Syllabus
Intro
MENTAL HEALTH
COMMUNITY
CLIMATE CHANGE
NOT A SECURITY EXPERT
INSPIRATION HTTPS://YOUTU.BE/IWKIQK8KDK8
KUBERNETES DASHBOARD
POP QUIZ
FIRST REACTION
LET'S GET STARTED
LET'S OWN A WEBSITE
LET'S REVIEW
HAS ANYONE KNOWINGLY CREATED A VULNERABILITY?
OWASP
WHAT IS A VULNERABILITY?
EXAMPLE HEARTBLEED
JUMP INTO THE BOX
IMAGE SCANNING
STATIC TOKENS AND PASSWORDS
TIP: SCHEDULED BUILDS
FOCUS ON CI/CD
FAIL IF IT'S NOT SECURE
DON'T SSH TO PATCH
REDUCE THE ATTACK VECTOR
PRIVATE CONTAINER REGISTRIES
PULL LATEST
IMAGE TRUST AND SUPPLY CHAIN
CASE STUDY TYLENOL CYANIDE DEATHS
ESCAPE THE CONTAINER
RUNNING CONTAINERS ON KUBERNETES
WHAT COULD POSSIBLY GO WRONG?
EXFILTRATION OF SENSITIVE DATA
ELEVATE PRIVILEGES INSIDE KUBERNETES TO ACCESS ALL WORKLOADS
POTENTIALLY GAIN ROOT ACCESS TO THE KUBERNETES WORKER NODES
PERFORM LATERAL NETWORK MOVEMENT OUTSIDE THE CLUSTER
RUN A COMPROMISED POD
FEATURE DRIVEN
SECURITY FOLLOWS
BEST PRACTICE
REDUCE HOST MOUNTS
DON'T USE ROOT
USER COMMAND IN DOCKERFILE
RBAC
ROLE ASSIGNMENT
ROLE AUTHORISATION
PERMISSION AUTHORISATION
MASTER AND WORKERS
CONTROL PLANE
LAYERED SECURITY APPROACH
ADMISSION CONTROLLER
ALWAYSPULLIMAGES
DENYESCALATINGEXEC
PODSECURITYPOLICY
LIMITRANGE RESOURCEQUOTA
CAN WE SEE WHAT'S RUNNING?
NAMESPACE
NETWORKPOLICIES
PASSING SECRETS TO CONTAINERS
TOOLS
HAIL MARY
RUNTIMES
SERVICE MESHES
RELEASE OFTEN / FAST
CHAOS ENGINEERING
SECURITY UPDATES
Taught by
NDC Conferences