SlideShare a Scribd company logo

KubeCon NA 2022 - Hardening against Kubernetes Hacks.pdf

E
Eric Smalling

The document summarizes how an attacker could exploit vulnerabilities and misconfigurations in a Kubernetes cluster to gain admin privileges. It outlines how an initial application vulnerability allows remote code execution in a container. The attacker then uses overly permissive roles and lack of security controls like read-only filesystems, pod security policies, and network policies to escalate privileges from the pod to cluster admin. Proper use of admission controls, network policies, explicit permissions and configuration, and scanning tools could help prevent this exploitation.

Technology
1 of 31
Downloaded 11 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
Hardening against Kubernetes Hacks Eric Smalling Senior Developer Advocate @ Snyk @ericsmalling
Eric Smalling ● Senior Developer Advocate @ Snyk ● Based in Dallas/Fort Worth, Texas ● 20+ years enterprise software development ● 10+ years build/test/deploy automation (CI/CD) ● Docker user since 2013 (v0.6) ● 2018 Jenkins Ambassador ● Docker Captain ● CKA, CKAD & CKS Certified @ericsmalling https://github.com/snyk-labs/kubernetes-goof
https://github.com/snyk-labs/kubernetes-goof
Exploit = App Vulns + Misconfiguration https://github.com/snyk-labs/kubernetes-goof
What do we know ? 80 https://github.com/snyk-labs/kubernetes-goof
Timeline of Doom Time Scope Initial Exploit App Vuln Allows RCE in container https://github.com/snyk-labs/kubernetes-goof
What do we know ? 80 Internal IP 5000 https://github.com/snyk-labs/kubernetes-goof
What do we know ? 80 Internal IP IP Address 5000 https://github.com/snyk-labs/kubernetes-goof
Timeline of Doom Time Scope Initial Exploit App Vuln Allows RCE in container Credentials Pod Token Available inside pod https://github.com/snyk-labs/kubernetes-goof
What do we know ? 80 Internal IP IP Address 5000 External IP https://github.com/snyk-labs/kubernetes-goof
Timeline of Doom Time Scope Initial Exploit App Vuln Allows RCE in container Credentials Pod Token Available inside pod Permissions Pod Token Allows access to endpoints API https://github.com/snyk-labs/kubernetes-goof
What do we know ? 80 Internal IP External IP 5000 https://github.com/snyk-labs/kubernetes-goof
What do we know ? 80 Internal IP External IP Default Secure IP Address 5000 https://github.com/snyk-labs/kubernetes-goof
confidential apiVersion: v1 kind: ServiceAccount metadata: name: insecure --- apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: allow_pod_read rules: - apiGroups: - '*' resources: - '*' verbs: ["create", "get", "watch", "list", "patch", "delete", "deletecollection", "update"] --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: allow_pod_read_bind roleRef: apiGroup: rbac.authorization.k8s.io kind: Role name: allow_pod_read subjects: - kind: ServiceAccount name: insecure ● Allows service account too many permissions ● Likely bound to the ‘secure’ namespace ○ No permissions in the default namespace Insecure Role https://github.com/snyk-labs/kubernetes-goof
Timeline of Doom Time Scope Initial Exploit App Vuln Allows RCE in container Roles Role Gives service account too many permissions in namespace Permissions Pod Token Allows access to endpoints API Credentials Pod Token Available inside pod https://github.com/snyk-labs/kubernetes-goof
apiVersion: v1 kind: Pod # ... metadata: annotations: seccomp.security.alpha.kubernetes.io/pod: runtime/default spec: containers: - name: readonlyroot securityContext: readOnlyRootFilesystem: true ● Allows an attacker to modify the container ○ Download software ○ Change configuration ● Configure securityContext ○ readOnlyRootFilesystem: true Read Write Filesystem https://github.com/snyk-labs/kubernetes-goof
What do we know ? 80 Internal IP External IP IP Address Secure Default 5000 https://github.com/snyk-labs/kubernetes-goof
confidential spec: privileged: false # Required to prevent escalations to root. # allowPrivilegeEscalation: false # This is redundant with non-root + disallow privilege escalation, # but we can provide it for defense in depth. volumes: - '*' runAsUser: # Require the container to run without root privileges. rule: 'MustRunAsNonRoot' seLinux: # This policy assumes the nodes are using AppArmor rather than SELinux. rule: 'RunAsAny' supplementalGroups: rule: 'MustRunAs' ranges: # Forbid adding the root group. - min: 1 max: 65535 fsGroup: rule: 'MustRunAs' ranges: # Forbid adding the root group. - min: 1 max: 65535 ● Allows service account too many permissions ● Likely bound to the ‘secure’ namespace ○ No permissions in the default namespace ● allowPrivilegeEscalation is NOT redundant Pod Security Policy https://github.com/snyk-labs/kubernetes-goof
Timeline of Doom Time Scope Initial Exploit App Vuln Allows RCE in container Roles Role Gives service account too many permissions in namespace Credentials Pod Token Available inside pod Permissions Pod Token Allows access to endpoints API Permissions PSP Did not disallow privilege escalation https://github.com/snyk-labs/kubernetes-goof
What do we know ? 80 Internal IP External IP 5000 Default Secure IP Address IP Address 8080 https://github.com/snyk-labs/kubernetes-goof
Timeline of Doom Time Scope Initial Exploit App Vuln Allows RCE in container Roles Role Gives service account too many permissions in namespace Credentials Pod Token Available inside pod Permissions Pod Token Allows access to endpoints API Policy Network No network controls in place Permissions PSP Did not disallow privilege escalation https://github.com/snyk-labs/kubernetes-goof
What do we know ? 80 Internal IP External IP 5000 Default Secure IP Address IP Address 5001 8080 https://github.com/snyk-labs/kubernetes-goof
What do we know ? 80 Internal IP External IP 5000 Default Secure IP Address IP Address 8080 https://github.com/snyk-labs/kubernetes-goof
What do we know ? 80 Internal IP External IP 5000 Default Secure IP Address IP Address 8080 PRIVILEGED HOST https://github.com/snyk-labs/kubernetes-goof
Timeline of Doom Time Scope Initial Exploit App Vuln Allows RCE in container Roles Role Gives service account too many permissions in namespace Credentials Pod Token Available inside pod Permissions Pod Token Allows access to endpoints API Permissions PSP Did not disallow privilege escalation Policy Network No network controls in place Permissions PSP No restrictions in default ns https://github.com/snyk-labs/kubernetes-goof
What do we know ? 5000 5000 Default Secure IP Address IP Address 8080 PRIVILEGED Kube-System HOST https://github.com/snyk-labs/kubernetes-goof
What do we know ? 80 5000 Default Secure IP Address IP Address 8080 PRIVILEGED Kube-System HOST https://github.com/snyk-labs/kubernetes-goof
Timeline of Doom Time Scope Initial Exploit App Vuln Allows RCE in container Roles Role Gives service account too many permissions in namespace Credentials Pod Token Available inside pod Permissions Pod Token Allows access to endpoints API Permissions PSP Did not disallow privilege escalation Policy Network No network controls in place Permissions PSP No restrictions in default ns Game Over Cluster Cluster admin rights gained https://github.com/snyk-labs/kubernetes-goof
KubeCon NA 2022 - Hardening against Kubernetes Hacks.pdf
confidential ● Scan your application code ● Scan your container images ● Scan your Kubernetes YAML ● Don’t trust defaults / Be explicit ● Use Network Policies ● Use Admission Controls How could we have prevented this ?
With thanks and props to : Mark Manning ( @antitree ), Ian Coldwater ( @iancoldwater ), Duffie Cooley ( @mauilion ) , Rory McCune ( @raesene ) K8s SIG-Security, CNCF TAG-Security, OpenSSF, and many others in the Kubernetes Security community @ericsmalling

More Related Content

PDF
SCaLE 19x - Eric Smalling - Hardening against Kubernetes Hacks
Eric Smalling
 
PDF
DevOpsDays Chicago 2022 - Hands-on hacking containers and ways to prevent it
Eric Smalling
 
PDF
Kubernetes 101 for_penetration_testers_-_null_mumbai
n|u - The Open Security Community
 
PPTX
Kubernetes and container security
Volodymyr Shynkar
 
PPTX
The State of Kubernetes Security
Jimmy Mesta
 
PDF
Kubernetes - Security Journey
Jerry Jalava
 
PPTX
Secure development on Kubernetes by Andreas Falk
SBA Research
 
PPTX
12 Ways Not to get 'Hacked' your Kubernetes Cluster
Suman Chakraborty
 
SCaLE 19x - Eric Smalling - Hardening against Kubernetes Hacks
Eric Smalling
 
DevOpsDays Chicago 2022 - Hands-on hacking containers and ways to prevent it
Eric Smalling
 
Kubernetes 101 for_penetration_testers_-_null_mumbai
n|u - The Open Security Community
 
Kubernetes and container security
Volodymyr Shynkar
 
The State of Kubernetes Security
Jimmy Mesta
 
Kubernetes - Security Journey
Jerry Jalava
 
Secure development on Kubernetes by Andreas Falk
SBA Research
 
12 Ways Not to get 'Hacked' your Kubernetes Cluster
Suman Chakraborty
 

Similar to KubeCon NA 2022 - Hardening against Kubernetes Hacks.pdf (20)

PDF
CloudNativeTurkey - Lines of Defence.pdf
Koray Oksay
 
PDF
Control Plane: Continuous Kubernetes Security (DevSecOps - London Gathering, ...
Michael Man
 
PPTX
Three Years of Lessons Running Potentially Malicious Code Inside Containers
Ben Hall
 
PDF
DockerCon 2023 - Live Demo_Hardening Against Kubernetes Hacks.pdf
Eric Smalling
 
PDF
Lines of Defense - Securing your Kubernetes Clusters by Koray Oksay
ContainerDay Security 2023
 
PDF
Hardening Kubernetes by Securing Pods
Suraj Deshmukh
 
PPTX
Kubernetes Security Act Now Before It’s Too Late
Michael Furman
 
PPTX
Security best practices for kubernetes deployment
Aqua Security
 
PPTX
Security best practices for kubernetes deployment
Michael Cherny
 
PDF
Securing Containerized Applications: A Primer
Phil Estes
 
PDF
Attacking and Defending Kubernetes - Nithin Jois
OWASP Hacker Thursday
 
PDF
Behind the Code 'September 2022 // by Exness
Maxim Gaponov
 
PDF
Vincent Ruijter - ~Securing~ Attacking Kubernetes
hacktivity
 
PDF
Who is afraid of privileged containers ?
Marko Bevc
 
PDF
Kubernetes Security Best Practices for DevOps
DevOps.com
 
PDF
DevOpsDaysRiga 2018: Andrew Martin - Continuous Kubernetes Security
DevOpsDays Riga
 
PDF
Kubernetes Summit 2019 - Harden Your Kubernetes Cluster
smalltown
 
PDF
Batten Down the Hatches: A Practical Guide to Securing Kubernetes - RMISC 2019
Lacework
 
PPTX
Kubernetes security
Saiyam Pathak
 
PDF
Defense in Depth: Securing your new Kubernetes cluster from the challenges th...
CloudOps2005
 
CloudNativeTurkey - Lines of Defence.pdf
Koray Oksay
 
Control Plane: Continuous Kubernetes Security (DevSecOps - London Gathering, ...
Michael Man
 
Three Years of Lessons Running Potentially Malicious Code Inside Containers
Ben Hall
 
DockerCon 2023 - Live Demo_Hardening Against Kubernetes Hacks.pdf
Eric Smalling
 
Lines of Defense - Securing your Kubernetes Clusters by Koray Oksay
ContainerDay Security 2023
 
Hardening Kubernetes by Securing Pods
Suraj Deshmukh
 
Kubernetes Security Act Now Before It’s Too Late
Michael Furman
 
Security best practices for kubernetes deployment
Aqua Security
 
Security best practices for kubernetes deployment
Michael Cherny
 
Securing Containerized Applications: A Primer
Phil Estes
 
Attacking and Defending Kubernetes - Nithin Jois
OWASP Hacker Thursday
 
Behind the Code 'September 2022 // by Exness
Maxim Gaponov
 
Vincent Ruijter - ~Securing~ Attacking Kubernetes
hacktivity
 
Who is afraid of privileged containers ?
Marko Bevc
 
Kubernetes Security Best Practices for DevOps
DevOps.com
 
DevOpsDaysRiga 2018: Andrew Martin - Continuous Kubernetes Security
DevOpsDays Riga
 
Kubernetes Summit 2019 - Harden Your Kubernetes Cluster
smalltown
 
Batten Down the Hatches: A Practical Guide to Securing Kubernetes - RMISC 2019
Lacework
 
Kubernetes security
Saiyam Pathak
 
Defense in Depth: Securing your new Kubernetes cluster from the challenges th...
CloudOps2005
 

More from Eric Smalling (17)

PDF
KubeHuddle NA 2023 - Why should devs care about container security - Eric Sma...
Eric Smalling
 
PDF
ATO 2022 - Why should devs care about container security.pdf
Eric Smalling
 
PDF
Look Ma' - Building Java and Go based container images without Dockerfiles
Eric Smalling
 
PDF
Container Stranger Danger - Why should devs care about container security
Eric Smalling
 
PDF
DockerCon 2022 - From legacy to Kubernetes, securely & quickly
Eric Smalling
 
PDF
Python Web Conference 2022 - Why should devs care about container security.pdf
Eric Smalling
 
PDF
Why should developers care about container security?
Eric Smalling
 
PDF
AWS live hack: Docker + Snyk Container on AWS
Eric Smalling
 
PDF
AWS live hack: Atlassian + Snyk OSS on AWS
Eric Smalling
 
PDF
Hacking into your containers, and how to stop it!
Eric Smalling
 
PDF
DevSecCon Lightning 2021- Container defaults are a hackers best friend
Eric Smalling
 
PDF
LFX Nov 16, 2021 - Find vulnerabilities before security knocks on your door
Eric Smalling
 
PDF
So. many. vulnerabilities. Why are containers such a mess and what to do abou...
Eric Smalling
 
PDF
IBM Index 2018 Conference Workshop: Modernizing Traditional Java App's with D...
Eric Smalling
 
PDF
Best Practices for Developing & Deploying Java Applications with Docker
Eric Smalling
 
PDF
Docker 101 Workshop slides (JavaOne 2017)
Eric Smalling
 
PPTX
Simply your Jenkins Projects with Docker Multi-Stage Builds
Eric Smalling
 
KubeHuddle NA 2023 - Why should devs care about container security - Eric Sma...
Eric Smalling
 
ATO 2022 - Why should devs care about container security.pdf
Eric Smalling
 
Look Ma' - Building Java and Go based container images without Dockerfiles
Eric Smalling
 
Container Stranger Danger - Why should devs care about container security
Eric Smalling
 
DockerCon 2022 - From legacy to Kubernetes, securely & quickly
Eric Smalling
 
Python Web Conference 2022 - Why should devs care about container security.pdf
Eric Smalling
 
Why should developers care about container security?
Eric Smalling
 
AWS live hack: Docker + Snyk Container on AWS
Eric Smalling
 
AWS live hack: Atlassian + Snyk OSS on AWS
Eric Smalling
 
Hacking into your containers, and how to stop it!
Eric Smalling
 
DevSecCon Lightning 2021- Container defaults are a hackers best friend
Eric Smalling
 
LFX Nov 16, 2021 - Find vulnerabilities before security knocks on your door
Eric Smalling
 
So. many. vulnerabilities. Why are containers such a mess and what to do abou...
Eric Smalling
 
IBM Index 2018 Conference Workshop: Modernizing Traditional Java App's with D...
Eric Smalling
 
Best Practices for Developing & Deploying Java Applications with Docker
Eric Smalling
 
Docker 101 Workshop slides (JavaOne 2017)
Eric Smalling
 
Simply your Jenkins Projects with Docker Multi-Stage Builds
Eric Smalling
 

Recently uploaded (20)

PDF
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
PDF
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
PPTX
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
PDF
Machine learning based COVID-19 study performance prediction
IAESIJAI
 
PDF
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
PPTX
Detection-First SIEM: Rule Types, Dashboards, and Threat-Informed Strategy
ReZa AdineH
 
PDF
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
PDF
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
PPTX
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
PPT
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
PDF
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
PDF
Approach and Philosophy of On baking technology
30anthuong17
 
PDF
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 
PDF
The Rise and Fall of 3GPP – Time for a Sabbatical?
3G4G
 
PDF
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
PDF
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
PDF
Modernizing your data center with Dell and AMD
Principled Technologies
 
PDF
KodekX | Application Modernization Development
KodekX
 
PDF
Chapter 3 Spatial Domain Image Processing.pdf
Getnet Tigabie Askale -(GM)
 
PDF
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
Machine learning based COVID-19 study performance prediction
IAESIJAI
 
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
Detection-First SIEM: Rule Types, Dashboards, and Threat-Informed Strategy
ReZa AdineH
 
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
Approach and Philosophy of On baking technology
30anthuong17
 
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 
The Rise and Fall of 3GPP – Time for a Sabbatical?
3G4G
 
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
Modernizing your data center with Dell and AMD
Principled Technologies
 
KodekX | Application Modernization Development
KodekX
 
Chapter 3 Spatial Domain Image Processing.pdf
Getnet Tigabie Askale -(GM)
 
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 

KubeCon NA 2022 - Hardening against Kubernetes Hacks.pdf

  • 1. Hardening against Kubernetes Hacks Eric Smalling Senior Developer Advocate @ Snyk @ericsmalling
  • 2. Eric Smalling ● Senior Developer Advocate @ Snyk ● Based in Dallas/Fort Worth, Texas ● 20+ years enterprise software development ● 10+ years build/test/deploy automation (CI/CD) ● Docker user since 2013 (v0.6) ● 2018 Jenkins Ambassador ● Docker Captain ● CKA, CKAD & CKS Certified @ericsmalling https://github.com/snyk-labs/kubernetes-goof
  • 4. Exploit = App Vulns + Misconfiguration https://github.com/snyk-labs/kubernetes-goof
  • 5. What do we know ? 80 https://github.com/snyk-labs/kubernetes-goof
  • 6. Timeline of Doom Time Scope Initial Exploit App Vuln Allows RCE in container https://github.com/snyk-labs/kubernetes-goof
  • 7. What do we know ? 80 Internal IP 5000 https://github.com/snyk-labs/kubernetes-goof
  • 8. What do we know ? 80 Internal IP IP Address 5000 https://github.com/snyk-labs/kubernetes-goof
  • 9. Timeline of Doom Time Scope Initial Exploit App Vuln Allows RCE in container Credentials Pod Token Available inside pod https://github.com/snyk-labs/kubernetes-goof
  • 10. What do we know ? 80 Internal IP IP Address 5000 External IP https://github.com/snyk-labs/kubernetes-goof
  • 11. Timeline of Doom Time Scope Initial Exploit App Vuln Allows RCE in container Credentials Pod Token Available inside pod Permissions Pod Token Allows access to endpoints API https://github.com/snyk-labs/kubernetes-goof
  • 12. What do we know ? 80 Internal IP External IP 5000 https://github.com/snyk-labs/kubernetes-goof
  • 13. What do we know ? 80 Internal IP External IP Default Secure IP Address 5000 https://github.com/snyk-labs/kubernetes-goof
  • 14. confidential apiVersion: v1 kind: ServiceAccount metadata: name: insecure --- apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: allow_pod_read rules: - apiGroups: - '*' resources: - '*' verbs: ["create", "get", "watch", "list", "patch", "delete", "deletecollection", "update"] --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: allow_pod_read_bind roleRef: apiGroup: rbac.authorization.k8s.io kind: Role name: allow_pod_read subjects: - kind: ServiceAccount name: insecure ● Allows service account too many permissions ● Likely bound to the ‘secure’ namespace ○ No permissions in the default namespace Insecure Role https://github.com/snyk-labs/kubernetes-goof
  • 15. Timeline of Doom Time Scope Initial Exploit App Vuln Allows RCE in container Roles Role Gives service account too many permissions in namespace Permissions Pod Token Allows access to endpoints API Credentials Pod Token Available inside pod https://github.com/snyk-labs/kubernetes-goof
  • 16. apiVersion: v1 kind: Pod # ... metadata: annotations: seccomp.security.alpha.kubernetes.io/pod: runtime/default spec: containers: - name: readonlyroot securityContext: readOnlyRootFilesystem: true ● Allows an attacker to modify the container ○ Download software ○ Change configuration ● Configure securityContext ○ readOnlyRootFilesystem: true Read Write Filesystem https://github.com/snyk-labs/kubernetes-goof
  • 17. What do we know ? 80 Internal IP External IP IP Address Secure Default 5000 https://github.com/snyk-labs/kubernetes-goof
  • 18. confidential spec: privileged: false # Required to prevent escalations to root. # allowPrivilegeEscalation: false # This is redundant with non-root + disallow privilege escalation, # but we can provide it for defense in depth. volumes: - '*' runAsUser: # Require the container to run without root privileges. rule: 'MustRunAsNonRoot' seLinux: # This policy assumes the nodes are using AppArmor rather than SELinux. rule: 'RunAsAny' supplementalGroups: rule: 'MustRunAs' ranges: # Forbid adding the root group. - min: 1 max: 65535 fsGroup: rule: 'MustRunAs' ranges: # Forbid adding the root group. - min: 1 max: 65535 ● Allows service account too many permissions ● Likely bound to the ‘secure’ namespace ○ No permissions in the default namespace ● allowPrivilegeEscalation is NOT redundant Pod Security Policy https://github.com/snyk-labs/kubernetes-goof
  • 19. Timeline of Doom Time Scope Initial Exploit App Vuln Allows RCE in container Roles Role Gives service account too many permissions in namespace Credentials Pod Token Available inside pod Permissions Pod Token Allows access to endpoints API Permissions PSP Did not disallow privilege escalation https://github.com/snyk-labs/kubernetes-goof
  • 20. What do we know ? 80 Internal IP External IP 5000 Default Secure IP Address IP Address 8080 https://github.com/snyk-labs/kubernetes-goof
  • 21. Timeline of Doom Time Scope Initial Exploit App Vuln Allows RCE in container Roles Role Gives service account too many permissions in namespace Credentials Pod Token Available inside pod Permissions Pod Token Allows access to endpoints API Policy Network No network controls in place Permissions PSP Did not disallow privilege escalation https://github.com/snyk-labs/kubernetes-goof
  • 22. What do we know ? 80 Internal IP External IP 5000 Default Secure IP Address IP Address 5001 8080 https://github.com/snyk-labs/kubernetes-goof
  • 23. What do we know ? 80 Internal IP External IP 5000 Default Secure IP Address IP Address 8080 https://github.com/snyk-labs/kubernetes-goof
  • 24. What do we know ? 80 Internal IP External IP 5000 Default Secure IP Address IP Address 8080 PRIVILEGED HOST https://github.com/snyk-labs/kubernetes-goof
  • 25. Timeline of Doom Time Scope Initial Exploit App Vuln Allows RCE in container Roles Role Gives service account too many permissions in namespace Credentials Pod Token Available inside pod Permissions Pod Token Allows access to endpoints API Permissions PSP Did not disallow privilege escalation Policy Network No network controls in place Permissions PSP No restrictions in default ns https://github.com/snyk-labs/kubernetes-goof
  • 26. What do we know ? 5000 5000 Default Secure IP Address IP Address 8080 PRIVILEGED Kube-System HOST https://github.com/snyk-labs/kubernetes-goof
  • 27. What do we know ? 80 5000 Default Secure IP Address IP Address 8080 PRIVILEGED Kube-System HOST https://github.com/snyk-labs/kubernetes-goof
  • 28. Timeline of Doom Time Scope Initial Exploit App Vuln Allows RCE in container Roles Role Gives service account too many permissions in namespace Credentials Pod Token Available inside pod Permissions Pod Token Allows access to endpoints API Permissions PSP Did not disallow privilege escalation Policy Network No network controls in place Permissions PSP No restrictions in default ns Game Over Cluster Cluster admin rights gained https://github.com/snyk-labs/kubernetes-goof
  • 30. confidential ● Scan your application code ● Scan your container images ● Scan your Kubernetes YAML ● Don’t trust defaults / Be explicit ● Use Network Policies ● Use Admission Controls How could we have prevented this ?
  • 31. With thanks and props to : Mark Manning ( @antitree ), Ian Coldwater ( @iancoldwater ), Duffie Cooley ( @mauilion ) , Rory McCune ( @raesene ) K8s SIG-Security, CNCF TAG-Security, OpenSSF, and many others in the Kubernetes Security community @ericsmalling