Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Applied Kubernetes Security Pitfalls
Search
Sponsored
·
Ship Features Fearlessly
Turn features on and off without deploys. Used by thousands of Ruby developers.
→
Michael Schubert
October 25, 2018
Technology
2.5k
0
Share
Embed
Copy iframe code
Copy JS code
Copy link
Start on current slide
Applied Kubernetes Security Pitfalls
Michael Schubert
October 25, 2018
More Decks by Michael Schubert
See All by Michael Schubert
A gentle introduction to [e]BPF @ Open Source Summit LinuxCon 2017
schu
1
920
Landlock LSM: Towards unprivileged sandboxing @ All Systems Go! 2017
schu
0
880
gobpf - utilizing eBPF from Go @ FOSDEM 2017
schu
0
1.3k
gobpf - utilizing eBPF from Go @ GDG Golang Berlin
schu
1
220
Other Decks in Technology
See All in Technology
2026.06.13_AI時代に事業会社が「SIer出身エンジニア」を求める理由 / Why Businesses Seek Engineers with a System Integrator Background in the AI Era
jumtech
0
1.1k
FDE という解 ― 暗黙知と明示知をつなぐ、伴走型エンジニアリング ―
otanet
0
140
【Cyber-sec+】経営層を"動かす"ための考え方
hssh2_bin
0
150
2026TECHFRESH畢業分享會 - AI 時代的人生存檔點
line_developers_tw
PRO
0
910
2026TECHFRESH畢業分享會 - Lightning Talk - E起 See See : 電商推薦讀心術? 數據說了算
line_developers_tw
PRO
0
900
人材育成分科会.pdf
_awache
0
120
なぜ Platform Engineering の土台に Kubernetes を選ぶのか
r4ynode
2
610
フロンティアAIのゲート化と地政学リスク
nagatsu
0
130
AIはどのように 組織のアジリティを変えるのか?
junki
1
600
あなたの知らないPDFのアクセシビリティ
lycorptech_jp
PRO
0
130
2026 TECHFRESH 畢業分享會 - AI-Native 重塑軟體工程與虛擬講師
line_developers_tw
PRO
0
910
チームで進めるAI駆動アジャイル×ウォーターフォール
kumaiu
0
160
Featured
See All Featured
Designing Dashboards & Data Visualisations in Web Apps
destraynor
231
55k
HDC tutorial
michielstock
2
700
New Earth Scene 8
popppiees
3
2.3k
Typedesign – Prime Four
hannesfritz
42
3.1k
Build The Right Thing And Hit Your Dates
maggiecrowley
39
3.2k
What Being in a Rock Band Can Teach Us About Real World SEO
427marketing
0
250
The State of eCommerce SEO: How to Win in Today's Products SERPs - #SEOweek
aleyda
2
11k
Claude Code どこまでも/ Claude Code Everywhere
nwiizo
65
56k
The Cult of Friendly URLs
andyhume
79
6.9k
Efficient Content Optimization with Google Search Console & Apps Script
katarinadahlin
PRO
1
610
Test your architecture with Archunit
thirion
1
2.3k
The innovator’s Mindset - Leading Through an Era of Exponential Change - McGill University 2025
jdejongh
PRO
1
200
Transcript
Applied Kubernetes Security Pitfalls
Kubernetes today ❏ Many means available to make clusters more
secure ❏ Continued efforts towards secure-by-default ❏ Fairly good security track record
None
apiVersion: v1 kind: Pod … volumeMounts: - mountPath: /test name:
test subPath: malicious-symlink volumes: - name: test hostPath: path: /tmp/test type: Directory
“Complexity is insecurity” Complexity correlated with the presence of security
vulnerabilities
Capture the flag http://tiny.cc/k8sminictf PS: No DoS and wrongdoing please
:)
kube-apiserver: auth delegation ❏ Needed for e.g. API extensions --requestheader-client-ca-file
--requestheader-group-headers --requestheader-username-headers --requestheader-allowed-names (~optional) --requestheader-extra-headers-prefix (optional)
kube-apiserver: auth delegation [Service] ExecStart=/usr/local/bin/kube-apiserver \ --authorization-mode=Node,RBAC \ --client-ca-file=/etc/k8s/ca.pem \
--bind-address=0.0.0.0 \ […] --requestheader-client-ca-file=/etc/k8s/ca.pem \ --requestheader-group-headers=X-Remote-Group \ --requestheader-username-headers=X-Remote-User CTF: Demo #1 http://tiny.cc/k8sminictf
PodSecurityPolicy (PSP) ❏ Added with v1.10 ❏ Administrators decide what
contexts pods can run in ❏ Would have been a way to mitigate CVE-2017-1002101 ... with the right policy
apiVersion: policy/v1beta1 kind: PodSecurityPolicy … privileged: false volumes: - 'hostPath'
allowedHostPaths: - pathPrefix: /tmp runAsUser: rule: 'MustRunAs' ranges: - min: 1 max: 65535 CTF: Demo #2 http://tiny.cc/k8sminictf
Server-side request forgery (SSRF) ❏ “... is a type of
exploit where an attacker abuses the functionality of a server causing it to access or manipulate information in the realm of that server ...”
Server-side request forgery (SSRF) <script> window.location="http://metadata.google.internal/…; </script> https://hackerone.com/reports/341876 Kudos Shopify!
Thank you
[email protected]
@schux00 @
[email protected]
[email protected]
Resources ❏ https://github.com/kubernetes/kubernetes/issues/60813 ❏ https://www.daemonology.net/blog/2009-09-04-complexity-is-insecurity.html ❏ https://www.schneier.com/blog/archives/2018/06/thomas_dullien_.html ❏ https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-syst ems
❏ https://en.wikipedia.org/wiki/Server-side_request_forgery ❏ https://hackerone.com/reports/341876
schu
jumtech
otanet
hssh2_bin
line_developers_tw
_awache
r4ynode
nagatsu
junki
lycorptech_jp
kumaiu
destraynor
michielstock
popppiees
hannesfritz
maggiecrowley
427marketing
aleyda
nwiizo
andyhume
katarinadahlin
thirion
jdejongh
![kube-apiserver: auth delegation [Service] ExecStart=/usr/local/bin/kube-apiserver \ --authorization-mode=Node,RBAC \ --client-ca-file=/etc/k8s/ca.pem \](https://files.speakerdeck.com/presentations/a22fd8e9d7374d91bd15f872193ad751/slide_7.jpg){kind=link}
![Thank you [email protected] @schux00 @[email protected] [email protected]](https://files.speakerdeck.com/presentations/a22fd8e9d7374d91bd15f872193ad751/slide_12.jpg){kind=link}
