Applied Kubernetes Security Pitfalls
Michael Schubert
October 25, 2018
Transcript
Applied Kubernetes Security Pitfalls
Kubernetes today
❏ Many means available to make clusters more secure
❏ Continued efforts towards secure-by-default
❏ Fairly good security track record
apiVersion: v1
kind: Pod
…
    volumeMounts:
    - mountPath: /test
      name: test
      subPath: malicious-symlink
  volumes:
  - name: test
    hostPath:
      path: /tmp/test
      type: Directory
“Complexity is insecurity”
Complexity is correlated with the presence of security vulnerabilities
Capture the flag
http://tiny.cc/k8sminictf
PS: No DoS and wrongdoing please :)
kube-apiserver: auth delegation
❏ Needed for e.g. API extensions
  --requestheader-client-ca-file
  --requestheader-group-headers
  --requestheader-username-headers
  --requestheader-allowed-names (~optional)
  --requestheader-extra-headers-prefix (optional)
kube-apiserver: auth delegation
[Service]
ExecStart=/usr/local/bin/kube-apiserver \
  --authorization-mode=Node,RBAC \
  --client-ca-file=/etc/k8s/ca.pem \
  --bind-address=0.0.0.0 \
  […]
  --requestheader-client-ca-file=/etc/k8s/ca.pem \
  --requestheader-group-headers=X-Remote-Group \
  --requestheader-username-headers=X-Remote-User
CTF: Demo #1 http://tiny.cc/k8sminictf
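The following Python audit is an added example, not part of the talk or of Kubernetes itself. It parses a kube-apiserver command line like the one on the slide and reports the auth-delegation pitfall: when --requestheader-allowed-names is empty, any certificate validated by the request-header CA may set X-Remote-User, and when that CA is the same file as --client-ca-file, every ordinary client certificate qualifies. The hardened variant's CA path and allowed CN are hypothetical values, and the function names are my own.

```python
import shlex

# kube-apiserver command line as shown on the slide (constructed copy for testing)
SLIDE_CMDLINE = (
    "/usr/local/bin/kube-apiserver --authorization-mode=Node,RBAC "
    "--client-ca-file=/etc/k8s/ca.pem --bind-address=0.0.0.0 "
    "--requestheader-client-ca-file=/etc/k8s/ca.pem "
    "--requestheader-group-headers=X-Remote-Group "
    "--requestheader-username-headers=X-Remote-User"
)
# Same command line with a dedicated front-proxy CA and an allowed-names list
# (hypothetical file name and common name, not taken from the slide)
HARDENED_CMDLINE = SLIDE_CMDLINE.replace(
    "--requestheader-client-ca-file=/etc/k8s/ca.pem",
    "--requestheader-client-ca-file=/etc/k8s/front-proxy-ca.pem "
    "--requestheader-allowed-names=front-proxy-client",
)


def parse_flags(cmdline):
    """Map '--key=value' / '--key value' / bare '--key' tokens to a dict (last wins)."""
    flags, tokens, i = {}, shlex.split(cmdline)[1:], 0  # [1:] drops the binary path
    while i < len(tokens):
        key, sep, val = tokens[i][2:].partition("=")
        if tokens[i].startswith("--"):
            if not sep:  # '--key value' form, or a boolean flag with no value
                if i + 1 < len(tokens) and not tokens[i + 1].startswith("--"):
                    i += 1
                    val = tokens[i]
                else:
                    val = "true"
            flags[key] = val
        i += 1
    return flags


def audit_request_header_auth(flags):
    """Return findings for the request-header (front-proxy) authenticator, [] if clean."""
    findings = []
    rh_ca = flags.get("requestheader-client-ca-file")
    if rh_ca is None:
        return findings  # authenticator not enabled, nothing is delegated
    if not flags.get("requestheader-allowed-names"):
        findings.append("requestheader-allowed-names empty: any certificate signed by "
                        "the request-header CA may assert X-Remote-User/X-Remote-Group")
    if rh_ca == flags.get("client-ca-file"):
        findings.append("requestheader-client-ca-file is the cluster client CA: every "
                        "ordinary client certificate is trusted as a front proxy")
    return findings


def audit_cmdline(cmdline):
    return audit_request_header_auth(parse_flags(cmdline))
```

Run `audit_cmdline(SLIDE_CMDLINE)` to see both findings for the slide's configuration; the hardened command line returns an empty list.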
PodSecurityPolicy (PSP)
❏ Added with v1.10
❏ Administrators decide what contexts pods can run in
❏ Would have been a way to mitigate CVE-2017-1002101 ... with the right policy
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
…
  privileged: false
  volumes:
  - 'hostPath'
  allowedHostPaths:
  - pathPrefix: /tmp
  runAsUser:
    rule: 'MustRunAs'
    ranges:
    - min: 1
      max: 65535
CTF: Demo #2 http://tiny.cc/k8sminictf
Server-side request forgery (SSRF)
❏ “... is a type of exploit where an attacker abuses the functionality of a server causing it to access or manipulate information in the realm of that server ...”
Server-side request forgery (SSRF)
<script> window.location="http://metadata.google.internal/…; </script>
https://hackerone.com/reports/341876
Kudos Shopify!
Thank you
@schux00
Resources
❏ https://github.com/kubernetes/kubernetes/issues/60813
❏ https://www.daemonology.net/blog/2009-09-04-complexity-is-insecurity.html
❏ https://www.schneier.com/blog/archives/2018/06/thomas_dullien_.html
❏ https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems
❏ https://en.wikipedia.org/wiki/Server-side_request_forgery
❏ https://hackerone.com/reports/341876