Securing_your_Kubernetes_Cluster_with_eBPF.pptx.pdf

Cloud Native Community

October 16, 2023

Transcript

  1. $ whoami
     • I am Bala, Sr. SRE in Zscaler.
     • I love food, travel and technology.
     • And definitely not an eBPF specialist.
     Disclaimer: All the stunts mentioned are done by a Kubernetes noobie. It is recommended that you use your own expertise.
  2. What is eBPF?
     Extended Berkeley Packet Filter, but eBPF is now much more than a packet filter. eBPF is a kernel technology that lets users programmatically extend kernel capabilities without changing the kernel source code.
  3. Use cases of eBPF
     01 Monitoring and Observability
     02 Performance Profiling and Tracing
     03 Security
     04 Networking
     05 Incident Handling
  4. Why use eBPF in Kubernetes?
     Security Threats: Microservices are inherently more exposed to security vulnerabilities, and detecting threats in real time is crucial to protect customer data and maintain trust.
     Performance Monitoring: Monitor CPU, memory, and I/O metrics at a fine-grained level using eBPF tools and extensions.
     Custom Metrics and Telemetry: Create custom eBPF probes to collect application-specific metrics, such as response times for critical API endpoints or database query performance, without instrumenting the application code.
  5. Vulnerabilities in container technology
     01 Container escapes
     02 Lateral movement
     03 Information disclosure
     04 Network Vulnerabilities
     05 Privilege escalation
  6. Demo time

     $ kubectl create secret generic aws-secret -n crossplane-system \
         --from-file=creds=./aws-credentials.txt

     $ cat <<EOF | kubectl apply -f -
     apiVersion: aws.upbound.io/v1beta1
     kind: ProviderConfig
     metadata:
       name: default
     spec:
       credentials:
         source: Secret
         secretRef:
           namespace: crossplane-system
           name: aws-secret
           key: creds
     EOF
  7. Demo time

     apiVersion: v1
     kind: Pod
     metadata:
       name: aws-pod
     spec:
       # Sharing all three host namespaces is what makes this pod an escape demo.
       hostNetwork: true
       hostPID: true
       hostIPC: true
       containers:
         - name: test-aws
           image: ubuntu:focal
           command: ["sh", "-c"]
           args: ["while true; do sleep 10; done"]
           volumeMounts:
             - mountPath: /host
               name: noderoot
             - mountPath: /mnt/secrets
               name: secret-volume
       serviceAccount: aws-provider-980813234
       serviceAccountName: aws-provider-980813234
       volumes:
         - name: aws-iam-token
           projected:
             sources:
               - serviceAccountToken:
  8. How can we avoid this?

     apiVersion: security.accuknox.com/v1
     kind: KubeArmorPolicy
     metadata:
       name: restrict-host-access
     spec:
       selector:
         matchLabels:
           app: my-app
       process:
         matchPaths:
           - path: /proc/*
       file:
         matchPaths:
           - path: /host-mount
       capabilities:
         restrictedCapabilities:
           - SYS_ADMIN
       custom:
         - name: NoHostNetworking
           matchSyscalls:
             - name: setns
               action: Block
           matchPathCalled:
             - path: /proc/1/ns/
               action: Block
         - name: NoNewPrivileges
           matchSyscalls:
             - name: clone
               action: Block
               args: [CLONE_NEWUSER, CLONE_NEWIPC, CLONE_NEWNET, CLONE_NEWPID, CLONE_NEWNS, CLONE_NEWUTS, CLONE_NEWCGROUP]
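The runtime policy on slide 8 contains the pod from slide 7 after it is already running; the same settings can also be caught at admission or in CI before the pod ever schedules. The Go program below is an added example (not from the deck, Crossplane or KubeArmor) that audits a Pod object in its JSON API form for the host-boundary weakenings the demo relies on: hostNetwork, hostPID, hostIPC, hostPath volumes, privileged containers and added SYS_ADMIN/ALL capabilities. The two embedded manifests are constructed; the risky one follows the slide's aws-pod, but its volume list was cut off in the transcript, so the hostPath root volume and the SYS_ADMIN grant are assumptions made to exercise every check.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Minimal subset of the Pod API the audit needs. JSON field names match the
// Kubernetes schema, so a real admission-review object unmarshals into it.
type Pod struct {
	Metadata struct {
		Name string `json:"name"`
	} `json:"metadata"`
	Spec struct {
		HostNetwork bool `json:"hostNetwork"`
		HostPID     bool `json:"hostPID"`
		HostIPC     bool `json:"hostIPC"`
		Containers  []struct {
			Name            string `json:"name"`
			SecurityContext *struct {
				Privileged   *bool `json:"privileged"`
				Capabilities *struct {
					Add []string `json:"add"`
				} `json:"capabilities"`
			} `json:"securityContext"`
		} `json:"containers"`
		Volumes []struct {
			Name     string `json:"name"`
			HostPath *struct {
				Path string `json:"path"`
			} `json:"hostPath"`
		} `json:"volumes"`
	} `json:"spec"`
}

// AuditPod returns one finding for every setting that lets the pod reach past
// its own namespaces onto the node. An empty result means none were present.
func AuditPod(raw []byte) ([]string, error) {
	var pod Pod
	if err := json.Unmarshal(raw, &pod); err != nil {
		return nil, fmt.Errorf("pod manifest: %w", err)
	}
	var out []string
	add := func(format string, a ...interface{}) { out = append(out, fmt.Sprintf(format, a...)) }
	if pod.Spec.HostNetwork {
		add("hostNetwork: shares the node's network namespace")
	}
	if pod.Spec.HostPID {
		add("hostPID: can see and signal every process on the node")
	}
	if pod.Spec.HostIPC {
		add("hostIPC: shares the node's IPC namespace")
	}
	for _, v := range pod.Spec.Volumes {
		if v.HostPath != nil {
			add("volume %q: hostPath %s exposes the node filesystem", v.Name, v.HostPath.Path)
		}
	}
	for _, c := range pod.Spec.Containers {
		sc := c.SecurityContext
		if sc == nil {
			continue
		}
		if sc.Privileged != nil && *sc.Privileged {
			add("container %q: privileged", c.Name)
		}
		if sc.Capabilities != nil {
			for _, name := range sc.Capabilities.Add {
				if name == "SYS_ADMIN" || name == "ALL" {
					add("container %q: adds capability %s", c.Name, name)
				}
			}
		}
	}
	return out, nil
}

// Constructed sample after the deck's demo pod; the slide's volume list was cut
// off, so the hostPath root volume and the SYS_ADMIN grant are assumptions.
const RiskyPodJSON = `{
  "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "aws-pod"},
  "spec": {
    "hostNetwork": true, "hostPID": true, "hostIPC": true,
    "containers": [{
      "name": "test-aws", "image": "ubuntu:focal",
      "securityContext": {"capabilities": {"add": ["SYS_ADMIN"]}},
      "volumeMounts": [{"mountPath": "/host", "name": "noderoot"}]
    }],
    "volumes": [{"name": "noderoot", "hostPath": {"path": "/"}}]
  }
}`

// Constructed baseline that keeps every host boundary intact.
const SafePodJSON = `{
  "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "quiet-pod"},
  "spec": {"containers": [{"name": "app", "image": "ubuntu:focal",
    "securityContext": {"allowPrivilegeEscalation": false,
                        "capabilities": {"drop": ["ALL"]}}}]}
}`

func main() {
	for _, m := range []string{RiskyPodJSON, SafePodJSON} {
		findings, err := AuditPod([]byte(m))
		if err != nil {
			panic(err)
		}
		fmt.Printf("%d finding(s)\n", len(findings))
		for _, f := range findings {
			fmt.Println("  -", f)
		}
	}
}
```

Run against the constructed aws-pod the audit reports five findings (the three shared host namespaces, the hostPath volume, and the SYS_ADMIN grant) and none against the baseline pod. Each finding maps to a control on slide 8: the namespace flags and the setns/clone blocks, the hostPath mount and the /host-mount file rule, SYS_ADMIN and restrictedCapabilities.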