DEF CON 30: The Call Is Coming From Inside the Cluster


Earlier today, my friend Will Kline and I presented at DEF CON 30. Our talk demonstrated the danger that vulnerabilities in third-party applications pose to Kubernetes clusters by attacking a cluster running vulnerable versions of Kiali, Fleet and Longhorn. The vulnerabilities we exploited came from our own research, and all of them were responsibly disclosed and patched before the talk.

I had a great time creating and recording the attack, so I decided to publish a walkthrough for anyone interested in trying the attacks out themselves. I also published the Longhorn exploit, which I've named Rustler.