continuous kubernetes security
play

Continuous Kubernetes Security @sublimino and @controlplaneio Im: - PowerPoint PPT Presentation

Apr 10, 2024 •49 likes •1.18k views

Continuous Kubernetes Security @sublimino and @controlplaneio Im: - Andy - Dev-like - Sec-ish - Ops-y Is this Kubernetes cluster secure? EPIC FAIL GIF How secure is Kubernetes? What this Kubernetes talk is about Common Pwns

  1. Admission Controllers: NodeRestriction limits the Node and Pod objects a kubelet can modify kubelets must use credentials in the system:nodes group, with a username in the form system:node:<nodeName> n.b. Node Authorizer authorization mode required https://kubernetes.io/docs/admin/authorization/node/

  2. clusterrole system:node

  3. Admission Controllers: NodeRestriction --authorization-mode=Node A kubelet can not: ● alter the state of resources of any Pod it does not manage ● access Secrets, ConfigMaps or Persistent Volumes / PVCs, unless they are bound to a Pod managed by itself ● alter the state of any Node but the one it is running on https://kubernetes.io/docs/admin/authorization/node/

  4. Admission Controllers: PodSecurityPolicy determines if it should be admitted based on the requested security context and available Pod Security Policies https://github.com/kubernetes/examples/tree/master/staging/podsecuritypolicy/rbac

  5. Admission Controllers: ServiceAccount automation for serviceAccounts if not exist, set: ServiceAccount , ImagePullSecrets , /var/run/secrets/kubernetes.io/serviceaccount volume

  6. Admission Controllers in GKE

  7. Admission Controllers: ValidatingAdmissionWebhook (v1.9 beta) calls validating webhooks in parallel, rejects pod if any fail

  8. Admission Controllers: ValidatingAdmissionWebhook (v1.9 beta) https://github.com/kelseyhightower/denyenv-validating-admission-webhook#valida ting-admission-webhook-configuration https://github.com/openshift/generic-admission-server

  9. Secrets and Configmaps --experimental-encryption-provider-config ● Secrets and configmaps are encrypted at rest with ‘aescbc’ ○ If ‘aesgcm’ encryption is used, encryption keys should be rotated frequently ● Secure connection is set between apiserver and etcd ● Only apiserver user can read / edit EncryptionConfig file https://www.twistlock.com/2017/08/02/kubernetes-secrets-encryption/

  10. Secrets and Configmaps ● https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/ ● Secure Secret management for Kubernetes (with gpg, Google Cloud KMS and AWS KMS backends) - https://github.com/shyiko/kubesec ● Encryption at rest KMS integration - https://github.com/kubernetes/features/issues/460 ● https://medium.com/@mtreacher/using-aws-kms-for-application-secrets-in-ku bernetes-149ffb6b4073 ● Sealed Secrets - a Kubernetes controller and tool for one-way encrypted Secrets https://github.com/bitnami-labs/sealed-secrets

  11. TokenRequest API (v1.10 alpha) The TokenRequest API enables creation of tokens that: ● aren't persisted in the Secrets API ● targeted for specific audiences (such as external secret stores) ● have configurable expiries ● bindable to specific pods.

  12. Compliance Scanning ● https://github.com/nccgroup/kube-auto-analyzer - review Kubernetes installations against the CIS Kubernetes 1.8 Benchmark ● https://github.com/aquasecurity/kube-bench - test versions of Kubernetes (1.6, 1.7 and 1.8) against CIS Kubernetes 1.0.0, 1.1.0 and 1.2.0 ● https://github.com/heptio/sonobuoy - running a set of Kubernetes conformance tests in an accessible and non-destructive manner ● https://github.com/bgeesaman/sonobuoy-plugin-bulkhead - kube-bench for sonobouy ● https://github.com/bgeesaman/kubeatf - spin up, test, and destroy Kubernetes clusters in a human and CI/CD friendly way

  13. Image Scanning ● https://github.com/coreos/clair ● https://github.com/arminc/clair-local-scan ● https://github.com/optiopay/klar - integration of Clair and Docker Registry ● https://github.com/banyanops/collector ● https://github.com/anchore/anchore-engine

  14. Securing Kubernetes Networking

  15. https://medium.com/google-cloud/ understanding-kubernetes-networ king-services-f0cb48e4cc82 Kubernetes networking

  16. NetworkPolicy ● Calico ● Cilium (Learn more about eBPF) ● Kube-router ● Romana ● Weave Net

  17. NetworkPolicy

  18. apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: default-deny spec: podSelector: https://github.com/ahmetb/kube rnetes-network-policy-recipes Kubernetes NetworkPolicy: default deny

  19. apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: default-deny spec: Illegal syntax, but podSelector: represents what it - “*” actually does (effectively a wildcard) https://github.com/ahmetb/kube rnetes-network-policy-recipes Kubernetes NetworkPolicy: default deny

  20. apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: foo-deny-external-egress spec: podSelector: matchLabels: app: foo policyTypes: - Egress egress: - ports: - port: 53 protocol: UDP - port: 53 protocol: TCP - to: https://github.com/ahmetb/kube - namespaceSelector: {} rnetes-network-policy-recipes Kubernetes NetworkPolicy

  21. https://github.com/kubernetes/kubernetes/issues/56901 Kubernetes NetworkPolicy - NO DNS NAMES

  22. apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: foo-deny-external-egress spec: podSelector: ILLEGAL! NOT ALLOWED! dnsName: control-plane.io policyTypes: - Egress egress: - ports: - port: 53 protocol: UDP - port: 53 protocol: TCP - to: - namespaceSelector: {} https://github.com/ahmetb/kube rnetes-network-policy-recipes Kubernetes NetworkPolicy - ILLEGAL!

  24. What is a Service Mesh? https://abhishek-tiwari.com/a-sidecar-for-your-service-mesh/

  25. http://blog.christianposta.com/istio-workshop/

  26. Service Meshes - Istio ● Automatic mutual TLS between services ● Service-level RBAC ● External identity provider integration ● Policy and quota enforcement, dynamic per-request routing ● Deployment strategies such as red/black, canary, dark/mirrored ● Distributed tracing ● Network policy between apps/services, and on ingress/egress

  27. netassert - cloud native network testing ● netassert - network security testing for DevSecOps workflows https://github.com/controlplaneio/netassert host: localhost: bitbucket.com: - 22 control-plane.io: github.com: - 22

  28. netassert - cloud native network testing k8s: # used for Kubernetes pods deployment: # only deployments currently supported test-frontend: # pod name, defaults to `default` namespace test-microservice: 80 # `test-microservice` is the DNS name of the target service test-database: -80 # should not be able to access port 80 of `test-database` new-namespace:test-microservice: # `new-namespace` is the namespace name test-database.new-namespace: 80 # longer DNS names can be used for other namespaces test-frontend.default: 80 default:test-database: test-frontend.default.svc.cluster.local: 80 # full DNS names can be used test-microservice.default.svc.cluster.local: -80 control-plane.io: 443 # we can check remote services too https://github.com/controlplaneio/netassert

  30. Cloud Native Dynamic Firewalls ● Network Policy recipes - https://github.com/ahmetb/kubernetes-network-policy-recipes ● WeaveNet Network Policy - https://kubernetes.io/docs/tasks/administer-cluster/weave-network-policy/ ● NeuVector Container Firewall - https://neuvector.com/products/ ● Tesla Compromise mitigation - https://www.tigera.io/tesla-compromise-network-policy/

  31. Recap

  32. Multi Tenancy Principles

  33. Secure Hosts ● Minimal attack surface ○ CoreOS (RIP), forked as FlatCar Linux- https://coreos.com/ and https://kinvolk.io/ ○ Red Hat Atomic - https://www.redhat.com/en/resources/enterprise-linux-atomic-host-datasheet ○ Ubuntu Core -https://www.ubuntu.com/core ○ Container-Optimized OS from Google - https://cloud.google.com/container-optimized-os/docs/ ● Security extensions enabled, configured, and monitored ● Immutable infrastructure ● Group nodes by type, usage, and security level

  34. No Routes To: ● cadvisor ● heapster ● kubelet ● kubernetes dashboard ● etcd

  35. Proxy to Metadata APIs ● https://github.com/jtblin/kube2iam - provides different AWS IAM roles for pods running on Kubernetes ● https://github.com/uswitch/kiam - allows cluster users to associate IAM roles to Pods ● https://github.com/heptio/authenticator - allow AWS IAM credentials to authenticate to a Kubernetes cluster ● https://github.com/GoogleCloudPlatform/k8s-metadata-proxy - a simple proxy for serving concealed metadata to container workloads

  36. MULTI TENANCY: Soft

  37. MULTI TENANCY: Soft ● Isolate by namespace ○ don't forget the default networkpolicy and podsecuritypolicy ○ assign limits to the namespace with LimitRanges https://kubernetes.io/docs/tasks/administer-cluster/memory-default-namespace/ ● Separate dev/test from production ● Image scanning ○ private registry and build artefacts/supply chain

  38. MULTI TENANCY: Soft ● Policed, scanned, compliant base images ○ minimal attack surface ○ FROM scratch if possible ● Deploy admission controllers, pod security policies, etc ● Everything as code ○ https://www.weave.works/blog/gitops-operations-by-pull-request

  39. MULTI TENANCY: Hard

  40. MULTI TENANCY: Hard ● All users untrusted, potentially malicious ○ comfortable running code from multiple third parties, with the potential for malice that implies, in the same cluster ● Only co-tenant along your existing security boundaries ● Segregate logically by application type, security level, and/or physically by project/account ● Separate node pools for different tenants

  41. Container Runtimes ● runc - CLI tool for spawning and running containers according to the OCI specification https://github.com/opencontainers/runc ● cri-o - Open Container Initiative-based implementation of Kubernetes Container Runtime Interface https://github.com/kubernetes-incubator/cri-o ● Kata Containers - hardware virtualized containers https://katacontainers.io/ ● VirtualKubelet - a Kubernetes kubelet implementation https://github.com/virtual-kubelet/virtual-kubelet ● LXC/LXD, rkt, systemd-nspawn - https://coreos.com/rkt/docs/latest/rkt-vs-other-projects.html

Recommend

Continuous Delivery the hard way with Kubernetes Luke Marsden, Developer Experience @lmarsden

Continuous Delivery the hard way with Kubernetes Luke Marsden, Developer Experience @lmarsden

Continuous Delivery the hard way with Kubernetes Luke Marsden, Developer Experience @lmarsden Agenda 1. Why should I deliver continuously? 2. Kubernetes primer 3. GitLab primer 4. OK, so weve got these pieces, how are we going to put

638 views • 62 slides
Bringing Security and Multi- tenancy to Kubernetes Lei (Harry) Zhang About Me Lei (Harry)

Bringing Security and Multi- tenancy to Kubernetes Lei (Harry) Zhang About Me Lei (Harry)

Bringing Security and Multi- tenancy to Kubernetes Lei (Harry) Zhang About Me Lei (Harry) Zhang @resouer #CNCF member, #Microsoft MVP Previous: VMware, Baidu Feature Maintainer of Kubernetes HyperCrew: https://hyper.sh/

609 views • 40 slides
Airflow on Kubernetes: Containerizing your Workflows By Michael Hewitt Agenda Kubernetes

Airflow on Kubernetes: Containerizing your Workflows By Michael Hewitt Agenda Kubernetes

Airflow on Kubernetes: Containerizing your Workflows By Michael Hewitt Agenda Kubernetes Overview 1 Airflows integration with Kubernetes 2 Deployment of Airflow on Kubernetes 3 Kubernetes Pod Operator and its benefits 4 DAG Development

2.79k views • 14 slides
Automatic failovers with Kubernetes using Orchestrator, ProxySQL and Zookeeper Continuous

Automatic failovers with Kubernetes using Orchestrator, ProxySQL and Zookeeper Continuous

Automatic failovers with Kubernetes using Orchestrator, ProxySQL and Zookeeper Continuous monitoring Continuous monitoring Holistic approach to failure detection Continuous monitoring Holistic approach to failure

837 views • 81 slides
CONTINUOUS SECURITY CONTINUOUS SECURITY IN THE DEVOPS WORLD IN THE DEVOPS WORLD JULIEN VEHENT

CONTINUOUS SECURITY CONTINUOUS SECURITY IN THE DEVOPS WORLD IN THE DEVOPS WORLD JULIEN VEHENT

Continuous Security in DevOps https://jvehent.github.io/continuous-security-talk/?print-pdf#/ CONTINUOUS SECURITY CONTINUOUS SECURITY IN THE DEVOPS WORLD IN THE DEVOPS WORLD JULIEN VEHENT JULIEN VEHENT MOZILLA SECURITY MOZILLA SECURITY

724 views • 49 slides
Kubernetes Security Zooming In, Zooming Out A comprehensive Container Security Strategy Kavya

Kubernetes Security Zooming In, Zooming Out A comprehensive Container Security Strategy Kavya

Kubernetes Security Zooming In, Zooming Out A comprehensive Container Security Strategy Kavya Pearlman Global Cybersecurity Strategist - Wallarm @KavyaPearlman | @Wallarm Rob Richardson Technical Evangelist - MemSQL @Rob_Rich | @MemSQL

279 views • 27 slides
Using Cloud Native Technologies to Solve Complex Application Security Challenges in Kubernetes

Using Cloud Native Technologies to Solve Complex Application Security Challenges in Kubernetes

Using Cloud Native Technologies to Solve Complex Application Security Challenges in Kubernetes Deployments Cequence Security: A Cloud Native Approach to Application Security Venture-backed start-up bringing much-needed innovation to

304 views • 17 slides
CI/CD at Zalando Continuous Delivery to Kubernetes at Zalando CI/CD Meetup Berlin LOTHAR SCHULZ

CI/CD at Zalando Continuous Delivery to Kubernetes at Zalando CI/CD Meetup Berlin LOTHAR SCHULZ

Please write title, subtitle and speaker name in all capital letters CI/CD at Zalando Continuous Delivery to Kubernetes at Zalando CI/CD Meetup Berlin LOTHAR SCHULZ 2017-09-20 Please write the title in all Please write the title in all

352 views • 11 slides
Kubernetes Matthias Haeussler Mirna Alaisami Overview Overview Kubernetes is an open-source

Kubernetes Matthias Haeussler Mirna Alaisami Overview Overview Kubernetes is an open-source

Kubernetes Matthias Haeussler Mirna Alaisami Overview Overview Kubernetes is an open-source platform designed to automate deploying , scaling , and operating application containers . Kubernetes v1.0 was released in 2015. It utilizes

916 views • 52 slides
K8s or Die! You must do Kubernetes. Or should you? If so when, where, why? How?! Marco Ceppi

K8s or Die! You must do Kubernetes. Or should you? If so when, where, why? How?! Marco Ceppi

K8s or Die! You must do Kubernetes. Or should you? If so when, where, why? How?! Marco Ceppi @marcoceppi Ryan Beisner @ryanbeisner Why Kubernetes Computing in the modern age Virtual Process Machines Containers Traditional Container

516 views • 24 slides
#MicroFocusCyberSummit Shifting Security Left Bringing security into continuous integration and

#MicroFocusCyberSummit Shifting Security Left Bringing security into continuous integration and

#MicroFocusCyberSummit Shifting Security Left Bringing security into continuous integration and delivery Brenton Scott Witonski &lt;&gt;&lt; , Acxiom Brandon Spruth, Target Lucas von Stockhausen, Fortify #MicroFocusCyberSummit WHY ARE YOU

711 views • 44 slides
Zoom In, Zoom Out. A Fresh look at Kubernetes Security Rob Richardson Technical Evangelist -

Zoom In, Zoom Out. A Fresh look at Kubernetes Security Rob Richardson Technical Evangelist -

Zoom In, Zoom Out. A Fresh look at Kubernetes Security Rob Richardson Technical Evangelist - MemSQL @Rob_Rich | @MemSQL Kavya Pearlman Global Cybersecurity Strategist - Wallarm @KavyaPearlman | @Wallarm Introducing Rob... Rob Richardson

602 views • 31 slides
From Laptop to the World With Kubernetes @saturnism @googlecloud #kubernetes Ray Tsang

From Laptop to the World With Kubernetes @saturnism @googlecloud #kubernetes Ray Tsang

From Laptop to the World With Kubernetes @saturnism @googlecloud #kubernetes Ray Tsang Developer Advocate Google Cloud Platform @saturnism | +RayTsang @saturnism @googlecloud #kubernetes Ray Tsang Developer Architect Traveler

1.29k views • 65 slides
Contributing to kubernetes Who am I? Senior Software Engineer at Gojek Organizer at Kubernetes

Contributing to kubernetes Who am I? Senior Software Engineer at Gojek Organizer at Kubernetes

Contributing to kubernetes Who am I? Senior Software Engineer at Gojek Organizer at Kubernetes &amp; Cloud Native Meetups in Jakarta and Bandung https://www.meetup.com/jakarta-kubernetes/ https://www.meetup.com/Microservice-JKT/ You can find

709 views • 47 slides
Developing Kubernetes Services at Airbnb Scale @MELANIECEBULA What is kubernetes?

Developing Kubernetes Services at Airbnb Scale @MELANIECEBULA What is kubernetes?

@MELANIECEBULA / MARCH 2019 / CON LONDON Developing Kubernetes Services at Airbnb Scale @MELANIECEBULA What is kubernetes? @MELANIECEBULA Who am I? A BRIEF HISTORY @MELANIECEBULA Why Microservices? 4000000 3000000 2000000 MONOLITH

1.74k views • 111 slides
Four times Microservices: REST, Kubernetes, UI Integration, Async Eberhard Wolff @ewolff

Four times Microservices: REST, Kubernetes, UI Integration, Async Eberhard Wolff @ewolff

Four times Microservices: REST, Kubernetes, UI Integration, Async Eberhard Wolff @ewolff http://ewolff.com Fellow http://continuous-delivery-buch.de/ http://continuous-delivery-book.com/ http://microservices-buch.de/

1.03k views • 89 slides
Continuous Application Security Testing Presented by:

Continuous Application Security Testing Presented by:

W14 Security Testing Wednesday, October 23rd, 2019 3:00 PM Continuous Application Security Testing Presented by: Josh Gibbs

306 views • 4 slides
Kubernetes Networking and Istio Apurva Bhandari $whoami SRE / DevOps Docker &amp; Kubernetes

Kubernetes Networking and Istio Apurva Bhandari $whoami SRE / DevOps Docker &amp; Kubernetes

Kubernetes Networking and Istio Apurva Bhandari $whoami SRE / DevOps Docker &amp; Kubernetes Enthusiast Speaker at Meetups Email: apurvbhandari@gmail.com LinkedIn: https://www.linkedin.com/in/apurvabhandari-linux GitHub:

2.17k views • 28 slides
Kubernetes APIs Under the Hood @pwittrock Who Am I? Phillip Wittrock (@pwittrock) Software

Kubernetes APIs Under the Hood @pwittrock Who Am I? Phillip Wittrock (@pwittrock) Software

Kubernetes APIs Under the Hood @pwittrock Who Am I? Phillip Wittrock (@pwittrock) Software Engineer at Google working on GKE and OSS Kubernetes My mission is to make using Kubernetes simple and enjoyable You might have come across me

1.12k views • 27 slides
Stateful workloads on kubernetes with ceph Agenda CaaS Kubernetes

Stateful workloads on kubernetes with ceph Agenda CaaS Kubernetes

Stateful workloads on kubernetes with ceph Agenda CaaS Kubernetes Ceph Storage Operation NVRAMOS 2019 10/28/2019 Cloud Service Model On Premises IaaS CaaS PaaS SaaS Applications Applications

660 views • 36 slides
Kubernetes Administration from Zero to (junior) Hero Lszl Budai Component Soft Ltd.

Kubernetes Administration from Zero to (junior) Hero Lszl Budai Component Soft Ltd.

Kubernetes Administration from Zero to (junior) Hero Lszl Budai Component Soft Ltd. Agenda 1.Introduction 2.Accessing the kubernetes API 3.Kubernetes workloads 4.Accessing applications 5.Volumes and persistent storage 2 (c) 2018

1.17k views • 57 slides
Kubernetes und Container Aber Sicher! Container / K8s Security Andreas Falk Vorstellung

Kubernetes und Container Aber Sicher! Container / K8s Security Andreas Falk Vorstellung

Kubernetes und Container Aber Sicher! Container / K8s Security Andreas Falk Vorstellung Andreas Falk Novatec Consulting andreas.falk@novatec-gmbh.de / @andifalk https://www.novatec-gmbh.de/beratung/agile-security 2

1.1k views • 65 slides
OpenStack on Kubernetes: Make OpenStack and Kubernetes Fail-Safe Seungkyu Ahn (ahnsk@sk.com)

OpenStack on Kubernetes: Make OpenStack and Kubernetes Fail-Safe Seungkyu Ahn (ahnsk@sk.com)

OpenStack on Kubernetes: Make OpenStack and Kubernetes Fail-Safe Seungkyu Ahn (ahnsk@sk.com) Jaesuk Ahn (jay.ahn@sk.com) Open System Lab Network IT Convergence R&amp;D Center SK Telecom Wil Reichert (wil@solinea.com) Solinea What will

1.26k views • 46 slides
Kubelet to Istio: Kubernetes Network Security Demystified FOSDEM SPEED RUN @sublimino and

Kubelet to Istio: Kubernetes Network Security Demystified FOSDEM SPEED RUN @sublimino and

Kubelet to Istio: Kubernetes Network Security Demystified FOSDEM SPEED RUN @sublimino and @controlplaneio @sublimino Im: - Andy - Dev-like - Sec-ish - Ops-y @sublimino What is Network Security @sublimino Why do we need Network

1.54k views • 108 slides

More recommend