Authors: Lenin Alevski
DFRWS USA 2025 — “History in the Making” — Jubilee 25th Anniversary
Abstract
Kubernetes is the de facto operating system of the cloud, and more and more organizations are running their workloads on Kubernetes. While Kubernetes offers many benefits, new users may introduce security risks like cluster misconfiguration, leaked credentials, crypto-jacking, container escapes, and vulnerable clusters.
This workshop will teach you the fundamentals of Kubernetes security, from protecting your cluster to securing your workloads. You’ll learn about RBAC, OPA, Security Contexts, Network Policies, and other security features. You’ll also learn how to exploit workloads running on a Kubernetes environment using Living Off the Land (LotL) techniques like exploiting Insecure APIs, Secrets Theft, Container Escape and Pod Privilege Escalation, similar to the ones used by real-world threat actors.
This workshop is designed for both beginners and advanced students. By the end of the workshop, you’ll have a deep understanding of Kubernetes security and the skills to protect your clusters and workloads.
Outline
- Kubernetes Security talk: ~40 mins
- Q/A for intro talk: 10 mins
- Break: 10 mins
- Hands-On Attack and Defense workshop: 3 hrs
  - Abusing docker for privilege escalation
  - Container escape
  - Create New Kubernetes Cluster Using Kind
  - Explore Kubectl Command
  - Explore k9s To Manage Your Cluster
  - Deploy Kubernetes Workload
  - Get a Shell to a Running Container
  - ConfigMaps & Secrets
  - Namespaces
  - Pod Security Context
  - Kubernetes certificate authority
  - Pod resource limits
  - Scratch Containers
  - Service Account Token
  - Network Security Policies With Calico
  - kube-bench: CIS Kubernetes Benchmark
  - kube-hunter: Hunt for security weaknesses in Kubernetes clusters
  - kube-linter: Check Kubernetes YAML files and Helm charts
  - terrascan: Static code analyzer for Infrastructure as Code
  - kubeaudit: Audit your Kubernetes clusters against common security controls
  - Challenge 1: NFT Museum
  - Challenge 2: Network debugging console
This workshop is based on my open-source labs published at https://github.com/Alevsk/dvka/blob/master/workshop/README.md
Required Materials
- Laptop with at least 8 GB of RAM (16 GB is recommended)
- Laptop with at least 40 GB of free space (for downloading and running the workshop VM)
- Internet connection, mostly to pull Docker images and the required tools (kind, kubectl, kustomize, etc.)
- Any Linux distribution (e.g. Kali or Ubuntu) or Mac OSX operating systems, or a virtual machine running them
Biography
Lenin Alevski is a Full Stack Engineer and security-focused generalist with a deep passion for Information Security. He currently works as a Security Engineer at Google, where he focuses on building and securing distributed systems, with expertise in application and cloud security. Outside of work, Lenin enjoys playing CTFs, contributing to open-source projects, and sharing insights on security and privacy through his blog at https://www.alevsk.com.