Upgrade to Pro — share decks privately, control downloads, hide ads and more …

DIY Kubernetes Pen Testing

Liz Rice
May 23, 2019
Technology
1
280

DIY Kubernetes Pen Testing

Check for insecure configurations with kube-hunter! This talk shows what kube-hunter is doing and how an attacker might take advantage of insecure configurations in a kubernetes cluster. You can watch a recording of this talk from KubeCon Barcelona here: https://www.youtube.com/watch?v=fVqCAUJiIn0

Liz Rice

May 23, 2019
Tweet

More Decks by Liz Rice

See All by Liz Rice
Unleashing the kernel with eBPF
lizrice
0
130
eBPF's Abilities and Limitations: The Truth
lizrice
0
220
Simplifying multi-cloud and multi-cluster Kubernetes deployments with Cilium
lizrice
0
130
When is a Secure Connection not encrypted? And other stories
lizrice
1
60
Keeping it simple: Cilium Mesh - networking for multi-cloud Kubernetes and beyond
lizrice
1
560
How Many Proxies Do You Need
lizrice
1
120
eBPF for Security Observability
lizrice
0
1.2k
Beginner's Guide to eBPF Programming for Networking
lizrice
1
2.2k
Contributing to Open Source - what's in it for my business?
lizrice
0
42

Other Decks in Technology

See All in Technology
omakaseしないための.rubocop.yml のつくりかた / How to Build Your .rubocop.yml to Avoid Omakase #kaigionrails
linkers_tech
3
730
[AWS JAPAN 生成AIハッカソン] Dialog の紹介
yoshimi0227
0
150
【技術書典17】OpenFOAM(自宅で極める流体解析)2次元円柱まわりの流れ
kamakiri1225
0
210
Aurora_BlueGreenDeploymentsやってみた
tsukasa_ishimaru
1
120
Autify Company Deck
autifyhq
1
39k
Vueで Webコンポーネントを作って Reactで使う / 20241030-cloudsign-vuefes_after_night
bengo4com
4
2.5k
新卒1年目が挑む!生成AI × マルチエージェントで実現する次世代オンボーディング / operation-ai-onboarding
cyberagentdevelopers
PRO
1
160
Figma Dev Modeで進化するデザインとエンジニアリングの協働 / figma-with-engineering
cyberagentdevelopers
PRO
1
430
Gradle: The Build System That Loves To Hate You
aurimas
2
140
君は隠しイベントを見つけれるか?
mujyun
0
280
コンテンツを支える 若手ゲームクリエイターの アートディレクションの事例紹介 / cagamefi-game
cyberagentdevelopers
PRO
1
120
カメラを用いた店内計測におけるオプトインの仕組みの実現 / ai-optin-camera
cyberagentdevelopers
PRO
1
120

Featured

See All Featured
Adopting Sorbet at Scale
ufuk
73
9k
10 Git Anti Patterns You Should be Aware of
lemiorhan
654
59k
Designing Dashboards & Data Visualisations in Web Apps
destraynor
228
52k
Fireside Chat
paigeccino
32
3k
Rebuilding a faster, lazier Slack
samanthasiow
79
8.6k
Bootstrapping a Software Product
garrettdimon
PRO
305
110k
A Tale of Four Properties
chriscoyier
156
23k
How GitHub (no longer) Works
holman
311
140k
Making Projects Easy
brettharned
115
5.9k
Principles of Awesome APIs and How to Build Them.
keavy
126
17k
Faster Mobile Websites
deanohume
304
30k
Teambox: Starting and Learning
jrom
132
8.7k

Transcript

  1. None

  2. • • • • Image Jefferson Santos on Unsplash

  3. Image nmap.org

  4. None

  5. ▪ ▪ ▪ github.com/aquasecurity/kube-hunter

  6. Image mario on Flick

  7. Welcome to Club KubeCon Free entry! Show me your ID

    If you’re not on the list, you’re not coming in Image Channel 4

  8. Image Foundry Co from Pixabay

  9. Image Kerstin Riemer from Pixabay

  10. • curl <IP address>:8080 curl <IP address>:8080/api/v1 curl <IP address>:8080/api/v1/namespaces

    curl <IP address>:8080/api/v1/namespaces/default/pods

  11. • curl -k https://<IP address>:6443

  12. Image Pixabay

  13. • curl -k https://<IP address>:6443/swaggerapi curl -k https://<IP address>:6443/healthz curl

    -k https://<IP address>:6443/api/v1

  14. Image Rudy and Peter Skitterians on Pixabay

  15. Kubernetes cluster pod token API server

  16. → Image cocoparisienne on Pixabay

  17. None

  18. curl -k https://<IP address>:2379 curl -k https://<IP address>:2379/version

  19. None

  20. curl -k https://<IP address>:10250 curl -k https://<IP address>:10250/metrics curl -k

    https://<IP address>:10250/pods
  21. None
  22. None

  23. Kubernetes cluster pod token API server

  24. ▪ ▪

  25. Image Free-Photos on Pixabay

  26. Image IAOM-US on Pixabay

  27. @handler.subscribe(NewHostEvent) class PortDiscovery(Hunter): def execute(self): for p in default_ports: if

    self.test_connection(self.host, p): self.publish_event(OpenPortEvent(port=p))

  28. @handler.subscribe(OpenPortEvent, predicate= lambda x: x.port == 10255 or x.port ==

    10250) class KubeletDiscovery(Hunter): def get_read_access(self): r = requests.get("http://{host}:{port}/metrics") if r.status_code == 200: self.publish_event(ReadKubeletEvent())

  29. @handler.subscribe(ReadKubeletEvent) class ReadKubeletPortHunter(Hunter): def execute(self): k8s_version = self.get_k8s_version() if k8s_version:

    self.publish_event(K8sVersionDisclosure( version=k8s_version))

  30. class K8sVersionDisclosure(Vulnerability, Event): def __init__(self, version): Vulnerability.__init__(self, Kubelet, "K8s Version

    Disclosure", category=InformationDisclosure) self.evidence = version

  31. Image Rolf Johansson on Pixabay

  32. None