The Hacker's Guide to Kubernetes: Reloaded

•

0 likes•15 views

Patrycja Wegrzynowicz

Codemotion Milan 2023

Technology

Patrycja Wegrzynowicz
The Hacker’s Guide to Kubernetes:
Reloaded
Lead Engineer, Form3
@yonlabs

Hello! !
• 20+ professional experience
software engineer, architect, researcher, head of R&D
• Author and speaker
JavaOne, CodeOne, Devoxx, JFokus, JavaZone, and more
• Top 10 Women in Tech in Poland
• Oracle Groundbreaker Ambassador, Oracle ACE
• Form3, Financial Cloud
Lead SRE Engineer
• Founder at Yon Labs
Automated tools for detection and refactoring of software defects.
Performance, security, concurrency.
Intro to Patrycja

Form3, Financial Cloud
Business Model
• Provides a payment platform for financial institution
• Integrates across multiple payment schemes
• Makes integration easier and quicker
Work Model
• Fully remote
• Pair programming
• Only senior engineers
Technology
• Multi-cloud platform: AWS, GCP, Azure
• Microservices: (mostly) Go and (little) Java
• Infrastructure as Code: Terraform
Why is Security Important?

Introduction to Kubernetes Architecture
Introduction to OWASP Kubernetes Top 10 &
MITRE ATT&K ® Threat Matrix for Kubernetes
Demos
Summary
01
02
03
04
Agenda

Kubernetes Components
Kubernetes Architecture
Source: https://medium.com, Kubernetes - Architecture Overview by Ashish Patel

Kubernetes Components
Kubernetes Architecture
Source: https://medium.com, Kubernetes - Architecture Overview by Ashish Patel
CNI

OWASP Kubernetes Top 10 2022
K01 Insecure Workload Configuration
K02 Supply Chain Vulnerabilities
K03 Overly Permissive RBAC Configurations
K04 Lack of Centralized Policy Enforcement
K05 Inadequate Logging and Monitoring
K06 Broken Authentication Mechanisms
K07 Missing Network Segmentation Controls
K08 Secrets Management Failures
K09 Misconfigured Cluster Components
K10 Outdated and Vulnerable Kubernetes Components

MITRE ATT&K ® – Threat Matrix for Kubernetes
Source: https://www.microsoft.com/en-us/security/blog/2021/03/23/secure-
containerized-environments-with-updated-threat-matrix-for-kubernetes/

Demo Fun Time – Overview
• Demo application
https://codemotion.yonlabs.com
(or checkout X-Twitter: https://twitter.com/yonlabs)
register a new account
each account has a secret data
log in
wait to be hacked :D
• Objective
to hack your accounts and learn your secrets
hacking 101
Let the fun begin!

Bad Pods: Kubernetes Pod Privilege Escalation
• https://bishopfox.com/blog/kubernetes-pod-
privilege-escalation
• By: Seth Art, Principal Security Consultant
Demos

Problems
• K01 Insecure Workload Configuration
root
privileged
hostPID
hostPath
hostNetwork
hostIPC
• K04 Lack of Centralized Policy Enforcement
able to create insecure workload
• K08 Secrets Management Failure
demo-secret not encrypted
Demo #1

Problems
• K01 Insecure Workload Configuration
root
privileged
hostPID
• K04 Lack of Centralized Policy Enforcement
able to create insecure workload
• Networking
unencrypted traffic
Demo #2

Bad Pods: Kubernetes Pod Privilege Escalation
• Bad Pod #1: Everything allowed
• Bad Pod #2: Privileged and hostPid
• Bad Pod #3: Privileged only
• Bad Pod #4: hostPath only
• Bad Pod #5: hostPID only
• Bad Pod #6: hostNetwork only
• Bad Pod #7: hostIPC only
• Bad Pod #8: Nothing allowed
Source: https://bishopfox.com/blog/kubernetes-pod-privilege-escalation

Similar to The Hacker's Guide to Kubernetes: Reloaded

20191201 kubernetes managed weblogic revival - part 2

makker_nl

oci-container-engine-oke-100.pdf

NandiniSinghal16

The Kubernetes WebLogic revival (part 2)

Simon Haslam

Container security within Cisco Container Platform

Sanjeev Rampal

JCON_15FactorWorkshop.pptx

Grace Jansen

DeveloperWeekEnterprise2023 - Introduction to Kubernetes Operators for Databases

Juarez Junior

Attacking and Defending Kubernetes - Nithin Jois

OWASP Hacker Thursday

Whether your applications are cloud-native, cloud-ready, or just evolving towards cloud-based deployment, you can capture the complete stack as an OpenStack Heat template. In this session, we’ll present a web-based editing experience that enables you to capture each aspect of your architecture in a ready-to-deploy and easy-to-update design based on HOT. We'll show you those Heat templates in either a rich diagram editor or a simple but powerful text editor -- all in your web browser! Advanced features like autoscaling, load balancing, deployment ordering, and object storage will all be captured as part of your application design — right along side the critical software that defines the business behavior of your workload. And it’s not just about the first time you deploy, it’s about deploying every time thereafter. We’ll show you how you can manage your software deployment pipeline as part of your Heat templates. Maybe you’re not sure what cloud to deploy to? Interested in OpenStack, but already have investments in other clouds? We’ll also demonstrate how we’ve extended the Heat language to design cloud-portable templates. So come on this journey with us, where we’ll leverage the cloud to help you build better software for your end users. - Define full stack application workloads using OpenStack HOT - Deploy and update infrastructure and application changes as part of your release pipeline - Design templates with autoscaling, load balancing, deployment ordering, and object storage as part of your application architecture

Continuously Design your Continuous Deployment

Michael Elder

Anil Info

Anil Kumar Mullapudi

Batten Down the Hatches: A Practical Guide to Securing Kubernetes - RMISC 2019

Lacework

Cloud native applications offer scalability, flexibility, and optimal use of compute resources. Serverless functions interacting through events, leveraging cloud capabilities for persistent storage and automated operations take organization to the next level in IT. This session demonstrates polyglot Functions interacting with native cloud services for events and persistence (Object Storage and NoSQL Database) and leveraging the Key and Secrets Vault, Monitoring and Notifications services for operational control. A lightweight API Gateway is used to expose APIs to external consumers. Infrastructure as Code is the guiding principle in deploying both cloud resources and application components, through OCI CLI and Terraform. This session leverages many cloud native (enabling) services in Oracle Cloud Infrastructure. The session will introduce concepts, then spend most of the time on live demonstrations. All sources are shared with the audience, to allow participants to create the same application in their own cloud tenancy. What is so great about Cloud Native Applications? How do you create one? I will explain the first and demonstrate the second. On Oracle Cloud Infrastructure, using services that anyone can use for free, I will live create a cloud native application that streams, persists, notifies, scales, monitors

Cloud Native Application Development-build fast, low TCO, scalable & agile so...

Lucas Jellema

SKILup Days Container Orchestration - Kubernetes Operators for Databases

Juarez Junior

DevNexus 2015 Docker: containerizing a monolithic app into a microservice-based PaaS Convert a monolithic application into a microservice-based PaaS using Docker and related, containerization technologies. This will be the third presentation of a series of presentations that began greater than one year ago to evangelize the benefits of Docker. The scope of content spans from a development environment to a hybrid PaaS, and how Containerization is an enabler of architectural choice, innovation, scalability, and polyglot solutions. The basics of Docker will be examined including repositories, brief discussion about managing and monitoring Docker containers, service discovery, and security. New and emerging technologies will be a constant theme, particularly about microservices, in addition to the ongoing evolution of the market and what the future may bring. Common organizational issues (and tactical solutions) that may impede successful decomposition and migration of legacy monoliths will be discussed, including security, DevOps and refactoring. Hypothetical architectures will be described for building progressively more robust and complex applications and deployment models. The goal is to highlight the power, flexibility and scalability that containers enable. Examples will start simple, from a local development environment, that is a simple two container setup that encapsulate a database and application tier. Subsequent discussion will involve progressively more complex and robust deployments that include features such as service discovery, automatic load balancing, and abstractions to simplify linking of containers including service gateways. With the stopping point of a hybrid PaaS.

2015 03-11_todd-fritz_devnexus_2015

Todd Fritz

Secure Your Code Implement DevSecOps in Azure

kloia

SUGCON EU 2023 - Secure Composable SaaS.pptx

Vasiliy Fomichev

Introduction to Microservices Architecture, Docker, Kubernetes, Istio, Testing Strategies for Microservices based Apps. Security Best Practices. Kanban, DevOps, and SRE. Infrastructure Design Patterns - API Gateway - Service Discovery - Load Balancer - Circuit Breaker - Let-it-Crash Pattern Software Design Patterns - Hexagonal Architecture - Domain Driven Design - Event Sourcing and CQRS - Functional Reactive Programming

Microservices Docker Kubernetes Istio Kanban DevOps SRE

Araf Karsh Hamid

Develop and deploy Kubernetes applications with Docker - IBM Index 2018

Patrick Chanezon

Red Hat and kubernetes: awesome stuff coming your way

Johannes Brännström

In 2015, Google open sourced the core of their internal container clustering system under the name Kubernetes. Teams that previously relied upon IaaS and PaaS to run their applications quickly adopted Kubernetes instead. Today, only a few years later, Kubernetes is key to many companies and runs applications with literally billions of users. Kubernetes has become the de facto standard for deploying and running cloud native applications. We’ll give an overview of what Kubernetes is today and share our experiences from using Kubernetes in an ecormmerce and an IoT application. The future of Kubernetes could not look better. The Kubernetes ecosystem is growing, allowing to provision professionally managed databases directly within the cluster, running functions in a serverless-fashion, and even allowing us to host the code, the build pipeline and the application itself on Kubernetes. In the future, there might be only one Kubernetes to rule them all.

One Kubernetes to rule them all (ZEUS 2019 Keynote)

Simon Harrer

✭✭ NOTE: a revised version of this lab is available at https://www.slideshare.net/williamyeh/rd-kubernetes-gdg-cloud-kh-201908-version ✭✭ 90-Minute Workshop held at Taiwan Cloud Edge Summit 2019 (台灣雲端大會). * 課程簡介 Kubernetes 是目前雲端環境的顯學。可是，傳統的程式，並不是原封不動搬上去，就能夠自動享受 Kubernetes 所宣稱的種種好處。新的環境，不僅需要新的 Ops 思維，也需要新的 Dev 思維。我們將以一個半小時的時間，從軟體研發者的角度，探討軟體的設計該做哪些最起碼的改變，從實作中體驗 Kubernetes 引進的新觀念及新效益。 * 課程目標從實例中體驗，傳統 web 應用程式在搬上 Kubernetes 時，可能會經歷哪些架構面的調整，才能享受新架構的效益： - 容器化 - 微服務 - 組態管理 - 多重環境管理：本機端與雲端（以 GKE 為例）

給 RD 的 Kubernetes 初體驗

William Yeh

Similar to The Hacker's Guide to Kubernetes: Reloaded (20)

20191201 kubernetes managed weblogic revival - part 2

oci-container-engine-oke-100.pdf

The Kubernetes WebLogic revival (part 2)

Container security within Cisco Container Platform

JCON_15FactorWorkshop.pptx

DeveloperWeekEnterprise2023 - Introduction to Kubernetes Operators for Databases

Attacking and Defending Kubernetes - Nithin Jois

Continuously Design your Continuous Deployment

Anil Info

Batten Down the Hatches: A Practical Guide to Securing Kubernetes - RMISC 2019

Cloud Native Application Development-build fast, low TCO, scalable & agile so...

SKILup Days Container Orchestration - Kubernetes Operators for Databases

2015 03-11_todd-fritz_devnexus_2015

Secure Your Code Implement DevSecOps in Azure

SUGCON EU 2023 - Secure Composable SaaS.pptx

Microservices Docker Kubernetes Istio Kanban DevOps SRE

Develop and deploy Kubernetes applications with Docker - IBM Index 2018

Red Hat and kubernetes: awesome stuff coming your way

One Kubernetes to rule them all (ZEUS 2019 Keynote)

給 RD 的 Kubernetes 初體驗

Recently uploaded

With more memory available, system performance of three Dell devices increased, which can translate to a better user experience Conclusion When your system has plenty of RAM to meet your needs, you can efficiently access the applications and data you need to finish projects and to-do lists without sacrificing time and focus. Our test results show that with more memory available, three Dell PCs delivered better performance and took less time to complete the Procyon Office Productivity benchmark. These advantages translate to users being able to complete workflows more quickly and multitask more easily. Whether you need the mobility of the Latitude 5440, the creative capabilities of the Precision 3470, or the high performance of the OptiPlex Tower Plus 7010, configuring your system with more RAM can help keep processes running smoothly, enabling you to do more without compromising performance.

Boost PC performance: How more available memory can improve productivity

Principled Technologies

Heather Hedden, Senior Consultant at Enterprise Knowledge, presented “The Role of Taxonomy and Ontology in Semantic Layers” at a webinar hosted by Progress Semaphore on April 16, 2024. Taxonomies at their core enable effective tagging and retrieval of content, and combined with ontologies they extend to the management and understanding of related data. There are even greater benefits of taxonomies and ontologies to enhance your enterprise information architecture when applying them to a semantic layer. A survey by DBP-Institute found that enterprises using a semantic layer see their business outcomes improve by four times, while reducing their data and analytics costs. Extending taxonomies to a semantic layer can be a game-changing solution, allowing you to connect information silos, alleviate knowledge gaps, and derive new insights. Hedden, who specializes in taxonomy design and implementation, presented how the value of taxonomies shouldn’t reside in silos but be integrated with ontologies into a semantic layer. Learn about: - The essence and purpose of taxonomies and ontologies in information and knowledge management; - Advantages of semantic layers leveraging organizational taxonomies; and - Components and approaches to creating a semantic layer, including the integration of taxonomies and ontologies

The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf

Enterprise Knowledge

2024: Domino Containers - The Next Step. News from the Domino Container commu...

Martijn de Jong

Building Digital Trust in a Digital Economy Veronica Tan, Director - Cyber Security Agency of Singapore Apidays Singapore 2024: Connecting Customers, Business and Technology (April 17 & 18, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...

apidays

Handwritten Text Recognition for manuscripts and early printed texts

Maria Levchenko

In this session, we will delve into strategic approaches for optimizing knowledge management within Microsoft 365, amidst the evolving landscape of Copilot. From leveraging automatic metadata classification and permission governance with SharePoint Premium, to unlocking Viva Engage for the cultivation of knowledge and communities, you will gain actionable insights to bolster your organization's knowledge-sharing initiatives. In this session, we will also explore how to facilitate solutions to enable your employees to find answers and expertise within Microsoft 365. You will leave equipped with practical techniques and a deeper understanding of how there is more to effective knowledge management than just enabling Copilot, but building actual solutions to prepare the knowledge that Copilot and your employees can use.

Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...

Drew Madelung

Evaluating the top large language models.pdf

ChristopherTHyatt

BooK Now Call us at +918448380779 to hire a gorgeous and seductive call girl for sex. Take a Delhi Escort Service. The help of our escort agency is mostly meant for men who want sexual Indian Escorts In Delhi NCR. It should be noted that any impersonator will get 100 attention from our Young Girls Escorts in Delhi. They will assume the position of reliable allies. VIP Call Girl With Original Photos Book Tonight +918448380779 Our Cheap Price 1 Hour not available 2 Hours 5000 Full Night 8000 TAG: Call Girls in Delhi, Noida, Gurgaon, Ghaziabad, Connaught Place, Greater Kailash Delhi, Lajpat Nagar Delhi, Mayur Vihar Delhi, Chanakyapuri Delhi, New Friends Colony Delhi, Majnu Ka Tilla, Karol Bagh, Malviya Nagar, Saket, Khan Market, Noida Sector 18, Noida Sector 76, Noida Sector 51, Gurgaon Mg Road, Iffco Chowk Gurgaon, Rajiv Chowk Gurgaon All Delhi Ncr Free Home Deliver

08448380779 Call Girls In Friends Colony Women Seeking Men

Delhi Call girls

GenAI Risks & Security Meetup 01052024.pdf

lior mazor

Automating Google Workspace (GWS) & more with Apps Script

wesley chun

ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke

Product Anonymous

CNv6 Instructor Chapter 6 Quality of Service

giselly40

The Raspberry Pi 5 was announced on October 2023. This new version of the popular embedded device comes with a new iteration of Broadcom’s VideoCore GPU platform, and was released with a fully open source driver stack, developed by Igalia. The presentation will discuss some of the major changes required to support this new Video Core iteration, the challenges we faced in the process and the solutions we provided in order to deliver conformant OpenGL ES and Vulkan drivers. The talk will also cover the next steps for the open source Raspberry Pi 5 graphics stack. (c) Embedded Open Source Summit 2024 April 16-18, 2024 Seattle, Washington (US) https://events.linuxfoundation.org/embedded-open-source-summit/ https://eoss24.sched.com/event/1aBEx

Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...

Igalia

Abhishek Deb(1), Mr Abdul Kalam(2) M. Des (UX) , School of Design, DIT University , Dehradun. This paper explores the future potential of AI-enabled smartphone processors, aiming to investigate the advancements, capabilities, and implications of integrating artificial intelligence (AI) into smartphone technology. The research study goals consist of evaluating the development of AI in mobile phone processors, analyzing the existing state as well as abilities of AI-enabled cpus determining future patterns as well as chances together with reviewing obstacles as well as factors to consider for more growth.

Exploring the Future Potential of AI-Enabled Smartphone Processors

debabhi2

Tech Trends Report 2024 Future Today Institute.pdf

hans926745

Scaling API-first – The story of a global engineering organization

Radu Cotescu

The 7 Things I Know About Cyber Security After 25 Years | April 2024

Rafal Los

The presentation explores the development and application of artificial intelligence (AI) from its inception to its current status in the modern world. The term "artificial intelligence" was first coined by John McCarthy in 1956 to describe efforts to develop computer programs capable of performing tasks that typically require human intelligence. This concept was first introduced at a conference held at Dartmouth College, where programs demonstrated capabilities such as playing chess, proving theorems, and interpreting texts. In the early stages, Alan Turing contributed to the field by defining intelligence as the ability of a being to respond to certain questions intelligently, proposing what is now known as the Turing Test to evaluate the presence of intelligent behavior in machines. As the decades progressed, AI evolved significantly. The 1980s focused on machine learning, teaching computers to learn from data, leading to the development of models that could improve their performance based on their experiences. The 1990s and 2000s saw further advances in algorithms and computational power, which allowed for more sophisticated data analysis techniques, including data mining. By the 2010s, the proliferation of big data and the refinement of deep learning techniques enabled AI to become mainstream. Notable milestones included the success of Google's AlphaGo and advancements in autonomous vehicles by companies like Tesla and Waymo. A major theme of the presentation is the application of generative AI, which has been used for tasks such as natural language text generation, translation, and question answering. Generative AI uses large datasets to train models that can then produce new, coherent pieces of text or other media. The presentation also discusses the ethical implications and the need for regulation in AI, highlighting issues such as privacy, bias, and the potential for misuse. These concerns have prompted calls for comprehensive regulations to ensure the safe and equitable use of AI technologies. Artificial intelligence has also played a significant role in healthcare, particularly highlighted during the COVID-19 pandemic, where it was used in drug discovery, vaccine development, and analyzing the spread of the virus. The capabilities of AI in healthcare are vast, ranging from medical diagnostics to personalized medicine, demonstrating the technology's potential to revolutionize fields beyond just technical or consumer applications. In conclusion, AI continues to be a rapidly evolving field with significant implications for various aspects of society. The development from theoretical concepts to real-world applications illustrates both the potential benefits and the challenges that come with integrating advanced technologies into everyday life. The ongoing discussion about AI ethics and regulation underscores the importance of managing these technologies responsibly to maximize their their benefits while minimizing potential harms.

Artificial Intelligence: Facts and Myths

Joaquim Jorge

Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...

Neo4j

08448380779 Call Girls In Civil Lines Women Seeking Men

Delhi Call girls

Recently uploaded (20)

Boost PC performance: How more available memory can improve productivity

The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf

2024: Domino Containers - The Next Step. News from the Domino Container commu...

Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...

Handwritten Text Recognition for manuscripts and early printed texts

Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...

Evaluating the top large language models.pdf

08448380779 Call Girls In Friends Colony Women Seeking Men

GenAI Risks & Security Meetup 01052024.pdf

Automating Google Workspace (GWS) & more with Apps Script

ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke

CNv6 Instructor Chapter 6 Quality of Service

Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...

Exploring the Future Potential of AI-Enabled Smartphone Processors

Tech Trends Report 2024 Future Today Institute.pdf

Scaling API-first – The story of a global engineering organization

The 7 Things I Know About Cyber Security After 25 Years | April 2024

Artificial Intelligence: Facts and Myths

Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...

08448380779 Call Girls In Civil Lines Women Seeking Men

The Hacker's Guide to Kubernetes: Reloaded

1. Patrycja Wegrzynowicz The Hacker’s Guide to Kubernetes: Reloaded Lead Engineer, Form3 @yonlabs

2. Hello! ! • 20+ professional experience software engineer, architect, researcher, head of R&D • Author and speaker JavaOne, CodeOne, Devoxx, JFokus, JavaZone, and more • Top 10 Women in Tech in Poland • Oracle Groundbreaker Ambassador, Oracle ACE • Form3, Financial Cloud Lead SRE Engineer • Founder at Yon Labs Automated tools for detection and refactoring of software defects. Performance, security, concurrency. Intro to Patrycja

3. Form3, Financial Cloud Business Model • Provides a payment platform for financial institution • Integrates across multiple payment schemes • Makes integration easier and quicker Work Model • Fully remote • Pair programming • Only senior engineers Technology • Multi-cloud platform: AWS, GCP, Azure • Microservices: (mostly) Go and (little) Java • Infrastructure as Code: Terraform Why is Security Important?

4. Introduction to Kubernetes Architecture Introduction to OWASP Kubernetes Top 10 & MITRE ATT&K ® Threat Matrix for Kubernetes Demos Summary 01 02 03 04 Agenda

5. Introduction to Kubernetes Architecture

6. Kubernetes Components Kubernetes Architecture Source: https://medium.com, Kubernetes - Architecture Overview by Ashish Patel

7. Kubernetes Components Kubernetes Architecture Source: https://medium.com, Kubernetes - Architecture Overview by Ashish Patel CNI

8. Introduction to OWASP Kubernetes Top 10

9. OWASP Kubernetes Top 10 2022 K01 Insecure Workload Configuration K02 Supply Chain Vulnerabilities K03 Overly Permissive RBAC Configurations K04 Lack of Centralized Policy Enforcement K05 Inadequate Logging and Monitoring K06 Broken Authentication Mechanisms K07 Missing Network Segmentation Controls K08 Secrets Management Failures K09 Misconfigured Cluster Components K10 Outdated and Vulnerable Kubernetes Components

10. MITRE ATT&K ® – Threat Matrix for Kubernetes Source: https://www.microsoft.com/en-us/security/blog/2021/03/23/secure- containerized-environments-with-updated-threat-matrix-for-kubernetes/

11. Demos – 101 Kubernetes hacking

12. Demo Fun Time – Overview • Demo application https://codemotion.yonlabs.com (or checkout X-Twitter: https://twitter.com/yonlabs) register a new account each account has a secret data log in wait to be hacked :D • Objective to hack your accounts and learn your secrets hacking 101 Let the fun begin!

13. Bad Pods: Kubernetes Pod Privilege Escalation • https://bishopfox.com/blog/kubernetes-pod- privilege-escalation • By: Seth Art, Principal Security Consultant Demos

14. Demo #1

15. Problems • K01 Insecure Workload Configuration root privileged hostPID hostPath hostNetwork hostIPC • K04 Lack of Centralized Policy Enforcement able to create insecure workload • K08 Secrets Management Failure demo-secret not encrypted Demo #1

16. Demo #2

17. Problems • K01 Insecure Workload Configuration root privileged hostPID • K04 Lack of Centralized Policy Enforcement able to create insecure workload • Networking unencrypted traffic Demo #2

18. Summary

19. Kubernetes Security

20. Bad Pods: Kubernetes Pod Privilege Escalation • Bad Pod #1: Everything allowed • Bad Pod #2: Privileged and hostPid • Bad Pod #3: Privileged only • Bad Pod #4: hostPath only • Bad Pod #5: hostPID only • Bad Pod #6: hostNetwork only • Bad Pod #7: hostIPC only • Bad Pod #8: Nothing allowed Source: https://bishopfox.com/blog/kubernetes-pod-privilege-escalation

21. Swiss Cheese Security Model

22. A fool with a tool is only a fool

23. Continuous Learning

24. Thank you! @yonlabs

The Hacker's Guide to Kubernetes: Reloaded

Recommended

Recommended

More Related Content

Similar to The Hacker's Guide to Kubernetes: Reloaded

Similar to The Hacker's Guide to Kubernetes: Reloaded (20)

More from Patrycja Wegrzynowicz

More from Patrycja Wegrzynowicz (11)

Recently uploaded

Recently uploaded (20)

The Hacker's Guide to Kubernetes: Reloaded