All Your Containers Are Belong To Us
1 like361 views
The document is a presentation by James Condon that covers Kubernetes security, focusing on components like the dashboard, API server, and etcd. It provides insights into vulnerabilities and offers recommendations for managing and securing Kubernetes clusters. Key findings highlight the widespread exposure of dashboard and API servers, particularly in cloud environments like AWS.
All Your Containers Are Belong To Us
- 1. ALL YOUR CONTAINERS ARE BELONG TO US James Condon BSidesSF19 March 4th, 2019
- 2. AGENDA • whoami • Kubernetes overview • Dashboard • API Server • etcd • Final thoughts
- 3. whoami • James Condon, Director of Research @ Lacework • Former USAF OSI, Mandiant, and ProtectWise • Network Forensics, Incident Response, Threat Intelligence, Cloud Security @laceworklabs @jameswcondon
- 6. RESEARCH DISCLAIMERS • No containers were harmed in the making of this presentation • Promote awareness & enhance security • Recommendations for managing your own cluster
- 7. KUBERNETES DASHBOARD • Cluster management UI • Web based • Default service account needs RBAC • Dashboards in the news
- 9. DASHBOARD FINDINGS 500+ 75% AWS 10% GCP + Azure Ports 80, 443, 8080
- 10. DASHBOARD RECOMMENDATIONS • Disable (if possible) • Ensure RBAC is enabled • Don’t elevate privileges on default service account • Avoid internet access, otherwise use VPN, Bastion, etc
- 11. KUBERNETES API SERVER • Fundamental component of Kubernetes • REST API • Handles authentication and authorization • Secure & insecure port by default • CVE-2018-1002105
- 13. API SERVER FINDINGS 21K+ 92% AWS, ~3% GCP + Azure ’18: 21K+ for K8s, Meso, OpenShift, & Swarm Cert CNs: kubernetes-master 88%, system:apiserver 4%, apiserver 2%
- 14. API SERVER FINDINGS (INSECURE PORT) 800+
- 15. API SERVER RECOMMENDATIONS • Restrict network access • Disable insecure port • Enable RBAC • Look into advanced authentication options • Upgrade
- 16. ETCD • Distributed key value datastore • Maintains cluster state and secrets • No authentication by default • No encryption at rest by default • REST & gRPC APIs • The Luke Hemsworth of unsecured DBs
- 19. ETCD RECOMMENDATIONS • Only API server should have access • Use TLS for peer communications • Use certification authentication • Encrypt data at rest
- 20. FINAL THOUGHTS • Large scale exposure • Internet exposure is just one piece of the security puzzle • K8s has lots of security features, understand what they are • Know what defaults are set with config tools
- 21. 1. Kubernetes Illustrated Children's Guide: https://youtu.be/4ht22ReBjno 2. Tesla Exposed Dashboard https://redlock.io/blog/cryptojacking-tesla 3. Weight Watchers Exposed Dashboard https://kromtech.com/blog/security-center/weightwatchers- exposure-a-simple-yet-powerful-lesson-in-cloud-security 4. Censys https://censys.io/ 5. Lacework Containers at Risk Report https://info.lacework.com/hubfs/Containers%20At- Risk_%20A%20Review%20of%2021,000%20Cloud%20Environments.pdf 6. CVE-2018-1002105 Github Page https://github.com/kubernetes/kubernetes/issues/71411 7. Shodan https://www.shodan.io/ 8. Exposed etcd Clusters Blog https://elweb.co/the-security-footgun-in-etcd/ 9. Lacework exposed etcd Clusters Blog https://www.lacework.com/etcd-thousands-of-clusters-open/ 10.Lacework Securing K8s Blog https://www.lacework.com/art-into-science-conference-securing-k8s/ RESOURCES