What Vulnerabilities? Live Hacking of Containers and Orchestrators

NDC Conferences via YouTube

Overview

Explore container and orchestrator vulnerabilities through a live hacking demonstration in this 57-minute conference talk from NDC Conferences. Witness a red team member attempt to hack a cluster while a blue team member defends it, providing real-world insights into potential security risks. Learn about developing best practices, implementing security policies, and effective service monitoring to prevent attacks. Gain valuable knowledge on topics such as image scanning, static tokens and passwords, CI/CD security, private container registries, and potential attack vectors in Kubernetes environments. Discover practical strategies for reducing host mounts, implementing RBAC, using admission controllers, and leveraging network policies to enhance container and orchestrator security.

Syllabus

Intro
MENTAL HEALTH
COMMUNITY
CLIMATE CHANGE
NOT A SECURITY EXPERT
INSPIRATION HTTPS://YOUTU.BE/IWKIQK8KDK8
KUBERNETES DASHBOARD
POP QUIZ
FIRST REACTION
LETS GET STARTED
LETS OWN A WEBSITE
LETS REVIEW
HAS ANYONE KNOWINGLY CREATED A VULNERABILITY
OWASP
WHAT IS A VULNERABILITY?
EXAMPLE HEARTBLEED
JUMP INTO THE BOX
IMAGE SCANNING
STATIC TOKENS AND PASSWORDS
TIP: SCHEDULED BUILDS
FOCUS ON CI/CD
FAIL IF ITS NOT SECURE
DON'T SSH TO PATCH
REDUCE THE ATTACK VECTOR
PRIVATE CONTAINER REGISTRIES
PULL LATEST
IMAGE TRUST AND SUPPLY CHAIN
CASE STUDY TYLENOL CYANIDE DEATHS
ESCAPE THE CONTAINER
RUNNING CONTAINERS ON KUBERNETES
WHAT COULD POSSIBLY GO WRONG?
EXFILTRATION OF SENSITIVE DATA
ELEVATE PRIVILEGES INSIDE KUBERNETES TO ACCESS ALL WORKLOADS
POTENTIALLY GAIN ROOT ACCESS TO THE KUBERNETES WORKER NODES
PERFORM LATERAL NETWORK MOVEMENT OUTSIDE THE CLUSTER
RUN A COMPROMISED POD
FEATURE DRIVEN
SECURITY FOLLOWS
BEST PRACTICE
REDUCE HOST MOUNTS
DON'T USE ROOT
USER COMMAND IN DOCKERFILE
RBAC
ROLE ASSIGNMENT
ROLE AUTHORISATION
PERMISSION AUTHORISATION
MASTER AND WORKERS
CONTROL PLANE
LAYERED SECURITY APPROACH
ADMISSION CONTROLLER
ALWAYSPULLIMAGES
DENYESCALATINGEXEC
PODSECURITYPOLICY
LIMITRANGE RESOURCEQUOTA
CAN WE SEE WHATS RUNNING
NAMESPACE
NETWORKPOLICIES
PASSING SECRETS TO CONTAINERS
TOOLS
HAIL MARY
RUNTIMES
SERVICE MESHES
RELEASE OFTEN / FAST
CHAOS ENGINEERING
SECURITY UPDATES

Taught by

NDC Conferences
