logo

Kubernetes Exposed! Seven of Nine Hidden Secrets That Will Give You Pause

2021-10-13

Authors:   Brad Geesaman, Ian Coldwater


Summary

The presentation discusses the potential security vulnerabilities in Kubernetes and how to secure it.
  • External IP services can be powerful and cause problems, so admission control policies should be used to block or restrict them
  • DNS can be used as a command and control channel for attackers, so even with strict network policies, it is important to monitor DNS traffic
  • Validating web hooks can also be vulnerable to attacks
  • To secure Kubernetes, it is important to understand how it works and not just assume its behavior
  • Resources and links are provided for further reading and viewing
The presenters demonstrate how a pod can be deployed in a cluster to simulate an exfiltration system, and how DNS can be used as a command and control channel for attackers. They also mention the potential vulnerabilities of validating web hooks. The presentation emphasizes the importance of understanding how Kubernetes works in order to secure it.

Abstract

Think you know Kubernetes? Think again. Kubernetes is full of uncommon knowledge and doesn’t always behave the way we assume, containing unexpected gotchas and surprising behaviors that’ll make you say, “how come nobody told me this earlier?” In this talk, Ian Coldwater and Brad Geesaman will shine a light on hidden secrets in Kubernetes, demonstrating scary science such as pods in non-existent namespaces, bypassing network policies via DNS, fun with capable sidecar containers, and one weird trick attackers don’t want you to know. Defenders hate it! Don’t build your next threat model before watching this! Attendees will learn how not to get caught off guard by learning what to watch out for and how to better secure their systems. You won’t believe what happens next.

Materials:

Post a comment

Related work