All graphical assets in this template are licensed for personal and commercial use. If you’d like to use a specific asset, please check the license below

Masterclass: Kubernetes Hacking

Ctrl+Alt+Hack: Hacking Kubernetes For Fun and Profit!
15th December 2023, 6:30 AM ET (5 PM - 6 PM IST)

Masterclass Session Recording and Slides

Slides for the hands on covered in the class
Video Recording of the Masterclass

Session Details

Registration Opens: 5th December 2023, 7:30 AM ET (6 PM IST)
Registration Closes:
12th December 2023, 11:30 AM ET (10 PM IST)
Masterclass Time and Date:
15th December 2023, 6:30 AM ET (5 PM - 6 PM IST)

Only the registered participants will receive the link to join the class and pre-requisites. Although optional, it is highly recommended that you come with the pre-requisites complete so that you can get the maximum out of the class.

Why should you attend this masterclass?

As more dev teams choose automation and container technologies to run their ops and infrastructure, it becomes important to understand the real world attacks and misconfigurations that Kubernetes can have. Owing to its complexity and even sometimes due to business requirements Kubernetes clusters get misconfigured resulting in attacker abuse.

This masterclass is a pure offensive mindset driven hands on class that will teach the students about common misconfigurations within Kubernetes setups and how these misconfigurations can lead to different results based on whether the cluster is an unmanaged or managed cluster.

By the end of the class you will have learnt the following
  1. Identifying and finding potentially vulnerable Kubernetes clusters using OSINT tools
  2. Common Kubernetes Security controls that will come in the way of attackers
  3. Identifying Overly privileged RBAC components
  4. Exploiting Web App and API vulnerabilities to gain access to Kubernetes cluster and underlying network/node/cloud provider
  5. Some of the differences (and advantages) attackers need to be aware when targeting managed clusters in the cloud
The techniques that will be covered in the masterclass are a small subset of the K8S Penetration Testing Service that Appsecco runs.

Who should register?

This masterclass is for those who want to hack and pentest Kubernetes clusters. You know Kubernetes clusters can be misconfigured resulting in weaknesses that can be exploited. Now you want to learn the what and the how.
We want you to get the most out of this masterclass. This Kubernetes Hacking Masterclass is best suited with the following kept in mind
  1. You have some hands on experience setting up, managing and administering Kubernetes clusters.
  2. You are curious how hackers attack and exploit Kubernetes clusters in the wild
  3. You understand the technical nuances of Kubernetes and containers technologies and want to enhance your knowledge of security
  4. You are comfortable with running commands and are familiar with networking concepts
  5. You have worked with or are familiar with cloud concepts and terminology in Google Cloud

Who is the trainer?

Riyaz Walikar, chief hacker at Appsecco.
Riyaz Walikar
Riyaz is a Technical Advisor / Chief Hacker at Appsecco and leads R&D for our offsec teams. He has been hacking and breaking software for the last decade and a half. From ships to printers to WiFi to cloud apps, databases and more.
He is well known security evangelist and researcher in the web, cloud and container space and has led offensive security teams at PwC, Citrix, Appsecco and Kloudle. He loves to teach and has conducted several trainings and talks at numerous conferences like BlackHat, nullcon, OWASP Appsec and a bunch of other developer conferences. He has also authored 2 books and is an active writer on multiple blogs.

Frequently Asked Questions

Is this a free session?
Yes. The class is completely free to attend. There is no payment required. All you have to do is register before the registrations close.
I know the masterclass is free, but will I be charged for the labs?
During the masterclass, if you are following along and doing the hands on, you will require to set up a Kubernetes cluster using Google Kubernetes Engine. This may incur some nominal cost, but we will ensure this remains the absolute minimum by using resources that are free or cost very less.
How will the masterclass be conducted?
The masterclass will be delivered via an online private closed meeting. The instructions to join the meeting will be shared along with the pre-requisites on 13th December to the people who have registered.
What do I need to know before coming to the class?
If you have never worked with Kubernetes or are getting started, it is recommended to become familiar with some basic Kubernetes concepts. This article does a good ELI5 - https://www.cncf.io/phippy/the-childrens-illustrated-guide-to-kubernetes/
What are the technical pre-requisites for this class?
Technical pre-requisites include a working Google Cloud account and access to the cloud account via gcloud CL. A detailed list of pre-requisites will be shared with the registered participants via the notification email which will be sent on 13th December.
Is there a certificate of participation?
Yes. There will be a certificate of participation for this masterclass. Only folks who have registered AND who attend the class will be awarded this certificate of participation.
Where can I find out more about Appsecco's VAPT and Kubernetes Pentesting offerings?
Appsecco offers consulting and security services in a lot of cybersecurity domains including Kubernetes Pentesting, org staffing requirements, web application pentesting, cloud (AWS/GCP/Azure/IBM) audits & pentesting, mobile and API security assessment, thick client pentesting and bespoke training as well. Drop an email to riyaz@appsecco.com to know more!

Appsecco Code of Conduct

This code of conduct applies to all Appsecco's hosted online and offline sessions. The following decorum needs to be observed for all Appsecco hosted sessions.
  1. Be nice to everyone,
  2. Be empathetic,
  3. Be questioning, as it furthers the discussion, but
  4. Discuss ideas, not people and their personalities (as that would be ad hominem).
We strongly condemn any kind of harassment of any fellow participant. This includes:
  1. Sustained disruption of talks, discussions and other events.
  2. Offensive remarks or jokes made about women, men, persons of non-binary genders and those with physical disabilities, or on the basis of sexuality, race, caste or religion.
  3. Use of images or video that objectify the human body unless absolutely relevant to the discussion.
  4. Overriding the speaker with discussion not pertaining to the masterclass or related topics.
  5. Inappropriate imagery and video usage.
  6. Behaviour akin to stalking or doxing of other participants within the class.
  7. Deliberate intimidation and unwelcome gestures.
You can report any violations in confidence by sending an SMS to +91 9886042242. SMSes are received by Riyaz (the trainer) who can address this quickly.

Violators, regardless of their standing, may be expelled from the masterclass, banned for other sessions and reported to the authorities.