Kubernetes and Containers – But Secure! Container / K8s Security - PowerPoint PPT Presentation

  1. Kubernetes and Containers – But Secure! Container / K8s Security. Andreas Falk

  2. Introduction: Andreas Falk, Novatec Consulting
     andreas.falk@novatec-gmbh.de / @andifalk
     https://www.novatec-gmbh.de/beratung/agile-security

  3. https://www.novatec-gmbh.de/schulung/application-security-training-for-developers-by-jim-manico

  4. Agenda
     1. What can go wrong
     2. Application Security
     3. Container Security
     4. Kubernetes Security
     5. Kubernetes Secrets

  5. Where are the Slides and the Code?
     Presentation slides and demo code: https://github.com/andifalk/secure-development-on-kubernetes

  6. What can go wrong? (Introduction)

  7. Top Challenges in Kubernetes. Source: https://thenewstack.io

  8. Severe Vulnerability in Kubernetes. Source: https://blog.aquasec.com

  9. Crypto Mining Via K8s Dashboard. Source: https://blog.heptio.com

  10. Open ETCD Ports in Kubernetes (1)
     https://shodan.io

  11. Open ETCD Ports in Kubernetes (2)
     $ etcdctl --endpoints=http://xx.xx.xx.xx:2379 cluster-health
     member b97ee4034db41d17 is healthy: got healthy result from http://xx.xx.xx.xx:2379
     cluster is healthy
     https://github.com/etcd-io/etcd/releases

  12. Vulnerable Docker Images. Source: The State of Open Source Security Report (snyk.io)

  13. All is Root

  14. Kubernetes attack vectors. Source: Kubernetes Security, O'Reilly, 2018

  15. Operational / Development Kubernetes Security
     Diagram: Master Node (API Server with Auth/Authz, Scheduler, Controller Manager, Etcd) and Worker Node (Kubelet with Auth/Authz, Kube Proxy, Container Runtime, Container), connected via TLS; the two halves are labelled K8s Development Security and K8s Operational Security.
     https://kubernetes.io/docs/concepts/security/overview/#the-4c-s-of-cloud-native-security
     https://learnk8s.io/production-best-practices/

  16. So what can we do as developers? Application / Docker / K8s Security

  17. The Path for Secure Development on K8s: Application Security, Container Security, Kubernetes Security, Kubernetes Secrets

  18. The Path for Secure Development on K8s: Application Security, Container Security, Kubernetes Security, Kubernetes Secrets

  19. Application Security (topics around a web application)
     ▪ Authentication
     ▪ Authorization
     ▪ SQL Injection
     ▪ Cross Site Scripting (XSS)
     ▪ Cross Site Request Forgery (CSRF)
     ▪ Data Protection (Crypto)
     ▪ ...

  20. Application Security

  21. Live Demo: Show me the code. Iteration 1: Application Security
     https://github.com/andifalk/secure-development-on-kubernetes

  22. The Path for Secure Development on K8s: Application Security, Container Security, Kubernetes Security, Kubernetes Secrets

  23. Docker Security Basics

  24. Linux Kernel Namespaces
     ▪ Process ID (pid)
     ▪ Network (net)
     ▪ Filesystem/mount (mnt)
     ▪ Inter-Process Communication (ipc)
     ▪ User (user)
     ▪ UTS (hostname)

  25. Linux Control Groups (CGroups)
     ▪ Resource Limits
       − CPU
       − Memory
       − Devices
       − Processes
       − Network
     For Java this only works with container-aware JDK versions, i.e. OpenJDK 8u192 or above.

  26. Linux Capabilities
     ▪ Break up root privileges into smaller units
       − CAP_SYS_ADMIN
       − CAP_NET_ADMIN
       − CAP_NET_BIND_SERVICE
       − CAP_CHOWN
       − ...
     $ docker run --cap-drop=ALL --cap-add=NET_BIND_SERVICE
     http://man7.org/linux/man-pages/man7/capabilities.7.html
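The effect of `--cap-drop`/`--cap-add` can be verified from inside the container: the kernel exposes the capability sets of every process as hex bit masks in /proc/<pid>/status. The following script is an added example (not part of the slides or the demo repository) that decodes those masks into CAP_* names and reports anything outside an allow-list. The capability bit numbers are the kernel's; the two status excerpts are constructed samples, the first showing the bounding set a default Docker container receives, the second the set left after the slide's `--cap-drop=ALL --cap-add=NET_BIND_SERVICE`.

```python
import os
import re
from typing import Dict, List

# Capability bit numbers as defined in the kernel's include/uapi/linux/capability.h.
# Index in this list == bit number in the Cap* masks of /proc/<pid>/status.
CAPABILITY_NAMES = [
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
    "CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP",
    "CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST",
    "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
    "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
    "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD",
    "CAP_LEASE", "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP",
    "CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM",
    "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ", "CAP_PERFMON", "CAP_BPF",
    "CAP_CHECKPOINT_RESTORE",
]

# Capabilities the workload is allowed to keep; everything else is reported.
# This matches the slide's `--cap-drop=ALL --cap-add=NET_BIND_SERVICE`.
ALLOWED = {"CAP_NET_BIND_SERVICE"}


def decode_cap_mask(hex_mask: str) -> List[str]:
    """Turn a hex capability mask (e.g. '0000000000000400') into capability names."""
    mask = int(hex_mask, 16)
    names = []
    for bit in range(mask.bit_length()):
        if (mask >> bit) & 1:
            names.append(CAPABILITY_NAMES[bit] if bit < len(CAPABILITY_NAMES) else f"CAP_BIT_{bit}")
    return names


def parse_cap_lines(status_text: str) -> Dict[str, str]:
    """Extract the Cap* lines from the text of /proc/<pid>/status."""
    caps = {}
    for line in status_text.splitlines():
        match = re.match(r"^(CapInh|CapPrm|CapEff|CapBnd|CapAmb):\s*([0-9a-fA-F]+)\s*$", line)
        if match:
            caps[match.group(1)] = match.group(2)
    return caps


def audit_capabilities(status_text: str, allowed=ALLOWED) -> Dict[str, List[str]]:
    """Per capability set, the capabilities that are present but not in `allowed`.

    CapEff is what the process can use right now; CapBnd is the ceiling the container
    runtime left in place, i.e. the set that --cap-drop / --cap-add shape."""
    return {
        set_name: sorted(set(decode_cap_mask(mask)) - set(allowed))
        for set_name, mask in parse_cap_lines(status_text).items()
    }


# Constructed sample: a non-root Java process in a container started with Docker's
# default capability set. The process itself holds nothing (CapEff = 0), but the
# bounding set still permits the 14 capabilities Docker grants by default.
SAMPLE_DEFAULT_STATUS = """Name:\tjava
Uid:\t1002\t1002\t1002\t1002
CapInh:\t0000000000000000
CapPrm:\t0000000000000000
CapEff:\t0000000000000000
CapBnd:\t00000000a80425fb
CapAmb:\t0000000000000000
"""

# Constructed sample: the same process after `--cap-drop=ALL --cap-add=NET_BIND_SERVICE`.
SAMPLE_HARDENED_STATUS = SAMPLE_DEFAULT_STATUS.replace("00000000a80425fb", "0000000000000400")


if __name__ == "__main__":
    # On Linux, inspect the current process; elsewhere fall back to the constructed sample.
    if os.path.exists("/proc/self/status"):
        with open("/proc/self/status") as f:
            text = f.read()
    else:
        text = SAMPLE_DEFAULT_STATUS
    for set_name, unexpected in audit_capabilities(text).items():
        print(f"{set_name}: {', '.join(unexpected) or 'nothing unexpected'}")
```

Run it as the application user inside the container (or as a Kubernetes Job with the same securityContext) to confirm that the bounding set really is as small as the Dockerfile or pod spec claims; a non-empty CapBnd report for a process that should only bind port 80 is a configuration drift worth an alert.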

  27. Mandatory Access Control (MAC)
     ▪ AppArmor
     ▪ Security Enhanced Linux (SELinux)
     https://gitlab.com/apparmor/apparmor/wikis/home
     https://github.com/SELinuxProject

  28. Secure Computing Mode (SecComp)
     ▪ Deny critical system calls by default
       − reboot
       − mount
       − swapon
       − ...
     http://man7.org/linux/man-pages/man2/seccomp.2.html
     https://docs.docker.com/engine/security/seccomp

  29. OWASP Docker Top 10
     1. Secure User Mapping
     2. Patch Management Strategy
     3. Network Segmentation and Firewalling
     4. Secure Defaults and Hardening
     5. Maintain Security Contexts
     6. Protect Secrets
     7. Resource Protection
     8. Container Image Integrity and Origin
     9. Follow Immutable Paradigm
     10. Logging
     https://github.com/OWASP/Docker-Security

  30. Docker Images

  31. Docker Image Security

  32. Say No To Root! USER directive in Dockerfile
     FROM openjdk:11-jre-slim
     COPY hello-spring-kubernetes-1.0.0-SNAPSHOT.jar app.jar
     EXPOSE 8080
     RUN addgroup --system --gid 1002 app && adduser --system --uid 1002 --gid 1002 appuser
     USER 1002
     ENTRYPOINT java -jar /app.jar
     https://opensource.com/article/18/3/just-say-no-root-containers

  33. Say No To Root! Use JIB and Distroless Images
     plugins {
       id 'com.google.cloud.tools.jib' version '...'
     }
     jib {
       container {
         user = 1002
       }
     }
     https://github.com/GoogleContainerTools/jib
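Whether an image was built from a Dockerfile or with Jib, the "no root" rule of the two slides above can be checked mechanically before the image reaches a registry. The script below is an added example (not from the slides or the demo repository): a small Dockerfile linter that finds the effective USER of the final build stage and flags root, a missing USER, a non-numeric user name (Kubernetes `runAsNonRoot` can only verify a numeric UID from the image) and an unpinned base image. The sample Dockerfiles are constructed; the first is a copy of slide 32.

```python
from typing import List, Tuple


def parse_dockerfile(text: str) -> List[Tuple[str, str]]:
    """Split a Dockerfile into (INSTRUCTION, arguments) pairs, joining `\\` continuations."""
    instructions = []
    pending = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            pending += line[:-1] + " "
            continue
        pending += line
        head, _, rest = pending.partition(" ")
        instructions.append((head.upper(), rest.strip()))
        pending = ""
    return instructions


def lint_dockerfile(text: str) -> List[str]:
    """Return human-readable findings; an empty list means the image passes."""
    findings = []
    last_user = None
    for instruction, args in parse_dockerfile(text):
        if instruction == "FROM":
            # Each stage starts fresh: a USER from a previous stage does not carry over.
            last_user = None
            tokens = [t for t in args.split() if not t.startswith("--")]  # skip --platform=...
            image = tokens[0] if tokens else ""
            ref = image.rsplit("/", 1)[-1]  # strip registry/repo so a registry port is not mistaken for a tag
            if "@sha256:" not in ref and (":" not in ref or ref.endswith(":latest")):
                findings.append(f"FROM {image}: pin a tag or digest; 'latest' makes the image non-reproducible")
        elif instruction == "USER":
            last_user = args.split(":")[0].strip()  # USER may be given as user:group
    if last_user is None:
        findings.append("no USER instruction in the final stage: processes run as root (uid 0)")
    elif last_user in ("root", "0"):
        findings.append(f"USER {last_user}: final stage explicitly runs as root")
    elif not last_user.isdigit():
        findings.append(f"USER {last_user}: use a numeric UID; Kubernetes runAsNonRoot cannot verify a user name from the image")
    return findings


# Constructed sample 1: the Dockerfile from slide 32 (passes).
SLIDE_DOCKERFILE = """\
FROM openjdk:11-jre-slim
COPY hello-spring-kubernetes-1.0.0-SNAPSHOT.jar app.jar
EXPOSE 8080
RUN addgroup --system --gid 1002 app && \\
    adduser --system --uid 1002 --gid 1002 appuser
USER 1002
ENTRYPOINT java -jar /app.jar
"""

# Constructed sample 2: unpinned base image and no USER at all.
ROOT_DOCKERFILE = """\
FROM openjdk:latest
COPY app.jar app.jar
ENTRYPOINT java -jar /app.jar
"""

# Constructed sample 3: non-root, but by name rather than UID.
NAMED_USER_DOCKERFILE = """\
FROM openjdk:11-jre-slim
RUN adduser --system appuser
USER appuser
"""

if __name__ == "__main__":
    for label, content in [("slide", SLIDE_DOCKERFILE), ("root", ROOT_DOCKERFILE), ("named", NAMED_USER_DOCKERFILE)]:
        print(label, lint_dockerfile(content) or "OK")
```

A check like this belongs in the CI job that builds the image, next to the image scanner from the following slide, so that a regression to root is caught before deployment rather than by a Pod Security Policy rejecting the pod at runtime.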

  34. Keep Being Secure
     ▪ Perform Image Scanning
       − Anchore
       − Clair
       − Trivy
     ▪ Regularly Update Base Images
     https://anchore.com/opensource/
     https://github.com/coreos/clair
     https://github.com/aquasecurity/trivy

  35. Live Demo: Show me the code. Iteration 2: Container Security
     https://github.com/andifalk/secure-development-on-kubernetes

  36. The Path for Secure Development on K8s: Application Security, Container Security, Kubernetes Security, Kubernetes Secrets

  37. Kubernetes Basics
     Diagram: Ingress → Service → Deployment → Replica Set → Pods (Pod, Pod, Pod)
     https://kubernetes.io/docs/concepts
     https://www.aquasec.com/wiki/display/containers/70+Best+Kubernetes+Tutorials

  38. Kubernetes Security
     ▪ Kubernetes Auditing
     ▪ Network Policies
     ▪ Role Based Access Control (RBAC)
     ▪ Resource Limits
     ▪ Pod Security Context
     ▪ Pod Security Policy

  39. Resource Limits
     spec:
       ...
       containers:
         - resources:
             limits:
               cpu: "1"
               memory: "512Mi"
             requests:
               cpu: 500m
               memory: "256Mi"
       ...
     https://kubernetes.io/docs/tasks/configure-pod-container/assign-cpu-resource
     https://kubernetes.io/docs/tasks/configure-pod-container/assign-memory-resource

  40. Pod/Container Security Context
     spec:
       securityContext:
         runAsNonRoot: true
       containers:
         - securityContext:
             allowPrivilegeEscalation: false
             privileged: false
             runAsNonRoot: true
             readOnlyRootFilesystem: true
             capabilities:
               drop:
                 - ALL
     https://kubernetes.io/docs/tasks/configure-pod-container/security-context

  41. Pod Security Policy (Still In Beta!)
     apiVersion: policy/v1beta1
     kind: PodSecurityPolicy
     metadata:
       name: no-root-policy
     spec:
       privileged: false
       allowPrivilegeEscalation: false
       requiredDropCapabilities:
         - ALL
       runAsUser:
         rule: 'MustRunAsNonRoot'
       ...
     https://kubernetes.io/docs/concepts/policy/pod-security-policy
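Slides 39 to 41 describe the same requirements from two sides: what a pod spec should declare (limits, security context) and what a Pod Security Policy enforces at admission. The following added example (not part of the slides or the demo repository) evaluates a pod spec against exactly those requirements the way a pre-deployment check or a CI step would, taking into account that a container-level securityContext overrides the pod-level one. The two specs are constructed: the first is the merged content of slides 39 and 40, the second a plain container with nothing set, which is what most defaults look like.

```python
from typing import Any, Dict, List


def _effective(pod_spec: Dict[str, Any], container: Dict[str, Any], key: str):
    """Container-level securityContext wins over pod-level for keys present on both."""
    container_sc = container.get("securityContext") or {}
    if key in container_sc:
        return container_sc[key]
    return (pod_spec.get("securityContext") or {}).get(key)


def check_pod_spec(pod_spec: Dict[str, Any]) -> List[str]:
    """Return findings against the no-root / least-privilege requirements of slides 39-41."""
    findings = []
    containers = list(pod_spec.get("containers", [])) + list(pod_spec.get("initContainers", []))
    if not containers:
        return ["spec has no containers"]
    for c in containers:
        name = c.get("name", "<unnamed>")
        sc = c.get("securityContext") or {}
        caps = sc.get("capabilities") or {}
        if _effective(pod_spec, c, "runAsNonRoot") is not True:
            findings.append(f"{name}: runAsNonRoot is not true at pod or container level")
        if sc.get("privileged") is True:
            findings.append(f"{name}: privileged container")
        # allowPrivilegeEscalation defaults to true, so only an explicit false passes.
        if sc.get("allowPrivilegeEscalation") is not False:
            findings.append(f"{name}: allowPrivilegeEscalation must be set to false explicitly")
        if sc.get("readOnlyRootFilesystem") is not True:
            findings.append(f"{name}: readOnlyRootFilesystem is not true")
        if "ALL" not in [d.upper() for d in caps.get("drop", [])]:
            findings.append(f"{name}: capabilities.drop does not contain ALL")
        if caps.get("add"):
            findings.append(f"{name}: re-adds capabilities {caps['add']}; each one needs a justification")
        limits = (c.get("resources") or {}).get("limits") or {}
        for resource in ("cpu", "memory"):
            if resource not in limits:
                findings.append(f"{name}: no {resource} limit")
    return findings


# Constructed: the pod spec of slides 39 and 40 merged, as yaml.safe_load would return it.
COMPLIANT_SPEC: Dict[str, Any] = {
    "securityContext": {"runAsNonRoot": True},
    "containers": [{
        "name": "hello-spring",
        "image": "example.invalid/hello-spring-kubernetes:1.0.0",  # placeholder image reference
        "securityContext": {
            "allowPrivilegeEscalation": False,
            "privileged": False,
            "runAsNonRoot": True,
            "readOnlyRootFilesystem": True,
            "capabilities": {"drop": ["ALL"]},
        },
        "resources": {
            "limits": {"cpu": "1", "memory": "512Mi"},
            "requests": {"cpu": "500m", "memory": "256Mi"},
        },
    }],
}

# Constructed: a container with Kubernetes defaults only.
DEFAULT_SPEC: Dict[str, Any] = {
    "containers": [{"name": "app", "image": "example.invalid/app:1.0.0"}],  # placeholder image reference
}

if __name__ == "__main__":
    for label, spec in [("compliant", COMPLIANT_SPEC), ("default", DEFAULT_SPEC)]:
        print(label, check_pod_spec(spec) or "OK")
```

The dicts are what `yaml.safe_load` produces for the `spec:` part of a Deployment's pod template, so the same function can be pointed at real manifests; the findings list for the default spec is a concise statement of what a Pod Security Policy like `no-root-policy` would reject.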

  42. Pod Security Policy (Policy Order)
     Policy order selection criteria:
     1. Policies which allow the pod as-is are preferred.
     2. If the pod must be defaulted or mutated, the first policy (ordered by name) to allow the pod is selected.
     https://kubernetes.io/docs/concepts/policy/pod-security-policy/#policy-order
     https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers

  43. Kubernetes Role Based Access Control (RBAC)
     Diagram: a Subject (User, Group or ServiceAccount) is bound via a RoleBinding (namespace) or ClusterRoleBinding (cluster-wide) to a Role or ClusterRole, which lists API Groups, Resources and Verbs.
     https://kubernetes.io/docs/reference/access-authn-authz/rbac/

  44. Kubernetes Role Based Access Control (RBAC)
     apiGroups: extensions, apps, policy, ...
     resources: pods, deployments, configmaps, secrets, nodes, services, endpoints, podsecuritypolicies, ...
     verbs: get, list, watch, create, update, patch, delete, use, ...
     https://kubernetes.io/docs/reference/access-authn-authz/rbac/

  45. Service Account
     apiVersion: v1
     kind: ServiceAccount
     metadata:
       name: deploy-pod-security-policy
       namespace: default
     https://kubernetes.io/docs/concepts/policy/pod-security-policy/#authorizing-policies

  46. Pod Security Policy Role
     apiVersion: rbac.authorization.k8s.io/v1
     kind: Role
     metadata:
       name: no-root-policy-role
       namespace: default
     rules:
       - apiGroups: ['policy']
         resources: ['podsecuritypolicies']
         verbs: ['use']
         resourceNames:
           - no-root-policy
     https://kubernetes.io/docs/concepts/policy/pod-security-policy/#authorizing-policies

  47. Pod Security Policy Role Binding
     apiVersion: rbac.authorization.k8s.io/v1
     kind: RoleBinding
     metadata:
       name: deploy-pod-security-policy
       namespace: default
     roleRef:
       kind: Role
       name: no-root-policy-role
       apiGroup: rbac.authorization.k8s.io
     subjects:
       - kind: ServiceAccount
         name: deploy-pod-security-policy
         namespace: default
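Slides 43 to 47 show the three RBAC objects (subject, Role, RoleBinding) that together let one service account `use` the `no-root-policy` PSP and nothing else. The script below is an added example (not from the slides or the demo repository) that re-implements the namespaced part of the RBAC decision on those exact objects, so that the effect of `resourceNames`, the empty core API group and the subject's namespace can be seen without a cluster. ClusterRole and ClusterRoleBinding are deliberately not modelled; the objects are constructed copies of slides 46 and 47.

```python
from typing import Any, Dict, List, Optional, Tuple

# (kind, name, namespace); the namespace is only significant for ServiceAccount subjects.
Subject = Tuple[str, str, str]

# Constructed copies of the Role and RoleBinding on slides 46 and 47.
ROLES: List[Dict[str, Any]] = [{
    "metadata": {"name": "no-root-policy-role", "namespace": "default"},
    "rules": [{
        "apiGroups": ["policy"],
        "resources": ["podsecuritypolicies"],
        "verbs": ["use"],
        "resourceNames": ["no-root-policy"],
    }],
}]

ROLE_BINDINGS: List[Dict[str, Any]] = [{
    "metadata": {"name": "deploy-pod-security-policy", "namespace": "default"},
    "roleRef": {"kind": "Role", "name": "no-root-policy-role", "apiGroup": "rbac.authorization.k8s.io"},
    "subjects": [{"kind": "ServiceAccount", "name": "deploy-pod-security-policy", "namespace": "default"}],
}]


def _matches(values: List[str], wanted: str) -> bool:
    return "*" in values or wanted in values


def rule_allows(rule: Dict[str, Any], verb: str, api_group: str, resource: str, name: Optional[str]) -> bool:
    """A rule grants a request only if group, resource and verb all match;
    resourceNames, when present, additionally restrict it to named objects."""
    if not _matches(rule.get("apiGroups", []), api_group):
        return False
    if not _matches(rule.get("resources", []), resource):
        return False
    if not _matches(rule.get("verbs", []), verb):
        return False
    names = rule.get("resourceNames")
    return not names or name in names


def subject_matches(subject: Dict[str, Any], kind: str, name: str, namespace: str) -> bool:
    if subject.get("kind") != kind or subject.get("name") != name:
        return False
    if kind == "ServiceAccount":
        # A ServiceAccount is identified by name *and* namespace.
        return subject.get("namespace") == namespace
    return True


def is_allowed(roles, bindings, subject: Subject, verb: str, api_group: str,
               resource: str, namespace: str, name: Optional[str] = None) -> bool:
    """RBAC is purely additive: any binding whose role has any matching rule allows the request."""
    for binding in bindings:
        if binding["metadata"]["namespace"] != namespace:
            continue
        if binding["roleRef"]["kind"] != "Role":
            continue  # ClusterRole references are outside this example
        if not any(subject_matches(s, *subject) for s in binding.get("subjects", [])):
            continue
        for role in roles:
            if role["metadata"]["name"] != binding["roleRef"]["name"]:
                continue
            if role["metadata"]["namespace"] != namespace:
                continue  # a RoleBinding can only reference a Role in its own namespace
            if any(rule_allows(rule, verb, api_group, resource, name) for rule in role.get("rules", [])):
                return True
    return False


if __name__ == "__main__":
    sa: Subject = ("ServiceAccount", "deploy-pod-security-policy", "default")
    print("use no-root-policy:", is_allowed(ROLES, ROLE_BINDINGS, sa, "use", "policy",
                                            "podsecuritypolicies", "default", "no-root-policy"))
    print("get secrets:", is_allowed(ROLES, ROLE_BINDINGS, sa, "get", "", "secrets", "default"))
```

Note the core API group (pods, secrets, configmaps) is the empty string `""`, not `core`, which is why a rule listing `['policy']` never reaches a Secret. The same checks are what `kubectl auth can-i --as=system:serviceaccount:default:deploy-pod-security-policy use podsecuritypolicies/no-root-policy` asks a live cluster.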

  48. Helm 3 Is Here!
     https://v3.helm.sh
     https://helm.sh/docs/faq/#removal-of-tiller

  49. Live Demo: Show me the code. Iteration 3: Kubernetes Security
     https://github.com/andifalk/secure-development-on-kubernetes

  50. The Path for Secure Development on K8s: Application Security, Container Security, Kubernetes Security, Kubernetes Secrets

  51. Kubernetes Secrets
     Diagram with the labels KMS, Etcd and Secrets.

  52. Kubernetes Secrets
     apiVersion: v1
     kind: Secret
     metadata:
       name: hello-spring-cloud-kubernetes
       namespace: default
     type: Opaque
     data:
       user.username: dXNlcg==
       user.password: azhzX3VzZXI=
       admin.username: YWRtaW4=
       admin.password: azhzX2FkbWlu
     https://kubernetes.io/docs/concepts/configuration/secret
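The `data` values of a Secret are base64-encoded, which is an encoding and not a protection: any principal that RBAC allows to `get` the object, and anyone who can read etcd without encryption at rest (the KMS of the previous slide), sees the plaintext. The following added example (not from the slides or the demo repository) makes that concrete on a copy of the manifest above, and adds the check a reviewer wants on hand-written Secrets: a decoded value that ends in a newline (the classic `echo value | base64` mistake, which silently breaks database logins) or that is not valid base64 at all.

```python
import base64
import binascii
from typing import Any, Dict, List

# Copy of the Secret manifest on this slide, as yaml.safe_load would produce it.
SECRET: Dict[str, Any] = {
    "apiVersion": "v1",
    "kind": "Secret",
    "metadata": {"name": "hello-spring-cloud-kubernetes", "namespace": "default"},
    "type": "Opaque",
    "data": {
        "user.username": "dXNlcg==",
        "user.password": "azhzX3VzZXI=",
        "admin.username": "YWRtaW4=",
        "admin.password": "azhzX2FkbWlu",
    },
}


def decode_secret_data(secret: Dict[str, Any]) -> Dict[str, str]:
    """Reverse the base64 encoding of every `data` entry; this is all a reader needs to do."""
    return {
        key: base64.b64decode(value, validate=True).decode("utf-8")
        for key, value in (secret.get("data") or {}).items()
    }


def encode_secret_data(plain: Dict[str, str]) -> Dict[str, str]:
    """Build `data` entries the way `kubectl create secret` does: base64 of the exact bytes, no trailing newline."""
    return {key: base64.b64encode(value.encode("utf-8")).decode("ascii") for key, value in plain.items()}


def secret_findings(secret: Dict[str, Any]) -> List[str]:
    """Review checks for a Secret manifest; an empty list means nothing suspicious."""
    findings = []
    for key, value in (secret.get("data") or {}).items():
        try:
            raw = base64.b64decode(value, validate=True)
        except (binascii.Error, ValueError):
            findings.append(f"{key}: not valid base64; the API server would reject this manifest")
            continue
        if raw.endswith(b"\n"):
            findings.append(f"{key}: decoded value ends with a newline; 'echo value | base64' adds one, use 'echo -n'")
        if not raw:
            findings.append(f"{key}: empty value")
    return findings


if __name__ == "__main__":
    # Prints the decoded keys only; the values are exactly as readable to anyone with `get` on secrets.
    print("keys readable in plaintext:", sorted(decode_secret_data(SECRET)))
    # Constructed broken manifest: one value encoded with a trailing newline, one not base64 at all.
    broken = {"data": {"user.password": "azhzX3VzZXIK", "token": "not base64!"}}
    for finding in secret_findings(broken):
        print("finding:", finding)
```

The consequence for the cluster is the one the previous slide's KMS box stands for: restrict `get`/`list` on secrets to the service accounts that need them, enable encryption at rest for the secrets resource, and treat a Secret manifest committed to Git as a leaked credential.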
