
GDG Google Cloud Security Next Ext 19

Multi-party approvals
IAM recommender
RBAC recommender
Cloud Identity
Workload Identity on GKE
GKE Sandbox Beta - gvisor.dev
Container Analysis GA
Binary Authorization GA
Managed TLS certificates

cncf-canada-meetups

May 16, 2019
Transcript

1.

2. Jonathan Pulsifer
   • Staff Infrastructure Security Engineer at Shopify, Kubernetes Product Security Committee Associate, and Google Developer Expert for Google Cloud Platform
   • Previously a SIGINT Cyber Sailor from the Canadian Forces Network Operations Centre and SANS Instructor
   • @jonpulsifer on the internet
3. The GCP Security Ecosystem
   Logging & Monitoring: Cloud Security Command Center, Stackdriver, Logs, Forseti
   Control Plane: VPC Service Controls, Shared VPC, Firewalls, Org Policies
   Access Path: Cloud Identity, IAM, IAP, Context Aware Access, Security Keys, Built-in Infrastructure Security
   Data Path: Default Encryption (Rest/Transit), KMS/CMEK/HSM, DLP, Dedicated Interconnect, Cloud Armor, Built-in Infrastructure Security
   Diagram labels: On-Premises Apps, Internet-Facing Apps, Cloud Armor, Dedicated Interconnect, IAP, Shared VPCs, VPC Service Controls, Cloud Security Command Center, Firewall, Cloud NAT, IAM, Org Policies, DLP, CSS, Forseti, Audit Logs, Firewall Logs, Stackdriver Sync, VPC Flow Logs, Stackdriver Monitoring, BigQuery, KMS/CMEK/HSM, New for 2019 - Stuff N Things, Built-in Infrastructure Security, Context Aware/SK, Identities, Partners, Cloud Identity
4. @jonpulsifer’s favourite announcements
   01 Workload Identity on GKE
     1. Service Accounts are hard
     2. tl;dr enables OIDC provider for GKE clusters
     3. Bridges the GCP project and Kubernetes PKI
     4. Is awesome :)
   02 Policy and IAM
     • Multi-party approvals
     • IAM recommender
     • RBAC recommender
     • Cloud Identity
       ◦ FINALLY
       ◦ LDAP all the things
   03 Container Security
     1. GKE Sandbox Beta - gvisor.dev
     2. Container Analysis GA
     3. Binary Authorization GA
     4. Managed TLS certificates
5. The Shopify platform includes more than 50 GKE clusters used to power over 800,000 businesses in approximately 175 countries and is trusted by brands such as Unilever, Kylie Cosmetics, Allbirds, MVMT, and many more
   Diagram labels (Shopify Build pipeline): ServicesDB, Create Service, Generate PR, Approve and merge, Create Features, Container Registry, Push, Pull, kubernetes-deploy, CloudBuddies (Kubernetes controllers), Create custom resource or deployments, Watch for custom resource, API calls, Google Cloud Platform, Other GCP services, Ground Control (service robot), Webhook, Cloud IAM, Creates namespace and secrets, Shopify Build
6. Ground Control to developers...
   1. Initializes Kubernetes namespace inside a cluster
   2. Generates encrypted JSON (ejson) keypair
   3. Creates GCP service account identity and stores it in a Kubernetes secret
7. Keeping the cloud fluffy at Shopify
   NetPolbuddy: Ensures Kubernetes network policy objects are in place
   RBACbuddy: Ensures our Kubernetes RBAC policies are applied and up to date
   Bucketbuddy: Provisions GCS buckets and manages their IAM permissions
   Accountabilibuddy: Grants IAM bindings for GCP service accounts and stores them in a ConfigMap
   Illustrations by David Neal @reverentgeek
9. Demystifying Google Service Accounts (GSA)
   01 Two types of service accounts
     1. Google managed GSAs are created and managed by Google and assigned to your project automagically
     2. User-managed GSAs include new service accounts and the Compute Engine default service account
   02 Keys are not well understood
     • Contains a security thingy
     • Documentation says do this:
       env:
       - name: GOOGLE_APPLICATION_CREDENTIALS
         value: /path/to/creds.json
     • It works! Thanks!
       shopifam [1:05 PM] left #help-infrasec
   03 Keys are unreasonably hard to manage
     You need these processes:
     1. Experience managing a PKI
     2. Key storage
     3. Key distribution
     4. Key revocation
     5. Key rotation
     6. Protecting the keys from unauthorized users
     7. Key recovery
     8. …
10. This stuff isn’t easy.
   1. User managed GSA credentials live forever
     ◦ 10 years is forever in cloud years
       ▪ Who has the keys?
     ◦ Is actually 2048 bit RSA key pair
       ▪ CN=uniqueId
   2. 1,000 GSAs per project
     ◦ Who would ever do that?
       ▪ We DoS IAM :(
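Slides 9 and 10 make two points that are easy to check in practice: the file that GOOGLE_APPLICATION_CREDENTIALS points at is a long-lived RSA private key, and user-managed keys default to a ten-year lifetime that nobody rotates. The script below is an added example, not code from the deck or from Shopify. It assumes the field names of the IAM ServiceAccountKey resource as returned by `gcloud iam service-accounts keys list --format=json` (name, keyType, keyAlgorithm, validAfterTime, validBeforeTime); the project name, key ids, timestamps, the 90-day rotation threshold and the key file contents are all constructed for the example.

```python
"""Audit a Google service-account (GSA) key listing for long-lived, user-managed keys.

Added example, not part of the deck. Input is the JSON shape returned by
  gcloud iam service-accounts keys list --iam-account <GSA> --format=json
plus a key file of the kind GOOGLE_APPLICATION_CREDENTIALS points at.
Every sample record below is constructed; none is a real project or key.
"""
import json
from datetime import datetime, timedelta, timezone

# Constructed sample key listing for one GSA (project and key ids are made up).
GSA = "app@example-project.iam.gserviceaccount.com"
KEY_PREFIX = "projects/example-project/serviceAccounts/" + GSA + "/keys/"
SAMPLE_KEY_LISTING = json.dumps([
    {   # Google-managed key: Google rotates it, short validity window
        "name": KEY_PREFIX + "aaaa1111",
        "keyAlgorithm": "KEY_ALG_RSA_2048",
        "keyType": "SYSTEM_MANAGED",
        "validAfterTime": "2019-05-01T00:00:00Z",
        "validBeforeTime": "2019-05-15T00:00:00Z",
    },
    {   # User-managed key minted in 2017 with the default ten-year lifetime
        "name": KEY_PREFIX + "bbbb2222",
        "keyAlgorithm": "KEY_ALG_RSA_2048",
        "keyType": "USER_MANAGED",
        "validAfterTime": "2017-01-10T00:00:00Z",
        "validBeforeTime": "2027-01-08T00:00:00Z",
    },
    {   # User-managed key minted two weeks before the fixed "now" used below
        "name": KEY_PREFIX + "cccc3333",
        "keyAlgorithm": "KEY_ALG_RSA_2048",
        "keyType": "USER_MANAGED",
        "validAfterTime": "2019-05-01T00:00:00Z",
        "validBeforeTime": "2029-04-29T00:00:00Z",
    },
])

# Constructed sample key file; the private key body is a placeholder, not key material.
SAMPLE_KEY_FILE = json.dumps({
    "type": "service_account",
    "project_id": "example-project",
    "private_key_id": "bbbb2222",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "client_email": GSA,
    "client_id": "123456789012345678901",
})

# The deck's date, used as a fixed "now" so the example is reproducible offline.
DECK_DATE = datetime(2019, 5, 16, tzinfo=timezone.utc)
MAX_KEY_AGE = timedelta(days=90)  # assumed rotation policy, not a GCP default


def parse_rfc3339(value):
    """Parse the UTC timestamps the IAM API returns (e.g. 2019-05-01T00:00:00Z)."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def find_stale_user_keys(key_listing_json, now=DECK_DATE, max_age=MAX_KEY_AGE):
    """Return user-managed keys older than max_age, with their age and total lifetime.

    SYSTEM_MANAGED keys are skipped because Google rotates those itself.
    """
    findings = []
    for key in json.loads(key_listing_json):
        if key.get("keyType") != "USER_MANAGED":
            continue
        created = parse_rfc3339(key["validAfterTime"])
        expires = parse_rfc3339(key["validBeforeTime"])
        age = now - created
        if age > max_age:
            findings.append({
                "key_id": key["name"].rsplit("/", 1)[-1],
                "algorithm": key.get("keyAlgorithm"),
                "age_days": age.days,
                "lifetime_days": (expires - created).days,
            })
    return findings


def describe_key_file(key_file_json):
    """Summarise what a GOOGLE_APPLICATION_CREDENTIALS file actually carries.

    The 'private_key' field is the RSA private key itself, and 'client_id' is the
    GSA's uniqueId (the CN the deck mentions), so the file is a credential, not config.
    """
    data = json.loads(key_file_json)
    private_key = data.get("private_key", "")
    return {
        "is_service_account_key": data.get("type") == "service_account",
        "contains_private_key": private_key.startswith("-----BEGIN PRIVATE KEY-----"),
        "key_id": data.get("private_key_id"),
        "unique_id": data.get("client_id"),
        "email": data.get("client_email"),
    }


if __name__ == "__main__":
    for finding in find_stale_user_keys(SAMPLE_KEY_LISTING):
        print("rotate {key_id}: {age_days} days old, valid for {lifetime_days} days".format(**finding))
    print(describe_key_file(SAMPLE_KEY_FILE))
```

Run against a real listing, the stale-key report is the inventory the deck says most teams lack (who has the keys, and for how long), and the key-file summary is what to show a developer who pasted the documented env snippet without realising it ships a ten-year private key. It is also the inventory that motivates the deck's preference for Workload Identity on GKE, which removes the key file from the pod entirely.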