2018-039-Ian Coldwater, kubernetes, container security
Published November 12, 2018
50 min
    Add to queue
    Copy URL
    Show notes

    Ian Coldwater-

    @IanColdwater  https://www.redteamsecure.com/ *new gig*


    So many different moving parts




    She’s working on speaking schedule for 2019

    How would I use these at home?



    Kubernetes - up and running



    General wikipedia article (with architecture diagram): https://en.wikipedia.org/wiki/Kubernetes


    https://twitter.com/alicegoldfuss - Alice Goldfuss


    Derbycon Talk: http://www.irongeek.com/i.php?page=videos/derbycon8/track-3-10-perfect-storm-taking-the-helm-of-kubernetes-ian-coldwater


    Tesla mis-configured Kubes env:


    From the talk: https://arstechnica.com/information-technology/2018/02/tesla-cloud-resources-are-hacked-to-run-cryptocurrency-mining-malware/


    Redlock report mentioned in Ars article:  https://redlock.io/blog/cryptojacking-tesla


    Setup your own K8s environment: https://kubernetes.io/docs/setup/pick-right-solution/#local-machine-solutions (many options to choose from)


    Securing K8s implementations: https://kubernetes.io/docs/tasks/administer-cluster/securing-a-cluster/


    https://github.com/aquasecurity/kube-hunter -


    Threat Model
        What R U protecting?

        Who R U protecting from?

        What R your Adversary’s capabilities?

        What R your capabilities?


    Defenders think in Lists

    Attackers think in Graphs


    What are some of the visible ports used in K8S?

        44134/tcp - Helmtiller, weave, calico

        10250/tcp - kubelet (kublet exploit)

            No authN, completely open

        10255/tcp - kublet port (read-only)

        4194/tcp - cAdvisor

        2379/tcp - etcd

            Etcd holds all the configs

            Config storage


    Engineering workflow:

        Ephemeral -  


    CVE for K8S subpath - https://kubernetes.io/blog/2018/04/04/fixing-subpath-volume-vulnerability/


    Final points:

        Advice securing K8S is standard security advice

        Use Defense in Depth, and least Privilege

        Be aware of your attack surface

        Keep your threat model in mind


    David Cybuck (questions from Slack channel)


    My questions are: 1. Talk telemetry?  What is the best first step for having my containers or kubernetes report information?  (my overlords want metrics dashboards which lead to useful metrics).


    1. How do you threat model your containers?  Has she ever or how would she begin to run a table-top exercise, a cross between a threat model and a disaster recovery walk through, for the container infrastructure?


    1. Mitre Att&ck framework, there is a spin off for mobile.  Do we need one for Kube, swarm, or DC/OS?


    heck out our Store on Teepub! https://brakesec.com/store

    Join us on our #Slack Channel! Send a request to @brakesec on Twitter or email bds.podcast@gmail.com

    #Brakesec Store!:https://www.teepublic.com/user/bdspodcast



    #Youtube Channel:  http://www.youtube.com/c/BDSPodcast

    #iTunes Store Link: https://brakesec.com/BDSiTunes

    #Google Play Store: https://brakesec.com/BDS-GooglePlay

    Our main site:  https://brakesec.com/bdswebsite

    #iHeartRadio App:  https://brakesec.com/iHeartBrakesec


    Comments, Questions, Feedback: bds.podcast@gmail.com

    Support Brakeing Down Security Podcast by using our #Paypalhttps://brakesec.com/PaypalBDS OR our #Patreon


    #Twitter@brakesec @boettcherpwned @bryanbrake @infosystir

    #Player.FM : https://brakesec.com/BDS-PlayerFM

    #Stitcher Network: https://brakesec.com/BrakeSecStitcher

    #TuneIn Radio App: https://brakesec.com/TuneInBrakesec

        0:00:00 / 0:00:00