BSidesPGH has ended
Friday, July 8 • 11:00 - 11:45
Securing AND Pentesting the Flying Spaghetti Monster (k8s)
Oh sure, Kubernetes is the Bomb! But is it secure out-of-the-box? Oh hell no! Let's see if we can change that. Let's start with a live Kubernetes cluster running on a stack of Pis (there are visuals). So we have an app and we deploy it, but before we do that, let's make sure our cluster is secure.

We've all heard of it - Kubernetes - but do you really know what it is and, more importantly, how to set it up securely? The Great Spaghetti Monster isn't too difficult to secure if you just stop and use common sense (wait, WHAT?) security best practices. These techniques are for everyone - even those who have been playing with Kubernetes for some time.

Let's talk about Docker (and containerd), baby!

You have to start somewhere, and containers are the place. Next, let's intro Kubernetes and the magic world of orchestration and what it really means to orchestrate containers. Then the fun begins as I demo a small Raspberry Pi stack with Kubernetes on it to show a live cluster with "visual aids" (very bright LEDs that show containers jumping from node to node).

As the brief Kubernetes demo concludes, it's time to bring in security by demonstrating the security plug-ins and tools used. Techniques are shown for best-in-show k8s security configuration. Remember this concept - "Common Sense"? Let's see if we can apply it with some best practices and build out the secure cluster.
The focus here is security threats to a Kubernetes cluster, its containers and the apps deployed on it. A review of typical attack vectors in containers and Kubernetes clusters is shown with fun and exciting(?) pentesting tools specifically formulated for k8s.

Now the fun begins - we have secured our cluster and our containers, but how can we be sure? Let's put our blue-team skills to the test with some red-team skills and pentest our cluster. It's time to present some live security testing tools that are best suited for testing k8s. This is where the rubber meets the road, or in this case, where, wait for it ----- common sense prevails!!

Key Takeaways

1. k8s, what is it and why do I care, in real words, not fancy terms
2. Common sense techniques are still a thing and we prove it!
3. What tools we use and why
4. Pentesting in a k8s world is just a tiny bit different, and you will learn how.

The point here: you WILL walk away with practical examples of what to do and what NOT to do. This isn't theoretical.


Speakers

Kat Fitzgerald

Security Engineering Mgr, Google
Based in Seattle and a natural creature of winter, you can typically find me sipping Grand Mayan Extra Anejo whilst simultaneously defending my systems using OSS, magic spells and Dancing Flamingos. Honeypots & Refrigerators are a few of my favorite things! Fun Fact: I rescue Feral...


Friday July 8, 2022 11:00 - 11:45 EDT
Track 0