Recommended
More Related Content
What's hot
What's hot (20)
Recently uploaded
Recently uploaded (20)
Kubernetes Security for AppSec Professionals
- 1. SECURITY APPSEC DHARSHIN DE SILVA @DHARSHIN HTTP://LI.DHARSHIN.COM
- 2. MY OWN NOT Dharshin De Silva @ AppSec Australia 18 May 2021 2
- 3. • ENTHUSIAST • SECURITY ARCHITECT • INTERESTED IN DISTRIBUTED COMPUTING, APPSEC/DEVSECOPS AND CLOUD SECURITY • Dharshin De Silva @ AppSec Australia 18 May 2021 3
- 4. • INTRODUCTION • • APPSEC POLICIES GOVERN • NOT LIST Dharshin De Silva @ AppSec Australia 18 May 2021 4
- 5. “KUBERNETES K8S DEPLOYMENT SCALING MANAGEMENT CONTAINERIZED APPLICATIONS Dharshin De Silva @ AppSec Australia 18 May 2021 5
- 6. • SMALLEST DEPLOYABLE ONE OR MORE • STATELESS • AN ABSTRACT (IPTABLES + DNS) WAY TO EXPOSE AN APP RUNNING ON A SET OF PODS AS A NETWORK SERVICE Dharshin De Silva @ AppSec Australia 18 May 2021 6
- 7. Source: https://platform9.com Dharshin De Silva @ AppSec Australia 18 May 2021 7
- 8. Source: https://ssup2.github.io/theory_analysis/Kubernetes_PKI/ Dharshin De Silva @ AppSec Australia 18 May 2021 8
- 9. BOLD Source: https://ssup2.github.io/theory_analysis/Kubernetes_PKI/ Dharshin De Silva @ AppSec Australia 18 May 2021 9
- 10. • • SERVICE ACCOUNTS • USERS • • CLUSTER-INDEPENDENT SERVICE • • STATIC FILE • EXTERNAL OPENID CONNECT WEBHOOK AUTHENTICATION PROXY Dharshin De Silva @ AppSec Australia 18 May 2021 10
- 11. • • CSR • CA API SERVER TRUSTS • • USERNAME COMMON NAME SUBJECT • • NO REVOKE ACCESS CLUSTER RE-KEY’ED ALL BE RE-ISSUED • BREAK-GLASS SCENARIOS Image source: https://www.magalix.com/blog/kubernetes-authentication Dharshin De Silva @ AppSec Australia 18 May 2021 11
- 12. • • • STRONGER AUTHENTICATION 2FA WEBAUTHN • • • Image source: https://www.magalix.com/blog/kubernetes-authentication Dharshin De Silva @ AppSec Australia 18 May 2021 12
- 13. • • • • • OPENSHIFT KUBE-ADMIN EKSCTL TERRAFORM KIND MINIKUBE • Dharshin De Silva @ AppSec Australia 18 May 2021 13
- 15. • UNAUTHENTICATED EXPOSED • • • • SUPPLY CHAIN • • • GITOPS • CONFUSED DEPUTIES” IN MULTI-TENANTED ENVIRONMENTS Dharshin De Silva @ AppSec Australia 18 May 2021 15
- 16. NOT PASSWORD PROTECTED Dharshin De Silva @ AppSec Australia 18 May 2021 16
- 17. DEMO: KUBECTL PROXY Dharshin De Silva @ AppSec Australia 18 May 2021 17
- 18. NEVER MIND! Dharshin De Silva @ AppSec Australia 18 May 2021 18
- 19. Dharshin De Silva @ AppSec Australia 18 May 2021 19
- 20. Dharshin De Silva @ AppSec Australia 18 May 2021 20
- 21. 21
- 22. Dharshin De Silva @ AppSec Australia 18 May 2021 22
- 23. EXTREMELY DIFFICULT Dharshin De Silva @ AppSec Australia 18 May 2021 23
- 24. • EXPOSURE • • DYNAMIC SCANNING • CSI BENCHMARKS • • PRIVATE ENDPOINTS • NODEPORT • BACKDOORS INDIRECT • • IDENTITIES PRIVILEGED Dharshin De Silva @ AppSec Australia 18 May 2021 24
- 25. • WHO WHAT • • EXTERNAL IDP • FOR USERS • • • DYNAMIC CREDENTIALS • Who Dharshin De Silva @ AppSec Australia 18 May 2021 25
- 26. • STRICT RBAC • • SCANNING CONTENT • • ADMISSION CONTROLLERS what Dharshin De Silva @ AppSec Australia 18 May 2021 26
- 27. • • • • Dharshin De Silva @ AppSec Australia 18 May 2021 27
- 28. • • • • • • HTTPS://AQUASECURITY.GITHUB.IO/KUBE- HUNTER/KBINDEX.HTML Dharshin De Silva @ AppSec Australia 18 May 2021 28
- 29. • • • CLOUD PROVIDER APIS KUBERNETES • • • Dharshin De Silva @ AppSec Australia 18 May 2021 29
- 30. • APPS DEPLOYED • MANAGEMENT • • PRIVILEGE ESCALATION • SERVICE ACCOUNTS, HOSTPATH MOUNTS (DOCKER SOCKET), METADATA INTERFACE ACCESS, SECRETS, ENVIRONMENT VARIABLES • CONTAINER EVASION TECHNIQUE Dharshin De Silva @ AppSec Australia 18 May 2021 30
- 31. • LEAST PRIVILEGED • • HOST’S METADATA • • • INIT CONTAINERS • • DEFAULT DENY • Dharshin De Silva @ AppSec Australia 18 May 2021 31
- 32. • • HAS THREE MODES: 1. MANIFEST MODE – AUDIT KUBERNETES MANIFEST FILES (STATIC ANALYSIS) 2. LOCAL MODE – REMOTELY CONNECT TO A CLUSTER USING THE KUBECONFIG 3. CLUSTER MODE – DEPLOYED AS A POD IN THE CLUSTER AND AUDIT KUBERNETES RESOURCE IN THE CLUSTER (DYNAMIC) • GITHUB.COM/SHOPIFY/KUBEAUDIT Dharshin De Silva @ AppSec Australia 18 May 2021 32
- 33. • • • Dharshin De Silva @ AppSec Australia 18 May 2021 33
- 34. • • • • Dharshin De Silva @ AppSec Australia 18 May 2021 34
- 35. • WHAT GETS IN • GATEKEEPER • GRANULARITY • • • ACCEPT REJECT Dharshin De Silva @ AppSec Australia 18 May 2021 35
- 36. TLS / Request Validati on RBAC Dharshin De Silva @ AppSec Australia 18 May 2021 36
- 37. Dharshin De Silva @ AppSec Australia 18 May 2021 37
- 38. • • DEPRECATED Dharshin De Silva @ AppSec Australia 18 May 2021 38
- 39. APIVERSION: ADMISSIONREGISTRATION.K8S.IO/V1 KIND: VALIDATINGWEBHOOKCONFIGURATION METADATA: NAME: "POD-POLICY.EXAMPLE.COM" WEBHOOKS: - NAME: "POD-POLICY.EXAMPLE.COM" RULES: - APIGROUPS: [""] APIVERSIONS: ["V1"] OPERATIONS: ["CREATE"] RESOURCES: ["PODS"] SCOPE: "NAMESPACED" CLIENTCONFIG: SERVICE: NAMESPACE: “POLICY-CONTROL" NAME: “POLICY-SERVICE" CABUNDLE: "…" ADMISSIONREVIEWVERSIONS: ["V1", "V1BETA1"] SIDEEFFECTS: NONE TIMEOUTSECONDS: 5 Dharshin De Silva @ AppSec Australia 18 May 2021 39
- 40. • • GATEKEEPER / OPA • K-RAIL • KYVERNO • • • • Dharshin De Silva @ AppSec Australia 18 May 2021 40
- 41. • TRUSTED IMAGE • PRIVILEGED • CAPABILITIES • • • • BIND MOUNTS PERSISTENT VOLUME • HOST NETWORK PID • • • • SECCOMP Dharshin De Silva @ AppSec Australia 18 May 2021 41
- 42. • OPEN CLOSE • • • ANNOTATIONS LABELS • • • • • Dharshin De Silva @ AppSec Australia 18 May 2021 42
- 43. Dharshin De Silva @ AppSec Australia 18 May 2021 43
- 44. DEMO: ADMISSION CONTROLLERS IN ACTION Dharshin De Silva @ AppSec Australia 18 May 2021 44
- 45. • KUBERNETES CONFIGURATION • CONTAINER IMAGES • • • DENIED EXEMPTED • • • • • Dharshin De Silva @ AppSec Australia 18 May 2021 45
- 46. Source: https://sysdig.com/blog/kubernetes-admission-controllers/ Dharshin De Silva @ AppSec Australia 18 May 2021 46
- 47. • SECURE DEFAULTS • • ASSURANCE • • • ADMISSION CONTAINER SECURITY EXEMPTION • • Dharshin De Silva @ AppSec Australia 18 May 2021 47
- 48. QUESTIONS? Dharshin De Silva @ AppSec Australia 18 May 2021 48