The Kubernetes Crusade: Workshop on Defending & Attacking Kubernetes

This workshop aims to deliver a comprehensive understanding of Kubernetes attack and defense strategies through hands-on labs and demonstrations empowering participants with the knowledge to identify and mitigate vulnerabilities in their Kubernetes clusters. It covers the basics of Kubernetes and container security and provides an overview of key Kubernetes components and terminologies. Participants will learn how to establish a Kubernetes cluster via Cilium and different methods like Kind, k3s, and Kubeadm. They will also be introduced to Authorization & Authentication in K8s and deploy a sample application.

With a strong focus on Kubernetes security testing, the workshop explores Kubernetes attack surfaces and role-based access controls. Participants will gain insights into container breakout techniques and learn how to secure secrets using Sealed Secrets. The workshop further covers network policies in Kubernetes and demonstrates how to fortify the network fabric using Cilium & network security policies. As a culmination of the hands-on workshop, participants will learn about the hardening techniques for the Kubernetes environment and deep dive into detection strategies employing Falco and EFK Logging and Monitoring.

To assess the newly acquired skills, the workshop includes a Capture The Flag (CTF) challenge. Upon completing this hands-on workshop, participants will possess the knowledge and skills necessary to recognize and address vulnerabilities in their Kubernetes clusters effectively.

Open source Cloud9 IDE with complete setup will be provided to all the participants for hassle free learning experience

Course Content (ToC):

• Day 1:
  • Kubernetes & Container Basics
    • Introduction To Container Security
    • Preparing the Environment for Lab Setup
    • Understanding Container Layers
    • Lab: Docker Layers & Dockerfile Demo
    • Lab: Dive For Secret Exfiltration
  • Introduction to Kubernetes
  • Explanation of Key Kubernetes Components
    • - Important Kubernetes Terminologies
  • Establishing a Kubernetes Cluster via Cilium
    • Lab: Setup Kind
    • Lab: Kind Cluster Validation
  • Difference between minikube, k3s , Kind & kubeadm
  • Lab: Validation of Cluster Configuration
  • Authentication & Authorization In K8s
    • Lab: Authentication In K8s
    • Lab: RBAC via Role & RoleBinding
    • Lab: RBAC via Cluster Role & ClusterRoleBinding
  • Services in Kubernetes
  • Lab: Kubectl CLI Basics
  • Theory: Overview of Kubernetes Cluster
  • Basic of Helm
    • Lab: Deploy the basic application using Helm
  • Lab: Deploying a Sample Application
    • Theory: Working of Sample Application
    • Lab: Validation of Sample Application
  • Kubernetes Security Testing
  • Kubernetes Attack Surface
  • Kubernetes Cluster Enumeration
    • Lab: External Kubernetes Cluster Enumeration
    • Lab: Internal Kubernetes Cluster Enumeration
  • Lab: Exploiting Vulnerable K8s Application
  • Attacking Role Based Access Controls
    • Lab: Exploit RBAC Misconfiguration
  • Post-exploitation: Container Breakout Techniques
    • Lab: Host PID True
    • Lab: Host Network True
    • Lab: Host IPC True
    • Lab: Host Volume Mount
    • Lab: Privileged True
  • Post-exploitation: Common Attack Techniques & Demo Setup
    • Demo: Docker Socket Mount:DIND
    • Demo: Setup Misconfigured Kube API Server
    • Lab: Misconfigured Kube API Server
    • Demo: Unauthenticated Kubernetes Dashboard
    • Lab: Unauthenticated Kubernetes Dashboard
    • Cleanup: Terminating Misconfigured Cluster
  • Lab: Exploiting Private Docker registry
  • Lab: Backdooring Docker Image
  • Theory: CVE-2021-25741
  • Theory: Docker Capabilities
• Day 2
  • OWASP Kubernetes Top 10
  • Automated Vulnerability Analysis of Kubernetes
    • Lab: RBAC: Kubernetes-rbac-audit
    • Lab: KubeSec
    • Lab: Kube Audit
    • Lab: Kube-bench
    • Lab: Kube-hunter
    • Lab: Checkov
  • Protection Strategies
  • Network Policies - Kubernetes
    • Lab: Secure Network Policies
  • Authorization Implementation
    • Lab: RBAC Authorization
  • Securing Secrets in Kubernetes
    • Lab: Basic Secrets
    • Lab: Sealed Secrets
  Kyverno Admission Controller
  • Setup & Demo: Basics of Kyverno
  • Lab: Basics of Kyverno
  • Network Fabric: Cilium
    • Demo: Basics of Cilium
    • Lab: Cilium
  • Hardening Kubernetes
    • Configure a Basic Security Context
    • Configure AppArmor Profiles
    • Configure Seccomp Profiles
  Istio Service Mesh
  • Lab: Istio Service Mesh
  • Demo: Kiali Dashboard
  • Quiz: Service Mesh
  Detection Strategies
  • Falco & EFK Logging and Monitoring Kubernetes Security Testing Lab
  • Lab: Kubernetes Security Testing CTF Lab
    • Lab: AWS Architecture Explanation
    • Lab: Kubernetes Cluster Explanation
    • Lab: Enumeration: From Vulnerable Cluster Web UI
  • CTF Challenge

Pre-requisite:

• Basic knowledge of the Linux command line
• Familiarity with system administration tasks like server and application configuration and deployment
• Understanding of container environments like Docker and distributed systems is advantageous

Participants Requirements:

At least 4GB & 2 CPU Laptops and access to wireless internet connectivity and updated browsers.

Duration

2 days

• Day 1: Introduction to Kubernetes & Attack Surfaces
• Day 2: Securing the Kubernetes Cluster

PaWho should attend:

• Developers, DevOps, DevSecops, Pentesters, and Cloud Engineers.
• Freshers willing to start Kubernetes Security.
• Red & Blue Teams, who want to learn both offensive and defensive sides.

What to expect:

• Hands-on experience with real-world problem scenarios along with concepts explained in detail.
• For the entire course, a step-by-step, comprehensive guide will be provided.
• Open source tools & resources for additional information on Kubernetes security
• Real-world scenarios were found during the Kubernetes penetration testing engagements.

What not to expect:

• In-depth coverage of general Kubernetes administration.
• Training on third-party tools and technologies that are not directly related to Kubernetes security.