring up pods, and in our case we brought up the pod and, from our pod, we used it to mount the host file system and took the node certificate and private key. So let's go to some more questions. So a question: what would you do if you wanted to defend against this attack?

C: Okay, now obviously I have a problem with answering, because Armo, my company, is actually doing protections against such attacks. But obviously one of the most important things here is to be sure where you are taking your software updates from. Supply chain is a very delicate thing, and obviously not just from a commercial point of view but as a community we have to think of how we can better protect supply chains and how we can better look for such packed malwares, and obviously take versions from places which have pretty decent respect. And also, I do think that we need to improve our runtime detections. Obviously I do feel, although I understand why, that it's not a good thing that you can authenticate using a service account from the public internet against the kube API, and the kube API is not checking the source IP. Again, I know that there is a design reason for that, but still I feel that there can be some improvement here, and obviously, as was said, RBAC and elevated pods are a problem. Yeah, more questions. So Paolo asked about this Drupal thing; I'm going to post it. It was posted here in the security thread, I'm going to write it down and try to share it afterwards. More questions.

C: "For example, you cannot block a PSR within the enterprise, for example, and it's weird using GitHubs and we're going to focus for cuts," yeah. So it's also a good question, okay: why Falco has not reported access to the kubelet PKI files. There is a good reason for that, because these files can be used legitimately. Also, the service account files can be used legitimately, so these are legit files which are accessed by some of the processes. Now the question is how you can differentiate between the good process and the bad process, because obviously only kubelet is accessing the private key files, and within the pod also maybe the application itself uses the service account. So it's pretty hard for Falco to not go into a lot of false alerts here. Yeah, I'm going to share with you also. Paolo, where should we share everything we've just shown here?
A: Yeah, yeah, the show is being recorded, and I invite everyone to join us in the CNCF chats, and of course invite Ben to be present in CNCF Slack, because there we can share other content. And after all, please put your Twitter account, because you can share your Git entry to people, get their files, etc. It's so much important. Of course, again, everyone is welcome to be part of the CNCF Slack community, and Richard Ritchie is there; ask anything.

A: Of course, I know that sometimes it's difficult to make questions. We have an audience from everywhere, YouTube to LinkedIn, it's amazing, but sometimes it's difficult to manage all questions and, at the same time, answer everything and have everyone represented. So please, everyone, come on; Richards and SANS have Slack channels and we'll be there to help. My entry point for Slack is like the Twitter I put here, and then we will put it in for you.
C: Let's see how I can put my Twitter in the chat, yeah.
A: We will, yeah. And let me please put the security, yeah.
C: To talk to me: I'm going to stay for at least half an hour in the security Slack, so I will be happy to answer, and I hope this talk was interesting. It was fun for me, and I hope it gave you some interesting insights.
A: You showed Falco running; it's an amazing project, a project inside the CNCF landscape. Yesterday I was chatting with Dan Pop talking about Falco. Yes, really amazing, yeah. And what I can see here today with us was a set of best practices together with tools and the questions, and what about the security issues when you...

A: Again, the internet; please, if you want, send a cable for me, it would be amazing, because I'm lost every time, my connection is terrible. Okay Ben, I see... so good. Oh, Ben, I saw many, many good best practices; of course you showed the patterns when you have attacks, etc. Do you have any... oh, I like libraries, I like references where I can read more about that. You have your page, Armo has a blog that shows more about this security. How can I learn more? Because learning is difficult. It's amazing to see your showing; you will watch the show again, but we want to get something in our hands to learn, to read. What do you think, do you have something that you can show us?
C: Yes, so well, I'm restarting my screen share, sorry, because I've just removed that. Sure. Oh, but you don't see that, yeah, okay. So you have armosec.io, our homepage, and you have here our blog, which I really tell you that you should follow. And on LinkedIn we are publishing every week some interesting reading here. This thing about the remote service account token issue I haven't published about, because I reported it just a week ago, so therefore I didn't want to make a big buzz around that, but obviously I'm going to write it up here in this blog, and you can follow us here and read here, and also on our LinkedIn and Twitter accounts you can follow us.
A: Oh great, thank you. Of course, again, I want to say you are ready to answer questions offline, of course, so where is the better place to reach you? From your Twitter or from our lives? I prefer our CNCF, of course, because this is a community.
C
I
I'm
on
slack
you
you're,
welcome,
really
to
write
me
on
slack.
I
I'm
trying
to
my
most.
You
know
to
to
to
answer
you
on
on
slack
and
if
not
I'm
I'm
when
I
open
it,
I'm
I'm
sure
I'm
going
to
answer
every
every
questions.
Also,
you
know
I
linked
it
on
twitter.
C
These
are
my
main
places
where
I
publish
but
but
lucky,
if
you
want
to,
you,
know,
discuss
me
with
me
and
I
love
discussions
about
security
and
also
about
kubernetes,
so
so
you're
really
welcome
to
connect
me
on
on
slack
ben
hirschberg,
and
you
know
find
me
there.
C
Yeah,
I
do
think,
but
but
I
I
think
that
I'm
I'm
I'm
not
sure
where
it,
where
is
it
we'll
we'll
bust
it
here?
Okay,.
C
A
Okay,
you
have
a
link
in
the
account
okay,
you
can
reach
you
in
the
linkaging
too.
Amazing
ben,
of
course.
Wasn't
me,
of
course,
was
amazing.
I
don't
have
more
questions
here.
Oh
our
value
asking
that
could
not
see
in
any
message
related
what
you
said
in
the
sig
six
sec.
I
suppose
that
is
on
six
sex
from
governance
or
census.
What
what
do
you
follow
me?
But
there
is
a
paolo,
my
friend
from
italy,
maybe
because
paolo
is
italy
and
we
can.
Of
course
we
can
try
this
again.
Another
time
really.
A
So
again,
other
other,
oh
my
god,
fading
again.
Oh
yes,
come
back
sorry!
Oh
that's
the
problem
living
in
some
place
where
the
telecommunication
is
very
good.
It's
here
in
brazil.
Sometimes
you
have
problem
with
tech,
communications.
Okay,
our
4g
is
like
3g.
Our
5g
is
like
2g,
sometimes
ok.
So
what
is
amazing?
A
Break
the
things
with
you
bien
and
want
to
invite
you
again
for
next
time
talk
up
more
about
security
secrets.
This
is
the
point.
It's
a
devsec.
Ops
securities
is
a
point
very,
very
important
for
us
and
we
are
increasing
that
we.
We
can
see
the
the
the
how
much
the
battle
the
the
attacks.
The
cyber
attacks
are
growing
the
world
we
are
doing
every
day
when
you
open
newspaper,
you
can
see
that
someone
have
a
data
branch
or
something
else.
A
My
accounts
are
breaking
many
times
so
really
really
important
this
this
subject,
and
so
I
want
to
I
can
to
invite
you
to
present
for
us
and
you
can
choose,
I
can't
understand
and
do
a
deep
dive
or
or
another
town
to
this,
and,
of
course
I
want
to
invite
you
ben
and
everyone
from
armory
and
from
the
set
for
our
cubicle
in
europe.
You
have
a
session
for
secured
right.
Keep
it
secure
today
will
be
amazing.
A
My
friend,
ambassador
hicado,
is
doing
a
great
job
in
the
doing
the
working
the
the
commentary
from
this
this
this
event
you'll,
be
there
you'll,
be
there
brown.
B
A
Oh
excellent,
we
can,
we
can
reach
you
there.
Okay,
oh
bam!
Thank
you.
So
much
for
this
to
show
today
this
show
we
don't
have
more
questions,
I'm
seeing
your
blog.
This
is
amazing
here
I
I
I
open
here.
You
have
a
container
drip.
Another
example
of
why
http
based
capture
case
is
flowed.
C
Okay,
so
yeah
so
yeah
I
mean
there,
we
have,
you
know
interesting
people,
and-
and
you
know
you
really
should
you
know
go
in
here
and
you
know
if
you
want
to
you
know,
broaden
your
your
your
security
mindset.
You
know
these
are
really
really
good
blogs,
because
I
think
we
do
really
have
here
a
big
opportunity
in
when
you
know
the
industry
is
going
to
cloud
and
cloud
native.
We
have
a
great
opportunity
to
enhance
our
security
and.
A
Yes
for
sure
at
the
at
the
list,
it's
cloud
native
is
a
distributed
computer
and
when
you
have
a
microservices
that
is
is
is
like
a
gremlin.
You
don't
know
what
disagreement,
though,
because
it's
a
film
very
old
like
me,
but
you
know,
democracies
are
grammarly.
Yes,
every
grammy,
when
you
put
some
water,
they
transform
in
a.
A
Crazy
destructor,
so
we
can
have
care
with
security
in
many
aspects,
so
thank
you
so
much
again,
dan
was
amazing.
We
will
watch
it
again.
The
the
your
presentation,
because
I
want
to
learn
more
with
you-
was
amazing.
I
want
to
thank
you
for
armor.
A
That
has
gives
you
opportunity
to
be
here
with
us,
and
I
want
to
thank
you,
everyone,
so
guys.
Thank
you
for
joining
us
at
this
last
episode
of
the
our
this
week
in
the
club.
Dave
is
our
live
stream.
The
cloud
native
live
stream.
It's
amazing
our
cloud
native
tv.
A
It
was
great
to
have
you
ben
with
us,
talk
about
security
aspects
of
kubernetes
and
break
everything,
and
we
also
really
love
the
interaction
and
questions
from
the
algebras
was
amazing:
we'd
not
talk
about
the
big
mac
recipe,
but
okay,
I
don't
know
why
you
eat
a
big
mac.
Today
was
amazing
too,
and
we
bring
you
and
we
bring
you
the
last
cloud
native
code,
every
wednesday
at
3
p.m.
Eastern
time,
next
week
we
will
have
someone
very
very
good
to
present
something
amazing
like
bam.
Thank
you
ben
to
join
us.
Thank
you.