Jeff Friedman is a staff software engineer at KSOC. He has built cloud-native, high-performance distributed systems on product engineering teams at CircleCI and EverQuote, ranging from real-time data analysis and data visualization applications to auction engines for insurance marketplaces. Prior to software engineering, Jeff worked in investment banking and management consulting.
This talk will cover identities between a Kubernetes cluster and a cloud service provider (focusing on AWS). We will walk through every step of the authorization flow from a workload to a cloud service, covering how each decision is made and the ways it can be abused. This includes Kubernetes RBAC, Kubelet authorization, AWS IAM roles, S3 bucket policies and more. The talk will discuss various options for identity provider integrations, such as SAML and OIDC, and the unique attack vectors each introduces into the authorization workflow. To conclude, we'll summarize the attack techniques that would best leverage misconfigurations of this complicated flow.