3. whoami
• James Condon, Director of Research @ Lacework
• Former USAF OSI, Mandiant, and ProtectWise
• Network Forensics, Incident Response, Threat Intelligence, Cloud Security
@laceworklabs
@jameswcondon
6. RESEARCH DISCLAIMERS
• No containers were harmed in the
making of this presentation
• Promote awareness & enhance
security
• Recommendations for managing your
own cluster
10. DASHBOARD RECOMMENDATIONS
• Disable (if possible)
• Ensure RBAC is enabled
• Don’t elevate privileges on default
service account
• Avoid internet access, otherwise use
VPN, Bastion, etc
11. KUBERNETES API SERVER
• Fundamental component of Kubernetes
• REST API
• Handles authentication and authorization
• Secure & insecure port by default
• CVE-2018-1002105
15. API SERVER RECOMMENDATIONS
• Restrict network access
• Disable insecure port
• Enable RBAC
• Look into advanced authentication options
• Upgrade
16. ETCD
• Distributed key value datastore
• Maintains cluster state and secrets
• No authentication by default
• No encryption at rest by default
• REST & gRPC APIs
• The Luke Hemsworth of unsecured
DBs
19. ETCD RECOMMENDATIONS
• Only API server should have access
• Use TLS for peer communications
• Use certification authentication
• Encrypt data at rest
20. FINAL THOUGHTS
• Large scale exposure
• Internet exposure is just one piece
of the security puzzle
• K8s has lots of security features,
understand what they are
• Know what defaults are set with
config tools