Hacking Containers and Kubernetes Exploiting and protecting containers with a few lines of scripting

Thomas Fricke

43 min

43 min 2019-08-21

2019-08-21 1625

1625 Fahrplan

Playlists: 'camp2019' videos starting here

The talks shows the security model of Kubernetes and how to detect and fight security weaknesses with a few lines of scripting.

Hidden under the hood of Kubernetes are a lot of security features. Starting from the Linux namespaces used in containers to the network there are a lot of configurations with many bells and whistles supporting or totally destroying the security of a cluster

The talk gives an overview of the container escape vulnerabilities in the wild, that are documented in the CVE database. Simple scripts are shown to check clusters for vulnerabilities. The scripts are used to analyze Istio, the "trust nothing" distributed firewall solution, and find an exploitable attack immediately. This would be a script kiddie attack, if they already would have started using Kubernetes and Istio.

Finally, it is shown, how Istio has handled the bug report and how future versions from 1.2 will close the exploit using the Container Network Interface (CNI).

Download

Related

Embed Share:







Tags