Upgrade to Pro — share decks privately, control downloads, hide ads and more …

DIY Kubernetes Pen Testing

Liz Rice
May 23, 2019
Technology
1
290

DIY Kubernetes Pen Testing

Check for insecure configurations with kube-hunter! This talk shows what kube-hunter is doing and how an attacker might take advantage of insecure configurations in a kubernetes cluster. You can watch a recording of this talk from KubeCon Barcelona here: https://www.youtube.com/watch?v=fVqCAUJiIn0

Liz Rice

May 23, 2019
Tweet

More Decks by Liz Rice

See All by Liz Rice
Unleashing the kernel with eBPF
lizrice
0
130
eBPF's Abilities and Limitations: The Truth
lizrice
0
240
Simplifying multi-cloud and multi-cluster Kubernetes deployments with Cilium
lizrice
0
140
When is a Secure Connection not encrypted? And other stories
lizrice
1
63
Keeping it simple: Cilium Mesh - networking for multi-cloud Kubernetes and beyond
lizrice
1
570
How Many Proxies Do You Need
lizrice
1
120
eBPF for Security Observability
lizrice
0
1.2k
Beginner's Guide to eBPF Programming for Networking
lizrice
1
2.2k
Contributing to Open Source - what's in it for my business?
lizrice
0
43

Other Decks in Technology

See All in Technology
ノーコードデータ分析ツールで体験する時系列データ分析超入門
negi111111
0
410
誰も全体を知らない ~ ロールの垣根を超えて引き上げる開発生産性 / Boosting Development Productivity Across Roles
kakehashi
1
230
AWS Media Services 最新サービスアップデート 2024
eijikominami
0
200
リンクアンドモチベーション ソフトウェアエンジニア向け紹介資料 / Introduction to Link and Motivation for Software Engineers
lmi
4
300k
[CV勉強会@関東 ECCV2024 読み会] オンラインマッピング x トラッキング MapTracker: Tracking with Strided Memory Fusion for Consistent Vector HD Mapping (Chen+, ECCV24)
abemii
0
220
複雑なState管理からの脱却
sansantech
PRO
1
150
rootlessコンテナのすゝめ - 研究室サーバーでもできる安全なコンテナ管理
kitsuya0828
3
380
Why App Signing Matters for Your Android Apps - Android Bangkok Conference 2024
akexorcist
0
130
信頼性に挑む中で拡張できる・得られる1人のスキルセットとは?
ken5scal
2
530
SREによる隣接領域への越境とその先の信頼性
shonansurvivors
2
520
組織成長を加速させるオンボーディングの取り組み
sudoakiy
2
150
OCI Vault 概要
oracle4engineer
PRO
0
9.7k

Featured

See All Featured
Faster Mobile Websites
deanohume
305
30k
The Illustrated Children's Guide to Kubernetes
chrisshort
48
48k
5 minutes of I Can Smell Your CMS
philhawksworth
202
19k
BBQ
matthewcrist
85
9.3k
Refactoring Trust on Your Teams (GOTO; Chicago 2020)
rmw
31
2.7k
Responsive Adventures: Dirty Tricks From The Dark Corners of Front-End
smashingmag
250
21k
Code Reviewing Like a Champion
maltzj
520
39k
No one is an island. Learnings from fostering a developers community.
thoeni
19
3k
StorybookのUI Testing Handbookを読んだ
zakiyama
27
5.3k
RailsConf 2023
tenderlove
29
900
Agile that works and the tools we love
rasmusluckow
327
21k
The MySQL Ecosystem @ GitHub 2015
samlambert
250
12k

Transcript

  1. None

  2. • • • • Image Jefferson Santos on Unsplash

  3. Image nmap.org

  4. None

  5. ▪ ▪ ▪ github.com/aquasecurity/kube-hunter

  6. Image mario on Flick

  7. Welcome to Club KubeCon Free entry! Show me your ID

    If you’re not on the list, you’re not coming in Image Channel 4

  8. Image Foundry Co from Pixabay

  9. Image Kerstin Riemer from Pixabay

  10. • curl <IP address>:8080 curl <IP address>:8080/api/v1 curl <IP address>:8080/api/v1/namespaces

    curl <IP address>:8080/api/v1/namespaces/default/pods

  11. • curl -k https://<IP address>:6443

  12. Image Pixabay

  13. • curl -k https://<IP address>:6443/swaggerapi curl -k https://<IP address>:6443/healthz curl

    -k https://<IP address>:6443/api/v1

  14. Image Rudy and Peter Skitterians on Pixabay

  15. Kubernetes cluster pod token API server

  16. → Image cocoparisienne on Pixabay

  17. None

  18. curl -k https://<IP address>:2379 curl -k https://<IP address>:2379/version

  19. None

  20. curl -k https://<IP address>:10250 curl -k https://<IP address>:10250/metrics curl -k

    https://<IP address>:10250/pods
  21. None
  22. None

  23. Kubernetes cluster pod token API server

  24. ▪ ▪

  25. Image Free-Photos on Pixabay

  26. Image IAOM-US on Pixabay

  27. @handler.subscribe(NewHostEvent) class PortDiscovery(Hunter): def execute(self): for p in default_ports: if

    self.test_connection(self.host, p): self.publish_event(OpenPortEvent(port=p))

  28. @handler.subscribe(OpenPortEvent, predicate= lambda x: x.port == 10255 or x.port ==

    10250) class KubeletDiscovery(Hunter): def get_read_access(self): r = requests.get("http://{host}:{port}/metrics") if r.status_code == 200: self.publish_event(ReadKubeletEvent())

  29. @handler.subscribe(ReadKubeletEvent) class ReadKubeletPortHunter(Hunter): def execute(self): k8s_version = self.get_k8s_version() if k8s_version:

    self.publish_event(K8sVersionDisclosure( version=k8s_version))

  30. class K8sVersionDisclosure(Vulnerability, Event): def __init__(self, version): Vulnerability.__init__(self, Kubelet, "K8s Version

    Disclosure", category=InformationDisclosure) self.evidence = version

  31. Image Rolf Johansson on Pixabay

  32. None