Every #Kubernetes cluster admin MUST watch "Advanced Persistence Threats" session from @IanColdwater @bradgeesaman #KubeCon #CloudNative. So much knowledge and goodness - thanks for sharing. I've been trying to get people to understand this attack vector for a long time 👇
You all did a much better job than me articulating it. Ahhh!!! Watching this hurts! I even wrote a chapter on this in Kubernetes Best Practices O'Reilly book. I wake up in cold sweats knowing how easy it is to leave this open! Biting my nails again.
Heartburn watching this. I suspect my pain isn't going to stop here. Anxious for what's going to happen here.
Crap - now we are bypassing the API server with a shadow API server. I need to sit down for this
I'm just going to leave this here
I love how casual both Ian and Brad sound throughout this session - "I'm just going to dump all the secrets on the cluster out via the shadow API server". It's almost like listening to a David Attenborough documentary. Meanwhile - I have heart palpitations.
C2BERNETES! I don't even want to know my blood pressure right now
Me watching this session
Please look at this diagram long and hard. "I think we could install a control-plane component on another cloud (who blocks tcp 443?). With cluster admin on the target cluster we can deploy a workload that escapes the container to the underlying host on every worker node." Brad
"From there, we can install the k3s node in the background with a configuration to auto-join our k3s cluster on start and then the container just exits a couple of seconds after establishing that persistence. The end result is having access to the host file system"
"And the best part is, the target cluster is still fully operational. We didn't break anything to make this happen. The next time the cluster admin runs kubectl get pods, they won't even know a thing or see any logs" -- I believe that's a mic drop right there.
This is the stuff of nightmares. But I'm honestly thankful that Ian and Brad are sharing this.
Demoing this exploit on *KS clusters from all providers..... When you both run for president - just share this image for your candidacy announcement statement. It's proof enough. Frakenhonk!
Casually "How's that for a multi-cloud strategy" says Ian. Nothing but net 🏀🗑️
Just grabbing all mounted secrets from all nodes. Nothing to see here.
Now grabbing cloud credentials. I think I'm going to turn my computer off now and unplug it from the electricity.
Now reviving kubelet-exploit. 2020 is really the gift that keeps on giving. This flower is making me happy though
Look ma, no hands!
OH: kube-proxy
Absolutely awesome session! Thanks again
Hang around for the Q&A. It's very insightful. Margarita time for me.
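The first step of the chain Brad describes in the tweets above is a cluster-admin workload that escapes to the underlying host on every worker node, and the only visible trace of that step in the API is the pod spec that did it. As an added example (not code from the session, the speakers or this thread), the Python below audits `kubectl get pods -A -o json` output for the spec settings that give a container a path to the host (host namespaces, hostPath volumes, privileged containers, escape-grade capabilities) and marks which flagged pods are DaemonSet-owned, i.e. land on every node. The pod documents are constructed for the example; the names, the `ESCAPE_CAPS` set and the function names are assumptions, not anything the session used.

```python
"""Audit pod specs for the host-escape capabilities the persistence chain
relies on: a workload that reaches the underlying host on every worker node.
Added example, not from the talk or the thread; the pod documents are
constructed to look like `kubectl get pods -A -o json` output."""

import json

# Capabilities that on their own give a path out of the container (assumed list).
ESCAPE_CAPS = {"SYS_ADMIN", "SYS_PTRACE", "SYS_MODULE", "ALL"}

# Constructed sample: one ordinary pod, one DaemonSet pod shaped like the
# escape-to-host workload described in the thread, and one legitimate
# node-exporter-style DaemonSet that a crude rule would also catch.
SAMPLE_PODS_JSON = json.dumps({"items": [
    {"metadata": {"name": "coredns-abc", "namespace": "kube-system"},
     "spec": {"containers": [{"name": "coredns", "image": "coredns:1.8"}]}},
    {"metadata": {"name": "node-helper-x1z", "namespace": "default",
                  "ownerReferences": [{"kind": "DaemonSet", "name": "node-helper"}]},
     "spec": {"hostPID": True, "hostNetwork": True,
              "volumes": [{"name": "root", "hostPath": {"path": "/"}}],
              "containers": [{"name": "helper", "image": "busybox",
                              "securityContext": {"privileged": True},
                              "volumeMounts": [{"name": "root", "mountPath": "/host"}]}]}},
    {"metadata": {"name": "node-exporter-q2", "namespace": "monitoring",
                  "ownerReferences": [{"kind": "DaemonSet", "name": "node-exporter"}]},
     "spec": {"hostPID": True,
              "volumes": [{"name": "proc", "hostPath": {"path": "/proc"}},
                          {"name": "sys", "hostPath": {"path": "/sys"}}],
              "containers": [{"name": "exporter", "image": "node-exporter:1.0",
                              "volumeMounts": [{"name": "proc", "mountPath": "/host/proc", "readOnly": True},
                                               {"name": "sys", "mountPath": "/host/sys", "readOnly": True}]}]}},
]})


def pod_escape_indicators(pod):
    """Return the settings in one pod spec that let it reach the host."""
    spec = pod.get("spec", {})
    found = []
    for ns_flag in ("hostPID", "hostNetwork", "hostIPC"):
        if spec.get(ns_flag):
            found.append(ns_flag)
    for vol in spec.get("volumes", []):
        host_path = vol.get("hostPath")
        if host_path:
            found.append("hostPath:" + host_path.get("path", "?"))
    for ctr in spec.get("initContainers", []) + spec.get("containers", []):
        sec = ctr.get("securityContext") or {}
        if sec.get("privileged"):
            found.append("privileged:" + ctr["name"])
        for cap in (sec.get("capabilities") or {}).get("add") or []:
            if cap.upper() in ESCAPE_CAPS:
                found.append("cap:%s:%s" % (cap.upper(), ctr["name"]))
    return found


def runs_on_every_node(pod):
    """True when the pod is owned by a DaemonSet, i.e. scheduled on all nodes."""
    owners = pod.get("metadata", {}).get("ownerReferences", [])
    return any(o.get("kind") == "DaemonSet" for o in owners)


def audit_pods(pods_json):
    """Map 'namespace/name' -> findings for every pod with escape indicators."""
    report = {}
    for pod in json.loads(pods_json).get("items", []):
        indicators = pod_escape_indicators(pod)
        if not indicators:
            continue
        meta = pod["metadata"]
        key = meta.get("namespace", "default") + "/" + meta["name"]
        report[key] = {"every_node": runs_on_every_node(pod),
                       "indicators": indicators}
    return report


if __name__ == "__main__":
    for key, finding in audit_pods(SAMPLE_PODS_JSON).items():
        scope = "EVERY NODE" if finding["every_node"] else "single pod"
        print("%-32s %-10s %s" % (key, scope, ", ".join(finding["indicators"])))
```

Feed it the real output of `kubectl get pods -A -o json` and compare the flagged set against the DaemonSets you know you run; the node-exporter entry in the sample shows why an allowlist is needed rather than blanket alerting. The check only sees the moment the escape workload exists: per the thread, the container exits seconds after joining the host to the attacker's k3s cluster, so the persistence itself lives on the node, outside any pod, and needs node-level inventory (unexpected services or processes, outbound TCP 443 from workers to destinations that are not your provider) to find.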
Keep Current with Lachlan Evenson