The Path Less Traveled: Abusing Kubernetes Defaults

Presented at Black Hat USA 2019, Aug. 7, 2019, 1:30 p.m. (50 minutes)

Kubernetes is a container orchestration framework that is increasingly widely used in enterprise and elsewhere. While the industry is starting to pay some attention to Kubernetes security, there are many attack paths that aren’t well-documented, and are rarely discussed. This lack of information can make your clusters vulnerable.

In this live demonstration-filled talk, we are going to walk through the Kubernetes control plane before using sigs.k8s.io/kind (https://protect-us.mimecast.com/s/s_7_CERZP5f3wyqz8sN8f3a?domain=sigs.k8s.io) to show some of the attack surface exposed by a default configuration of Kubernetes. There will be multiple exploits involving various moving parts, including cluster takeovers and host escapes. We’ll show you mitigations, and then show you how to get around those.

Everything in this talk exploits features, not bugs! Kubernetes is powerful, and it’s insecure by design. Let’s see what it can do, and then let us show you how to better secure it.

The audience will walk away from this talk with a better understanding of Kubernetes’ default attack surface, how it can be exploited, and how to keep their clusters safer.

Presenters:

  • Duffie Cooley - Staff Cloud Native Architect, VMware
    Duffie Cooley is a Staff Cloud Native Architect at VMware. He is focused on enabling the adoption of this new cloud native model by enterprises around the world. Having navigated a few generations of distributed systems, he enjoys troubleshooting and helping folks!
  • Ian Coldwater - Lead Platform Security Engineer, Heroku
    Ian Coldwater is a grown teenage hacker turned Lead Platform Security Engineer at Heroku, who specializes in hacking and hardening Kubernetes, containers and cloud-native infrastructure. In their spare time, they like to go on cross-country road trips, participate in Capture the Flag competitions, and eat a lot of pie. Ian lives in Minneapolis and tweets @IanColdwater.