SlideShare a Scribd company logo

Hijack a Kubernetes Cluster - a Walkthrough

Nico Meisenzahl, profile picture
Nico Meisenzahl

The document presents a walkthrough on how to hijack a Kubernetes cluster while highlighting common attack vectors and preventive measures. It emphasizes secure application code, container image building, secure deployment practices, and the importance of Kubernetes and network policies to enhance security. Additionally, it offers recommendations for best practices to minimize security risks in cloud environments.

Technology
1 of 22
Download to read offline
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
Hijack a Kubernetes Cluster – a Walkthrough
Nico Meisenzahl • Senior Cloud & DevOps Consultant at white duck • Microsoft MVP, GitLab Hero • Cloud Native, Kubernetes & Azure © white duck GmbH 2022 Phone: +49 8031 230159 0 Email: nico.meisenzahl@whiteduck.de Twitter: @nmeisenzahl LinkedIn: https://www.linkedin.com/in/nicomeisenzahl Blog: https://meisenzahl.org
About this talk • this is not an in-depth security talk • it should make you aware of common attack vectors and how to prevent them • you will see demos on how to hijack a cluster • you will learn how to prevent those with common best practices • one more slide, then we will start hijacking • https://github.com/nmeisenzahl/hijack-kubernetes © white duck GmbH 2022
What we will do © white duck GmbH 2022
Security quick wins through the DevOps cycle © white duck GmbH 2022
Ensure secure application code • automate and enforce code checks • schedule dependency scanning • e.g. Dependabot • enforce Static Application Security Testing (SAST) in PRs • scans your code to identify potential security vulnerabilities • more details: https://owasp.org/www- community/Source_Code_Analysis_Tools © white duck GmbH 2022
Ensure secure application code • automate and enforce code checks • schedule dependency scanning • e.g. Dependabot • enforce Static Application Security Testing (SAST) in PRs • scans your code to identify potential security vulnerabilities • more details: https://owasp.org/www- community/Source_Code_Analysis_Tools © white duck GmbH 2022 Would have shown the possibility of code injection
Build secure container images • build secure/small container images – less is more • do only include required dependencies (no debugging tools!) • use self-contained binaries or “distroless” if possible • https://github.com/GoogleContainerTools/distroless • otherwise, use a small and secure Linux distro • use and enforce SAST for validating your Dockerfiles • scan your container images (on build and regularly) © white duck GmbH 2022
Build secure container images • build secure/small container images – less is more • do only include required dependencies (no debugging tools!) • use self-contained binaries or “distroless” if possible • https://github.com/GoogleContainerTools/distroless • otherwise, use a small and secure Linux distro • use and enforce SAST for validating your Dockerfiles • scan your container images (on build and regularly) © white duck GmbH 2022 Would have made it much harder to hijack the container and further expend
Ensure secure deployment code • as important as secure application code and Dockerfiles • validate your deployment manifests using SAST • and enforce them via PRs • can help you to implement best practices like denying • containers running as root • mounting hostPath • … © white duck GmbH 2022
Ensure secure deployment code • as important as secure application code and Dockerfiles • validate your deployment manifests using SAST • and enforce them via PRs • can help you to implement best practices like denying • containers running as root • mounting hostPath • … © white duck GmbH 2022 Would have made it much harder to hijack the node
SAST Tooling • Source code • https://codeql.github.com • https://security-code-scan.github.io • https://securego.io • Kubernetes manifests • https://kubesec.io • https://github.com/aquasecurity/trivy • Dockerfiles • https://github.com/aquasecurity/trivy • Terraform • https://github.com/tfsec/tfsec • https://github.com/aquasecurity/trivy © white duck GmbH 2022
Kubernetes policies • enforce compliance and governance within clusters • verifying manifests is not enough! • examples include enforcement of • read-only filesystems • denying hostPath mounts • denying containers running as root • … © white duck GmbH 2022
Kubernetes policies • enforce compliance and governance within clusters • verifying manifests is not enough! • examples include enforcement of • read-only filesystems • denying hostPath mounts • denying containers running as root • … © white duck GmbH 2022 Would have made it much harder to further hijack the nodes and cloud resources
Kubernetes policy Tooling • Open Policy Agent Gatekeeper • https://github.com/open-policy-agent/gatekeeper • Kyverno • https://kyverno.io • Azure Policies • based on Open Policy Agent Gatekeeper • https://docs.microsoft.com/azure/aks/use-azure-policy © white duck GmbH 2022
Network Policies • granular deny or explicitly allow between containers and ingress/egress of the cluster • limit egress access to the internet • limit access between applications/namespaces • deny access to the Cloud provider metadata service • https://kubernetes.io/docs/concepts/services- networking/network-policies © white duck GmbH 2022
Network Policies • granular deny or explicitly allow between containers and ingress/egress of the cluster • limit egress access to the internet • limit access between applications/namespaces • deny access to the Cloud provider metadata service • https://kubernetes.io/docs/concepts/services- networking/network-policies © white duck GmbH 2022 Would have denied network connections (reverse shell, Redis, Internet, metadata service)
Container Runtime Security • helps to detect malicious threads and workloads • untrusted process within container • a shell is running inside a container • container process mounting a sensitive path • a process making outbound network connections • container runtime security tools like Falco can help • https://github.com/falcosecurity/falco © white duck GmbH 2022
Container Runtime Security • helps to detect malicious threads and workloads • untrusted process within container • a shell is running inside a container • container process mounting a sensitive path • a process making outbound network connections • container runtime security tools like Falco can help • https://github.com/falcosecurity/falco © white duck GmbH 2022 Would have detect all our “work” within the containers
Further best practises • do not • share service accounts between applications • enable higher access levels for the default service account if not required • mount service account token if not required • https://kubernetes.io/docs/tasks/configure-pod-container/configure-service- account/#use-the-default-service-account-to-access-the-api-server • review all third-party snippets before applying them • implement a Web Application Firewall (WAF) to further secure your application © white duck GmbH 2022
Further best practises • do not • share service accounts between applications • enable higher access levels for the default service account if not required • mount service account token if not required • https://kubernetes.io/docs/tasks/configure-pod-container/configure-service- account/#use-the-default-service-account-to-access-the-api-server • review all third-party snippets before applying them • implement a Web Application Firewall (WAF) to further secure your application © white duck GmbH 2022 Wouldn’t have allowed us to talk to the API server Would have denied our code injection
Questions? • Slides: https://www.slideshare.net/nmeisenzahl • Demo: https://github.com/nmeisenzahl/hijack-kubernetes © white duck GmbH 2022 Phone: +49 8031 230159 0 Email: nico.meisenzahl@whiteduck.de Twitter: @nmeisenzahl LinkedIn: https://www.linkedin.com/in/nicomeisenzahl Blog: https://meisenzahl.org

More Related Content

PDF
EVE Microservices Platform
Alaa Qutaish
 
PDF
Neues aus dem Docker-Universum
Nicholas Dille
 
PDF
Virtual GitLab Meetup: How Containerized Pipelines and Kubernetes Can Boost Y...
Nico Meisenzahl
 
PDF
Azure Zürich User Group: Azure Kubernetes Service – more than just a managed ...
Nico Meisenzahl
 
PDF
DevOpsCon Berlin: Helm vs Operators – Do I Need to Decide?
Nico Meisenzahl
 
PPTX
FestiveTechCalendar2021 - Have Yourself An​ Azure Container Registry
Philip Welz
 
PDF
Enhance Your Kubernetes CI/CD Pipelines With GitLab & Open Source
Nico Meisenzahl
 
PDF
Docker Rosenheim Meetup: Policy & Governance for Kubernetes
Nico Meisenzahl
 
EVE Microservices Platform
Alaa Qutaish
 
Neues aus dem Docker-Universum
Nicholas Dille
 
Virtual GitLab Meetup: How Containerized Pipelines and Kubernetes Can Boost Y...
Nico Meisenzahl
 
Azure Zürich User Group: Azure Kubernetes Service – more than just a managed ...
Nico Meisenzahl
 
DevOpsCon Berlin: Helm vs Operators – Do I Need to Decide?
Nico Meisenzahl
 
FestiveTechCalendar2021 - Have Yourself An​ Azure Container Registry
Philip Welz
 
Enhance Your Kubernetes CI/CD Pipelines With GitLab & Open Source
Nico Meisenzahl
 
Docker Rosenheim Meetup: Policy & Governance for Kubernetes
Nico Meisenzahl
 

What's hot (20)

PDF
Global Azure Bootcamp: Container, Docker & Kubernetes Basics
Nico Meisenzahl
 
PPTX
Securing your Cloud Environment v2
ShapeBlue
 
PDF
Web Application Firewall - Friend of your DevOps Chain?
Franziska Buehler
 
PPTX
Kube Apps in action
Karthik Gaekwad
 
PDF
Mihai Criveti - PyCon Ireland - Automate Everything
Mihai Criveti
 
PDF
Jenkins in the real world - DevOpsCon 2017
Gianluca Arbezzano
 
PDF
Introduction to Kubernetes Security (Aqua & Weaveworks)
Weaveworks
 
PPTX
Kubernetes Security
Karthik Gaekwad
 
PDF
ThoughtWorks Technology Radar Roadshow - Brisbane
Thoughtworks
 
PDF
Kubernetes security and you
Karthik Gaekwad
 
PPTX
Microservices and Container Management with NGINX Plus and Mesosphere DC/OS
NGINX, Inc.
 
PPTX
KubeSecOps
Karthik Gaekwad
 
PDF
Rebuilding Legacy Apps with Domain-Driven Design - Lessons learned
Kacper Gunia
 
PPTX
Monitoring mayhem - Using Prometheus
Brian Christner
 
PDF
Cloud native development without the toil
Ambassador Labs
 
PPTX
Continuous delivery applied (RJUG)
Mike McGarr
 
PDF
LJC 4/21"Easy Debugging of Java Microservices Running on Kubernetes with Tele...
Daniel Bryant
 
PDF
Dockers zero to hero
Nicolas De Loof
 
PPTX
AzDevCom2021 - Bicep vs Terraform
Philip Welz
 
PDF
KUBERNETES AS A FRAMEWORK FOR WRITING DEVOPS & MICROSERVICES TOOLING
CodeOps Technologies LLP
 
Global Azure Bootcamp: Container, Docker & Kubernetes Basics
Nico Meisenzahl
 
Securing your Cloud Environment v2
ShapeBlue
 
Web Application Firewall - Friend of your DevOps Chain?
Franziska Buehler
 
Kube Apps in action
Karthik Gaekwad
 
Mihai Criveti - PyCon Ireland - Automate Everything
Mihai Criveti
 
Jenkins in the real world - DevOpsCon 2017
Gianluca Arbezzano
 
Introduction to Kubernetes Security (Aqua & Weaveworks)
Weaveworks
 
Kubernetes Security
Karthik Gaekwad
 
ThoughtWorks Technology Radar Roadshow - Brisbane
Thoughtworks
 
Kubernetes security and you
Karthik Gaekwad
 
Microservices and Container Management with NGINX Plus and Mesosphere DC/OS
NGINX, Inc.
 
KubeSecOps
Karthik Gaekwad
 
Rebuilding Legacy Apps with Domain-Driven Design - Lessons learned
Kacper Gunia
 
Monitoring mayhem - Using Prometheus
Brian Christner
 
Cloud native development without the toil
Ambassador Labs
 
Continuous delivery applied (RJUG)
Mike McGarr
 
LJC 4/21"Easy Debugging of Java Microservices Running on Kubernetes with Tele...
Daniel Bryant
 
Dockers zero to hero
Nicolas De Loof
 
AzDevCom2021 - Bicep vs Terraform
Philip Welz
 
KUBERNETES AS A FRAMEWORK FOR WRITING DEVOPS & MICROSERVICES TOOLING
CodeOps Technologies LLP
 
Ad

Similar to Hijack a Kubernetes Cluster - a Walkthrough (20)

PPTX
Hijack a Kubernetes Cluster - a Walkthrough
Nico Meisenzahl
 
PDF
Container Days: Hijack a Kubernetes Cluster - a Walkthrough
Nico Meisenzahl
 
PDF
ContainerConf 2022: Hijack Kubernetes
Nico Meisenzahl
 
PDF
KCD Munich 2022: How to Prevent Your Kubernetes Cluster From Being Hacked
Nico Meisenzahl
 
PDF
How to Prevent Your Kubernetes Cluster From Being Hacked
Nico Meisenzahl
 
PDF
Microsoft DevOps Forum 2021 – DevOps & Security
Nico Meisenzahl
 
PDF
KCD Munich 2022: Hijack a Kubernetes Cluster - a Walkthrough
Nico Meisenzahl
 
PPTX
Kubernetes and container security
Volodymyr Shynkar
 
PDF
Container Day Security: How to Prevent Your Kubernetes Cluster From Being Hacked
Nico Meisenzahl
 
PDF
How to Prevent Your Kubernetes Cluster From Being Hacked by Nico Meisenzahl
ContainerDay Security 2023
 
PDF
How to Prevent Your Kubernetes Cluster From Being Hacked by Nico Meisenzahl
ContainerDay Security 2023
 
PDF
GitLab Remote Meetup: Enhance Your Kubernetes CI/CD Pipelines with GitLab & O...
Cloud Native Rosenheim Meetup
 
PDF
GitLab Remote Meetup: Enhance Your Kubernetes CI/CD Pipelines with GitLab & ...
Nico Meisenzahl
 
PDF
ContainerConf 2022: Kubernetes is awesome - but...
Nico Meisenzahl
 
PDF
Secure Your Code Implement DevSecOps in Azure
kloia
 
PDF
GitLab London Meetup: How Containerized Pipelines and Kubernetes Can Boost Yo...
Nico Meisenzahl
 
PDF
DevOpsCon London: How containerized Pipelines can boost your CI/CD
Nico Meisenzahl
 
PDF
Effiziente CI/CD-Pipelines – mit den richtigen Tools klappt das
Nico Meisenzahl
 
PDF
GitHub Actions 101
Nico Meisenzahl
 
PDF
Cloud Love Conference: Kubernetes is awesome, but...
Nico Meisenzahl
 
Hijack a Kubernetes Cluster - a Walkthrough
Nico Meisenzahl
 
Container Days: Hijack a Kubernetes Cluster - a Walkthrough
Nico Meisenzahl
 
ContainerConf 2022: Hijack Kubernetes
Nico Meisenzahl
 
KCD Munich 2022: How to Prevent Your Kubernetes Cluster From Being Hacked
Nico Meisenzahl
 
How to Prevent Your Kubernetes Cluster From Being Hacked
Nico Meisenzahl
 
Microsoft DevOps Forum 2021 – DevOps & Security
Nico Meisenzahl
 
KCD Munich 2022: Hijack a Kubernetes Cluster - a Walkthrough
Nico Meisenzahl
 
Kubernetes and container security
Volodymyr Shynkar
 
Container Day Security: How to Prevent Your Kubernetes Cluster From Being Hacked
Nico Meisenzahl
 
How to Prevent Your Kubernetes Cluster From Being Hacked by Nico Meisenzahl
ContainerDay Security 2023
 
How to Prevent Your Kubernetes Cluster From Being Hacked by Nico Meisenzahl
ContainerDay Security 2023
 
GitLab Remote Meetup: Enhance Your Kubernetes CI/CD Pipelines with GitLab & O...
Cloud Native Rosenheim Meetup
 
GitLab Remote Meetup: Enhance Your Kubernetes CI/CD Pipelines with GitLab & ...
Nico Meisenzahl
 
ContainerConf 2022: Kubernetes is awesome - but...
Nico Meisenzahl
 
Secure Your Code Implement DevSecOps in Azure
kloia
 
GitLab London Meetup: How Containerized Pipelines and Kubernetes Can Boost Yo...
Nico Meisenzahl
 
DevOpsCon London: How containerized Pipelines can boost your CI/CD
Nico Meisenzahl
 
Effiziente CI/CD-Pipelines – mit den richtigen Tools klappt das
Nico Meisenzahl
 
GitHub Actions 101
Nico Meisenzahl
 
Cloud Love Conference: Kubernetes is awesome, but...
Nico Meisenzahl
 
Ad

More from Nico Meisenzahl (15)

PDF
Cloud-Native & Sustainability: How and Why to Build Sustainable Workloads
Nico Meisenzahl
 
PDF
Festive Tech Calendar: Festive time with AKS networking
Nico Meisenzahl
 
PDF
azdevcom - Hijack a Kubernetes Cluster
Nico Meisenzahl
 
PDF
Continuous Lifecycle: Enhance Your Compliance and Governance With Policy-Base...
Nico Meisenzahl
 
PDF
Continuous Lifecycle: Hijack Kubernetes
Nico Meisenzahl
 
PDF
Hijack a Kubernetes Cluster - a Walkthrough
Nico Meisenzahl
 
PDF
GitLab Commit: Enhance your Compliance with Policy-Based CI/CD
Nico Meisenzahl
 
PDF
Azure Meetup Hamburg: Production-Ready Terraform Deployments on Azure
Nico Meisenzahl
 
PDF
GitLab Commit DevOps: How GitLab Can Save your Kubernetes environment from Be...
Nico Meisenzahl
 
PDF
Azure Rosenheim Meetup: Azure Service Operator
Nico Meisenzahl
 
PDF
Azure Saturday Hamburg: Containerize Your .NET Microservice - the Right Way!
Nico Meisenzahl
 
PDF
Cloud Native Day: Cloud-native Anwendungsentwicklung im Jahr 2021
Nico Meisenzahl
 
PDF
Die Evolution von Container Image Builds
Nico Meisenzahl
 
PDF
Azure Service Operator - Provision Your Resources in a Cloud-Native Way
Nico Meisenzahl
 
PDF
GitLab Commit: Your Attackers Won't Be Happy! How GitLab Can Help You Secure ...
Nico Meisenzahl
 
Cloud-Native & Sustainability: How and Why to Build Sustainable Workloads
Nico Meisenzahl
 
Festive Tech Calendar: Festive time with AKS networking
Nico Meisenzahl
 
azdevcom - Hijack a Kubernetes Cluster
Nico Meisenzahl
 
Continuous Lifecycle: Enhance Your Compliance and Governance With Policy-Base...
Nico Meisenzahl
 
Continuous Lifecycle: Hijack Kubernetes
Nico Meisenzahl
 
Hijack a Kubernetes Cluster - a Walkthrough
Nico Meisenzahl
 
GitLab Commit: Enhance your Compliance with Policy-Based CI/CD
Nico Meisenzahl
 
Azure Meetup Hamburg: Production-Ready Terraform Deployments on Azure
Nico Meisenzahl
 
GitLab Commit DevOps: How GitLab Can Save your Kubernetes environment from Be...
Nico Meisenzahl
 
Azure Rosenheim Meetup: Azure Service Operator
Nico Meisenzahl
 
Azure Saturday Hamburg: Containerize Your .NET Microservice - the Right Way!
Nico Meisenzahl
 
Cloud Native Day: Cloud-native Anwendungsentwicklung im Jahr 2021
Nico Meisenzahl
 
Die Evolution von Container Image Builds
Nico Meisenzahl
 
Azure Service Operator - Provision Your Resources in a Cloud-Native Way
Nico Meisenzahl
 
GitLab Commit: Your Attackers Won't Be Happy! How GitLab Can Help You Secure ...
Nico Meisenzahl
 

Recently uploaded (20)

PDF
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
PDF
NewMind AI Monthly Chronicles - July 2025
NewMind AI
 
PDF
Electronic commerce courselecture one. Pdf
OmerMohamed64
 
PPTX
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
PDF
Shreyas Phanse Resume: Experienced Backend Engineer | Java • Spring Boot • Ka...
SHREYAS PHANSE
 
PDF
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
PPTX
PA Analog/Digital System: The Backbone of Modern Surveillance and Communication
AVTRON Technologies LLC
 
PDF
CIFDAQ's Market Insight: SEC Turns Pro Crypto
CIFDAQ
 
PDF
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 
PPTX
20250228 LYD VKU AI Blended-Learning.pptx
DatVoNgoc
 
PDF
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
Safe Software
 
PDF
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
PDF
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 
PDF
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 
PPTX
Understanding_Digital_Forensics_Presentation.pptx
ImranKhan423233
 
PDF
NewMind AI Weekly Chronicles - August'25 Week I
NewMind AI
 
PDF
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
PPTX
Detection-First SIEM: Rule Types, Dashboards, and Threat-Informed Strategy
ReZa AdineH
 
PDF
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
PDF
Bridging biosciences and deep learning for revolutionary discoveries: a compr...
IAESIJAI
 
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
NewMind AI Monthly Chronicles - July 2025
NewMind AI
 
Electronic commerce courselecture one. Pdf
OmerMohamed64
 
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
Shreyas Phanse Resume: Experienced Backend Engineer | Java • Spring Boot • Ka...
SHREYAS PHANSE
 
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
PA Analog/Digital System: The Backbone of Modern Surveillance and Communication
AVTRON Technologies LLC
 
CIFDAQ's Market Insight: SEC Turns Pro Crypto
CIFDAQ
 
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 
20250228 LYD VKU AI Blended-Learning.pptx
DatVoNgoc
 
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
Safe Software
 
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 
Understanding_Digital_Forensics_Presentation.pptx
ImranKhan423233
 
NewMind AI Weekly Chronicles - August'25 Week I
NewMind AI
 
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
Detection-First SIEM: Rule Types, Dashboards, and Threat-Informed Strategy
ReZa AdineH
 
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
Bridging biosciences and deep learning for revolutionary discoveries: a compr...
IAESIJAI
 

Hijack a Kubernetes Cluster - a Walkthrough

  • 1. Hijack a Kubernetes Cluster – a Walkthrough
  • 2. Nico Meisenzahl • Senior Cloud & DevOps Consultant at white duck • Microsoft MVP, GitLab Hero • Cloud Native, Kubernetes & Azure © white duck GmbH 2022 Phone: +49 8031 230159 0 Email: nico.meisenzahl@whiteduck.de Twitter: @nmeisenzahl LinkedIn: https://www.linkedin.com/in/nicomeisenzahl Blog: https://meisenzahl.org
  • 3. About this talk • this is not an in-depth security talk • it should make you aware of common attack vectors and how to prevent them • you will see demos on how to hijack a cluster • you will learn how to prevent those with common best practices • one more slide, then we will start hijacking • https://github.com/nmeisenzahl/hijack-kubernetes © white duck GmbH 2022
  • 4. What we will do © white duck GmbH 2022
  • 5. Security quick wins through the DevOps cycle © white duck GmbH 2022
  • 6. Ensure secure application code • automate and enforce code checks • schedule dependency scanning • e.g. Dependabot • enforce Static Application Security Testing (SAST) in PRs • scans your code to identify potential security vulnerabilities • more details: https://owasp.org/www- community/Source_Code_Analysis_Tools © white duck GmbH 2022
  • 7. Ensure secure application code • automate and enforce code checks • schedule dependency scanning • e.g. Dependabot • enforce Static Application Security Testing (SAST) in PRs • scans your code to identify potential security vulnerabilities • more details: https://owasp.org/www- community/Source_Code_Analysis_Tools © white duck GmbH 2022 Would have shown the possibility of code injection
  • 8. Build secure container images • build secure/small container images – less is more • do only include required dependencies (no debugging tools!) • use self-contained binaries or “distroless” if possible • https://github.com/GoogleContainerTools/distroless • otherwise, use a small and secure Linux distro • use and enforce SAST for validating your Dockerfiles • scan your container images (on build and regularly) © white duck GmbH 2022
  • 9. Build secure container images • build secure/small container images – less is more • do only include required dependencies (no debugging tools!) • use self-contained binaries or “distroless” if possible • https://github.com/GoogleContainerTools/distroless • otherwise, use a small and secure Linux distro • use and enforce SAST for validating your Dockerfiles • scan your container images (on build and regularly) © white duck GmbH 2022 Would have made it much harder to hijack the container and further expend
  • 10. Ensure secure deployment code • as important as secure application code and Dockerfiles • validate your deployment manifests using SAST • and enforce them via PRs • can help you to implement best practices like denying • containers running as root • mounting hostPath • … © white duck GmbH 2022
  • 11. Ensure secure deployment code • as important as secure application code and Dockerfiles • validate your deployment manifests using SAST • and enforce them via PRs • can help you to implement best practices like denying • containers running as root • mounting hostPath • … © white duck GmbH 2022 Would have made it much harder to hijack the node
  • 12. SAST Tooling • Source code • https://codeql.github.com • https://security-code-scan.github.io • https://securego.io • Kubernetes manifests • https://kubesec.io • https://github.com/aquasecurity/trivy • Dockerfiles • https://github.com/aquasecurity/trivy • Terraform • https://github.com/tfsec/tfsec • https://github.com/aquasecurity/trivy © white duck GmbH 2022
  • 13. Kubernetes policies • enforce compliance and governance within clusters • verifying manifests is not enough! • examples include enforcement of • read-only filesystems • denying hostPath mounts • denying containers running as root • … © white duck GmbH 2022
  • 14. Kubernetes policies • enforce compliance and governance within clusters • verifying manifests is not enough! • examples include enforcement of • read-only filesystems • denying hostPath mounts • denying containers running as root • … © white duck GmbH 2022 Would have made it much harder to further hijack the nodes and cloud resources
  • 15. Kubernetes policy Tooling • Open Policy Agent Gatekeeper • https://github.com/open-policy-agent/gatekeeper • Kyverno • https://kyverno.io • Azure Policies • based on Open Policy Agent Gatekeeper • https://docs.microsoft.com/azure/aks/use-azure-policy © white duck GmbH 2022
  • 16. Network Policies • granular deny or explicitly allow between containers and ingress/egress of the cluster • limit egress access to the internet • limit access between applications/namespaces • deny access to the Cloud provider metadata service • https://kubernetes.io/docs/concepts/services- networking/network-policies © white duck GmbH 2022
  • 17. Network Policies • granular deny or explicitly allow between containers and ingress/egress of the cluster • limit egress access to the internet • limit access between applications/namespaces • deny access to the Cloud provider metadata service • https://kubernetes.io/docs/concepts/services- networking/network-policies © white duck GmbH 2022 Would have denied network connections (reverse shell, Redis, Internet, metadata service)
  • 18. Container Runtime Security • helps to detect malicious threads and workloads • untrusted process within container • a shell is running inside a container • container process mounting a sensitive path • a process making outbound network connections • container runtime security tools like Falco can help • https://github.com/falcosecurity/falco © white duck GmbH 2022
  • 19. Container Runtime Security • helps to detect malicious threads and workloads • untrusted process within container • a shell is running inside a container • container process mounting a sensitive path • a process making outbound network connections • container runtime security tools like Falco can help • https://github.com/falcosecurity/falco © white duck GmbH 2022 Would have detect all our “work” within the containers
  • 20. Further best practises • do not • share service accounts between applications • enable higher access levels for the default service account if not required • mount service account token if not required • https://kubernetes.io/docs/tasks/configure-pod-container/configure-service- account/#use-the-default-service-account-to-access-the-api-server • review all third-party snippets before applying them • implement a Web Application Firewall (WAF) to further secure your application © white duck GmbH 2022
  • 21. Further best practises • do not • share service accounts between applications • enable higher access levels for the default service account if not required • mount service account token if not required • https://kubernetes.io/docs/tasks/configure-pod-container/configure-service- account/#use-the-default-service-account-to-access-the-api-server • review all third-party snippets before applying them • implement a Web Application Firewall (WAF) to further secure your application © white duck GmbH 2022 Wouldn’t have allowed us to talk to the API server Would have denied our code injection
  • 22. Questions? • Slides: https://www.slideshare.net/nmeisenzahl • Demo: https://github.com/nmeisenzahl/hijack-kubernetes © white duck GmbH 2022 Phone: +49 8031 230159 0 Email: nico.meisenzahl@whiteduck.de Twitter: @nmeisenzahl LinkedIn: https://www.linkedin.com/in/nicomeisenzahl Blog: https://meisenzahl.org