Nico Meisenzahl, profile picture
Uploaded byNico Meisenzahl
PDF, PPTX140 views

Hijack a Kubernetes Cluster - a Walkthrough

The document presents a walkthrough on how to hijack a Kubernetes cluster while highlighting common attack vectors and preventive measures. It emphasizes secure application code, container image building, secure deployment practices, and the importance of Kubernetes and network policies to enhance security. Additionally, it offers recommendations for best practices to minimize security risks in cloud environments.

Embed presentation

Download as PDF, PPTX
Hijack a Kubernetes Cluster – a Walkthrough
Nico Meisenzahl • Senior Cloud & DevOps Consultant at white duck • Microsoft MVP, GitLab Hero • Cloud Native, Kubernetes & Azure © white duck GmbH 2022 Phone: +49 8031 230159 0 Email: nico.meisenzahl@whiteduck.de Twitter: @nmeisenzahl LinkedIn: https://www.linkedin.com/in/nicomeisenzahl Blog: https://meisenzahl.org
About this talk • this is not an in-depth security talk • it should make you aware of common attack vectors and how to prevent them • you will see demos on how to hijack a cluster • you will learn how to prevent those with common best practices • one more slide, then we will start hijacking • https://github.com/nmeisenzahl/hijack-kubernetes © white duck GmbH 2022
What we will do © white duck GmbH 2022
Security quick wins through the DevOps cycle © white duck GmbH 2022
Ensure secure application code • automate and enforce code checks • schedule dependency scanning • e.g. Dependabot • enforce Static Application Security Testing (SAST) in PRs • scans your code to identify potential security vulnerabilities • more details: https://owasp.org/www- community/Source_Code_Analysis_Tools © white duck GmbH 2022
Ensure secure application code • automate and enforce code checks • schedule dependency scanning • e.g. Dependabot • enforce Static Application Security Testing (SAST) in PRs • scans your code to identify potential security vulnerabilities • more details: https://owasp.org/www- community/Source_Code_Analysis_Tools © white duck GmbH 2022 Would have shown the possibility of code injection
Build secure container images • build secure/small container images – less is more • do only include required dependencies (no debugging tools!) • use self-contained binaries or “distroless” if possible • https://github.com/GoogleContainerTools/distroless • otherwise, use a small and secure Linux distro • use and enforce SAST for validating your Dockerfiles • scan your container images (on build and regularly) © white duck GmbH 2022
Build secure container images • build secure/small container images – less is more • do only include required dependencies (no debugging tools!) • use self-contained binaries or “distroless” if possible • https://github.com/GoogleContainerTools/distroless • otherwise, use a small and secure Linux distro • use and enforce SAST for validating your Dockerfiles • scan your container images (on build and regularly) © white duck GmbH 2022 Would have made it much harder to hijack the container and further expend
Ensure secure deployment code • as important as secure application code and Dockerfiles • validate your deployment manifests using SAST • and enforce them via PRs • can help you to implement best practices like denying • containers running as root • mounting hostPath • … © white duck GmbH 2022
Ensure secure deployment code • as important as secure application code and Dockerfiles • validate your deployment manifests using SAST • and enforce them via PRs • can help you to implement best practices like denying • containers running as root • mounting hostPath • … © white duck GmbH 2022 Would have made it much harder to hijack the node
SAST Tooling • Source code • https://codeql.github.com • https://security-code-scan.github.io • https://securego.io • Kubernetes manifests • https://kubesec.io • https://github.com/aquasecurity/trivy • Dockerfiles • https://github.com/aquasecurity/trivy • Terraform • https://github.com/tfsec/tfsec • https://github.com/aquasecurity/trivy © white duck GmbH 2022
Kubernetes policies • enforce compliance and governance within clusters • verifying manifests is not enough! • examples include enforcement of • read-only filesystems • denying hostPath mounts • denying containers running as root • … © white duck GmbH 2022
Kubernetes policies • enforce compliance and governance within clusters • verifying manifests is not enough! • examples include enforcement of • read-only filesystems • denying hostPath mounts • denying containers running as root • … © white duck GmbH 2022 Would have made it much harder to further hijack the nodes and cloud resources
Kubernetes policy Tooling • Open Policy Agent Gatekeeper • https://github.com/open-policy-agent/gatekeeper • Kyverno • https://kyverno.io • Azure Policies • based on Open Policy Agent Gatekeeper • https://docs.microsoft.com/azure/aks/use-azure-policy © white duck GmbH 2022
Network Policies • granular deny or explicitly allow between containers and ingress/egress of the cluster • limit egress access to the internet • limit access between applications/namespaces • deny access to the Cloud provider metadata service • https://kubernetes.io/docs/concepts/services- networking/network-policies © white duck GmbH 2022
Network Policies • granular deny or explicitly allow between containers and ingress/egress of the cluster • limit egress access to the internet • limit access between applications/namespaces • deny access to the Cloud provider metadata service • https://kubernetes.io/docs/concepts/services- networking/network-policies © white duck GmbH 2022 Would have denied network connections (reverse shell, Redis, Internet, metadata service)
Container Runtime Security • helps to detect malicious threads and workloads • untrusted process within container • a shell is running inside a container • container process mounting a sensitive path • a process making outbound network connections • container runtime security tools like Falco can help • https://github.com/falcosecurity/falco © white duck GmbH 2022
Container Runtime Security • helps to detect malicious threads and workloads • untrusted process within container • a shell is running inside a container • container process mounting a sensitive path • a process making outbound network connections • container runtime security tools like Falco can help • https://github.com/falcosecurity/falco © white duck GmbH 2022 Would have detect all our “work” within the containers
Further best practises • do not • share service accounts between applications • enable higher access levels for the default service account if not required • mount service account token if not required • https://kubernetes.io/docs/tasks/configure-pod-container/configure-service- account/#use-the-default-service-account-to-access-the-api-server • review all third-party snippets before applying them • implement a Web Application Firewall (WAF) to further secure your application © white duck GmbH 2022
Further best practises • do not • share service accounts between applications • enable higher access levels for the default service account if not required • mount service account token if not required • https://kubernetes.io/docs/tasks/configure-pod-container/configure-service- account/#use-the-default-service-account-to-access-the-api-server • review all third-party snippets before applying them • implement a Web Application Firewall (WAF) to further secure your application © white duck GmbH 2022 Wouldn’t have allowed us to talk to the API server Would have denied our code injection
Questions? • Slides: https://www.slideshare.net/nmeisenzahl • Demo: https://github.com/nmeisenzahl/hijack-kubernetes © white duck GmbH 2022 Phone: +49 8031 230159 0 Email: nico.meisenzahl@whiteduck.de Twitter: @nmeisenzahl LinkedIn: https://www.linkedin.com/in/nicomeisenzahl Blog: https://meisenzahl.org

More Related Content

PDF
Azure Zürich User Group: Azure Kubernetes Service – more than just a managed ...
byNico Meisenzahl
 
PDF
Virtual GitLab Meetup: How Containerized Pipelines and Kubernetes Can Boost Y...
byNico Meisenzahl
 
PPTX
FestiveTechCalendar2021 - Have Yourself An​ Azure Container Registry
byPhilip Welz
 
PDF
Docker Rosenheim Meetup: Policy & Governance for Kubernetes
byNico Meisenzahl
 
PDF
DevOpsCon Berlin: Helm vs Operators – Do I Need to Decide?
byNico Meisenzahl
 
PDF
Enhance Your Kubernetes CI/CD Pipelines With GitLab & Open Source
byNico Meisenzahl
 
PDF
Neues aus dem Docker-Universum
byNicholas Dille
 
PDF
EVE Microservices Platform
byAlaa Qutaish
 
Azure Zürich User Group: Azure Kubernetes Service – more than just a managed ...
byNico Meisenzahl
 
Virtual GitLab Meetup: How Containerized Pipelines and Kubernetes Can Boost Y...
byNico Meisenzahl
 
FestiveTechCalendar2021 - Have Yourself An​ Azure Container Registry
byPhilip Welz
 
Docker Rosenheim Meetup: Policy & Governance for Kubernetes
byNico Meisenzahl
 
DevOpsCon Berlin: Helm vs Operators – Do I Need to Decide?
byNico Meisenzahl
 
Enhance Your Kubernetes CI/CD Pipelines With GitLab & Open Source
byNico Meisenzahl
 
Neues aus dem Docker-Universum
byNicholas Dille
 
EVE Microservices Platform
byAlaa Qutaish
 

What's hot

PPTX
Kubernetes Security
byKarthik Gaekwad
 
PPTX
AzDevCom2021 - Bicep vs Terraform
byPhilip Welz
 
PDF
Kubernetes security and you
byKarthik Gaekwad
 
PDF
Introduction to Kubernetes Security (Aqua & Weaveworks)
byWeaveworks
 
PPTX
Securing your Cloud Environment v2
byShapeBlue
 
PDF
Cloud native development without the toil
byAmbassador Labs
 
PPTX
Kube Apps in action
byKarthik Gaekwad
 
PDF
KUBERNETES AS A FRAMEWORK FOR WRITING DEVOPS & MICROSERVICES TOOLING
byCodeOps Technologies LLP
 
PDF
Jenkins in the real world - DevOpsCon 2017
byGianluca Arbezzano
 
PPTX
Monitoring mayhem - Using Prometheus
byBrian Christner
 
PDF
LJC 4/21"Easy Debugging of Java Microservices Running on Kubernetes with Tele...
byDaniel Bryant
 
PPTX
Continuous delivery applied (RJUG)
byMike McGarr
 
PDF
Global Azure Bootcamp: Container, Docker & Kubernetes Basics
byNico Meisenzahl
 
PDF
Mihai Criveti - PyCon Ireland - Automate Everything
byMihai Criveti
 
PPTX
Microservices and Container Management with NGINX Plus and Mesosphere DC/OS
byNGINX, Inc.
 
PDF
Dockers zero to hero
byNicolas De Loof
 
PDF
Web Application Firewall - Friend of your DevOps Chain?
byFranziska Buehler
 
PDF
ThoughtWorks Technology Radar Roadshow - Brisbane
byThoughtworks
 
PPTX
KubeSecOps
byKarthik Gaekwad
 
PDF
Rebuilding Legacy Apps with Domain-Driven Design - Lessons learned
byKacper Gunia
 
Kubernetes Security
byKarthik Gaekwad
 
AzDevCom2021 - Bicep vs Terraform
byPhilip Welz
 
Kubernetes security and you
byKarthik Gaekwad
 
Introduction to Kubernetes Security (Aqua & Weaveworks)
byWeaveworks
 
Securing your Cloud Environment v2
byShapeBlue
 
Cloud native development without the toil
byAmbassador Labs
 
Kube Apps in action
byKarthik Gaekwad
 
KUBERNETES AS A FRAMEWORK FOR WRITING DEVOPS & MICROSERVICES TOOLING
byCodeOps Technologies LLP
 
Jenkins in the real world - DevOpsCon 2017
byGianluca Arbezzano
 
Monitoring mayhem - Using Prometheus
byBrian Christner
 
LJC 4/21"Easy Debugging of Java Microservices Running on Kubernetes with Tele...
byDaniel Bryant
 
Continuous delivery applied (RJUG)
byMike McGarr
 
Global Azure Bootcamp: Container, Docker & Kubernetes Basics
byNico Meisenzahl
 
Mihai Criveti - PyCon Ireland - Automate Everything
byMihai Criveti
 
Microservices and Container Management with NGINX Plus and Mesosphere DC/OS
byNGINX, Inc.
 
Dockers zero to hero
byNicolas De Loof
 
Web Application Firewall - Friend of your DevOps Chain?
byFranziska Buehler
 
ThoughtWorks Technology Radar Roadshow - Brisbane
byThoughtworks
 
KubeSecOps
byKarthik Gaekwad
 
Rebuilding Legacy Apps with Domain-Driven Design - Lessons learned
byKacper Gunia
 

Similar to Hijack a Kubernetes Cluster - a Walkthrough

PDF
How to Prevent Your Kubernetes Cluster From Being Hacked
byNico Meisenzahl
 
PPTX
Kubernetes and container security
byVolodymyr Shynkar
 
PDF
GDG Cloud Southlake 29 Jimmy Mesta OWASP Top 10 for Kubernetes
byJames Anderson
 
PPTX
Kubernetes Security Act Now Before It’s Too Late
byMichael Furman
 
PDF
Hacking Kubernetes Threat Driven Analysis and Defense 1st Edition Andrew Martin
bynoniqclarah
 
PPTX
Hijack a Kubernetes Cluster - a Walkthrough
byNico Meisenzahl
 
PDF
Container Days: Hijack a Kubernetes Cluster - a Walkthrough
byNico Meisenzahl
 
PDF
ContainerConf 2022: Hijack Kubernetes
byNico Meisenzahl
 
PDF
KCD Munich 2022: How to Prevent Your Kubernetes Cluster From Being Hacked
byNico Meisenzahl
 
PDF
KCD Munich 2022: Hijack a Kubernetes Cluster - a Walkthrough
byNico Meisenzahl
 
PDF
Container Day Security: How to Prevent Your Kubernetes Cluster From Being Hacked
byNico Meisenzahl
 
PDF
How to Prevent Your Kubernetes Cluster From Being Hacked by Nico Meisenzahl
byContainerDay Security 2023
 
PDF
How to Prevent Your Kubernetes Cluster From Being Hacked by Nico Meisenzahl
byContainerDay Security 2023
 
PDF
ContainerConf 2022: Kubernetes is awesome - but...
byNico Meisenzahl
 
PDF
Cloud Love Conference: Kubernetes is awesome, but...
byNico Meisenzahl
 
PPTX
DevSecOps in a cloudnative world
byKarthik Gaekwad
 
PDF
The Future of Security and Productivity in Our Newly Remote World
byDevOps.com
 
PPTX
12 Ways Not to get 'Hacked' your Kubernetes Cluster
bySuman Chakraborty
 
PDF
Continuous Security: From tins to containers - now what!
byMichael Man
 
PPTX
Secure development on Kubernetes by Andreas Falk
bySBA Research
 
How to Prevent Your Kubernetes Cluster From Being Hacked
byNico Meisenzahl
 
Kubernetes and container security
byVolodymyr Shynkar
 
GDG Cloud Southlake 29 Jimmy Mesta OWASP Top 10 for Kubernetes
byJames Anderson
 
Kubernetes Security Act Now Before It’s Too Late
byMichael Furman
 
Hacking Kubernetes Threat Driven Analysis and Defense 1st Edition Andrew Martin
bynoniqclarah
 
Hijack a Kubernetes Cluster - a Walkthrough
byNico Meisenzahl
 
Container Days: Hijack a Kubernetes Cluster - a Walkthrough
byNico Meisenzahl
 
ContainerConf 2022: Hijack Kubernetes
byNico Meisenzahl
 
KCD Munich 2022: How to Prevent Your Kubernetes Cluster From Being Hacked
byNico Meisenzahl
 
KCD Munich 2022: Hijack a Kubernetes Cluster - a Walkthrough
byNico Meisenzahl
 
Container Day Security: How to Prevent Your Kubernetes Cluster From Being Hacked
byNico Meisenzahl
 
How to Prevent Your Kubernetes Cluster From Being Hacked by Nico Meisenzahl
byContainerDay Security 2023
 
How to Prevent Your Kubernetes Cluster From Being Hacked by Nico Meisenzahl
byContainerDay Security 2023
 
ContainerConf 2022: Kubernetes is awesome - but...
byNico Meisenzahl
 
Cloud Love Conference: Kubernetes is awesome, but...
byNico Meisenzahl
 
DevSecOps in a cloudnative world
byKarthik Gaekwad
 
The Future of Security and Productivity in Our Newly Remote World
byDevOps.com
 
12 Ways Not to get 'Hacked' your Kubernetes Cluster
bySuman Chakraborty
 
Continuous Security: From tins to containers - now what!
byMichael Man
 
Secure development on Kubernetes by Andreas Falk
bySBA Research
 

More from Nico Meisenzahl

PDF
GitHub Actions 101
byNico Meisenzahl
 
PDF
Azure Meetup Hamburg: Production-Ready Terraform Deployments on Azure
byNico Meisenzahl
 
PDF
Azure Service Operator - Provision Your Resources in a Cloud-Native Way
byNico Meisenzahl
 
PDF
Hijack a Kubernetes Cluster - a Walkthrough
byNico Meisenzahl
 
PDF
Cloud-Native & Sustainability: How and Why to Build Sustainable Workloads
byNico Meisenzahl
 
PDF
GitLab Commit: Enhance your Compliance with Policy-Based CI/CD
byNico Meisenzahl
 
PDF
Microsoft DevOps Forum 2021 – DevOps & Security
byNico Meisenzahl
 
PDF
DevOpsCon London: How containerized Pipelines can boost your CI/CD
byNico Meisenzahl
 
PDF
Effiziente CI/CD-Pipelines – mit den richtigen Tools klappt das
byNico Meisenzahl
 
PDF
Azure Rosenheim Meetup: Azure Service Operator
byNico Meisenzahl
 
PDF
azdevcom - Hijack a Kubernetes Cluster
byNico Meisenzahl
 
PDF
Continuous Lifecycle: Hijack Kubernetes
byNico Meisenzahl
 
PDF
Die Evolution von Container Image Builds
byNico Meisenzahl
 
PDF
Continuous Lifecycle: Enhance Your Compliance and Governance With Policy-Base...
byNico Meisenzahl
 
PDF
Festive Tech Calendar: Festive time with AKS networking
byNico Meisenzahl
 
PDF
GitLab Commit DevOps: How GitLab Can Save your Kubernetes environment from Be...
byNico Meisenzahl
 
PDF
Cloud Native Day: Cloud-native Anwendungsentwicklung im Jahr 2021
byNico Meisenzahl
 
PDF
Azure Saturday Hamburg: Containerize Your .NET Microservice - the Right Way!
byNico Meisenzahl
 
PDF
GitLab Commit: Your Attackers Won't Be Happy! How GitLab Can Help You Secure ...
byNico Meisenzahl
 
GitHub Actions 101
byNico Meisenzahl
 
Azure Meetup Hamburg: Production-Ready Terraform Deployments on Azure
byNico Meisenzahl
 
Azure Service Operator - Provision Your Resources in a Cloud-Native Way
byNico Meisenzahl
 
Hijack a Kubernetes Cluster - a Walkthrough
byNico Meisenzahl
 
Cloud-Native & Sustainability: How and Why to Build Sustainable Workloads
byNico Meisenzahl
 
GitLab Commit: Enhance your Compliance with Policy-Based CI/CD
byNico Meisenzahl
 
Microsoft DevOps Forum 2021 – DevOps & Security
byNico Meisenzahl
 
DevOpsCon London: How containerized Pipelines can boost your CI/CD
byNico Meisenzahl
 
Effiziente CI/CD-Pipelines – mit den richtigen Tools klappt das
byNico Meisenzahl
 
Azure Rosenheim Meetup: Azure Service Operator
byNico Meisenzahl
 
azdevcom - Hijack a Kubernetes Cluster
byNico Meisenzahl
 
Continuous Lifecycle: Hijack Kubernetes
byNico Meisenzahl
 
Die Evolution von Container Image Builds
byNico Meisenzahl
 
Continuous Lifecycle: Enhance Your Compliance and Governance With Policy-Base...
byNico Meisenzahl
 
Festive Tech Calendar: Festive time with AKS networking
byNico Meisenzahl
 
GitLab Commit DevOps: How GitLab Can Save your Kubernetes environment from Be...
byNico Meisenzahl
 
Cloud Native Day: Cloud-native Anwendungsentwicklung im Jahr 2021
byNico Meisenzahl
 
Azure Saturday Hamburg: Containerize Your .NET Microservice - the Right Way!
byNico Meisenzahl
 
GitLab Commit: Your Attackers Won't Be Happy! How GitLab Can Help You Secure ...
byNico Meisenzahl
 

Recently uploaded

PDF
Igniting the Future: Copilot trends, agentic transformation and product roadm...
byUni Systems S.M.S.A.
 
PDF
Agentic Automation for Testers – A Hands-On Deep Dive
byUiPathCommunity
 
PDF
Guided Substation Engineering with CoMPAS: Simplifying IEC 61850
byDanBrown980551
 
PDF
Digit Expo 2025 - EICC Edinburgh 27th November
byRay Bugg
 
PDF
Security Technologys: Access Control, Firewall, VPN
byShielaLasala
 
PDF
Usage Control for Process Discovery through a Trusted Execution Environment
byValerioGoretti
 
PDF
Knowing and Doing: Knowledge graphs, AI, and work
bymarainglezakis1
 
PDF
Empowering Productivity with Clever Prompts and Intelligent Agents
byUni Systems S.M.S.A.
 
PDF
Safeguarding AI-Based Financial Infrastructure
byYasir Naveed Riaz
 
PDF
How Mobile Apps Are Shaping the Future of Digital Innovation
byWilliam Taylor
 
PDF
TrustArc Webinar - Looking Ahead: The 2026 Privacy Landscape
byTrustArc
 
PDF
Decoding the DNA: The Digital Networks Act, the Open Internet, and IP interco...
byCSUC - Consorci de Serveis Universitaris de Catalunya
 
PPTX
Ritesh_kumar_Aatmanirbhar Bharat: Make in India, Make for the World.pptx
byriteshrkgs2008
 
PPTX
Ethics in AI - Artificial Intelligence Fundamentals.pptx
byemenyiblessing
 
PDF
Making Sense of Raster: From Bit Depth to Better Workflows
bySafe Software
 
PPTX
The Future of IT Service Management AI Automation & Beyond.pptx
byChetu
 
PPTX
Combining Induction and Transduction for Abstract Reasoning.pptx
byallen578468
 
PDF
AI and Computer Architecture: 200 Years Together
byDmitry Zinoviev
 
PDF
Incident Response Planning with a Foundation Model
byKim Hammar
 
PDF
TPPmark2025 Kenta Inoue's answer 12/04/2025
byKenta Inoue
 
Igniting the Future: Copilot trends, agentic transformation and product roadm...
byUni Systems S.M.S.A.
 
Agentic Automation for Testers – A Hands-On Deep Dive
byUiPathCommunity
 
Guided Substation Engineering with CoMPAS: Simplifying IEC 61850
byDanBrown980551
 
Digit Expo 2025 - EICC Edinburgh 27th November
byRay Bugg
 
Security Technologys: Access Control, Firewall, VPN
byShielaLasala
 
Usage Control for Process Discovery through a Trusted Execution Environment
byValerioGoretti
 
Knowing and Doing: Knowledge graphs, AI, and work
bymarainglezakis1
 
Empowering Productivity with Clever Prompts and Intelligent Agents
byUni Systems S.M.S.A.
 
Safeguarding AI-Based Financial Infrastructure
byYasir Naveed Riaz
 
How Mobile Apps Are Shaping the Future of Digital Innovation
byWilliam Taylor
 
TrustArc Webinar - Looking Ahead: The 2026 Privacy Landscape
byTrustArc
 
Decoding the DNA: The Digital Networks Act, the Open Internet, and IP interco...
byCSUC - Consorci de Serveis Universitaris de Catalunya
 
Ritesh_kumar_Aatmanirbhar Bharat: Make in India, Make for the World.pptx
byriteshrkgs2008
 
Ethics in AI - Artificial Intelligence Fundamentals.pptx
byemenyiblessing
 
Making Sense of Raster: From Bit Depth to Better Workflows
bySafe Software
 
The Future of IT Service Management AI Automation & Beyond.pptx
byChetu
 
Combining Induction and Transduction for Abstract Reasoning.pptx
byallen578468
 
AI and Computer Architecture: 200 Years Together
byDmitry Zinoviev
 
Incident Response Planning with a Foundation Model
byKim Hammar
 
TPPmark2025 Kenta Inoue's answer 12/04/2025
byKenta Inoue
 

Hijack a Kubernetes Cluster - a Walkthrough

  • 1.
    Hijack a KubernetesCluster – a Walkthrough
  • 2.
    Nico Meisenzahl • SeniorCloud & DevOps Consultant at white duck • Microsoft MVP, GitLab Hero • Cloud Native, Kubernetes & Azure © white duck GmbH 2022 Phone: +49 8031 230159 0 Email: nico.meisenzahl@whiteduck.de Twitter: @nmeisenzahl LinkedIn: https://www.linkedin.com/in/nicomeisenzahl Blog: https://meisenzahl.org
  • 3.
    About this talk •this is not an in-depth security talk • it should make you aware of common attack vectors and how to prevent them • you will see demos on how to hijack a cluster • you will learn how to prevent those with common best practices • one more slide, then we will start hijacking • https://github.com/nmeisenzahl/hijack-kubernetes © white duck GmbH 2022
  • 4.
    What we willdo © white duck GmbH 2022
  • 5.
    Security quick winsthrough the DevOps cycle © white duck GmbH 2022
  • 6.
    Ensure secure applicationcode • automate and enforce code checks • schedule dependency scanning • e.g. Dependabot • enforce Static Application Security Testing (SAST) in PRs • scans your code to identify potential security vulnerabilities • more details: https://owasp.org/www- community/Source_Code_Analysis_Tools © white duck GmbH 2022
  • 7.
    Ensure secure applicationcode • automate and enforce code checks • schedule dependency scanning • e.g. Dependabot • enforce Static Application Security Testing (SAST) in PRs • scans your code to identify potential security vulnerabilities • more details: https://owasp.org/www- community/Source_Code_Analysis_Tools © white duck GmbH 2022 Would have shown the possibility of code injection
  • 8.
    Build secure containerimages • build secure/small container images – less is more • do only include required dependencies (no debugging tools!) • use self-contained binaries or “distroless” if possible • https://github.com/GoogleContainerTools/distroless • otherwise, use a small and secure Linux distro • use and enforce SAST for validating your Dockerfiles • scan your container images (on build and regularly) © white duck GmbH 2022
  • 9.
    Build secure containerimages • build secure/small container images – less is more • do only include required dependencies (no debugging tools!) • use self-contained binaries or “distroless” if possible • https://github.com/GoogleContainerTools/distroless • otherwise, use a small and secure Linux distro • use and enforce SAST for validating your Dockerfiles • scan your container images (on build and regularly) © white duck GmbH 2022 Would have made it much harder to hijack the container and further expend
  • 10.
    Ensure secure deploymentcode • as important as secure application code and Dockerfiles • validate your deployment manifests using SAST • and enforce them via PRs • can help you to implement best practices like denying • containers running as root • mounting hostPath • … © white duck GmbH 2022
  • 11.
    Ensure secure deploymentcode • as important as secure application code and Dockerfiles • validate your deployment manifests using SAST • and enforce them via PRs • can help you to implement best practices like denying • containers running as root • mounting hostPath • … © white duck GmbH 2022 Would have made it much harder to hijack the node
  • 12.
    SAST Tooling • Sourcecode • https://codeql.github.com • https://security-code-scan.github.io • https://securego.io • Kubernetes manifests • https://kubesec.io • https://github.com/aquasecurity/trivy • Dockerfiles • https://github.com/aquasecurity/trivy • Terraform • https://github.com/tfsec/tfsec • https://github.com/aquasecurity/trivy © white duck GmbH 2022
  • 13.
    Kubernetes policies • enforcecompliance and governance within clusters • verifying manifests is not enough! • examples include enforcement of • read-only filesystems • denying hostPath mounts • denying containers running as root • … © white duck GmbH 2022
  • 14.
    Kubernetes policies • enforcecompliance and governance within clusters • verifying manifests is not enough! • examples include enforcement of • read-only filesystems • denying hostPath mounts • denying containers running as root • … © white duck GmbH 2022 Would have made it much harder to further hijack the nodes and cloud resources
  • 15.
    Kubernetes policy Tooling •Open Policy Agent Gatekeeper • https://github.com/open-policy-agent/gatekeeper • Kyverno • https://kyverno.io • Azure Policies • based on Open Policy Agent Gatekeeper • https://docs.microsoft.com/azure/aks/use-azure-policy © white duck GmbH 2022
  • 16.
    Network Policies • granulardeny or explicitly allow between containers and ingress/egress of the cluster • limit egress access to the internet • limit access between applications/namespaces • deny access to the Cloud provider metadata service • https://kubernetes.io/docs/concepts/services- networking/network-policies © white duck GmbH 2022
  • 17.
    Network Policies • granulardeny or explicitly allow between containers and ingress/egress of the cluster • limit egress access to the internet • limit access between applications/namespaces • deny access to the Cloud provider metadata service • https://kubernetes.io/docs/concepts/services- networking/network-policies © white duck GmbH 2022 Would have denied network connections (reverse shell, Redis, Internet, metadata service)
  • 18.
    Container Runtime Security •helps to detect malicious threads and workloads • untrusted process within container • a shell is running inside a container • container process mounting a sensitive path • a process making outbound network connections • container runtime security tools like Falco can help • https://github.com/falcosecurity/falco © white duck GmbH 2022
  • 19.
    Container Runtime Security •helps to detect malicious threads and workloads • untrusted process within container • a shell is running inside a container • container process mounting a sensitive path • a process making outbound network connections • container runtime security tools like Falco can help • https://github.com/falcosecurity/falco © white duck GmbH 2022 Would have detect all our “work” within the containers
  • 20.
    Further best practises •do not • share service accounts between applications • enable higher access levels for the default service account if not required • mount service account token if not required • https://kubernetes.io/docs/tasks/configure-pod-container/configure-service- account/#use-the-default-service-account-to-access-the-api-server • review all third-party snippets before applying them • implement a Web Application Firewall (WAF) to further secure your application © white duck GmbH 2022
  • 21.
    Further best practises •do not • share service accounts between applications • enable higher access levels for the default service account if not required • mount service account token if not required • https://kubernetes.io/docs/tasks/configure-pod-container/configure-service- account/#use-the-default-service-account-to-access-the-api-server • review all third-party snippets before applying them • implement a Web Application Firewall (WAF) to further secure your application © white duck GmbH 2022 Wouldn’t have allowed us to talk to the API server Would have denied our code injection
  • 22.
    Questions? • Slides: https://www.slideshare.net/nmeisenzahl •Demo: https://github.com/nmeisenzahl/hijack-kubernetes © white duck GmbH 2022 Phone: +49 8031 230159 0 Email: nico.meisenzahl@whiteduck.de Twitter: @nmeisenzahl LinkedIn: https://www.linkedin.com/in/nicomeisenzahl Blog: https://meisenzahl.org