Shopify’s $25K Bug Report and the cluster takeover that didn’t happen
Shane Lawrence, Security Infrastructure Engineer, Shopify (Twitter: @shaneplawrence, Github: @shane-lawrence)
Greg Castle, GKE Security Tech Lead, Google (Twitter: @mrgcastle, Github: @destijl)
KubeCon North America 2018
A production security story
Agenda: Introduction · Exchange · Bug report · Attack & defense · Detection · Takeaways
Introduction
Who is shopify.com? Shopify’s background (2017 data)
• 600K+ merchants
• $26B+ processed
• 80K+ requests per second at peak traffic
Shopify cloud platform
• Scalable
• Application developers don’t need to learn Kubernetes
• Self-serve with guardrails & paved roads
• Security*** by default
Shopify’s bug bounty programs
•   330+ hackers over 3+ years
•   Merchants and buyers protected
•   $1,000,000+ paid
•   hackerone.com/shopify
Bug report
Security report and responses (vulnerable feature disabled about 1 hour after the report came in)
• 7:39pm  Report (goo.gl/dqynDa) from André Baptista (0xacb): vuln in Exchange app
• 7:50pm  Incident declared
• 8:00pm  Cloudsec and app dev teams contacted
• 8:43pm  Merged commit to disable vulnerable feature
• 9:27pm  Investigation and cleanup started (rotate credentials, contact Google, investigate logs)
Exchange
What is Exchange? Marketplace for buying & selling stores.
Screenshot workflow (diagram):
1. Exchange app: seller creates a listing; the app requests screenshots of the store
2. Screenshot service: a headless browser requests the storefront
3. Test store: serves the test store frontpage; the headless browser returns an image of the page to the Exchange app
Attack & defense
The attack (diagram): security researcher → SSRF → Google service account token → kube-env → kubelet → cluster control (marked X: the step that didn’t happen)
Server Side Request Forgery (SSRF): the attacker makes the server (here, the screenshot service inside the cluster) send a request to a destination of the attacker’s choosing.
Attack: Weaponize SSRF
Existing workflow (diagram): 1. Exchange app (create listing, request screenshots) → 2. Screenshot service (headless browser) requests the storefront → 3. Test store (test store frontpage) → image of page returned to the Exchange app. 4. Metadata service: the node-local service the headless browser can also reach.
Weaponized (diagram): the researcher’s test store serves an exploit page instead of a frontpage; rendering it sends the headless browser to 4. Metadata server, where it requests the default SA token from the v1 endpoint. Result: got token for the VM’s Google service account (the next slides show how the v1 header check got in the way and how the beta endpoint got around it).
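The weak point above is a fetcher that renders whatever a listing points at and follows wherever that page redirects. The following is an added example (not Shopify’s screenshot service or any code from the talk): a constructed, offline model of a redirect-following fetcher with an SSRF guard, showing that checking only the first URL still leaks the token while re-checking every hop blocks the redirect to the metadata server. The hostnames, the fake DNS table and the fake web are constructed; the metadata address 169.254.169.254, the name metadata.google.internal and the v1beta1 token path are the real GCE ones.

```python
import ipaddress
from urllib.parse import urlparse

# Hostnames and address ranges a storefront screenshot must never be taken of.
BLOCKED_HOSTNAMES = {"metadata.google.internal", "metadata", "localhost"}
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16",            # link-local; includes 169.254.169.254
    "::1/128", "fc00::/7", "fe80::/10",
)]

# Constructed DNS table so the example runs offline. A real fetcher must resolve
# the name itself, check every returned address and connect to that same address.
FAKE_DNS = {
    "teststore.example": "203.0.113.10",
    "metadata.google.internal": "169.254.169.254",
    "rebind.example": "169.254.169.254",    # attacker-controlled name pointing inward
}


def resolve(host):
    """Map a URL host to the address a browser would connect to."""
    host = host.lower()
    if host.isdigit():                       # http://2852039166/ is 169.254.169.254
        ip = ipaddress.ip_address(int(host))
    else:
        try:
            ip = ipaddress.ip_address(host)
        except ValueError:
            ip = ipaddress.ip_address(FAKE_DNS.get(host, "203.0.113.1"))
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped:
        ip = ip.ipv4_mapped                  # [::ffff:169.254.169.254] -> 169.254.169.254
    return ip


def is_allowed(url):
    """True only for http(s) URLs whose host resolves to a public address."""
    parts = urlparse(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    if parts.hostname.lower() in BLOCKED_HOSTNAMES:
        return False
    ip = resolve(parts.hostname)
    return not any(ip in net for net in BLOCKED_NETWORKS)


# Constructed "internet": URL -> (status, redirect target or page body).
FAKE_WEB = {
    "https://teststore.example/": (200, "<html>storefront</html>"),
    "https://teststore.example/exploit": (302,
        "http://169.254.169.254/computeMetadata/v1beta1/instance/service-accounts/default/token"),
    "http://169.254.169.254/computeMetadata/v1beta1/instance/service-accounts/default/token":
        (200, '{"access_token":"ya29.CONSTRUCTED"}'),
}


def screenshot(url, check_every_hop, max_hops=5):
    """Fetch like a redirect-following browser; returns ("ok", body) or ("blocked", url)."""
    if not is_allowed(url):
        return ("blocked", url)
    for _ in range(max_hops):
        status, payload = FAKE_WEB.get(url, (404, ""))
        if status in (301, 302, 303, 307, 308):
            url = payload
            if check_every_hop and not is_allowed(url):
                return ("blocked", url)
            continue
        return ("ok", payload)
    return ("blocked", url)


if __name__ == "__main__":
    print(screenshot("https://teststore.example/exploit", check_every_hop=False))  # leaks the token
    print(screenshot("https://teststore.example/exploit", check_every_hop=True))   # blocked at the hop
```

A URL-level guard is only the application layer of the fix: a real headless browser also runs the page’s JavaScript, which can issue its own requests, so the check belongs at the network boundary too (the metadata proxy and egress policy discussed later), and the resolver the guard uses must be the one the browser connects with, or DNS rebinding turns a public name into 169.254.169.254 between the check and the fetch.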
Sidebar: What is this Google SA? (diagram): a pod on a node (VM) asks the node’s metadata server for a token; the metadata server hands back a token for the node’s Google service account, which the pod can then present to Google APIs.
Demo: Token attack
Defense: Require header
Metadata server requires the header Metadata-Flavor: Google. The exploit page’s request through the headless browser arrives without it, so the v1 default SA token request gets 403: header required (diagram: 1. Exchange app → 2. Screenshot service (headless browser) → 3. Test store (exploit page) → 4. Metadata server, default SA token, v1).
Attack: Use old API version
Beta API (v1beta1): no request header required :( The same exploit page points the headless browser at the v1beta1 endpoint on 4. Metadata server, the default SA token comes back, and the screenshot delivered to the Exchange app is an image of the token.
Defense: Disable old API versions
• Beta API known issue: APIs still in use
• Disabled by default in new 1.12+ clusters
• Opt-in now: “disable-legacy-endpoints=true”
• goo.gl/JsdJbL for details
Defense: Least priv on token
• Default SA least privilege from 1.10+
• May vary if users have granted extra privs
• Shopify had minimal privs for log/mon/debug
• Token not useful to researcher
Attack: What other metadata?
Metadata server = trust bootstrap for nodes. Export static key from “kube-env” (diagram: the exploit page now asks 5. Metadata server for the kube-env attribute, alongside the default SA token at v1 and v1beta1; the screenshot is an image of kube-env).
Demo: kube-env attack
Attack: Kubelet bootstrap key
Kube-env carries the kubelet’s bootstrap credentials. On the security researcher’s machine, CA.crt, client.crt and client.pem extracted from kube-env are enough to point kubectl at the GKE K8s API server.
Defense: Metadata concealment
• Now: metadata concealment (Beta) goo.gl/u6rrMT
• Future: K8s TPM trust bootstrap
Diagram: 1. Exchange app → 2. Screenshot service (headless browser) → 3. Test store (exploit page) → 4. Metadata proxy (whitelist/blacklist) → 403 Forbidden. 5. Metadata server (default SA token v1, v1beta1, kube-env) is no longer reachable from the pod directly.
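The three defenses just described (the Metadata-Flavor header, disable-legacy-endpoints, and a concealment proxy in front of the server) interact, and it helps to see all three against the same three requests. This is an added example, not GKE’s metadata server or proxy code: a constructed offline model in which the paths are the real GCE metadata paths, while the token, the kube-env body, the response texts and the proxy’s rule set are constructed (GKE’s real concealment proxy has its own policy). It replays the exploit page’s requests against an unhardened node, a node with legacy endpoints disabled, and a node behind the proxy, and shows what a legitimate pod still gets.

```python
# Paths follow the real GCE metadata layout; everything served is constructed.
TOKEN_V1 = "computeMetadata/v1/instance/service-accounts/default/token"
TOKEN_V1BETA1 = "computeMetadata/v1beta1/instance/service-accounts/default/token"
KUBE_ENV_V1 = "computeMetadata/v1/instance/attributes/kube-env"
KUBE_ENV_V1BETA1 = "computeMetadata/v1beta1/instance/attributes/kube-env"
LEGACY_PREFIXES = ("computeMetadata/v1beta1/", "0.1/")   # what disable-legacy-endpoints turns off

SA_TOKEN = '{"access_token":"ya29.CONSTRUCTED","expires_in":3599,"token_type":"Bearer"}'
KUBE_ENV = "CA_CERT: <constructed>\nKUBELET_CERT: <constructed>\nKUBELET_KEY: <constructed>\n"


class MetadataServer:
    """Node-local metadata server. v1 demands Metadata-Flavor: Google; legacy
    paths do not, unless the instance sets disable-legacy-endpoints=true."""

    def __init__(self, disable_legacy_endpoints=False):
        self.disable_legacy = disable_legacy_endpoints
        self._store = {TOKEN_V1: SA_TOKEN, KUBE_ENV_V1: KUBE_ENV}

    def handle(self, path, headers):
        """Return (status, body) for a request that reached the server directly."""
        path = path.lstrip("/")
        legacy = path.startswith(LEGACY_PREFIXES)
        if legacy and self.disable_legacy:
            return 403, "legacy endpoint disabled"
        if not legacy and headers.get("Metadata-Flavor") != "Google":
            return 403, "Missing Metadata-Flavor:Google header"
        # a legacy path names the same resource as its v1 twin
        resource = path.replace("computeMetadata/v1beta1/", "computeMetadata/v1/")
        if resource in self._store:
            return 200, self._store[resource]
        return 404, "not found"


class MetadataProxy:
    """Concealment proxy: pods can reach only this, never the server. Modelled
    policy: refuse legacy paths and the kube-env attribute, pass the rest on."""

    CONCEALED_ATTRIBUTES = {"kube-env"}

    def __init__(self, server):
        self.server = server

    def handle(self, path, headers):
        path = path.lstrip("/")
        if path.startswith(LEGACY_PREFIXES):
            return 403, "Forbidden: legacy endpoint"
        prefix = "computeMetadata/v1/instance/attributes/"
        if path.startswith(prefix) and path[len(prefix):] in self.CONCEALED_ATTRIBUTES:
            return 403, "Forbidden: concealed attribute"
        return self.server.handle(path, headers)


def replay_attack(endpoint):
    """The three requests the exploit page made. A headless browser cannot add
    Metadata-Flavor, so no headers are sent. Returns the status of each."""
    headers = {}
    return {
        "token_v1": endpoint.handle(TOKEN_V1, headers)[0],
        "token_v1beta1": endpoint.handle(TOKEN_V1BETA1, headers)[0],
        "kube_env_v1beta1": endpoint.handle(KUBE_ENV_V1BETA1, headers)[0],
    }


def workload_view(endpoint):
    """What a legitimate pod that does send the header can still read."""
    headers = {"Metadata-Flavor": "Google"}
    return {"token_v1": endpoint.handle(TOKEN_V1, headers)[0],
            "kube_env_v1": endpoint.handle(KUBE_ENV_V1, headers)[0]}


if __name__ == "__main__":
    print("unhardened      ", replay_attack(MetadataServer()))
    print("no legacy       ", replay_attack(MetadataServer(disable_legacy_endpoints=True)))
    print("behind proxy    ", replay_attack(MetadataProxy(MetadataServer())))
    print("workload, proxy ", workload_view(MetadataProxy(MetadataServer())))
```

The last line is the reason concealment matters even once legacy endpoints are off: with the header alone, any pod that can set Metadata-Flavor (a compromised container, not just a browser) can still read kube-env from the unhardened server, whereas the proxy lets the workload keep its SA token and nothing else.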
Defense: Minimize kubelet privs
• RBAC on (ABAC off): GKE default
• Node Authorization on: GKE default
• Audit role bindings: an upgraded cluster may still carry GKE’s “kubelet-cluster-admin” binding (not actually cluster admin)
• https://kubernetes.io/docs/tasks/administer-cluster/securing-a-cluster/
Demo: Defenses
Detection
What’s in the logs?
• K8s API audit logs: goo.gl/d8YebH
• Content depends on audit policy
• GKE: g.co/gke/auditlogging
Log screenshots shown in the talk (filtered on the kubelet user):
• Create deployment (failed), then create deployment
• Exec into exchange pod
• Node CSR creation
Takeaways
Shopify’s response
1 day
• Disable vulnerable service.
• Start rotating credentials.
• Pay $ to researcher.
1 week
• Analyze audit logs.
• Clean up RBAC.
1 month
• Prevent unwanted redirects.
• Re-enable screenshot service.
• Deploy metadata proxy.
• Pay $$$ to researcher.
• Disclose vulnerability.
Lessons learned: K8s advice
• Follow cloud provider hardening advice (GKE: g.co/gke/hardening)
• Block off/filter access to any privileged network endpoints
• Run RBAC and Node Authorization (GKE default)
• Apply least privilege for K8s service accounts
• Audit role bindings, especially upgraded clusters
• Collect API logs and have them available to query (GKE default)
Links and references
Shopify bug bounty: hackerone.com/shopify
Bug report details: goo.gl/dqynDa
GKE disable old APIs: goo.gl/JsdJbL
GKE metadata conceal: goo.gl/u6rrMT
K8s API audit logs: goo.gl/d8YebH
GKE logging: g.co/gke/auditlogging
Thank you
Reference: example log queries
• Broad strokes to get you started
• No standard language for queries like this
• SQL seems most standard
• But includes some BigQuery-isms for unpacking repeated fields
• Validation/tweaking on production clusters needed
• Mostly intended to point out interesting values and fields
RBAC Changes (excl system)
-- `gcastle-gke-dev.kubecon2018...` is the speaker's own audit-log export dataset; point it at yours.
SELECT
  timestamp,
  protopayload_auditlog.methodName AS method,
  protopayload_auditlog.resourceName AS resource,
  protopayload_auditlog.authenticationInfo.principalEmail AS suid,
  authzinfo.granted AS granted,
  protopayload_auditlog.requestMetadata.callerIp AS saddr
FROM
  `gcastle-gke-dev.kubecon2018.cloudaudit_googleapis_com_activity_*`,
  UNNEST(protopayload_auditlog.authorizationInfo) AS authzinfo
WHERE
  -- any RBAC API call (roles, rolebindings, clusterroles, clusterrolebindings)
  protopayload_auditlog.methodName LIKE "io.k8s.authorization.rbac.v1%"
  -- drop control-plane components; keep humans and service accounts
  AND NOT protopayload_auditlog.authenticationInfo.principalEmail LIKE "system:%"
LIMIT 100
Similarly, use these methodName patterns for specific changes to roles or bindings:
“io.k8s.authorization.rbac.v1.roles.%”
“io.k8s.authorization.rbac.v1.rolebindings.%”
“io.k8s.authorization.rbac.v1.clusterroles.%”
“io.k8s.authorization.rbac.v1.clusterrolebindings.%”
Creating CSRs via K8s API
SELECT
  timestamp,
  protopayload_auditlog.methodName AS method,
  protopayload_auditlog.resourceName AS resource,
  protopayload_auditlog.authenticationInfo.principalEmail AS suid,
  authzinfo.granted AS granted,
  protopayload_auditlog.requestMetadata.callerIp AS saddr
FROM
  `gcastle-gke-dev.kubecon2018.cloudaudit_googleapis_com_activity_*`,
  UNNEST(protopayload_auditlog.authorizationInfo) AS authzinfo
WHERE
  -- a node bootstrapping (or an attacker with bootstrap creds) submits a CSR here
  protopayload_auditlog.resourceName LIKE "certificates.k8s.io/v1beta1/certificatesigningrequests%"
LIMIT 100
Unauth’d web requests
SELECT
  timestamp,
  protopayload_auditlog.methodName AS method,
  protopayload_auditlog.resourceName AS resource,
  protopayload_auditlog.authenticationInfo.principalEmail AS suid,
  authzinfo.granted AS granted,
  protopayload_auditlog.requestMetadata.callerIp AS saddr
FROM
  `gcastle-gke-dev.kubecon2018.cloudaudit_googleapis_com_activity_*`,
  UNNEST(protopayload_auditlog.authorizationInfo) AS authzinfo
WHERE
  -- requests that presented no credentials at all
  protopayload_auditlog.authenticationInfo.principalEmail = "system:anonymous"
LIMIT 100
Kubelet bootstrap identity calls (GKE specific)
SELECT
  timestamp,
  protopayload_auditlog.methodName AS method,
  protopayload_auditlog.resourceName AS resource,
  protopayload_auditlog.authenticationInfo.principalEmail AS suid,
  authzinfo.granted AS granted,
  protopayload_auditlog.requestMetadata.callerIp AS saddr
FROM
  `gcastle-gke-dev.kubecon2018.cloudaudit_googleapis_com_activity_*`,
  UNNEST(protopayload_auditlog.authorizationInfo) AS authzinfo
WHERE
  -- the identity carried by the static kube-env credentials
  protopayload_auditlog.authenticationInfo.principalEmail = "kubelet"
LIMIT 100
Node authenticated requests
SELECT
  timestamp,
  protopayload_auditlog.methodName AS method,
  protopayload_auditlog.resourceName AS resource,
  protopayload_auditlog.authenticationInfo.principalEmail AS suid,
  authzinfo.granted AS granted,
  protopayload_auditlog.requestMetadata.callerIp AS saddr
FROM
  `gcastle-gke-dev.kubecon2018.cloudaudit_googleapis_com_activity_*`,
  UNNEST(protopayload_auditlog.authorizationInfo) AS authzinfo
WHERE
  -- per-node identities issued after bootstrap
  protopayload_auditlog.authenticationInfo.principalEmail LIKE "system:node%"
LIMIT 100
Calls outside IP range
SELECT
  timestamp,
  protopayload_auditlog.methodName AS method,
  protopayload_auditlog.resourceName AS resource,
  protopayload_auditlog.authenticationInfo.principalEmail AS suid,
  authzinfo.granted AS granted,
  protopayload_auditlog.requestMetadata.callerIp AS saddr
FROM
  `gcastle-gke-dev.kubecon2018.cloudaudit_googleapis_com_activity_*`,
  UNNEST(protopayload_auditlog.authorizationInfo) AS authzinfo
WHERE
  NOT protopayload_auditlog.requestMetadata.callerIp = "127.0.0.1"
  AND NOT protopayload_auditlog.requestMetadata.callerIp = "::1"
  -- "8.8%" is a placeholder prefix; substitute the range your nodes and operators call from
  AND protopayload_auditlog.requestMetadata.callerIp NOT LIKE "8.8%"
LIMIT 100
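The queries above pull fields out of BigQuery; the detections the talk actually ran (kubelet bootstrap identity, node CSR creation, a node identity creating deployments and exec’ing into the exchange pod, callers outside the expected range) are easier to test once the same logic is expressed over individual log records. This is an added example, not Shopify’s or Google’s detection code, run over constructed entries that mimic the Cloud Audit Log shape the queries select from (protoPayload.methodName, resourceName, authenticationInfo.principalEmail, authorizationInfo[].granted, requestMetadata.callerIp). Every timestamp, principal, pod name and IP is constructed, as is the allowed caller range.

```python
import ipaddress
import json


def _entry(ts, method, resource, principal, granted, ip):
    """One constructed Cloud Audit Log record in the shape the queries above read."""
    return json.dumps({"timestamp": ts, "protoPayload": {
        "methodName": method, "resourceName": resource,
        "authenticationInfo": {"principalEmail": principal},
        "authorizationInfo": [{"granted": granted, "resource": resource}],
        "requestMetadata": {"callerIp": ip}}})


RAW_LOG_LINES = [  # constructed sequence shaped like the activity in the talk
    _entry("2018-01-01T02:39:10Z", "io.k8s.core.v1.endpoints.update",
           "core/v1/namespaces/kube-system/endpoints/kube-controller-manager",
           "system:kube-controller-manager", True, "127.0.0.1"),
    _entry("2018-01-01T02:40:01Z", "io.k8s.certificates.v1beta1.certificatesigningrequests.create",
           "certificates.k8s.io/v1beta1/certificatesigningrequests/node-csr-constructed",
           "kubelet", True, "198.51.100.7"),
    _entry("2018-01-01T02:41:15Z", "io.k8s.apps.v1.deployments.create",
           "apps/v1/namespaces/exchange/deployments/shell",
           "system:node:gke-pool-1-constructed", False, "198.51.100.7"),
    _entry("2018-01-01T02:42:30Z", "io.k8s.apps.v1.deployments.create",
           "apps/v1/namespaces/exchange/deployments/shell",
           "system:node:gke-pool-1-constructed", True, "198.51.100.7"),
    _entry("2018-01-01T02:43:05Z", "io.k8s.core.v1.pods.exec.create",
           "core/v1/namespaces/exchange/pods/exchange-web-constructed/exec",
           "system:node:gke-pool-1-constructed", True, "198.51.100.7"),
    _entry("2018-01-01T02:45:00Z", "io.k8s.core.v1.pods.list",
           "core/v1/pods", "system:node:gke-pool-1-constructed", True, "10.0.1.5"),
    _entry("2018-01-01T03:10:00Z", "io.k8s.authorization.rbac.v1.clusterrolebindings.delete",
           "rbac.authorization.k8s.io/v1/clusterrolebindings/kubelet-cluster-admin",
           "alice@example.com", True, "203.0.113.5"),
]


def parse(lines):
    """Flatten each JSON record to the columns the BigQuery queries select."""
    out = []
    for line in lines:
        rec = json.loads(line)
        p = rec["protoPayload"]
        out.append({
            "time": rec["timestamp"], "method": p["methodName"], "resource": p["resourceName"],
            "suid": p["authenticationInfo"]["principalEmail"],
            "granted": any(a.get("granted", False) for a in p.get("authorizationInfo", [])),
            "saddr": p["requestMetadata"]["callerIp"],
        })
    return out


def rbac_changes_excl_system(entries):
    return [e for e in entries if e["method"].startswith("io.k8s.authorization.rbac.v1.")
            and not e["suid"].startswith("system:")]


def csr_creations(entries):
    return [e for e in entries if e["resource"].startswith("certificates.k8s.io/")
            and "/certificatesigningrequests" in e["resource"] and e["method"].endswith(".create")]


def kubelet_bootstrap_calls(entries):
    """The static kube-env identity; on a healthy cluster it only ever submits a CSR."""
    return [e for e in entries if e["suid"] == "kubelet"]


NODE_NEVER_DOES = ("deployments.create", "pods.exec.create")


def node_identity_abuse(entries):
    """A node credential doing things a kubelet never does. Denied attempts are
    kept: a failed create followed by a successful one is the pattern to catch."""
    return [e for e in entries if e["suid"].startswith("system:node:")
            and e["method"].endswith(NODE_NEVER_DOES)]


def calls_outside_range(entries, allowed):
    nets = [ipaddress.ip_network(a) for a in allowed]
    return [e for e in entries if not any(ipaddress.ip_address(e["saddr"]) in n for n in nets)]


def triage(lines, allowed=("127.0.0.1/32", "::1/128", "10.0.0.0/8")):
    """Summarise the detections; `allowed` is a constructed expected caller range."""
    entries = parse(lines)
    return {"rbac_changes": len(rbac_changes_excl_system(entries)),
            "csr_creations": len(csr_creations(entries)),
            "kubelet_bootstrap": len(kubelet_bootstrap_calls(entries)),
            "node_identity_abuse": len(node_identity_abuse(entries)),
            "outside_range": sorted({e["saddr"] for e in calls_outside_range(entries, allowed)})}


if __name__ == "__main__":
    print(triage(RAW_LOG_LINES))
```

The node-identity check is the one that would have fired earliest here: a system:node credential creating a deployment or exec’ing into a pod is outside anything Node Authorization should permit, so a single match from an unexpected source address is worth an incident on its own.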

More Related Content

What's hot

A realtime infrastructure for Android apps: Firebase may be what you need..an...
A realtime infrastructure for Android apps: Firebase may be what you need..an...A realtime infrastructure for Android apps: Firebase may be what you need..an...
A realtime infrastructure for Android apps: Firebase may be what you need..an...
Alessandro Martellucci
 
9 steps to awesome with kubernetes
9 steps to awesome with kubernetes9 steps to awesome with kubernetes
9 steps to awesome with kubernetes
BaraniBuuny
 
Creating Your Own Server Add-on that Customizes Confluence or JIRA
Creating Your Own Server Add-on that Customizes Confluence or JIRACreating Your Own Server Add-on that Customizes Confluence or JIRA
Creating Your Own Server Add-on that Customizes Confluence or JIRA
Atlassian
 
Alfresco Integrations - Alfresco Devcon 2012
Alfresco Integrations - Alfresco Devcon 2012Alfresco Integrations - Alfresco Devcon 2012
Alfresco Integrations - Alfresco Devcon 2012
Jared Ottley
 
Integrating Jira Software Cloud With the AWS Code Suite
Integrating Jira Software Cloud With the AWS Code SuiteIntegrating Jira Software Cloud With the AWS Code Suite
Integrating Jira Software Cloud With the AWS Code Suite
Atlassian
 
Introduction to Google Cloud Endpoints: Speed Up Your API Development
Introduction to Google Cloud Endpoints: Speed Up Your API DevelopmentIntroduction to Google Cloud Endpoints: Speed Up Your API Development
Introduction to Google Cloud Endpoints: Speed Up Your API Development
Colin Su
 
Ten Battle-Tested Tips for Atlassian Connect Add-ons
Ten Battle-Tested Tips for Atlassian Connect Add-onsTen Battle-Tested Tips for Atlassian Connect Add-ons
Ten Battle-Tested Tips for Atlassian Connect Add-ons
Atlassian
 
Atlassian Connect on Serverless Platforms: Low Cost Add-Ons
Atlassian Connect on Serverless Platforms: Low Cost Add-OnsAtlassian Connect on Serverless Platforms: Low Cost Add-Ons
Atlassian Connect on Serverless Platforms: Low Cost Add-Ons
Atlassian
 
Gentle App Engine Intro
Gentle App Engine IntroGentle App Engine Intro
Gentle App Engine Intro
robinb123
 
Forge: Under the Hood
Forge: Under the HoodForge: Under the Hood
Forge: Under the Hood
Atlassian
 
From AUI to Atlaskit - Streamlining Development for Server & Cloud Apps
From AUI to Atlaskit - Streamlining Development for Server & Cloud AppsFrom AUI to Atlaskit - Streamlining Development for Server & Cloud Apps
From AUI to Atlaskit - Streamlining Development for Server & Cloud Apps
Atlassian
 
An Exploration of Cross-product App Experiences
An Exploration of Cross-product App ExperiencesAn Exploration of Cross-product App Experiences
An Exploration of Cross-product App Experiences
Atlassian
 
Designing and Running a GraphQL API
Designing and Running a GraphQL APIDesigning and Running a GraphQL API
Designing and Running a GraphQL API
Atlassian
 
Shipping to Server and Cloud with Docker
Shipping to Server and Cloud with DockerShipping to Server and Cloud with Docker
Shipping to Server and Cloud with Docker
Atlassian
 
Cloud Workflows What's new in serverless orchestration and automation
Cloud Workflows What's new in serverless orchestration and automationCloud Workflows What's new in serverless orchestration and automation
Cloud Workflows What's new in serverless orchestration and automation
Márton Kodok
 
Presente e Futuro: Java EE.next()
Presente e Futuro: Java EE.next()Presente e Futuro: Java EE.next()
Presente e Futuro: Java EE.next()
Bruno Borges
 
Spring5 New Features - Nov, 2017
Spring5 New Features - Nov, 2017Spring5 New Features - Nov, 2017
Spring5 New Features - Nov, 2017
VMware Tanzu Korea
 
The User Who Must Not be Named: GDPR and Your Jira App
The User Who Must Not be Named: GDPR and Your Jira AppThe User Who Must Not be Named: GDPR and Your Jira App
The User Who Must Not be Named: GDPR and Your Jira App
Atlassian
 
What's new in Spring Boot 2.0
What's new in Spring Boot 2.0What's new in Spring Boot 2.0
What's new in Spring Boot 2.0
VMware Tanzu
 
Resilient and Adaptable Systems with Cloud Native APIs
Resilient and Adaptable Systems with Cloud Native APIsResilient and Adaptable Systems with Cloud Native APIs
Resilient and Adaptable Systems with Cloud Native APIs
VMware Tanzu
 

What's hot (20)

A realtime infrastructure for Android apps: Firebase may be what you need..an...
A realtime infrastructure for Android apps: Firebase may be what you need..an...A realtime infrastructure for Android apps: Firebase may be what you need..an...
A realtime infrastructure for Android apps: Firebase may be what you need..an...
 
9 steps to awesome with kubernetes
9 steps to awesome with kubernetes9 steps to awesome with kubernetes
9 steps to awesome with kubernetes
 
Creating Your Own Server Add-on that Customizes Confluence or JIRA
Creating Your Own Server Add-on that Customizes Confluence or JIRACreating Your Own Server Add-on that Customizes Confluence or JIRA
Creating Your Own Server Add-on that Customizes Confluence or JIRA
 
Alfresco Integrations - Alfresco Devcon 2012
Alfresco Integrations - Alfresco Devcon 2012Alfresco Integrations - Alfresco Devcon 2012
Alfresco Integrations - Alfresco Devcon 2012
 
Integrating Jira Software Cloud With the AWS Code Suite
Integrating Jira Software Cloud With the AWS Code SuiteIntegrating Jira Software Cloud With the AWS Code Suite
Integrating Jira Software Cloud With the AWS Code Suite
 
Introduction to Google Cloud Endpoints: Speed Up Your API Development
Introduction to Google Cloud Endpoints: Speed Up Your API DevelopmentIntroduction to Google Cloud Endpoints: Speed Up Your API Development
Introduction to Google Cloud Endpoints: Speed Up Your API Development
 
Ten Battle-Tested Tips for Atlassian Connect Add-ons
Ten Battle-Tested Tips for Atlassian Connect Add-onsTen Battle-Tested Tips for Atlassian Connect Add-ons
Ten Battle-Tested Tips for Atlassian Connect Add-ons
 
Atlassian Connect on Serverless Platforms: Low Cost Add-Ons
Atlassian Connect on Serverless Platforms: Low Cost Add-OnsAtlassian Connect on Serverless Platforms: Low Cost Add-Ons
Atlassian Connect on Serverless Platforms: Low Cost Add-Ons
 
Gentle App Engine Intro
Gentle App Engine IntroGentle App Engine Intro
Gentle App Engine Intro
 
Forge: Under the Hood
Forge: Under the HoodForge: Under the Hood
Forge: Under the Hood
 
From AUI to Atlaskit - Streamlining Development for Server & Cloud Apps
From AUI to Atlaskit - Streamlining Development for Server & Cloud AppsFrom AUI to Atlaskit - Streamlining Development for Server & Cloud Apps
From AUI to Atlaskit - Streamlining Development for Server & Cloud Apps
 
An Exploration of Cross-product App Experiences
An Exploration of Cross-product App ExperiencesAn Exploration of Cross-product App Experiences
An Exploration of Cross-product App Experiences
 
Designing and Running a GraphQL API
Designing and Running a GraphQL APIDesigning and Running a GraphQL API
Designing and Running a GraphQL API
 
Shipping to Server and Cloud with Docker
Shipping to Server and Cloud with DockerShipping to Server and Cloud with Docker
Shipping to Server and Cloud with Docker
 
Cloud Workflows What's new in serverless orchestration and automation
Cloud Workflows What's new in serverless orchestration and automationCloud Workflows What's new in serverless orchestration and automation
Cloud Workflows What's new in serverless orchestration and automation
 
Presente e Futuro: Java EE.next()
Presente e Futuro: Java EE.next()Presente e Futuro: Java EE.next()
Presente e Futuro: Java EE.next()
 
Spring5 New Features - Nov, 2017
Spring5 New Features - Nov, 2017Spring5 New Features - Nov, 2017
Spring5 New Features - Nov, 2017
 
The User Who Must Not be Named: GDPR and Your Jira App
The User Who Must Not be Named: GDPR and Your Jira AppThe User Who Must Not be Named: GDPR and Your Jira App
The User Who Must Not be Named: GDPR and Your Jira App
 
What's new in Spring Boot 2.0
What's new in Spring Boot 2.0What's new in Spring Boot 2.0
What's new in Spring Boot 2.0
 
Resilient and Adaptable Systems with Cloud Native APIs
Resilient and Adaptable Systems with Cloud Native APIsResilient and Adaptable Systems with Cloud Native APIs
Resilient and Adaptable Systems with Cloud Native APIs
 

Similar to Kubecon USA 2018: Shopify's $25k bug report and the cluster takeover that didn't happen

API Security - OWASP top 10 for APIs + tips for pentesters
API Security - OWASP top 10 for APIs + tips for pentestersAPI Security - OWASP top 10 for APIs + tips for pentesters
API Security - OWASP top 10 for APIs + tips for pentesters
Inon Shkedy
 
Exploring Google APIs with Python
Exploring Google APIs with PythonExploring Google APIs with Python
Exploring Google APIs with Python
wesley chun
 
API Services: Building State-of-the-Art APIs
API Services: Building State-of-the-Art APIsAPI Services: Building State-of-the-Art APIs
API Services: Building State-of-the-Art APIs
Apigee | Google Cloud
 
Google App Engine – niekonwencjonalna platforma aplikacji SaaS do Twojego nas...
Google App Engine – niekonwencjonalna platforma aplikacji SaaS do Twojego nas...Google App Engine – niekonwencjonalna platforma aplikacji SaaS do Twojego nas...
Google App Engine – niekonwencjonalna platforma aplikacji SaaS do Twojego nas...
3camp
 
The journey of Moving from AWS ELK to GCP Data Pipeline
The journey of Moving from AWS ELK to GCP Data PipelineThe journey of Moving from AWS ELK to GCP Data Pipeline
The journey of Moving from AWS ELK to GCP Data Pipeline
Randy Huang
 
Creating a World-Class RESTful Web Services API
Creating a World-Class RESTful Web Services APICreating a World-Class RESTful Web Services API
Creating a World-Class RESTful Web Services API
David Keener
 
Gluecon 2017 - GoMake | Flying Dreams: Real-Time Communication from the Edge ...
Gluecon 2017 - GoMake | Flying Dreams: Real-Time Communication from the Edge ...Gluecon 2017 - GoMake | Flying Dreams: Real-Time Communication from the Edge ...
Gluecon 2017 - GoMake | Flying Dreams: Real-Time Communication from the Edge ...
Jonathan Barton
 
App Engine Overview Cloud Futures Publish
App Engine Overview Cloud Futures PublishApp Engine Overview Cloud Futures Publish
App Engine Overview Cloud Futures Publish
Chris Schalk
 
Scale By The Bay | 2020 | Gimel
Scale By The Bay | 2020 | GimelScale By The Bay | 2020 | Gimel
Scale By The Bay | 2020 | Gimel
Deepak Chandramouli
 
Build an AI/ML-driven image archive processing workflow: Image archive, analy...
Build an AI/ML-driven image archive processing workflow: Image archive, analy...Build an AI/ML-driven image archive processing workflow: Image archive, analy...
Build an AI/ML-driven image archive processing workflow: Image archive, analy...
wesley chun
 
Gimel at Dataworks Summit San Jose 2018
Gimel at Dataworks Summit San Jose 2018Gimel at Dataworks Summit San Jose 2018
Gimel at Dataworks Summit San Jose 2018
Romit Mehta
 
Dataworks | 2018-06-20 | Gimel data platform
Dataworks | 2018-06-20 | Gimel data platformDataworks | 2018-06-20 | Gimel data platform
Dataworks | 2018-06-20 | Gimel data platform
Deepak Chandramouli
 
Introduction to Google's Cloud Technologies
Introduction to Google's Cloud TechnologiesIntroduction to Google's Cloud Technologies
Introduction to Google's Cloud Technologies
Chris Schalk
 
Walls Within Walls: What if your attacker knows parkour?
Walls Within Walls: What if your attacker knows parkour?Walls Within Walls: What if your attacker knows parkour?
Walls Within Walls: What if your attacker knows parkour?
Greg Castle
 
The Powerful and Comprehensive API for Mobile App Development and Testing
The Powerful and Comprehensive API for Mobile App Development and TestingThe Powerful and Comprehensive API for Mobile App Development and Testing
The Powerful and Comprehensive API for Mobile App Development and Testing
Bitbar
 
What's new in App Engine and intro to App Engine for Business
What's new in App Engine and intro to App Engine for BusinessWhat's new in App Engine and intro to App Engine for Business
What's new in App Engine and intro to App Engine for Business
Chris Schalk
 
Getting Started with API Management – Why It's Needed On-prem and in the Cloud
Getting Started with API Management – Why It's Needed On-prem and in the CloudGetting Started with API Management – Why It's Needed On-prem and in the Cloud
Getting Started with API Management – Why It's Needed On-prem and in the Cloud
Revelation Technologies
 
04/2010 - Google App Engine
04/2010 - Google App Engine04/2010 - Google App Engine
04/2010 - Google App Engine
daveayan
 
Introduction to Google Cloud Platform Technologies
Introduction to Google Cloud Platform TechnologiesIntroduction to Google Cloud Platform Technologies
Introduction to Google Cloud Platform Technologies
Chris Schalk
 
Javaedge 2010-cschalk
Javaedge 2010-cschalkJavaedge 2010-cschalk
Javaedge 2010-cschalk
Chris Schalk
 

Similar to Kubecon USA 2018: Shopify's $25k bug report and the cluster takeover that didn't happen (20)

API Security - OWASP top 10 for APIs + tips for pentesters
API Security - OWASP top 10 for APIs + tips for pentestersAPI Security - OWASP top 10 for APIs + tips for pentesters
API Security - OWASP top 10 for APIs + tips for pentesters
 
Exploring Google APIs with Python
Exploring Google APIs with PythonExploring Google APIs with Python
Exploring Google APIs with Python
 
API Services: Building State-of-the-Art APIs
API Services: Building State-of-the-Art APIsAPI Services: Building State-of-the-Art APIs
API Services: Building State-of-the-Art APIs
 
Google App Engine – niekonwencjonalna platforma aplikacji SaaS do Twojego nas...
Google App Engine – niekonwencjonalna platforma aplikacji SaaS do Twojego nas...Google App Engine – niekonwencjonalna platforma aplikacji SaaS do Twojego nas...
Google App Engine – niekonwencjonalna platforma aplikacji SaaS do Twojego nas...
 
The journey of Moving from AWS ELK to GCP Data Pipeline
The journey of Moving from AWS ELK to GCP Data PipelineThe journey of Moving from AWS ELK to GCP Data Pipeline
The journey of Moving from AWS ELK to GCP Data Pipeline
 
Creating a World-Class RESTful Web Services API
Creating a World-Class RESTful Web Services APICreating a World-Class RESTful Web Services API
Creating a World-Class RESTful Web Services API
 
Gluecon 2017 - GoMake | Flying Dreams: Real-Time Communication from the Edge ...
Gluecon 2017 - GoMake | Flying Dreams: Real-Time Communication from the Edge ...Gluecon 2017 - GoMake | Flying Dreams: Real-Time Communication from the Edge ...
Gluecon 2017 - GoMake | Flying Dreams: Real-Time Communication from the Edge ...
 
App Engine Overview Cloud Futures Publish
App Engine Overview Cloud Futures PublishApp Engine Overview Cloud Futures Publish
App Engine Overview Cloud Futures Publish
 
Scale By The Bay | 2020 | Gimel
Scale By The Bay | 2020 | GimelScale By The Bay | 2020 | Gimel
Scale By The Bay | 2020 | Gimel
 
Build an AI/ML-driven image archive processing workflow: Image archive, analy...
Build an AI/ML-driven image archive processing workflow: Image archive, analy...Build an AI/ML-driven image archive processing workflow: Image archive, analy...
Build an AI/ML-driven image archive processing workflow: Image archive, analy...
 
Gimel at Dataworks Summit San Jose 2018
Gimel at Dataworks Summit San Jose 2018Gimel at Dataworks Summit San Jose 2018
Gimel at Dataworks Summit San Jose 2018
 
Dataworks | 2018-06-20 | Gimel data platform
Dataworks | 2018-06-20 | Gimel data platformDataworks | 2018-06-20 | Gimel data platform
Dataworks | 2018-06-20 | Gimel data platform
 
Introduction to Google's Cloud Technologies
Introduction to Google's Cloud TechnologiesIntroduction to Google's Cloud Technologies
Introduction to Google's Cloud Technologies
 
Walls Within Walls: What if your attacker knows parkour?
Walls Within Walls: What if your attacker knows parkour?Walls Within Walls: What if your attacker knows parkour?
Walls Within Walls: What if your attacker knows parkour?
 
The Powerful and Comprehensive API for Mobile App Development and Testing
The Powerful and Comprehensive API for Mobile App Development and TestingThe Powerful and Comprehensive API for Mobile App Development and Testing
The Powerful and Comprehensive API for Mobile App Development and Testing
 
What's new in App Engine and intro to App Engine for Business
What's new in App Engine and intro to App Engine for BusinessWhat's new in App Engine and intro to App Engine for Business
What's new in App Engine and intro to App Engine for Business
 
Getting Started with API Management – Why It's Needed On-prem and in the Cloud
Getting Started with API Management – Why It's Needed On-prem and in the CloudGetting Started with API Management – Why It's Needed On-prem and in the Cloud
Getting Started with API Management – Why It's Needed On-prem and in the Cloud
 
04/2010 - Google App Engine
04/2010 - Google App Engine04/2010 - Google App Engine
04/2010 - Google App Engine
 
Introduction to Google Cloud Platform Technologies
Introduction to Google Cloud Platform TechnologiesIntroduction to Google Cloud Platform Technologies
Introduction to Google Cloud Platform Technologies
 
Javaedge 2010-cschalk
Javaedge 2010-cschalkJavaedge 2010-cschalk
Javaedge 2010-cschalk
 

Recently uploaded

Securing BGP: Operational Strategies and Best Practices for Network Defenders...
Securing BGP: Operational Strategies and Best Practices for Network Defenders...Securing BGP: Operational Strategies and Best Practices for Network Defenders...
Securing BGP: Operational Strategies and Best Practices for Network Defenders...
APNIC
 
cyber crime.pptx..........................
cyber crime.pptx..........................cyber crime.pptx..........................
cyber crime.pptx..........................
GNAMBIKARAO
 
快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样
快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样
快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样
3a0sd7z3
 
Honeypots Unveiled: Proactive Defense Tactics for Cyber Security, Phoenix Sum...
Honeypots Unveiled: Proactive Defense Tactics for Cyber Security, Phoenix Sum...Honeypots Unveiled: Proactive Defense Tactics for Cyber Security, Phoenix Sum...
Honeypots Unveiled: Proactive Defense Tactics for Cyber Security, Phoenix Sum...
APNIC
 
快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样
快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样
快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样
3a0sd7z3
 
怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样
怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样
怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样
rtunex8r
 
一比一原版新西兰林肯大学毕业证(Lincoln毕业证书)学历如何办理
一比一原版新西兰林肯大学毕业证(Lincoln毕业证书)学历如何办理一比一原版新西兰林肯大学毕业证(Lincoln毕业证书)学历如何办理
一比一原版新西兰林肯大学毕业证(Lincoln毕业证书)学历如何办理
thezot
 
Bengaluru Dreamin' 24 - Personal Branding
Bengaluru Dreamin' 24 - Personal BrandingBengaluru Dreamin' 24 - Personal Branding
Bengaluru Dreamin' 24 - Personal Branding
Tarandeep Singh
 
HijackLoader Evolution: Interactive Process Hollowing
HijackLoader Evolution: Interactive Process HollowingHijackLoader Evolution: Interactive Process Hollowing
HijackLoader Evolution: Interactive Process Hollowing
Donato Onofri
 
一比一原版(uc毕业证书)加拿大卡尔加里大学毕业证如何办理
一比一原版(uc毕业证书)加拿大卡尔加里大学毕业证如何办理一比一原版(uc毕业证书)加拿大卡尔加里大学毕业证如何办理
一比一原版(uc毕业证书)加拿大卡尔加里大学毕业证如何办理
dtagbe
 
How to make a complaint to the police for Social Media Fraud.pdf
How to make a complaint to the police for Social Media Fraud.pdfHow to make a complaint to the police for Social Media Fraud.pdf
How to make a complaint to the police for Social Media Fraud.pdf
Infosec train
 

Recently uploaded (11)

Securing BGP: Operational Strategies and Best Practices for Network Defenders...
Securing BGP: Operational Strategies and Best Practices for Network Defenders...Securing BGP: Operational Strategies and Best Practices for Network Defenders...
Securing BGP: Operational Strategies and Best Practices for Network Defenders...
 
cyber crime.pptx..........................
cyber crime.pptx..........................cyber crime.pptx..........................
cyber crime.pptx..........................
 
快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样
快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样
快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样
 
Honeypots Unveiled: Proactive Defense Tactics for Cyber Security, Phoenix Sum...
Honeypots Unveiled: Proactive Defense Tactics for Cyber Security, Phoenix Sum...Honeypots Unveiled: Proactive Defense Tactics for Cyber Security, Phoenix Sum...
Honeypots Unveiled: Proactive Defense Tactics for Cyber Security, Phoenix Sum...
 
快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样
快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样
快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样
 
怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样
怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样
怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样
 
一比一原版新西兰林肯大学毕业证(Lincoln毕业证书)学历如何办理
一比一原版新西兰林肯大学毕业证(Lincoln毕业证书)学历如何办理一比一原版新西兰林肯大学毕业证(Lincoln毕业证书)学历如何办理
一比一原版新西兰林肯大学毕业证(Lincoln毕业证书)学历如何办理
 
Bengaluru Dreamin' 24 - Personal Branding
Bengaluru Dreamin' 24 - Personal BrandingBengaluru Dreamin' 24 - Personal Branding
Bengaluru Dreamin' 24 - Personal Branding
 
HijackLoader Evolution: Interactive Process Hollowing
HijackLoader Evolution: Interactive Process HollowingHijackLoader Evolution: Interactive Process Hollowing
HijackLoader Evolution: Interactive Process Hollowing
 
一比一原版(uc毕业证书)加拿大卡尔加里大学毕业证如何办理
一比一原版(uc毕业证书)加拿大卡尔加里大学毕业证如何办理一比一原版(uc毕业证书)加拿大卡尔加里大学毕业证如何办理
一比一原版(uc毕业证书)加拿大卡尔加里大学毕业证如何办理
 
How to make a complaint to the police for Social Media Fraud.pdf
How to make a complaint to the police for Social Media Fraud.pdfHow to make a complaint to the police for Social Media Fraud.pdf
How to make a complaint to the police for Social Media Fraud.pdf
 

Kubecon USA 2018: Shopify's $25k bug report and the cluster takeover that didn't happen

  • 1. Shopify’s $25K Bug Report and the cluster takeover that didn’t happen
    Shane Lawrence, Security Infrastructure Engineer, Shopify (Twitter: @shaneplawrence, Github: @shane-lawrence)
    Greg Castle, GKE Security Tech Lead, Google (Twitter: @mrgcastle, Github: @destijl)
    North America 2018
  • 2. A production security story. Agenda: Introduction, Bug report, Exchange, Attack & defense, Detection, Takeaways
  • 4. Who is shopify.com? Shopify’s background (2017 data)
    • 600K+ merchants
    • $26B+ processed
    • 80K+ requests per second peak traffic
  • 5. Shopify cloud platform
    • Scalable
    • Application developers don’t need to learn k8s
    • Self-serve with guardrails & paved roads
    • Security*** by default
  • 6. Shopify’s bug bounty programs
    • 330+ hackers over 3+ years
    • Merchants and buyers protected
    • $1,000,000+ paid
    • hackerone.com/shopify
  • 8. Security report and responses (timeline: about 1 hour)
    • 7:39pm Report (goo.gl/dqynDa) from André Baptista (0xacb): vuln in Exchange app
    • 7:50pm Incident declared
    • 8:00pm Cloudsec and app dev teams contacted
    • 8:43pm Merged commit to disable vulnerable feature
    • 9:27pm Investigation and cleanup started (rotate credentials, contact Google, investigate logs)
  • 10. What is Exchange? Marketplace for buying & selling stores
    [diagram: 1. Exchange app (create listing, screenshots) → request screenshot → 2. Screenshot service (headless browser) → request storefront → 3. Test store (test store frontpage) → webpage → image of page]
  • 12. The attack
    [diagram: security researcher → SSRF → Google service account token, kube-env → kubelet → cluster control (X)]
  • 13. Server Side Request Forgery (SSRF)
  • 14. Attack: Weaponize SSRF. Existing workflow:
    [diagram: 1. Exchange app (create listing, screenshots) → request screenshot → 2. Screenshot service (headless browser) → request storefront → 3. Test store (test store frontpage) → webpage → image of page; 4. Metadata service is also reachable from the screenshot service]
  • 15. Attack: Weaponize SSRF. The test store frontpage is replaced by an exploit page, so the headless browser is sent to 4. Metadata service. Got token for the VM’s Google service account
  • 16. Attack: Weaponize SSRF. Request token → 4. Metadata server (default SA token, v1). Got token for the VM’s Google service account
  • 17. Sidebar: What is this Google SA?
    [diagram: Node (VM) → Metadata server → service account token → Pod → Google APIs]
  • 19. Defense: Require header. Metadata server requires header: Metadata-Flavor: Google. Without it, 4. Metadata server (default SA token, v1) answers 403: header required
  • 20. Attack: Use old API version. Beta API (v1beta1): no request header required :( The exploit page gets a token again (image of token)
  • 21. Defense: Disable old API versions
    • Beta API known issue: APIs still in use
    • Disabled by default in new 1.12+ clusters
    • Opt-in now: “disable-legacy-endpoints=true”
    • goo.gl/JsdJbL for details
  • 22. Defense: Least priv on token
    • Default SA least privilege from 1.10+
    • May vary if users have granted extra privs
    • Shopify had minimal privs for log/mon/debug
    • Token not useful to researcher
  • 23. Attack: What other metadata? Metadata server = trust bootstrap for nodes. Export static key from “kube-env”
    [diagram: exploit page → 5. Metadata server (default SA token v1, v1beta1; kube-env) → image of kube-env]
  • 25. Attack: Kubelet bootstrap key
    [diagram: kube-env → security researcher machine (CA.crt, client.crt, client.pem) → kubectl → GKE K8s API server]
  • 26. Defense: Metadata concealment
    • Now: metadata concealment (Beta), goo.gl/u6rrMT
    • Future: K8s TPM trust bootstrap
    [diagram: 4. Metadata proxy (whitelist/blacklist) sits between 2. Screenshot service and 5. Metadata server (default SA token v1, v1beta1; kube-env) and answers 403 Forbidden]
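The policy core of a concealment proxy like the one on slide 26, written as an added example (not Shopify's or Google's code) that folds in the header requirement of slide 19, the legacy-version block of slides 20-21 and the kube-env concealment of slides 23 and 26. The path layout checks, status codes and the HIDDEN_ATTRIBUTES set are assumptions of this example.

```python
"""Policy core for a metadata concealment proxy in the spirit of slide 26's
metadata proxy.  Added example, not Shopify's or Google's code.  It requires
Metadata-Flavor: Google, refuses legacy API versions such as v1beta1 and
conceals node-bootstrap attributes such as kube-env.  The path checks,
status codes and HIDDEN_ATTRIBUTES set are this example's own assumptions."""
from typing import Mapping, Tuple

# kube-env is from the talk; an operator would add anything else that
# bootstraps their nodes (assumption).
HIDDEN_ATTRIBUTES = frozenset({"kube-env"})
ATTR_DIR = "/computeMetadata/v1/instance/attributes"

def metadata_policy(raw_path: str, headers: Mapping[str, str]) -> Tuple[int, str]:
    """Decide one request from a pod toward the metadata server.

    Returns (HTTP status, reason); 200 means forward it upstream."""
    path, _, query = raw_path.partition("?")
    parts = path.split("/")
    if len(parts) < 3 or parts[1] != "computeMetadata":
        return 404, "not a metadata path"
    # v1beta1 skipped the header check upstream, so refuse every version but v1
    # before anything else (the disable-legacy-endpoints fix, done in the proxy).
    if parts[2] != "v1":
        return 403, "legacy API version blocked"
    flavor = {k.lower(): v for k, v in headers.items()}.get("metadata-flavor")
    if flavor != "Google":
        return 403, "Metadata-Flavor: Google header required"
    # Conceal kube-env, including the directory listing that would name it.
    if path == ATTR_DIR or path.startswith(ATTR_DIR + "/"):
        attr = path[len(ATTR_DIR):].strip("/")
        if attr == "" or attr in HIDDEN_ATTRIBUTES:
            return 403, "concealed attribute"
    # A recursive dump of any ancestor directory would include the hidden keys.
    if "recursive=true" in query.lower():
        base = path.rstrip("/") + "/"
        if any((ATTR_DIR + "/" + a).startswith(base) for a in HIDDEN_ATTRIBUTES):
            return 403, "recursive read would expose a concealed attribute"
    return 200, "allowed"

if __name__ == "__main__":
    # Constructed requests: the default SA token path stays reachable (slide 22
    # relies on least privilege for it), kube-env and legacy paths do not.
    for p, h in [
        ("/computeMetadata/v1/instance/service-accounts/default/token", {"Metadata-Flavor": "Google"}),
        ("/computeMetadata/v1beta1/instance/service-accounts/default/token", {}),
        ("/computeMetadata/v1/instance/attributes/kube-env", {"Metadata-Flavor": "Google"}),
        ("/computeMetadata/v1/instance/?recursive=true", {"Metadata-Flavor": "Google"}),
    ]:
        print(p, "->", metadata_policy(p, h))
```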
  • 27. Defense: Minimize kubelet privs
    • RBAC on (ABAC off): GKE default
    • Node Authorization on: GKE default
    • Audit role bindings: GKE “kubelet-cluster-admin” (not actually cluster admin) binding if upgraded cluster
    • https://kubernetes.io/docs/tasks/administer-cluster/securing-a-cluster/
  • 30. What’s in the logs?
    • K8s API audit logs: goo.gl/d8YebH
    • Content depends on audit policy
    • GKE: g.co/gke/auditlogging
  • 31–32. Filter logs for kubelet user (log screenshots)
  • 39. Shopify’s response
    • 1 day: Disable vulnerable service. Start rotating credentials. Pay $ to researcher.
    • 1 week: Analyze audit logs. Clean up RBAC.
    • 1 month: Prevent unwanted redirects. Re-enable screenshot service. Deploy metadata proxy. Pay $$$ to researcher. Disclose vulnerability.
  • 40. Lessons learned: K8s advice
    • Follow cloud provider hardening advice (GKE: g.co/gke/hardening)
    • Block off/filter access to any privileged network endpoints
    • Run RBAC and Node Authorization (GKE default)
    • Apply least privilege for K8s service accounts
    • Audit role bindings, especially upgraded clusters
    • Collect API logs and have them available to query (GKE default)
  • 41. Links and references
    • Shopify bug bounty: hackerone.com/shopify
    • Bug report details: goo.gl/dqynDa
    • GKE disable old APIs: goo.gl/JsdJbL
    • GKE metadata conceal: goo.gl/u6rrMT
    • K8s API audit logs: goo.gl/d8YebH
    • GKE logging: g.co/gke/auditlogging
    Shane Lawrence, Security Infrastructure Engineer, Shopify (Twitter: @shaneplawrence, Github: @shane-lawrence)
    Greg Castle, GKE Security Tech Lead, Google (Twitter: @mrgcastle, Github: @destijl)
  • 44. Example log queries
    • Broad strokes to get you started
    • No standard language for queries like this; SQL seems most standard, but these include some BigQuery-isms for unpacking repeated fields
    • Validation/tweaking on production clusters needed
    • Mostly intended to point out interesting values and fields
  • 45. RBAC Changes (excl system)

      SELECT timestamp,
             protopayload_auditlog.methodName AS method,
             protopayload_auditlog.resourceName AS resource,
             protopayload_auditlog.authenticationInfo.principalEmail AS suid,
             authzinfo.granted AS granted,
             protopayload_auditlog.requestMetadata.callerIp AS saddr
      FROM `gcastle-gke-dev.kubecon2018.cloudaudit_googleapis_com_activity_*`,
           UNNEST(protopayload_auditlog.authorizationInfo) AS authzinfo
      WHERE protopayload_auditlog.methodName LIKE "io.k8s.authorization.rbac.v1%"
        AND NOT protopayload_auditlog.authenticationInfo.principalEmail LIKE "system:%"
      LIMIT 100

    Similarly, use these methodName strings for specific changes to roles or bindings:
      “io.k8s.authorization.rbac.v1.roles.%”
      “io.k8s.authorization.rbac.v1.rolebindings.%”
      “io.k8s.authorization.rbac.v1.clusterroles.%”
      “io.k8s.authorization.rbac.v1.clusterrolebindings.%”
  • 46. Creating CSRs via K8s API

      SELECT timestamp,
             protopayload_auditlog.methodName AS method,
             protopayload_auditlog.resourceName AS resource,
             protopayload_auditlog.authenticationInfo.principalEmail AS suid,
             authzinfo.granted AS granted,
             protopayload_auditlog.requestMetadata.callerIp AS saddr
      FROM `gcastle-gke-dev.kubecon2018.cloudaudit_googleapis_com_activity_*`,
           UNNEST(protopayload_auditlog.authorizationInfo) AS authzinfo
      WHERE protopayload_auditlog.resourceName LIKE "certificates.k8s.io/v1beta1/certificatesigningrequests%"
      LIMIT 100
  • 47. Unauth’d web requests

      SELECT timestamp,
             protopayload_auditlog.methodName AS method,
             protopayload_auditlog.resourceName AS resource,
             protopayload_auditlog.authenticationInfo.principalEmail AS suid,
             authzinfo.granted AS granted,
             protopayload_auditlog.requestMetadata.callerIp AS saddr
      FROM `gcastle-gke-dev.kubecon2018.cloudaudit_googleapis_com_activity_*`,
           UNNEST(protopayload_auditlog.authorizationInfo) AS authzinfo
      WHERE protopayload_auditlog.authenticationInfo.principalEmail = "system:anonymous"
      LIMIT 100
  • 48. Kubelet bootstrap identity calls (GKE specific)

      SELECT timestamp,
             protopayload_auditlog.methodName AS method,
             protopayload_auditlog.resourceName AS resource,
             protopayload_auditlog.authenticationInfo.principalEmail AS suid,
             authzinfo.granted AS granted,
             protopayload_auditlog.requestMetadata.callerIp AS saddr
      FROM `gcastle-gke-dev.kubecon2018.cloudaudit_googleapis_com_activity_*`,
           UNNEST(protopayload_auditlog.authorizationInfo) AS authzinfo
      WHERE protopayload_auditlog.authenticationInfo.principalEmail LIKE "kubelet"
      LIMIT 100
  • 49. Node authenticated requests

      SELECT timestamp,
             protopayload_auditlog.methodName AS method,
             protopayload_auditlog.resourceName AS resource,
             protopayload_auditlog.authenticationInfo.principalEmail AS suid,
             authzinfo.granted AS granted,
             protopayload_auditlog.requestMetadata.callerIp AS saddr
      FROM `gcastle-gke-dev.kubecon2018.cloudaudit_googleapis_com_activity_*`,
           UNNEST(protopayload_auditlog.authorizationInfo) AS authzinfo
      WHERE protopayload_auditlog.authenticationInfo.principalEmail LIKE "system:node%"
      LIMIT 100
  • 50. Calls outside IP range

      SELECT timestamp,
             protopayload_auditlog.methodName AS method,
             protopayload_auditlog.resourceName AS resource,
             protopayload_auditlog.authenticationInfo.principalEmail AS suid,
             authzinfo.granted AS granted,
             protopayload_auditlog.requestMetadata.callerIp AS saddr
      FROM `gcastle-gke-dev.kubecon2018.cloudaudit_googleapis_com_activity_*`,
           UNNEST(protopayload_auditlog.authorizationInfo) AS authzinfo
      WHERE NOT protopayload_auditlog.requestMetadata.callerIp = "127.0.0.1"
        AND NOT protopayload_auditlog.requestMetadata.callerIp = "::1"
        AND protopayload_auditlog.requestMetadata.callerIp NOT LIKE "8.8%"
      LIMIT 100
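The six queries above as detection logic run over sample audit entries, in Python instead of BigQuery SQL. This is an added example, not code from the talk: the field names follow the queries' columns, the log lines are constructed, and the trusted IP range stands in for the slide's "8.8%" placeholder.

```python
"""Run the talk's audit-log hunts (slides 45-50) over sample Kubernetes audit
entries.  Added example, not Shopify's or Google's code: each tag mirrors one
BigQuery query.  The log lines are constructed and TRUSTED_NETS is an
assumption (the slide's "8.8%" is a placeholder for a real range)."""
import ipaddress
import json

LOOPBACK = {"127.0.0.1", "::1"}
TRUSTED_NETS = [ipaddress.ip_network("10.128.0.0/20")]  # assumed VPC range

# (tag, predicate over methodName, resourceName, principalEmail, callerIp), one per slide.
HUNTS = [
    ("rbac-change", lambda m, r, s, ip: m.startswith("io.k8s.authorization.rbac.v1") and not s.startswith("system:")),  # 45
    ("csr", lambda m, r, s, ip: r.startswith("certificates.k8s.io/v1beta1/certificatesigningrequests")),  # 46
    ("anonymous", lambda m, r, s, ip: s == "system:anonymous"),                     # 47
    ("kubelet-bootstrap", lambda m, r, s, ip: s == "kubelet"),                      # 48 (GKE specific)
    ("node", lambda m, r, s, ip: s.startswith("system:node")),                      # 49
    ("outside-ip-range", lambda m, r, s, ip: ip not in LOOPBACK and not any(ipaddress.ip_address(ip) in n for n in TRUSTED_NETS)),  # 50
]

def entry(ts, method, resource, suid, ip, granted=True):  # the export fields the queries read
    return {"timestamp": ts, "protopayload_auditlog": {
        "methodName": method, "resourceName": resource,
        "authenticationInfo": {"principalEmail": suid},
        "authorizationInfo": [{"granted": granted}],
        "requestMetadata": {"callerIp": ip}}}

SAMPLE_LOG = "\n".join(json.dumps(e) for e in [  # constructed, one JSON object per line
    entry("2018-12-10T19:41:02Z", "io.k8s.certificates.v1beta1.certificatesigningrequests.create",
          "certificates.k8s.io/v1beta1/certificatesigningrequests/node-csr-x1", "kubelet", "203.0.113.7"),
    entry("2018-12-10T19:41:09Z", "io.k8s.core.v1.nodes.status.update",
          "core/v1/nodes/gke-pool-1-abc/status", "system:node:gke-pool-1-abc", "10.128.0.5"),
    entry("2018-12-10T19:42:30Z", "io.k8s.authorization.rbac.v1.clusterrolebindings.create",
          "rbac.authorization.k8s.io/v1/clusterrolebindings/debug-admin", "alice@example.com", "10.128.0.9"),
    entry("2018-12-10T19:43:11Z", "io.k8s.core.v1.pods.list", "core/v1/namespaces/default/pods",
          "system:anonymous", "198.51.100.4", granted=False),
])

def hunt(line):
    """Tag one audit line with every hunt it matches; same columns as the slides."""
    e = json.loads(line)
    p = e["protopayload_auditlog"]
    suid, ip = p["authenticationInfo"]["principalEmail"], p["requestMetadata"]["callerIp"]
    tags = [tag for tag, pred in HUNTS if pred(p["methodName"], p["resourceName"], suid, ip)]
    return {"timestamp": e["timestamp"], "suid": suid, "saddr": ip, "tags": tags,
            "granted": all(a["granted"] for a in p["authorizationInfo"])}

def scan(log_text):
    """Hunt over a whole log, keeping only lines that matched at least one query."""
    return [r for r in map(hunt, log_text.splitlines()) if r["tags"]]
```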