SlideShare a Scribd company logo
Hijack a Kubernetes Cluster – a Walkthrough
Continuous Lifecycle / Container Conf 2022
Nico Meisenzahl
• Head of DevOps Consulting & Operations
at white duck
• Microsoft MVP, GitLab Hero
• Cloud Native, Kubernetes & Azure
© white duck GmbH 2022
Email: nico.meisenzahl@whiteduck.de
Twitter: @nmeisenzahl
LinkedIn: https://www.linkedin.com/in/nicomeisenzahl
Blog: https://meisenzahl.org
About this talk
• this is not an in-depth security talk
• it should make you aware of common attack vectors and
how to prevent them
• you will see demos on how to hijack a cluster
• you will learn how to prevent those with common best practices
• three more slide, then we will start hijacking
• https://github.com/nmeisenzahl/hijack-kubernetes
© white duck GmbH 2022
Why do we need to care about security?
https://www.redhat.com/en/resources/state-kubernetes-security-report
What we will do
© white duck GmbH 2022
Log4Shell
https://www.splunk.com/en_us/surge/log4shell-log4j-response-overview.html
Think about
• ensure secure application / deployment code
• build secure container images
• implement Kubernetes policies
• introduce Kubernetes Network policies
• rely on Container Runtime Security
• many more…
© white duck GmbH 2022
Security quick wins through the DevOps cycle
© white duck GmbH 2022
Ensure secure application code
• automate and enforce code checks
• schedule dependency scanning
• Software Bill of Materials (SBOM)
• Dependabot / Renovate
• enforce Static Application Security Testing (SAST) in PRs
• scans your code to identify potential security vulnerabilities
• more details: https://owasp.org/www-
community/Source_Code_Analysis_Tools
© white duck GmbH 2022
Build secure container images
• build secure/small container images – less is more
• do only include required dependencies (no debugging tools!)
• use self-contained binaries, “distroless” or “(Un)distro” if
possible
• https://github.com/GoogleContainerTools/distroless
• https://github.com/wolfi-dev/os
• otherwise, use a small and secure Linux distro
• use and enforce SAST for validating your Dockerfiles
• scan your container images (on build and regularly)
© white duck GmbH 2022
Build secure container images
• build secure/small container images – less is more
• do only include required dependencies (no debugging tools!)
• use self-contained binaries, “distroless” or “(Un)distro” if
possible
• https://github.com/GoogleContainerTools/distroless
• https://github.com/wolfi-dev/os
• otherwise, use a small and secure Linux distro
• use and enforce SAST for validating your Dockerfiles
• scan your container images (on build and regularly)
© white duck GmbH 2022
Would have made it
much harder to
hijack the container
and further expend
Would have shown
the possibility of code
injection
Ensure secure deployment code
• as important as secure application code and Dockerfiles
• validate your deployment manifests using SAST
• and enforce them via PRs
• can help you to implement best practices like denying
• containers running as root
• mounting hostPath
• …
© white duck GmbH 2022
Ensure secure deployment code
• as important as secure application code and Dockerfiles
• validate your deployment manifests using SAST
• and enforce them via PRs
• can help you to implement best practices like denying
• containers running as root
• mounting hostPath
• …
© white duck GmbH 2022
Would have made it
much harder to hijack
the node
Tooling
• Source code
• https://codeql.github.com
• https://security-code-scan.github.io
• https://securego.io
• SBOM
• https://github.com/anchore/syft
• https://github.com/anchore/grype
• Dockerfiles
• https://github.com/aquasecurity/trivy
• https://github.com/bridgecrewio/checkov
• Kubernetes manifests
• https://kubesec.io
• https://github.com/aquasecurity/trivy
• https://github.com/bridgecrewio/checkov
• https://github.com/Checkmarx/kics
• Terraform
• https://github.com/tfsec/tfsec
• https://github.com/aquasecurity/trivy
• https://github.com/bridgecrewio/checkov
© white duck GmbH 2022
Kubernetes policies
• enforce compliance and governance within clusters
• verifying manifests is not enough!
• examples include enforcement of
• read-only filesystems
• denying hostPath mounts
• denying containers running as root
• …
© white duck GmbH 2022
Kubernetes policies
• enforce compliance and governance within clusters
• verifying manifests is not enough!
• examples include enforcement of
• read-only filesystems
• denying hostPath mounts
• denying containers running as root
• …
© white duck GmbH 2022
Would have made it
much harder to
further hijack the
nodes and cloud
resources
Kubernetes policy tooling
• Pod Security Admission
• stable since 1.25
• https://kubernetes.io/docs/concepts/security/pod-security-
admission
• Open Policy Agent Gatekeeper
• https://github.com/open-policy-agent/gatekeeper
• Kyverno
• https://kyverno.io
© white duck GmbH 2022
Network Policies
• granular deny or explicitly allow between containers and
ingress/egress of the cluster
• limit egress access to the internet
• limit access between applications/namespaces
• deny access to the Cloud provider metadata service
• https://kubernetes.io/docs/concepts/services-
networking/network-policies
© white duck GmbH 2022
Network Policies
• granular deny or explicitly allow between containers and
ingress/egress of the cluster
• limit egress access to the internet
• limit access between applications/namespaces
• deny access to the Cloud provider metadata service
• https://kubernetes.io/docs/concepts/services-
networking/network-policies
© white duck GmbH 2022
Would have denied
network connections
(reverse shell, Redis,
Internet, metadata
service)
Container Runtime Security
• helps to detect malicious threads and workloads
• untrusted process within container
• a shell is running inside a container
• container process mounting a sensitive path
• a process making outbound network connections
• container runtime security tools like Falco of Tetragon can
help
• https://github.com/falcosecurity
• https://github.com/cilium/tetragon
© white duck GmbH 2022
Container Runtime Security
• helps to detect malicious threads and workloads
• untrusted process within container
• a shell is running inside a container
• container process mounting a sensitive path
• a process making outbound network connections
• container runtime security tools like Falco of Tetragon can
help
• https://github.com/falcosecurity
• https://github.com/cilium/tetragon
© white duck GmbH 2022
Would have detect all
our “work” within the
containers
Further best practises
• do not
• share service accounts between applications
• enable higher access levels for the default service account if not
required
• mount service account token if not required
• https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-
account/#use-the-default-service-account-to-access-the-api-server
• changed with 1.24
• review all third-party snippets before applying them
• implement a Web Application Firewall (WAF) to further secure
your application
© white duck GmbH 2022
Further best practises
• do not
• share service accounts between applications
• enable higher access levels for the default service account if not
required
• mount service account token if not required
• https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-
account/#use-the-default-service-account-to-access-the-api-server
• changed with 1.24
• review all third-party snippets before applying them
• implement a Web Application Firewall (WAF) to further secure
your application
© white duck GmbH 2022
Wouldn’t have
allowed us to talk to
the API server
Would have denied
our code injection
Questions?
• Slides: https://www.slideshare.net/nmeisenzahl
• Demo: https://github.com/nmeisenzahl/hijack-kubernetes
© white duck GmbH 2022
Email: nico.meisenzahl@whiteduck.de
Twitter: @nmeisenzahl
LinkedIn: https://www.linkedin.com/in/nicomeisenzahl
Blog: https://meisenzahl.org

More Related Content

Similar to ContainerConf 2022: Hijack Kubernetes

ContainerConf 2022: Kubernetes is awesome - but...
ContainerConf 2022: Kubernetes is awesome - but...ContainerConf 2022: Kubernetes is awesome - but...
ContainerConf 2022: Kubernetes is awesome - but...
Nico Meisenzahl
 

Similar to ContainerConf 2022: Hijack Kubernetes (20)

Container Day Security: How to Prevent Your Kubernetes Cluster From Being Hacked
Container Day Security: How to Prevent Your Kubernetes Cluster From Being HackedContainer Day Security: How to Prevent Your Kubernetes Cluster From Being Hacked
Container Day Security: How to Prevent Your Kubernetes Cluster From Being Hacked
 
How to Prevent Your Kubernetes Cluster From Being Hacked by Nico Meisenzahl
How to Prevent Your Kubernetes Cluster From Being Hacked by Nico MeisenzahlHow to Prevent Your Kubernetes Cluster From Being Hacked by Nico Meisenzahl
How to Prevent Your Kubernetes Cluster From Being Hacked by Nico Meisenzahl
 
How to Prevent Your Kubernetes Cluster From Being Hacked by Nico Meisenzahl
How to Prevent Your Kubernetes Cluster From Being Hacked by Nico MeisenzahlHow to Prevent Your Kubernetes Cluster From Being Hacked by Nico Meisenzahl
How to Prevent Your Kubernetes Cluster From Being Hacked by Nico Meisenzahl
 
DevOpsCon London: How containerized Pipelines can boost your CI/CD
DevOpsCon London: How containerized Pipelines can boost your CI/CDDevOpsCon London: How containerized Pipelines can boost your CI/CD
DevOpsCon London: How containerized Pipelines can boost your CI/CD
 
Effiziente CI/CD-Pipelines – mit den richtigen Tools klappt das
Effiziente CI/CD-Pipelines – mit den richtigen Tools klappt dasEffiziente CI/CD-Pipelines – mit den richtigen Tools klappt das
Effiziente CI/CD-Pipelines – mit den richtigen Tools klappt das
 
GitLab London Meetup: How Containerized Pipelines and Kubernetes Can Boost Yo...
GitLab London Meetup: How Containerized Pipelines and Kubernetes Can Boost Yo...GitLab London Meetup: How Containerized Pipelines and Kubernetes Can Boost Yo...
GitLab London Meetup: How Containerized Pipelines and Kubernetes Can Boost Yo...
 
Secure Your Code Implement DevSecOps in Azure
Secure Your Code Implement DevSecOps in AzureSecure Your Code Implement DevSecOps in Azure
Secure Your Code Implement DevSecOps in Azure
 
Virtual GitLab Meetup: How Containerized Pipelines and Kubernetes Can Boost Y...
Virtual GitLab Meetup: How Containerized Pipelines and Kubernetes Can Boost Y...Virtual GitLab Meetup: How Containerized Pipelines and Kubernetes Can Boost Y...
Virtual GitLab Meetup: How Containerized Pipelines and Kubernetes Can Boost Y...
 
Kubernetes Security
Kubernetes SecurityKubernetes Security
Kubernetes Security
 
ContainerConf 2022: Kubernetes is awesome - but...
ContainerConf 2022: Kubernetes is awesome - but...ContainerConf 2022: Kubernetes is awesome - but...
ContainerConf 2022: Kubernetes is awesome - but...
 
DevOps Gathering - How Containerized Pipelines Can Boost Your CI/CD
DevOps Gathering - How Containerized Pipelines Can Boost Your CI/CDDevOps Gathering - How Containerized Pipelines Can Boost Your CI/CD
DevOps Gathering - How Containerized Pipelines Can Boost Your CI/CD
 
10 tips for Cloud Native Security
10 tips for Cloud Native Security10 tips for Cloud Native Security
10 tips for Cloud Native Security
 
Build pipelines with bitbucket for Magento
Build pipelines with bitbucket for MagentoBuild pipelines with bitbucket for Magento
Build pipelines with bitbucket for Magento
 
Aleksei Dremin - Application Security Pipeline - phdays9
Aleksei Dremin - Application Security Pipeline - phdays9Aleksei Dremin - Application Security Pipeline - phdays9
Aleksei Dremin - Application Security Pipeline - phdays9
 
Container Security
Container SecurityContainer Security
Container Security
 
GitHub Actions 101
GitHub Actions 101GitHub Actions 101
GitHub Actions 101
 
GitLab Remote Meetup: Enhance Your Kubernetes CI/CD Pipelines with GitLab & O...
GitLab Remote Meetup: Enhance Your Kubernetes CI/CD Pipelines with GitLab & O...GitLab Remote Meetup: Enhance Your Kubernetes CI/CD Pipelines with GitLab & O...
GitLab Remote Meetup: Enhance Your Kubernetes CI/CD Pipelines with GitLab & O...
 
GitLab Remote Meetup: Enhance Your Kubernetes CI/CD Pipelines with GitLab & ...
GitLab Remote Meetup:  Enhance Your Kubernetes CI/CD Pipelines with GitLab & ...GitLab Remote Meetup:  Enhance Your Kubernetes CI/CD Pipelines with GitLab & ...
GitLab Remote Meetup: Enhance Your Kubernetes CI/CD Pipelines with GitLab & ...
 
Die Evolution von Container Image Builds
Die Evolution von Container Image BuildsDie Evolution von Container Image Builds
Die Evolution von Container Image Builds
 
5 steps to take setting up a streamlined container pipeline
5 steps to take setting up a streamlined container pipeline5 steps to take setting up a streamlined container pipeline
5 steps to take setting up a streamlined container pipeline
 

More from Nico Meisenzahl

Festive Tech Calendar: Festive time with AKS networking
Festive Tech Calendar: Festive time with AKS networkingFestive Tech Calendar: Festive time with AKS networking
Festive Tech Calendar: Festive time with AKS networking
Nico Meisenzahl
 

More from Nico Meisenzahl (17)

Cloud-Native & Sustainability: How and Why to Build Sustainable Workloads
Cloud-Native & Sustainability: How and Why to Build Sustainable WorkloadsCloud-Native & Sustainability: How and Why to Build Sustainable Workloads
Cloud-Native & Sustainability: How and Why to Build Sustainable Workloads
 
Festive Tech Calendar: Festive time with AKS networking
Festive Tech Calendar: Festive time with AKS networkingFestive Tech Calendar: Festive time with AKS networking
Festive Tech Calendar: Festive time with AKS networking
 
Cloud Love Conference: Kubernetes is awesome, but...
Cloud Love Conference: Kubernetes is awesome, but...Cloud Love Conference: Kubernetes is awesome, but...
Cloud Love Conference: Kubernetes is awesome, but...
 
Azure Zürich User Group: Azure Kubernetes Service – more than just a managed ...
Azure Zürich User Group: Azure Kubernetes Service – more than just a managed ...Azure Zürich User Group: Azure Kubernetes Service – more than just a managed ...
Azure Zürich User Group: Azure Kubernetes Service – more than just a managed ...
 
azdevcom - Hijack a Kubernetes Cluster
azdevcom - Hijack a Kubernetes Clusterazdevcom - Hijack a Kubernetes Cluster
azdevcom - Hijack a Kubernetes Cluster
 
Continuous Lifecycle: Enhance Your Compliance and Governance With Policy-Base...
Continuous Lifecycle: Enhance Your Compliance and Governance With Policy-Base...Continuous Lifecycle: Enhance Your Compliance and Governance With Policy-Base...
Continuous Lifecycle: Enhance Your Compliance and Governance With Policy-Base...
 
Continuous Lifecycle: Hijack Kubernetes
Continuous Lifecycle: Hijack KubernetesContinuous Lifecycle: Hijack Kubernetes
Continuous Lifecycle: Hijack Kubernetes
 
Hijack a Kubernetes Cluster - a Walkthrough
Hijack a Kubernetes Cluster - a WalkthroughHijack a Kubernetes Cluster - a Walkthrough
Hijack a Kubernetes Cluster - a Walkthrough
 
GitLab Commit: Enhance your Compliance with Policy-Based CI/CD
GitLab Commit: Enhance your Compliance with Policy-Based CI/CDGitLab Commit: Enhance your Compliance with Policy-Based CI/CD
GitLab Commit: Enhance your Compliance with Policy-Based CI/CD
 
Azure Meetup Hamburg: Production-Ready Terraform Deployments on Azure
Azure Meetup Hamburg: Production-Ready Terraform Deployments on AzureAzure Meetup Hamburg: Production-Ready Terraform Deployments on Azure
Azure Meetup Hamburg: Production-Ready Terraform Deployments on Azure
 
DevOpsCon Berlin: Helm vs Operators – Do I Need to Decide?
DevOpsCon Berlin: Helm vs Operators – Do I Need to Decide?DevOpsCon Berlin: Helm vs Operators – Do I Need to Decide?
DevOpsCon Berlin: Helm vs Operators – Do I Need to Decide?
 
GitLab Commit DevOps: How GitLab Can Save your Kubernetes environment from Be...
GitLab Commit DevOps: How GitLab Can Save your Kubernetes environment from Be...GitLab Commit DevOps: How GitLab Can Save your Kubernetes environment from Be...
GitLab Commit DevOps: How GitLab Can Save your Kubernetes environment from Be...
 
Azure Rosenheim Meetup: Azure Service Operator
Azure Rosenheim Meetup: Azure Service OperatorAzure Rosenheim Meetup: Azure Service Operator
Azure Rosenheim Meetup: Azure Service Operator
 
Azure Saturday Hamburg: Containerize Your .NET Microservice - the Right Way!
Azure Saturday Hamburg: Containerize Your .NET Microservice - the Right Way!Azure Saturday Hamburg: Containerize Your .NET Microservice - the Right Way!
Azure Saturday Hamburg: Containerize Your .NET Microservice - the Right Way!
 
Cloud Native Day: Cloud-native Anwendungsentwicklung im Jahr 2021
Cloud Native Day: Cloud-native Anwendungsentwicklung im Jahr 2021Cloud Native Day: Cloud-native Anwendungsentwicklung im Jahr 2021
Cloud Native Day: Cloud-native Anwendungsentwicklung im Jahr 2021
 
Azure Service Operator - Provision Your Resources in a Cloud-Native Way
Azure Service Operator - Provision Your Resources in a Cloud-Native WayAzure Service Operator - Provision Your Resources in a Cloud-Native Way
Azure Service Operator - Provision Your Resources in a Cloud-Native Way
 
GitLab Commit: Your Attackers Won't Be Happy! How GitLab Can Help You Secure ...
GitLab Commit: Your Attackers Won't Be Happy! How GitLab Can Help You Secure ...GitLab Commit: Your Attackers Won't Be Happy! How GitLab Can Help You Secure ...
GitLab Commit: Your Attackers Won't Be Happy! How GitLab Can Help You Secure ...
 

Recently uploaded

Recently uploaded (20)

SOQL 201 for Admins & Developers: Slice & Dice Your Org’s Data With Aggregate...
SOQL 201 for Admins & Developers: Slice & Dice Your Org’s Data With Aggregate...SOQL 201 for Admins & Developers: Slice & Dice Your Org’s Data With Aggregate...
SOQL 201 for Admins & Developers: Slice & Dice Your Org’s Data With Aggregate...
 
Enterprise Knowledge Graphs - Data Summit 2024
Enterprise Knowledge Graphs - Data Summit 2024Enterprise Knowledge Graphs - Data Summit 2024
Enterprise Knowledge Graphs - Data Summit 2024
 
Introduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdf
Introduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdfIntroduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdf
Introduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdf
 
Integrating Telephony Systems with Salesforce: Insights and Considerations, B...
Integrating Telephony Systems with Salesforce: Insights and Considerations, B...Integrating Telephony Systems with Salesforce: Insights and Considerations, B...
Integrating Telephony Systems with Salesforce: Insights and Considerations, B...
 
What's New in Teams Calling, Meetings and Devices April 2024
What's New in Teams Calling, Meetings and Devices April 2024What's New in Teams Calling, Meetings and Devices April 2024
What's New in Teams Calling, Meetings and Devices April 2024
 
Where to Learn More About FDO _ Richard at FIDO Alliance.pdf
Where to Learn More About FDO _ Richard at FIDO Alliance.pdfWhere to Learn More About FDO _ Richard at FIDO Alliance.pdf
Where to Learn More About FDO _ Richard at FIDO Alliance.pdf
 
IESVE for Early Stage Design and Planning
IESVE for Early Stage Design and PlanningIESVE for Early Stage Design and Planning
IESVE for Early Stage Design and Planning
 
Intro in Product Management - Коротко про професію продакт менеджера
Intro in Product Management - Коротко про професію продакт менеджераIntro in Product Management - Коротко про професію продакт менеджера
Intro in Product Management - Коротко про професію продакт менеджера
 
10 Differences between Sales Cloud and CPQ, Blanka Doktorová
10 Differences between Sales Cloud and CPQ, Blanka Doktorová10 Differences between Sales Cloud and CPQ, Blanka Doktorová
10 Differences between Sales Cloud and CPQ, Blanka Doktorová
 
Introduction to Open Source RAG and RAG Evaluation
Introduction to Open Source RAG and RAG EvaluationIntroduction to Open Source RAG and RAG Evaluation
Introduction to Open Source RAG and RAG Evaluation
 
PLAI - Acceleration Program for Generative A.I. Startups
PLAI - Acceleration Program for Generative A.I. StartupsPLAI - Acceleration Program for Generative A.I. Startups
PLAI - Acceleration Program for Generative A.I. Startups
 
IoT Analytics Company Presentation May 2024
IoT Analytics Company Presentation May 2024IoT Analytics Company Presentation May 2024
IoT Analytics Company Presentation May 2024
 
UiPath Test Automation using UiPath Test Suite series, part 2
UiPath Test Automation using UiPath Test Suite series, part 2UiPath Test Automation using UiPath Test Suite series, part 2
UiPath Test Automation using UiPath Test Suite series, part 2
 
Demystifying gRPC in .Net by John Staveley
Demystifying gRPC in .Net by John StaveleyDemystifying gRPC in .Net by John Staveley
Demystifying gRPC in .Net by John Staveley
 
Linux Foundation Edge _ Overview of FDO Software Components _ Randy at Intel.pdf
Linux Foundation Edge _ Overview of FDO Software Components _ Randy at Intel.pdfLinux Foundation Edge _ Overview of FDO Software Components _ Randy at Intel.pdf
Linux Foundation Edge _ Overview of FDO Software Components _ Randy at Intel.pdf
 
FDO for Camera, Sensor and Networking Device – Commercial Solutions from VinC...
FDO for Camera, Sensor and Networking Device – Commercial Solutions from VinC...FDO for Camera, Sensor and Networking Device – Commercial Solutions from VinC...
FDO for Camera, Sensor and Networking Device – Commercial Solutions from VinC...
 
Measures in SQL (a talk at SF Distributed Systems meetup, 2024-05-22)
Measures in SQL (a talk at SF Distributed Systems meetup, 2024-05-22)Measures in SQL (a talk at SF Distributed Systems meetup, 2024-05-22)
Measures in SQL (a talk at SF Distributed Systems meetup, 2024-05-22)
 
A Business-Centric Approach to Design System Strategy
A Business-Centric Approach to Design System StrategyA Business-Centric Approach to Design System Strategy
A Business-Centric Approach to Design System Strategy
 
Salesforce Adoption – Metrics, Methods, and Motivation, Antone Kom
Salesforce Adoption – Metrics, Methods, and Motivation, Antone KomSalesforce Adoption – Metrics, Methods, and Motivation, Antone Kom
Salesforce Adoption – Metrics, Methods, and Motivation, Antone Kom
 
Buy Epson EcoTank L3210 Colour Printer Online.pptx
Buy Epson EcoTank L3210 Colour Printer Online.pptxBuy Epson EcoTank L3210 Colour Printer Online.pptx
Buy Epson EcoTank L3210 Colour Printer Online.pptx
 

ContainerConf 2022: Hijack Kubernetes

  • 1. Hijack a Kubernetes Cluster – a Walkthrough Continuous Lifecycle / Container Conf 2022
  • 2. Nico Meisenzahl • Head of DevOps Consulting & Operations at white duck • Microsoft MVP, GitLab Hero • Cloud Native, Kubernetes & Azure © white duck GmbH 2022 Email: nico.meisenzahl@whiteduck.de Twitter: @nmeisenzahl LinkedIn: https://www.linkedin.com/in/nicomeisenzahl Blog: https://meisenzahl.org
  • 3. About this talk • this is not an in-depth security talk • it should make you aware of common attack vectors and how to prevent them • you will see demos on how to hijack a cluster • you will learn how to prevent those with common best practices • three more slide, then we will start hijacking • https://github.com/nmeisenzahl/hijack-kubernetes © white duck GmbH 2022
  • 4. Why do we need to care about security? https://www.redhat.com/en/resources/state-kubernetes-security-report
  • 5. What we will do © white duck GmbH 2022
  • 7. Think about • ensure secure application / deployment code • build secure container images • implement Kubernetes policies • introduce Kubernetes Network policies • rely on Container Runtime Security • many more… © white duck GmbH 2022
  • 8. Security quick wins through the DevOps cycle © white duck GmbH 2022
  • 9. Ensure secure application code • automate and enforce code checks • schedule dependency scanning • Software Bill of Materials (SBOM) • Dependabot / Renovate • enforce Static Application Security Testing (SAST) in PRs • scans your code to identify potential security vulnerabilities • more details: https://owasp.org/www- community/Source_Code_Analysis_Tools © white duck GmbH 2022
  • 10. Build secure container images • build secure/small container images – less is more • do only include required dependencies (no debugging tools!) • use self-contained binaries, “distroless” or “(Un)distro” if possible • https://github.com/GoogleContainerTools/distroless • https://github.com/wolfi-dev/os • otherwise, use a small and secure Linux distro • use and enforce SAST for validating your Dockerfiles • scan your container images (on build and regularly) © white duck GmbH 2022
  • 11. Build secure container images • build secure/small container images – less is more • do only include required dependencies (no debugging tools!) • use self-contained binaries, “distroless” or “(Un)distro” if possible • https://github.com/GoogleContainerTools/distroless • https://github.com/wolfi-dev/os • otherwise, use a small and secure Linux distro • use and enforce SAST for validating your Dockerfiles • scan your container images (on build and regularly) © white duck GmbH 2022 Would have made it much harder to hijack the container and further expend Would have shown the possibility of code injection
  • 12. Ensure secure deployment code • as important as secure application code and Dockerfiles • validate your deployment manifests using SAST • and enforce them via PRs • can help you to implement best practices like denying • containers running as root • mounting hostPath • … © white duck GmbH 2022
  • 13. Ensure secure deployment code • as important as secure application code and Dockerfiles • validate your deployment manifests using SAST • and enforce them via PRs • can help you to implement best practices like denying • containers running as root • mounting hostPath • … © white duck GmbH 2022 Would have made it much harder to hijack the node
  • 14. Tooling • Source code • https://codeql.github.com • https://security-code-scan.github.io • https://securego.io • SBOM • https://github.com/anchore/syft • https://github.com/anchore/grype • Dockerfiles • https://github.com/aquasecurity/trivy • https://github.com/bridgecrewio/checkov • Kubernetes manifests • https://kubesec.io • https://github.com/aquasecurity/trivy • https://github.com/bridgecrewio/checkov • https://github.com/Checkmarx/kics • Terraform • https://github.com/tfsec/tfsec • https://github.com/aquasecurity/trivy • https://github.com/bridgecrewio/checkov © white duck GmbH 2022
  • 15. Kubernetes policies • enforce compliance and governance within clusters • verifying manifests is not enough! • examples include enforcement of • read-only filesystems • denying hostPath mounts • denying containers running as root • … © white duck GmbH 2022
  • 16. Kubernetes policies • enforce compliance and governance within clusters • verifying manifests is not enough! • examples include enforcement of • read-only filesystems • denying hostPath mounts • denying containers running as root • … © white duck GmbH 2022 Would have made it much harder to further hijack the nodes and cloud resources
  • 17. Kubernetes policy tooling • Pod Security Admission • stable since 1.25 • https://kubernetes.io/docs/concepts/security/pod-security- admission • Open Policy Agent Gatekeeper • https://github.com/open-policy-agent/gatekeeper • Kyverno • https://kyverno.io © white duck GmbH 2022
  • 18. Network Policies • granular deny or explicitly allow between containers and ingress/egress of the cluster • limit egress access to the internet • limit access between applications/namespaces • deny access to the Cloud provider metadata service • https://kubernetes.io/docs/concepts/services- networking/network-policies © white duck GmbH 2022
  • 19. Network Policies • granular deny or explicitly allow between containers and ingress/egress of the cluster • limit egress access to the internet • limit access between applications/namespaces • deny access to the Cloud provider metadata service • https://kubernetes.io/docs/concepts/services- networking/network-policies © white duck GmbH 2022 Would have denied network connections (reverse shell, Redis, Internet, metadata service)
  • 20. Container Runtime Security • helps to detect malicious threads and workloads • untrusted process within container • a shell is running inside a container • container process mounting a sensitive path • a process making outbound network connections • container runtime security tools like Falco of Tetragon can help • https://github.com/falcosecurity • https://github.com/cilium/tetragon © white duck GmbH 2022
  • 21. Container Runtime Security • helps to detect malicious threads and workloads • untrusted process within container • a shell is running inside a container • container process mounting a sensitive path • a process making outbound network connections • container runtime security tools like Falco of Tetragon can help • https://github.com/falcosecurity • https://github.com/cilium/tetragon © white duck GmbH 2022 Would have detect all our “work” within the containers
  • 22. Further best practises • do not • share service accounts between applications • enable higher access levels for the default service account if not required • mount service account token if not required • https://kubernetes.io/docs/tasks/configure-pod-container/configure-service- account/#use-the-default-service-account-to-access-the-api-server • changed with 1.24 • review all third-party snippets before applying them • implement a Web Application Firewall (WAF) to further secure your application © white duck GmbH 2022
  • 23. Further best practises • do not • share service accounts between applications • enable higher access levels for the default service account if not required • mount service account token if not required • https://kubernetes.io/docs/tasks/configure-pod-container/configure-service- account/#use-the-default-service-account-to-access-the-api-server • changed with 1.24 • review all third-party snippets before applying them • implement a Web Application Firewall (WAF) to further secure your application © white duck GmbH 2022 Wouldn’t have allowed us to talk to the API server Would have denied our code injection
  • 24. Questions? • Slides: https://www.slideshare.net/nmeisenzahl • Demo: https://github.com/nmeisenzahl/hijack-kubernetes © white duck GmbH 2022 Email: nico.meisenzahl@whiteduck.de Twitter: @nmeisenzahl LinkedIn: https://www.linkedin.com/in/nicomeisenzahl Blog: https://meisenzahl.org