KCD Indonesia 2024 - Letting Hacker Into Your Kubernetes Cluster

Letting Hackers
Into Your
Kubernetes Cluster
Muhammad Yuga Nugraha
Sr. DevSecOps Engineer
AT Practical DevSecOps

KUBERNETES COMMUNITY DAYS INDONESIA 2024 2
• YAML engineer
• Infrastructure engineer focused on product security (mostly cloud)
• Co-author of product security certifications (CDP, CCSE, CCNSE, CSSE)
• Speaker at: PyCon APAC 2024, AWS Community Day Indonesia 2024
• CCSKv4, eJPT, CKA & CKS (has already expired 😆 )
Who Am I?

Agenda
Introduction
How to Get Hacked
Demo
Lessons Learned

KUBERNETES COMMUNITY DAYS INDONESIA 2024
Introduction
Discover the fundamentals of the Cloud
Native ecosystem
4

“An approach to building applications using cloud-based models”
“An approach that uses technologies such as containers,
Kubernetes, immutable infrastructure, and microservices to develop
scalable applications”
What is Cloud Native

30
Do we need to remember the entire Cloud
Native technology stack?

Kubernetes is the one and only platform we love

Kubernetes Architecture
9

Managed Kubernetes
10

Google Kubernetes Engine
11

DigitalOcean
12

Self-Managed Kubernetes
13

kubeadm
14

Kubernetes-free???
15

30
Which one do you think is better?

The 4C’s of Kubernetes Security
17

It always starts with the application/code
18

How to Get Hacked
Make our cluster vulnerable to attacker 😈
19

Didn’t {care} about security
20

In{secure} configuration by default
21

Scenario: Compromised pod
• Initial Access
• The application is vulnerable
• Execution
• The attacker gained access inside the pod
• Privilege Escalation
• Pod is running with the securityContext.privileged
mode set to true
• Pod escape to node and take over the cluster

Use un{trusted} container image
24

Scenario: Compromised container registry
• Initial Access
• Container registry is compromised
• Persistence
• Container image being backdoor by attacker
• Discovery
• Backdoor container performing scanning for known
vulnerabilities

Give full access to the user
28

👨💻 (Developer) : “I want to test something within the cluster”
👨💻 (DevOps/SRE) : “Here's your access. I've set you up with full access so
you can just play around and run your tests without bothering me”
Dilemma

Asterisk (*) is the way 😎

Scenario: Permissive RBAC
• Initial Access
• kubeconfig file is exposed and has cluster admin access.
• Persistence
• Privilege Escalation
• …….
• Impact
• Take over a cluster

Guess, what’s wrong?

What can pod/exec do?
• Execution
• Access into the pod
• Lateral Movement
• Use the service account to talk with Kubernetes API
• Privilege Escalation??

How about this?

Allow all images to be pulled
36

Do not use NetworkPolicy
37

Without NetworkPolicy

With NetworkPolicy

Threat Matrix for Kubernetes

OWASP Kubernetes Top 10

Have you heard this term before?
44

Advanced Persistent Threat (APT)

30
“Is a sophisticated, sustained cyberattack where an intruder establishes an
undetected presence in a network to steal sensitive data over a prolonged
period. In short, it's a cyberattack targeting a specific organization.”

It doesn’t stop here, many more ……
48

Business loss 💰
Securing has become complex 😵💫
Hiring has become hard 🤦
New division? 🛡
Challenges???

30
“Securing a system is challenging, while making a system
vulnerable is easy”

Demo
A scenario in which an attacker can take
over the cluster 💥
51

NetSpy Solutions has a product named LookDNS. The team at NetSpy comprises
of 4 members- a founder, two sales and marketing personnel, and one engineer.
It’s interesting to note that it's solely this one engineer who is responsible for
building and deploying the product on Kubernetes. Named Michael, this
engineer, however, is not aware of security.
A Short Story

It’s Showtime!!! 🎬
55

Workflow

Obfuscated Shell Script

What does this good evil script do?

Download kubectl and configure the
context

Generate SSH keys

Create Kubernetes Job

Pod Naming

Job Naming

It doesn’t looks malicious 😏

Sounds legit!!!
66

Are there any differences when deploying in the
cloud?
67

Cloud Instance Metadata Attack ⚔
68

Lesson Learned
What are the key takeaways?
69

• Engineer must be aware of security
• Understand security framework (OWASP, NIST, etc)
• Adopt shift-left in the SDLC
• Hire a dedicated person (👮 )
• The Principle Of Least Privilege (POLP) is a must!
• Do not trust outsourced applications (always check & verify)
• Automation is the key
In General

• Threat Modeling
• Securing the supply chain (package)
• Runtime Security
• Security Monitoring
• Compliance
• …
Etc

Thanks to Cloud Native Ecosystem!

• Keep Hackers Out of Your Cluster with These 5 Simple Tricks -
Christophe Tafani-Dereeper & Frederic Beguiler
• Hacking & Defending Kubernetes Clusters: We'll Do It LIVE!! - Fabian
Kammel & James Cleverley-Prance
• Threat Modelling Kubernetes: A Lightspeed Introduction - Lewis
Denham-Parry, Control Plane
• Kubernetes Supply Chain Security: The Software Factory - Andrew
Martin, Control Plane
• ………
A good talk must be watched

THANK
YOU
74

KCD Indonesia 2024 - Letting Hacker Into Your Kubernetes Cluster

More Related Content

Similar to KCD Indonesia 2024 - Letting Hacker Into Your Kubernetes Cluster (20)

Recently uploaded (20)

KCD Indonesia 2024 - Letting Hacker Into Your Kubernetes Cluster