Attacking and Defending Kubernetes, with Ian Coldwater

Kubernetes Podcast from Google

Date: Tue, 06 Aug 2019 14:46:12 +0000

<p><a href="https://twitter.com/iancoldwater">Ian Coldwater</a> specializes in breaking and hardening Kubernetes, containers, and cloud native infrastructure. A pre-eminent voice in the Kubernetes security community, they are currently a Lead Platform Security Engineer at Heroku. Ian joins <a href="https://kubernetespodcast.com/about">Adam and Craig</a> to talk about the offensive and defensive arts.</p>
<p>Do you have something cool to share? Some questions? Let us know:</p>
<ul>
  <li>web: <a href="https://kubernetespodcast.com">kubernetespodcast.com</a></li>
  <li>mail: <a href="mailto:kubernetespodcast@google.com">kubernetespodcast@google.com</a></li>
  <li>twitter: <a href="https://twitter.com/kubernetespod">@kubernetespod</a></li>
</ul>
<h3 id="chatter-of-the-week">Chatter of the week</h3>
<ul>
  <li><a href="https://www.blackhat.com/us-19/">Black Hat USA</a></li>
  <li><a href="https://www.defcon.org/">DEFCON</a>
    <ul>
      <li><a href="http://defconscavhunt.com/">Scavenger hunts</a></li>
      <li><a href="https://www.vice.com/en_us/article/ypw4wb/when-the-fbi-found-out-about-def-cons-spot-the-fed-contest">An example of Spot the Fed</a></li>
      <li><a href="https://www.wired.com/2009/08/defcon-17-mystery-challenge/">An example of the Mystery Challenge</a></li>
    </ul>
  </li>
</ul>
<h3 id="news-of-the-week">News of the week</h3>
<ul>
  <li><a href="https://techcrunch.com/2019/08/05/mesosphere-changes-name-to-d2iq-shifts-focus-to-kubernetes-cloud-native/">Mesosphere becomes D2iQ</a></li>
  <li><a href="https://cloud.google.com/blog/topics/hybrid-cloud/bringing-hybrid-and-multi-cloud-to-our-apac-customers-with-anthos">Google Cloud launches Migrate for Anthos in Beta</a></li>
  <li><a href="https://cloud.google.com/game-servers/">Google Cloud Game Servers coming soon</a>
    <ul>
      <li><a href="https://kubernetespodcast.com/episode/026-agones/">Episode 26: Agones, with Mark Mandel and Cyril Tovena</a></li>
    </ul>
  </li>
  <li><a href="https://www.cncf.io/blog/2019/07/31/announcing-kubernetes-summits-seoul-and-sydney-expanding-cloud-native-engagement-across-the-globe/">Announcing Kubernetes Summits in Seoul and Sydney</a></li>
  <li><a href="https://groups.google.com/forum/#!topic/kubernetes-security-announce/vUtEcSEY6SM">Security updates of the week</a>
    <ul>
      <li><a href="https://github.com/kubernetes/kubernetes/issues/80983">CVE-2019-11247: API server allows access to custom resources via wrong scope</a></li>
      <li><a href="https://github.com/kubernetes/kubernetes/issues/80984">CVE-2019-11249: kubectl cp</a> (round 3!)</li>
    </ul>
  </li>
  <li>IBM and Red Hat:
    <ul>
      <li><a href="https://www.ibm.com/cloud/blog/red-hat-openshift-on-ibm-cloud">OpenShift on IBM Cloud</a></li>
      <li><a href="https://www.ibm.com/blogs/systems/announcing-our-direction-for-red-hat-openshift-for-ibm-z-and-linuxone/">OpenShift coming to Z Series and LinuxONE</a></li>
      <li><a href="https://www.ibm.com/blogs/services/2019/08/01/ibm-services-drives-digital-reinvention-enabled-by-hybrid-cloud-with-red-hat/">Cloud Paks and services</a></li>
    </ul>
  </li>
  <li><a href="https://blogs.cisco.com/news/cisco-microsoft">Cisco Container Platform now supports Microsoft AKS</a></li>
  <li><a href="https://kubedex.com/helm-deployments/">Helm deployments at the Kubedex</a></li>
  <li><a href="https://medium.com/@Alibaba_Cloud/how-can-kubernetes-be-used-for-genetic-analysis-26167584ea77">How Kubernetes can be used for genetic analysis</a> by Mu Huan and Eric Li, Alibaba Cloud</li>
  <li><a href="https://www.cloudbees.com/blog/announcing-cloudbees-jenkins-x-distribution">Announcing CloudBees Jenkins X Distribution</a>
    <ul>
      <li><a href="https://kubernetespodcast.com/episode/044-continuous-delivery-foundation/">Episode 44: Continuous Delivery Foundation, with Tracy Miranda</a></li>
    </ul>
  </li>
  <li><a href="https://pingcap.com/blog/database-cluster-deployment-and-management-made-easy-with-kubernetes/">TiDB Operator now Generally Available</a></li>
</ul>
<h3 id="links-from-the-interview">Links from the interview</h3>
<ul>
  <li><a href="https://en.wikipedia.org/wiki/Red_team">Red teams</a> and <a href="https://en.wikipedia.org/wiki/Penetration_test">penetration testing</a></li>
  <li><a href="https://en.wikipedia.org/wiki/Fuzzing">Fuzzing</a></li>
  <li><a href="https://blog.ropnop.com/attacking-default-installs-of-helm-on-kubernetes/">Attacking Helm’s Tiller</a></li>
  <li><a href="https://en.wikipedia.org/wiki/Black-box_testing#Hacking">Black-box</a> and <a href="https://en.wikipedia.org/wiki/White-box_testing#Hacking">white-box</a> testing</li>
  <li><a href="https://blog.sonatype.com/less-gates-more-guardrails-devsecops-lessons-learned-in-2017">DevSecOps: guard rails, not gates</a></li>
  <li><a href="https://www.owasp.org/index.php/Main_Page">OWASP</a> - the Open Web Application Security Project</li>
  <li><a href="https://www.isaca.org/Journal/archives/2014/Volume-4/Pages/JOnline-An-Enhanced-Risk-Formula-for-Software-Security-Vulnerabilities.aspx">The math behind calculating security risk</a></li>
  <li><a href="https://en.wikipedia.org/wiki/Common_Vulnerability_Scoring_System">CVSS score</a></li>
  <li><a href="https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/">etcd: encrypt it at rest!</a></li>
  <li><a href="https://kubernetes.io/blog/2019/03/21/a-guide-to-kubernetes-admission-controllers/">Admission control</a></li>
  <li>Technologies for isolation:
    <ul>
      <li><a href="https://kubernetes.io/docs/tutorials/clusters/apparmor/">AppArmor</a></li>
      <li><a href="https://kubernetes.io/docs/tasks/configure-pod-container/security-context/">Seccomp</a></li>
      <li><a href="https://gvisor.dev/">gVisor</a></li>
      <li><a href="https://firecracker-microvm.github.io/">Firecracker</a> (not yet supported with Kubernetes)</li>
    </ul>
  </li>
  <li>“Kubernetes is powerful, and it’s insecure by design”
    <ul>
      <li><a href="https://www.blackhat.com/us-19/briefings/schedule/#the-path-less-traveled-abusing-kubernetes-defaults-17049">Ian and Duffie Cooley’s Black Hat talk</a></li>
      <li><a href="https://twitter.com/iancoldwater/status/1156567668838871040">Cloud doesn’t make it better!</a></li>
    </ul>
  </li>
  <li><a href="https://en.wikipedia.org/wiki/Threat_model">Threat modelling</a></li>
  <li><a href="https://kubernetes.io/docs/concepts/storage/volumes/#hostpath">hostPath</a> - “a powerful escape hatch”
    <ul>
      <li><a href="https://blog.trailofbits.com/2019/07/19/understanding-docker-container-escapes/">Trail of Bits blog</a>: understanding Docker container escapes</li>
    </ul>
  </li>
  <li>Recommended watching:
    <ul>
      <li><a href="https://www.youtube.com/watch?v=KR0o9WnAJMY">Ship of Fools</a> by Ian Coldwater (<a href="https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1541608899.pdf">slides</a>)</li>
      <li><a href="https://www.youtube.com/watch?v=vTgQLzeBfRU">Hacking and Hardening Kubernetes by Example</a> by Brad Geesaman (<a href="https://github.com/sbueringer/kubecon-slides/blob/master/slides/2017-kubecon-na/Hacking%20and%20Hardening%20Kubernetes%20Clusters%20by%20Example%20%5BI%5D%20-%20Brad%20Geesaman%2C%20Symantec%20-%20Hacking%20and%20Hardening%20Kubernetes%20By%20Example%20v2.pdf">slides</a>)</li>
      <li><a href="https://www.youtube.com/watch?v=dxKpCO2dAy8">A Hacker’s Guide to Kubernetes and the Cloud</a> by Rory McCune (and his <a href="https://www.blackhat.com/us-19/training/schedule/index.html#mastering-container-security-14020">upcoming Black Hat training</a>)</li>
      <li><a href="https://www.youtube.com/watch?v=fVqCAUJiIn0">DIY Pen Testing for your Kubernetes Cluster</a> by Liz Rice (<a href="https://kubernetespodcast.com/episode/019-kube-hunter-and-kubecon/">our guest on episode 19</a>)</li>
    </ul>
  </li>
  <li><a href="https://twitter.com/iancoldwater">Ian Coldwater on Twitter</a></li>
</ul>