Kubernetes Security: Attacking and Defending K8s Clusters

2021-09-24

Authors: Magno Logan

Summary

The presentation discusses different attack scenarios against Kubernetes clusters and provides best practices for securing them.

  • Overview of Kubernetes architecture and components
  • Using the K8s Threat Matrix and MITRE ATT&CK for Containers to demonstrate the attack phases
  • Best practices for securing Kubernetes clusters
  • Anecdote about a vulnerable Drupal web application used to model the attacks

The presenter used a vulnerable Drupal web application from three years ago to demonstrate how attackers can compromise a Kubernetes cluster through a remote command execution vulnerability. From the compromised pod, the attacker can move laterally and compromise worker nodes or the surrounding cloud environment. This highlights the importance of patching vulnerable applications and controlling access to the Kubernetes API server.

Abstract

This presentation aims to talk about different attack scenarios leveraging Kubernetes clusters. We'll dig deeper into a real-world attack scenario using real-world applications to demonstrate the different ways attackers and malicious users can exploit your cluster and the applications running on it. But first, we'll give an overview of Kubernetes and its architecture, covering the main components of the Control Plane and the Worker Nodes. Then, we'll use the K8s Threat Matrix and the MITRE ATT&CK for Containers published this year to discuss the Tactics, Techniques and Procedures and to demonstrate the Recon, Exploitation and Post-Exploitation phases. After that, we'll provide some best practices for securing your cluster based on these scenarios and on the CIS Benchmarks for Kubernetes. We'll show how to use Role-based access control (RBAC) for access control, how to enable audit logs for security monitoring and troubleshooting, and we'll set up some network policies to restrict communication between pods and prevent lateral movement by attackers.

Materials: