This document provides an overview of attacking and defending Kubernetes clusters. It begins with introductions to containers, container orchestration with Kubernetes, and Kubernetes architecture and components. It then discusses the Kubernetes threat model and common attack vectors such as compromising nodes, pods, and secrets. The document outlines Kubernetes authentication and authorization methods like RBAC and discusses admission controllers. It covers securing Kubernetes with practices like pod security policies and network policies. Finally, it notes some limitations and gotchas regarding secrets management in Kubernetes.
[DevDay 2016] OpenStack and approaches for new users - Speaker: Chi Le – Head... | DevDay.org
OpenStack is an open source cloud computing platform providing infrastructure as a service (IaaS). The presentation will encapsulate the contents of OpenStack, amplified by practical demo and simple but effective guidelines to access OpenStack.
———
Speaker: Chi Le – Head of Infrastructure System at Da Nang ICT Infrastructure Development Center
OpenStack Identity - Keystone (liberty) by Lorenzo Carnevale and Silvio Tavilla | Lorenzo Carnevale
OpenStack Identity Service (Keystone) seminar.
Distributed Systems course at Engineering and Computer Science (ECS), University of Messina.
By Lorenzo Carnevale and Silvio Tavilla.
Seminar’s topics
❖ OpenStack Identity - Keystone (liberty)
❖ Installation and first configuration of Keystone
❖ Identity service configuration
➢ Identity API protection with RBAC
➢ Use Trusts
➢ Certificates for PKI
❖ Hierarchical Projects
❖ Identity API v3 client example
OpenStack Identity - Keystone (kilo) by Lorenzo Carnevale and Silvio Tavilla | Lorenzo Carnevale
OpenStack Identity Service (Keystone) seminar.
Distributed Systems course at Engineering and Computer Science (ECS), University of Messina.
By Lorenzo Carnevale and Silvio Tavilla.
Seminar’s topics
❖ OpenStack Identity - Keystone (kilo)
❖ Installation and first configuration of Keystone
❖ Workshop
❖ Identity service configuration
➢ Identity API protection with RBAC
➢ Use Trusts
➢ Certificates for PKI
❖ Hierarchical Projects
❖ Identity API v3 client example
Henry Nash, OpenStack Lead, CSI, IBM
The OpenStack project provides an open source Infrastructure as a Service (IaaS) platform. Its mission: to produce the ubiquitous Open Source Cloud Computing platform that will meet the needs of public and private clouds regardless of size, by being simple to implement and massively scalable. To this end, OpenStack is composed of a wide variety of sub-projects focused specifically on compute resources, network infrastructure, object and block storage, metering and orchestration - all of which are exposed via APIs.
This talk will introduce Keystone, the token-based identity component of OpenStack. It will cover the security needs and challenges around authentication and authorization for protecting the diverse needs of OpenStack projects, as well as ideas for solving these problems in the future.
Deep Dive into Keystone Tokens and Lessons Learned | Priti Desai
Keystone supports four different types of tokens: UUID, PKI, PKIZ, and Fernet. Let’s take a deep dive into:
Understanding token formats
Pros and Cons of each format in Production
Performance across multiple data centers
Token revocation workflow for each of the formats
Horizon usage of the different token types
We previously deployed UUID and PKI in Production and are now moving towards the latest format, Fernet. We would like to share our lessons learned with different formats and help you decide on which format is suitable for your cloud.
Building IAM for OpenStack, presented at CIS (Cloud Identity Summit) 2015.
Discuss Identity Sources, Authentication, Managing Access and Federating Identities
Security is often an afterthought; configured and applied at the last minute before rolling out a new system. Instaclustr has deployed Cassandra for customers with many different requirements.
From deployments in Heroku requiring total public access through to private data centres, we will walk you through securing Cassandra the right way.
Uploading the presentation given at the OpenStack Summit, Austin in April, 2016. The video link is here:
https://www.openstack.org/videos/video/multi-tenancy-for-docker-containers-with-keystone-and-adding-quota-limits
CIS 2015 - Building IAM for OpenStack - Steve Martinelli | CloudIDSummit
Keystone is the IAM project for OpenStack, and as such has to handle many different methods of deployment - On-Prem, Hybrid, Hosted - at many differing levels of scale. Some deployments are no more than a VM used for development purposes, while others are 100,000s of cores across multiple data centers and continents. This session will cover details of Keystone, what can be accomplished with it today, how OpenStack integrates with your enterprise identity solution, the OpenStack model of access management today and our plans for the future.
OpenStack Neutron Havana Overview - Oct 2013 | Edgar Magana
Presentation about OpenStack Neutron Overview presented during three meet-ups in NYC, Connecticut and Philadelphia during October 2013 by Edgar Magana from PLUMgrid
Prowler: Cloud Security Assessment, Auditing, Hardening, Compliance and Forensics Readiness Tool
Prowler helps to assess, audit and harden your AWS account configuration and resources. It also helps to check your configuration against CIS recommendations, and to check whether your cloud infrastructure is GDPR compliant or whether you are ready for a proper forensic investigation. It is a command line tool that provides direct and clear information about the security-related configuration status of a given AWS account; it performs more than 80 checks.
When companies endeavor to move their applications and services to the cloud, they tend to worry more about security up front. Interestingly, platforms such as Azure provide an even more secure environment than most self-managed co-location facilities can hope to offer, not to mention the plethora of features on the platform that help you secure your solutions end to end. In this session Michele will review the mini-avalanche that comprises Azure security across features. Taking the architect's view of the platform (with demos) she’ll cover best practices for securing Azure solutions end to end and discuss the tangential benefits of moving to Azure and how it can help you with checking the boxes on those pesky security surveys.
Kerberoasting has become the red team’s best friend over the past several years, with various tools being built to support this technique. However, by failing to understand a fundamental detail concerning account encryption support, we haven’t understood the entire picture. This talk will revisit our favorite TTP, bringing a deeper understanding to how the attack works, what we’ve been missing, and what new tooling and approaches to kerberoasting exist.
The Blockchain for the Internet of Things (IoT) has been considered to "change the future." Despite a myriad of studies on the blockchain IoT, few studies have investigated how an IoT blockchain system develops with open source technologies, open standards, web technologies, and a p2p network. In this presentation, Jollen will share the Flowchain case study, an open source IoT blockchain project in Node.js; he will discuss the practice, the technical challenges, and the engineering experiences. Furthermore, to provide real-time data transaction capabilities for current IoT requirements, he will use the "virtual block" idea to address such technical challenges.
In this webinar, we review the benefits of deploying a microservices architecture with Cassandra as your backbone in order to ensure your applications become incredibly reliable. We discuss in detail:
- How to create microservices in Node.js with ExpressJs and Seneca
- Tuning the Node.js driver for Cassandra: error handling, load balancing and degrees of parallelism
- Additional best practices to ensure your systems are highly performant and available
The sample service is available on GitHub: https://github.com/jorgebay/killr-service
12 Ways Not to get 'Hacked' your Kubernetes Cluster | Suman Chakraborty
Kubernetes enables enterprises to automate many aspects of application deployment, providing tremendous business benefits. This talk aims to discuss best practices around Kubernetes security and how threats and exploits can be mitigated, minimizing service disruption on the Kubernetes platform.
Kubernetes has been widely adopted. The next challenge in scaling Kubernetes through the organization is multi-tenancy. This session will walk through how we can do multi-tenancy on Kubernetes with access control, fair sharing, and isolation.
YouTube recording: https://youtu.be/oCEL-nWhc-w
TechTalkThai Conference: Kubernetes Trends
September 16, 2021
Appsecco Kubernetes Hacking Masterclass. The slides used during the class with links to the commands, scripts and setup information.
These slides are to be used with the masterclass video recording on YouTube -
Hands on exercises are highly recommended to get the most out of this class!
My cloud native security talk I gave at Innotech Austin 2018. I cover container and Kubernetes security topics, security features in Kubernetes, including open source projects you will want to consider while building and maintaining cloud native applications.
Consolidating Infrastructure with Azure Kubernetes Service | Eng Teong Cheah
In this session, see how Tailwind Traders took a containerized application and deployed it to Azure Kubernetes Service (AKS). You’ll walk away with a deep understanding of major Kubernetes concepts and how to put it all to use with industry standard tooling.
Everyone heard about Kubernetes. Everyone wants to use this tool. However, sometimes we forget about security, which is essential throughout the container lifecycle.
Therefore, our journey with Kubernetes security should begin in the build stage when writing the code becomes the container image.
Kubernetes provides innate security advantages, and together with solid container protection, it will be invincible.
During the sessions, we will review all those features and highlight which are mandatory to use. We will discuss the main vulnerabilities which may compromise your system.
Contacts:
LinkedIn - https://www.linkedin.com/in/vshynkar/
GitHub - https://github.com/sqerison
-------------------------------------------------------------------------------------
Materials from the video:
The policies and docker files examples:
https://gist.github.com/sqerison/43365e30ee62298d9757deeab7643a90
The repo with the helm chart used in a demo:
https://github.com/sqerison/argo-rollouts-demo
Tools shown in the last section:
https://github.com/armosec/kubescape
https://github.com/aquasecurity/kube-bench
https://github.com/controlplaneio/kubectl-kubesec
https://github.com/Shopify/kubeaudit#installation
https://github.com/eldadru/ksniff
Further learning:
A book released by CISA (Cybersecurity and Infrastructure Security Agency):
https://media.defense.gov/2021/Aug/03/2002820425/-1/-1/1/CTR_KUBERNETES%20HARDENING%20GUIDANCE.PDF
O'Reilly Kubernetes Security:
https://kubernetes-security.info/
O'Reilly Container Security:
https://info.aquasec.com/container-security-book
Thanks for watching!
Container security: Familiar problems in new technology | Frank Victory
Container adoption is on the rise across companies of every size and industry. While containerization is a new and exciting paradigm, it brings with it some of the same technical and organizational issues that security teams have always faced. This presentation will dive into a selection of these familiar issues and suggested solutions to help security teams get a better handle on containers and keep up with the deployment pace that DevOps requires.
Check out the Denver Chapter of OWASP!
meetup.com/denver-owasp and our annual conference
www.snowfroc.com
From Containerized Application to Secure and Scaling With Kubernetes | Shikha Srivastava
Discusses the following:
What does it really take to make sure your application is production ready?
With new privacy regulations being added, many aspects need to be taken into account when deciding whether your final application is ready for production.
Can your application handle multiple users with different levels of access?
Can you extend your application to use existing authentication and authorization platforms?
Have you invested in using Mutual TLS for communication between components?
How do you manage the certificates and passwords used within your product?
Is CICD your friend or your enemy when it comes to delivering your product?
Have you considered the availability and scalability of the application?
The presentation was given on 11/12/2018 at CloudExpo NY. The presentation talks about software portability approaches and technologies on Kubernetes, microservices, service mesh, and serverless platforms.
(SACON) Anand Tapikar - Attack vectors of Kubernetes infra. Are we on right ... | Priyanka Aash
Kubernetes (K8s) is an open-source system for automating deployment, scaling, and management of containerized applications. K8s groups containers that make up an application into logical units for easy management and discovery. It was originally designed by Google and is now maintained by the Cloud Native Computing Foundation. As organizations accelerate their adoption of containers and container orchestrators, they will need to take necessary steps to protect such a critical part of their compute infrastructure.
How this topic is relevant:
- 1 out of 5 organizations are going for container installation
- Container security attack vectors are rising
- Recently a major vulnerability was discovered in containers and got good media attention
6. Containers What??..
● OS-level virtualization for running multiple isolated* systems using host resources
● Abstraction layer that packages code and dependencies together
Copyright - we45, 2020
10. Kubernetes Architecture
[Diagram: User → User Interface (UI) / Command Line Interface (CLI) / API → Kubernetes Master (API Server, Scheduler, Controller, etcd) → Node 1, Node 2, Node 3, Node 4; Image Registry]
11. Kubernetes Terms
• Cluster => A collection of Worker Nodes (that run workloads) and a Kubernetes Master (that controls the workers)
• Node => A worker machine
• Pod => Smallest K8s object. Represents a set of running containers in the cluster
• Deployment => Object that manages a replicated application
• Service => An object that defines how applications are accessed. Typically describes ports and load balancers
14. The Kubernetes Threat Model
K8s Threat Model
User compromises the cluster
• Users can access the Cluster/Controller without authentication
• Users can access the Cluster with stolen secrets/tokens to perform sensitive operations on the Cluster
• User can tamper with user cert settings and gain access to the Cluster as a genuine user
• User has unrestricted access across the Cluster
• User has highly privileged access across the Cluster
Malicious App (Container) compromises the cluster
• Attacker is able to RCE into a container and subsequently gain access to other services, pods etc. on the Cluster to steal sensitive information
• Org runs a backdoored/compromised container in the Cluster that is able to access other resources on/across the cluster and steal sensitive information
• Attacker is able to perform CPU/mem-intensive ops across the cluster and bring it down
• Attacker gets a trojanized image to run on the cluster and compromises sensitive information
• Backdoored/compromised container accesses shared resources and runs ransomware / affects availability of shared resources
Compromise secrets
• Gain access to DB/FS/sensitive information
• Gain access to other namespaces for cross-cluster compromise
• Access Kube API and Controller to access K8s management sensitive info
Malicious node compromises the cluster
• Malicious node registers itself as a genuine node to the cluster and compromises the node therefrom
• Exploit against Node escalates privileges to Kube deployment and compromises cluster
15. K8s Services - Cluster
Port       Process         Description
4149/TCP   kubelet         Default port for container metrics
10250/TCP  kubelet         API that allows full node access
10255/TCP  kubelet         Unauthenticated read-only port with access to node state
10256/TCP  kube-proxy      Health check server for kube-proxy
9099/TCP   calico-felix    Health check for Calico/Canal (SDN)
6443/TCP   kube-apiserver  K8s API port
18. Application Layer
• Vulnerable Application - Insecure Deserialization
• Insecure Secrets Management - No Protection of Encryption Key
• Redis - No Authentication
19. Container Layer
• Running as "root"
• No Hardening of Container Runtime
• Insecure Secrets in Container Environment Variables
20. K8s Cluster Layer
• No Network Policy
  • Especially Egress Controls
• No Authentication or Access Control
• No Logical Segmentation - Namespaces
• No Pod Security Controls
• Lack of Monitoring
22. K8s Security Model
Set up a cluster
• Restrict access to kubectl
• Use RBAC
• Use a network policy
• Use namespaces
• Bootstrap TLS
Follow security hygiene
• Keep Kubernetes updated
• Use a minimal OS
• Use minimal IAM roles
• Use private IPs on your nodes
• Monitor access with audit logging
• Verify binaries that are deployed
Prevent known attacks
• Disable dashboard
• Disable default service account token
• Protect node metadata
• Scan images for known vulnerabilities
Prevent/limit impact of microservice compromise
• Set a pod security policy
• Protect secrets
• Consider sandboxing
• Limit the identity used by pods
• Use a service mesh for authentication/encryption
23. K8s Authentication and Access Control
• Authentication
• Access Control
• Admission Controller
24. K8s Authentication - Users
• Kubernetes has two types of users:
  • Service Accounts => Managed by Kubernetes
    • Managed by the K8s API, bound to specific namespaces
  • Normal Users => Managed by an outside service
• The user typing kubectl must authenticate or be an anonymous user
25. K8s Authentication Methods
• Authentication Strategies:
  • Client Certificates (X.509)
  • HTTP Basic Authentication
  • Bearer Tokens
  • Authentication Proxies or Webhook
  • LDAP, SAML, Kerberos
• You can use multiple authentication methods at once
26. Client Certificates
• Certificate Signing Request for user "abhay" who is part of two groups, "app1" and "app2"
• You can also use a comprehensive secrets management system like HashiCorp Vault to be the CA
openssl req -new -key abhay.pem -out abhay-csr.pem -subj "/CN=abhay/O=app1/O=app2"
27. Static Token File
• Inject Bearer Tokens into the Kubernetes cluster with the --token-auth-file=SOMEFILE CLI arg
• Token files CANNOT be changed without restarting the API Server
• Tokens are FOREVER. They last indefinitely
token,user,uid,"group1,group2,group3"
Authorization: Bearer 31ada4fd-adec-460c-809a-9e56ceb75269
28. HTTP Basic Auth - Static Password Files
• Similar to tokens
• Inject static password files into the K8s cluster with the flag --basic-auth-file=SOMEFILE
• Passwords CANNOT be changed without restarting the API Server
minikube mount $PWD:/var/lib/localkube/certs/pass
minikube start --extra-config=apiserver.basic-auth-file=/var/lib/localkube/certs/pass/mypass
Authorization: Basic Base64Encoded(username:password)
29. Authentication Proxies/Webhooks
• Authentication using Proxies/Webhooks
• OpenID Connect Tokens (OAuth2 flavor) - Azure Active Directory, Salesforce, Google
• Access Token returned with ID Token (JWT)
X-Remote-User: fido
X-Remote-Group: dogs
X-Remote-Group: dachshunds
X-Remote-Extra-Acme.com%2Fproject: some-project
X-Remote-Extra-Scopes: openid
X-Remote-Extra-Scopes: profile
30. Service Accounts
• You can create service accounts for services (CI, apps, etc.) to access the cluster to perform operations
• Example: Jenkins builds a new Docker image and deploys the image to the cluster in the staging namespace
• Service accounts typically use JWTs signed with the API server's TLS key OR a PEM key file provided by the user
$ kubectl create serviceaccount jenkins
serviceaccount "jenkins" created
$ kubectl get serviceaccounts jenkins -o yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  # ...
secrets:
- name: jenkins-token-1yvwg
31. Service Account Secrets
• Service account secrets for the namespace are injected into the Pod at the /run/secrets/kubernetes.io/serviceaccount path
$ kubectl get secret jenkins-token-1yvwg -o yaml
apiVersion: v1
data:
  ca.crt: (APISERVER'S CA BASE64 ENCODED)
  namespace: ZGVmYXVsdA==
  token: (BEARER TOKEN BASE64 ENCODED)
kind: Secret
metadata:
  # ...
type: kubernetes.io/service-account-token
32. Authorization - K8s
• K8s has a clear separation between Authentication (various strategies) and Authorization
• Types of Authorization:
  • Node
  • RBAC => Role Based Access Control
  • ABAC => Attribute Based Access Control
  • Webhooks
33. RBAC K8s Authorization
• RBAC Authorization refers to Roles that contain rules of Permissions
• Permissions are only additive (No Deny)
• Easy to manage when you have a clearly defined set of privileges for the roles
• Two Types:
  • ClusterRole => Role that applies across the Cluster (across Namespaces)
  • Role => applies to Permissions that work within a single namespace
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: default
  name: pod-reader
rules:
- apiGroups: [""] # "" indicates the core API group
  resources: ["pods"]
  verbs: ["get", "watch", "list"]
35. ABAC Authorization
• ABAC == "Attribute Based Access Control"
• Simple mapping (JSON) of user access to specific resources based on their attributes
• Load the ABAC policy with --authorization-policy-file=SomeFile; the format is one object per line
{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user": "alice", "namespace": "*", "resource": "*", "apiGroup": "*"}}
user 'alice' has access to all namespaces/resources in the cluster
{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user": "bob", "namespace": "owasp", "resource": "pods", "readonly": true}}
user 'bob' can only read pods in the 'owasp' namespace
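The two policy lines above, loaded from the one-object-per-line format and evaluated the way the ABAC authorizer matches them (an added example, not the deck's code and not the kube-apiserver implementation; group-based policies are left out for brevity):

```python
import json

# The two policy lines from the slide, in the format --authorization-policy-file
# expects (one JSON policy object per line). Added example, not kube-apiserver code.
POLICY_FILE = """
{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user": "alice", "namespace": "*", "resource": "*", "apiGroup": "*"}}
{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user": "bob", "namespace": "owasp", "resource": "pods", "readonly": true}}
"""

READ_ONLY_VERBS = {"get", "list", "watch"}   # what "readonly": true permits


def load_policies(text):
    """Parse the one-object-per-line policy file, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _policy_matches(spec, user, verb, namespace, resource, api_group):
    """All attributes must match: '*' is a wildcard and an unset string attribute
    matches only the empty value (so bob's policy covers only the core API group)."""
    if spec.get("user", "") not in ("*", user):   # group-based policies not modelled
        return False
    if spec.get("readonly", False) and verb not in READ_ONLY_VERBS:
        return False
    for key, value in (("namespace", namespace), ("resource", resource),
                       ("apiGroup", api_group)):
        if spec.get(key, "") not in ("*", value):
            return False
    return True


def is_allowed(policies, user, verb, namespace, resource, api_group=""):
    """ABAC is additive like RBAC: one matching policy is enough, none can deny."""
    return any(_policy_matches(p["spec"], user, verb, namespace, resource, api_group)
               for p in policies)


POLICIES = load_policies(POLICY_FILE)
```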
37. Admission Controllers
• An Admission Controller is an additional access control layer for the Kubernetes API
• Think of it like a validation filter that decides admission/rejection based on certain rules/features enabled
• Admission Controllers work AFTER the user/account is authenticated and authorized
• They are enabled based on the Cluster Administrator's configuration
kube-apiserver --enable-admission-plugins=NamespaceLifecycle,LimitRanger ...
38. Useful Admission Controller Plugins
• AlwaysPullImages => forces the pod image pull policy to Always. Ensures that private images are authenticated when there's a pull.
• DenyEscalatingExec => denies 'exec' or 'attach' operations to Pods that run with elevated privileges (host access): privileged Pods, host IPC namespace, host PID namespace
• EventRateLimit => rate limit for the K8s API. Prevents DoS
• LimitRanger => enforces the LimitRange directive to protect against excessive consumption by Pods
39. Useful Admission Controller Plugins - 2
• PodSecurityPolicy => multiple configuration parameters (including Seccomp, AppArmor, etc.) to protect Pods against attacks (rule based)
• NamespaceLifecycle => prevents loading resources into "to-be-deleted" namespaces. Also prevents resources being allocated in the default, kube-system and kube-public namespaces
• NodeRestriction => node authorization privileges for the kubelet
• ResourceQuota => enforces consumable resources by a Pod
40. Other Access Control Good Practices
• Secure/Disable Dashboard
  • Never run LoadBalancer on the Dashboard Service
• Leverage RBAC
• Create and Enforce controls on Namespaces
  • Logical Segmentation (however weak)
  • Better way to think about Access Control
42. Pod Security Policy
• Ruleset that defines specific rules for a Pod to run in a K8s cluster
• Optional, but highly recommended
• Admission Controller - disallows containers from being loaded on the Pod if they violate the rules
43. Pod Security Policy - Parameters
• Privileged/Unprivileged
• Host Namespaces
• Host Networking and Ports
• Volumes
• Paths
• User and Group IDs for the Containers
• Linux Capabilities
• SELinux
• AppArmor/Seccomp
• ReadOnly RootFS
• Allow/Disallow PrivilegeEscalation
44. Pod Security Policy - Example
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: restricted
  annotations:
    seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default'
    apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
    seccomp.security.alpha.kubernetes.io/defaultProfileName: 'docker/default'
    apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default'
spec:
  privileged: false
  # Required to prevent escalations to root.
  allowPrivilegeEscalation: false
  # This is redundant with non-root + disallow privilege escalation,
  # but we can provide it for defense in depth.
  requiredDropCapabilities:
    - ALL
  # Allow core volume types.
  volumes:
    - 'configMap'
    - 'emptyDir'
    - 'projected'
    - 'secret'
    - 'downwardAPI'
    # Assume that persistentVolumes set up by the cluster admin are safe to use.
    - 'persistentVolumeClaim'
  hostNetwork: false
  hostIPC: false
  hostPID: false
  runAsUser:
    # Require the container to run without root privileges.
    rule: 'MustRunAsNonRoot'
  seLinux:
    # This policy assumes the nodes are using AppArmor rather than SELinux.
    rule: 'RunAsAny'
  supplementalGroups:
    rule: 'MustRunAs'
    ranges:
      # Forbid adding the root group.
      - min: 1
        max: 65535
  fsGroup:
    rule: 'MustRunAs'
    ranges:
      # Forbid adding the root group.
      - min: 1
        max: 65535
  readOnlyRootFilesystem: false
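What the restricted policy above rejects becomes concrete when its rules are applied to a pod spec. The checker below is an added example (not the deck's code and not the PodSecurityPolicy admission controller, which also mutates specs before validating); the policy values are copied from the PSP above and the two sample pods are constructed.

```python
# Read-only check of a pod spec against the 'restricted' PodSecurityPolicy above.
# Added example, not the deck's code nor the PSP admission controller (which also
# mutates specs, e.g. defaults allowPrivilegeEscalation to false, before validating).

ALLOWED_VOLUMES = {"configMap", "emptyDir", "projected", "secret",
                   "downwardAPI", "persistentVolumeClaim"}
GID_MIN, GID_MAX = 1, 65535   # supplementalGroups / fsGroup MustRunAs range

def violations(pod):
    """Return the policy rules the pod would violate (empty list = admitted)."""
    spec = pod["spec"]
    pod_sc = spec.get("securityContext", {})
    found = []
    for flag in ("hostNetwork", "hostIPC", "hostPID"):
        if spec.get(flag, False):
            found.append(f"{flag} must be false")
    for vol in spec.get("volumes", []):
        vtype = next((k for k in vol if k != "name"), "unknown")  # e.g. 'hostPath'
        if vtype not in ALLOWED_VOLUMES:
            found.append(f"volume type {vtype} not allowed")
    gids = pod_sc.get("supplementalGroups", []) + [pod_sc.get("fsGroup", GID_MIN)]
    if any(not GID_MIN <= g <= GID_MAX for g in gids):
        found.append("group ID outside 1-65535 (root group forbidden)")
    for c in spec["containers"]:
        sc, name = c.get("securityContext", {}), c["name"]
        if sc.get("privileged", False):
            found.append(f"{name}: privileged")
        if sc.get("allowPrivilegeEscalation", False):
            found.append(f"{name}: allowPrivilegeEscalation")
        if "ALL" not in sc.get("capabilities", {}).get("drop", []):
            found.append(f"{name}: must drop ALL capabilities")
        # MustRunAsNonRoot: runAsNonRoot true or a non-zero runAsUser, at
        # container or pod level (container-level settings take precedence).
        uid = sc.get("runAsUser", pod_sc.get("runAsUser"))
        non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot", False))
        if uid == 0 or (uid is None and not non_root):
            found.append(f"{name}: must run as non-root")
    return found


# Constructed sample pods: one the policy rejects, one it admits.
BAD_POD = {"spec": {"hostNetwork": True,
                    "volumes": [{"name": "host", "hostPath": {"path": "/"}}],
                    "containers": [{"name": "app", "securityContext": {"privileged": True}}]}}
GOOD_POD = {"spec": {"securityContext": {"runAsNonRoot": True, "fsGroup": 2000},
                     "volumes": [{"name": "cfg", "configMap": {"name": "app-cfg"}}],
                     "containers": [{"name": "app", "securityContext": {
                         "allowPrivilegeEscalation": False,
                         "capabilities": {"drop": ["ALL"]}}}]}}
```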
47. Pod Security Policy - Gotchas
• AppArmor/Seccomp is not a silver bullet! Attackers can still perform network layer attacks if your apps are vulnerable
• Profiling syscalls for appropriate restrictions, especially for interpreted languages, is painful
• Doesn't protect against network layer attacks
49. K8s Secrets
• Kubernetes has a Secrets object that you can use to store secrets
• Secrets can be injected into the containers as ENVVARs or mounted file paths, or injected from files
• Access to Secrets can also be restricted with authorization systems
# from file
kubectl create secret generic db-user-pass --from-file=./username.txt --from-file=./password.txt
# from literal
kubectl create secret generic prod-db-secret --from-literal=username=produser --from-literal=password=Y4nys7f11
50. Points to Ponder…
• Secrets are NOT encrypted at rest
  • Not in memory
  • Not in etcd
• Injected Secrets (into the container) are in plaintext/base64-encoded
• K8s has an experimental plugin that encrypts secrets in etcd:
  • But they are still decrypted and injected into the container in plaintext
51. Secret Input/Output
• Input
  • Secrets from literals
  • Secrets from file/data
• Output
  • Volume mount
  • Environment variables
52. Secrets Gotchas
• Secrets get committed to repos (sometimes, public ones)
• Secrets can get exposed to unauthorized users within the cluster
• Secrets are available unencrypted in etcd and to cluster resources
54. Common Characteristics
• Secrets Management Solutions
  • Centralized storehouse of secrets and encrypted datasets
  • Secrets management solutions in the cloud - plethora of APIs and resources to handle this requirement
  • Data is decrypted before being injected into the cluster
  • Data is (usually) stored in etcd with encryption
55. Kubeseal - Sealed Secrets
• New third party resource from Bitnami Engineering
• Idea => Anyone can create a secret, but nobody but the controller can decrypt the secret
(Diagram: Life of a Sealed Secret) Secret -> kubeseal encrypts the secret -> Sealed Secret (safe to post publicly) -> Kubernetes cluster: decrypted by the controller -> Secret
56. Sealed Secrets - Process
(Diagram: Encryption Process; Decryption Process)
58. Dynamic Secrets
• Generated on-demand and unique to each client/pod
• Destroys the secret/credential when the lease expires
(Diagram) Vault: request DB credential -> create user… with password… -> return dynamic credential, valid for 7 days
60. Auditing kube-apiserver
• Helps Cluster Admins and Security teams answer the following:
  • What happened?
  • When?
  • Who initiated it?
  • What did it happen on?
  • Where was it observed?
  • Where was it initiated?
  • Where was it going?
61. Audit Policy Example
# Log all requests at RequestResponse level
apiVersion: audit.k8s.io/v1
kind: Policy
rules:
- level: RequestResponse
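With that policy in place the API server writes one audit Event per request, and the questions from the previous slide can be answered straight from those records. Below is an added example (not the deck's code) that parses a few constructed audit.k8s.io/v1 events of the kind written to --audit-log-path, answers who/what/when/where for each, and applies three simple defender-side triage rules; the events, users and IPs are constructed.

```python
import json

# Constructed kube-apiserver audit events (audit.k8s.io/v1 Event, one JSON object per
# line as written to --audit-log-path). Added example; not the deck's code.
SAMPLE_AUDIT_LOG = r'''
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse","auditID":"e1","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/default/pods","verb":"list","user":{"username":"abhay","groups":["app1","app2"]},"sourceIPs":["10.0.0.5"],"objectRef":{"resource":"pods","namespace":"default"},"responseStatus":{"code":200},"requestReceivedTimestamp":"2020-03-01T10:00:00.000000Z"}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse","auditID":"e2","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/default/secrets/prod-db-secret","verb":"get","user":{"username":"abhay","groups":["app1","app2"]},"sourceIPs":["10.0.0.5"],"objectRef":{"resource":"secrets","namespace":"default","name":"prod-db-secret"},"responseStatus":{"code":200},"requestReceivedTimestamp":"2020-03-01T10:00:05.000000Z"}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse","auditID":"e3","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/kube-system/pods/web/exec","verb":"create","user":{"username":"system:serviceaccount:default:jenkins","groups":["system:serviceaccounts"]},"sourceIPs":["10.0.1.9"],"objectRef":{"resource":"pods","namespace":"kube-system","name":"web","subresource":"exec"},"responseStatus":{"code":403},"requestReceivedTimestamp":"2020-03-01T10:01:00.000000Z"}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse","auditID":"e4","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/default/secrets/jenkins-token-1yvwg","verb":"get","user":{"username":"system:kube-controller-manager","groups":["system:authenticated"]},"sourceIPs":["10.0.0.1"],"objectRef":{"resource":"secrets","namespace":"default","name":"jenkins-token-1yvwg"},"responseStatus":{"code":200},"requestReceivedTimestamp":"2020-03-01T10:01:30.000000Z"}
'''


def parse_audit_log(text):
    """Load one audit Event per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def describe(event):
    """Answer the slide's questions (what, when, who, on what, from where) for one event."""
    ref = event.get("objectRef", {})
    target = "/".join(p for p in (ref.get("namespace"), ref.get("resource"),
                                  ref.get("name"), ref.get("subresource")) if p)
    return {"what": event["verb"], "when": event["requestReceivedTimestamp"],
            "who": event["user"]["username"], "on": target,
            "from": ",".join(event.get("sourceIPs", [])),
            "result": event.get("responseStatus", {}).get("code")}


def flag_events(events):
    """Defender-side triage rules over the parsed events; returns (auditID, reason) pairs."""
    flagged = []
    for ev in events:
        ref = ev.get("objectRef", {})
        who = ev["user"]["username"]
        code = ev.get("responseStatus", {}).get("code", 0)
        # 1. Secret reads by anything other than a system: component deserve review.
        if ref.get("resource") == "secrets" and not who.startswith("system:") and code < 300:
            flagged.append((ev["auditID"], f"secret {ref.get('name')} read by {who}"))
        # 2. Interactive access to containers (exec/attach) is rare in automation.
        if ref.get("subresource") in ("exec", "attach"):
            flagged.append((ev["auditID"], f"pod {ref.get('subresource')} by {who}"))
        # 3. Forbidden responses show a caller probing beyond its RBAC grants.
        if code == 403:
            flagged.append((ev["auditID"], f"403 for {who} on {ref.get('resource')}"))
    return flagged
```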
67. Potential flaws in K8s YAML Spec
● Storage of Sensitive Info in YAML resources
● Using unencrypted ENV vars and secrets
● Insecure Network, Volume/mountPath configurations
● Lack of resource limits in place
● Privileged access to pods
● Extensive Kernel Capabilities
68. K8s CIS-Benchmark Checks
● Setup Authentication and Authorization
● Secure Data in Transit
● Secure Data at Rest
● Employ Least Privileges
● Additional Runtime Controls
69. CIS Best-Practices - kube-bench
● Checks if the K8s deployment is secure by running the checks documented in the CIS K8s Benchmark
● Checks can be performed on both Master and Node machines
● Checks performed are stored as YAML specs, making them easy to modify
● Results are given in Pass, Fail and Info format
70. Scanning K8s Cluster - kube-hunter
● Scans for security issues on K8s clusters
● Has three scanning options
○ Remote Scanning: kube-hunter.py --remote some.node.com
○ Internal Scanning : kube-hunter.py --internal
○ Network Scanning: kube-hunter.py --cidr 192.168.0.0/24
● For a more ‘Attack’ like scan, ‘--active’ flag can be used.
○ Exploits vulnerabilities found to explore further
○ kube-hunter.py --remote some.domain.com --active
■ Can change state of the cluster, which could be harmful