Version Kaus Australis

Lecture: Hacking Containers and Kubernetes

Exploiting and protecting containers with a few lines of scripting

The talks shows the security model of Kubernetes and how to detect and fight security weaknesses with a few lines of scripting.

Hidden under the hood of Kubernetes are a lot of security features. Starting from the Linux namespaces used in containers to the network there are a lot of configurations with many bells and whistles supporting or totally destroying the security of a cluster

The talk gives an overview of the container escape vulnerabilities in the wild, that are documented in the CVE database. Simple scripts are shown to check clusters for vulnerabilities. The scripts are used to analyze Istio, the "trust nothing" distributed firewall solution, and find an exploitable attack immediately. This would be a script kiddie attack, if they already would have started using Kubernetes and Istio.

Finally, it is shown, how Istio has handled the bug report and how future versions from 1.2 will close the exploit using the Container Network Interface (CNI).

Info

Day: 2019-08-21
Start time: 13:00
Duration: 00:45
Room: Curie
Track: Security
Language: en

Links:

Files

Feedback

Click here to let us know how you liked this event.

Concurrent Events