SlideShare une entreprise Scribd logo

The Hacker's Guide to Kubernetes: Reloaded

Patrycja Wegrzynowicz
Patrycja Wegrzynowicz

Codemotion Milan 2023

Technologie
1  sur  24
Télécharger pour lire hors ligne
Patrycja Wegrzynowicz The Hacker’s Guide to Kubernetes: Reloaded Lead Engineer, Form3 @yonlabs
Hello! ! • 20+ professional experience software engineer, architect, researcher, head of R&D • Author and speaker JavaOne, CodeOne, Devoxx, JFokus, JavaZone, and more • Top 10 Women in Tech in Poland • Oracle Groundbreaker Ambassador, Oracle ACE • Form3, Financial Cloud Lead SRE Engineer • Founder at Yon Labs Automated tools for detection and refactoring of software defects. Performance, security, concurrency. Intro to Patrycja
Form3, Financial Cloud Business Model • Provides a payment platform for financial institution • Integrates across multiple payment schemes • Makes integration easier and quicker Work Model • Fully remote • Pair programming • Only senior engineers Technology • Multi-cloud platform: AWS, GCP, Azure • Microservices: (mostly) Go and (little) Java • Infrastructure as Code: Terraform Why is Security Important?
Introduction to Kubernetes Architecture Introduction to OWASP Kubernetes Top 10 & MITRE ATT&K ® Threat Matrix for Kubernetes Demos Summary 01 02 03 04 Agenda
Introduction to Kubernetes Architecture
Kubernetes Components Kubernetes Architecture Source: https://medium.com, Kubernetes - Architecture Overview by Ashish Patel
Kubernetes Components Kubernetes Architecture Source: https://medium.com, Kubernetes - Architecture Overview by Ashish Patel CNI
Introduction to OWASP Kubernetes Top 10
OWASP Kubernetes Top 10 2022 K01 Insecure Workload Configuration K02 Supply Chain Vulnerabilities K03 Overly Permissive RBAC Configurations K04 Lack of Centralized Policy Enforcement K05 Inadequate Logging and Monitoring K06 Broken Authentication Mechanisms K07 Missing Network Segmentation Controls K08 Secrets Management Failures K09 Misconfigured Cluster Components K10 Outdated and Vulnerable Kubernetes Components
MITRE ATT&K ® – Threat Matrix for Kubernetes Source: https://www.microsoft.com/en-us/security/blog/2021/03/23/secure- containerized-environments-with-updated-threat-matrix-for-kubernetes/
Demos – 101 Kubernetes hacking
Demo Fun Time – Overview • Demo application https://codemotion.yonlabs.com (or checkout X-Twitter: https://twitter.com/yonlabs) register a new account each account has a secret data log in wait to be hacked :D • Objective to hack your accounts and learn your secrets hacking 101 Let the fun begin!
Bad Pods: Kubernetes Pod Privilege Escalation • https://bishopfox.com/blog/kubernetes-pod- privilege-escalation • By: Seth Art, Principal Security Consultant Demos
Demo #1
Problems • K01 Insecure Workload Configuration root privileged hostPID hostPath hostNetwork hostIPC • K04 Lack of Centralized Policy Enforcement able to create insecure workload • K08 Secrets Management Failure demo-secret not encrypted Demo #1
Demo #2
Problems • K01 Insecure Workload Configuration root privileged hostPID • K04 Lack of Centralized Policy Enforcement able to create insecure workload • Networking unencrypted traffic Demo #2
Summary
Kubernetes Security
Bad Pods: Kubernetes Pod Privilege Escalation • Bad Pod #1: Everything allowed • Bad Pod #2: Privileged and hostPid • Bad Pod #3: Privileged only • Bad Pod #4: hostPath only • Bad Pod #5: hostPID only • Bad Pod #6: hostNetwork only • Bad Pod #7: hostIPC only • Bad Pod #8: Nothing allowed Source: https://bishopfox.com/blog/kubernetes-pod-privilege-escalation
Swiss Cheese Security Model
A fool with a tool is only a fool
Continuous Learning
Thank you! @yonlabs

Recommandé

The Hacker's Guide to Kubernetes
The Hacker's Guide to KubernetesThe Hacker's Guide to Kubernetes
The Hacker's Guide to KubernetesPatrycja Wegrzynowicz
 
Developing and Deploying Microservices with Project Tye
Developing and Deploying Microservices with Project TyeDeveloping and Deploying Microservices with Project Tye
Developing and Deploying Microservices with Project TyeEran Stiller
 
Kubernetes Security
Kubernetes SecurityKubernetes Security
Kubernetes SecurityKarthik Gaekwad
 
Deciphering Kubernetes Networking
Deciphering Kubernetes NetworkingDeciphering Kubernetes Networking
Deciphering Kubernetes NetworkingVictor Morales
 
Bring-your-ML-Project-into-Production-v2.pdf
Bring-your-ML-Project-into-Production-v2.pdfBring-your-ML-Project-into-Production-v2.pdf
Bring-your-ML-Project-into-Production-v2.pdfLiang Yan
 
ZaloPay Merchant Platform on K8S on-premise
ZaloPay Merchant Platform on K8S on-premiseZaloPay Merchant Platform on K8S on-premise
ZaloPay Merchant Platform on K8S on-premiseChau Thanh
 
CloudBuilders 2022: "The Past, Present, and Future of Cloud Native API Gateways"
CloudBuilders 2022: "The Past, Present, and Future of Cloud Native API Gateways"CloudBuilders 2022: "The Past, Present, and Future of Cloud Native API Gateways"
CloudBuilders 2022: "The Past, Present, and Future of Cloud Native API Gateways"Daniel Bryant
 
GOTOpia 2020: "The Past, Present, and Future of Cloud Native API Gateways"
GOTOpia 2020: "The Past, Present, and Future of Cloud Native API Gateways"GOTOpia 2020: "The Past, Present, and Future of Cloud Native API Gateways"
GOTOpia 2020: "The Past, Present, and Future of Cloud Native API Gateways"Daniel Bryant
 

Recommandé

The Hacker's Guide to Kubernetes
The Hacker's Guide to KubernetesThe Hacker's Guide to Kubernetes
The Hacker's Guide to KubernetesPatrycja Wegrzynowicz
 
Developing and Deploying Microservices with Project Tye
Developing and Deploying Microservices with Project TyeDeveloping and Deploying Microservices with Project Tye
Developing and Deploying Microservices with Project TyeEran Stiller
 
Kubernetes Security
Kubernetes SecurityKubernetes Security
Kubernetes SecurityKarthik Gaekwad
 
Deciphering Kubernetes Networking
Deciphering Kubernetes NetworkingDeciphering Kubernetes Networking
Deciphering Kubernetes NetworkingVictor Morales
 
Bring-your-ML-Project-into-Production-v2.pdf
Bring-your-ML-Project-into-Production-v2.pdfBring-your-ML-Project-into-Production-v2.pdf
Bring-your-ML-Project-into-Production-v2.pdfLiang Yan
 
ZaloPay Merchant Platform on K8S on-premise
ZaloPay Merchant Platform on K8S on-premiseZaloPay Merchant Platform on K8S on-premise
ZaloPay Merchant Platform on K8S on-premiseChau Thanh
 
CloudBuilders 2022: "The Past, Present, and Future of Cloud Native API Gateways"
CloudBuilders 2022: "The Past, Present, and Future of Cloud Native API Gateways"CloudBuilders 2022: "The Past, Present, and Future of Cloud Native API Gateways"
CloudBuilders 2022: "The Past, Present, and Future of Cloud Native API Gateways"Daniel Bryant
 
GOTOpia 2020: "The Past, Present, and Future of Cloud Native API Gateways"
GOTOpia 2020: "The Past, Present, and Future of Cloud Native API Gateways"GOTOpia 2020: "The Past, Present, and Future of Cloud Native API Gateways"
GOTOpia 2020: "The Past, Present, and Future of Cloud Native API Gateways"Daniel Bryant
 
20191201 kubernetes managed weblogic revival - part 2
20191201 kubernetes managed weblogic revival - part 220191201 kubernetes managed weblogic revival - part 2
20191201 kubernetes managed weblogic revival - part 2makker_nl
 
oci-container-engine-oke-100.pdf
oci-container-engine-oke-100.pdfoci-container-engine-oke-100.pdf
oci-container-engine-oke-100.pdfNandiniSinghal16
 
The Kubernetes WebLogic revival (part 2)
The Kubernetes WebLogic revival (part 2)The Kubernetes WebLogic revival (part 2)
The Kubernetes WebLogic revival (part 2)Simon Haslam
 
Container security within Cisco Container Platform
Container security within Cisco Container PlatformContainer security within Cisco Container Platform
Container security within Cisco Container PlatformSanjeev Rampal
 
JCON_15FactorWorkshop.pptx
JCON_15FactorWorkshop.pptxJCON_15FactorWorkshop.pptx
JCON_15FactorWorkshop.pptxGrace Jansen
 
DeveloperWeekEnterprise2023 - Introduction to Kubernetes Operators for Databases
DeveloperWeekEnterprise2023 - Introduction to Kubernetes Operators for DatabasesDeveloperWeekEnterprise2023 - Introduction to Kubernetes Operators for Databases
DeveloperWeekEnterprise2023 - Introduction to Kubernetes Operators for DatabasesJuarez Junior
 
Attacking and Defending Kubernetes - Nithin Jois
Attacking and Defending Kubernetes - Nithin JoisAttacking and Defending Kubernetes - Nithin Jois
Attacking and Defending Kubernetes - Nithin JoisOWASP Hacker Thursday
 
Continuously Design your Continuous Deployment
Continuously Design your Continuous DeploymentContinuously Design your Continuous Deployment
Continuously Design your Continuous DeploymentMichael Elder
 
Anil Info
Anil InfoAnil Info
Anil InfoAnil Kumar Mullapudi
 
Batten Down the Hatches: A Practical Guide to Securing Kubernetes - RMISC 2019
Batten Down the Hatches: A Practical Guide to Securing Kubernetes - RMISC 2019Batten Down the Hatches: A Practical Guide to Securing Kubernetes - RMISC 2019
Batten Down the Hatches: A Practical Guide to Securing Kubernetes - RMISC 2019Lacework
 
Cloud Native Application Development-build fast, low TCO, scalable & agile so...
Cloud Native Application Development-build fast, low TCO, scalable & agile so...Cloud Native Application Development-build fast, low TCO, scalable & agile so...
Cloud Native Application Development-build fast, low TCO, scalable & agile so...Lucas Jellema
 
SKILup Days Container Orchestration - Kubernetes Operators for Databases
SKILup Days Container Orchestration - Kubernetes Operators for DatabasesSKILup Days Container Orchestration - Kubernetes Operators for Databases
SKILup Days Container Orchestration - Kubernetes Operators for DatabasesJuarez Junior
 
2015 03-11_todd-fritz_devnexus_2015
2015 03-11_todd-fritz_devnexus_20152015 03-11_todd-fritz_devnexus_2015
2015 03-11_todd-fritz_devnexus_2015Todd Fritz
 
Secure Your Code Implement DevSecOps in Azure
Secure Your Code Implement DevSecOps in AzureSecure Your Code Implement DevSecOps in Azure
Secure Your Code Implement DevSecOps in Azurekloia
 
SUGCON EU 2023 - Secure Composable SaaS.pptx
SUGCON EU 2023 - Secure Composable SaaS.pptxSUGCON EU 2023 - Secure Composable SaaS.pptx
SUGCON EU 2023 - Secure Composable SaaS.pptxVasiliy Fomichev
 
Microservices Docker Kubernetes Istio Kanban DevOps SRE
Microservices Docker Kubernetes Istio Kanban DevOps SREMicroservices Docker Kubernetes Istio Kanban DevOps SRE
Microservices Docker Kubernetes Istio Kanban DevOps SREAraf Karsh Hamid
 
Develop and deploy Kubernetes applications with Docker - IBM Index 2018
Develop and deploy Kubernetes applications with Docker - IBM Index 2018Develop and deploy Kubernetes applications with Docker - IBM Index 2018
Develop and deploy Kubernetes applications with Docker - IBM Index 2018Patrick Chanezon
 
Red Hat and kubernetes: awesome stuff coming your way
Red Hat and kubernetes: awesome stuff coming your wayRed Hat and kubernetes: awesome stuff coming your way
Red Hat and kubernetes: awesome stuff coming your wayJohannes Brännström
 
One Kubernetes to rule them all (ZEUS 2019 Keynote)
One Kubernetes to rule them all (ZEUS 2019 Keynote)One Kubernetes to rule them all (ZEUS 2019 Keynote)
One Kubernetes to rule them all (ZEUS 2019 Keynote)Simon Harrer
 
給 RD 的 Kubernetes 初體驗
給 RD 的 Kubernetes 初體驗給 RD 的 Kubernetes 初體驗
給 RD 的 Kubernetes 初體驗William Yeh
 
The Hacker's Guide to JWT Security
The Hacker's Guide to JWT SecurityThe Hacker's Guide to JWT Security
The Hacker's Guide to JWT SecurityPatrycja Wegrzynowicz
 
The Hacker's Guide to JWT Security
The Hacker's Guide to JWT SecurityThe Hacker's Guide to JWT Security
The Hacker's Guide to JWT SecurityPatrycja Wegrzynowicz
 

Contenu connexe

Similaire à The Hacker's Guide to Kubernetes: Reloaded

20191201 kubernetes managed weblogic revival - part 2
20191201 kubernetes managed weblogic revival - part 220191201 kubernetes managed weblogic revival - part 2
20191201 kubernetes managed weblogic revival - part 2makker_nl
 
oci-container-engine-oke-100.pdf
oci-container-engine-oke-100.pdfoci-container-engine-oke-100.pdf
oci-container-engine-oke-100.pdfNandiniSinghal16
 
The Kubernetes WebLogic revival (part 2)
The Kubernetes WebLogic revival (part 2)The Kubernetes WebLogic revival (part 2)
The Kubernetes WebLogic revival (part 2)Simon Haslam
 
Container security within Cisco Container Platform
Container security within Cisco Container PlatformContainer security within Cisco Container Platform
Container security within Cisco Container PlatformSanjeev Rampal
 
JCON_15FactorWorkshop.pptx
JCON_15FactorWorkshop.pptxJCON_15FactorWorkshop.pptx
JCON_15FactorWorkshop.pptxGrace Jansen
 
DeveloperWeekEnterprise2023 - Introduction to Kubernetes Operators for Databases
DeveloperWeekEnterprise2023 - Introduction to Kubernetes Operators for DatabasesDeveloperWeekEnterprise2023 - Introduction to Kubernetes Operators for Databases
DeveloperWeekEnterprise2023 - Introduction to Kubernetes Operators for DatabasesJuarez Junior
 
Attacking and Defending Kubernetes - Nithin Jois
Attacking and Defending Kubernetes - Nithin JoisAttacking and Defending Kubernetes - Nithin Jois
Attacking and Defending Kubernetes - Nithin JoisOWASP Hacker Thursday
 
Continuously Design your Continuous Deployment
Continuously Design your Continuous DeploymentContinuously Design your Continuous Deployment
Continuously Design your Continuous DeploymentMichael Elder
 
Batten Down the Hatches: A Practical Guide to Securing Kubernetes - RMISC 2019
Batten Down the Hatches: A Practical Guide to Securing Kubernetes - RMISC 2019Batten Down the Hatches: A Practical Guide to Securing Kubernetes - RMISC 2019
Batten Down the Hatches: A Practical Guide to Securing Kubernetes - RMISC 2019Lacework
 
Cloud Native Application Development-build fast, low TCO, scalable & agile so...
Cloud Native Application Development-build fast, low TCO, scalable & agile so...Cloud Native Application Development-build fast, low TCO, scalable & agile so...
Cloud Native Application Development-build fast, low TCO, scalable & agile so...Lucas Jellema
 
SKILup Days Container Orchestration - Kubernetes Operators for Databases
SKILup Days Container Orchestration - Kubernetes Operators for DatabasesSKILup Days Container Orchestration - Kubernetes Operators for Databases
SKILup Days Container Orchestration - Kubernetes Operators for DatabasesJuarez Junior
 
2015 03-11_todd-fritz_devnexus_2015
2015 03-11_todd-fritz_devnexus_20152015 03-11_todd-fritz_devnexus_2015
2015 03-11_todd-fritz_devnexus_2015Todd Fritz
 
Secure Your Code Implement DevSecOps in Azure
Secure Your Code Implement DevSecOps in AzureSecure Your Code Implement DevSecOps in Azure
Secure Your Code Implement DevSecOps in Azurekloia
 
SUGCON EU 2023 - Secure Composable SaaS.pptx
SUGCON EU 2023 - Secure Composable SaaS.pptxSUGCON EU 2023 - Secure Composable SaaS.pptx
SUGCON EU 2023 - Secure Composable SaaS.pptxVasiliy Fomichev
 
Microservices Docker Kubernetes Istio Kanban DevOps SRE
Microservices Docker Kubernetes Istio Kanban DevOps SREMicroservices Docker Kubernetes Istio Kanban DevOps SRE
Microservices Docker Kubernetes Istio Kanban DevOps SREAraf Karsh Hamid
 
Develop and deploy Kubernetes applications with Docker - IBM Index 2018
Develop and deploy Kubernetes applications with Docker - IBM Index 2018Develop and deploy Kubernetes applications with Docker - IBM Index 2018
Develop and deploy Kubernetes applications with Docker - IBM Index 2018Patrick Chanezon
 
Red Hat and kubernetes: awesome stuff coming your way
Red Hat and kubernetes: awesome stuff coming your wayRed Hat and kubernetes: awesome stuff coming your way
Red Hat and kubernetes: awesome stuff coming your wayJohannes Brännström
 
One Kubernetes to rule them all (ZEUS 2019 Keynote)
One Kubernetes to rule them all (ZEUS 2019 Keynote)One Kubernetes to rule them all (ZEUS 2019 Keynote)
One Kubernetes to rule them all (ZEUS 2019 Keynote)Simon Harrer
 
給 RD 的 Kubernetes 初體驗
給 RD 的 Kubernetes 初體驗給 RD 的 Kubernetes 初體驗
給 RD 的 Kubernetes 初體驗William Yeh
 

Similaire à The Hacker's Guide to Kubernetes: Reloaded (20)

20191201 kubernetes managed weblogic revival - part 2
20191201 kubernetes managed weblogic revival - part 220191201 kubernetes managed weblogic revival - part 2
20191201 kubernetes managed weblogic revival - part 2
 
oci-container-engine-oke-100.pdf
oci-container-engine-oke-100.pdfoci-container-engine-oke-100.pdf
oci-container-engine-oke-100.pdf
 
The Kubernetes WebLogic revival (part 2)
The Kubernetes WebLogic revival (part 2)The Kubernetes WebLogic revival (part 2)
The Kubernetes WebLogic revival (part 2)
 
Container security within Cisco Container Platform
Container security within Cisco Container PlatformContainer security within Cisco Container Platform
Container security within Cisco Container Platform
 
JCON_15FactorWorkshop.pptx
JCON_15FactorWorkshop.pptxJCON_15FactorWorkshop.pptx
JCON_15FactorWorkshop.pptx
 
DeveloperWeekEnterprise2023 - Introduction to Kubernetes Operators for Databases
DeveloperWeekEnterprise2023 - Introduction to Kubernetes Operators for DatabasesDeveloperWeekEnterprise2023 - Introduction to Kubernetes Operators for Databases
DeveloperWeekEnterprise2023 - Introduction to Kubernetes Operators for Databases
 
Attacking and Defending Kubernetes - Nithin Jois
Attacking and Defending Kubernetes - Nithin JoisAttacking and Defending Kubernetes - Nithin Jois
Attacking and Defending Kubernetes - Nithin Jois
 
Continuously Design your Continuous Deployment
Continuously Design your Continuous DeploymentContinuously Design your Continuous Deployment
Continuously Design your Continuous Deployment
 
Anil Info
Anil InfoAnil Info
Anil Info
 
Batten Down the Hatches: A Practical Guide to Securing Kubernetes - RMISC 2019
Batten Down the Hatches: A Practical Guide to Securing Kubernetes - RMISC 2019Batten Down the Hatches: A Practical Guide to Securing Kubernetes - RMISC 2019
Batten Down the Hatches: A Practical Guide to Securing Kubernetes - RMISC 2019
 
Cloud Native Application Development-build fast, low TCO, scalable & agile so...
Cloud Native Application Development-build fast, low TCO, scalable & agile so...Cloud Native Application Development-build fast, low TCO, scalable & agile so...
Cloud Native Application Development-build fast, low TCO, scalable & agile so...
 
SKILup Days Container Orchestration - Kubernetes Operators for Databases
SKILup Days Container Orchestration - Kubernetes Operators for DatabasesSKILup Days Container Orchestration - Kubernetes Operators for Databases
SKILup Days Container Orchestration - Kubernetes Operators for Databases
 
2015 03-11_todd-fritz_devnexus_2015
2015 03-11_todd-fritz_devnexus_20152015 03-11_todd-fritz_devnexus_2015
2015 03-11_todd-fritz_devnexus_2015
 
Secure Your Code Implement DevSecOps in Azure
Secure Your Code Implement DevSecOps in AzureSecure Your Code Implement DevSecOps in Azure
Secure Your Code Implement DevSecOps in Azure
 
SUGCON EU 2023 - Secure Composable SaaS.pptx
SUGCON EU 2023 - Secure Composable SaaS.pptxSUGCON EU 2023 - Secure Composable SaaS.pptx
SUGCON EU 2023 - Secure Composable SaaS.pptx
 
Microservices Docker Kubernetes Istio Kanban DevOps SRE
Microservices Docker Kubernetes Istio Kanban DevOps SREMicroservices Docker Kubernetes Istio Kanban DevOps SRE
Microservices Docker Kubernetes Istio Kanban DevOps SRE
 
Develop and deploy Kubernetes applications with Docker - IBM Index 2018
Develop and deploy Kubernetes applications with Docker - IBM Index 2018Develop and deploy Kubernetes applications with Docker - IBM Index 2018
Develop and deploy Kubernetes applications with Docker - IBM Index 2018
 
Red Hat and kubernetes: awesome stuff coming your way
Red Hat and kubernetes: awesome stuff coming your wayRed Hat and kubernetes: awesome stuff coming your way
Red Hat and kubernetes: awesome stuff coming your way
 
One Kubernetes to rule them all (ZEUS 2019 Keynote)
One Kubernetes to rule them all (ZEUS 2019 Keynote)One Kubernetes to rule them all (ZEUS 2019 Keynote)
One Kubernetes to rule them all (ZEUS 2019 Keynote)
 
給 RD 的 Kubernetes 初體驗
給 RD 的 Kubernetes 初體驗給 RD 的 Kubernetes 初體驗
給 RD 的 Kubernetes 初體驗
 

Plus de Patrycja Wegrzynowicz

The Hacker's Guide to NoSQL Injection
The Hacker's Guide to NoSQL InjectionThe Hacker's Guide to NoSQL Injection
The Hacker's Guide to NoSQL InjectionPatrycja Wegrzynowicz
 
The Hacker's Guide to Session Hijacking
The Hacker's Guide to Session Hijacking The Hacker's Guide to Session Hijacking
The Hacker's Guide to Session Hijacking Patrycja Wegrzynowicz
 
The Hacker's Guide To Session Hijacking
The Hacker's Guide To Session HijackingThe Hacker's Guide To Session Hijacking
The Hacker's Guide To Session HijackingPatrycja Wegrzynowicz
 
Lazy vs. Eager Loading Strategies in JPA 2.1
Lazy vs. Eager Loading Strategies in JPA 2.1Lazy vs. Eager Loading Strategies in JPA 2.1
Lazy vs. Eager Loading Strategies in JPA 2.1Patrycja Wegrzynowicz
 
Secure Authentication and Session Management in Java EE
Secure Authentication and Session Management in Java EESecure Authentication and Session Management in Java EE
Secure Authentication and Session Management in Java EEPatrycja Wegrzynowicz
 

Plus de Patrycja Wegrzynowicz (11)

The Hacker's Guide to JWT Security
The Hacker's Guide to JWT SecurityThe Hacker's Guide to JWT Security
The Hacker's Guide to JWT Security
 
The Hacker's Guide to JWT Security
The Hacker's Guide to JWT SecurityThe Hacker's Guide to JWT Security
The Hacker's Guide to JWT Security
 
The Hacker's Guide to XSS
The Hacker's Guide to XSSThe Hacker's Guide to XSS
The Hacker's Guide to XSS
 
The Hacker's Guide to NoSQL Injection
The Hacker's Guide to NoSQL InjectionThe Hacker's Guide to NoSQL Injection
The Hacker's Guide to NoSQL Injection
 
The Hacker's Guide to Session Hijacking
The Hacker's Guide to Session Hijacking The Hacker's Guide to Session Hijacking
The Hacker's Guide to Session Hijacking
 
Second Level Cache in JPA Explained
Second Level Cache in JPA ExplainedSecond Level Cache in JPA Explained
Second Level Cache in JPA Explained
 
Thinking Beyond ORM in JPA
Thinking Beyond ORM in JPAThinking Beyond ORM in JPA
Thinking Beyond ORM in JPA
 
The Hacker's Guide To Session Hijacking
The Hacker's Guide To Session HijackingThe Hacker's Guide To Session Hijacking
The Hacker's Guide To Session Hijacking
 
Lazy vs. Eager Loading Strategies in JPA 2.1
Lazy vs. Eager Loading Strategies in JPA 2.1Lazy vs. Eager Loading Strategies in JPA 2.1
Lazy vs. Eager Loading Strategies in JPA 2.1
 
Secure Authentication and Session Management in Java EE
Secure Authentication and Session Management in Java EESecure Authentication and Session Management in Java EE
Secure Authentication and Session Management in Java EE
 
Thinking Beyond ORM in JPA
Thinking Beyond ORM in JPAThinking Beyond ORM in JPA
Thinking Beyond ORM in JPA
 

Dernier

Event-Driven Architecture Masterclass: Integrating Distributed Data Stores Ac...
Event-Driven Architecture Masterclass: Integrating Distributed Data Stores Ac...Event-Driven Architecture Masterclass: Integrating Distributed Data Stores Ac...
Event-Driven Architecture Masterclass: Integrating Distributed Data Stores Ac...ScyllaDB
 
The Ultimate Prompt Engineering Guide for Generative AI: Get the Most Out of ...
The Ultimate Prompt Engineering Guide for Generative AI: Get the Most Out of ...The Ultimate Prompt Engineering Guide for Generative AI: Get the Most Out of ...
The Ultimate Prompt Engineering Guide for Generative AI: Get the Most Out of ...SOFTTECHHUB
 
WebRTC and SIP not just audio and video @ OpenSIPS 2024
WebRTC and SIP not just audio and video @ OpenSIPS 2024WebRTC and SIP not just audio and video @ OpenSIPS 2024
WebRTC and SIP not just audio and video @ OpenSIPS 2024Lorenzo Miniero
 
JohnPollard-hybrid-app-RailsConf2024.pptx
JohnPollard-hybrid-app-RailsConf2024.pptxJohnPollard-hybrid-app-RailsConf2024.pptx
JohnPollard-hybrid-app-RailsConf2024.pptxJohnPollard37
 
Introduction to use of FHIR Documents in ABDM
Introduction to use of FHIR Documents in ABDMIntroduction to use of FHIR Documents in ABDM
Introduction to use of FHIR Documents in ABDMKumar Satyam
 
Cyber Insurance - RalphGilot - Embry-Riddle Aeronautical University.pptx
Cyber Insurance - RalphGilot - Embry-Riddle Aeronautical University.pptxCyber Insurance - RalphGilot - Embry-Riddle Aeronautical University.pptx
Cyber Insurance - RalphGilot - Embry-Riddle Aeronautical University.pptxMasterG
 
How to Check CNIC Information Online with Pakdata cf
How to Check CNIC Information Online with Pakdata cfHow to Check CNIC Information Online with Pakdata cf
How to Check CNIC Information Online with Pakdata cfdanishmna97
 
AI in Action: Real World Use Cases by Anitaraj
AI in Action: Real World Use Cases by AnitarajAI in Action: Real World Use Cases by Anitaraj
AI in Action: Real World Use Cases by AnitarajAnitaRaj43
 
ADP Passwordless Journey Case Study.pptx
ADP Passwordless Journey Case Study.pptxADP Passwordless Journey Case Study.pptx
ADP Passwordless Journey Case Study.pptxFIDO Alliance
 
The Zero-ETL Approach: Enhancing Data Agility and Insight
The Zero-ETL Approach: Enhancing Data Agility and InsightThe Zero-ETL Approach: Enhancing Data Agility and Insight
The Zero-ETL Approach: Enhancing Data Agility and InsightSafe Software
 
Six Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal OntologySix Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal Ontologyjohnbeverley2021
 
Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...
Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...
Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...panagenda
 
Simplifying Mobile A11y Presentation.pptx
Simplifying Mobile A11y Presentation.pptxSimplifying Mobile A11y Presentation.pptx
Simplifying Mobile A11y Presentation.pptxMarkSteadman7
 
2024 May Patch Tuesday
2024 May Patch Tuesday2024 May Patch Tuesday
2024 May Patch TuesdayIvanti
 
Vector Search @ sw2con for slideshare.pptx
Vector Search @ sw2con for slideshare.pptxVector Search @ sw2con for slideshare.pptx
Vector Search @ sw2con for slideshare.pptxjbellis
 
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...TrustArc
 
Navigating the Large Language Model choices_Ravi Daparthi
Navigating the Large Language Model choices_Ravi DaparthiNavigating the Large Language Model choices_Ravi Daparthi
Navigating the Large Language Model choices_Ravi DaparthiRaviKumarDaparthi
 
ERP Contender Series: Acumatica vs. Sage Intacct
ERP Contender Series: Acumatica vs. Sage IntacctERP Contender Series: Acumatica vs. Sage Intacct
ERP Contender Series: Acumatica vs. Sage IntacctBrainSell Technologies
 
Top 10 CodeIgniter Development Companies
Top 10 CodeIgniter Development CompaniesTop 10 CodeIgniter Development Companies
Top 10 CodeIgniter Development CompaniesTopCSSGallery
 
AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)
AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)
AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)Samir Dash
 

Dernier (20)

Event-Driven Architecture Masterclass: Integrating Distributed Data Stores Ac...
Event-Driven Architecture Masterclass: Integrating Distributed Data Stores Ac...Event-Driven Architecture Masterclass: Integrating Distributed Data Stores Ac...
Event-Driven Architecture Masterclass: Integrating Distributed Data Stores Ac...
 
The Ultimate Prompt Engineering Guide for Generative AI: Get the Most Out of ...
The Ultimate Prompt Engineering Guide for Generative AI: Get the Most Out of ...The Ultimate Prompt Engineering Guide for Generative AI: Get the Most Out of ...
The Ultimate Prompt Engineering Guide for Generative AI: Get the Most Out of ...
 
WebRTC and SIP not just audio and video @ OpenSIPS 2024
WebRTC and SIP not just audio and video @ OpenSIPS 2024WebRTC and SIP not just audio and video @ OpenSIPS 2024
WebRTC and SIP not just audio and video @ OpenSIPS 2024
 
JohnPollard-hybrid-app-RailsConf2024.pptx
JohnPollard-hybrid-app-RailsConf2024.pptxJohnPollard-hybrid-app-RailsConf2024.pptx
JohnPollard-hybrid-app-RailsConf2024.pptx
 
Introduction to use of FHIR Documents in ABDM
Introduction to use of FHIR Documents in ABDMIntroduction to use of FHIR Documents in ABDM
Introduction to use of FHIR Documents in ABDM
 
Cyber Insurance - RalphGilot - Embry-Riddle Aeronautical University.pptx
Cyber Insurance - RalphGilot - Embry-Riddle Aeronautical University.pptxCyber Insurance - RalphGilot - Embry-Riddle Aeronautical University.pptx
Cyber Insurance - RalphGilot - Embry-Riddle Aeronautical University.pptx
 
How to Check CNIC Information Online with Pakdata cf
How to Check CNIC Information Online with Pakdata cfHow to Check CNIC Information Online with Pakdata cf
How to Check CNIC Information Online with Pakdata cf
 
AI in Action: Real World Use Cases by Anitaraj
AI in Action: Real World Use Cases by AnitarajAI in Action: Real World Use Cases by Anitaraj
AI in Action: Real World Use Cases by Anitaraj
 
ADP Passwordless Journey Case Study.pptx
ADP Passwordless Journey Case Study.pptxADP Passwordless Journey Case Study.pptx
ADP Passwordless Journey Case Study.pptx
 
The Zero-ETL Approach: Enhancing Data Agility and Insight
The Zero-ETL Approach: Enhancing Data Agility and InsightThe Zero-ETL Approach: Enhancing Data Agility and Insight
The Zero-ETL Approach: Enhancing Data Agility and Insight
 
Six Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal OntologySix Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal Ontology
 
Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...
Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...
Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...
 
Simplifying Mobile A11y Presentation.pptx
Simplifying Mobile A11y Presentation.pptxSimplifying Mobile A11y Presentation.pptx
Simplifying Mobile A11y Presentation.pptx
 
2024 May Patch Tuesday
2024 May Patch Tuesday2024 May Patch Tuesday
2024 May Patch Tuesday
 
Vector Search @ sw2con for slideshare.pptx
Vector Search @ sw2con for slideshare.pptxVector Search @ sw2con for slideshare.pptx
Vector Search @ sw2con for slideshare.pptx
 
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
 
Navigating the Large Language Model choices_Ravi Daparthi
Navigating the Large Language Model choices_Ravi DaparthiNavigating the Large Language Model choices_Ravi Daparthi
Navigating the Large Language Model choices_Ravi Daparthi
 
ERP Contender Series: Acumatica vs. Sage Intacct
ERP Contender Series: Acumatica vs. Sage IntacctERP Contender Series: Acumatica vs. Sage Intacct
ERP Contender Series: Acumatica vs. Sage Intacct
 
Top 10 CodeIgniter Development Companies
Top 10 CodeIgniter Development CompaniesTop 10 CodeIgniter Development Companies
Top 10 CodeIgniter Development Companies
 
AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)
AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)
AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)
 

The Hacker's Guide to Kubernetes: Reloaded

  • 1. Patrycja Wegrzynowicz The Hacker’s Guide to Kubernetes: Reloaded Lead Engineer, Form3 @yonlabs
  • 2. Hello! ! • 20+ professional experience software engineer, architect, researcher, head of R&D • Author and speaker JavaOne, CodeOne, Devoxx, JFokus, JavaZone, and more • Top 10 Women in Tech in Poland • Oracle Groundbreaker Ambassador, Oracle ACE • Form3, Financial Cloud Lead SRE Engineer • Founder at Yon Labs Automated tools for detection and refactoring of software defects. Performance, security, concurrency. Intro to Patrycja
  • 3. Form3, Financial Cloud Business Model • Provides a payment platform for financial institution • Integrates across multiple payment schemes • Makes integration easier and quicker Work Model • Fully remote • Pair programming • Only senior engineers Technology • Multi-cloud platform: AWS, GCP, Azure • Microservices: (mostly) Go and (little) Java • Infrastructure as Code: Terraform Why is Security Important?
  • 4. Introduction to Kubernetes Architecture Introduction to OWASP Kubernetes Top 10 & MITRE ATT&K ® Threat Matrix for Kubernetes Demos Summary 01 02 03 04 Agenda
  • 6. Kubernetes Components Kubernetes Architecture Source: https://medium.com, Kubernetes - Architecture Overview by Ashish Patel
  • 7. Kubernetes Components Kubernetes Architecture Source: https://medium.com, Kubernetes - Architecture Overview by Ashish Patel CNI
  • 8. Introduction to OWASP Kubernetes Top 10
  • 9. OWASP Kubernetes Top 10 2022 K01 Insecure Workload Configuration K02 Supply Chain Vulnerabilities K03 Overly Permissive RBAC Configurations K04 Lack of Centralized Policy Enforcement K05 Inadequate Logging and Monitoring K06 Broken Authentication Mechanisms K07 Missing Network Segmentation Controls K08 Secrets Management Failures K09 Misconfigured Cluster Components K10 Outdated and Vulnerable Kubernetes Components
  • 10. MITRE ATT&K ® – Threat Matrix for Kubernetes Source: https://www.microsoft.com/en-us/security/blog/2021/03/23/secure- containerized-environments-with-updated-threat-matrix-for-kubernetes/
  • 11. Demos – 101 Kubernetes hacking
  • 12. Demo Fun Time – Overview • Demo application https://codemotion.yonlabs.com (or checkout X-Twitter: https://twitter.com/yonlabs) register a new account each account has a secret data log in wait to be hacked :D • Objective to hack your accounts and learn your secrets hacking 101 Let the fun begin!
  • 13. Bad Pods: Kubernetes Pod Privilege Escalation • https://bishopfox.com/blog/kubernetes-pod- privilege-escalation • By: Seth Art, Principal Security Consultant Demos
  • 15. Problems • K01 Insecure Workload Configuration root privileged hostPID hostPath hostNetwork hostIPC • K04 Lack of Centralized Policy Enforcement able to create insecure workload • K08 Secrets Management Failure demo-secret not encrypted Demo #1
  • 17. Problems • K01 Insecure Workload Configuration root privileged hostPID • K04 Lack of Centralized Policy Enforcement able to create insecure workload • Networking unencrypted traffic Demo #2
  • 20. Bad Pods: Kubernetes Pod Privilege Escalation • Bad Pod #1: Everything allowed • Bad Pod #2: Privileged and hostPid • Bad Pod #3: Privileged only • Bad Pod #4: hostPath only • Bad Pod #5: hostPID only • Bad Pod #6: hostNetwork only • Bad Pod #7: hostIPC only • Bad Pod #8: Nothing allowed Source: https://bishopfox.com/blog/kubernetes-pod-privilege-escalation
  • 22. A fool with a tool is only a fool