I Own Your Cluster: My Talk at BSides TLV 2024

Last year at BSides Tel Aviv 2024 – one of the largest, and known for its technical depth and strong community – I had the incredible opportunity to take the stage and share a discovery that had a significant impact on the Kubernetes and cloud security world.

🎥 Watch the full talk here:



🎤 The Talk: “I Own Your Cluster”

Over 1,400 cyber professionals packed the venue during Cyber Week, and I presented a research journey titled “I Own Your Cluster” – an exposé of a chain attack I uncovered targeting AWS EKS (Elastic Kubernetes Service) clusters.

The TL;DR?
I demonstrated how an attacker could move laterally from a restricted container in Kubernetes, all the way to full EKS cluster takeover, using two high-risk vulnerabilities and a clever abuse of default IAM roles, metadata endpoints, and container images.

Yes, thousands of clusters and customers were at risk.


🧠 The Research: From a Pod to Pwn

It all started with a question: “What can I do from a low-privilege pod if I get inside?”
The answer was… way too much.

🔗 The Chain Attack Flow:

  1. Access IMDSv2 from inside a container and abuse it using the Gopher protocol.
  2. Retrieve temporary tokens linked to the EKS node IAM role.
  3. Use those tokens to enumerate ECR repositories and access all container images.
  4. Generate a new kubeconfig and bypass RBAC restrictions.
  5. Create vulnerable pods to execute code on other nodes.
  6. And finally… take over the whole cluster.

Bonus: We even showed how similar logic applies to Azure Kubernetes Service (AKS) via azure.json.


🔥 Highlights from the Stage

  • A live demo showing real-world exploitation with Ngrok tunneling and minimal privileges.
  • Kubernetes API and RBAC bypass tricks you won’t find in most blogs.
  • Released KubeKiller – a beta offensive security toolkit for Kubernetes research (co-authored with Ishay Tsabari).

🔒 Mitigations That Actually Work

I didn’t just drop a bomb – I brought fire extinguishers.

Here are a few critical fixes:

  • Block pod access to IMDS using security group rules.
  • Enforce least privilege on EKS node IAM roles.
  • Monitor usage of mirror pods and access to azure.json.

More mitigation tips are available here and in the talk.
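To make the IMDS mitigation checkable, here is a small audit of EKS worker-node metadata options. This is an added example, not code from the talk or from KubeKiller: with IMDSv2 required and a PUT-response hop limit of 1, the token response cannot cross the extra network hop into a pod's own network namespace. The record shape mirrors the `MetadataOptions` block that `ec2:DescribeInstances` returns per instance; the node records below are constructed samples.

```python
"""Added example (not from the talk or KubeKiller): audit EKS worker-node
metadata options for pod-reachable IMDS. Record shape mirrors the
MetadataOptions block returned per instance by ec2:DescribeInstances."""
from dataclasses import dataclass


@dataclass
class Finding:
    instance_id: str
    severity: str  # "high", "medium" or "ok"
    reason: str


def assess_imds(instance: dict) -> Finding:
    """Classify one instance record by how easily a pod can reach its IMDS."""
    iid = instance["InstanceId"]
    opts = instance.get("MetadataOptions", {})
    if opts.get("HttpEndpoint") == "disabled":
        return Finding(iid, "ok", "IMDS endpoint disabled on the node")
    # Treat absent keys as the classic permissive EC2 defaults.
    tokens = opts.get("HttpTokens", "optional")
    hops = int(opts.get("HttpPutResponseHopLimit", 1))
    if tokens != "required":
        # IMDSv1 answers plain GETs, so any pod with a route to
        # 169.254.169.254 can read the node role's credentials.
        return Finding(iid, "high", "IMDSv1 allowed (HttpTokens=optional)")
    if hops > 1:
        # IMDSv2 token PUT responses carry TTL = hop limit; a value above 1
        # lets them cross into a pod's own network namespace.
        return Finding(iid, "medium", f"IMDSv2 PUT hop limit is {hops}, pods can obtain tokens")
    # Pods on hostNetwork share the node's namespace and bypass the hop
    # limit; this check cannot see that, so review hostNetwork workloads too.
    return Finding(iid, "ok", "IMDSv2 required with hop limit 1")


def audit(instances: list[dict]) -> list[Finding]:
    """Return only the instances that still expose IMDS to pods."""
    return [f for f in (assess_imds(i) for i in instances) if f.severity != "ok"]


# Constructed sample records (not real instances).
SAMPLE_NODES = [
    {"InstanceId": "i-0aaa", "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional", "HttpPutResponseHopLimit": 1}},
    {"InstanceId": "i-0bbb", "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required", "HttpPutResponseHopLimit": 2}},
    {"InstanceId": "i-0ccc", "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required", "HttpPutResponseHopLimit": 1}},
    {"InstanceId": "i-0ddd", "MetadataOptions": {"HttpEndpoint": "disabled"}},
]

if __name__ == "__main__":
    for f in audit(SAMPLE_NODES):
        print(f"{f.instance_id}: {f.severity}: {f.reason}")
```

In a live account the same function can be fed the `Reservations[].Instances[]` records from `describe_instances`, filtered to the node group's instances.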


🧩 Why This Matters

Kubernetes is powerful but complex. The cloud gives you flexibility, but also… a false sense of security.
What we showed is that default configurations and hidden IAM relationships can quickly become critical liabilities.

Organizations running workloads on EKS or AKS must treat containers as potential entry points and enforce cloud-native security practices from day zero.


👋 Final Thoughts

Presenting this research at BSides TLV was an honor.
The crowd’s energy, the challenging questions, and the conversations that followed were a testament to the evolving interest in cloud-native security.

Let’s not wait for attackers to find the gaps. Let’s close them before they do.

📬 Let’s connect:

See you at the next con!
