Prevent Embarrassing Cluster Takeovers with This One Simple Trick!

2023-04-21

Authors:   Shane Lawrence, Daniele Santos


Summary

The presentation discusses the importance of identifying and preventing common misconfigurations in Kubernetes workloads to avoid cyber attacks and data breaches. The speakers demonstrate how to use Kubeaudit, an open source scanner, to detect and mitigate configuration risks without adding undue friction for developers.
  • Misconfigured settings, insecure defaults, and overly permissive controls are common causes of cyber attacks and data breaches
  • Kubeaudit is an open source scanner that provides a user-friendly way to detect and automatically mitigate configuration risks
  • Challenges of securing 1,000,000 running pods along with configuration files in a GitHub org with 15,000 repos are discussed
  • Attendees learn how to detect and resolve configuration issues without needing expert knowledge while keeping developers happy

The speakers discuss a vulnerability called Azurescape, which allowed a user of a public cloud service to break out of their environment and execute code in an environment belonging to other users in the same public cloud service. This vulnerability was caused by a misconfiguration in the container runtime, which had not been patched for two years. The speakers suggest that leveraging security contexts in the Kubernetes configuration and setting `runAsUser` to something other than UID 0 (root) could have prevented this vulnerability.
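
The `runAsUser` check described above can be sketched as follows. This is an added example, not Kubeaudit's code and not material from the talk; it assumes a Pod manifest in JSON form (as `kubectl get pod -o json` prints it), and the function name and sample manifest are made up for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
)
// secCtx holds the two securityContext fields this check reads.
type secCtx struct {
	RunAsUser    *int64 `json:"runAsUser"`
	RunAsNonRoot *bool  `json:"runAsNonRoot"`
}
type pod struct {
	Spec struct {
		SecurityContext secCtx `json:"securityContext"`
		Containers      []struct {
			Name            string `json:"name"`
			SecurityContext secCtx `json:"securityContext"`
		} `json:"containers"`
	} `json:"spec"`
}
// auditRunAsUser lists containers in a Pod manifest (JSON) that may run as UID 0.
func auditRunAsUser(manifest []byte) ([]string, error) {
	var p pod
	if err := json.Unmarshal(manifest, &p); err != nil {
		return nil, err
	}
	var findings []string
	for _, c := range p.Spec.Containers {
		eff := p.Spec.SecurityContext // pod-level values are the default
		if c.SecurityContext.RunAsUser != nil { // container-level values override them
			eff.RunAsUser = c.SecurityContext.RunAsUser
		}
		if c.SecurityContext.RunAsNonRoot != nil {
			eff.RunAsNonRoot = c.SecurityContext.RunAsNonRoot
		}
		switch {
		case eff.RunAsUser != nil && *eff.RunAsUser == 0:
			findings = append(findings, c.Name+": runAsUser is 0 (root)")
		case eff.RunAsUser == nil && (eff.RunAsNonRoot == nil || !*eff.RunAsNonRoot):
			findings = append(findings, c.Name+": UID left to image default, runAsNonRoot not set")
		}
	}
	return findings, nil
}
// samplePod is a constructed manifest: "app" inherits UID 10001, "sidecar" overrides it with 0.
const samplePod = `{"spec":{"securityContext":{"runAsUser":10001,"runAsNonRoot":true},
 "containers":[{"name":"app"},{"name":"sidecar","securityContext":{"runAsUser":0}}]}}`

func main() {
	fmt.Println(auditRunAsUser([]byte(samplePod)))
}
```

A pod-level `runAsUser` alone is not enough, because any container can override it; that is why the check resolves the effective value per container.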

Abstract

Most cyber attacks and data breaches are caused by misconfigured settings, insecure defaults, and overly permissive controls. To avoid business impact, financial penalties, and embarrassment, we need to identify common mistakes and implement measures to prevent them without adding undue friction for developers. In this talk, Dani and Shane will demonstrate simple ways that malicious actors can exploit common misconfigurations in workloads to gain unauthorized access without relying on sophisticated attacks or 0-day vulnerabilities. They'll show how to avoid these risks using Kubeaudit, an open source scanner developed by their team at Shopify that provides a user-friendly way to detect and automatically mitigate configuration risks. They'll also discuss some of the challenges they've faced securing 1,000,000 running pods along with configuration files in a GitHub org with 15,000 repos. Attendees will learn a number of mistakes that could put their clusters at risk. They'll see how to detect and resolve these issues, without needing expert knowledge, while keeping developers happy.
