Hardening against
Kubernetes Hacks
Eric Smalling
Senior Developer Advocate @ Snyk
@ericsmalling
Eric Smalling
● Senior Developer Advocate @ Snyk
● Based in Dallas/Fort Worth, Texas
● 20+ years enterprise software development
● 10+ years build/test/deploy automation (CI/CD)
● Docker user since 2013 (v0.6)
● 2018 Jenkins Ambassador
● Docker Captain
● CKA, CKAD & CKS Certified
@ericsmalling
https://github.com/snyk-labs/kubernetes-goof
Exploit = App Vulns + Misconfiguration
https://github.com/snyk-labs/kubernetes-goof
What do we know? (diagram; labels: 80)
https://github.com/snyk-labs/kubernetes-goof
Timeline of Doom (Time vs Scope)
● Initial Exploit: App Vuln allows RCE in container
https://github.com/snyk-labs/kubernetes-goof
What do we know? (diagram; labels: 80, Internal IP, 5000)
https://github.com/snyk-labs/kubernetes-goof
What do we know? (diagram; labels: 80, Internal IP, IP Address, 5000)
https://github.com/snyk-labs/kubernetes-goof
Timeline of Doom (Time vs Scope)
● Initial Exploit: App Vuln allows RCE in container
● Credentials: Pod Token available inside pod
https://github.com/snyk-labs/kubernetes-goof
What do we know? (diagram; labels: 80, Internal IP, IP Address, 5000, External IP)
https://github.com/snyk-labs/kubernetes-goof
Timeline of Doom (Time vs Scope)
● Initial Exploit: App Vuln allows RCE in container
● Credentials: Pod Token available inside pod
● Permissions: Pod Token allows access to API endpoints
https://github.com/snyk-labs/kubernetes-goof
What do we know? (diagram; labels: 80, Internal IP, External IP, 5000)
https://github.com/snyk-labs/kubernetes-goof
What do we know? (diagram; labels: 80, Internal IP, External IP, Default, Secure, IP Address, 5000)
https://github.com/snyk-labs/kubernetes-goof
Insecure Role
apiVersion: v1
kind: ServiceAccount
metadata:
  name: insecure
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: allow_pod_read
rules:
- apiGroups:
  - '*'
  resources:
  - '*'
  verbs: ["create", "get", "watch", "list", "patch",
          "delete", "deletecollection", "update"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: allow_pod_read_bind
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: allow_pod_read
subjects:
- kind: ServiceAccount
  name: insecure
● Grants the service account far too many permissions: every listed verb on every resource in every API group, despite the "read" in its name
● Likely bound to the ‘secure’ namespace
○ No permissions in the default namespace
https://github.com/snyk-labs/kubernetes-goof
Timeline of Doom (Time vs Scope)
● Initial Exploit: App Vuln allows RCE in container
● Credentials: Pod Token available inside pod
● Permissions: Pod Token allows access to API endpoints
● Roles: Role gives service account too many permissions in namespace
https://github.com/snyk-labs/kubernetes-goof
Read Write Filesystem
apiVersion: v1
kind: Pod
# ...
metadata:
  annotations:
    # Alpha annotation, deprecated since Kubernetes 1.19; current clusters use
    # spec.securityContext.seccompProfile with type: RuntimeDefault instead.
    seccomp.security.alpha.kubernetes.io/pod: runtime/default
spec:
  containers:
  - name: readonlyroot
    securityContext:
      readOnlyRootFilesystem: true
● A writable root filesystem allows an attacker to modify the container
○ Download software
○ Change configuration
● Configure securityContext
○ readOnlyRootFilesystem: true
https://github.com/snyk-labs/kubernetes-goof
What do we know? (diagram; labels: 80, Internal IP, External IP, IP Address, Secure, Default, 5000)
https://github.com/snyk-labs/kubernetes-goof
Pod Security Policy
# PodSecurityPolicy was removed in Kubernetes 1.25; Pod Security Admission replaces it.
spec:
  privileged: false
  # Required to prevent escalations to root.
  # allowPrivilegeEscalation: false
  # This is redundant with non-root + disallow privilege escalation,
  # but we can provide it for defense in depth.
  volumes:
  - '*'
  runAsUser:
    # Require the container to run without root privileges.
    rule: 'MustRunAsNonRoot'
  seLinux:
    # This policy assumes the nodes are using AppArmor rather than SELinux.
    rule: 'RunAsAny'
  supplementalGroups:
    rule: 'MustRunAs'
    ranges:
    # Forbid adding the root group.
    - min: 1
      max: 65535
  fsGroup:
    rule: 'MustRunAs'
    ranges:
    # Forbid adding the root group.
    - min: 1
      max: 65535
● Grants the service account too many permissions
● Likely bound to the ‘secure’ namespace
○ No permissions in the default namespace
● allowPrivilegeEscalation is NOT redundant: left commented out here, it stays at its permissive default
https://github.com/snyk-labs/kubernetes-goof
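The three config slides above (the insecure Role, the writable root filesystem, and the PSP with allowPrivilegeEscalation left commented out) all come down to checks that a YAML scanner or admission controller can make. As an added example that is not from the deck or the kubernetes-goof project, this Python audit encodes those checks; the manifests are the slides' YAML transcribed as Python dicts (constructed, so no YAML library is needed), and the function names and verdict format are my own.

```python
"""Audit Kubernetes manifests for the three weaknesses shown in the deck: an
over-permissive Role, a writable root filesystem, and an unset allowPrivilegeEscalation."""
from typing import Any, Dict, List, Tuple

# Constructed sample input: the deck's insecure Role, transcribed as a dict.
INSECURE_ROLE: Dict[str, Any] = {
    "apiVersion": "rbac.authorization.k8s.io/v1", "kind": "Role",
    "metadata": {"name": "allow_pod_read"},
    "rules": [{
        "apiGroups": ["*"], "resources": ["*"],
        "verbs": ["create", "get", "watch", "list", "patch",
                  "delete", "deletecollection", "update"],
    }],
}

# Constructed: a Role that only does what the name allow_pod_read promises.
POD_READER_ROLE: Dict[str, Any] = {
    "apiVersion": "rbac.authorization.k8s.io/v1", "kind": "Role",
    "metadata": {"name": "allow_pod_read"},
    "rules": [{"apiGroups": [""], "resources": ["pods"],
               "verbs": ["get", "list", "watch"]}],
}

# Constructed: a pod that trusts the defaults (writable root fs, escalation allowed).
DEFAULT_POD: Dict[str, Any] = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "goof"},
    "spec": {"containers": [{"name": "app", "image": "example/app:1"}]},
}

# Constructed: the same pod with the deck's hardening settings made explicit.
HARDENED_POD: Dict[str, Any] = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "goof"},
    "spec": {
        "securityContext": {"runAsNonRoot": True},
        "containers": [{
            "name": "app", "image": "example/app:1",
            "securityContext": {"readOnlyRootFilesystem": True,
                                "allowPrivilegeEscalation": False,
                                "privileged": False},
        }],
    },
}

# Verbs that change cluster state; "*" grants all of them.
WRITE_VERBS = {"create", "update", "patch", "delete", "deletecollection", "*"}


def audit_role(role: Dict[str, Any]) -> List[str]:
    """Return one finding per problem in a Role's or ClusterRole's rules."""
    findings: List[str] = []
    name = role.get("metadata", {}).get("name", "")
    granted_writes: set = set()
    for i, rule in enumerate(role.get("rules", [])):
        wild = [f for f in ("apiGroups", "resources", "verbs")
                if "*" in rule.get(f, [])]
        if wild:
            findings.append(f"rule {i}: wildcard in {', '.join(wild)}")
        writes = WRITE_VERBS & set(rule.get("verbs", []))
        if writes and "*" in rule.get("resources", []):
            findings.append(f"rule {i}: write verbs on every resource")
        granted_writes |= writes
    # A role named like a reader that grants writes is exactly the deck's case.
    if "read" in name and granted_writes:
        findings.append(f"{name}: name suggests read-only access but grants "
                        + ", ".join(sorted(granted_writes)))
    return findings


def audit_pod(pod: Dict[str, Any]) -> List[str]:
    """Flag containers that leave the deck's hardening settings implicit or off."""
    findings: List[str] = []
    spec = pod.get("spec", {})
    pod_ctx = spec.get("securityContext", {})
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        ctx, cname = c.get("securityContext", {}), c.get("name", "?")
        if ctx.get("readOnlyRootFilesystem") is not True:
            findings.append(f"{cname}: readOnlyRootFilesystem is not true")
        # Unset leaves escalation allowed, so only an explicit false counts.
        if ctx.get("allowPrivilegeEscalation") is not False:
            findings.append(f"{cname}: allowPrivilegeEscalation is not explicitly false")
        if ctx.get("privileged") is True:
            findings.append(f"{cname}: privileged container")
        # A container-level runAsNonRoot overrides the pod-level one.
        if ctx.get("runAsNonRoot", pod_ctx.get("runAsNonRoot")) is not True:
            findings.append(f"{cname}: runAsNonRoot is not true")
    return findings


def admit(manifest: Dict[str, Any]) -> Tuple[bool, List[str]]:
    """Admission-style verdict: allowed only when the audit for its kind is clean."""
    auditors = {"Role": audit_role, "ClusterRole": audit_role, "Pod": audit_pod}
    auditor = auditors.get(manifest.get("kind", ""))
    if auditor is None:
        return True, []  # kinds this example does not cover pass through
    findings = auditor(manifest)
    return not findings, findings
```

Running admit() over the four constructed manifests denies the deck's Role and the default pod and allows the pod-reader Role and the hardened pod; the same checks apply unchanged to ClusterRoles and to initContainers.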
Timeline of Doom (Time vs Scope)
● Initial Exploit: App Vuln allows RCE in container
● Credentials: Pod Token available inside pod
● Permissions: Pod Token allows access to API endpoints
● Roles: Role gives service account too many permissions in namespace
● Permissions: PSP did not disallow privilege escalation
https://github.com/snyk-labs/kubernetes-goof
What do we know? (diagram; labels: 80, Internal IP, External IP, 5000, Default, Secure, IP Address, 8080)
https://github.com/snyk-labs/kubernetes-goof
Timeline of Doom (Time vs Scope)
● Initial Exploit: App Vuln allows RCE in container
● Credentials: Pod Token available inside pod
● Permissions: Pod Token allows access to API endpoints
● Roles: Role gives service account too many permissions in namespace
● Permissions: PSP did not disallow privilege escalation
● Policy: Network, no network controls in place
https://github.com/snyk-labs/kubernetes-goof
What do we know? (diagram; labels: 80, Internal IP, External IP, 5000, Default, Secure, IP Address, 5001, 8080)
https://github.com/snyk-labs/kubernetes-goof
What do we know? (diagram; labels: 80, Internal IP, External IP, 5000, Default, Secure, IP Address, 8080)
https://github.com/snyk-labs/kubernetes-goof
What do we know? (diagram; labels: 80, Internal IP, External IP, 5000, Default, Secure, IP Address, 8080, PRIVILEGED, HOST)
https://github.com/snyk-labs/kubernetes-goof
Timeline of Doom (Time vs Scope)
● Initial Exploit: App Vuln allows RCE in container
● Credentials: Pod Token available inside pod
● Permissions: Pod Token allows access to API endpoints
● Roles: Role gives service account too many permissions in namespace
● Permissions: PSP did not disallow privilege escalation
● Policy: Network, no network controls in place
● Permissions: PSP, no restrictions in default ns
https://github.com/snyk-labs/kubernetes-goof
What do we know? (diagram; labels: 5000, Default, Secure, IP Address, 8080, PRIVILEGED, Kube-System, HOST)
https://github.com/snyk-labs/kubernetes-goof
What do we know? (diagram; labels: 80, 5000, Default, Secure, IP Address, 8080, PRIVILEGED, Kube-System, HOST)
https://github.com/snyk-labs/kubernetes-goof
Timeline of Doom (Time vs Scope)
● Initial Exploit: App Vuln allows RCE in container
● Credentials: Pod Token available inside pod
● Permissions: Pod Token allows access to API endpoints
● Roles: Role gives service account too many permissions in namespace
● Permissions: PSP did not disallow privilege escalation
● Policy: Network, no network controls in place
● Permissions: PSP, no restrictions in default ns
● Game Over: Cluster admin rights gained
https://github.com/snyk-labs/kubernetes-goof
How could we have prevented this?
● Scan your application code
● Scan your container images
● Scan your Kubernetes YAML
● Don’t trust defaults / Be explicit
● Use Network Policies
● Use Admission Controls
With thanks and props to:
Mark Manning (@antitree), Ian Coldwater (@iancoldwater),
Duffie Cooley (@mauilion), Rory McCune (@raesene),
K8s SIG-Security, CNCF TAG-Security, OpenSSF,
and many others in the Kubernetes Security community
@ericsmalling

KubeCon NA 2022 - Hardening against Kubernetes Hacks.pdf

  • 1. Hardening against Kubernetes Hacks Eric Smalling Senior Developer Advocate @ Snyk @ericsmalling
  • 2. Eric Smalling ● Senior Developer Advocate @ Snyk ● Based in Dallas/Fort Worth, Texas ● 20+ years enterprise software development ● 10+ years build/test/deploy automation (CI/CD) ● Docker user since 2013 (v0.6) ● 2018 Jenkins Ambassador ● Docker Captain ● CKA, CKAD & CKS Certified @ericsmalling https://github.com/snyk-labs/kubernetes-goof
  • 4. Exploit = App Vulns + Misconfiguration https://github.com/snyk-labs/kubernetes-goof
  • 5. What do we know? [diagram: the attacker's view of the cluster; the application is reachable on port 80]
  • 6. Timeline of Doom (axes: Time, Scope): Initial Exploit (App Vuln): Allows RCE in container
  • 7. What do we know? [diagram: adds the pod's Internal IP and port 5000]
  • 8. What do we know? [diagram: Internal IP, IP Address, port 5000]
  • 9. Timeline of Doom: Initial Exploit (App Vuln): Allows RCE in container; Credentials (Pod Token): Available inside pod
  • 10. What do we know? [diagram: Internal IP, IP Address, External IP, port 5000]
  • 11. Timeline of Doom: Initial Exploit (App Vuln): Allows RCE in container; Credentials (Pod Token): Available inside pod; Permissions (Pod Token): Allows access to API endpoints
  • 12. What do we know? [diagram: Internal IP, External IP, port 5000]
  • 13. What do we know? [diagram: Internal IP, External IP, IP Address, the Default and Secure namespaces, port 5000]
  • 14. Insecure Role
    apiVersion: v1
    kind: ServiceAccount
    metadata:
      name: insecure
    ---
    apiVersion: rbac.authorization.k8s.io/v1
    kind: Role
    metadata:
      name: allow_pod_read
    rules:
    - apiGroups:
      - '*'
      resources:
      - '*'
      verbs: ["create", "get", "watch", "list", "patch", "delete", "deletecollection", "update"]
    ---
    apiVersion: rbac.authorization.k8s.io/v1
    kind: RoleBinding
    metadata:
      name: allow_pod_read_bind
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: Role
      name: allow_pod_read
    subjects:
    - kind: ServiceAccount
      name: insecure
    ● Allows service account too many permissions
    ● Likely bound to the ‘secure’ namespace
      ○ No permissions in the default namespace
  • 15. Timeline of Doom: Initial Exploit (App Vuln): Allows RCE in container; Credentials (Pod Token): Available inside pod; Permissions (Pod Token): Allows access to API endpoints; Roles (Role): Gives service account too many permissions in namespace
  • 16. Read Write Filesystem
    apiVersion: v1
    kind: Pod
    # ...
    metadata:
      annotations:
        seccomp.security.alpha.kubernetes.io/pod: runtime/default
    spec:
      containers:
      - name: readonlyroot
        securityContext:
          readOnlyRootFilesystem: true
    ● Allows an attacker to modify the container
      ○ Download software
      ○ Change configuration
    ● Configure securityContext
      ○ readOnlyRootFilesystem: true
  • 17. What do we know? [diagram: Internal IP, External IP, IP Address, the Secure and Default namespaces, port 5000]
  • 18. Pod Security Policy
    spec:
      privileged: false
      # Required to prevent escalations to root.
      # allowPrivilegeEscalation: false
      # This is redundant with non-root + disallow privilege escalation,
      # but we can provide it for defense in depth.
      volumes:
      - '*'
      runAsUser:
        # Require the container to run without root privileges.
        rule: 'MustRunAsNonRoot'
      seLinux:
        # This policy assumes the nodes are using AppArmor rather than SELinux.
        rule: 'RunAsAny'
      supplementalGroups:
        rule: 'MustRunAs'
        ranges:
        # Forbid adding the root group.
        - min: 1
          max: 65535
      fsGroup:
        rule: 'MustRunAs'
        ranges:
        # Forbid adding the root group.
        - min: 1
          max: 65535
    ● Allows service account too many permissions
    ● Likely bound to the ‘secure’ namespace
      ○ No permissions in the default namespace
    ● allowPrivilegeEscalation is NOT redundant
  • 19. Timeline of Doom: Initial Exploit (App Vuln): Allows RCE in container; Credentials (Pod Token): Available inside pod; Permissions (Pod Token): Allows access to API endpoints; Roles (Role): Gives service account too many permissions in namespace; Permissions (PSP): Did not disallow privilege escalation
  • 20. What do we know? [diagram: ports 80 and 5000, Internal IP, External IP, the Default and Secure namespaces, IP Address; port 8080 added]
  • 21. Timeline of Doom: Initial Exploit (App Vuln): Allows RCE in container; Credentials (Pod Token): Available inside pod; Permissions (Pod Token): Allows access to API endpoints; Roles (Role): Gives service account too many permissions in namespace; Permissions (PSP): Did not disallow privilege escalation; Policy (Network): No network controls in place
  • 22. What do we know? [diagram: ports 80 and 5000, Internal IP, External IP, the Default and Secure namespaces, IP Address, ports 5001 and 8080]
  • 23. What do we know? [diagram: ports 80 and 5000, Internal IP, External IP, the Default and Secure namespaces, IP Address, port 8080]
  • 24. What do we know? [diagram: ports 80 and 5000, Internal IP, External IP, the Default and Secure namespaces, IP Address, port 8080; PRIVILEGED and HOST added]
  • 25. Timeline of Doom: Initial Exploit (App Vuln): Allows RCE in container; Credentials (Pod Token): Available inside pod; Permissions (Pod Token): Allows access to API endpoints; Roles (Role): Gives service account too many permissions in namespace; Permissions (PSP): Did not disallow privilege escalation; Policy (Network): No network controls in place; Permissions (PSP): No restrictions in default ns
  • 26. What do we know? [diagram: port 5000, the Default and Secure namespaces, IP Address, port 8080, PRIVILEGED, Kube-System, HOST]
  • 27. What do we know? [diagram: ports 80 and 5000, the Default and Secure namespaces, IP Address, port 8080, PRIVILEGED, Kube-System, HOST]
  • 28. Timeline of Doom: Initial Exploit (App Vuln): Allows RCE in container; Credentials (Pod Token): Available inside pod; Permissions (Pod Token): Allows access to API endpoints; Roles (Role): Gives service account too many permissions in namespace; Permissions (PSP): Did not disallow privilege escalation; Policy (Network): No network controls in place; Permissions (PSP): No restrictions in default ns; Game Over (Cluster): Cluster admin rights gained
  • 29. [image-only slide]
  • 30. How could we have prevented this?
    ● Scan your application code
    ● Scan your container images
    ● Scan your Kubernetes YAML
    ● Don’t trust defaults / Be explicit
    ● Use Network Policies
    ● Use Admission Controls
  • 31. With thanks and props to: Mark Manning (@antitree), Ian Coldwater (@iancoldwater), Duffie Cooley (@mauilion), Rory McCune (@raesene), K8s SIG-Security, CNCF TAG-Security, OpenSSF, and many others in the Kubernetes Security community @ericsmalling
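As an added example (not from the deck or the kubernetes-goof project), the kind of "scan your Kubernetes YAML" check slide 30 calls for, run over the manifests from slides 14, 16 and 18 and the timeline's "pod token available inside pod" step: it flags wildcard RBAC rules, a Pod that mounts its service account token or leaves allowPrivilegeEscalation unset, and a PodSecurityPolicy that does not disallow privilege escalation. Manifests are handled as the dicts a YAML loader produces; the sample objects mirror the deck's manifests, with the Pod name, PSP name and PSP apiVersion assumed.

```python
# Added example: offline audit for the misconfigurations the deck walks through.
# Manifests are handled as the dicts a YAML loader produces (no PyYAML needed).
WILDCARD = "*"

def _who(m):
    return f'{m.get("kind")}/{m.get("metadata", {}).get("name", "<unnamed>")}'

def audit(manifest):
    """Return a list of findings (strings) for one Kubernetes object in dict form."""
    found, who = [], _who(manifest)
    kind, spec = manifest.get("kind"), manifest.get("spec", {})
    if kind in ("Role", "ClusterRole"):
        # Slide 14: '*' in apiGroups/resources/verbs grants far more than pod reads.
        for rule in manifest.get("rules", []):
            broad = [k for k in ("apiGroups", "resources", "verbs") if WILDCARD in rule.get(k, [])]
            if broad:
                found.append(f"{who}: wildcard in {', '.join(broad)}")
    elif kind == "Pod":
        # Timeline slide 9: the pod token is mounted by default unless disabled explicitly.
        if spec.get("automountServiceAccountToken") is not False:
            found.append(f"{who}: service account token is mounted into the pod")
        for c in spec.get("containers", []):
            sc = c.get("securityContext", {})
            if sc.get("privileged"):
                found.append(f"{who}: container {c['name']} is privileged")
            if sc.get("readOnlyRootFilesystem") is not True:  # slide 16
                found.append(f"{who}: container {c['name']} has a writable root filesystem")
            if sc.get("allowPrivilegeEscalation") is not False:  # slide 18: not redundant
                found.append(f"{who}: container {c['name']} allows privilege escalation")
    elif kind == "PodSecurityPolicy":
        if spec.get("privileged"):
            found.append(f"{who}: permits privileged pods")
        if spec.get("allowPrivilegeEscalation") is not False:  # the commented-out line on slide 18
            found.append(f"{who}: does not disallow privilege escalation")
    return found

def audit_all(manifests):
    return [f for m in manifests for f in audit(m)]

# Constructed samples mirroring the deck's manifests (Pod/PSP names, PSP apiVersion assumed).
INSECURE_ROLE = {"kind": "Role", "metadata": {"name": "allow_pod_read"},
                 "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": [
                     "create", "get", "watch", "list", "patch", "delete", "deletecollection", "update"]}]}
READONLY_POD = {"kind": "Pod", "metadata": {"name": "readonlyroot"}, "spec": {"containers": [
    {"name": "readonlyroot", "securityContext": {"readOnlyRootFilesystem": True}}]}}
PSP = {"apiVersion": "policy/v1beta1", "kind": "PodSecurityPolicy", "metadata": {"name": "restricted"},
       "spec": {"privileged": False, "runAsUser": {"rule": "MustRunAsNonRoot"}}}
SAMPLES = [INSECURE_ROLE, READONLY_POD, PSP]
```

Calling audit_all(SAMPLES) yields four findings: the wildcard Role, the mounted token and unset allowPrivilegeEscalation on the readonlyroot Pod, and the PSP that never disallows privilege escalation; the readOnlyRootFilesystem check passes because slide 16 sets it.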