The call is coming from inside the building: Post-Exploitation with Kubernetes Webhooks


Admission Controllers are an integral part of Kubernetes Security. Specifically, Access Control. These take the form of mutating and validating web-hooks. Kubernetes clusters use these webhooks to enforce/mutate security policy checks. Everything from security context to memory limits can be enforced through the use of these webhooks. However, attackers can leverage custom-built webhooks as a way of maintaining persistence in an exploited Kubernetes cluster. In this talk, I will detail the admission controller implementation in Kubernetes. I will build and deploy both mutating and validating, malicious webhooks to a cluster to demonstrate a bevy of post-exploit persistence approaches that one can leverage, entirely using Kubernetes webhooks.

These techniques have been used by my team and I during several Kubernetes red-team engagements. At the end of the session, I will open-source a set of easy to deploy malicious admission controllers for kubernetes that can be used as “plug-and-play” post-exploit webhooks. These can perform a variety of post-exploitation activities ranging from stealing secrets to adding malicious sidecars.

Speakers Information

Abhay Bhargav

Abhay Bhargav is the Founder of we45, a focused Application Security Company and the Chief Research Officer of AppSecEngineer, an elite, hands-on online training platform for AppSec, Cloud-Native Security, Kubernetes Security and DevSecOps. Abhay started his career as a breaker of apps, in pentesting and red-teaming, but today is more involved in scaling AppSec with Cloud-Native Security and DevSecOps. He has created some pioneering works in the area of DevSecOps and AppSec Automation, including the world’s first hands-on training program on DevSecOps, focused on Application Security Automation. In addition to this, Abhay has contributed to pioneering work in the Vulnerability Management space, being the architect of a leading Vulnerability Management and Correlation Product, Orchestron, from we45. Abhay is also committed to Open-Source and has developed the first-ever Threat Modeling solution at the crossroads of Agile and DevSecOps, called ThreatPlaybook. Abhay is a speaker and trainer at major industry events including DEF CON, BlackHat, OWASP AppSecUSA, EU and AppSecCali. His trainings have been sold-out events at conferences like AppSecUSA, EU, AppSecDay Melbourne, CodeBlue (Japan), BlackHat USA, SHACK and so on. He’s authored two international publications on Java Security and PCI Compliance as well.

View Full Schedule

Subscribe to Our Mailing List

Join our community mailing list for updated on conference annoucements, important dates and discussions.