Kubecon 2021: A largely dry and corporate affair where the best bits involved a spot of Kubernetes-hacking roleplay
2021-05-10 19:12

A session on how to hack into a Kubernetes cluster was among the highlights of a Kubecon where the main events were generally bland and corporate affairs, perhaps indicative of the technology now being a de facto infrastructure standard among enterprises.

Kubernetes is huge, and if there was an underlying theme at the event it was that Kubernetes is becoming the standard runtime platform.

There was plenty of strong technical content at the event, though attendees were left in no doubt that Kubernetes is big business and there was a dry corporate flavour to much of the keynote content along with the usual mutual backslapping.

"Nobody is auditing anything." Enter CVE-2020-15257 - "The containerd-shim API is improperly exposed to host network containers." Körbes figured: "If I use a vulnerability in something Kubernetes is running on top of, I can bypass all Kubernetes security completely."
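As an added, defender-side example (not from the article or the talk): a small Python triage that pairs each node's containerd version with the pods that share the host network namespace, which is the combination CVE-2020-15257 concerns. It assumes the fixed versions 1.3.9 and 1.4.3 from the containerd advisory, and the node and pod data is constructed in the shape of `kubectl get ... -o json` output.

```python
import json

def parse_containerd_version(runtime_version):
    """Turn a node's status.nodeInfo.containerRuntimeVersion, e.g.
    'containerd://1.4.2', into (1, 4, 2); None if the runtime is not containerd."""
    runtime, _, ver = runtime_version.partition("://")
    if runtime != "containerd":
        return None
    core = ver.split("+")[0].split("-")[0]  # drop build / pre-release suffixes
    return tuple(int(p) for p in core.split(".")[:3])

def containerd_vulnerable(version):
    """CVE-2020-15257 was fixed in containerd 1.3.9 and 1.4.3 (assumption taken
    from the containerd advisory); anything older on those lines is affected."""
    return version < (1, 3, 9) or (1, 4, 0) <= version < (1, 4, 3)

def exposed_host_network_pods(nodes, pods):
    """Return 'namespace/pod' for pods that set spec.hostNetwork and are scheduled
    on a node whose containerd still exposes the shim's abstract socket to
    containers in the host network namespace."""
    bad_nodes = set()
    for node in nodes["items"]:
        v = parse_containerd_version(node["status"]["nodeInfo"]["containerRuntimeVersion"])
        if v is not None and containerd_vulnerable(v):
            bad_nodes.add(node["metadata"]["name"])
    findings = []
    for pod in pods["items"]:
        spec = pod["spec"]
        if spec.get("hostNetwork") and spec.get("nodeName") in bad_nodes:
            findings.append(f"{pod['metadata']['namespace']}/{pod['metadata']['name']}")
    return findings

# Constructed sample data shaped like `kubectl get nodes -o json` and
# `kubectl get pods -A -o json`; not taken from any real cluster.
SAMPLE_NODES = {"items": [
    {"metadata": {"name": "worker-a"}, "status": {"nodeInfo": {"containerRuntimeVersion": "containerd://1.4.2"}}},
    {"metadata": {"name": "worker-b"}, "status": {"nodeInfo": {"containerRuntimeVersion": "containerd://1.4.3"}}},
]}
SAMPLE_PODS = {"items": [
    {"metadata": {"namespace": "monitoring", "name": "node-exporter-x1"}, "spec": {"hostNetwork": True, "nodeName": "worker-a"}},
    {"metadata": {"namespace": "monitoring", "name": "node-exporter-x2"}, "spec": {"hostNetwork": True, "nodeName": "worker-b"}},
    {"metadata": {"namespace": "default", "name": "web-7f9"}, "spec": {"nodeName": "worker-a"}},
]}

if __name__ == "__main__":
    # Only the hostNetwork pod on the unpatched node is reported.
    print(json.dumps(exposed_host_network_pods(SAMPLE_NODES, SAMPLE_PODS)))
```

Pointing the two functions at real `kubectl` JSON gives a quick list of what to patch or move off hostNetwork first.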

There is more: we will not spoil the story completely as it will be published for all to enjoy from 14 May. "I struggled a lot to learn how to make talks engaging. The way to keep people engaging is with story," explained Körbes at the wrap-up later, while Sable said: "We realised, Kubernetes security is complex because it's the union of Linux security and network security and usually cloud provider security, and also Kubernetes has its own additional layer of complication there especially around RBAC and tying your shoes together with RBAC... I believe this is the first public demonstration of that Containerd exploit against Kubernetes."

"To me the power of Kubernetes is, if I'm building a simple app I can use that style, if I need to drop down and mess with the details of the application run stateful things, I can do that, all in one environment. I think we'll add that to the ways Kubernetes is consumed. The question is whether we'll do that in one way or whether there's going to be 35 ways for that to happen."

Related Vulnerability

2020-12-01 CVE-2020-15257 Incorrect Resource Transfer Between Spheres vulnerability in multiple products
containerd is an industry-standard container runtime and is available as a daemon for Linux and Windows.