GitLab Commit DevOps: How GitLab Can Save your Kubernetes environment from Being Hijacked - a Walk-Through

•

0 likes•90 views

Cloud native environments are a double edged sword - used right, the benefits are immense. However, it also introduces multiple entry points for example security breaches. In this session, Nico will show how application vulnerabilities make it easy to hijack a Kubernetes cluster. He will also talk about why it's important to implement zero-trust to prevent data leaks and malicious workloads from being executed on a hijacked cluster. In addition, you will learn how GitLab can protect you from being hijacked. Nico will talk about how to create more secure applications by using Static Application Security Testing (SAST) as well as how to secure your Kubernetes cluster with Container Host Security, Container Network Security or a Web Application Firewall.

Technology

1
#GitLabCommit
How GitLab Can Save your Kubernetes environment
from Being Hijacked - a Walk-Through

2
#GitLabCommit
Nico Meisenzahl
● Senior Cloud & DevOps Consultant at white duck
● GitLab Hero, Microsoft MVP & Docker Community Leader
● Container, Kubernetes, Cloud-Native & DevOps
Phone: +49 8031 230159 0
Email: nico@whiteduck.de
Twitter: @nmeisenzahl
LinkedIn: https://www.linkedin.com/in/nicomeisenzahl
Blog: https://meisenzahl.org

3
#GitLabCommit
Agenda
● Demo: Hijack a Kubernetes cluster - a walk-through
● How GitLab can help to prevent an attack
● Container & Kubernetes security best practices

4
#GitLabCommit
#GitLabCommit
Demo:
Hijack a Kubernetes
cluster - a walk-through

5
#GitLabCommit
Hijack a Kubernetes cluster - a walk-through
● we will hijack the container due to a vulnerability in the code of a web
app
● we then use some available anti-patterns to gain further access within
the Kubernetes cluster

6
#GitLabCommit
Recap of the attack
● we inject custom code into the text box
○ played around a bit
○ opened a reverse shell into the container
● we used the privileged default Service Account to access the API
○ inspected secrets
○ scheduled a privileged Pod
With the privileged Pod, we could further hijack the cluster (access to
Nodes, the Control Plane and even other Cloud resources)

7
#GitLabCommit
#GitLabCommit
How GitLab can help to
prevent an attack

9
#GitLabCommit
Create stage
● Pair programming helps to get better and more eﬀicient code
● Required Merge Request Approvals allows to opt-in for multiple
sign-oﬀs (Premium, Ultimate)

10
#GitLabCommit
Secure stage
● Secret Detection analyzes Git history for leaked secrets
● Dependency Scanning analyzes your dependencies for known
vulnerabilities (Ultimate)
● Static Application Security Testing (SAST) analyzes source code for
known vulnerabilities (some features require Ultimate)
● Dynamic Application Security Testing (DAST) analyzes running web
applications for known vulnerabilities (Ultimate)
● API fuzzing finds unknown bugs and vulnerabilities in web APIs with
fuzzing (Ultimate)

11
#GitLabCommit
Configure stage
● Container Scanning scans containers for known vulnerabilities
(Ultimate)
● Auto DevOps helps to reduce the complexity of software delivery by
setting up pipelines and integrations for you

12
#GitLabCommit
Protect stage
● Web Application Firewall filters, monitors, and prevents HTTP based
attacks (deprecated, will get removed in GitLab 14.0)
● Container Host Security provides Intrusion Detection and Prevention
capabilities that can monitor and block activity inside the containers
themselves
● Container Network Security filters and secures the network traﬀic
inside a containerized environment to block attacks at the network layer
(some features require Ultimate)

13
#GitLabCommit
#GitLabCommit
Container Security &
further best practices

14
#GitLabCommit
Container & Kubernetes security best practices
● understand the manifests you apply
● do not share privileged service accounts
● deny untrusted registries
● enforce rootless containers
● enforce read-only filesystem at runtime
● deny privileged containers
● deny egress traﬀic
● use distroless containers if possible

15
#GitLabCommit
Questions?
Slides: https://www.slideshare.net/nmeisenzahl
Demo: https://gitlab.com/nico-meisenzahl/hijack-kubernetes
GitLab features: https://about.gitlab.com/features
Phone: +49 8031 230159 0
Email: nico.meisenzahl@whiteduck.de
Twitter: @nmeisenzahl
LinkedIn: https://www.linkedin.com/in/nicomeisenzahl
Blog: https://meisenzahl.org

What's hot

GitHub Actions 101

Nico Meisenzahl

Every time we start a new project or learn a new technology, we're looking for zero to hero guides to help us get started quickly and easily. In most cases, however, these guidelines are not intended to be production-ready and secure. Join Nico and dive into the secrets and best practices of how to create fast, secure and production-ready Dockerfiles for your .NET Microservice. Walk away and learn everything you need to take your container builds to the next level.

Azure Saturday Hamburg: Containerize Your .NET Microservice - the Right Way!

Nico Meisenzahl

In this session, Nico will talk about Helm and Operators as well as the battle between them. If you ever ask yourself one of the following questions, this talk is the right one for you: "Do I have to decide?" "Do I need to learn both?" "What are the best tools for my use-case?" In short: There is no battle. Both tools have different scopes. Nico will talk about the pros and cons, and what the projects themselves focus on. Join his talk to learn more!

DevOpsCon Berlin: Helm vs Operators – Do I Need to Decide?

Nico Meisenzahl

Nico will show how to hijack a Kubernetes cluster based on common attack vectors. You'll also learn why it's important to implement zero-trust to prevent data leaks and malicious workloads from being executed on a hijacked cluster. Furthermore, he will show you how to protect your cluster from being taken over by sharing useful insights, configurations, and toolsets. This talk is not intended to be an in-depth security talk, but to provide you with best practices and also make you aware of certain attack vectors and how to prevent them.

azdevcom - Hijack a Kubernetes Cluster

Nico Meisenzahl

In diesem Meetup möchten wir über Service Meshes sprechen. Was ist ein Service Mesh genau und wie funktioniert es? Wir klären euch auf! Wir starten den Abend mit einem Beispiel-Anwendung an der wir euch zeigen wie man Retry-, Timeout-Management sowie Circuit Breaker als Code implementiert um eine widerstandsfähige und belastbare Microservice zu erhalten. Des Weiteren zeigen wir auch die Implementierung von mutual TLS mit der eine sichere Kommunikation gewährleistet ist. Im Anschluss schauen wir uns nach einer Einleitung zu den Grundlagen von Service Meshes an wie man mit Hilfe von Istio die oben beschriebenen Funktionen abstrahieren und vom Code in die Infrastruktur verlagern kann. Abschließen geben wir einen Ausblick auf weitere Funktionen von Istio wie A/B testing und Fault Injection.

Was ist ein Service Mesh und wie funktioniert es?

Cloud Native Rosenheim Meetup

Learn how to eliminate any dependencies on your CI/CD build nodes and don’t bother yourself with multiple versions of your toolchain and any corresponding constraints. Walk away with knowledge and best practices that will help you to optimize your builds and deployments with containerized pipelines! Use containerized GitLab CI/CD pipelines and Kaniko to move your build and deployment workloads into your Kubernetes cluster. Build your apps and infrastructure without any external dependencies and constraints. If you are building a Go project, deploying an app to Kubernetes or just building your infrastructure. It doesn’t matter, anything is possible! Join Nico on a deep dive into the secrets of building hassle-free containerized build and deployment pipelines with GitLab CI/CD, Kubernetes and Kaniko.

Virtual GitLab Meetup: How Containerized Pipelines and Kubernetes Can Boost Y...

Nico Meisenzahl

Azure Rosenheim Meetup: Azure Service Operator

Nico Meisenzahl

Policy & Governance für Kubernetes

Nico Meisenzahl

Hijack a Kubernetes Cluster - a Walkthrough

Nico Meisenzahl

You are already running Kubernetes-based workloads on Azure Kubernetes Service and want to get more out of it? This is your session! In this talk, Nico will show you all the nice features you get with AKS besides just Kubernetes. Learn all the details about the available add-ons, integrations, and toolsets to integrate and secure your Kubernetes-based applications. Furthermore, Nico will give a preview of potential new features from the AKS roadmap.

Azure Zürich User Group: Azure Kubernetes Service – more than just a managed ...

Nico Meisenzahl

Join Nico to learn how to enhance your Kubernetes CI/CD pipelines with GitLab FOSS/CE features as well as Open Source projects. Learn how GitLab can help you to better integrate your CI/CD pipelines with Kubernetes. Nico will talk about newer GitLab FOSS/CE features like the Web Application Firewall for Kubernetes Ingress, Monitoring and Logging as well as Serverless with Knative. Besides this, you will also learn how Open Source projects like Kaniko and Kustomize can help you to streamline your pipelines. Walk away with knowledge and best practices that will help you to enhance your own Kubernetes CI/CD Pipelines with Gitlab and Open Source!

GitLab Remote Meetup: Enhance Your Kubernetes CI/CD Pipelines with GitLab & ...

Nico Meisenzahl

Join Nico, Philippe, and Wayne for a session full of Containers, Kubernetes, and security! In this talk, you will learn how GitLab Defend features can help you to effectively secure your applications and services. We will guide you through different features using real-scenarios use-cases and demos with demonstrations from the perspectives of a software developer, security engineer, and hacker. You will learn how to secure your application ingress using the Web Application Firewall, securing east-west application traffic with Container Network Security as well as threat detection with Container Behaviour Analytics. Everything within your GitLab project! Walk away and know everything you need to know to successfully secure your cloud native applications and services!

GitLab Commit: Your Attackers Won't Be Happy! How GitLab Can Help You Secure ...

Nico Meisenzahl

FestiveTechCalendar2021 - Have Yourself An Azure Container Registry

Philip Welz

The Future of Workflow Automation Is Now- Hassle-Free ARM Template Deploymen...

Nico Meisenzahl

Docker Rosenheim Meetup: Policy & Governance for Kubernetes

Nico Meisenzahl

EVE Microservices Platform

Alaa Qutaish

Learn how to eliminate any dependencies on your CI/CD build nodes and don’t bother yourself with multiple versions of your toolchain and any corresponding constraints. Walk away with knowledge and best practices that will help you to optimize your builds and deployments with containerized pipelines! Use containerized Gitlab CI/CD pipelines and Kaniko to move your build and deployment workloads into your Kubernetes cluster. Build your apps and infrastructure without any external dependencies and constraints. You are building a Go project, deploying an app to Kubernetes or building your infrastructure. It doesn’t matter. Anything is possible! Nico will also introduce you to Tekton - an open source project which helps you building a cloud native toolchain by moving your whole CI/CD into Kubernetes. Join Nico on a deep dive into the secrets of building hassle-free containerized build and deployment pipelines with Gitlab CI/CD, Kaniko and Tekton.

DevOps Gathering - How Containerized Pipelines Can Boost Your CI/CD

Nico Meisenzahl

Learn how to eliminate any dependencies on your CI/CD build nodes and don’t bother yourself with multiple versions of your toolchain and any corresponding constraints. Walk away with knowledge and best practices that will help you to optimize your builds and deployments with containerized pipelines Use containerized Gitlab CI/CD pipelines and Kaniko to move your build and deployment workloads into your Kubernetes cluster. Build your apps and infrastructure without any external dependencies and constraints. You are building a Go project, deploying an app to Kubernetes or building your infrastructure. It doesn’t matter. Anything is possible! Nico will also introduce you to Tekton – an open source project which helps you building a cloud native toolchain by moving your whole CI/CD into Kubernetes. Join Nico on a deep dive into the secrets of building hassle-free containerized build and deployment pipelines with Gitlab CI/CD, Kaniko and Tekton.

DevOpsCon London: How containerized Pipelines can boost your CI/CD

Nico Meisenzahl

Global Azure Bootcamp: Container, Docker & Kubernetes Basics

Nico Meisenzahl

What's hot (19)

GitHub Actions 101

Azure Saturday Hamburg: Containerize Your .NET Microservice - the Right Way!

DevOpsCon Berlin: Helm vs Operators – Do I Need to Decide?

azdevcom - Hijack a Kubernetes Cluster

Was ist ein Service Mesh und wie funktioniert es?

Virtual GitLab Meetup: How Containerized Pipelines and Kubernetes Can Boost Y...

Azure Rosenheim Meetup: Azure Service Operator

Policy & Governance für Kubernetes

Hijack a Kubernetes Cluster - a Walkthrough

Azure Zürich User Group: Azure Kubernetes Service – more than just a managed ...

GitLab Remote Meetup: Enhance Your Kubernetes CI/CD Pipelines with GitLab & ...

GitLab Commit: Your Attackers Won't Be Happy! How GitLab Can Help You Secure ...

FestiveTechCalendar2021 - Have Yourself An Azure Container Registry

The Future of Workflow Automation Is Now- Hassle-Free ARM Template Deploymen...

Docker Rosenheim Meetup: Policy & Governance for Kubernetes

EVE Microservices Platform

DevOps Gathering - How Containerized Pipelines Can Boost Your CI/CD

DevOpsCon London: How containerized Pipelines can boost your CI/CD

Global Azure Bootcamp: Container, Docker & Kubernetes Basics

Similar to GitLab Commit DevOps: How GitLab Can Save your Kubernetes environment from Being Hijacked - a Walk-Through

Join us for a webinar on securing the DevOps lifecycle with GitOps. Explore the best defenses for common security threats to code repositories, and see how to apply GitOps best practices to your CICD pipelines for Kubernetes. The adoption of GitOps already increases the security and stability of your Kubernetes deployment pipelines, keeping your deployment credentials and other secrets inside of the cluster. Although GitOps improves CICD pipeline security, it shifts the security burden to Git itself. For organizations who wish to defend themselves from malicious internal or external actors, or who operate under high compliance requirements, implementing additional security measures to Git provides identity guarantees, automation of change control, and detailed audit trails. In this webinar, we’ll discuss 4 common Git attacks and how to mitigate them: 1. User impersonation 2. Malicious user tampering with the repository’s history 3. Malicious user attacking the Git platform 4. Historical attacks on Git clients and their impact

Continuous Security for GitOps

Weaveworks

FOSDEM 2017: GitLab CI

OlinData

Detecting secrets in code committed to gitlab (in real time)

Chandrapal Badshah

Learn how to eliminate any dependencies between tool chains and local machines, and never again ask if Terraform CLI can be upgraded without breaking all projects. In this session, Nico will share best practices that will help attendees to optimize their Infrastructure deployment with GitLab CI pipelines. With GitLab CI, Nico will demonstrate how to build containerized pipelines to deploy infrastructure without any external dependencies and constraints. Join Nico on a deep dive into the secrets of building hassle-free infrastructure pipelines with GitLab CI.

Gitlab Commit: How Containerized GitLab CI Pipelines Can Help You Streamline ...

Nico Meisenzahl

Everyone heard about Kubernetes. Everyone wants to use this tool. However, sometimes we forget about security, which is essential throughout the container lifecycle. Therefore, our journey with Kubernetes security should begin in the build stage when writing the code becomes the container image. Kubernetes provides innate security advantages, and together with solid container protection, it will be invincible. During the sessions, we will review all those features and highlight which are mandatory to use. We will discuss the main vulnerabilities which may cause compromising your system. Contacts: LinkedIn - https://www.linkedin.com/in/vshynkar/ GitHub - https://github.com/sqerison ------------------------------------------------------------------------------------- Materials from the video: The policies and docker files examples: https://gist.github.com/sqerison/43365e30ee62298d9757deeab7643a90 The repo with the helm chart used in a demo: https://github.com/sqerison/argo-rollouts-demo Tools that showed in the last section: https://github.com/armosec/kubescape https://github.com/aquasecurity/kube-bench https://github.com/controlplaneio/kubectl-kubesec https://github.com/Shopify/kubeaudit#installation https://github.com/eldadru/ksniff Further learning. A book released by CISA (Cybersecurity and Infrastructure Security Agency): https://media.defense.gov/2021/Aug/03/2002820425/-1/-1/1/CTR_KUBERNETES%20HARDENING%20GUIDANCE.PDF O`REILLY Kubernetes Security: https://kubernetes-security.info/ O`REILLY Container Security: https://info.aquasec.com/container-security-book Thanks for watching!

Kubernetes and container security

Volodymyr Shynkar

Git Gerrit Mit Teamforge

CollabNet

Talk on the GitLab Commit 2020: Join us to learn how we helped one of the largest financial services institutions in the world shape their cloud strategy using GitLab and Terraform. Starting on a cloud journey brings so many questions around resource provisioning & management, security, compliance, how to enable the team with easy access to definitions, and keep everyone updated. As we know, the most reliable source of truth is the code, so the use of infrastructure as code paired with an inner-source process is a solid foundation.

[2020 git lab commit] continuous infrastructure

Rodrigo Stefani Domingues

Deploy 22 microservices from scratch in 30 mins with GitOps

Opsta

Git/Gerrit with TeamForge

CollabNet

Kubernetes provides an automated platform to deployment, scaling and operations of applications across a cluster of hosts. Complementing Kubernetes with a series of build scripts in conjunction with Travis-CI, GitHub, Artifactory, and Google Cloud Platform, we can take code from a merged pull request to a deployed environment with no manual intervention on a highly scaleable and robust infrastructure.

GCP - Continuous Integration and Delivery into Kubernetes with GitHub, Travis...

Oleg Shalygin

By J. Henry Hinnefeld PyData New York City 2017 Git is a powerful tool for code versioning. If you follow its best practices and have good ‘commit hygiene’ it can also be a source of valuable data about your coding practices. In this talk I’ll describe a system we built at Civis that uses the metadata git collects, along with its logging and ‘blaming’ functionality to score commits in real time on their likelihood of introducing a bug.

Git risky using git metadata to predict code bug risk

PyData

Node.js Service - Best practices in 2019

Olivier Loverde

Container Days: Hijack a Kubernetes Cluster - a Walkthrough

Nico Meisenzahl

How GitLab and HackerOne help organizations innovate faster without compromis...

HackerOne

K8Guard - An Auditing System For Kubernetes

Medya Ghazizadeh

In the last decade, the way software is developed and deployed has completely changed, yet the way we secure it has stood still. Today, developers use Git and open source and deploy via devops to the cloud. All of this has introduced security risks that are being exploited by hackers. In this one hour webinar, learn the top threats facing companies from their code environments and how to address them. You will learn: How Git-based environments post a threat to enterprise security Why companies lack visibility into who has downloaded their code on unprotected devices How to mitigate the threats from code without altering or slowing down the software development process How code security must fit into an overall information security strategy Who should attend: CISOs or infosec directors Devsecops leaders and engineers Appsec leaders and engineers

Preventing Code Leaks & Other Critical Security Risks from Code

DevOps.com

Github security bug bounty hunting

vinoth kumar

Cncf checkov and bridgecrew

LibbySchulze

Rooted con 2020 - from the heaven to hell in the CI - CD

Daniel Garcia (a.k.a cr0hn)

Kubernetes 101 for_penetration_testers_-_null_mumbai

n|u - The Open Security Community

Similar to GitLab Commit DevOps: How GitLab Can Save your Kubernetes environment from Being Hijacked - a Walk-Through (20)

Continuous Security for GitOps

FOSDEM 2017: GitLab CI

Detecting secrets in code committed to gitlab (in real time)

Gitlab Commit: How Containerized GitLab CI Pipelines Can Help You Streamline ...

Kubernetes and container security

Git Gerrit Mit Teamforge

[2020 git lab commit] continuous infrastructure

Deploy 22 microservices from scratch in 30 mins with GitOps

Git/Gerrit with TeamForge

GCP - Continuous Integration and Delivery into Kubernetes with GitHub, Travis...

Git risky using git metadata to predict code bug risk

Node.js Service - Best practices in 2019

Container Days: Hijack a Kubernetes Cluster - a Walkthrough

How GitLab and HackerOne help organizations innovate faster without compromis...

K8Guard - An Auditing System For Kubernetes

Preventing Code Leaks & Other Critical Security Risks from Code

Github security bug bounty hunting

Cncf checkov and bridgecrew

Rooted con 2020 - from the heaven to hell in the CI - CD

Kubernetes 101 for_penetration_testers_-_null_mumbai

More from Nico Meisenzahl

Cloud-native technologies have revolutionized the way we build and deploy applications, enabling greater scalability, flexibility, and reliability. In this talk, Nico will explore the concept of sustainability in the context of cloud-native workloads and discuss the benefits of building sustainable applications. Nico will cover best practices for designing and implementing sustainable cloud-native workloads, as well as share real-world examples. This talk will guide you through the technical details of sustainable cloud-native workloads and provide actionable steps for everyone interested in building sustainable applications in the cloud.

Cloud-Native & Sustainability: How and Why to Build Sustainable Workloads

Nico Meisenzahl

Nico will show how to prevent your Kubernetes cluster from being hijacked by introducing you to best practices as well as useful open-source projects based on real-world examples. You’ll learn everything you need to know to build and run secure Kubernetes clusters including: - basics like shift left and container image security - ensure supply chain security - implement Kubernetes policies - introduce Kubernetes network security - rely on Container Runtime Security - many more… Don't miss this session to learn everything you need to know to securely run your Kubernetes-based workloads.

Container Day Security: How to Prevent Your Kubernetes Cluster From Being Hacked

Nico Meisenzahl

Festive Tech Calendar: Festive time with AKS networking

Nico Meisenzahl

ContainerConf 2022: Hijack Kubernetes

Nico Meisenzahl

ContainerConf 2022: Kubernetes is awesome - but...

Nico Meisenzahl

KCD Munich 2022: How to Prevent Your Kubernetes Cluster From Being Hacked

Nico Meisenzahl

KCD Munich 2022: Hijack a Kubernetes Cluster - a Walkthrough

Nico Meisenzahl

… you should also know when not to use it. This is what Philip and Nico will talk about in this session. They will share all the things they have learned and seen over the past years. Philip and Nico share real-world examples of what they've seen in projects and tell you what went wrong and what could have been done better. And why Kubernetes has been the wrong choice for some of them. Applications and use-cases that do not fit Kubernetes are just one example we will talk about. Join this talk to learn how to take full advantage of Kubernetes and learn where it fits to run your workload successfully. That said: We love Kubernetes!

Cloud Love Conference: Kubernetes is awesome, but...

Nico Meisenzahl

How to Prevent Your Kubernetes Cluster From Being Hacked

Nico Meisenzahl

Hijack a Kubernetes Cluster - a Walkthrough

Nico Meisenzahl

Microsoft DevOps Forum 2021 – DevOps & Security

Nico Meisenzahl

In this talk, Nico will introduce you to the Azure Service Operator project. The Azure Service Operator allows you to manage your Azure resources with a cloud-native approach using a Kubernetes Controllers and Custom Resource Definitions (CRDs). We will show you how Azure Service Operator works and share how customers and partners use it to take their Azure infrastructure management to the next level. Get insights into how Azure Service Operator can help you to package your application with its infrastructure dependencies, how you can use a GitOps approach to manage your Azure infrastructure, or how Azure Service Operator allows you to create your own composable abstraction to build your own implementations and self-service solutions. Walk away and know everything you need to know to successfully provision your Azure resources with Azure Service Operator.

Azure Service Operator - Provision Your Resources in a Cloud-Native Way

Nico Meisenzahl

Lernen Sie, wie Sie mit containerisierten Pipelines Abhängigkeiten in Ihren CI/CD-Umgebung eliminieren, um sich nicht mit verschiedenen Versionen Ihrer Toolchain und Abhängigkeiten herumschlagen zu müssen. Nutzen Sie die containerisierten Gitlab CI/CD-Pipelines und Kaniko, um Build- und Deployment-Workloads in Ihrem Kubernetes-Cluster zu verlagern. Stellen Sie Ihre Microservices und/oder Infrastruktur ohne externe Abhängigkeiten und Einschränkungen bereit. Nico wird Sie auch in Tekton einführen - ein Open-Source-Projekt, das Ihnen hilft, eine Cloud-native Toolchain aufzubauen, indem Sie Ihr gesamtes CI/CD (Workload sowie Konfiguration) in Kubernetes verlagern. Begleiten Sie Nico auf einem Deep Dive in die Geheimnisse von containerisierten Build und Deployment Pipelines mit Gitlab CI/CD, Kaniko und Tekton.

Effiziente CI/CD-Pipelines – mit den richtigen Tools klappt das

Nico Meisenzahl

More from Nico Meisenzahl (13)

Cloud-Native & Sustainability: How and Why to Build Sustainable Workloads

Container Day Security: How to Prevent Your Kubernetes Cluster From Being Hacked

Festive Tech Calendar: Festive time with AKS networking

ContainerConf 2022: Hijack Kubernetes

ContainerConf 2022: Kubernetes is awesome - but...

KCD Munich 2022: How to Prevent Your Kubernetes Cluster From Being Hacked

KCD Munich 2022: Hijack a Kubernetes Cluster - a Walkthrough

Cloud Love Conference: Kubernetes is awesome, but...

How to Prevent Your Kubernetes Cluster From Being Hacked

Hijack a Kubernetes Cluster - a Walkthrough

Microsoft DevOps Forum 2021 – DevOps & Security

Azure Service Operator - Provision Your Resources in a Cloud-Native Way

Effiziente CI/CD-Pipelines – mit den richtigen Tools klappt das

Recently uploaded

New customer? New industry? New cloud? New team? A lot to handle! How to ensure the success of the project? Start it well! I've created the 3 areas of focus at the beginning of the project that helped me in multiple roles (BA, PO, and Consultant). Learn from real-world experiences and discover how these insights can empower you to deliver unparalleled value to your customers right from the project's start.

Powerful Start- the Key to Project Success, Barbara Laskowska

CzechDreamin

The standard Salesforce Approval process can be limiting in many ways, especially in complex scenarios. What if there was a way to implement very flexible approvals where one can use Apex code to make data updates in unrelated records, dynamically generate next steps details, and compute assignees on the fly? And still use UI-based configurations to implement concrete approval processes. In this session, we will share ideas behind such a solution and show a few lines of code to get you started.

Custom Approval Process: A New Perspective, Pavel Hrbacek & Anindya Halder

CzechDreamin

IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx

Abida Shariff

Sidekick Solutions uses Bonterra Impact Management (fka Social Solutions Apricot) and automation solutions to integrate data for business workflows. We believe integration and automation are essential to user experience and the promise of efficient work through technology. Automation is the critical ingredient to realizing that full vision. We develop integration products and services for Bonterra Case Management software to support the deployment of automations for a variety of use cases. This video focuses on the notifications, alerts, and approval requests using Slack for Bonterra Impact Management. The solutions covered in this webinar can also be deployed for Microsoft Teams. Interested in deploying notification automations for Bonterra Impact Management? Contact us at sales@sidekicksolutionsllc.com to discuss next steps.

Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...

Jeffrey Haguewood

Watch this recorded webinar about real-time monitoring of application performance. See how to integrate Apache JMeter, the open-source leader in performance testing, with InfluxDB, the open-source time-series database, and Grafana, the open-source analytics and visualization application. In this webinar, we will review the benefits of leveraging InfluxDB and Grafana when executing load tests and demonstrate how these tools are used to visualize performance metrics. Length: 30 minutes Session Overview ------------------------------------------- During this webinar, we will cover the following topics while demonstrating the integrations of JMeter, InfluxDB and Grafana: - What out-of-the-box solutions are available for real-time monitoring JMeter tests? - What are the benefits of integrating InfluxDB and Grafana into the load testing stack? - Which features are provided by Grafana? - Demonstration of InfluxDB and Grafana using a practice web application To view the webinar recording, go to: https://www.rttsweb.com/jmeter-integration-webinar

JMeter webinar - integration with InfluxDB and Grafana

RTTS

Explore the core of Salesforce success in 'Salesforce Adoption – Metrics, Methods, and Motivation.' We will discuss essential metrics, effective methods to drive adoption, and the driving force behind user engagement and explore strategies for onboarding, training, and continuous support that empower users to navigate the platform seamlessly. By leveraging these tools, you can effectively measure adoption against your company’s goals and create an environment where users not only adopt Salesforce but actively contribute to its ongoing success.

Salesforce Adoption – Metrics, Methods, and Motivation, Antone Kom

CzechDreamin

Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...

Product School

This talk focuses on the practical aspects of integrating various telephony systems with Salesforce, drawing on examples from implementations in the Czech scene. It aims to inform attendees about the spectrum of telephony solutions available, from small to large scale, and their compatibility with Salesforce. The presentation will highlight key considerations for selecting a telephony provider that integrates smoothly with Salesforce, including important questions to support the decision-making process. It will also discuss methods for integrating existing telephony systems with Salesforce, aimed at companies contemplating or in the process of adopting this CRM platform. The discussion is designed to provide a straightforward overview of the steps and considerations involved in telephony and Salesforce integration, with an emphasis on functionality, compatibility, and the practical experiences of Czech companies.

Integrating Telephony Systems with Salesforce: Insights and Considerations, B...

CzechDreamin

IESVE for Early Stage Design and Planning

IES VE

ScyllaDB has the potential to deliver impressive performance and scalability. The better you understand how it works, the more you can squeeze out of it. But before you squeeze, make sure you know what to monitor! Watch our experienced Postgres developer work through monitoring and performance strategies that help him understand what mistakes he’s made moving to NoSQL. And learn with him as our database performance expert offers friendly guidance on how to use monitoring and performance tuning to get his sample Rust application on the right track. This webinar focuses on using monitoring and performance tuning to discover and correct mistakes that commonly occur when developers move from SQL to NoSQL. For example: - Common issues getting up and running with the monitoring stack - Using the CQL optimizations dashboard - Common issues causing high latency in a node - Common issues causing replica imbalance - What a healthy system looks like in terms of memory - Key metrics to keep an eye on This isn’t “Death-by-Powerpoint.” We’ll walk through problems encountered while migrating a real application from Postgres to ScyllaDB – and try to fix them live as well.

Optimizing NoSQL Performance Through Observability

ScyllaDB

Mission to Decommission: Importance of Decommissioning Products to Increase E...

Product School

I'm excited to share my latest predictions on how AI, robotics, and other technological advancements will reshape industries in the coming years. The slides explore the exponential growth of computational power, the future of AI and robotics, and their profound impact on various sectors. Why this matters: The success of new products and investments hinges on precise timing and foresight into emerging categories. This deck equips founders, VCs, and industry leaders with insights to align future products with upcoming tech developments. These insights enhance the ability to forecast industry trends, improve market timing, and predict competitor actions. Highlights: ▪ Exponential Growth in Compute: How $1000 will soon buy the computational power of a human brain ▪ Scaling of AI Models: The journey towards beyond human-scale models and intelligent edge computing ▪ Transformative Technologies: From advanced robotics and brain interfaces to automated healthcare and beyond ▪ Future of Work: How automation will redefine jobs and economic structures by 2040 With so many predictions presented here, some will inevitably be wrong or mistimed, especially with potential external disruptions. For instance, a conflict in Taiwan could severely impact global semiconductor production, affecting compute costs and related advancements. Nonetheless, these slides are intended to guide intuition on future technological trends.

Future Visions: Predictions to Guide and Time Tech Innovation, Peter Udo Diehl

Peter Udo Diehl

As AI technology is pushing into IT I was wondering myself, as an “infrastructure container kubernetes guy”, how get this fancy AI technology get managed from an infrastructure operational view? Is it possible to apply our lovely cloud native principals as well? What benefit’s both technologies could bring to each other? Let me take this questions and provide you a short journey through existing deployment models and use cases for AI software. On practical examples, we discuss what cloud/on-premise strategy we may need for applying it to our own infrastructure to get it to work from an enterprise perspective. I want to give an overview about infrastructure requirements and technologies, what could be beneficial or limiting your AI use cases in an enterprise environment. An interactive Demo will give you some insides, what approaches I got already working for real.

Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024

Tobias Schneck

ODC, Data Fabric and Architecture User Group

CatarinaPereira64715

In this insightful webinar, Inflectra explores how artificial intelligence (AI) is transforming software development and testing. Discover how AI-powered tools are revolutionizing every stage of the software development lifecycle (SDLC), from design and prototyping to testing, deployment, and monitoring. Learn about: • The Future of Testing: How AI is shifting testing towards verification, analysis, and higher-level skills, while reducing repetitive tasks. • Test Automation: How AI-powered test case generation, optimization, and self-healing tests are making testing more efficient and effective. • Visual Testing: Explore the emerging capabilities of AI in visual testing and how it's set to revolutionize UI verification. • Inflectra's AI Solutions: See demonstrations of Inflectra's cutting-edge AI tools like the ChatGPT plugin and Azure Open AI platform, designed to streamline your testing process. Whether you're a developer, tester, or QA professional, this webinar will give you valuable insights into how AI is shaping the future of software delivery.

Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality

Inflectra

To Graph or Not to Graph Knowledge Graph Architectures and LLMs

Paul Groth

Key Trends Shaping the Future of Infrastructure.pdf

Cheryl Hung

From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...

Product School

You’ve heard good data matters in Machine Learning, but does it matter for Generative AI applications? Corporate data often differs significantly from the general Internet data used to train most foundation models. Join me for a demo on building an open source RAG (Retrieval Augmented Generation) stack using Milvus vector database for Retrieval, LangChain, Llama 3 with Ollama, Ragas RAG Eval, and optional Zilliz cloud, OpenAI.

Introduction to Open Source RAG and RAG Evaluation

Zilliz

We're living the AI revolution and Salesforce is adapting and bring new value to their customers. Einstein products are evolving rapidly and navigating their limitations, language support, and use cases can be challenging. Let's make review of what Einstein product are available currently, what are the capabilities and what can be used for in CEE region and how Rossie.ai can help to learn Salesforce speak Czech. We will explore the Einstein roadmap and I will make a short live demo (based on your vote) of some Einstein feature.

AI revolution and Salesforce, Jiří Karpíšek

CzechDreamin

Recently uploaded (20)

Powerful Start- the Key to Project Success, Barbara Laskowska

Custom Approval Process: A New Perspective, Pavel Hrbacek & Anindya Halder

IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx

Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...

JMeter webinar - integration with InfluxDB and Grafana

Salesforce Adoption – Metrics, Methods, and Motivation, Antone Kom

Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...

Integrating Telephony Systems with Salesforce: Insights and Considerations, B...

IESVE for Early Stage Design and Planning

Optimizing NoSQL Performance Through Observability

Mission to Decommission: Importance of Decommissioning Products to Increase E...

Future Visions: Predictions to Guide and Time Tech Innovation, Peter Udo Diehl

Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024

ODC, Data Fabric and Architecture User Group

Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality

To Graph or Not to Graph Knowledge Graph Architectures and LLMs

Key Trends Shaping the Future of Infrastructure.pdf

From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...

Introduction to Open Source RAG and RAG Evaluation

AI revolution and Salesforce, Jiří Karpíšek

GitLab Commit DevOps: How GitLab Can Save your Kubernetes environment from Being Hijacked - a Walk-Through

1. 1 #GitLabCommit How GitLab Can Save your Kubernetes environment from Being Hijacked - a Walk-Through

2. 2 #GitLabCommit Nico Meisenzahl ● Senior Cloud & DevOps Consultant at white duck ● GitLab Hero, Microsoft MVP & Docker Community Leader ● Container, Kubernetes, Cloud-Native & DevOps Phone: +49 8031 230159 0 Email: nico@whiteduck.de Twitter: @nmeisenzahl LinkedIn: https://www.linkedin.com/in/nicomeisenzahl Blog: https://meisenzahl.org

3. 3 #GitLabCommit Agenda ● Demo: Hijack a Kubernetes cluster - a walk-through ● How GitLab can help to prevent an attack ● Container & Kubernetes security best practices

4. 4 #GitLabCommit #GitLabCommit Demo: Hijack a Kubernetes cluster - a walk-through

5. 5 #GitLabCommit Hijack a Kubernetes cluster - a walk-through ● we will hijack the container due to a vulnerability in the code of a web app ● we then use some available anti-patterns to gain further access within the Kubernetes cluster

6. 6 #GitLabCommit Recap of the attack ● we inject custom code into the text box ○ played around a bit ○ opened a reverse shell into the container ● we used the privileged default Service Account to access the API ○ inspected secrets ○ scheduled a privileged Pod With the privileged Pod, we could further hijack the cluster (access to Nodes, the Control Plane and even other Cloud resources)

7. 7 #GitLabCommit #GitLabCommit How GitLab can help to prevent an attack

8. 8 #GitLabCommit GitLab feature stages

9. 9 #GitLabCommit Create stage ● Pair programming helps to get better and more eﬀicient code ● Required Merge Request Approvals allows to opt-in for multiple sign-oﬀs (Premium, Ultimate)

10. 10 #GitLabCommit Secure stage ● Secret Detection analyzes Git history for leaked secrets ● Dependency Scanning analyzes your dependencies for known vulnerabilities (Ultimate) ● Static Application Security Testing (SAST) analyzes source code for known vulnerabilities (some features require Ultimate) ● Dynamic Application Security Testing (DAST) analyzes running web applications for known vulnerabilities (Ultimate) ● API fuzzing finds unknown bugs and vulnerabilities in web APIs with fuzzing (Ultimate)

11. 11 #GitLabCommit Configure stage ● Container Scanning scans containers for known vulnerabilities (Ultimate) ● Auto DevOps helps to reduce the complexity of software delivery by setting up pipelines and integrations for you

12. 12 #GitLabCommit Protect stage ● Web Application Firewall filters, monitors, and prevents HTTP based attacks (deprecated, will get removed in GitLab 14.0) ● Container Host Security provides Intrusion Detection and Prevention capabilities that can monitor and block activity inside the containers themselves ● Container Network Security filters and secures the network traﬀic inside a containerized environment to block attacks at the network layer (some features require Ultimate)

13. 13 #GitLabCommit #GitLabCommit Container Security & further best practices

14. 14 #GitLabCommit Container & Kubernetes security best practices ● understand the manifests you apply ● do not share privileged service accounts ● deny untrusted registries ● enforce rootless containers ● enforce read-only filesystem at runtime ● deny privileged containers ● deny egress traﬀic ● use distroless containers if possible

15. 15 #GitLabCommit Questions? Slides: https://www.slideshare.net/nmeisenzahl Demo: https://gitlab.com/nico-meisenzahl/hijack-kubernetes GitLab features: https://about.gitlab.com/features Phone: +49 8031 230159 0 Email: nico.meisenzahl@whiteduck.de Twitter: @nmeisenzahl LinkedIn: https://www.linkedin.com/in/nicomeisenzahl Blog: https://meisenzahl.org

16. 16 #GitLabCommit Thank You!

GitLab Commit DevOps: How GitLab Can Save your Kubernetes environment from Being Hijacked - a Walk-Through

Recommended

Recommended

More Related Content

What's hot

What's hot (19)

Similar to GitLab Commit DevOps: How GitLab Can Save your Kubernetes environment from Being Hijacked - a Walk-Through

Similar to GitLab Commit DevOps: How GitLab Can Save your Kubernetes environment from Being Hijacked - a Walk-Through (20)

More from Nico Meisenzahl

More from Nico Meisenzahl (13)

Recently uploaded

Recently uploaded (20)

GitLab Commit DevOps: How GitLab Can Save your Kubernetes environment from Being Hijacked - a Walk-Through