Patrycja Wegrzynowicz
The Hacker’s Guide to Kubernetes: Reloaded
Lead Engineer, Form3
@yonlabs
Hello!
• 20+ years of professional experience
software engineer, architect, researcher, head of R&D
• Author and speaker
JavaOne, CodeOne, Devoxx, JFokus, JavaZone, and more
• Top 10 Women in Tech in Poland
• Oracle Groundbreaker Ambassador, Oracle ACE
• Form3, Financial Cloud
Lead SRE Engineer
• Founder at Yon Labs
Automated tools for detection and refactoring of software defects.
Performance, security, concurrency.
Intro to Patrycja
Form3, Financial Cloud
Business Model
• Provides a payment platform for financial institutions
• Integrates across multiple payment schemes
• Makes integration easier and quicker
Work Model
• Fully remote
• Pair programming
• Only senior engineers
Technology
• Multi-cloud platform: AWS, GCP, Azure
• Microservices: (mostly) Go and (little) Java
• Infrastructure as Code: Terraform
Why is Security Important?
Agenda
01 Introduction to Kubernetes Architecture
02 Introduction to OWASP Kubernetes Top 10 & MITRE ATT&CK® Threat Matrix for Kubernetes
03 Demos
04 Summary
Introduction to Kubernetes Architecture
Kubernetes Components
Kubernetes Architecture
Source: https://medium.com, Kubernetes - Architecture Overview by Ashish Patel
Kubernetes Components
Kubernetes Architecture, with CNI (Container Network Interface)
Source: https://medium.com, Kubernetes - Architecture Overview by Ashish Patel
Introduction to OWASP Kubernetes Top 10
OWASP Kubernetes Top 10 2022
K01 Insecure Workload Configuration
K02 Supply Chain Vulnerabilities
K03 Overly Permissive RBAC Configurations
K04 Lack of Centralized Policy Enforcement
K05 Inadequate Logging and Monitoring
K06 Broken Authentication Mechanisms
K07 Missing Network Segmentation Controls
K08 Secrets Management Failures
K09 Misconfigured Cluster Components
K10 Outdated and Vulnerable Kubernetes Components
MITRE ATT&CK® – Threat Matrix for Kubernetes
Source: https://www.microsoft.com/en-us/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/
Demos – 101 Kubernetes hacking
Demo Fun Time – Overview
• Demo application
  https://codemotion.yonlabs.com (or check out X/Twitter: https://twitter.com/yonlabs)
  register a new account; each account has secret data; log in; wait to be hacked :D
• Objective
  to hack your accounts and learn your secrets
  hacking 101
Let the fun begin!
Bad Pods: Kubernetes Pod Privilege Escalation
• https://bishopfox.com/blog/kubernetes-pod-privilege-escalation
• By: Seth Art, Principal Security Consultant
Demos
Demo #1
Problems
• K01 Insecure Workload Configuration
  root, privileged, hostPID, hostPath, hostNetwork, hostIPC
• K04 Lack of Centralized Policy Enforcement
  able to create insecure workload
• K08 Secrets Management Failure
  demo-secret not encrypted
Demo #2
Problems
• K01 Insecure Workload Configuration
  root, privileged, hostPID
• K04 Lack of Centralized Policy Enforcement
  able to create insecure workload
• Networking
  unencrypted traffic
Summary
Kubernetes Security
Bad Pods: Kubernetes Pod Privilege Escalation
• Bad Pod #1: Everything allowed
• Bad Pod #2: Privileged and hostPID
• Bad Pod #3: Privileged only
• Bad Pod #4: hostPath only
• Bad Pod #5: hostPID only
• Bad Pod #6: hostNetwork only
• Bad Pod #7: hostIPC only
• Bad Pod #8: Nothing allowed
Source: https://bishopfox.com/blog/kubernetes-pod-privilege-escalation
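Added example, not code from the talk, the demo application or Form3: a small Go check that audits a pod manifest for the K01 attributes named in the Demo #1 and Demo #2 problem slides and in the Bad Pods list above (root, privileged, hostPID, hostPath, hostNetwork, hostIPC), the kind of rule a centralized admission policy (K04) would enforce before such a pod is created. The two manifests are constructed samples modelled on Bad Pod #1 and Bad Pod #8, written as JSON so the check runs with the standard library alone; treating a container that is not proven non-root as root is this example's own assumption.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Minimal subset of the Pod schema; encoding/json ignores the rest of the manifest.
type SecurityContext struct {
	Privileged   *bool  `json:"privileged"`
	RunAsUser    *int64 `json:"runAsUser"`
	RunAsNonRoot *bool  `json:"runAsNonRoot"`
}
type PodSpec struct {
	HostPID         bool             `json:"hostPID"`
	HostNetwork     bool             `json:"hostNetwork"`
	HostIPC         bool             `json:"hostIPC"`
	SecurityContext *SecurityContext `json:"securityContext"`
	Containers      []struct {
		SecurityContext *SecurityContext `json:"securityContext"`
	} `json:"containers"`
	Volumes []struct {
		HostPath *struct{ Path string } `json:"hostPath"`
	} `json:"volumes"`
}
type Pod struct{ Spec PodSpec `json:"spec"` }

// runsAsRoot is conservative (an assumption of this example): a container counts as
// root unless the manifest proves otherwise with runAsNonRoot: true or a non-zero
// runAsUser. Container-level settings override pod-level ones, as in the Kubernetes API.
func runsAsRoot(pod, ctr *SecurityContext) bool {
	uid, nonRoot := (*int64)(nil), (*bool)(nil)
	for _, sc := range []*SecurityContext{pod, ctr} {
		if sc != nil && sc.RunAsUser != nil {
			uid = sc.RunAsUser
		}
		if sc != nil && sc.RunAsNonRoot != nil {
			nonRoot = sc.RunAsNonRoot
		}
	}
	if uid != nil {
		return *uid == 0
	}
	return nonRoot == nil || !*nonRoot
}

// AuditPod returns the "Bad Pod" attributes present in a JSON pod manifest, in the
// order the talk lists them; an empty result means the pod passes this check.
func AuditPod(manifest []byte) ([]string, error) {
	var pod Pod
	if err := json.Unmarshal(manifest, &pod); err != nil {
		return nil, err
	}
	s := pod.Spec
	found := map[string]bool{"hostPID": s.HostPID, "hostNetwork": s.HostNetwork, "hostIPC": s.HostIPC}
	for _, v := range s.Volumes {
		found["hostPath"] = found["hostPath"] || v.HostPath != nil
	}
	for _, c := range s.Containers {
		sc := c.SecurityContext
		found["privileged"] = found["privileged"] || (sc != nil && sc.Privileged != nil && *sc.Privileged)
		found["root"] = found["root"] || runsAsRoot(s.SecurityContext, sc)
	}
	var findings []string
	for _, name := range []string{"root", "privileged", "hostPID", "hostPath", "hostNetwork", "hostIPC"} {
		if found[name] {
			findings = append(findings, name)
		}
	}
	return findings, nil
}

// Constructed samples modelled on Bad Pod #1 (everything allowed) and Bad Pod #8
// (nothing allowed); they are not manifests from the demo.
const BadPodEverything = `{"apiVersion":"v1","kind":"Pod","metadata":{"name":"everything-allowed"},
 "spec":{"hostPID":true,"hostNetwork":true,"hostIPC":true,"volumes":[{"name":"host","hostPath":{"path":"/"}}],
 "containers":[{"name":"shell","image":"busybox","securityContext":{"privileged":true}}]}}`
const HardenedPod = `{"apiVersion":"v1","kind":"Pod","metadata":{"name":"nothing-allowed"},
 "spec":{"securityContext":{"runAsNonRoot":true,"runAsUser":10001},
 "containers":[{"name":"app","image":"busybox","securityContext":{"privileged":false}}]}}`

func main() {
	for name, m := range map[string]string{"everything-allowed": BadPodEverything, "nothing-allowed": HardenedPod} {
		findings, err := AuditPod([]byte(m))
		fmt.Printf("%s: findings=%v err=%v\n", name, findings, err)
	}
}
```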
Swiss Cheese Security Model
A fool with a tool is only a fool
Continuous Learning
Thank you!
@yonlabs