Kates’ Pot: Finding Attacks Against Kubernetes Deployments

While default deployments on managed platforms are getting safer and safer, the potential attack surface of Kubernetes remains a valuable target given its widespread adoption.
But how do you find new or even current attacks against Kubernetes instances?
Continuously monitoring and analyzing any publicly reachable cluster is one way; another is to deploy a honeypot that emulates an open instance, providing unique insights into ongoing and novel attacks.
This talk introduces a Kubernetes Honeypot and provides insights and interpretations into collected data and observed actions. Furthermore, it provides some recommendations and best practices for publicly reachable Kubernetes instances to mitigate common attacks.

The talk provides some insight into the observed threat landscape and aims to enrich discussions around common attack scenarios, detections, and mitigations. Providing more data to refine or update threat models for publicly reachable Kubernetes deployments could benefit the ecosystem in the long run.
The provided recommendations strive to improve awareness of common misconfigurations, which, combined with real-world event data, illustrate the potential dangers. The honeypot itself will be released as an open source project along with this talk.

About the Speaker