2019-033-Part 2 of the Kubernetes security audit discussion (Jay Beale & Aaron Small) episode artwork

EPISODE · Sep 16, 2019 · 44 MIN

2019-033-Part 2 of the Kubernetes security audit discussion (Jay Beale & Aaron Small)

from BrakeSec Education Podcast

  Topics:Infosec Campout report   Jay Beale (co-lead for audit) *Bust-a-Kube*   Aaron Small (product mgr at GKE/Google)   Atreides Partners Trail of Bits   What was the Audit?  How did it come about?    Who were the players?     Kubernetes Working Group         Aaron, Craig, Jay, Joel     Outside vendors:         Atredis: Josh, Nathan Keltner         Trail of Bits: Stefan Edwards, Bobby Tonic , Dominik     Kubernetes Project Leads/Devs         Interviewed devs -- this was much of the info that went into the threat model         Rapid Risk Assessments - let's put the GitHub repository in the show notes     What did it produce?     Vuln Report     Threat Model - https://github.com/kubernetes/community/blob/master/wg-security-audit/findings/Kubernetes%20Threat%20Model.pdf     White Papers     https://github.com/kubernetes/community/tree/master/wg-security-audit/findings       Discuss the results:         Threat model findings             Controls silently fail, leading to a false sense of security                 Pod Security Policies, Egress Network Rules             Audit model isn't strong enough for non-repudiation                 By default, API server doesn't log user movements through system             TLS Encryption weaknesses                 Most components accept cleartext HTTP                 Boot strapping to add Kubelets is particularly weak                        Multiple components do not check certificates and/or use self-signed certs                 HTTPS isn't enforced                 Certificates are long-lived, with no revocation capability                 Etcd doesn't authenticate connections by default             Controllers all Bundled together                 Confused Deputy: b/c lower priv controllers bundled in same binary as higher             Secrets not encrypted at rest by default             Etcd doesn't have signatures on its write-ahead log             DoS attack: you can set anti-affinity on your pods to get nothing else scheduled on their nodes               Port 10255 has an unauthenticated HTTP server for status and health checking           Vulns / Findings (not complete list, but interesting)             Hostpath pod security policy bypass via persistent volumes             TOCTOU when moving PID to manager's group             Improperly patched directory traversal in kubectl cp             Bearer tokens revealed in logs             Lots of MitM risk:             SSH not checking fingerprints: InsecureIgnoreHostKey             gRPC transport seems all set to WithInsecure() HTTPS connections not checking certs              Some HTTPS connections are unauthenticated             Output encoding on JSON construction                 This might lead to further work, as JSON can get written to logs that may be consumed elsewhere.             Non-constant time check on passwords Lack of re-use / library-ification of code       Who will use these findings and how? Devs, google, bad guys?      Any new audit tools created from this?    Brad geesaman "Hacking and Hardening Kubernetes Clusters by Example [I] - Brad Geesaman, Symantec   https://www.youtube.com/watch?v=vTgQLzeBfRU   Aaron Small:  https://cloud.google.com/blog/products/gcp/precious-cargo-securing-containers-with-kubernetes-engine-18  https://cloud.google.com/blog/products/gcp/exploring-container-security-running-a-tight-ship-with-kubernetes-engine-1-10 https://cloud.google.com/kubernetes-engine/docs/how-to/hardening-your-cluster    CNCF:  https://www.youtube.com/watch?v=90kZRyPcRZw    Findings:       Scope for testing:         Source code review (what languages did they have to review?)             Golang, shell, ...   Networking (discuss the networking *internal* *external* Cryptography (TLS, data stores) AuthN/AuthZ  RBAC (which roles were tested? Just admin/non-admin *best practice is no admin/least priv*) Secrets Namespace traversals Namespace claims   Methodology:   Setup a bunch of environments?     Primarily set up a single environment IIRC     Combination of code audit and active ?fuzzing?         What does one fuzz on a K8s environment? Tested with latest alpha or production versions?     Version 1.13 or 1.14 - version locked at whatever was current - K8S releases a new version every 3 months, so this is a challenge and means we have to keep auditing. Tested mulitple different types of k8s implementations?     Tested primarily against kubespray (https://github.com/kubernetes-sigs/kubespray)   Bug Bounty program: https://github.com/kubernetes/community/blob/master/contributors/guide/bug-bounty.md   Check out our Store on Teepub! https://brakesec.com/store Join us on our #Slack Channel! Send a request to @brakesec on Twitter or email [email protected] #Brakesec Store!:https://www.teepublic.com/user/bdspodcast #Spotify: https://brakesec.com/spotifyBDS #RSS: https://brakesec.com/BrakesecRSS #Youtube Channel:  http://www.youtube.com/c/BDSPodcast #iTunes Store Link: https://brakesec.com/BDSiTunes #Google Play Store: https://brakesec.com/BDS-GooglePlay Our main site:  https://brakesec.com/bdswebsite #iHeartRadio App:  https://brakesec.com/iHeartBrakesec #SoundCloud: https://brakesec.com/SoundcloudBrakesec Comments, Questions, Feedback: [email protected] Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon https://brakesec.com/BDSPatreon #Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir #Player.FM : https://brakesec.com/BDS-PlayerFM #Stitcher Network: https://brakesec.com/BrakeSecStitcher #TuneIn Radio App: https://brakesec.com/TuneInBrakesec  

NOW PLAYING

2019-033-Part 2 of the Kubernetes security audit discussion (Jay Beale & Aaron Small)

0:00 44:26

No transcript for this episode yet

We transcribe on demand. Request one and we'll notify you when it's ready — usually under 10 minutes.

Big Old Life: Heather Blackbird interviews people on planet earth. Heather Blackbird loves asking questions. This podcast is a learning experience. Join me, Heather Blackbird, as I talk to people about their lives. Frequency of new episodes is a little all over the place and I'm learning as I go. Big Old Life is a small way of talking about the vastness of life, one person at a time. If you are reading this or found this podcast it's probably because someone you know gave you a link to it. :) Explicit The Sacred +Profane Podcast nephtaragrace The Sacred + Profane Podcast is a provocative conversation dedicated to cementing a better future for all. We specialize in unpacking the nuances of what is considered sacred and profane, particularly focusing on sex, death, and all that pertains to the circle of life. Our aim in focusing on such ”taboo” subject matter is to demystify what is unconscious, bring to light what has been known for centuries as ”the occult,” and empower the rapid transformation that is occurring on the Planet. Explicit Undeniable w/ Braxton Curtis Braxton Curtis The official Podcast of Braxton Curtis.A Father, Husband, and Business Owner just trying to figure it all out. Explicit Bitcoin Gateway Lea meakin Welcome to Bitcoin Gateway, the podcast where we dive deep into the world of Bitcoin, hosted by Lea Meakin. This show is for anyone who’s ever felt overwhelmed by the complex world of cryptocurrencies and wants a simple, straightforward explanation. Each episode, we’ll break down the basics of Bitcoin, explore its history, and discuss its potential impact on the future of finance. Whether you’re a complete beginner or just looking to expand your knowledge, Bitcoin Gateway is here to help you understand Bitcoin, one episode at a time. Explicit

Frequently Asked Questions

How long is this episode of BrakeSec Education Podcast?

This episode is 44 minutes long.

When was this BrakeSec Education Podcast episode published?

This episode was published on September 16, 2019.

What is this episode about?

  Topics:Infosec Campout report   Jay Beale (co-lead for audit) *Bust-a-Kube*   Aaron Small (product mgr at GKE/Google)   Atreides Partners Trail of Bits   What was the Audit?  How did it come about?    Who were the players?     Kubernetes Working...

Can I download this BrakeSec Education Podcast episode?

Yes, you can download this episode by clicking the download button on the episode player, or subscribe to the podcast in your preferred podcast app for automatic downloads.
URL copied to clipboard!