Course Description
In an era where container orchestration is vital to scaling and managing applications, Kubernetes stands out as a pivotal technology. But with its vast landscape comes a multitude of attack vectors. This 3-day workshop is meticulously crafted for those seeking a deep, technical, hands-on immersion into the world of Kubernetes security. We begin by laying the groundwork with Kubernetes basics, understanding its architecture, and delving into its potential security pitfalls. Participants will be initiated into the intricate details of Kubernetes attack surfaces, with hands-on labs focusing on real-world vulnerabilities and their corresponding exploits. Using advanced exploitation techniques, our session will unravel sophisticated Kubernetes attack methodologies, from manipulating Role-Based Access Controls to advanced container breakout strategies. But it's not just about offense; we also cover the art of defense.
Learn how to seal your secrets, enforce stringent network policies with Cilium, and employ advanced detection mechanisms using tools like Falco and EFK. The workshop includes a Capture The Flag (CTF) challenge, designed to test the mettle of participants by pitting their newly acquired offensive and defensive skills against real-world Kubernetes scenarios. By the end of our intensive three-day journey, attendees will not only have an expanded skill set but also the confidence to identify, exploit, and protect Kubernetes clusters in real-world environments.
Key aspects of the workshop include (see the course content for details):
- Understanding of Kubernetes core concepts and security layers.
- Attacking & enumerating Kubernetes clusters.
- Exploiting clusters via container breakout & web-based vulnerabilities.
- Vulnerability scanning of the Kubernetes attack surface and exploring the exploitation of documented bugs/CVEs in a production environment.
- Advanced container breakout strategies and Role-Based Access Control (RBAC) breaches.
- Hands-on sessions on enforcing Kubernetes secrets, network policies, and internal security measures.
- Detecting advanced attacks with sophisticated detection mechanisms involving Falco and EFK.
- Bypassing Falco container runtime security.
- CTF contest aimed at assessing attendees' competencies in live situations with Kyverno, Falco, Cilium & Istio mesh.
Note: Attendees will get a cloud-based IDE for running labs, free for the entire course period.
Course contents
Day 1: Decoding Kubernetes – Setting the Attack Stage
Diving into the Core of Containers & Kubernetes
- Lecture: Introduction To Container Security
- Lecture: Preparing the Environment for Lab Setup
- Lecture: Unmasking Container Security Layers
- Lab: Docker Layers Security & Dockerfile
- Lab: Exploring Dive For Secret Exfiltration
Kubernetes Core Concepts
- Lecture: Decoding the Kubernetes Basics
- Lecture: Explanation of Key Kubernetes Components & Terminologies
- Lab: Orchestrating a Kubernetes Cluster via Cilium
- Lab: Setup Cluster via Kind
- Lab: Kind Cluster Validation
- Lecture: Demystifying Cluster Setups: minikube, k3s, Kind & kubeadm
- Lab: Validation of Cluster Configuration
- Lecture: K8s Authentication & Authorization Under Attack
- Lab: Authentication In K8s
- Lab: RBAC via Role & RoleBinding
- Lab: RBAC via Cluster Role & ClusterRoleBinding
Attack Preparedness
- Lecture: Services in Kubernetes & Their Security Implications
- Lab: Kubectl CLI Mastery
- Lecture: Dissecting the Kubernetes Cluster
- Lecture: Deciphering Helm Charts
- Lab: Deploy the Vulnerable Application using Helm
- Lab: Deploying & Breaking a Sample Application
- Lecture: Kubernetes Security Testing
Day 2: Kubernetes Reconnaissance & Exploitation – Mastering the Attack
Demo: Exposing the Kubernetes Attack Surface
Deep Dive into Kubernetes Cluster Enumeration
- Lab: External Kubernetes Cluster Enumeration
- Lab: Internal Kubernetes Cluster Enumeration
- Lab: Exploiting Vulnerable K8s Applications
Breaching Role-Based Access Controls
- Lab: RBAC Misconfiguration Exploitation
Advanced Container Breakout Techniques
- Lab: Escaping the Container via Host PID True
- Lab: Exploiting Host Network True
- Lab: Bypassing Restrictions with Host IPC True
- Lab: Evasive Persistence with Host Volume Mount
- Lab: Performing Privileged Escapes to Host
Post-Exploitation Attacks & Deep Dive
- Demo: Abusing Docker Socket Mounts – DIND
- Demo: Setup Misconfigured Kube API Server
- Lab: Exploiting Misconfigured Kube API Server
- Demo: Exploiting Unauthenticated Kubernetes Dashboard
- Lab: Unauthenticated Kubernetes Dashboard
- Cleanup: Terminating Misconfigured Cluster
- Lab: Stealing from Private Docker Registry
- Lab: Backdooring Docker Images to Reverse Shell
- Lecture: CVE-2021-25741 & Other Critical Vulnerabilities
- Lecture: Docker Capabilities & Misuse
- Lecture: Mapping OWASP Kubernetes Top 10
Automated Kubernetes Vulnerability Discovery
- Lab: RBAC scan via Kubernetes-rbac-audit
- Lab: Audit via Kubescape
- Lab: Automated Scan via Kube-bench
- Lab: Cluster scan via Kube-hunter
- Lab: Scanning via Checkov
Day 3: Defense & Countermeasures – Shielding Kubernetes
Demo: Crafting Effective Protection Strategies
Network Security in Kubernetes
- Lab: Implementing Secure Network Policies
Authorization Reinforcement
- Lab: RBAC Authorization Techniques
Lecture: Securing Secrets in Kubernetes
- Lab: Exploiting Kubernetes Secrets
- Lab: Sealed Secrets Implementation
Securing Kubernetes Internals
- Setup & Demo: Kyverno Admission Controller
- Lab: Basics of Kyverno
- Demo: Basics of Cilium CNI
- Lab: Policy via Cilium CNI
Hardening Kubernetes
- Lab: Configure a Basic Security Context
- Lab: Configure AppArmor Profiles
- Lab: Configure Seccomp Profiles
Lecture: Istio Service Mesh Security & Monitoring
- Lab: Deploying Istio For Security
- Demo: Kiali Dashboard Exploration
Detection & Incident Response in Kubernetes
- Lab: Falco & EFK Logging for Monitoring & Breach Detection
- Lab: Bypassing Falco Container Runtime Security
Kubernetes Security Testing & CTF Challenge
- Lecture: AWS Architecture Explanation
- Lecture: Kubernetes Cluster Explanation
- Lecture: Enumeration From Vulnerable Cluster Web UI
- Lab: Engage in Real-world Scenarios & Conquer the Kubernetes CTF Challenge
Pre-requisites
- Basic knowledge of the Linux command line.
- Familiarity with system administration tasks like server and application configuration and deployment.
- A basic understanding of container environments like Docker and distributed systems is advantageous.
Requirements
- Laptop with the Firefox browser & a minimum of 4GB RAM and 2 CPU cores.
- Firefox browser installed, specifically for Windows environments.
- Access to wireless internet connectivity for online activities and lab exercises.
- Participants using a Windows laptop should have administrative privileges and have endpoint security, antivirus, and VPN functionality turned off.
Target Audience
- Security Researchers & Professionals: Those looking to delve deep into the world of Kubernetes vulnerabilities, from discovery to exploitation.
- Developers & DevOps Experts: For those who architect and deploy Kubernetes, and need to understand its attack vectors and defense strategies.
- DevSecOps Practitioners: Integrating security into DevOps is crucial. Grasp the nuances of Kubernetes security to elevate your organization’s defense posture.
- Pentesters & Cloud Engineers: Master techniques to test the resilience of Kubernetes deployments and understand common misconfigurations.
- Red Teams and Blue Teams: Experience both the offensive techniques to exploit Kubernetes and the defensive measures to protect it.
- Beginners in Kubernetes Security: Start your journey with a comprehensive understanding of the threatscape in the Kubernetes ecosystem.
What would the attendees gain?
- Valuable Offensive and Defensive Assets: Receive a comprehensive PPT presentation and a cheat sheet for Kubernetes pentesting.
- In-depth Learning Materials: Detailed theory PDFs encapsulating workshop content, ensuring you have resources for reference and deeper exploration.
- Practical Tools for Hands-on Experience: Deployment YAML files and source code for a purposely vulnerable application, letting attendees test their skills in a safe environment.
- Exclusive Post-Training Challenge: After the workshop, get 4-hour access to a Kubernetes-themed CTF lab to test and validate your learnings.
- Terraform code & steps to deploy an EKS cluster for further learning.
- Vulnerable deployment code to deploy the application.
Trainer Biography
Divyanshu Shukla: Senior security engineer with more than 6 years of experience in Cloud Security, DevSecOps, Web Application Pentesting, Mobile Pentesting, Automation, and Secure Code Review. Reported multiple vulnerabilities to companies like Airbnb, Google, Microsoft, AWS, Apple, Amazon, Samsung, Zomato, Xiaomi, Alibaba, Opera, Protonmail, Mobikwik, etc., and received CVE-2019-8727, CVE-2019-16918, CVE-2019-12278 and CVE-2019-14962 for reporting issues. Author of IAC Code Guardian GPT, Route53Secure Sweep, Burp-o-mation and a very-vulnerable-serverless application. Also an AWS Community Builder for security and a Defcon Cloud Village crew member in 2020/2021/2022. He has also given training and talks at events like Blackhat Arsenal, C0c0n, Nullcon India, Bsides Bangalore 2023, Parsec IIT Dharwad, GirlScript Chandigarh University, CSA Monthly Meet, Bsides Bangalore Meetup and the Null community. Also winner of "Cybersecurity Samurai 2023" at Bsides Bangalore 2023 & "Cloud Security Champion" at CSA Bangalore 2023.
LinkedIn: https://www.linkedin.com/in/iamdivyanshu/
Twitter: @justm0rph3u5
Ravi Mishra: 7+ years of experience in DevSecOps & DevOps. Currently working as Lead DevOps. Highly skilled in IAC Security, AWS & GCP Security, SRE, Container Security, and K8s (EKS & GKE) Security. Experienced in deploying EKS & GKE clusters. Previously worked with DevOps engineering teams at OLX Group, Paytm Bank, and Opstree. He has also given training and seminars at events like Nullcon, C0C0n, the Null Community, Bsides Bangalore 2023 & the Kyverno Monthly Meetup. Author of awesome-devops-interview.
LinkedIn: https://www.linkedin.com/in/ravi-mishra-6046b1114/