Scaling Kubernetes Security with Kubernetes Goat - All Day DevOps 2022

Transcript

1. TRACK: DEVSECOPS NOVEMBER 10, 2022 Madhu Akula, Pragmatic Security Leader

   Scaling Kubernetes Security with Kubernetes Goat

2. TRACK: DEVSECOPS Welcome to Amazing All Day DevOps DevSecOps Track

   2022 🎉

3. TRACK: DEVSECOPS 🙏 About - Madhu Akula • Founder, Advisor

   & Pragmatic Security Leader • Creator of Kubernetes Goat, Hacker Container, tools.tldr.run, many other OSS projects. • Speaker & Trainer at Blackhat, DEFCON, GitHub, USENIX, OWASP, All Day DevOps, SANS, DevSecCon, CNCF, c0c0n, Nullcon, SACON, null, many others. • Author of Security Automation with Ansible2, OWASP KSTG, whitepapers, etc. • Technical reviewer (multiple books) & Review board member of multiple conferences, organizations, communities, etc. • Found security vulnerabilities in 200+ organizations and products including Google, Microsoft, AT&T, Adobe, WordPress, Ntop, etc. • Certified Kubernetes (CKA/CKS), Offensive Security Certified Professional (OSCP), etc. • Never ending learner!

4. TRACK: DEVSECOPS Why Kubernetes Security? https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/ @madhuakula

5. TRACK: DEVSECOPS Why Kubernetes Security? https://github.com/cncf/financial-user-group/blob/master/projects/k8s-threat-model/AttackTrees/AccessSensitiveData.md @madhuakula

6. TRACK: DEVSECOPS What is Kubernetes Goat 🐐 Kubernetes Goat is

   an interactive Kubernetes security learning playground. Intentionally vulnerable by design scenarios to showcase the common misconfigurations, real-world vulnerabilities, and security issues in Kubernetes clusters, containers, and cloud native environments. @madhuakula

7. TRACK: DEVSECOPS Kubernetes Goat has intentionally created vulnerabilities, applications, and

   configurations to attack and gain access to your cluster and workloads. Please DO NOT run alongside your production environments and infrastructure. So we highly recommend running this in a safe and isolated environment. Kubernetes Goat is used for educational purposes only, do not test or apply these attacks on any systems without permission. Kubernetes Goat comes with absolutely no warranties, by using it you take full responsibility for all the outcomes. 🚨 Disclaimer @madhuakula

8. TRACK: DEVSECOPS Can I use from Kubernetes Goat 🤔 Kubernetes

   Goat is intended for a variety of audiences and end-users. Which includes hackers, attackers, defenders, developers, architects, DevOps teams, engineers, researchers, products, vendors, and anyone interested in learning about Kubernetes Security. Below are some of the very high-level categories of audience 💥 Attackers & Red Teams 🛡 Defenders & Blue Teams 🧰 Products & Vendors 🔐 Developers & DevOps Teams 💡 Interested in Kubernetes Security @madhuakula

9. TRACK: DEVSECOPS 🔥 Kubernetes Goat Audience @madhuakula

10. TRACK: DEVSECOPS 1. Sensitive keys in codebases 2. DIND (docker-in-docker)

    exploitation 3. SSRF in the Kubernetes (K8S) world 4. Container escape to the host system 5. Docker CIS benchmarks analysis 6. Kubernetes CIS benchmarks analysis 7. Attacking private registry 8. NodePort exposed services 9. Helm v2 tiller to PwN the cluster - [Deprecated] 10. Analyzing crypto miner container 11. Kubernetes namesapces bypass 12. Gaining environment information 13. DoS the memory/cpu resources 14. Hacker Container preview 15. Hidden in layers 16. RBAC Least Privileges Misconfiguration 17. KubeAudit - Audit Kubernetes Clusters 18. Sysdig Falco - Runtime Security Monitoring & Detection 19. Popeye - A Kubernetes Cluster Sanitizer 20. Secure network boundaries using NSP Scenarios in Kubernetes Goat 🚀 15+ more scenarios releasing soon… ❤ Scenarios going to be updated with defenders, developers, tools & vendor sections for reach scenario 🥳 @madhuakula

11. TRACK: DEVSECOPS 🚀 Katacoda Playground - Free Online in-browser ☸

    Vanilla Kubernetes Cluster ☁ AWS Kubernetes (EKS) ☁ GCP Kubernetes (GKE) ☁ Azure Kubernetes (AKS) ☸ Kubernetes IN Docker (KiND) ☸ Lightweight Kubernetes (K3S) - Coming soon 👀 ☸ Digital Ocean, Vagrant, Many others… ⚙ How can I setup Kubernetes Goat @madhuakula

12. TRACK: DEVSECOPS • Make sure you have Kubernetes cluster with

    cluster-admin privileges. Also kubectl and helm installed in your system before running the following commands to setup the Kubernetes Goat ⎈ Setting up in your Kubernetes Cluster $ git clone https://github.com/madhuakula/kubernetes-goat.git $ cd kubernetes-goat $ bash setup-kubernetes-goat.sh $ bash access-kubernetes-goat.sh • Now you can access the Kubernetes Goat by navigating to http://127.0.0.1:1234 @madhuakula

13. TRACK: DEVSECOPS ⚡ Get Started with Kubernetes Goat 🐐 @madhuakula

14. TRACK: DEVSECOPS ⚡ Get Started with Kubernetes Goat 🐐 @madhuakula

15. TRACK: DEVSECOPS ⚡ Get Started with Kubernetes Goat 🐐 @madhuakula

    https://madhuakula.com/kubernetes-goat

16. TRACK: DEVSECOPS ☸ 🐐 Demo Time 🤞 🙏 @madhuakula

17. TRACK: DEVSECOPS @madhuakula Why do we need to scale Kubernetes

    Security? • Nature of immutable infrastructure • Matching the speed of containers, infrastructure with security • Frequency of deployments and workloads • Size of the teams, deployments from both dev, ops, engineering and security • How frequently and repetitively we fix certain issues • Education, knowledge and skill gap • Maturity of the security and the alignment with stakeholders • Many others…

18. TRACK: DEVSECOPS @madhuakula What should we do & how should

    we go about it? • I think there is no single answer, approach here • Always look at the core problem and root cause and fix at that layer • Try to be self-service model by providing patterns in an actionable way • Be an helping hand for DevOps, SRE and Engineering teams rather pointing just issues ◦ Helping them to create secure and safe Helm charts, Dockerfiles, Templates, etc. ◦ Removing the blockers by being pragmatic and empathetic ◦ Eliminate the possible things early and at scale • Repeat after me: Education, Education, Education ◦ Most people don’t even understand the technology, leave about security. So educating them by teaching and practicing is the way to go 🚀

19. TRACK: DEVSECOPS ☸ 🐐 Demo Time 🤞 🙏 @madhuakula

20. TRACK: DEVSECOPS 🚀 Key Takeaways @madhuakula ✅ Security is everyone’s

    responsibility (Dev, Ops, Security, Management, etc.) ⚠ Threat model your architecture and identify risks/threats 🙌 Follow and apply secure defaults 📚Know what you have (Inventory of assets) 🧱Adopt zero trust model (Zoning, Containment & Segmentation) 🎯Apply security at each layer (Defense in depth strategy) 🚨Follow least privilege principle 👮AuthN & AuthZ 🔐Encryption at REST & TRANSIT 🛡Proactive monitoring & Active defense 🔁Continuously analyse and apply feedback loops 👉 Crawl 🐢, Walk 🚶, Run 🏃, Fly ✈

21. TRACK: DEVSECOPS 👉 https://madhuakula.com/content 👉 https://kubernetes.io 👉 https://github.com/madhuakula/hacker-container 👉 https://kubernetes-security.info

    👉 https://github.com/kelseyhightower/kubernetes-the-hard-way 👉 https://container.training 👉 https://github.com/freach/kubernetes-security-best-practice 👉 https://kubernetes.io/docs/tasks/administer-cluster/securing-a-cluster 👉 https://github.com/docker/labs 👉 https://labs.play-with-docker.com 👉 https://labs.play-with-k8s.com 👉 https://landscape.cncf.io 🔖 Resources & References @madhuakula 👉 https://github.com/cncf/sig-security/tree/master/security-whitepaper 👉 https://tools.tldr.run 👉 https://github.com/magnologan/awesome-k8s-security 👉 https://github.com/ramitsurana/awesome-kubernetes 👉 https://github.com/tomhuang12/awesome-k8s-resources 👉 CNCF Slack 👉 Kubernetes Slack 👉 https://k8s.af 👉 https://contained.af 👉 https://github.com/genuinetools/img 👉 https://github.com/genuinetools/bane 👉 https://github.com/genuinetools/amicontained 👉 CNCF YouTube Playlists for the KubeCon

22. TRACK: DEVSECOPS Thank you 🙏 @madhuakula https://madhuakula.com @madhuakula https://madhuakula.com Want

    to learn more, have some idea, or just wanted to say 👋

23. TRACK: DEVSECOPS