Defenders Guide to Kubernetes Security - Dutch Microsoft & Security NL - Summer Security Night (+BBQ)

Transcript

1. Madhu Akula Defenders Guide to Kubernetes Security @madhuakula

2. • Creator of Kubernetes Goat, Hacker Container, tools.tldr.run, many other

   OSS projects. • Speaker & Trainer at Blackhat, DEFCON, GitHub, USENIX, OWASP, All Day DevOps, SANS, DevSecCon, CNCF, c0c0n, Nullcon, SACON, null, many others. • Author of Security Automation with Ansible2, OWASP KSTG, whitepapers, etc. • Technical reviewer (multiple books) & Review board member of multiple conferences, organizations, communities, etc. • Found security vulnerabilities in 200+ organizations and products including Google, Microsoft, AT&T, Adobe, WordPress, Ntop, etc. • Community member of null, ADDO, AWS, CNCF, OWASP, USENIX, Snyk Ambassadors, etc. • Certified Kubernetes Administrator, Offensive Security Certified Professional, etc. • Never ending learner! About Me 😊 @madhuakula

3. Kubernetes is an open source container orchestration engine for automating

   deployment, scaling, and management of containerized applications. The open source project is hosted by the Cloud Native Computing Foundation (CNCF). Overview of the Kubernetes @madhuakula

4. Why do we have to think about Security? @madhuakula

5. Why do we have to think about Security? @madhuakula https://github.com/cncf/financial-user-group/blob/master/projects/k8s-threat-model/AttackTrees/AccessSensitiveData.md

6. Oops! that isn't good @madhuakula https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/

7. That's Crazy! Isn't our managed providers solving this? @madhuakula https://medium.com/@pkerrison/pizza-as-a-service-2-0-5085cd4c365e

8. Okay, Let's start by writing a simple Microservice? @madhuakula https://github.com/GoogleCloudPlatform/microservices-demo/

   Online Boutique is a cloud-native demo application with 10 microservices showcasing Kubernetes, Istio, gRPC and OpenCensus.

9. Okay, Let's start by writing a simple Microservice? @madhuakula https://github.com/cncf/financial-user-group/tree/master/projects/k8s-threat-model

10. • Code quality analysis (Ex: SonarQube) • Security linters (Ex:

    Findsecbugs) • Sensitive Info/Secrets Analysis • Dependency security Analysis Checks • Supply chain security analysis • Static Code Security Analysis • Dynamic Security Analysis • Semantic/Variant Analysis (Ex: Semgrep, CodeQL) • Many more... Write the application code @madhuakula import flask import yaml app = flask.Flask(__name__) app.config["DEBUG"] = True @app.route('/', methods=['GET']) def home(): return "Welcome to Kubernetes world!" app.run() pip install ‘pyyaml==5.4’

11. • Dockerfile best practices • Linters, tools, techniques • BuildKit

    for the safety • Hadolint, Dockle, Checkov, KICS, etc. • docker-slim for looking deeper layers • dive: explore layers! • IDE integrations (VSCode, k8slens.dev, IntelliJ, etc.) • OPA & Conftest with custom policies & Rego • Always context matters 😎 Package the application into a container aka Dockerfile @madhuakula FROM randomuser/python:latest ENV SECRET AKIGG23244GN2344GHG USER root WORKDIR /app COPY requirements.txt requirements.txt RUN pip3 install -r requirements.txt COPY . . CMD [ "flask", "run", "--host=0.0.0.0" ] https://medium.com/miro-engineering/a-practical-guide-to-writing-secure-dockerfiles-bf561224dd80

12. • Pre/Post commit hooks • Secrets scanning (cool project: OWASP

    WrongSecrets) - Trufflehog, Gitleaks, etc. • Scanning for the container vulnerabilities (System, SBOM, Dependencies, Packages, etc.) • Supply chain security risks (signing, verification, packages, artefacts, etc.) • Permissions, privileges and changes • Risk analysis of the code, packages, permissions, build • All the amazing automation comes here 😊 Push these changes to Version Control System @madhuakula

13. So, what happens now? @madhuakula

14. • Build systems, configuration and the context • Runners, segmentation,

    privileges, socket mounts, volumes, many other… • All your pipelines comes handy here ◦ SCA, SAST, DAST, Secrets, Container, IaC, Code, Supply Chain, RBAC, etc. • Having policies, processes for registries, artefacts • Podman, Distroless, Docker-Slim, Custom stuff • Short-lived, Least privileged access for the infrastructure • Many others… It's time for the CI/CD stuff! @madhuakula

15. I'm ready now, where do I go? @madhuakula

16. • Infrastructure Code (Terraform, Ansible, AMIs, Configurations, etc.) ◦ KICS,

    Kubescape, Checkov, Kubesec.io, etc. for performing scanning for these IaC • Hardening using standards and benchmarks like CIS, NSA, etc. • Applying sane secure defaults (AppArmor, gVisor, NSP, PSS, RBAC, OPA, many others.) • Handling the operations well (Secrets Management, TLS, mTLS, Ingress, LB, Storage, etc.) • Cloud providers security configurations and best practices (Metadata, IAM, NSG, etc.) • Preventive & Detective controls (OPA, Kyverno, SecurityContext, PSS, Webhooks, etc.) • Continuous security visibility, monitoring, detection and alerting in place ◦ Audits, Risk analysis, Runtime Sandboxing, External Connections, Add-ons, etc. Here comes the Infrastructure aka our K8S cluster ⎈ @madhuakula

17. Oh! This is pretty cool, how can I be more

    awesome? @madhuakula Maturity Level 3 Maturity Level 2 Maturity Level 1 Go beyond normal paranoia and threat actors🕵

18. I think something went wrong!!! @madhuakula https://github.com/cilium/hubble

19. https://twitter.com/david_das_neves/status/1544367262093791232 Cool, anything else? @madhuakula AKS - MindMap

20. It’s enough! I love this stuff ❤ How can I

    learn, practice, and implement? @madhuakula

21. Welcome to Kubernetes Goat 🎉 @madhuakula

22. What is Kubernetes Goat 🐐 Kubernetes Goat is an interactive

    Kubernetes security learning playground. Intentionally vulnerable by design scenarios to showcase the common misconfigurations, real-world vulnerabilities, and security issues in Kubernetes clusters, containers, and cloud native environments. @madhuakula

23. Kubernetes Goat has intentionally created vulnerabilities, applications, and configurations to

    attack and gain access to your cluster and workloads. Please DO NOT run alongside your production environments and infrastructure. So we highly recommend running this in a safe and isolated environment. Kubernetes Goat is used for educational purposes only, do not test or apply these attacks on any systems without permission. Kubernetes Goat comes with absolutely no warranties, by using it you take full responsibility for all the outcomes. 🚨 Disclaimer @madhuakula

24. Can I use Kubernetes Goat for ___? 🤔 Kubernetes Goat

    is intended for a variety of audiences and end-users. Which includes hackers, attackers, defenders, developers, architects, DevOps teams, engineers, researchers, products, vendors, and anyone interested in learning about Kubernetes Security. Below are some of the very high-level categories of audience 💥 Attackers & Red Teams 🛡 Defenders & Blue Teams 🧰 Products & Vendors 🔐 Developers & DevOps Teams 💡 Interested in Kubernetes Security @madhuakula

25. 🔥 Kubernetes Goat Audience @madhuakula

26. 12. Gaining environment information 13. DoS the memory/cpu resources 14.

    Hacker Container preview 15. Hidden in layers 16. RBAC Least Privileges Misconfiguration 17. KubeAudit - Audit Kubernetes Clusters 18. Sysdig Falco - Runtime Security Monitoring & Detection 19. Popeye - A Kubernetes Cluster Sanitizer 20. Secure network boundaries using NSP 1. Sensitive keys in codebases 2. DIND (docker-in-docker) exploitation 3. SSRF in the Kubernetes (K8S) world 4. Container escape to the host system 5. Docker CIS benchmarks analysis 6. Kubernetes CIS benchmarks analysis 7. Attacking private registry 8. NodePort exposed services 9. Helm v2 tiller to PwN the cluster - [Deprecated] 10. Analyzing crypto miner container Scenarios in Kubernetes Goat 🚀 15+ more scenarios releasing soon… ❤ Scenarios going to be updated with defenders, developers, tools & vendor sections for reach scenario 🥳 @madhuakula

27. • Make sure you have Kubernetes cluster with cluster-admin privileges.

    Also kubectl and helm installed in your system before running the following commands to setup the Kubernetes Goat ⎈ Setting up in your Kubernetes Cluster $ git clone https://github.com/madhuakula/kubernetes-goat.git $ cd kubernetes-goat $ bash setup-kubernetes-goat.sh $ bash access-kubernetes-goat.sh • Now you can access the Kubernetes Goat by navigating to http://127.0.0.1:1234 @madhuakula

28. ⚡ Get Started with Kubernetes Goat 🐐 @madhuakula

29. ⚡ Get Started with Kubernetes Goat 🐐 @madhuakula

30. ⚡ Get Started with Kubernetes Goat 🐐 @madhuakula https://madhuakula.com/kubernetes-goat

31. ☸ 🐐 Demo Time 🤞 🙏 @madhuakula

32. Key Takeaways! @madhuakula BBQ en borrel 🥳

33. ✅ Security is everyone’s responsibility (Dev, Ops, Security, Management, etc.)

    ⚠ Threat model your architecture and identify risks/threats 🙌 Follow and apply secure defaults 📚Know what you have (Inventory of assets) 🧱Adopt zero trust model (Zoning, Containment & Segmentation) 🎯Apply security at each layer (Defense in depth strategy) 🚨Follow least privilege principle 👮AuthN & AuthZ 🔐Encryption at REST & TRANSIT 🛡Proactive monitoring & Active defense 🔁Continuously analyse and apply feedback loops 👉 Crawl 🐢, Walk 🚶, Run 🏃, Fly ✈ Key Takeaways! @madhuakula

34. 👉 https://madhuakula.com/content 👉 https://kubernetes.io 👉 https://github.com/madhuakula/hacker-container 👉 https://kubernetes-security.info 👉 https://github.com/kelseyhightower/kubernetes-the-hard-way

    👉 https://container.training 👉 https://github.com/freach/kubernetes-security-best-practice 👉 https://kubernetes.io/docs/tasks/administer-cluster/securing-a-cluster 👉 https://github.com/docker/labs 👉 https://labs.play-with-docker.com 👉 https://labs.play-with-k8s.com 👉 https://landscape.cncf.io 👉 https://github.com/cncf/sig-security/tree/master/security-whitepaper 👉 https://tools.tldr.run 👉 https://github.com/magnologan/awesome-k8s-security 👉 https://github.com/ramitsurana/awesome-kubernetes 👉 https://github.com/tomhuang12/awesome-k8s-resources 👉 CNCF Slack 👉 Kubernetes Slack 👉 https://k8s.af 👉 https://contained.af 👉 https://github.com/genuinetools/img 👉 https://github.com/genuinetools/bane 👉 https://github.com/genuinetools/amicontained 👉 CNCF YouTube Playlists for the KubeCon 🔖 Resources & References @madhuakula

35. 🙌 Give it a try 🚀 Contribute ideas & suggestions

    🤝 Work with the project & improve 🙏 Share your valuable feedback 🌟 Star in our GitHub 🎉 Spread the word in social media Spread the ❤ Kubernetes Goat https://madhuakula.com/kubernetes-goat/docs/wall-of-love Awesome Kubernetes Goat Stickers, T-Shirts & Some cool goodies on the way 🥳 @madhuakula

36. Dank je wel 🙏 @madhuakula https://madhuakula.com @madhuakula https://madhuakula.com Want to

    learn more, have some idea, or just wanted to say 👋