#GitLabCommit
How GitLab Can Save your Kubernetes environment from Being Hijacked - a Walk-Through
Nico Meisenzahl
● Senior Cloud & DevOps Consultant at white duck
● GitLab Hero, Microsoft MVP & Docker Community Leader
● Container, Kubernetes, Cloud-Native & DevOps
Phone: +49 8031 230159 0
Email: nico@whiteduck.de
Twitter: @nmeisenzahl
LinkedIn: https://www.linkedin.com/in/nicomeisenzahl
Blog: https://meisenzahl.org
Agenda
● Demo: Hijack a Kubernetes cluster - a walk-through
● How GitLab can help to prevent an attack
● Container & Kubernetes security best practices
Demo: Hijack a Kubernetes cluster - a walk-through
Hijack a Kubernetes cluster - a walk-through
● we will hijack the container through a vulnerability in the code of a web app
● we then use some common anti-patterns to gain further access within the Kubernetes cluster
Recap of the attack
● we injected custom code into the text box
○ played around a bit
○ opened a reverse shell into the container
● we used the privileged default Service Account to access the API
○ inspected secrets
○ scheduled a privileged Pod
With the privileged Pod, we could further hijack the cluster (access to Nodes, the Control Plane and even other Cloud resources).
How GitLab can help to prevent an attack
GitLab feature stages
Create stage
● Pair programming helps to produce better and more efficient code
● Required Merge Request Approvals let you opt in to multiple sign-offs (Premium, Ultimate)
Secure stage
● Secret Detection analyzes Git history for leaked secrets
● Dependency Scanning analyzes your dependencies for known vulnerabilities (Ultimate)
● Static Application Security Testing (SAST) analyzes source code for known vulnerabilities (some features require Ultimate)
● Dynamic Application Security Testing (DAST) analyzes running web applications for known vulnerabilities (Ultimate)
● API fuzzing finds unknown bugs and vulnerabilities in web APIs with fuzzing (Ultimate)
Configure stage
● Container Scanning scans container images for known vulnerabilities (Ultimate)
● Auto DevOps helps to reduce the complexity of software delivery by setting up pipelines and integrations for you
Protect stage
● Web Application Firewall filters, monitors, and prevents HTTP-based attacks (deprecated, will be removed in GitLab 14.0)
● Container Host Security provides Intrusion Detection and Prevention capabilities that can monitor and block activity inside the containers themselves
● Container Network Security filters and secures the network traffic inside a containerized environment to block attacks at the network layer (some features require Ultimate)
Container Security & further best practices
Container & Kubernetes security best practices
● understand the manifests you apply
● do not share privileged service accounts
● deny untrusted registries
● enforce rootless containers
● enforce read-only filesystem at runtime
● deny privileged containers
● deny egress traffic
● use distroless containers if possible
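The anti-patterns used in the demo recap (mounted default Service Account token, privileged Pod) map directly onto the checklist above. As an added example that is not part of the talk or its demo repository, the following Python check flags those anti-patterns in a Pod manifest before it is applied; the registry allowlist and both sample manifests are constructed for illustration, and the "deny egress traffic" item is a NetworkPolicy concern that a Pod-level check cannot cover.

```python
# Added example: a minimal admission-style check for the Pod-level items on the
# best-practices slide. TRUSTED_REGISTRIES and the sample manifests are constructed.
TRUSTED_REGISTRIES = ("registry.example.internal/",)  # assumption: your own registry

def check_pod(pod: dict) -> list[str]:
    """Return the policy violations found in a Pod manifest given as a dict."""
    spec = pod.get("spec", {})
    findings = []
    # Demo anti-pattern: the default Service Account token is auto-mounted into every
    # container, so code execution in the container becomes API access.
    if spec.get("automountServiceAccountToken", True):
        findings.append("service account token is auto-mounted")
    if spec.get("serviceAccountName", "default") == "default":
        findings.append("pod runs as the shared 'default' service account")
    pod_sc = spec.get("securityContext", {})
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        name = c.get("name", "<unnamed>")
        sc = c.get("securityContext", {})
        if sc.get("privileged", False):
            findings.append(f"{name}: privileged container")
        # a container-level setting overrides the pod-level default
        if not sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot", False)):
            findings.append(f"{name}: not enforced to run as non-root")
        if not sc.get("readOnlyRootFilesystem", False):
            findings.append(f"{name}: root filesystem is writable")
        image = c.get("image", "")
        if not image.startswith(TRUSTED_REGISTRIES):
            findings.append(f"{name}: image '{image}' is not from a trusted registry")
    return findings

# Constructed manifests: the insecure shape from the demo and a hardened variant.
INSECURE_POD = {"spec": {"containers": [{"name": "web", "image": "nginx",
                "securityContext": {"privileged": True}}]}}
HARDENED_POD = {"spec": {
    "serviceAccountName": "web-app",
    "automountServiceAccountToken": False,
    "securityContext": {"runAsNonRoot": True},
    "containers": [{"name": "web",
                    "image": "registry.example.internal/web-app:1.2.3",
                    "securityContext": {"privileged": False,
                                        "readOnlyRootFilesystem": True}}]}}

if __name__ == "__main__":
    for label, pod in (("insecure", INSECURE_POD), ("hardened", HARDENED_POD)):
        print(label, check_pod(pod) or "OK")
```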
Questions?
Slides: https://www.slideshare.net/nmeisenzahl
Demo: https://gitlab.com/nico-meisenzahl/hijack-kubernetes
GitLab features: https://about.gitlab.com/features
Phone: +49 8031 230159 0
Email: nico.meisenzahl@whiteduck.de
Twitter: @nmeisenzahl
LinkedIn: https://www.linkedin.com/in/nicomeisenzahl
Blog: https://meisenzahl.org
Thank You!

GitLab Commit DevOps: How GitLab Can Save your Kubernetes environment from Being Hijacked - a Walk-Through