Hacking a Kubernetes Cluster: A Practical Example!
HTML-код
- Опубликовано: 5 июл 2024
- In this video, we are going to get an overview of the Kubernetes attack surface through a fun demo of hacking into a Kubernetes cluster.
🆓Join our Slack Community for FREE: kode.wiki/JoinOurSlackCommunity
Full Certified Kubernetes Application Developer (CKAD) Course: kode.wiki/CKAD_YT
There are multiple areas that were vulnerable to attack and that’s what we will go over in this lecture. To begin with the Cloud itself. The infrastructure that hosted the Kubernetes cluster was not properly secured and enabled access to ports on the cluster from anywhere. If network firewalls were in place, we could have prevented remote access from the attacker's system. This is the first C in Cloud-native security. It refers to the security of the entire infrastructure hosting the servers. This could be a private or a public cloud, a data center hosting physical machines, a co-located environment. We discuss more this in the last section of the course where we talk about how to detect all phases of attack regardless of where it occurs and how it spreads.
The next is Cluster security. The attacker was easily able to gain access through the docker daemon exposed publicly, as well as the Kubernetes dashboard that was exposed publicly without proper authentication or authorization mechanisms. This could have been prevented if security best practices were followed in securing the docker daemon, the Kubernetes API as well as any GUI we used to manage the cluster such as the Kubernetes Dashboard. We look into these in much more detail in the first section of the course where we talk about Cluster setup and hardening. We will see how to secure the docker daemon and the Kubernetes dashboard as well as other best practices to be followed such as using network policies and ingress.
Next comes the container. The hacker was able to run any container of her choice with no restrictions on what repository it is from or what tag it had. The attacker was able to run a container in privileged mode, which should have been prevented. The attacker was also able to install whatever application she wanted on it without any restriction. These could have been prevented if restrictions were put in place to only run images from a secure internal repository and if running containers in the privileged mode were disallowed. And through sandboxing, containers were isolated better. We discuss these in the Minimize Microservices Vulnerabilities section as well as the Supply chain security sections of the course.
And finally Code. Code refers to the application code itself. Hard coding applications with database credentials or passing critical information through environment variables, exposing applications with TLS are bad coding practices. This is mostly out of scope for this course, however, we do cover some areas such as securing critical information with secrets and vaults, enabling metals encryption to secure pod to pod communication, etc.
To learn more about Security in Cloud-native computing and Kubernetes, check out our course on certified Kubernetes security specialists. We go in-depth in each of these areas and understand common vulnerabilities and security concerns in an environment and how to protect our systems from an attack. The course is fully hands-on with lab activities that will help you validate and remember what you learned in the videos. This will also help you prepare and pass the Certified Kubernetes Security Specialist exam.
So join our community of students at cks.kodekloud.com
#HackingaKubernetesCluster #kodekloud
![Hacking and Hardening Kubernetes Clusters by Example [I] - Brad Geesaman, Symantec](http://i.ytimg.com/vi/vTgQLzeBfRU/mqdefault.jpg)
Full Certified Kubernetes Application Developer (CKAD) Course: kode.wiki/CKAD_YT
Not a realistic production scenario. Webservers/Load Balancers are usually on a different server and network than the Kubernetes cluster. The cluster itself has no direct internet connectivity and only ports exposed to the world are the HTTP(S) ports of the load balancers
you will be surprised to know that some companies actually have scenarios like this one...
if only
Great clip with crisp coverage on security
Glad you enjoyed it! Please subscribe to our channel and keep supporting😊
amazing explanation :) great use-case
Wonderful, great hands on presentation
Many thanks! Please subscribe and encourage us to create more such quality content.
can you please share the material you used for the demo? maybe a git repo?
Excellent and eye opener....👌👌👌
Glad you liked it! Thanks:)
Thank you a fantastic video and demonstration
Glad it was helpful!
From 2021 Kubernetes (v1.20+) removes the default dependency on docker in favour of containerd. This "attack" may work on a badly configured Kubernetes version prior to that and also on a poorly configured docker swarm cluster.
Awesome 👌
What is this tools for port scanning? And where I can get it ?
I subscribed within the first few seconds of hearing the quality stuff ,lol
I can understand ssh port being open by mistake.... but I can't wrap around why docker port is opened?
Someone know how can i put a logo in my zsh terminal, like that?
Great content
Thanks:)
great content
Welcome! Please subscribe to our channel and help us create more such videos. Thanks 😊
Having the docker port exposed is simply the most stupid thing I think someone can do on a cluster. Why they did this?
Because they are dog lovers. LoL
No one did it.. it's made up scenario that teaches theater security
@@kubectlgetpo watch again at 0:40 :-)
I find it even more fascinating how the http and https ports are not open.
@@CipherNL yeah crap scenario all around
Do people really run their docker hosts with no authentication and their kubernetes dashboards exposed to the internet?
No. :-D
Marvellous
Thanks👍
Please subscribe and encourage us to provide more such quality content.
That election story surely was scary!!!
Great video, Mumshad!
Always love your videos!
Glad you liked it! Please subscribe and encourage us to create more such quality content.
What!?? Never knew I wasn’t subscribed 😭
By the way, all my DevOps friends and wannabes are tired of me talking about kodekloud
Awesome 👍
Thanks for your love and support!
This is the epitome of one jumps into kubernetes too quickly without regards to any best practices (pain points: exposed docker port + conn string as env var) whatsoever...
And sadly, the majority of people still do this...
Yes, that's true.
Nice... :)
Very good demo for people who don't know about hacking
Awesome 👍😎
Thanks! Please subscribe to the channel and help us do more such creative educational videos.
@@KodeKloud already a subscriber sir, cheers!
How did you put an icon in ZSH?
You can use powerlevel10k for custom ZSH
where can we get the dirty-cow.sh
By default docker running only as Unix service
Nice
Thanks! Please subscribe to our channel and keep supporting😊
Hi Mumshad brother, is it possible to be a DevOps engineer for a non tech person? I am an an anthropologist, had career break for children now I got interested in cloud. I am a certified cloud practitioners and courntly I am doing cybersecurity program. I am interested about cloud security though I am new in this field. How long need to I have to work in cloud then I can try for the cloud security? I am a mother of two teenage kids and fourty plass cloud savvy.
Certainly, transitioning into a DevOps or cloud security role is achievable, even without a traditional tech background. With your Cloud Practitioner certification, explore advanced cloud certifications and gain hands-on experience. Learn automation tools and DevOps practices. Leverage your unique background in anthropology for soft skills. Focus on cloud security by building on your existing cloud knowledge and pursuing security certifications.
100% !
Thank you so much : ) We are glad to be a part of your learning journey
cue fargo theme
😳
Thanks for watching our video. Cheers!
:D