2025-08-04 –, Florentine F
What started as a simple exercise to create Kubernetes interview questions took an unexpected turn into discovering some interesting cluster security quirks. While brainstorming scenarios to test candidates' knowledge, we found ourselves saying "wait, would that actually work?" more times than we expected. This talk shares these insights, showing how even a cluster with a common configuration can lead to surprising cluster disruptions. We will guide you through our journey, sharing both the techniques we stumbled upon and practical ways to keep your Kubernetes infrastructure safe.
From Interview Questions to Cluster Damage: Adventures in k8s Cluster Hacking
It all started with a simple task - creating technical interview questions for Kubernetes researchers. You know the type: "What happens if this pod can't schedule?" or "How would you debug a failing service?" But as we brainstormed scenarios, we kept having these "hold up, what if..." moments that led us down some interesting paths.
We started testing our theories in lab environments, and what we found was both interesting and kind of amusing. Turns out there are quite a few ways to mess with a Kubernetes cluster that don't require sophisticated zero-day exploits - just creative use of normal cluster operations.
In this talk, we'll share three main insights from our accidental research project. First, we'll look at some surprisingly effective ways to disrupt cluster operations through resource manipulation and component misconfigurations. These aren't complex attacks - they're the kind of things that could happen by accident if you're not paying attention.
We'll then explore how attackers might map out a cluster starting with limited access. Understanding this helps both with security testing and knowing what to watch out for in your monitoring. Finally, we'll tackle a classic interview question that turned out to be more interesting than we expected: if someone compromises a node, can they take over the whole cluster?
This isn't going to be a standard lecture - we want to hear your thoughts and experiences too. We'll show some live demos and turn key points into discussions. After all, the best security insights often come from comparing notes with other practitioners.
The talk is aimed at folks who work with Kubernetes regularly - security engineers, DevSecOps teams, platform engineers. You don't need to be a security expert, but you should be familiar with basic Kubernetes concepts. We'll focus on practical stuff you can actually use, not theoretical edge cases.
By the end, you'll have:
* Some new perspectives on cluster security
* Practical ideas for hardening your environments
* A better understanding of what to monitor
* Some good material for your own interview questions
Travis spends most of his days working in the cloud/container/Kubernetes security space. He has worked in security for ~15 years. Most importantly, he is one of the select few individuals to be recognized with an official certification from Microsoft as a Microsoft Office User Specialist in Microsoft Access 2000.
Amit Serper is a seasoned security researcher with over 20 years of experience spanning vulnerability research, malware analysis, exploitation, and reverse engineering. Known for high-impact discoveries and deep technical insights, Amit has contributed to both defensive and offensive security domains. He currently serves as a Lead Security Researcher at CrowdStrike, where he focuses on uncovering advanced threats and novel attack techniques. His work has been widely cited in industry reports and media, and he frequently presents at leading security conferences worldwide. Before joining CrowdStrike, Amit held multiple security research roles at companies such as Akamai, Cybereason, and other startups.