
BSides - Docker Security Best Practices


This is the story of Carlos, an information security specialist at a major local bank, whose goal is to implement security best practices for the bank's Docker container-based architecture.

Abdel G. Martínez L.

January 30, 2021


Transcript

  1. Docker Security Best Practices
    Abdel Gadiel Martínez Lassonde, Director of Technology Services and Innovation
  2. Helping to transform and add value to our clients' operations
    In the market since 1990. More than 50 staff. More than 1,500 projects delivered. More than 175 certifications. Worked with more than 100 companies. Partnered with more than 10 vendors.
  3. Our services
    Mission-critical services, performance services, cybersecurity services, quality services, human development services, innovation services, automation (RPA) services, big data services, data governance services, process management services, ERP/CRM/HCM/EPM services, data analytics services, omnichannel services, e-commerce services, digital procedures services, electronic signature services.
  4. Let's tell a story
    Carlos works as an Information Security Specialist at a major local bank. As part of the bank's operational strategy, he has been asked to focus on applying security best practices to the Docker container environments managed by the DevOps team.
  5. Seek and you shall find
    Carlos finds that the current architecture is simple: a single Docker server where all the containers run, with images pulled from Docker Hub.
  6. Applying basic concepts
    After attending BSides Panamá, Carlos understands that the basic principles ⚔ he must cover in this case are:
    • Validate the authenticity of the images used
    • Run containers as a non-root user
    • Adopt the Least Privilege Principle
    • Use Docker Secrets to handle sensitive data
    • Use multi-stage builds
    • Set resource limits on containers
    • Harden the DOCKER_HOST
    • Use short-lived containers
  7. Applying basic concepts: validate the authenticity of the images used
    carlos@server01 ~ % export DOCKER_CONTENT_TRUST=1
    carlos@server01 ~ % docker pull momonga/wordpress
    Using default tag: latest
    Error: remote trust data does not exist for docker.io/momonga/wordpress: notary.docker.io does not have trust data for docker.io/momonga/wordpress
  8. Applying basic concepts: run containers as a non-root user
    carlos@server01 ~ % # Run as root
    carlos@server01 ~ % docker run -d fedora sleep infinity
    5a25f6a6cd4a81bac3ba646c6f55ccd5224ce54582abe78f350ec04dbe22119f
    carlos@server01 ~ % # Run as non-root
    carlos@server01 ~ % docker run -d -u 500 fedora sleep infinity
    252983fa61857ba7355f8e9ff0f3b63022ff19c41be548d6f8c9688889579330
  9. Applying basic concepts: run containers as a non-root user
    FROM fedora:29
    # Create a dedicated, unprivileged user and group for the application
    RUN groupadd -r swuser -g 433 && \
        useradd -u 431 -r -g swuser -s /sbin/nologin -c "Docker image user" swuser
    # Package installation still needs root; switch back to the app user afterwards
    USER root
    RUN dnf install -y vim
    USER swuser
  10. Applying basic concepts: adopt the Least Privilege Principle
    • Run containers with users other than root
    • Set access control on containers with the minimum privileges
    • Configure the USER directive so that applications have dedicated users
    • Limiting the container's privileges substantially reduces the risk from vulnerabilities
  11. Applying basic concepts: use Docker Secrets to handle sensitive data
    # syntax=docker/dockerfile:1
    FROM fedora
    # Show the secret at the default path (the secret is mounted only for this RUN step, not stored in a layer)
    RUN --mount=type=secret,id=misecreto cat /run/secrets/misecreto
    # Show the secret at a specific path
    RUN --mount=type=secret,id=misecreto,dst=/foobar cat /foobar
  12. Applying basic concepts: use multi-stage builds
    FROM golang:1.7.3 AS builder
    WORKDIR /go/src/github.com/alexellis/href-counter/
    RUN go get -d -v golang.org/x/net/html
    COPY app.go .
    RUN CGO_ENABLED=0 GOOS=linux go build -a -installsuffix cgo -o app .

    # The final image carries only the static binary, not the Go toolchain or sources
    FROM alpine:latest
    RUN apk --no-cache add ca-certificates
    WORKDIR /root/
    COPY --from=builder /go/src/github.com/alexellis/href-counter/app .
    CMD ["./app"]
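The build-time practices of slides 9 to 12 (dedicated USER, no secrets in the Dockerfile, pinned base images) are the same points Docker Bench later reports under section 4. As an added example that is not part of the talk, the POSIX shell script below lints a Dockerfile for those points before it is ever built; the function names and the two sample Dockerfiles are constructed for this example, and the "good" one mirrors the slide 9 Dockerfile with a COPY and a HEALTHCHECK added.

```shell
#!/bin/sh
# Static checks on a Dockerfile for the practices in slides 9-12
# (Docker Bench checks 4.1, 4.6, 4.7, 4.9, 4.10 and pinned base images).
# POSIX shell + awk + grep only; one finding per line, always exits 0.

lint_dockerfile() {
    f=$1
    # 4.1 / slide 9: the last USER instruction decides who the container runs as.
    last_user=$(awk 'toupper($1) == "USER" { u = $2 } END { print u }' "$f")
    case "$last_user" in
        ""|root|0|root:*|0:*) echo "USER: image runs as root (final USER: ${last_user:-none})" ;;
    esac
    # 4.9: ADD fetches URLs and auto-extracts archives; COPY does exactly what it says.
    awk 'toupper($1) == "ADD" { print "ADD: line " NR " uses ADD instead of COPY" }' "$f"
    # 4.10 / slide 11: credentials in ENV or ARG end up in image layers and history.
    awk 'toupper($1) ~ /^(ENV|ARG)$/ && toupper($0) ~ /(PASSWORD|SECRET|TOKEN|API_KEY)/ {
        print "SECRET: line " NR " puts a credential in " $1 }' "$f"
    # 4.6: without HEALTHCHECK the runtime cannot tell a hung container from a healthy one.
    if ! grep -qiE '^[[:space:]]*HEALTHCHECK[[:space:]]' "$f"; then
        echo "HEALTHCHECK: no HEALTHCHECK instruction"
    fi
    # Summary item 8: an untagged or :latest base image is not reproducible
    # (scratch is allowed; FROM --platform=... flags are not handled here).
    awk 'toupper($1) == "FROM" && $2 != "scratch" && ($2 !~ /[:@]/ || $2 ~ /:latest$/) {
        print "FROM: line " NR " uses unpinned base image " $2 }' "$f"
    # 4.7: a package-index update on its own RUN line is cached and silently goes stale.
    awk 'toupper($1) == "RUN" && $0 ~ /(apt-get|apt|yum|dnf|apk) (update|upgrade)/ && $0 !~ /(install|add|&&)/ {
        print "UPDATE: line " NR " runs a package update alone" }' "$f"
    return 0
}

# dockerfile_samples: writes two constructed Dockerfiles into a temp dir and prints the dir.
dockerfile_samples() {
    d=$(mktemp -d)
    cat > "$d/Dockerfile.bad" <<'EOF'
FROM fedora
RUN dnf update -y
ENV DB_PASSWORD=hunter2
ADD app.tar.gz /opt/app/
CMD ["/opt/app/run"]
EOF
    cat > "$d/Dockerfile.good" <<'EOF'
FROM fedora:29
RUN groupadd -r swuser -g 433 && \
    useradd -u 431 -r -g swuser -s /sbin/nologin -c "Docker image user" swuser
RUN dnf install -y vim && dnf clean all
COPY app /opt/app
HEALTHCHECK CMD /opt/app/healthz
USER swuser
CMD ["/opt/app/run"]
EOF
    echo "$d"
}

# Stand-alone demo: lint both samples.
samples=$(dockerfile_samples)
for df in "$samples/Dockerfile.bad" "$samples/Dockerfile.good"; do
    echo "== $df"; lint_dockerfile "$df"
done
rm -rf "$samples"
```

Run it against a real file with `lint_dockerfile path/to/Dockerfile`; the bad sample produces six findings and the hardened one none.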
  13. Applying basic concepts: set resource limits on containers
    carlos@server01 ~ % # Using 50% of one CPU
    carlos@server01 ~ % docker run -it --cpus=".5" fedora /bin/bash
    [root@314aa5d73b7c /]# exit
    exit
    carlos@server01 ~ % # Using a specific GPU
    carlos@server01 ~ % docker run -it --rm --gpus device=GPU-3a23c669-1f69-c64e-cf85-44e9b07e7a2a ubuntu nvidia-smi
  14. Applying basic concepts: harden the DOCKER_HOST
    • If the server is compromised, the containers are at risk
    • Keep the operating system updated: patches, kernel versions and system software
    • Use purpose-built distributions such as CoreOS and enable features such as SELinux
    • Monitor the server, as well as the containers, for security vulnerabilities
  15. Applying basic concepts: use short-lived containers
    • Containers are presumed to be more secure than traditional development practices
    • They are designed to be lightweight and short-lived
    • Instead, developers use them like a server, with few updates
    • Minimize the number of files stored in the container and refresh it frequently
  16. Running supporting technologies ✅
    Carlos identifies two technologies that would let him improve the state of his Docker server even further:
    • Auditing with Docker Bench
    • Vulnerability scanning with Docker Scan
    Honourable mentions: Clair, Cilium, Anchore, OpenSCAP, Dagda, Notary, Grafeas, InSpec
  17. Running supporting technologies ✅: auditing with Docker Bench
    carlos@server01 docker-bench-security % ./docker-bench-security.sh
    # ------------------------------------------------------------------------------
    # Docker Bench for Security v1.3.5
    #
    # Docker, Inc. (c) 2015-
    #
    # Checks for dozens of common best-practices around deploying Docker containers in production.
    # Inspired by the CIS Docker Benchmark v1.2.0.
    # ------------------------------------------------------------------------------
    [WARN] Some tests might require root to run
    Initializing Sat Jan 30 02:21:11 EST 2021
    [INFO] 1 - Host Configuration
    [INFO] 1.1 - General Configuration
    [NOTE] 1.1.1 - Ensure the container host has been Hardened (Not Scored)
    date: illegal time format
    usage: date [-jnRu] [-d dst] [-r seconds] [-t west] [-v[+|-]val[ymwdHMS]] ...
                [-f fmt date | [[[mm]dd]HH]MM[[cc]yy][.ss]] [+format]
    ./helper_lib.sh: line 19: [: : integer expression expected
    ./helper_lib.sh: line 20: [: : integer expression expected
    [PASS] 1.1.2 - Ensure that the version of Docker is up to date (Not Scored)
    [INFO] * Using 20.10.2 which is current
    [INFO] * Check with your operating system vendor for support and security maintenance for Docker
  18. Running supporting technologies ✅: auditing with Docker Bench
    [INFO] 1.2 - Linux Hosts Specific Configuration
    [WARN] 1.2.1 - Ensure a separate partition for containers has been created (Scored)
    [INFO] 1.2.2 - Ensure only trusted users are allowed to control Docker daemon (Scored)
    [WARN] 1.2.3 - Ensure auditing is configured for the Docker daemon (Scored)
    [INFO] 1.2.4 - Ensure auditing is configured for Docker files and directories - /var/lib/docker (Scored)
    [INFO] * Directory not found
    [INFO] 1.2.5 - Ensure auditing is configured for Docker files and directories - /etc/docker (Scored)
    [INFO] * Directory not found
    [INFO] 1.2.6 - Ensure auditing is configured for Docker files and directories - docker.service (Scored)
    [INFO] * File not found
    [INFO] 1.2.7 - Ensure auditing is configured for Docker files and directories - docker.socket (Scored)
    [INFO] * File not found
    [INFO] 1.2.8 - Ensure auditing is configured for Docker files and directories - /etc/default/docker (Scored)
    [INFO] * File not found
    [INFO] 1.2.9 - Ensure auditing is configured for Docker files and directories - /etc/sysconfig/docker (Scored)
    [INFO] * File not found
    [INFO] 1.2.10 - Ensure auditing is configured for Docker files and directories - /etc/docker/daemon.json (Scored)
    [INFO] * File not found
    [INFO] 1.2.11 - Ensure auditing is configured for Docker files and directories - /usr/bin/containerd (Scored)
    [INFO] * File not found
    [INFO] 1.2.12 - Ensure auditing is configured for Docker files and directories - /usr/sbin/runc (Scored)
    [INFO] * File not found
  19. Running supporting technologies ✅: auditing with Docker Bench
    [INFO] 2 - Docker daemon configuration
    [WARN] 2.1 - Ensure network traffic is restricted between containers on the default bridge (Scored)
    [PASS] 2.2 - Ensure the logging level is set to 'info' (Scored)
    [PASS] 2.3 - Ensure Docker is allowed to make changes to iptables (Scored)
    [PASS] 2.4 - Ensure insecure registries are not used (Scored)
    [PASS] 2.5 - Ensure aufs storage driver is not used (Scored)
    [INFO] 2.6 - Ensure TLS authentication for Docker daemon is configured (Scored)
    [INFO] * Docker daemon not listening on TCP
    [INFO] 2.7 - Ensure the default ulimit is configured appropriately (Not Scored)
    [INFO] * Default ulimit doesn't appear to be set
    [WARN] 2.8 - Enable user namespace support (Scored)
    [WARN] 2.9 - Ensure the default cgroup usage has been confirmed (Scored)
    [INFO] * Confirm cgroup usage
    [PASS] 2.10 - Ensure base device size is not changed until needed (Scored)
    [WARN] 2.11 - Ensure that authorization for Docker client commands is enabled (Scored)
    [WARN] 2.12 - Ensure centralized and remote logging is configured (Scored)
    [WARN] 2.13 - Ensure live restore is enabled (Scored)
    [WARN] 2.14 - Ensure Userland Proxy is Disabled (Scored)
    [PASS] 2.15 - Ensure that a daemon-wide custom seccomp profile is applied if appropriate (Not Scored)
    [INFO] Ensure that experimental features are not implemented in production (Scored) (Deprecated)
    [WARN] 2.17 - Ensure containers are restricted from acquiring new privileges (Scored)
  20. Running supporting technologies ✅: auditing with Docker Bench
    [INFO] 3 - Docker daemon configuration files
    [INFO] 3.1 - Ensure that the docker.service file ownership is set to root:root (Scored)
    [INFO] * File not found
    [INFO] 3.2 - Ensure that docker.service file permissions are appropriately set (Scored)
    ...
    [WARN] 3.16 - Ensure that the Docker socket file permissions are set to 660 or more restrictively (Scored)
    [WARN] * Wrong permissions for /var/run/docker.sock
    [INFO] 3.17 - Ensure that the daemon.json file ownership is set to root:root (Scored)
    [INFO] * File not found
    ...
    [INFO] 3.22 - Ensure that the /etc/default/docker file permissions are set to 644 or more restrictively (Scored)
    [INFO] * File not found
    [INFO] 4 - Container Images and Build File
    [WARN] 4.1 - Ensure that a user for the container has been created (Scored)
    [WARN] * Running as root: k8s_POD_etcd-docker-desktop_kube-system_c7cc6a3c3118f127f5fd469ef69477e0_1
    [NOTE] 4.2 - Ensure that containers use only trusted base images (Not Scored)
    [NOTE] 4.3 - Ensure that unnecessary packages are not installed in the container (Not Scored)
    [NOTE] 4.4 - Ensure images are scanned and rebuilt to include security patches (Not Scored)
    [WARN] 4.5 - Ensure Content trust for Docker is Enabled (Scored)
    [WARN] 4.6 - Ensure that HEALTHCHECK instructions have been added to container images (Scored)
    [WARN] * No Healthcheck found: [dojo-meetup16:latest]
  21. Running supporting technologies ✅: auditing with Docker Bench
    [INFO] 4.7 - Ensure update instructions are not use alone in the Dockerfile (Not Scored)
    [INFO] * Update instruction found: [dojo-meetup16:latest]
    [NOTE] 4.8 - Ensure setuid and setgid permissions are removed (Not Scored)
    [INFO] 4.9 - Ensure that COPY is used instead of ADD in Dockerfiles (Not Scored)
    [INFO] * ADD in image history: [fedora:latest]
    [NOTE] 4.10 - Ensure secrets are not stored in Dockerfiles (Not Scored)
    [NOTE] 4.11 - Ensure only verified packages are are installed (Not Scored)
    [INFO] 5 - Container Runtime
    [WARN] 5.1 - Ensure that, if applicable, an AppArmor Profile is enabled (Scored)
    [WARN] * No AppArmorProfile Found: k8s_POD_kube-scheduler-docker-desktop_kube-system_ee4c94eb845abf1878fb3c4c489b1365_1
    [PASS] 5.2 - Ensure that, if applicable, SELinux security options are set (Scored)
    [PASS] 5.3 - Ensure that Linux kernel capabilities are restricted within containers (Scored)
    [WARN] 5.4 - Ensure that privileged containers are not used (Scored)
    [WARN] * Container running in Privileged mode: k8s_kube-proxy_kube-proxy-59rjj_kube-system_320058af-6cf6-4ead-811b-6b1acd620489_1
    [PASS] 5.5 - Ensure sensitive host system directories are not mounted on containers (Scored)
    [PASS] 5.6 - Ensure sshd is not run within containers (Scored)
    [PASS] 5.7 - Ensure privileged ports are not mapped within containers (Scored)
    [NOTE] 5.8 - Ensure that only needed ports are open on the container (Not Scored)
    [WARN] 5.9 - Ensure that the host's network namespace is not shared (Scored)
    [WARN] * Container running with networking mode 'host': k8s_POD_kube-proxy-59rjj_kube-system_320058af-6cf6-4ead-811b-6b1acd620489_1
  22. Running supporting technologies ✅: auditing with Docker Bench
    [WARN] 5.10 - Ensure that the memory usage for containers is limited (Scored)
    [WARN] * Container running without memory restrictions: k8s_storage-provisioner_storage-provisioner_kube-system_12bba6fb-f8e8-4778-9a2e-34b55291ad2a_2
    [PASS] 5.11 - Ensure that CPU priority is set appropriately on containers (Scored)
    [WARN] 5.12 - Ensure that the container's root filesystem is mounted as read only (Scored)
    [WARN] * Container running with root FS mounted R/W: k8s_storage-provisioner_storage-provisioner_kube-system_12bba6fb-f8e8-4778-9a2e-34b55291ad2a_2
    [PASS] 5.13 - Ensure that incoming container traffic is bound to a specific host interface (Scored)
    [WARN] 5.14 - Ensure that the 'on-failure' container restart policy is set to '5' (Scored)
    [WARN] * MaximumRetryCount is not set to 5: k8s_storage-provisioner_storage-provisioner_kube-system_12bba6fb-f8e8-4778-9a2e-34b55291ad2a_2
    [PASS] 5.15 - Ensure that the host's process namespace is not shared (Scored)
    [PASS] 5.16 - Ensure that the host's IPC namespace is not shared (Scored)
    [PASS] 5.17 - Ensure that host devices are not directly exposed to containers (Not Scored)
    [INFO] 5.18 - Ensure that the default ulimit is overwritten at runtime if needed (Not Scored)
    [INFO] * Container no default ulimit override: k8s_storage-provisioner_storage-provisioner_kube-system_12bba6fb-f8e8-4778-9a2e-34b55291ad2a_2
    [PASS] 5.19 - Ensure mount propagation mode is not set to shared (Scored)
    [WARN] 5.20 - Ensure that the host's UTS namespace is not shared (Scored)
    [WARN] * Host UTS namespace being shared with: k8s_kube-proxy_kube-proxy-59rjj_kube-system_320058af-6cf6-4ead-811b-6b1acd620489_1
  23. Running supporting technologies ✅: auditing with Docker Bench
    [WARN] 5.21 - Ensure the default seccomp profile is not Disabled (Scored)
    [WARN] * Default seccomp profile disabled: k8s_storage-provisioner_storage-provisioner_kube-system_12bba6fb-f8e8-4778-9a2e-34b55291ad2a_2
    [NOTE] 5.22 - Ensure that docker exec commands are not used with the privileged option (Scored)
    [NOTE] 5.23 - Ensure that docker exec commands are not used with the user=root option (Not Scored)
    [WARN] 5.24 - Ensure that cgroup usage is confirmed (Scored)
    [WARN] * Confirm cgroup usage: k8s_storage-provisioner_storage-provisioner_kube-system_12bba6fb-f8e8-4778-9a2e-34b55291ad2a_2
    [WARN] 5.25 - Ensure that the container is restricted from acquiring additional privileges (Scored)
    [WARN] * Privileges not restricted: k8s_storage-provisioner_storage-provisioner_kube-system_12bba6fb-f8e8-4778-9a2e-34b55291ad2a_2
    [WARN] 5.26 - Ensure that container health is checked at runtime (Scored)
    [WARN] * Health check not set: k8s_storage-provisioner_storage-provisioner_kube-system_12bba6fb-f8e8-4778-9a2e-34b55291ad2a_2
    [INFO] 5.27 - Ensure that Docker commands always make use of the latest version of their image (Not Scored)
    [WARN] 5.28 - Ensure that the PIDs cgroup limit is used (Scored)
    [WARN] * PIDs limit not set: k8s_storage-provisioner_storage-provisioner_kube-system_12bba6fb-f8e8-4778-9a2e-34b55291ad2a_2
    [PASS] 5.29 - Ensure that Docker's default bridge docker0 is not used (Not Scored)
    [PASS] 5.30 - Ensure that the host's user namespaces are not shared (Scored)
    [PASS] 5.31 - Ensure that the Docker socket is not mounted inside any containers (Scored)
  24. Running supporting technologies ✅: auditing with Docker Bench
    [INFO] 6 - Docker Security Operations
    [INFO] 6.1 - Ensure that image sprawl is avoided (Not Scored)
    [INFO] * There are currently: 61 images
    [INFO] 6.2 - Ensure that container sprawl is avoided (Not Scored)
    [INFO] * There are currently a total of 51 containers, with only 18 of them currently running
    [INFO] 7 - Docker Swarm Configuration
    [PASS] 7.1 - Ensure swarm mode is not Enabled, if not needed (Scored)
    [PASS] 7.2 - Ensure that the minimum number of manager nodes have been created in a swarm (Scored) (Swarm mode not enabled)
    [PASS] 7.3 - Ensure that swarm services are bound to a specific host interface (Scored) (Swarm mode not enabled)
    [PASS] 7.4 - Ensure that all Docker swarm overlay networks are encrypted (Scored)
    [PASS] 7.5 - Ensure that Docker's secret management commands are used for managing secrets in a swarm cluster (Not Scored) (Swarm mode not enabled)
    [PASS] 7.6 - Ensure that swarm manager is run in auto-lock mode (Scored) (Swarm mode not enabled)
    [PASS] 7.7 - Ensure that the swarm manager auto-lock key is rotated periodically (Not Scored) (Swarm mode not enabled)
    [PASS] 7.8 - Ensure that node certificates are rotated as appropriate (Not Scored) (Swarm mode not enabled)
    [PASS] 7.9 - Ensure that CA certificates are rotated as appropriate (Not Scored) (Swarm mode not enabled)
    [PASS] 7.10 - Ensure that management plane traffic is separated from data plane traffic (Not Scored) (Swarm mode not enabled)
  25. Running supporting technologies ✅: auditing with Docker Bench
    [INFO] 8 - Docker Enterprise Configuration
    [INFO] * Community Engine license, skipping section 8
    [INFO] Checks: 107
    [INFO] Score: 4
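A 107-check report with a score of 4, like the one on the slides above, is hard to act on by reading it top to bottom. As an added example that is not part of the talk, the POSIX shell functions below summarise a docker-bench-security report: check counts per level, the WARN checks with their titles, which containers are flagged most often, and a CI-style gate on the number of scored warnings. The function names are constructed, and the sample report is a constructed excerpt modelled on the slides with made-up container names.

```shell
#!/bin/sh
# Summarise the plain-text output of docker-bench-security.sh.
# POSIX shell, grep, awk, sort and uniq only.

# bench_count FILE LEVEL: number of numbered checks reported at LEVEL
# (PASS, WARN, INFO or NOTE). Detail lines such as "[WARN] * ..." are not counted.
bench_count() {
    grep -cE "^\[$2\] [0-9]+(\.[0-9]+)+ - " "$1" || true
}

# bench_warnings FILE: id and title of every WARN check, one per line.
bench_warnings() {
    awk '$1 == "[WARN]" && $2 ~ /^[0-9]+(\.[0-9]+)+$/ {
        line = $0
        sub(/^\[WARN\] /, "", line)
        sub(/ \((Not )?Scored\)$/, "", line)
        print line
    }' "$1"
}

# bench_offenders FILE: containers named in WARN detail lines, most-flagged first.
# The container name is whatever follows the last ": " on the line.
bench_offenders() {
    awk '$1 == "[WARN]" && $2 == "*" {
        n = split($0, parts, ": ")
        print parts[n]
    }' "$1" | sort | uniq -c | sort -rn
}

# bench_gate FILE MAX: succeed only if at most MAX scored checks are WARN,
# so a pipeline can fail when the host regresses.
bench_gate() {
    n=$(grep -cE '^\[WARN\] [0-9]+(\.[0-9]+)+ - .*\(Scored\)$' "$1" || true)
    [ "$n" -le "$2" ]
}

# bench_sample: writes a constructed report excerpt to a temp file and prints its path.
bench_sample() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
[INFO] 1 - Host Configuration
[PASS] 1.1.2 - Ensure that the version of Docker is up to date (Not Scored)
[WARN] 1.2.1 - Ensure a separate partition for containers has been created (Scored)
[INFO] 1.2.2 - Ensure only trusted users are allowed to control Docker daemon (Scored)
[WARN] 2.8 - Enable user namespace support (Scored)
[PASS] 2.10 - Ensure base device size is not changed until needed (Scored)
[WARN] 4.1 - Ensure that a user for the container has been created (Scored)
[WARN] * Running as root: demo_web_1
[NOTE] 4.2 - Ensure that containers use only trusted base images (Not Scored)
[WARN] 5.4 - Ensure that privileged containers are not used (Scored)
[WARN] * Container running in Privileged mode: demo_agent_1
[WARN] 5.10 - Ensure that the memory usage for containers is limited (Scored)
[WARN] * Container running without memory restrictions: demo_web_1
[WARN] 5.12 - Ensure that the container's root filesystem is mounted as read only (Scored)
[WARN] * Container running with root FS mounted R/W: demo_web_1
[WARN] * Container running with root FS mounted R/W: demo_agent_1
[PASS] 5.31 - Ensure that the Docker socket is not mounted inside any containers (Scored)
[INFO] Checks: 16
[INFO] Score: 0
EOF
    echo "$f"
}

# Stand-alone demo on the constructed report.
report=$(bench_sample)
echo "PASS: $(bench_count "$report" PASS)  WARN: $(bench_count "$report" WARN)"
echo "Warnings:"; bench_warnings "$report"
echo "Most-flagged containers:"; bench_offenders "$report"
bench_gate "$report" 0 || echo "Gate failed: scored warnings remain"
rm -f "$report"
```

On a real host, run `./docker-bench-security.sh > bench.txt` and pass `bench.txt` to the functions; `bench_offenders` is the quickest way to see which container to fix first.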
  26. Running supporting technologies ✅: vulnerability scanning with Docker Scan
    carlos@server01 docker-bench-security % docker scan hello-world

    Testing hello-world...

    Organization:      bancoimportante
    Package manager:   linux
    Project name:      docker-image|hello-world
    Docker image:      hello-world
    Platform:          linux/amd64
    Licenses:          enabled

    ✓ Tested hello-world for known issues, no vulnerable paths found.

    Note that we do not currently have vulnerability data for your image.
  27. Running supporting technologies ✅: vulnerability scanning with Docker Scan
    carlos@server01 ~ % docker scan --file Dockerfile docker-scan:e2e

    Testing docker-scan:e2e...

    ✗ High severity vulnerability found in perl
      Description: Integer Overflow or Wraparound
      Info: https://snyk.io/vuln/SNYK-DEBIAN10-PERL-570802
      Introduced through: git@1:2.20.1-2+deb10u3, meta-common-packages@meta
      From: git@1:2.20.1-2+deb10u3 > [email protected]
      From: git@1:2.20.1-2+deb10u3 > [email protected] > [email protected]
      and 4 more...
      Introduced by your base image (golang:1.14.6)

    Organization:      bancoimportante
    Target file:       Dockerfile
    Project name:      docker-image|99138c65ebc7
    Docker image:      99138c65ebc7
    Base image:        golang:1.14.6
    Licenses:          enabled

    Tested 200 dependencies for known issues, found 157 issues.

    According to our scan, you are currently using the most secure version of the selected base image.
  28. Running supporting technologies ✅: vulnerability scanning with Docker Scan
    carlos@server01 ~ % docker scan --json --group-issues docker-scan:e2e
    {
      {
        "title": "Improper Check for Dropped Privileges",
        ...
        "packageName": "bash",
        "language": "linux",
        "packageManager": "debian:10",
        "description": "## Overview\nAn issue was discovered in disable_priv_mode in shell.c in GNU Bash through 5.0 patch 11. By default, if Bash is run with its effective UID not equal to its real UID, it will drop privileges by setting its effective UID to its real UID. However, it does so incorrectly. On Linux and other systems that support \"saved UID\" functionality, the saved UID is not dropped. An attacker with command execution in the shell can use \"enable -f\" for runtime loading of a new builtin, which can be a shared object that calls setuid() and therefore regains privileges. However, binaries running with an effective UID of 0 are unaffected.\n\n## References\n- [CONFIRM](https://security.netapp.com/advisory/ntap-20200430-0003/)\n- [Debian Security Tracker](https://security-tracker.debian.org/tracker/CVE-2019-18276)\n- [GitHub Commit](https://github.com/bminor/bash/commit/951bdaad7a18cc0dc1036bba86b18b90874d39ff)\n- [MISC](http://packetstormsecurity.com/files/155498/Bash-5.0-Patch-11-Privilege-Escalation.html)\n- [MISC](https://www.youtube.com/watch?v=-wGtxJ8opa8)\n- [Ubuntu CVE Tracker](http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-18276)\n",
        "identifiers": {
          "ALTERNATIVE": [],
          "CVE": [ "CVE-2019-18276" ],
          "CWE": [ "CWE-273" ]
        },
        "severity": "low",
        "severityWithCritical": "low",
        "cvssScore": 7.8,
        "CVSSv3": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:F",
        ...
  29. A short summary ✏
    1. Keep Docker up to date
    2. Limit the users who can control the Docker daemon
    3. Have auditing for the Docker daemon and its files
    4. Secure permissions on files and directories
    5. Use a Docker Registry with a certificate (ideally TLS)
    6. Prevent containers from acquiring new privileges
    7. Run containers as a non-root user
    8. Use certified base images when building
    9. Use minimal images
    10. Implement an image governance policy
  30. A short summary ✏
    11. Build a clear workflow
    12. Do not store secrets in Dockerfiles
    13. Remove capabilities that containers do not need
    14. Do not run containers with --privileged
    15. Do not mount sensitive directories into containers
    16. Do not allow sshd in containers
    17. Do not map ports below 1024 to containers
    18. Specify the amount of memory and CPU needed
    19. Set the root filesystem read-only
    20. Impose PID limits
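Items 13 to 20 above are all visible in the `HostConfig` of a running container, so they can be verified without Docker Bench. As an added example that is not part of the talk, the POSIX shell script below audits one container's `docker inspect` output for those items and reports each finding with the Docker Bench check it corresponds to. It assumes the default pretty-printed JSON layout of `docker inspect <container>` (one key per line, arrays one item per line) and uses awk instead of jq so it runs on a bare host; the function names are constructed, and the two sample documents are constructed excerpts trimmed to the keys the audit reads.

```shell
#!/bin/sh
# Audit one container's `docker inspect` output for summary items 13-20
# (capabilities, --privileged, memory/CPU, read-only root FS, PID limit,
# no-new-privileges, host namespaces, Docker socket mount, non-root user).
# Assumes docker's default pretty-printed JSON; POSIX shell + awk + grep only.

# json_scalar FILE KEY: value of the first "KEY": <scalar> line, quotes and comma stripped.
json_scalar() {
    awk -v k="\"$2\":" '$1 == k { v = $2; gsub(/[",]/, "", v); print v; exit }' "$1"
}

# json_list FILE KEY: items of the first "KEY": [ ... ] block, one per line (nothing for null or []).
json_list() {
    awk -v k="\"$2\":" '
        $1 == k { if ($2 ~ /^(null|\[\])/) exit; inlist = 1; next }
        inlist && /^[[:space:]]*\]/ { exit }
        inlist { gsub(/[",]/, ""); print $1 }' "$1"
}

# audit_inspect FILE: one finding per line, tagged with the Docker Bench check it maps to.
audit_inspect() {
    f=$1
    [ "$(json_scalar "$f" Privileged)" = "true" ]      && echo "[5.4] container runs with --privileged"
    [ "$(json_scalar "$f" ReadonlyRootfs)" != "true" ] && echo "[5.12] root filesystem is writable"
    [ "$(json_scalar "$f" Memory)" = "0" ]             && echo "[5.10] no memory limit"
    case "$(json_scalar "$f" PidsLimit)" in
        ""|null|0|-1) echo "[5.28] no PIDs limit" ;;
    esac
    [ "$(json_scalar "$f" NetworkMode)" = "host" ]     && echo "[5.9] host network namespace shared"
    [ -z "$(json_scalar "$f" User)" ]                  && echo "[4.1] runs as root (User not set)"
    json_list "$f" SecurityOpt | grep -q '^no-new-privileges' || echo "[5.25] no-new-privileges not set"
    json_list "$f" Binds | grep -q 'docker\.sock' && echo "[5.31] Docker socket mounted inside the container"
    added=$(json_list "$f" CapAdd | tr '\n' ' ')
    [ -n "$added" ] && echo "[5.3] extra capabilities added: $added"
    json_list "$f" CapDrop | grep -q '^ALL$' || echo "[5.3] capabilities not dropped (CapDrop lacks ALL)"
    return 0
}

# inspect_samples: writes two constructed inspect excerpts (the object inside the array
# docker inspect prints, trimmed to the keys read above) into a temp dir and prints the dir.
inspect_samples() {
    d=$(mktemp -d)
    # "before": defaults of a plain docker run, plus --privileged, --net host,
    # --cap-add SYS_ADMIN and the Docker socket bind-mounted
    cat > "$d/bad.json" <<'EOF'
{
  "Config": {
    "User": ""
  },
  "HostConfig": {
    "Binds": [
      "/var/run/docker.sock:/var/run/docker.sock"
    ],
    "NetworkMode": "host",
    "CapAdd": [
      "SYS_ADMIN"
    ],
    "CapDrop": null,
    "Privileged": true,
    "ReadonlyRootfs": false,
    "SecurityOpt": null,
    "Memory": 0,
    "PidsLimit": null
  }
}
EOF
    # "after": the same container started with -u 431:433 --read-only --cap-drop ALL
    # --security-opt no-new-privileges -m 256m --pids-limit 100
    cat > "$d/hardened.json" <<'EOF'
{
  "Config": {
    "User": "431:433"
  },
  "HostConfig": {
    "NetworkMode": "default",
    "CapDrop": [
      "ALL"
    ],
    "Privileged": false,
    "ReadonlyRootfs": true,
    "SecurityOpt": [
      "no-new-privileges"
    ],
    "Memory": 268435456,
    "PidsLimit": 100
  }
}
EOF
    echo "$d"
}

# Stand-alone demo on the constructed samples.
dir=$(inspect_samples)
for j in "$dir/bad.json" "$dir/hardened.json"; do echo "== $j"; audit_inspect "$j"; done
rm -rf "$dir"
```

Against a live daemon, `docker inspect <container> > c.json && audit_inspect c.json` gives the same report; an empty report means the container already satisfies items 13 to 20.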
  31. New changes
    The bank has announced that the application architecture is becoming considerably more complex, so Kubernetes would be used in a hybrid scheme.
  32. Extending the concepts
    Having learned from the previous experience, Carlos extends his action plan to the following:
    • Keep Kubernetes up to date
    • Restrict access to the API and SSH
    • Ensure the use of namespaces
    • Do not run as root
    • Have periodic security reviews
  33. Extending the concepts: keep Kubernetes up to date
    • How to update depends on the service used: Kops, EKS, GKE, AKS
    • Try to be no more than one version behind the latest available
    • Updates fix security vulnerabilities that have been discovered
    • Take advantage of the tools that allow updating without service interruption
  34. Extending the concepts: restrict access to the API and SSH
    • Some services already control access using IAM, RBAC or AD
    • If the cluster does not support that, one of those methods can be set up through open-source projects
    • Restricting access to the API by IP address is also recommended
    • Ideally, allow access only from validated IPs through a VPN, SD-WAN or bastion host
  35. Extending the concepts: ensure the use of namespaces
    ---
    apiVersion: v1
    kind: ServiceAccount
    metadata:
      name: MyDevUser
      namespace: development
    ---
    kind: Role
    # rbac.authorization.k8s.io/v1; the slide used v1beta1, which is deprecated and was removed in Kubernetes 1.22
    apiVersion: rbac.authorization.k8s.io/v1
    metadata:
      name: MyDevUser
      namespace: development
    rules:
    - apiGroups: ["", "extensions", "apps"]
      resources: ["*"]
      verbs: ["*"]   # verbs is mandatory in a Role rule; the slide omits it, ["*"] is assumed here
  36. Extending the concepts: ensure the use of namespaces (continued)
    ---
    kind: RoleBinding
    apiVersion: rbac.authorization.k8s.io/v1
    metadata:
      name: MyDevUser
      namespace: development
    subjects:
    - kind: ServiceAccount
      name: MyDevUser
      namespace: development
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: Role
      name: MyDevUser
  37. Extending the concepts: do not run as root
    apiVersion: v1
    kind: Pod
    metadata:
      name: security-context-demo
    spec:
      securityContext:
        runAsUser: 1000
        runAsGroup: 3000
      containers:
      - name: sec-ctx-demo
        image: busybox
        command: [ "sh", "-c", "sleep 1h" ]
        securityContext:
          allowPrivilegeEscalation: false
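The Pod on the slide above fixes the user and blocks privilege escalation, but a manifest review should also ask for `runAsNonRoot`, a read-only root filesystem, dropped capabilities and resource limits (summary items 14 and 9 below). As an added example that is not part of the talk, the POSIX shell script below checks a single-Pod manifest for those fields with grep and awk; the function names are constructed, the first sample is the slide's own Pod, and the second is a constructed hardened version of it.

```shell
#!/bin/sh
# Line-oriented checks of a single-Pod manifest for the securityContext fields
# that slide 37 sets and the ones it leaves out. POSIX shell + grep + awk only.

# has_drop_all FILE: true if a capabilities "drop:" list contains ALL (block or flow style).
has_drop_all() {
    awk '/drop:/ { if ($0 ~ /ALL/) { f = 1; exit } d = 1; next }
         d && /^[[:space:]]*-/ { if ($0 ~ /ALL/) { f = 1; exit } next }
         d { d = 0 }
         END { exit !f }' "$1"
}

# check_pod FILE: one finding per line, always exits 0.
check_pod() {
    f=$1
    grep -qE '^[[:space:]]*runAsNonRoot:[[:space:]]*true' "$f" || echo "runAsNonRoot: true is not set"
    grep -qE '^[[:space:]]*runAsUser:[[:space:]]*0$' "$f" && echo "runAsUser: 0 (runs as root)"
    grep -qE '^[[:space:]]*allowPrivilegeEscalation:[[:space:]]*false' "$f" || echo "allowPrivilegeEscalation: false is not set"
    grep -qE '^[[:space:]]*privileged:[[:space:]]*true' "$f" && echo "privileged: true"
    grep -qE '^[[:space:]]*host(Network|PID|IPC):[[:space:]]*true' "$f" && echo "host namespace shared"
    grep -qE '^[[:space:]]*readOnlyRootFilesystem:[[:space:]]*true' "$f" || echo "readOnlyRootFilesystem: true is not set"
    grep -qE '^[[:space:]]*limits:' "$f" || echo "no resources.limits (summary item 9)"
    has_drop_all "$f" || echo "capabilities.drop does not include ALL"
    return 0
}

# pod_samples: writes the slide's Pod and a constructed hardened one into a temp dir; prints the dir.
pod_samples() {
    d=$(mktemp -d)
    cat > "$d/slide.yaml" <<'EOF'
apiVersion: v1
kind: Pod
metadata:
  name: security-context-demo
spec:
  securityContext:
    runAsUser: 1000
    runAsGroup: 3000
  containers:
  - name: sec-ctx-demo
    image: busybox
    command: [ "sh", "-c", "sleep 1h" ]
    securityContext:
      allowPrivilegeEscalation: false
EOF
    cat > "$d/hardened.yaml" <<'EOF'
apiVersion: v1
kind: Pod
metadata:
  name: security-context-demo
spec:
  securityContext:
    runAsNonRoot: true
    runAsUser: 1000
    runAsGroup: 3000
    seccompProfile:
      type: RuntimeDefault
  containers:
  - name: sec-ctx-demo
    image: busybox:1.36
    command: [ "sh", "-c", "sleep 1h" ]
    resources:
      limits:
        cpu: "500m"
        memory: "128Mi"
    securityContext:
      allowPrivilegeEscalation: false
      readOnlyRootFilesystem: true
      capabilities:
        drop: ["ALL"]
EOF
    echo "$d"
}

# Stand-alone demo on both manifests.
dir=$(pod_samples)
for m in "$dir/slide.yaml" "$dir/hardened.yaml"; do echo "== $m"; check_pod "$m"; done
rm -rf "$dir"
```

The slide's Pod yields four findings and the hardened one none; `check_pod` on a manifest in a pre-commit hook catches the omissions before an admission controller has to.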
  38. Extending the concepts: have periodic security reviews
    • There should be an external security review
    • It is extremely important that the work done is validated by a third party, mainly when the application handles sensitive data
    • Good practice is to carry out this external review annually and document it properly
  39. A short summary ✏
    1. Use minimal, up-to-date base images
    2. Do not add unnecessary components
    3. Integrate security into the CI/CD pipeline
    4. Flag vulnerabilities that cannot be fixed
    5. Implement defense-in-depth
    6. Use namespaces to isolate sensitive workloads
    7. Use network policies to control traffic between pods and the cluster
    8. Prevent over-permissive access to secrets
    9. Assess the privileges used by containers
    10. Assess the provenance of images
  40. A short summary ✏
    11. Use labels and annotations
    12. Enable Kubernetes RBAC
    13. Leverage the context information Kubernetes provides
    14. Configure security contexts on pods to constrain them
    15. Monitor traffic to limit unnecessary communication
    16. If a breach is detected, scale suspicious pods to zero
    17. Update Kubernetes to new versions
    18. Configure secure access to the API
    19. Secure etcd
    20. Secure the kubelet
  41. Final concerns
    Carlos read in a post on the Kubernetes blog that the project will stop supporting Docker as a Container Runtime Interface (CRI) as of version v1.20.
    https://kubernetes.io/blog/2020/12/02/dont-panic-kubernetes-and-docker/
  42. Now what?
    • Stay on the same version
    • Replace Docker with CRI-O
    • Replace Docker with Podman
    • Replace Kubernetes with OpenShift
    • Use Mirantis Kubernetes Engine
    • Use a platform as a service (EKS, AKS, GKE)
  43. Questions and Answers - DOCKER SECURITY BEST PRACTICES
    Interested in more information? [email protected] +507-232-9222