15. @laceworklabs
EXPOSED API SERVER
• Handles all client interactions with the K8s API
• REST API
• Handles authentication and authorization
• Secure & insecure port by default
• Risks & Threats
• Access to the insecure port allows complete access to the cluster
• CVE-2018-1002105
• Information leaks
20. @laceworklabs
EXPOSED KUBELET
• Daemon on nodes to bridge compute resources, facilitate communication, and aid in pod health
• Risks & Threats
• Allows anonymous requests by default
• “AlwaysAllow” is the default authorization mode for authenticated requests
• Contains credentials that can be used to access other components in the cluster
21. @laceworklabs
EXEC ON RUNNING CONTAINER THROUGH KUBELET
• PoC by a Security Engineer @ Handy (K8s v1.9)
• Issue POST request to targeted Pod
• Follow with GET request via SPDY or websocket client
22. @laceworklabs
REPLAYING KUBELET CREDENTIALS
• SSRF in a vulnerable service used by Shopify
• Kubelet credentials leaked via the vulnerability
• Credentials replayed to gain root access in any container
24. @laceworklabs
ETCD
• Distributed key value datastore
• REST & gRPC APIs
• Responsible for storing objects, state, etc.
• Risks & Threats
• No authentication or encryption at rest by default
• Maintains cluster secrets
• The Luke Hemsworth of unsecured DBs
31. @laceworklabs
LATERAL MOVEMENT
• CVE-2017-1002101: allows containers using subPath volume mounts to access files or directories outside of the volume, including the host’s filesystem
• CVE-2019-5736: flaw in runc, allows potential container escape
• Privileged Containers: options for accessing the host system
• Service Accounts: default service accounts are overprivileged and have too much access that an attacker could leverage
• CVE-2018-1002105: authenticated users with permission to exec/attach/portforward could escalate to run additional commands against the Kubelet API
36. @laceworklabs
ROLE BASED ACCESS CONTROL
Critical for dividing up access
Segregates roles and permissions
Decreases attack surface
Reduce default permissions of service accounts
41. @laceworklabs
AUDIT LOGGING
Audit logging for ALL API requests
The API is the largest attack surface
Log as much as you can afford
Store them (cold storage such as Glacier is fine) and keep them available for querying
Audit logs are a big forensics firehose
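Two of the slides above (exec through the kubelet, and audit logging of all API requests) meet in the API server audit log: every exec/attach/portforward goes through a pods subresource that the API server proxies to the kubelet. The following is an added example, not code from the deck or from Lacework, that scans a few constructed audit.k8s.io/v1 events in JSON-lines form and flags anonymous requests, streaming subresource requests, and the 101 upgrade that shows the connection to the kubelet was actually established; the sample events are made up for the example.

```python
import json

# Constructed sample audit events (JSON lines), not taken from a real cluster.
SAMPLE_AUDIT_LOG = """\
{"level":"Metadata","stage":"ResponseComplete","verb":"get","user":{"username":"alice","groups":["system:authenticated"]},"objectRef":{"resource":"pods","namespace":"default","name":"web-0"},"responseStatus":{"code":200},"requestURI":"/api/v1/namespaces/default/pods/web-0"}
{"level":"RequestResponse","stage":"ResponseComplete","verb":"create","user":{"username":"bob","groups":["system:authenticated"]},"objectRef":{"resource":"pods","namespace":"default","name":"web-0","subresource":"exec"},"responseStatus":{"code":101},"requestURI":"/api/v1/namespaces/default/pods/web-0/exec?command=sh&stdin=true&tty=true"}
{"level":"Metadata","stage":"ResponseComplete","verb":"list","user":{"username":"system:anonymous","groups":["system:unauthenticated"]},"objectRef":{"resource":"secrets","namespace":"kube-system"},"responseStatus":{"code":403},"requestURI":"/api/v1/namespaces/kube-system/secrets"}
{"level":"Metadata","stage":"ResponseComplete","verb":"create","user":{"username":"system:serviceaccount:default:default","groups":["system:serviceaccounts"]},"objectRef":{"resource":"pods","namespace":"default","name":"db-0","subresource":"portforward"},"responseStatus":{"code":101},"requestURI":"/api/v1/namespaces/default/pods/db-0/portforward"}
"""

# Subresources that open a streaming connection from the API server to the kubelet;
# the exec-through-kubelet and CVE-2018-1002105 paths on this deck all go through them.
STREAMING_SUBRESOURCES = {"exec", "attach", "portforward"}


def classify_event(ev):
    """Return a list of finding tags for one audit event (empty list = nothing notable)."""
    findings = []
    user = ev.get("user", {})
    ref = ev.get("objectRef", {})
    code = ev.get("responseStatus", {}).get("code", 0)
    if user.get("username") == "system:anonymous":
        findings.append("anonymous-request")
    if ev.get("verb") == "create" and ref.get("subresource") in STREAMING_SUBRESOURCES:
        findings.append(f"pod-{ref['subresource']}")
        # 101 Switching Protocols: the request was upgraded (SPDY/websocket) to the kubelet.
        if code == 101:
            findings.append("upgraded")
        # Default service accounts normally have no reason to open exec/portforward sessions.
        if user.get("username", "").startswith("system:serviceaccount:"):
            findings.append("service-account-streaming")
    return findings


def scan_audit_log(text):
    """Parse JSON-lines audit output; return (username, namespace/name, findings) per hit."""
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        findings = classify_event(ev)
        if findings:
            ref = ev.get("objectRef", {})
            target = f"{ref.get('namespace', '-')}/{ref.get('name', ref.get('resource', '-'))}"
            hits.append((ev["user"]["username"], target, findings))
    return hits


if __name__ == "__main__":
    for user, target, findings in scan_audit_log(SAMPLE_AUDIT_LOG):
        print(f"{user:40} {target:22} {', '.join(findings)}")
```

These subresources only appear in the log if the audit policy records them at Metadata level or higher, so check the policy covers pods/exec, pods/attach and pods/portforward before relying on this.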
42. @laceworklabs
RT COMPLIANCE / CONFIG
CIS Benchmarks
Real-time / runtime auditing is critical
Infrastructure as code = wider paper cuts
Security vulnerabilities are often configuration issues
Identify, alert, fix, measure (repeat)
43. @laceworklabs
HOST LOGGING / HIDS / EDR
Ephemeral workloads make logging more important
Understand processes, applications, network
Building network “sensors” is hard / blind spots
Correlate IOCs + events (ML+)
Open source + SaaS options
Build / buy a centralized warehouse
Auditd, /proc, pcap, etc.
44. @laceworklabs
FINAL THOUGHTS
• K8s is complex: “5 minutes to deploy, 5 years to learn”
• Reported attacks are primarily cryptojacking, pivoting to the CSP, and data leaks
• Misconfiguration and pod compromise are the major vectors
• Use traditional security, DevSecOps, and K8s features to harden your cluster
45. @laceworklabs
RESOURCES
1. Tesla Exposed Dashboard: https://redlock.io/blog/cryptojacking-tesla
2. Weight Watchers Exposed Dashboard: https://kromtech.com/blog/security-center/weightwatchers-exposure-a-simple-yet-powerful-lesson-in-cloud-security
3. Lacework Containers at Risk Report: https://info.lacework.com/hubfs/Containers%20At-Risk_%20A%20Review%20of%2021,000%20Cloud%20Environments.pdf
4. CVE-2018-1002105 GitHub Page: https://github.com/kubernetes/kubernetes/issues/71411
5. Kubelet Reference Page: https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet-authentication-authorization/
6. Compromising Kubernetes Through Kubelet Blog: https://medium.com/handy-tech/analysis-of-a-kubernetes-hack-backdooring-through-kubelet-823be5c3d67c
7. Shopify Hack: https://hackerone.com/reports/341876
8. Exposed etcd Clusters Blog: https://elweb.co/the-security-footgun-in-etcd/
9. Lacework Exposed etcd Clusters Blog: https://www.lacework.com/etcd-thousands-of-clusters-open/
10. Backdoored Docker Images: https://arstechnica.com/information-technology/2018/06/backdoored-images-downloaded-5-million-times-finally-removed-from-docker-hub/
11. Twistlock Blog on CVE-2017-1002101: https://www.twistlock.com/labs-blog/deep-dive-severe-kubernetes-vulnerability-date-cve-2017-1002101/
12. Attacking and Defending a Kubernetes Cluster Webinar: https://vimeo.com/277901517
13. Kubernetes Illustrated Children's Guide: https://youtu.be/4ht22ReBjno