Trampoline Pods: Node to Admin PrivEsc Built Into Popular K8s Platforms


Authors: Yuval Avrahami, Shaul Ben Hai


The presentation discusses the need to address powerful permissions in Kubernetes clusters and provides ways to identify and mitigate them.
  • Multi-tenant scenarios do not by themselves make a container escape equivalent to cluster admin, but they do increase the likelihood of a container escape because malicious tenants may be present.
  • The least-privilege paradigm needs more attention; it is feasible to reach a point where most nodes in the cluster host no powerful privileges at all.
  • The presentation introduces rbac-police, an open-source tool that retrieves the permissions of pods, service accounts, and nodes in a Kubernetes cluster and evaluates them against policies written in Rego.
  • The presentation emphasizes the importance of researching and documenting Kubernetes security issues in order to address the vague areas of Kubernetes security.

The presentation provides an example of how rbac-police can be used to identify powerful pods in a cluster. The output shows that Cilium can modify pods, and the tool alerts on the specific service accounts and pods in the cluster that are actually powerful.


Security teams work to prevent the next container escape while attackers do the opposite. Inevitably, we sometimes lose this battle, but we can still win the fight! It's all about *containing* the next container escape - making sure a rogue node cannot take over the entire cluster. K8s has done a great job at de-privileging the node agent, the Kubelet, but nodes also host other credentials - their pods' service account tokens. Following an escape, the attacker can easily harvest and abuse the tokens of neighboring pods.

In this talk, Yuval and Shaul will introduce the concept of Trampoline Pods - pods so powerful that if their node goes rogue, it could launch devastating attacks against the cluster and in some cases completely take over it. Covering managed K8s services and common cluster add-ons, they'll reveal the trampoline pods installed by popular K8s platforms. They'll also demo exploits, discuss mitigations, and release rbac-police: a tool that detects trampoline pods and K8s privEscs.
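The abstract's core idea, that a node is only as dangerous as the service account tokens mounted into the pods it hosts, can be turned into a defender's audit. The following is an added example, not code from the talk or from rbac-police: it models a few RBAC objects and pods in memory (a constructed cluster, not one read from an API server), defines an assumed policy of which (resource, verb) pairs count as "powerful", and reports, per node, which pods would act as trampolines if that node were compromised. It also lists the nodes that host no such pod, which is the least-privilege end state the summary above describes. The policy, the role names and the pod placements are all assumptions made for illustration.

```python
"""Per-node audit of powerful service account tokens ("trampoline pods").

Added example, not rbac-police's own code. The cluster below is a constructed,
in-memory model; a real audit would read ClusterRoles, bindings and pods from
the API server. Simplifications: apiGroups are ignored, only ClusterRoleBindings
to service accounts are modelled (no namespaced RoleBindings, no aggregated roles).
"""
from dataclasses import dataclass, field


@dataclass
class Rule:
    resources: list          # e.g. ["pods"]; "*" matches any resource
    verbs: list              # e.g. ["get", "list"]; "*" matches any verb


@dataclass
class ClusterRole:
    name: str
    rules: list


@dataclass
class ClusterRoleBinding:
    role: str
    service_accounts: list   # (namespace, name) pairs bound to the role


@dataclass
class Pod:
    name: str
    namespace: str
    service_account: str
    node: str
    automount_token: bool = True   # automountServiceAccountToken


@dataclass
class Cluster:
    roles: dict              # name -> ClusterRole
    bindings: list
    pods: list


# Assumed policy: cluster-wide permissions that let whoever holds the token
# escalate well beyond the node it was stolen from. A real policy (rbac-police
# uses Rego for this) would be richer; these pairs are illustrative only.
POWERFUL = {
    ("pods", "create"),                 # run workloads under other service accounts
    ("pods", "patch"),                  # modify running workloads in any namespace
    ("secrets", "list"),                # read every secret, including other tokens
    ("clusterrolebindings", "create"),  # grant arbitrary privileges
}


def _matches(patterns, value):
    return "*" in patterns or value in patterns


def powerful_permissions(rules):
    """Return the subset of POWERFUL that the given rules grant."""
    found = set()
    for rule in rules:
        for resource, verb in POWERFUL:
            if _matches(rule.resources, resource) and _matches(rule.verbs, verb):
                found.add((resource, verb))
    return found


def service_account_permissions(cluster, namespace, name):
    """Powerful permissions reachable through every binding of one service account."""
    perms = set()
    for binding in cluster.bindings:
        if (namespace, name) in binding.service_accounts:
            perms |= powerful_permissions(cluster.roles[binding.role].rules)
    return perms


def find_trampoline_pods(cluster):
    """Map node name -> [(pod name, powerful permissions)] for tokens present on that node."""
    result = {}
    for pod in cluster.pods:
        if not pod.automount_token:
            continue   # token is not mounted into the pod, so it is not on the node
        perms = service_account_permissions(cluster, pod.namespace, pod.service_account)
        if perms:
            result.setdefault(pod.node, []).append((pod.name, perms))
    return result


def clean_nodes(cluster):
    """Nodes that host no trampoline pod: compromising them stays contained."""
    return {p.node for p in cluster.pods} - set(find_trampoline_pods(cluster))


# Constructed sample cluster (all names and placements are assumptions).
CLUSTER = Cluster(
    roles={
        "cilium": ClusterRole("cilium", [Rule(["pods"], ["get", "list", "patch"]),
                                         Rule(["nodes"], ["get", "list", "watch"])]),
        "view-only": ClusterRole("view-only", [Rule(["pods", "services"], ["get", "list", "watch"])]),
        "admin": ClusterRole("admin", [Rule(["*"], ["*"])]),
    },
    bindings=[
        ClusterRoleBinding("cilium", [("kube-system", "cilium")]),
        ClusterRoleBinding("view-only", [("monitoring", "prometheus")]),
        ClusterRoleBinding("admin", [("kube-system", "ops-controller")]),
    ],
    pods=[
        Pod("cilium-abc", "kube-system", "cilium", "node-1"),
        Pod("cilium-def", "kube-system", "cilium", "node-2"),
        Pod("ops-controller-0", "kube-system", "ops-controller", "node-3"),
        Pod("ops-job", "kube-system", "ops-controller", "node-1", automount_token=False),
        Pod("prometheus-0", "monitoring", "prometheus", "node-4"),
    ],
)

if __name__ == "__main__":
    for node, hits in sorted(find_trampoline_pods(CLUSTER).items()):
        for pod_name, perms in hits:
            print(f"{node}: {pod_name} holds {sorted(perms)}")
    print("nodes without trampoline pods:", sorted(clean_nodes(CLUSTER)))
```

Two details matter for mitigation. First, `ops-job` is bound to the same all-powerful service account as `ops-controller-0` but sets `automountServiceAccountToken: false`, so its node is not flagged: not mounting a token is the cheapest way to keep a powerful identity off a node. Second, a DaemonSet such as the CNI agent places an identical token on every node, which is why the model flags `node-1` and `node-2` alike; trimming the DaemonSet's ClusterRole is what shrinks the blast radius of any single escape.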