Get a round trip ticket; from the Kubernetes workload to the public cloud and back
11-04, 15:10–15:40 (US/Central), ROOM 1

This talk will cover identities between a Kubernetes cluster and a cloud service provider (focusing on AWS). We will dive into every step of the authorization flow from a workload to a cloud service, how each of those decisions is made, and the ways they can be abused. This includes Kubernetes RBAC, Kubelet authorization, AWS IAM roles, S3 bucket policies and more. The talk will discuss the various identity-provider integration options, such as SAML and OIDC, and how each introduces its own attack vectors into the auth workflow. To conclude, we’ll summarize the attack techniques that best leverage misconfigurations of this complicated flow.


Additional info: We’ll be talking about how permissions are granted and leveraged by entities across the different planes of a containerized application hosted in a cloud service provider. It’s interesting to break down the differences between implicit and explicit permissions as they relate to the different components along the trail when you look at it from an attacker’s point of view.

Jeff Friedman is a staff software engineer at KSOC. He has built cloud-native, high-performance distributed systems in product engineering teams at CircleCI and EverQuote, ranging from real-time data analysis and data visualization applications to auction engines for insurance marketplaces. Prior to software engineering, Jeff worked in investment banking and management consulting.