GitLab Commit DevOps: How GitLab Can Save your Kubernetes environment from Being Hijacked - a Walk-Through
Cloud native environments are a double-edged sword: used right, the benefits are immense, but they also introduce multiple entry points, for example for security breaches.
In this session, Nico shows how an application vulnerability makes it easy to hijack a Kubernetes cluster. He also explains why it is important to implement zero trust to prevent data leaks and malicious workloads from being executed on a hijacked cluster.
In addition, you will learn how GitLab can protect you from being hijacked. Nico covers how to create more secure applications with Static Application Security Testing (SAST), and how to secure your Kubernetes cluster with Container Host Security, Container Network Security or a Web Application Firewall.
1. How GitLab Can Save your Kubernetes environment from Being Hijacked - a Walk-Through (#GitLabCommit)
2. Nico Meisenzahl
   ● Senior Cloud & DevOps Consultant at white duck
   ● GitLab Hero, Microsoft MVP & Docker Community Leader
   ● Container, Kubernetes, Cloud-Native & DevOps
   Phone: +49 8031 230159 0
   Email: nico@whiteduck.de
   Twitter: @nmeisenzahl
   LinkedIn: https://www.linkedin.com/in/nicomeisenzahl
   Blog: https://meisenzahl.org
3. Agenda
   ● Demo: Hijack a Kubernetes cluster - a walk-through
   ● How GitLab can help to prevent an attack
   ● Container & Kubernetes security best practices
4. Demo: Hijack a Kubernetes cluster - a walk-through
5. Hijack a Kubernetes cluster - a walk-through
   ● we will hijack the container due to a vulnerability in the code of a web app
   ● we then use some available anti-patterns to gain further access within the Kubernetes cluster
6. Recap of the attack
   ● we injected custom code into the text box
     ○ played around a bit
     ○ opened a reverse shell into the container
   ● we used the privileged default Service Account (its token is mounted into the Pod) to access the Kubernetes API
     ○ inspected Secrets
     ○ scheduled a privileged Pod
   With the privileged Pod we could hijack the cluster further (access to the Nodes, the Control Plane and even other cloud resources)
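The second step of the recap only works because the Pod's default ServiceAccount was bound to a role that can read Secrets and create Pods. The following audit, an added example that is not code from the talk, the demo repository or GitLab, walks RBAC objects in the shape `kubectl get ... -o json` returns and reports every ServiceAccount that holds exactly those permissions. The `DANGEROUS` set and the sample Role/Binding objects are constructed for this example.

```python
"""Find ServiceAccounts whose RBAC grants what the demo attack needed.

Added example, not code from the talk, the demo repo or GitLab. Works on
parsed Role/ClusterRole and RoleBinding/ClusterRoleBinding dicts and flags
any ServiceAccount subject that may read Secrets or create Pods, the two
permissions used in the walk-through. DANGEROUS and the sample objects below
are constructed for this example.
"""

# (resource, verb) pairs the attack relied on; both resources live in the core ("") API group
DANGEROUS = {("secrets", "get"), ("secrets", "list"), ("pods", "create")}


def rule_grants(rule, resource, verb):
    """True if one RBAC rule grants `verb` on a core-group `resource`, wildcards included."""
    groups = rule.get("apiGroups", [])
    if "" not in groups and "*" not in groups:
        return False
    resources, verbs = rule.get("resources", []), rule.get("verbs", [])
    return ("*" in resources or resource in resources) and ("*" in verbs or verb in verbs)


def resolve_role(role_ref, binding_ns, roles):
    """Follow a binding's roleRef: ClusterRoles are global, Roles must sit in the binding's namespace."""
    for role in roles:
        if role["kind"] != role_ref["kind"] or role["metadata"]["name"] != role_ref["name"]:
            continue
        if role["kind"] == "Role" and role["metadata"].get("namespace") != binding_ns:
            continue
        return role.get("rules", [])
    return []  # a dangling roleRef grants nothing


def find_overprivileged(bindings, roles):
    """Return (serviceaccount, permission, scope, binding) tuples for every dangerous grant."""
    findings = []
    for b in bindings:
        ns = b["metadata"].get("namespace")  # None for a ClusterRoleBinding
        scope = "cluster-wide" if b["kind"] == "ClusterRoleBinding" else f"namespace {ns}"
        rules = resolve_role(b["roleRef"], ns, roles)
        for subject in b.get("subjects", []):
            if subject.get("kind") != "ServiceAccount":
                continue
            sa = f'{subject.get("namespace", ns)}/{subject["name"]}'
            for resource, verb in sorted(DANGEROUS):
                if any(rule_grants(r, resource, verb) for r in rules):
                    findings.append((sa, f"{verb} {resource}", scope, b["metadata"]["name"]))
    return findings


# constructed sample objects
SAMPLE_ROLES = [
    {"kind": "ClusterRole", "metadata": {"name": "cluster-admin"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"kind": "Role", "metadata": {"name": "config-reader", "namespace": "shop"},
     "rules": [{"apiGroups": [""], "resources": ["configmaps"], "verbs": ["get", "list"]}]},
]
SAMPLE_BINDINGS = [
    # the anti-pattern from the demo: the namespace's default SA bound to cluster-admin
    {"kind": "RoleBinding", "metadata": {"name": "default-is-admin", "namespace": "shop"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "ServiceAccount", "name": "default", "namespace": "shop"}]},
    # least privilege: the app's own SA may only read ConfigMaps
    {"kind": "RoleBinding", "metadata": {"name": "webapp-config", "namespace": "shop"},
     "roleRef": {"kind": "Role", "name": "config-reader"},
     "subjects": [{"kind": "ServiceAccount", "name": "webapp", "namespace": "shop"}]},
]

if __name__ == "__main__":
    for sa, perm, scope, binding in find_overprivileged(SAMPLE_BINDINGS, SAMPLE_ROLES):
        print(f"{sa}: can {perm} ({scope}) via {binding}")
```

Against a real cluster, feed it the `items` of `kubectl get roles,clusterroles -A -o json` and `kubectl get rolebindings,clusterrolebindings -A -o json`. Any hit on a `default` ServiceAccount is the anti-pattern from the demo; the fix is a dedicated ServiceAccount per workload with only the rules it needs.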
7. How GitLab can help to prevent an attack
8. GitLab feature stages
9. Create stage
   ● Pair programming helps to get better and more efficient code
   ● Required Merge Request Approvals allow opting in to multiple sign-offs (Premium, Ultimate)
10. Secure stage
   ● Secret Detection analyzes Git history for leaked secrets
   ● Dependency Scanning analyzes your dependencies for known vulnerabilities (Ultimate)
   ● Static Application Security Testing (SAST) analyzes source code for known vulnerability patterns (some features require Ultimate)
   ● Dynamic Application Security Testing (DAST) analyzes running web applications for known vulnerabilities (Ultimate)
   ● API fuzzing finds unknown bugs and vulnerabilities in web APIs with fuzzing (Ultimate)
11. Configure stage
   ● Container Scanning scans container images for known vulnerabilities (Ultimate)
   ● Auto DevOps helps to reduce the complexity of software delivery by setting up pipelines and integrations for you
12. Protect stage
   ● Web Application Firewall filters, monitors, and prevents HTTP-based attacks (deprecated, will be removed in GitLab 14.0)
   ● Container Host Security provides Intrusion Detection and Prevention capabilities that can monitor and block activity inside the containers themselves
   ● Container Network Security filters and secures the network traffic inside a containerized environment to block attacks at the network layer (some features require Ultimate)
13. Container Security & further best practices
14. Container & Kubernetes security best practices
   ● understand the manifests you apply
   ● do not share privileged service accounts
   ● deny untrusted registries
   ● enforce rootless containers
   ● enforce a read-only filesystem at runtime
   ● deny privileged containers
   ● deny egress traffic
   ● use distroless containers if possible
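Most of the rules on this slide are settings in the Pod spec or a NetworkPolicy, so they can be checked before `kubectl apply` rather than discovered after a breach. The checker below is an added example, not code from the talk, the demo repository or GitLab; it takes a parsed Pod manifest and reports untrusted registries, root containers, writable root filesystems, privileged containers and the auto-mounted ServiceAccount token from the recap, and tells you whether a namespace has a default-deny egress policy. `TRUSTED_REGISTRIES` and the weak and hardened sample manifests are constructed for this example.

```python
"""Check a Pod manifest against the hardening rules listed on the slide.

Added example, not code from the talk, the demo repo or GitLab. Takes a Pod
as a dict (the parsed form of the YAML you would apply) plus a list of
NetworkPolicy dicts. TRUSTED_REGISTRIES and the sample manifests are
constructed for this example.
"""

# assumption: registries your cluster is allowed to pull from
TRUSTED_REGISTRIES = ("registry.example.internal/", "registry.gitlab.com/example-org/")


def check_pod(pod):
    """Return a list of human-readable findings; an empty list means the Pod passes."""
    findings = []
    name = pod["metadata"]["name"]
    spec = pod["spec"]
    # Kubernetes mounts the ServiceAccount token unless told not to; this is what the attack used
    if spec.get("automountServiceAccountToken", True):
        findings.append(f"{name}: ServiceAccount token is auto-mounted (set automountServiceAccountToken: false unless the app needs the API)")
    pod_sc = spec.get("securityContext", {})
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        cname = f"{name}/{c['name']}"
        image = c.get("image", "")
        if not image.startswith(TRUSTED_REGISTRIES):
            findings.append(f"{cname}: image {image!r} is not from a trusted registry")
        if ":" not in image.rsplit("/", 1)[-1]:  # last path element carries the tag or digest
            findings.append(f"{cname}: image {image!r} has no tag or digest (implicitly :latest)")
        sc = {**pod_sc, **c.get("securityContext", {})}  # container-level settings override pod-level ones
        if sc.get("privileged"):
            findings.append(f"{cname}: privileged container")
        if not sc.get("runAsNonRoot"):
            findings.append(f"{cname}: runAsNonRoot is not enforced")
        if sc.get("allowPrivilegeEscalation", True):
            findings.append(f"{cname}: allowPrivilegeEscalation not disabled (setuid binaries can regain root)")
        if not sc.get("readOnlyRootFilesystem"):
            findings.append(f"{cname}: root filesystem is writable")
    return findings


def has_default_deny_egress(policies, namespace):
    """True if the namespace has a NetworkPolicy selecting all Pods, of type Egress, with no egress rules."""
    for p in policies:
        if p["metadata"].get("namespace") != namespace:
            continue
        spec = p["spec"]
        if spec.get("podSelector", {}) == {} and "Egress" in spec.get("policyTypes", []) and not spec.get("egress"):
            return True
    return False


# constructed sample manifests
WEAK_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "web", "namespace": "shop"},
    "spec": {"containers": [{"name": "app", "image": "nginx",
                             "securityContext": {"privileged": True}}]},
}
HARDENED_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "web", "namespace": "shop"},
    "spec": {
        "automountServiceAccountToken": False,
        "securityContext": {"runAsNonRoot": True, "runAsUser": 10001},
        "containers": [{"name": "app", "image": "registry.example.internal/shop/web:1.4.2",
                        "securityContext": {"privileged": False,
                                            "allowPrivilegeEscalation": False,
                                            "readOnlyRootFilesystem": True}}],
    },
}
SAMPLE_POLICIES = [{
    "apiVersion": "networking.k8s.io/v1", "kind": "NetworkPolicy",
    "metadata": {"name": "deny-all-egress", "namespace": "shop"},
    "spec": {"podSelector": {}, "policyTypes": ["Egress"]},
}]

if __name__ == "__main__":
    for label, pod in (("weak", WEAK_POD), ("hardened", HARDENED_POD)):
        print(f"{label}: {len(check_pod(pod))} finding(s)")
        for f in check_pod(pod):
            print("  -", f)
    print("shop has default-deny egress:", has_default_deny_egress(SAMPLE_POLICIES, "shop"))
```

A read-only root filesystem usually needs an `emptyDir` volume for whatever the app writes (temp files, caches), and the deny-all egress policy needs explicit allow rules for DNS and the backends the app talks to; the checker only tells you the guardrail is missing, it does not write those rules for you.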
15. Questions?
   Slides: https://www.slideshare.net/nmeisenzahl
   Demo: https://gitlab.com/nico-meisenzahl/hijack-kubernetes
   GitLab features: https://about.gitlab.com/features
   Email: nico.meisenzahl@whiteduck.de
16. Thank You!