Name: Crafty Requests: Deep Dive Into Kubernetes CVE-2018-1002105 - Ian Coldwater, Heroku
Start: 2019-05-22T11:55:00+0200
End: 2019-05-22T12:30:00+0200

Barcelona, Spain
May 20–23, 2019
Click here for more information and registration

View Conference Venue and Sponsor Showcase Map

Back To Schedule

Crafty Requests: Deep Dive Into Kubernetes CVE-2018-1002105 - Ian Coldwater, Heroku

Feedback form is now closed.

You may have heard about CVE-2018-1002105, one of the most severe Kubernetes security vulnerabilities of all time. But how does this flaw work? How can it be exploited, and what does it all mean?

This deep dive will walk the audience through the Kubernetes back end, going over relevant concepts like aggregated API servers, the kubelet API, and permissions for namespace-constrained users. We will explain the details of how this flaw works, how a cluster’s moving parts can fit together to create a vulnerable context, and the risks involved in leaving this CVE unpatched in the wild.

A live demonstration will show the audience exactly how easy it is to exploit this vulnerability. After explaining the attack pathways, the audience will leave with practical advice about mitigation and how to protect their clusters.

Speakers

Ian Coldwater

Director of Offensive Security, Twilio

Ian Coldwater is co-chair of Kubernetes SIG Security, a CNCF Ambassador, and a security researcher specializing in hacking and hardening Kubernetes, containers, and cloud native infrastructure. In their spare time, they like to read all the docs, participate in Capture the Flag competitions... Read More →

craftyrequests pdf

Wednesday May 22, 2019 11:55 - 12:30 CEST
Hall 8.0 C4

Security + Identity + Policy

Skill Level Intermediate (Mid-level experience)
Link to Session Recording https://youtu.be/VjSJqc13PNk

KubeCon + CloudNativeCon Europe 2019

Sign up or log in to save this to your schedule, view media, leave feedback and see who's attending!

Ian Coldwater