Yossi Weizman & Ram Pliskin, Microsoft
From the Cluster to the Cloud: Lateral Movements in Kubernetes

Agenda
- Identity types in Kubernetes
- Inner-cluster lateral movement
- Cluster-to-cloud lateral movement: Azure, AWS and GCP
- Detections & mitigations
- Key takeaways

Identity types in Kubernetes
Three main areas:
- How users (or applications) from outside the cluster authenticate with the cluster.
- How workloads in the cluster authenticate within the cluster. (Inner-cluster lateral movement)
- How workloads in the cluster authenticate with resources in the cloud outside the cluster. (Cluster-to-cloud lateral movement)

Inner-cluster lateral movement
Let's assume a pod is compromised.
[Figure: cluster diagram, repeated across several animation builds. Control plane: API Server, etcd, scheduler, controller manager. Node 1: Pod A, Pod B. Node 2: Pod C, Pod D. Node 3: Pod E, Pod F.]
How can attackers leverage a compromised pod for cluster takeover?
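The first thing an attacker does in a compromised pod is work out which in-cluster identity the pod holds (the projected service account token) and what RBAC lets that identity do, since that decides whether the pod is a dead end or a path to other workloads. The following is an added example written for this page, not code from the talk or from Microsoft: it reads the claims of a service account token and evaluates a small, constructed set of Roles, ClusterRoles and bindings the way RBAC does, including the implicit system:serviceaccounts groups that every service account belongs to. The token, roles and bindings are constructed sample data; the evaluator mirrors RBAC semantics but is not the API server's code.

```python
"""Added example (not from the talk): which identity a compromised pod holds,
and what the RBAC objects bound to it allow. All data below is constructed."""
import base64
import json

# Where Kubernetes mounts the projected service account token inside a pod.
SA_TOKEN_PATH = "/var/run/secrets/kubernetes.io/serviceaccount/token"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_sample_token(namespace: str, sa_name: str) -> str:
    """Constructed, unsigned stand-in for a projected service account JWT."""
    header = {"alg": "RS256", "kid": "sample"}
    claims = {
        "iss": "https://kubernetes.default.svc.cluster.local",
        "sub": f"system:serviceaccount:{namespace}:{sa_name}",
        "aud": ["https://kubernetes.default.svc.cluster.local"],
        "kubernetes.io": {"namespace": namespace,
                          "serviceaccount": {"name": sa_name}},
    }
    return ".".join([_b64url(json.dumps(header).encode()),
                     _b64url(json.dumps(claims).encode()),
                     _b64url(b"not-a-real-signature")])  # constructed


def token_identity(token: str) -> dict:
    """Read the claims only; no signature check. From inside the pod we only
    want to know who we are, the API server is what verifies the token."""
    _, payload, _ = token.split(".")
    claims = json.loads(_b64url_decode(payload))
    k8s = claims["kubernetes.io"]
    ns = k8s["namespace"]
    return {
        "user": claims["sub"],
        "namespace": ns,
        # Every service account is implicitly in these groups, so a binding
        # to either group reaches this pod even if it was never named.
        "groups": ["system:serviceaccounts", f"system:serviceaccounts:{ns}",
                   "system:authenticated"],
    }


def _rule_allows(rule: dict, verb: str, resource: str) -> bool:
    return (("*" in rule["verbs"] or verb in rule["verbs"]) and
            ("*" in rule["resources"] or resource in rule["resources"]))


def rbac_allows(identity: dict, verb: str, resource: str,
                namespace, roles: dict, bindings: list) -> bool:
    """Evaluate verb/resource for identity the way RBAC does.

    namespace=None is a cluster-scoped request (e.g. secrets in every
    namespace), which only a ClusterRoleBinding can grant.
    roles maps (kind, namespace-or-None, name) -> list of rules.
    """
    names = {identity["user"], *identity["groups"]}
    for b in bindings:
        if names.isdisjoint(b["subjects"]):
            continue
        if b["kind"] == "RoleBinding" and b["namespace"] != namespace:
            continue  # a RoleBinding only grants inside its own namespace
        ref = b["roleRef"]
        key = (("ClusterRole", None, ref["name"]) if ref["kind"] == "ClusterRole"
               else ("Role", b["namespace"], ref["name"]))
        if any(_rule_allows(r, verb, resource) for r in roles.get(key, [])):
            return True
    return False


# Constructed RBAC state for the example.
SAMPLE_ROLES = {
    ("ClusterRole", None, "secret-reader"): [
        {"verbs": ["get", "list"], "resources": ["secrets"]}],
    ("Role", "prod", "pod-exec"): [
        {"verbs": ["create"], "resources": ["pods/exec"]},
        {"verbs": ["get", "list"], "resources": ["pods"]}],
}
SAMPLE_BINDINGS = [
    # The classic misconfiguration: a ClusterRole bound to every service account.
    {"kind": "ClusterRoleBinding", "namespace": None,
     "subjects": ["system:serviceaccounts"],
     "roleRef": {"kind": "ClusterRole", "name": "secret-reader"}},
    {"kind": "RoleBinding", "namespace": "prod",
     "subjects": ["system:serviceaccount:prod:web"],
     "roleRef": {"kind": "Role", "name": "pod-exec"}},
]


def lateral_movement_checks(token, roles=SAMPLE_ROLES, bindings=SAMPLE_BINDINGS):
    """The checks an attacker in the pod runs first (what kubectl auth can-i asks)."""
    ident = token_identity(token)
    ns = ident["namespace"]
    return {
        "list secrets cluster-wide": rbac_allows(ident, "list", "secrets", None, roles, bindings),
        "exec into pods in own namespace": rbac_allows(ident, "create", "pods/exec", ns, roles, bindings),
        "exec into pods in kube-system": rbac_allows(ident, "create", "pods/exec", "kube-system", roles, bindings),
    }


if __name__ == "__main__":
    tok = make_sample_token("prod", "web")
    print(token_identity(tok))
    for check, ok in lateral_movement_checks(tok).items():
        print(f"{check}: {'allowed' if ok else 'denied'}")
```

The second token in the test below (a service account in a different namespace with no binding of its own) still reads every secret in the cluster: the group binding is what grants it, which is why bindings to system:serviceaccounts or system:authenticated are the first thing to audit.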