SlideShare a Scribd company logo

Container Days: Hijack a Kubernetes Cluster - a Walkthrough

Nico Meisenzahl, profile picture
Nico Meisenzahl

The document outlines a talk about hijacking Kubernetes clusters and emphasizes awareness of common attack vectors and preventive measures. It covers best practices for securing application code, container images, deployment manifests, and enforcing Kubernetes policies and network restrictions. Additionally, it provides resources and tools for improving container runtime security and maintaining compliance within clusters.

Technology
1 of 25
Download to read offline
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
Hijack a Kubernetes Cluster – a Walkthrough ContainerDays 2022
Nico Meisenzahl • Head of DevOps Consulting & Operations at white duck • Microsoft MVP, GitLab Hero • Cloud Native, Kubernetes & Azure © white duck GmbH 2022 Email: nico.meisenzahl@whiteduck.de Twitter: @nmeisenzahl LinkedIn: https://www.linkedin.com/in/nicomeisenzahl Blog: https://meisenzahl.org
About this talk • this is not an in-depth security talk • it should make you aware of common attack vectors and how to prevent them • you will see demos on how to hijack a cluster • you will learn how to prevent those with common best practices • three more slide, then we will start hijacking • https://github.com/nmeisenzahl/hijack-kubernetes © white duck GmbH 2022
Why do we need to care about security? https://www.redhat.com/en/resources/state-kubernetes-security-report
What we will do © white duck GmbH 2022
Log4Shell https://www.splunk.com/en_us/surge/log4shell-log4j-response-overview.html
Security quick wins through the DevOps cycle © white duck GmbH 2022
Ensure secure application code • automate and enforce code checks • schedule dependency scanning • e.g. Dependabot • enforce Static Application Security Testing (SAST) in PRs • scans your code to identify potential security vulnerabilities • more details: https://owasp.org/www- community/Source_Code_Analysis_Tools © white duck GmbH 2022
Build secure container images • build secure/small container images – less is more • do only include required dependencies (no debugging tools!) • use self-contained binaries or “distroless” if possible • https://github.com/GoogleContainerTools/distroless • otherwise, use a small and secure Linux distro • use and enforce SAST for validating your Dockerfiles • scan your container images (on build and regularly) © white duck GmbH 2022
Build secure container images • build secure/small container images – less is more • do only include required dependencies (no debugging tools!) • use self-contained binaries or “distroless” if possible • https://github.com/GoogleContainerTools/distroless • otherwise, use a small and secure Linux distro • use and enforce SAST for validating your Dockerfiles • scan your container images (on build and regularly) © white duck GmbH 2022 Would have made it much harder to hijack the container and further expend Would have shown the possibility of code injection
Ensure secure deployment code • as important as secure application code and Dockerfiles • validate your deployment manifests using SAST • and enforce them via PRs • can help you to implement best practices like denying • containers running as root • mounting hostPath • … © white duck GmbH 2022
Ensure secure deployment code • as important as secure application code and Dockerfiles • validate your deployment manifests using SAST • and enforce them via PRs • can help you to implement best practices like denying • containers running as root • mounting hostPath • … © white duck GmbH 2022 Would have made it much harder to hijack the node
SAST Tooling • Source code • https://codeql.github.com • https://security-code-scan.github.io • https://securego.io • Kubernetes manifests • https://kubesec.io • https://github.com/aquasecurity/trivy • https://github.com/bridgecrewio/checkov • Dockerfiles • https://github.com/aquasecurity/trivy • https://github.com/bridgecrewio/checkov • Terraform • https://github.com/tfsec/tfsec • https://github.com/aquasecurity/trivy • https://github.com/bridgecrewio/checkov © white duck GmbH 2022
Kubernetes policies • enforce compliance and governance within clusters • verifying manifests is not enough! • examples include enforcement of • read-only filesystems • denying hostPath mounts • denying containers running as root • … © white duck GmbH 2022
Kubernetes policies • enforce compliance and governance within clusters • verifying manifests is not enough! • examples include enforcement of • read-only filesystems • denying hostPath mounts • denying containers running as root • … © white duck GmbH 2022 Would have made it much harder to further hijack the nodes and cloud resources
Kubernetes policy tooling • Pod Security Admission • stable since 1.25 • https://kubernetes.io/docs/concepts/security/pod-security- admission • Open Policy Agent Gatekeeper • https://github.com/open-policy-agent/gatekeeper • Kyverno • https://kyverno.io © white duck GmbH 2022
Network Policies • granular deny or explicitly allow between containers and ingress/egress of the cluster • limit egress access to the internet • limit access between applications/namespaces • deny access to the Cloud provider metadata service • https://kubernetes.io/docs/concepts/services- networking/network-policies © white duck GmbH 2022
Network Policies • granular deny or explicitly allow between containers and ingress/egress of the cluster • limit egress access to the internet • limit access between applications/namespaces • deny access to the Cloud provider metadata service • https://kubernetes.io/docs/concepts/services- networking/network-policies © white duck GmbH 2022 Would have denied network connections (reverse shell, Redis, Internet, metadata service)
Container Runtime Security • helps to detect malicious threads and workloads • untrusted process within container • a shell is running inside a container • container process mounting a sensitive path • a process making outbound network connections • container runtime security tools like Falco of Tetragon can help © white duck GmbH 2022
Container Runtime Security • helps to detect malicious threads and workloads • untrusted process within container • a shell is running inside a container • container process mounting a sensitive path • a process making outbound network connections • container runtime security tools like Falco of Tetragon can help © white duck GmbH 2022
Container Runtime Security • helps to detect malicious threads and workloads • untrusted process within container • a shell is running inside a container • container process mounting a sensitive path • a process making outbound network connections • container runtime security tools like Falco of Tetragon can help © white duck GmbH 2022 Would have detect all our “work” within the containers
Further best practises • do not • share service accounts between applications • enable higher access levels for the default service account if not required • mount service account token if not required • https://kubernetes.io/docs/tasks/configure-pod-container/configure-service- account/#use-the-default-service-account-to-access-the-api-server • changed with 1.24 • review all third-party snippets before applying them • implement a Web Application Firewall (WAF) to further secure your application © white duck GmbH 2022
Further best practises • do not • share service accounts between applications • enable higher access levels for the default service account if not required • mount service account token if not required • https://kubernetes.io/docs/tasks/configure-pod-container/configure-service- account/#use-the-default-service-account-to-access-the-api-server • changed with 1.24 • review all third-party snippets before applying them • implement a Web Application Firewall (WAF) to further secure your application © white duck GmbH 2022 Wouldn’t have allowed us to talk to the API server Would have denied our code injection
ContainerDays 2022 Post-Conference Meetup • https://www.meetup.com/hamburg-kubernetes-meetup/events/287713443 © white duck GmbH 2022
Questions? • Slides: https://www.slideshare.net/nmeisenzahl • Demo: https://github.com/nmeisenzahl/hijack-kubernetes © white duck GmbH 2022 Email: nico.meisenzahl@whiteduck.de Twitter: @nmeisenzahl LinkedIn: https://www.linkedin.com/in/nicomeisenzahl Blog: https://meisenzahl.org

More Related Content

PPTX
Hijack a Kubernetes Cluster - a Walkthrough
Nico Meisenzahl
 
PDF
Hijack a Kubernetes Cluster - a Walkthrough
Nico Meisenzahl
 
PDF
ContainerConf 2022: Hijack Kubernetes
Nico Meisenzahl
 
PDF
How to Prevent Your Kubernetes Cluster From Being Hacked
Nico Meisenzahl
 
PDF
KCD Munich 2022: How to Prevent Your Kubernetes Cluster From Being Hacked
Nico Meisenzahl
 
PDF
KCD Munich 2022: Hijack a Kubernetes Cluster - a Walkthrough
Nico Meisenzahl
 
PDF
Microsoft DevOps Forum 2021 – DevOps & Security
Nico Meisenzahl
 
PPTX
Kubernetes and container security
Volodymyr Shynkar
 
Hijack a Kubernetes Cluster - a Walkthrough
Nico Meisenzahl
 
Hijack a Kubernetes Cluster - a Walkthrough
Nico Meisenzahl
 
ContainerConf 2022: Hijack Kubernetes
Nico Meisenzahl
 
How to Prevent Your Kubernetes Cluster From Being Hacked
Nico Meisenzahl
 
KCD Munich 2022: How to Prevent Your Kubernetes Cluster From Being Hacked
Nico Meisenzahl
 
KCD Munich 2022: Hijack a Kubernetes Cluster - a Walkthrough
Nico Meisenzahl
 
Microsoft DevOps Forum 2021 – DevOps & Security
Nico Meisenzahl
 
Kubernetes and container security
Volodymyr Shynkar
 

Similar to Container Days: Hijack a Kubernetes Cluster - a Walkthrough (20)

PDF
ContainerConf 2022: Kubernetes is awesome - but...
Nico Meisenzahl
 
PDF
Cloud Love Conference: Kubernetes is awesome, but...
Nico Meisenzahl
 
PDF
Container Day Security: How to Prevent Your Kubernetes Cluster From Being Hacked
Nico Meisenzahl
 
PDF
GitLab Remote Meetup: Enhance Your Kubernetes CI/CD Pipelines with GitLab & O...
Cloud Native Rosenheim Meetup
 
PDF
GitLab Remote Meetup: Enhance Your Kubernetes CI/CD Pipelines with GitLab & ...
Nico Meisenzahl
 
PDF
How to Prevent Your Kubernetes Cluster From Being Hacked by Nico Meisenzahl
ContainerDay Security 2023
 
PDF
How to Prevent Your Kubernetes Cluster From Being Hacked by Nico Meisenzahl
ContainerDay Security 2023
 
PDF
Secure Your Code Implement DevSecOps in Azure
kloia
 
PDF
Effiziente CI/CD-Pipelines – mit den richtigen Tools klappt das
Nico Meisenzahl
 
PDF
DevOpsCon London: How containerized Pipelines can boost your CI/CD
Nico Meisenzahl
 
PDF
GitLab London Meetup: How Containerized Pipelines and Kubernetes Can Boost Yo...
Nico Meisenzahl
 
PDF
Virtual GitLab Meetup: How Containerized Pipelines and Kubernetes Can Boost Y...
Nico Meisenzahl
 
PPTX
FestiveTechCalendar2021 - Have Yourself An​ Azure Container Registry
Philip Welz
 
PPTX
Kubernetes Security
Karthik Gaekwad
 
PDF
Mitigate potential compliance risks
Jürgen Brüder
 
PPTX
Aleksei Dremin - Application Security Pipeline - phdays9
Alexey Dremin
 
PPTX
10 tips for Cloud Native Security
Karthik Gaekwad
 
PPTX
Secure your web app presentation
Frans Lytzen
 
PDF
Docker Rosenheim Meetup: Policy & Governance for Kubernetes
Nico Meisenzahl
 
PPTX
Tips and best practices for Docker
Calidad Infotech
 
ContainerConf 2022: Kubernetes is awesome - but...
Nico Meisenzahl
 
Cloud Love Conference: Kubernetes is awesome, but...
Nico Meisenzahl
 
Container Day Security: How to Prevent Your Kubernetes Cluster From Being Hacked
Nico Meisenzahl
 
GitLab Remote Meetup: Enhance Your Kubernetes CI/CD Pipelines with GitLab & O...
Cloud Native Rosenheim Meetup
 
GitLab Remote Meetup: Enhance Your Kubernetes CI/CD Pipelines with GitLab & ...
Nico Meisenzahl
 
How to Prevent Your Kubernetes Cluster From Being Hacked by Nico Meisenzahl
ContainerDay Security 2023
 
How to Prevent Your Kubernetes Cluster From Being Hacked by Nico Meisenzahl
ContainerDay Security 2023
 
Secure Your Code Implement DevSecOps in Azure
kloia
 
Effiziente CI/CD-Pipelines – mit den richtigen Tools klappt das
Nico Meisenzahl
 
DevOpsCon London: How containerized Pipelines can boost your CI/CD
Nico Meisenzahl
 
GitLab London Meetup: How Containerized Pipelines and Kubernetes Can Boost Yo...
Nico Meisenzahl
 
Virtual GitLab Meetup: How Containerized Pipelines and Kubernetes Can Boost Y...
Nico Meisenzahl
 
FestiveTechCalendar2021 - Have Yourself An​ Azure Container Registry
Philip Welz
 
Kubernetes Security
Karthik Gaekwad
 
Mitigate potential compliance risks
Jürgen Brüder
 
Aleksei Dremin - Application Security Pipeline - phdays9
Alexey Dremin
 
10 tips for Cloud Native Security
Karthik Gaekwad
 
Secure your web app presentation
Frans Lytzen
 
Docker Rosenheim Meetup: Policy & Governance for Kubernetes
Nico Meisenzahl
 
Tips and best practices for Docker
Calidad Infotech
 
Ad

More from Nico Meisenzahl (18)

PDF
Cloud-Native & Sustainability: How and Why to Build Sustainable Workloads
Nico Meisenzahl
 
PDF
Festive Tech Calendar: Festive time with AKS networking
Nico Meisenzahl
 
PDF
Azure Zürich User Group: Azure Kubernetes Service – more than just a managed ...
Nico Meisenzahl
 
PDF
azdevcom - Hijack a Kubernetes Cluster
Nico Meisenzahl
 
PDF
Continuous Lifecycle: Enhance Your Compliance and Governance With Policy-Base...
Nico Meisenzahl
 
PDF
Continuous Lifecycle: Hijack Kubernetes
Nico Meisenzahl
 
PDF
Hijack a Kubernetes Cluster - a Walkthrough
Nico Meisenzahl
 
PDF
GitLab Commit: Enhance your Compliance with Policy-Based CI/CD
Nico Meisenzahl
 
PDF
Azure Meetup Hamburg: Production-Ready Terraform Deployments on Azure
Nico Meisenzahl
 
PDF
DevOpsCon Berlin: Helm vs Operators – Do I Need to Decide?
Nico Meisenzahl
 
PDF
GitLab Commit DevOps: How GitLab Can Save your Kubernetes environment from Be...
Nico Meisenzahl
 
PDF
GitHub Actions 101
Nico Meisenzahl
 
PDF
Azure Rosenheim Meetup: Azure Service Operator
Nico Meisenzahl
 
PDF
Azure Saturday Hamburg: Containerize Your .NET Microservice - the Right Way!
Nico Meisenzahl
 
PDF
Cloud Native Day: Cloud-native Anwendungsentwicklung im Jahr 2021
Nico Meisenzahl
 
PDF
Die Evolution von Container Image Builds
Nico Meisenzahl
 
PDF
Azure Service Operator - Provision Your Resources in a Cloud-Native Way
Nico Meisenzahl
 
PDF
GitLab Commit: Your Attackers Won't Be Happy! How GitLab Can Help You Secure ...
Nico Meisenzahl
 
Cloud-Native & Sustainability: How and Why to Build Sustainable Workloads
Nico Meisenzahl
 
Festive Tech Calendar: Festive time with AKS networking
Nico Meisenzahl
 
Azure Zürich User Group: Azure Kubernetes Service – more than just a managed ...
Nico Meisenzahl
 
azdevcom - Hijack a Kubernetes Cluster
Nico Meisenzahl
 
Continuous Lifecycle: Enhance Your Compliance and Governance With Policy-Base...
Nico Meisenzahl
 
Continuous Lifecycle: Hijack Kubernetes
Nico Meisenzahl
 
Hijack a Kubernetes Cluster - a Walkthrough
Nico Meisenzahl
 
GitLab Commit: Enhance your Compliance with Policy-Based CI/CD
Nico Meisenzahl
 
Azure Meetup Hamburg: Production-Ready Terraform Deployments on Azure
Nico Meisenzahl
 
DevOpsCon Berlin: Helm vs Operators – Do I Need to Decide?
Nico Meisenzahl
 
GitLab Commit DevOps: How GitLab Can Save your Kubernetes environment from Be...
Nico Meisenzahl
 
GitHub Actions 101
Nico Meisenzahl
 
Azure Rosenheim Meetup: Azure Service Operator
Nico Meisenzahl
 
Azure Saturday Hamburg: Containerize Your .NET Microservice - the Right Way!
Nico Meisenzahl
 
Cloud Native Day: Cloud-native Anwendungsentwicklung im Jahr 2021
Nico Meisenzahl
 
Die Evolution von Container Image Builds
Nico Meisenzahl
 
Azure Service Operator - Provision Your Resources in a Cloud-Native Way
Nico Meisenzahl
 
GitLab Commit: Your Attackers Won't Be Happy! How GitLab Can Help You Secure ...
Nico Meisenzahl
 
Ad

Recently uploaded (20)

PPTX
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
 
PDF
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
PDF
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
PDF
Shreyas Phanse Resume: Experienced Backend Engineer | Java • Spring Boot • Ka...
SHREYAS PHANSE
 
PDF
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
PDF
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
PPTX
Effective Security Operations Center (SOC) A Modern, Strategic, and Threat-In...
ReZa AdineH
 
PPTX
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
PDF
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
PDF
The Rise and Fall of 3GPP – Time for a Sabbatical?
3G4G
 
PDF
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
PDF
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
PDF
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
PDF
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 
PPTX
A Presentation on Artificial Intelligence
memembruh336
 
PPTX
Cloud computing and distributed systems.
kkkkkhan
 
PDF
NewMind AI Monthly Chronicles - July 2025
NewMind AI
 
PDF
Modernizing your data center with Dell and AMD
Principled Technologies
 
PDF
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 
PPTX
MYSQL Presentation for SQL database connectivity
Swati270511
 
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
 
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
Shreyas Phanse Resume: Experienced Backend Engineer | Java • Spring Boot • Ka...
SHREYAS PHANSE
 
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
Effective Security Operations Center (SOC) A Modern, Strategic, and Threat-In...
ReZa AdineH
 
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
The Rise and Fall of 3GPP – Time for a Sabbatical?
3G4G
 
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 
A Presentation on Artificial Intelligence
memembruh336
 
Cloud computing and distributed systems.
kkkkkhan
 
NewMind AI Monthly Chronicles - July 2025
NewMind AI
 
Modernizing your data center with Dell and AMD
Principled Technologies
 
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 
MYSQL Presentation for SQL database connectivity
Swati270511
 

Container Days: Hijack a Kubernetes Cluster - a Walkthrough

  • 1. Hijack a Kubernetes Cluster – a Walkthrough ContainerDays 2022
  • 2. Nico Meisenzahl • Head of DevOps Consulting & Operations at white duck • Microsoft MVP, GitLab Hero • Cloud Native, Kubernetes & Azure © white duck GmbH 2022 Email: nico.meisenzahl@whiteduck.de Twitter: @nmeisenzahl LinkedIn: https://www.linkedin.com/in/nicomeisenzahl Blog: https://meisenzahl.org
  • 3. About this talk • this is not an in-depth security talk • it should make you aware of common attack vectors and how to prevent them • you will see demos on how to hijack a cluster • you will learn how to prevent those with common best practices • three more slide, then we will start hijacking • https://github.com/nmeisenzahl/hijack-kubernetes © white duck GmbH 2022
  • 4. Why do we need to care about security? https://www.redhat.com/en/resources/state-kubernetes-security-report
  • 5. What we will do © white duck GmbH 2022
  • 7. Security quick wins through the DevOps cycle © white duck GmbH 2022
  • 8. Ensure secure application code • automate and enforce code checks • schedule dependency scanning • e.g. Dependabot • enforce Static Application Security Testing (SAST) in PRs • scans your code to identify potential security vulnerabilities • more details: https://owasp.org/www- community/Source_Code_Analysis_Tools © white duck GmbH 2022
  • 9. Build secure container images • build secure/small container images – less is more • do only include required dependencies (no debugging tools!) • use self-contained binaries or “distroless” if possible • https://github.com/GoogleContainerTools/distroless • otherwise, use a small and secure Linux distro • use and enforce SAST for validating your Dockerfiles • scan your container images (on build and regularly) © white duck GmbH 2022
  • 10. Build secure container images • build secure/small container images – less is more • do only include required dependencies (no debugging tools!) • use self-contained binaries or “distroless” if possible • https://github.com/GoogleContainerTools/distroless • otherwise, use a small and secure Linux distro • use and enforce SAST for validating your Dockerfiles • scan your container images (on build and regularly) © white duck GmbH 2022 Would have made it much harder to hijack the container and further expend Would have shown the possibility of code injection
  • 11. Ensure secure deployment code • as important as secure application code and Dockerfiles • validate your deployment manifests using SAST • and enforce them via PRs • can help you to implement best practices like denying • containers running as root • mounting hostPath • … © white duck GmbH 2022
  • 12. Ensure secure deployment code • as important as secure application code and Dockerfiles • validate your deployment manifests using SAST • and enforce them via PRs • can help you to implement best practices like denying • containers running as root • mounting hostPath • … © white duck GmbH 2022 Would have made it much harder to hijack the node
  • 13. SAST Tooling • Source code • https://codeql.github.com • https://security-code-scan.github.io • https://securego.io • Kubernetes manifests • https://kubesec.io • https://github.com/aquasecurity/trivy • https://github.com/bridgecrewio/checkov • Dockerfiles • https://github.com/aquasecurity/trivy • https://github.com/bridgecrewio/checkov • Terraform • https://github.com/tfsec/tfsec • https://github.com/aquasecurity/trivy • https://github.com/bridgecrewio/checkov © white duck GmbH 2022
  • 14. Kubernetes policies • enforce compliance and governance within clusters • verifying manifests is not enough! • examples include enforcement of • read-only filesystems • denying hostPath mounts • denying containers running as root • … © white duck GmbH 2022
  • 15. Kubernetes policies • enforce compliance and governance within clusters • verifying manifests is not enough! • examples include enforcement of • read-only filesystems • denying hostPath mounts • denying containers running as root • … © white duck GmbH 2022 Would have made it much harder to further hijack the nodes and cloud resources
  • 16. Kubernetes policy tooling • Pod Security Admission • stable since 1.25 • https://kubernetes.io/docs/concepts/security/pod-security- admission • Open Policy Agent Gatekeeper • https://github.com/open-policy-agent/gatekeeper • Kyverno • https://kyverno.io © white duck GmbH 2022
  • 17. Network Policies • granular deny or explicitly allow between containers and ingress/egress of the cluster • limit egress access to the internet • limit access between applications/namespaces • deny access to the Cloud provider metadata service • https://kubernetes.io/docs/concepts/services- networking/network-policies © white duck GmbH 2022
  • 18. Network Policies • granular deny or explicitly allow between containers and ingress/egress of the cluster • limit egress access to the internet • limit access between applications/namespaces • deny access to the Cloud provider metadata service • https://kubernetes.io/docs/concepts/services- networking/network-policies © white duck GmbH 2022 Would have denied network connections (reverse shell, Redis, Internet, metadata service)
  • 19. Container Runtime Security • helps to detect malicious threads and workloads • untrusted process within container • a shell is running inside a container • container process mounting a sensitive path • a process making outbound network connections • container runtime security tools like Falco of Tetragon can help © white duck GmbH 2022
  • 20. Container Runtime Security • helps to detect malicious threads and workloads • untrusted process within container • a shell is running inside a container • container process mounting a sensitive path • a process making outbound network connections • container runtime security tools like Falco of Tetragon can help © white duck GmbH 2022
  • 21. Container Runtime Security • helps to detect malicious threads and workloads • untrusted process within container • a shell is running inside a container • container process mounting a sensitive path • a process making outbound network connections • container runtime security tools like Falco of Tetragon can help © white duck GmbH 2022 Would have detect all our “work” within the containers
  • 22. Further best practises • do not • share service accounts between applications • enable higher access levels for the default service account if not required • mount service account token if not required • https://kubernetes.io/docs/tasks/configure-pod-container/configure-service- account/#use-the-default-service-account-to-access-the-api-server • changed with 1.24 • review all third-party snippets before applying them • implement a Web Application Firewall (WAF) to further secure your application © white duck GmbH 2022
  • 23. Further best practises • do not • share service accounts between applications • enable higher access levels for the default service account if not required • mount service account token if not required • https://kubernetes.io/docs/tasks/configure-pod-container/configure-service- account/#use-the-default-service-account-to-access-the-api-server • changed with 1.24 • review all third-party snippets before applying them • implement a Web Application Firewall (WAF) to further secure your application © white duck GmbH 2022 Wouldn’t have allowed us to talk to the API server Would have denied our code injection
  • 24. ContainerDays 2022 Post-Conference Meetup • https://www.meetup.com/hamburg-kubernetes-meetup/events/287713443 © white duck GmbH 2022
  • 25. Questions? • Slides: https://www.slideshare.net/nmeisenzahl • Demo: https://github.com/nmeisenzahl/hijack-kubernetes © white duck GmbH 2022 Email: nico.meisenzahl@whiteduck.de Twitter: @nmeisenzahl LinkedIn: https://www.linkedin.com/in/nicomeisenzahl Blog: https://meisenzahl.org