Kubernetes Crusade: Deep Dive into Attacks, Defense & Mitigations

• Understanding Kubernetes core concepts and security layers
• Building and validating a kind cluster with Cilium
• Docker layers, namespaces,s and cgroups with practical labs
• Authentication and authorization in Kubernetes with RBAC
• Deploying and validating a sample application with Helm
• Attacking and enumerating Kubernetes clusters from external and internal vantage points
• Exploiting a vulnerable Kubernetes application
• RBAC abuse and remediation
• Container breakout techniques, including host PI,D host network, host IPC, host volume and privileged pods
• Common attack setups include Docker socket DIND misconfigured API server and unauthenticated dashboard
• Image and registry abuse, including private registry testing and image backdooring
• Automated analysis with Kubernetes RBAC audi,t Kubescape kube-bench kube-hunter and Checkov
• Network policies with Kubernetes and Cilium
• Securing secrets with native Secrets and Sealed Secrets
• Admission control with Kyverno
• Hardening with securityContext and distroless images and scanning with Clair
• Istio service mesh with mTLS between services
• SBOM generation with Syft Grype and the Docker SBOM plugin
• Securing CI and CD with Tekton Chains and verifying SLSA provenance with x509 keys
• Threat modelling GitOps pipelines using open-source Argo CD

Course Outline — Day 1: Container & Kubernetes Fundamental Security

• Welcome
  • Introduction
  • Agenda
• Prerequisites
• Kubernetes & Container Basics
  • Introduction to Container Security
  • Preparing the Environment for Lab Setup
  • Understanding Container Layers
    • Lab: Docker Layers & Dockerfile Demo
    • Lab: Dive For Secret Exfiltration
    • Lab: Namespaces & Cgroup in Docker
      • Lab: How Docker Spawns and Isolates Containers using Namespaces
  • Introduction to Kubernetes
  • Explanation of Key Kubernetes Components
    • Important Kubernetes Terminologies
  • Establishing a Kubernetes Cluster via Cilium
    • Lab: Setup Kind
    • Lab: Kind Cluster Validation
  • Difference between Minikube, K3s, Kind & Kubeadm
  • Lab: Validation of Cluster Configuration
  • Authentication & Authorization in K8s
    • Lab: Authentication In K8s
    • Lab: RBAC via Role & RoleBinding
    • Lab: RBAC via ClusterRole & ClusterRoleBinding
  • Services in Kubernetes
  • Lab: Kubectl CLI Basics
  • Theory: Overview of Kubernetes Cluster
  • Basics of Helm
    • Lab: Deploy basic application using Helm
  • Lab: Deploying a Sample Application
    • Theory: Working of Sample Application
    • Lab: Validation of Sample Application

Course Outline — Day 2: Kubernetes Security, OWASP K8s Top 10 & Advanced Exploitation

• Kubernetes Security Testing
  • Kubernetes Attack Surface
  • Kubernetes Cluster Enumeration
    • Lab: External Kubernetes Cluster Enumeration
    • Lab: Internal Kubernetes Cluster Enumeration
  • Lab: Exploiting Vulnerable K8s Application
  • Attacking Role-Based Access Controls
    • Lab: Exploit RBAC Misconfiguration
  • Post-exploitation: Container Breakout Techniques
    • Lab: Host PID True
    • Lab: Host Network True
    • Lab: Host IPC True
    • Lab: Host Volume Mount
    • Lab: Privileged True
  • Post-exploitation: Common Attack Techniques & Demo Setup
    • Demo: Docker Socket Mount (DIND)
    • Demo: Setup Misconfigured Kube API Server
      • Lab: Misconfigured Kube API Server
    • Demo: Unauthenticated Kubernetes Dashboard
      • Lab: Unauthenticated Kubernetes Dashboard
      • Cleanup: Terminating Misconfigured Cluster
    • Lab: Exploiting Private Docker Registry
    • Lab: Backdooring Docker Image
• OWASP Kubernetes Top 10
• Automated Vulnerability Analysis of Kubernetes
  • Lab: RBAC scan via kubernetes-rbac-audit
  • Lab: Audit via Kubescape
  • Lab: CIS Benchmarking with kube-bench
  • Lab: Cluster scan via kube-hunter
  • Lab: Scanning via Checkov

Course Outline — Day 3: Defense in K8s — Hardening, Protection & CTF

• Protection Strategies
  • Network Policies — Kubernetes
    • Lab: Secure Network Policies
  • Authorization Implementation
    • Lab: RBAC Authorization
  • Securing Secrets in Kubernetes
    • Lab: Basic Secrets
    • Lab: Sealed Secrets
  • Kyverno Admission Controller
    • Demo: Setup of Kyverno
    • Lab: Basics of Kyverno
  • Network Fabric: Cilium
    • Demo: Basics of Cilium
    • Lab: Cilium
• Hardening Kubernetes
  • Lab: Configure a Basic Security Context
  • Lab: Using Distroless for Building Lightweight Docker Images & Scanning via Clair
  • Istio Service Mesh
    • Lab: Istio Service Mesh
• Detection Strategies
  • Lab: Runtime Threat Detection via Falco
• Software Supply Chain Security
  • Overview of Supply Chain Threats
  • SBOM Generation using Syft and Grype
  • Lab: SBOM for images using Docker SBOM Plugin
  • Secure the CI/CD Supply Chain with Tekton Chains
  • Importance of SLSA Framework and Provenance Attestation
  • Lab: Setup cluster using k3s
  • Lab: Signing and Verifying Tekton Pipeline Provenance with x509 Keys
• Threat Modelling GitOps
  • Lab: Threat Modelling GitOps Pipelines using Argo CD
• Capture-the-Flag (CTF) style exercises and wrap-up

Additional Practical / Logistics Items

• Environment checklist: required software & versions
• Lab access and troubleshooting tips
• Post-training resources and labs access
• Q&A and continued learning suggestions

• Laptop with a minimum of 4GB RAM, 2 CPU cores and 10GB free disk space
• Network Connectivity or USB ports for data transfer
• Firefox browser installed, specifically for Windows environments.
• Mobile data connection for enabling a hotspot, as the lab exercises require internet access
• Access to wireless internet connectivity for online activities and lab exercises.
• Windows Laptop with admin access & endpoint security, antivirus & VPN disabled.
• Please ensure network access to securitydojo.co.in for Hands-on Lab.

• Basic knowledge of the Linux command line.
• Familiarity with system administration tasks like server and application configuration and deployment
• A basic understanding of container environments like Docker and distributed systems is advantageous.

• Security Researchers & Professionals: Those looking to delve deep into the world of Kubernetes vulnerabilities, from discovery to exploitation.
• Developers & DevOps Experts: For those who architect and deploy Kubernetes, and need to understand its attack vectors and defense strategies.
• DevSecOps Practitioners: Integrating security into DevOps is crucial. Grasp the nuances of Kubernetes security to elevate your organizations defense posture.
• Pen testers & Cloud Engineers: Master techniques to test the resilience of Kubernetes deployments and understand common misconfigurations.
• Red Teams and Blue Teams: Experience both the offensive techniques to exploit Kubernetes and the defensive measures to protect it.
• Beginners in Kubernetes Security: Start your journey with a comprehensive understanding of the threatscape in the Kubernetes ecosystem.

• Not slide-heavy lectures, instead of hands-on labs and exploitation exercises.
• If participants are not comfortable working in a Linux cli.
• If participants are looking for certification training and Kubernetes Administration.

• Valuable Offensive and Defensive Assets: Receive a comprehensive PPT presentation, a cheat sheet for Kubernetes pen testing.
• In-depth Learning Materials: Detailed theory PDFs encapsulating workshop content, ensuring you have resources for reference and deeper exploration.
• Practical Tools for Hands-on Experience: Deployment YAML files and source code for a purposely vulnerable application, letting attendees test their skills in a safe environment.
• CTF Solving Skill: After the workshop, participants will be able to solve various online-hosted Kubernetes security CTFs.
• Terraform code & steps to deploy EKS cluster for further learning.
• Vulnerable Deployment Code to deploy applications.
• Attendees get a cloud-based IDE for running labs free for the entire course period