From the Cluster to the Cloud: Lateral Movements in Kubernetes

Explore novel techniques used in recent real-world attacks that enabled adversaries to move laterally from a container in a Kubernetes cluster to external cloud resources in this 36-minute conference talk. Delve into inner-cluster lateral movement, focusing on Kubernetes RBAC configurations that unexpectedly allowed such movements and served as the root cause of vulnerabilities in containerized applications. Learn how to identify these activities using native Kubernetes tools. Examine cluster-to-cloud lateral movement, with emphasis on cluster-to-cloud authentication methods employed by major cloud providers like Azure, AWS, and GCP. Understand the three main authentication approaches: direct/modified access to IMDS, using Kubernetes as an OIDC identity provider, and storing credentials on underlying nodes. Analyze real-world incidents of cloud environment takeovers originating from Kubernetes clusters, and discover methods to prevent and detect such activities.

From the Cluster to the Cloud: Lateral Movements in Kubernetes - Yossi Weizman & Ram Pliskin