Cloud native environments are a double edged sword - used right, the benefits are immense. However, it also introduces multiple entry points for example security breaches. In this session, Nico will show how application vulnerabilities make it easy to hijack a Kubernetes cluster. He will also talk about why it's important to implement zero-trust to prevent data leaks and malicious workloads from being executed on a hijacked cluster. In addition, you will learn how GitLab can protect you from being hijacked. Nico will talk about how to create more secure applications by using Static Application Security Testing (SAST) as well as how to secure your Kubernetes cluster with Container Host Security, Container Network Security or a Web Application Firewall.

1. 1
#GitLabCommit
How GitLab Can Save your Kubernetes environment
from Being Hijacked - a Walk-Through

2. 2
#GitLabCommit
Nico Meisenzahl
● Senior Cloud & DevOps Consultant at white duck
● GitLab Hero, Microsoft MVP & Docker Community Leader
● Container, Kubernetes, Cloud-Native & DevOps
Phone: +49 8031 230159 0
Email: nico@whiteduck.de
Twitter: @nmeisenzahl
LinkedIn: https://www.linkedin.com/in/nicomeisenzahl
Blog: https://meisenzahl.org

3. 3
#GitLabCommit
Agenda
● Demo: Hijack a Kubernetes cluster - a walk-through
● How GitLab can help to prevent an attack
● Container & Kubernetes security best practices

4. 4
#GitLabCommit
#GitLabCommit
Demo:
Hijack a Kubernetes
cluster - a walk-through

5. 5
#GitLabCommit
Hijack a Kubernetes cluster - a walk-through
● we will hijack the container due to a vulnerability in the code of a web
app
● we then use some available anti-patterns to gain further access within
the Kubernetes cluster

6. 6
#GitLabCommit
Recap of the attack
● we inject custom code into the text box
○ played around a bit
○ opened a reverse shell into the container
● we used the privileged default Service Account to access the API
○ inspected secrets
○ scheduled a privileged Pod
With the privileged Pod, we could further hijack the cluster (access to
Nodes, the Control Plane and even other Cloud resources)

7. 7
#GitLabCommit
#GitLabCommit
How GitLab can help to
prevent an attack

8. 8
#GitLabCommit
GitLab feature stages

9. 9
#GitLabCommit
Create stage
● Pair programming helps to get better and more efficient code
● Required Merge Request Approvals allows to opt-in for multiple
sign-offs (Premium, Ultimate)

10. 10
#GitLabCommit
Secure stage
● Secret Detection analyzes Git history for leaked secrets
● Dependency Scanning analyzes your dependencies for known
vulnerabilities (Ultimate)
● Static Application Security Testing (SAST) analyzes source code for
known vulnerabilities (some features require Ultimate)
● Dynamic Application Security Testing (DAST) analyzes running web
applications for known vulnerabilities (Ultimate)
● API fuzzing finds unknown bugs and vulnerabilities in web APIs with
fuzzing (Ultimate)

11. 11
#GitLabCommit
Configure stage
● Container Scanning scans containers for known vulnerabilities
(Ultimate)
● Auto DevOps helps to reduce the complexity of software delivery by
setting up pipelines and integrations for you

12. 12
#GitLabCommit
Protect stage
● Web Application Firewall filters, monitors, and prevents HTTP based
attacks (deprecated, will get removed in GitLab 14.0)
● Container Host Security provides Intrusion Detection and Prevention
capabilities that can monitor and block activity inside the containers
themselves
● Container Network Security filters and secures the network traffic
inside a containerized environment to block attacks at the network layer
(some features require Ultimate)

13. 13
#GitLabCommit
#GitLabCommit
Container Security &
further best practices

14. 14
#GitLabCommit
Container & Kubernetes security best practices
● understand the manifests you apply
● do not share privileged service accounts
● deny untrusted registries
● enforce rootless containers
● enforce read-only filesystem at runtime
● deny privileged containers
● deny egress traffic
● use distroless containers if possible

15. 15
#GitLabCommit
Questions?
Slides: https://www.slideshare.net/nmeisenzahl
Demo: https://gitlab.com/nico-meisenzahl/hijack-kubernetes
GitLab features: https://about.gitlab.com/features
Phone: +49 8031 230159 0
Email: nico.meisenzahl@whiteduck.de
Twitter: @nmeisenzahl
LinkedIn: https://www.linkedin.com/in/nicomeisenzahl
Blog: https://meisenzahl.org

16. 16
#GitLabCommit
Thank You!