Stop Reading YAML. Start Hunting: Finding real Kubernetes attack paths with ClusterHound
Track 2 – 2:00pm
Speakers: Nathan Dove and Josh Hickling, Lead Penetration Testers at KPMG UK
Social media: no handles, but feel free to tag us on LinkedIn: https://www.linkedin.com/in/nathan-dove and https://www.linkedin.com/in/joshua-hickling
Bio
Nathan and Josh are Lead Penetration Testers at KPMG UK, based in Leeds. Between them, they bring over a decade of hands-on experience in security testing across a wide range of domains, including infrastructure, web applications, and complex enterprise environments.
Having both built their careers in and around Leeds, they have spent the past 11 years contributing to the local security community through practical testing, research, and knowledge sharing. While relatively new to the conference speaking circuit, they have delivered numerous talks and workshops at academic institutions across the region, helping to bridge the gap between education and real-world offensive security.
Their combined experience spans most areas of penetration testing, but their recent focus has shifted toward modern cloud-native technologies, particularly Kubernetes. Through their work, they have been exploring the unique attack surfaces and security challenges introduced by containerised environments, with an emphasis on how security testers can deliver valuable assessments.
At BSides Leeds, they aim to share insights from their research and testing experience, offering attendees a grounded and practitioner-led perspective on Kubernetes pentesting, with some new tooling to boot.
Talk Abstract
Kubernetes underpins a large proportion of modern infrastructure, but the way it is commonly assessed during penetration tests often does not reflect how clusters can actually be exploited. Many assessments still centre around configuration reviews, standard tooling, and lists of misconfigurations, without demonstrating how issues can be combined to achieve meaningful compromise.
In this talk, we present a hands-on approach to Kubernetes testing. We start with a brief introduction to Kubernetes from a penetration testing perspective, covering the parts of the platform that matter in an offensive security context.
We then look at how Kubernetes assessments are typically performed today and where they fall short, before outlining a more effective approach based on actively accounting for a cluster’s context and identifying paths for privilege escalation and lateral movement.
We introduce ClusterHound, a Kubernetes ingestor for BloodHound, which models Kubernetes environments as a graph to support attack path mapping and help identify routes to elevated privileges.
Attendees will learn key Kubernetes concepts for penetration testing, the limitations of configuration-led assessments, how to take a more active testing approach, how to identify paths for escalation and movement, and how ClusterHound and BloodHound support attack path mapping.
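To make the graph idea concrete, here is a small added example (not ClusterHound's code, and not its data model) that models constructed RBAC objects as a graph and searches for a chain from a low-privilege service account to a cluster-admin-equivalent role, the kind of over-privileged path an RBAC audit should flag. Role, binding and subject names are hypothetical.

```python
from collections import deque

# Constructed sample RBAC objects (hypothetical, not real cluster data).
# Keys are "Kind/name" for cluster-scoped objects and "Kind/namespace/name" otherwise.
ROLES = {
    "ClusterRole/cluster-admin": [{"verbs": ["*"], "resources": ["*"]}],
    "ClusterRole/sa-impersonator": [{"verbs": ["impersonate"], "resources": ["serviceaccounts"]}],
    "Role/dev/pod-reader": [{"verbs": ["get", "list"], "resources": ["pods"]}],
}
BINDINGS = [
    {"role": "Role/dev/pod-reader", "subjects": ["ServiceAccount/dev/app"]},
    {"role": "ClusterRole/sa-impersonator", "subjects": ["ServiceAccount/dev/app"]},
    {"role": "ClusterRole/cluster-admin", "subjects": ["ServiceAccount/ops/admin"]},
]

def grants(rules, verb, resource):
    """True if any rule grants `verb` on `resource`, treating '*' as a wildcard."""
    return any((verb in r["verbs"] or "*" in r["verbs"]) and
               (resource in r["resources"] or "*" in r["resources"]) for r in rules)

def build_graph(roles, bindings):
    """Edges: subject --HasRole--> role; role --CanImpersonate--> each service account
    when the role grants the impersonate verb on serviceaccounts."""
    graph = {}
    subjects = {s for b in bindings for s in b["subjects"]}
    for b in bindings:
        for s in b["subjects"]:
            graph.setdefault(s, []).append(("HasRole", b["role"]))
    for role, rules in roles.items():
        if grants(rules, "impersonate", "serviceaccounts"):
            for s in subjects:
                if s.startswith("ServiceAccount/"):
                    graph.setdefault(role, []).append(("CanImpersonate", s))
    return graph

def find_path(graph, roles, start):
    """BFS from `start` to the first role granting '*' on '*'; returns the edge path or None."""
    queue, seen = deque([(start, [])]), {start}
    while queue:
        node, path = queue.popleft()
        if node in roles and grants(roles[node], "*", "*"):
            return path
        for label, nxt in graph.get(node, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, path + [(node, label, nxt)]))
    return None

if __name__ == "__main__":
    # Reading pods alone is harmless; combined with impersonation it reaches cluster-admin.
    for node, label, nxt in find_path(build_graph(ROLES, BINDINGS), ROLES, "ServiceAccount/dev/app"):
        print(f"{node} -[{label}]-> {nxt}")
```

A real ingestor would derive many more edge types (pod creation with a privileged service account, secret access, role binding rights); the search logic stays the same.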
Intended Audience
Pentesters and blue team operators of any level will find the talk beneficial, as will developers and engineers who need to maintain awareness of Kubernetes security in their day-to-day role.
How NSFW is this talk? (How spicy is your talk in chillis?)
We may use profanity but not excessively.
