RSA Conference USA 2020 – Session ID: DSO-W01
Compromising Kubernetes Cluster by Exploiting RBAC Permissions
Eviatar Gerzi, Security Researcher, CyberArk (@g3rzi)

# whoami
Eviatar Gerzi (@g3rzi), Security Researcher at CyberArk

[Illustration slides; image credits: https://websitesetup.desi/pokemon-go-mod-apk-v0-147-1free-download-2019/ and https://www.pokemon.com/us/pokedex/dragonite]

Kubernetes
"An open-source system for automating deployment, scaling and management of containerized applications."

Kubernetes – containerized application
Application + dependencies, running:
- Isolated
- Quickly
- Reliably
[Illustration; image credit: https://hackernoon.com/practical-introduction-to-docker-compose-d34e79c4c2b6]

Kubernetes architecture
- kubectl (client)
- Master: API server, etcd, scheduler, controller manager
- Worker: kubelet, kube-proxy, Pod, Container

Access to Kubernetes API
Authentication -> Authorization -> Admission Control

Authentication
Two kinds of subjects: Normal User and Service Account
Normal User authentication methods:
• X509 Client Certs
• Static Token File
• Static Password File
• OpenID Connect Tokens
• Webhook Token Authentication
• Authenticating Proxy
Service Account authentication method:
• Service Account Tokens

Service Account
"When you create a pod, if you do not specify a service account, it is automatically assigned the default service account in the same namespace."
- Pod does NOT specify ANY service account -> default service account in the namespace
- Pod specifies a service account -> that service account

Service Account Token Location
Inside the pod's container, the service account token is mounted at:
/var/run/secrets/kubernetes.io/serviceaccount/token
(also reachable as /run/secrets/kubernetes.io/serviceaccount/token)

Service Account Token

Authorization
Role-Based Access Control (RBAC)
Users / Groups -> Roles -> Permissions -> Resources