Save 37% off PRO during our Black Friday Sale! »

ContainerDays Hamburg 2019: Continuous Security with Kubernetes

7c6a033dd957d547b49630f626e1a143?s=47 Chris Van Tuin
June 26, 2019
Technology
0
72

ContainerDays Hamburg 2019: Continuous Security with Kubernetes

7c6a033dd957d547b49630f626e1a143?s=128

Chris Van Tuin

June 26, 2019
Tweet

More Decks by Chris Van Tuin

See All by Chris Van Tuin
7c6a033dd957d547b49630f626e1a143?s=48 cvantuin
0
59
7c6a033dd957d547b49630f626e1a143?s=48 cvantuin
0
14
7c6a033dd957d547b49630f626e1a143?s=48 cvantuin
0
31
7c6a033dd957d547b49630f626e1a143?s=48 cvantuin
0
7
7c6a033dd957d547b49630f626e1a143?s=48 cvantuin
0
16
7c6a033dd957d547b49630f626e1a143?s=48 cvantuin
0
20
7c6a033dd957d547b49630f626e1a143?s=48 cvantuin
0
16
7c6a033dd957d547b49630f626e1a143?s=48 cvantuin
0
40
7c6a033dd957d547b49630f626e1a143?s=48 cvantuin
0
100

Other Decks in Technology

See All in Technology
3499a1d71fa70b8ee44816ca9e7329fe?s=48 bells17
0
320
8d80af14296180866264212adbfb587e?s=48 godan
0
160
590fe37e032309f0f2657135085e395d?s=48 kmotohas
0
410
140494d272a4d89883a94fdfdb29dea2?s=48 oracle4engineer
PRO
0
110
91f6ef52b846ca5f00325b05f3e3547d?s=48 cola119
3
1k
4bd69b0ec8e5731a5332ee100ad8fb6d?s=48 entaku
1
710
5ad40ebf0de566a519067153e6e85a41?s=48 nkajihara
0
140
7a29c02251394fc05ebd88c631c562dc?s=48 takufujii
0
170
7a29c02251394fc05ebd88c631c562dc?s=48 takufujii
0
340
D8d463da5ab4a99265ffc1d12e76cbc9?s=48 sagara
0
110
A60224e356e52f631bec70bc9df52889?s=48 empitsu
2
2.2k
64e95d2d8051ee58501f21987f46b9e7?s=48 chck
0
120

Featured

See All Featured
433acaea1012b25d97ae66da9b998dad?s=48 malarkey
396
61k
C7393b7ba7ec9c8890dd77d209fbb3c9?s=48 maltzj
504
37k
25c7c18223fb42a4c6ae1c8db6f50f9b?s=48 mojombo
364
63k
B3ace07412a5178ea778e7eec161fc0a?s=48 jcasabona
10
770
5b6a2bd86ef643786a381a212e0ef2f1?s=48 geoffreycrofte
44
3.6k
C86443373fbfe92996aa882d0d7a59f8?s=48 imathis
484
150k
78b475797a14c84799063c7cd073962f?s=48 holman
451
140k
5f2da528927a2ec9ba4fec2069cbc958?s=48 kneath
298
39k
7fa6101cd43067653cf4ac6c7ca54305?s=48 akmur
255
20k
8081b26e05bb4354f7d65ffc34cbbd67?s=48 chriscoyier
498
130k
828ace851b606e1206900f26459f55ad?s=48 speakerdeck
PRO
2
480
F68cb25ae3e5c2106997454b13b7737d?s=48 brad_frost
163
6.9k

Transcript

  1. A DEVOPS STATE OF MIND: CONTINUOUS SECURITY WITH KUBERNETES Chris

    Van Tuin
 Chief Technologist, NA West @chrisvantuin cvantuin@redhat.com

  2. THE WORLD IS AUTOMATING Those who succeed in automation will

    win

  3. ENABLING INNOVATION, WHILE EXECUTING AT SCALE Static &
 Planned Dynamic

    & 
 Policy Driven Execution Innovation Innovation Execution Old New

  4. I.T. MUST EVOLVE & KEEP UP

  5. DEV QA OPS SECURITY IS AN AFTERTHOUGHT | SECURITY |

    “Patch? The servers are behind the firewall.” - Anonymous (far too many to name), 2005 - … | Security | SECURITY IS AN AFTERTHOUGHT

  6. BARE METAL VIRTUAL PRIVATE CLOUD OFF-PREMISE ON-PREMISE PUBLIC CLOUD DATA

    DATA MICROSERVICES: DISTRBUTED SERVICES ACROSS NETWORK B B B B

  7. DEVOPS: INCREASED SPEED & FREQUENCY Empowered organization Speed Up 


    Innovation Time Change Move Fast, Break Things Culture of experimentation A 20% vs. 25% Shorten the Feedback Loop Real-time data-driven intelligence & personalization AI /
 ML Data, Data, Data B

  8. BARE METAL PRIVATE CLOUD PUBLIC CLOUD VIRTUAL PRODUCTION DEV/TEST HYBRID/MULTI

    CLOUD: DISSOLVING SECURITY PERIMETER, CONSUMPTION BASED COSTS

  9. MULTI-TENANCY: SHARED INFRASTRUCTURE

  10. DEVSECOPS

  11. DEVSECOPS + + End to End Security DEV QA OPS

    Culture Process Technology Linux + Containers IaaS Orchestration CI/CD Source Control Management Collaboration Build and Artifact Management Testing Frameworks Open Source

  12. DEVSECOPS AT SCALE

  13. BARE METAL VIRTUAL PRIVATE CLOUD PUBLIC CLOUD Automated Software Factory


    Speed, Resiliency, Scalability, Security 
 BARE METAL VIRTUAL PRIVATE CLOUD PUBLIC CLOUD Automated Software Factory
 Speed, Resiliency, Scalability, Security 
 BARE METAL VIRTUAL PRIVATE CLOUD PUBLIC CLOUD Automated Software Factory
 Speed, Resiliency, Scalability, Security 
 Speed, Agility, Resiliency, Scalability, Efficiency, Security

  14. Scheduling Monitoring Persistence Discovery Lifecycle & health Scaling Aggregation Security

    MORE THAN CONTAINERS…

  15. • No security on K8s dashboard • IT infrastructure credentials

    exposed • Enabled access to a large part of Weight Watchers' network • K8s dashboard exposed • AWS environment with telemetry data compromised • Tesla’s infrastructure was used for crypto mining THE CONTAINERS NEWS YOU DON’T WANT • 17 tainted crypto-mining containers on dockerhub • Remained for ~1 year
 with 5 million pulls and • Harvested ~90k in crypto currency.

  16. SECURING CONTAINERS BEST PRACTICES Reduce Attack Surface Least Privilege Layered

    Security $ sudo Immutable

  17. CONTAINERS ENABLE DEVSECOPS

  18. CONTAINERS Software packaging concept that typically includes an application and

    all of its runtime dependencies • Self contained • Reduce attack surface • Immutable • Build once, deploy anywhere CONTAINER CONTAINER APP LIBS HOST OS SERVER APP LIBS SECURITY BENEFITS

  19. LAPTOP Container Application OS dependencies Guest VM LINUX BARE METAL

    Container Application OS dependencies LINUX VIRTUALIZATION Container Application OS dependencies Virtual Machine LINUX PRIVATE CLOUD Container Application OS dependencies Virtual Machine LINUX PUBLIC CLOUD Container Application OS dependencies Virtual Machine LINUX CONTAINERIZED MICROSERVICES
 Build Once, Deploy Anywhere

  20. Image Format Distribution Spec Runtime Spec

  21. KUBERNETES AUTOMATION

  22. DEMO APPLICATION Web App DEV QA OPS THE AVERAGE ENTERPRISE

    
 DOES DEPLOYMENTS EVERY 6 TO 9 MONTHS. Walled off people, walled off processes, walled off technologies with surprisingly little to no automation DEV QA OPS THE AVERAGE ENTERPRISE 
 DOES DEPLOYMENTS EVERY 6 TO 9 MONTHS. Walled off people, walled off processes, walled off technologies with surprisingly little to no automation

  23. Web Application ORCHESTRATION Speed, Agility Pods Nodes Controller Manager &

    Data Store (etcd) Ingress / Routes role: web role: app role: web replicas: 1, 
 role: app replicas: 2, 
 role: web Services

  24. Pods Nodes Services Web Application role: web role: app role:

    web replicas: 1, 
 role: app replicas: 2, 
 role: web role: web Controller Manager & Data Store (etcd) Ingress / Routes Health Check HEALTH CHECK Resiliency

  25. Web Application 80% CPU Pods Nodes Services role: web role:

    app role: web Controller Manager & Data Store (etcd) role: app Ingress / Routes replicas: 2 
 role: app replicas: 2, 
 role: web Readiness Probe e.g. tcp, http, script AUTO SCALE Scalability & Efficiency

  26. CONTAINER IMAGES

  27. docker.io Registry Private Registry FROM fedora:1.0 CMD echo “Hello” Build

    file Physical, Virtual, Cloud Container Image Container Instance Build Run Ship CONTAINERS ENABLE DEVOPS CONTAINERS ENABLE DEVSECOPS FROM registry.redhat.com/rhel7 RUN groupadd -g 999 appuser && \ useradd -r -u 999 -g appuser appuser USER appuser CMD echo “Hello”

  28. CONTAINER IMAGE JAR CONTAINER IMAGE Application Application Language runtimes OS

    dependencies 1.2/latest 1.1

  29. ERGED SOFTWARE 
 UPPLY CHAIN TAINER IMAGE CONTAINER IMAGE Application

    Language runtimes OS dependencies 1.2/latest 1.1 TAINER IMAGE CONTAINER IMAGE Application Language runtimes OS dependencies 1.2/latest 1.1 TAINER IMAGE CONTAINER IMAGE Application Language runtimes OS dependencies 1.2/latest 1.1 SUPPLY CHAIN CONTAINER IMAGE JAR CONTAINER IMAGE Application Application Language runtimes OS dependencies 1.2/latest 1.1 CONVERGED SOFTWARE SUPPLY CHAIN Build file Container Image CONTAINER IMAGE JAR CONTAINER IMAGE Application Application Language runtimes OS dependencies Container Instance BARE METAL VIRTUAL PRIVATE CLOUD PUBLIC CLOUD Automated Software Factory
 Speed, Resiliency, Scalability, Security 
 Configs / Storage Developer Apps / DB Operations

  30. Config Data Kubernetes configmaps secrets Container image Traditional 
 data

    services, Kubernetes 
 persistent volumes TREAT CONTAINERS AS IMMUTABLE To keep containerized apps portable Application Language runtimes OS dependencies

  31. KUBERNETES CONFIGMAP Decouple configuration from container image Application Language runtimes

    OS dependencies Environment Variable or Volume/File CONTAINER INSTANCE key:value from directories, files, or values KUBERNETES
 CONFIGMAP APPLICATION CONFIG FILE Application Configuration File e.g. XML etcd Pod Source Code Repository EnvVar require pod restart Files refresh in time

  32. • Don’t ssh to instance to configure • Treat build

    file as a Blueprint • Version control build file • Be explicit with versions, not latest • Always list registry pulling FROM • Each Run creates a new layer • Specify USER, default is root • Sign and validate images BUILD FILE BEST PRACTICES FROM registry.redhat.com/rhel7 RUN groupadd -g 999 appuser && \ useradd -r -u 999 -g appuser appuser USER appuser CMD echo “Hello” Build file

  33. CONTINUOUS BUILDS

  34. CI/CD PIPELINE WITH KUBERNETES BARE METAL VIRTUAL PRIVATE CLOUD PUBLIC

    CLOUD CI/CD PIPELINE WITH KUBERNETES BARE METAL VIRTUAL PRIVATE CLOUD PUBLIC CLOUD Automated Software Factory
 Speed, Resiliency, Scalability, Security 


  35. Java Build Environment Language runtimes OS dependencies Build Image Java

    Code Application Language runtimes OS dependencies Container Image Image Registry Source Repository Image Registry REPRODUCIBLE BUILDS Source to Image with Build Images Source v3.1 v1.0.1 v3.1 + REPRODUCIBLE BUILDS with build images Java Build Environment Language runtimes OS dependencies Build Image Java Code Application Language runtimes OS dependencies Container Image Image Registry Source Repository Image Registry REPRODUCIBLE BUILDS Source to Image with Build Images Source v3.1 v1.0.1 v3.1

  36. CUSTOM SUPPLY CHAIN CASCADING REBUILDS

  37. CONTAINER REGISTRY & SCANNING

  38. WHAT’S INSIDE MATTERS…

  39. PRIVATE REGISTRY PRIVATE REGISTRY Trusted Content

  40. Security CONTINUOUS INTEGRATION WITH SECURITY SCAN

  41. AUTOMATED SECURITY SCANNING with OpenSCAP Reports & Remediation Scan SCAP

    Security Guide for RHEL CCE-27002-5 Set Password Minimum Length Content Scan physical servers, virtual machines, docker images and containers
 for Security Policy Compliance (CCEs) and known Security Vulnerabilities (CVEs)

  42. CI/CD

  43. CONTINUOUS DELIVERY WITH CONTAINERS CI/CD PIPLINE

  44. A/B TESTING WITH CANARIES

  45. ”only about 1/3 of ideas improve the metrics 
 they

    were designed to improve.”
 Ronny Kohavi, Microsoft (Amazon) MICROSERVICES RAPID INNNOVATION & EXPERIMENTATION

  46. A/B TESTING USING CANARY DEPLOYMENTS

  47. 25% Conversion Rate ?! Conversion Rate 100% Version B Version

    A Ingress CANARY DEPLOYMENTS Tests / CI CANARY DEPLOYMENTS
 Build confidence in new version Service
 selector:
 app=demo version=A label:
 app=demo
 version=A 25% Conversion Rate ??% Conversion Rate label:
 app=demo
 version=B

  48. 25% Conversion Rate 30% Conversion Rate 75% 25% Version B

    Version A Ingress CANARY DEPLOYMENTS CANARY DEPLOYMENTS
 Requires app to support side-by-side version Deploy new version and wait until it’s ready… Health Check: readiness probe e.g. tcp, http, script Version 1 Version 1 Version 
 1.2 Version 1 Rollingupdate
 maxUnavailable=0 maxSurge=1 Service Service
 selector:
 app=demo label:
 app=demo
 version=A 25% Conversion Rate ??% Conversion Rate label:
 app=demo
 version=B

  49. 25% Conversion Rate 30% Conversion Rate 75% 25% Version B

    Version A Ingress CANARY DEPLOYMENTS CANARY DEPLOYMENTS
 Requires app to support side-by-side version Service Service
 selector:
 app=demo label:
 app=demo
 version=A 25% Conversion Rate 30% Conversion Rate label:
 app=demo
 version=B

  50. 25% Conversion Rate 30% Conversion Rate 100% Version B Version

    A Ingress CANARY DEPLOYMENTS Service
 selector:
 app=demo version=B label:
 app=demo
 version=A 25% Conversion Rate 30% Conversion Rate label:
 app=demo
 version=B

  51. EXTERNAL SERVICES

  52. EXTERNAL SERVICES Database outside cluster with IP address External Mongo

    Database Service External Mongo Database Service Development Production IP=10.200.0.2 port=27017 IP=10.100.0.9 port=27017

  53. EXTERNAL SERVICES Database outside cluster with IP address Pods Nodes

    Services WebApp role=webapp replicas=2, 
 role=webapp External Mongo Database Service IP=10.200.0.2 port=27017 Network External Mongo Database Service IP=10.100.0.9 port=27017

  54. EXTERNAL SERVICES Database outside cluster with IP address Pods Nodes

    Services WebApp role=webapp replicas=2, 
 role=webapp External Mongo Database Service IP=10.200.0.2 port=27017 Network External Mongo Database Service IP=10.100.0.9 port=27017 Database name=mongo port=27017 targetport=27017 Endpoint IP=10.200.0.2 port=27017 Database kind=Service type=ClusterIP name=mongo port=27017 targetport=27017

  55. EXTERNAL SERVICES Database outside cluster with IP address Pods Nodes

    Services WebApp role=webapp replicas=2, 
 role=webapp External Mongo Database Service IP=10.200.0.2 port=27017 Network External Mongo Database Service IP=10.100.0.9 port=27017 Database name=mongo port=27017 targetport=27017 Endpoint IP=10.200.0.2 port=27017 Connect with mongodb://mongo Database kind=Service type=ClusterIP name=mongo port=27017 targetport=27017 kind=Endpoints name=mongo ip=10.200.0.2 port=27017

  56. EXTERNAL SERVICES Database outside cluster with IP address Pods Nodes

    Services WebApp role=webapp replicas=2, 
 role=webapp External Mongo Database Service IP=10.200.0.2 port=27017 Network External Mongo Database Service IP=10.100.0.9 port=27017 Database name=mongo port=27017 targetport=27017 Endpoint IP=10.100.0.9 port=27017 kind=Service type=ClusterIP name=mongo port=27017 targetport=27017 kind=Endpoints name=mongo ip=10.200.0.9 port=27017 Connect with mongodb://mongo Database

  57. Pods Nodes Services Database name: mongo type: ExternalName externalName: mongo52101.domain,.name

    EXTERNAL SERVICES Using CNAME redirection mongodb://
 <dbuser>:
 <dbpassword>
 @mongo:<port>/dev 
 mongodb://<dbuser>:<dbpassword>
 @mongo52101.domain.name:52101/dev Cloud Mongo Database Service WebApp role=webapp replicas=2, 
 role=webapp .name EXTERNAL SERVICE Connecting to Service with dynamic URI with a static ExternalName Kubernetes service

  58. DATABASE MIGRATIONS

  59. Application v3 Development Application V2 Test Application v1 Production DB

    v1 DB v2 DB v3 CI/CD PIPELINE Version control database updates, ex: flyway V3__add_table_scooter.sql V2__add_table_truck.sql V1__add_table_car.sql

  60. DATABASE MIGRATIONS Version control database updates with Containers CONTAINER IMAGE

    CONTAINER BUILD FILE SQL MIGRATION SCRIPT Source Code Repository V2__add_table.sql Source Code Repository V2__add_table.sql /var/flyway/data Flyway flyway-mydb:v2.0.0 Registry + Dockerfile

  61. Nodes Pods Services postgresql-0 Persistent Volume A B D C

    PostgreSQL StatefulSet replicas=1 role=postgresq pvcl DATABASE MIGRATION StatefulSet deployment with headless Service v1

  62. Nodes Pods Services postgresql-0 Persistent Volume A B D C

    PostgreSQL StatefulSet replicas=1 role=postgresql Pvc DATABASE MIGRATIONS Create a Job for Flyway Flyway Job Secrets = Database Connection Info v1 flyway-mydb:v2.0.0 Image Registry Flyway

  63. role=postgressql type=primary Nodes Pods Services postgresql-0 Persistent Volume A B

    D C PostgreSQL StatefulSet replicas=1 role=postgresql pvc DATABASE MIGRATIONS Apply schema changes to database Flyway Job Secrets = Database Connection Info V2 flyway-mydb:v2.0.0 Flyway

  64. role=postgresql type=primary Nodes Pods Services postgresql-0 Persistent Volume A B

    D C PostgreSQL StatefulSet replicas=1 role=postgresql Pvc DATABASE MIGRATIONS Version control for database with Kubernetes V2

  65. FEEDBACK LOOP

  66. MONITORING CONSIDERATIONS Kubernetes* Container* Host Cluster services, services, pods, 


    deployments metrics Container native metrics Traditional resource metrics - cpu, memory, network, storage prometheus + grafana kubernetes-state-metrics probes Stack Metrics Tool node-exporter Kubernetes metrics server: kubelet:cAdvisor Microservices Distributed applications - traditional app metrics - service discovery - distributed tracing prometheus + grafana jaeger tracing istio

  67. ARCHITECTURE

  68. KUBERNETES ARCHITECTURE Authorization API Server Controller node, replication, endpoints, token,

    service account7 Scheduler etcd etcd etcd Kubernetes Master API UI CLI Node 3 Node 1 Node 2 Node 4 Cluster User TLS - encrypted traffic: users>api>kubelet>pods Pod Pod Pod kubelet kube- proxy container runtime Node

  69. KUBERNETES ARCHITECTURE Authorization API Server Controller Scheduler etcd etcd etcd

    Kubernetes Master API UI CLI Node 3 Node 1 Node 2 Node 4 Cluster User Network, DNS Linux, Container Runtime Management, Monitoring, Logs, Security, Registry Storage Pod Pod Pod kubelet kube- proxy container runtime Node

  70. ARCHITECTURE CONSIDERATIONS Optimize for… Cluster 
 per app / data

    / location, Short lived Data Sensitive, e.g. Finance Multi-AZ, Multi/
 Hybrid
 cloud Production, Mission 
 critical Bare metal HPC, AI/ML Security Scale Availability Latency Portability Performance Large cluster, multi/
 hybrid cloud Internet, SaaS Efficiency Large cluster, Bare Metal, Recreate Many apps, Large scale Consistent
 OS & Kubernetes version 1 app anywhere, e.g. ISVs Local, Small Cluster IoT, Retail

  71. NETWORKING

  72. Kubernetes 
 Logical Network Model NETWORK SECURITY • Kubernetes uses

    a flat SDN model • All pods get IP from same CIDR • And live on same logical network • Assumes all nodes communicate
 Traditional 
 Physical Network Model • Each layer represents a Zone with
 increased trust - DMZ > App > DB,
 interzone flow generally one direction • Intrazone traffic generally unrestricted

  73. NETWORK SECURITY MODELS Co-Existence Approaches One Cluster Multiple Zones Kubernete

    Cluster Physical Compute 
 isolation based on 
 Network Zones Kubernete Cluster One Cluster Per Zone Kubernete Cluster B Kubernete Cluster A Kubernetes Cluster B C D https://blog.openshift.com/openshift-and-network-security-zones-coexistence-approaches/

  74. Network Namespace 
 provides resource isolation NETWORK ISOLATION Multi-Environment Multi-Tenant

  75. NETWORK POLICY example: 
 all pods in namespace ‘project-a’ allow

    traffic 
 from any other pods in the same namespace.” apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: default-deny spec: podSelector: {} policyTypes: - Ingress - Egress Tip: default allows all ingress/egress from pods within namspace, create a deny all ingress/egress policy

  76. KUBERNETES SECURITY POLICY

  77. Chris Van Tuin Chief Technologist, NA West / Silicon Valley

    cvantuin@redhat.co Be • Don’t ru • If you m limit Lin • Limit SS • Use nam • Define r • Enable • Apply S • Apply S and se • Run pro unprivile http://blog.kubernetes.io/2016/08/security-best-practices-kubernetes-deployment.html Kernel Hardware (Intel, AMD) or Virtual Machine Containers Containers Containers Unit File Docker Image Container CLI SYSTEMD Cgroups Namespaces SELinux Drivers seccomp Read Only mounts Capabilities CONTAINER HOST SECURITY CONTAINERS ARE LINUX

  78. KUBERNETES: POD SECURITY POLICIES Cluster level, Implemented as an Admission

    Controller apiVersion: policy/v1beta1 kind: PodSecurityPolicy metadata: name: privileged annotations: seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*' spec: privileged: true allowPrivilegeEscalation: true allowedCapabilities: - '*' volumes: - '*' hostNetwork: true hostPorts: - min: 0 max: 65535 hostIPC: true hostPID: true runAsUser: rule: 'RunAsAny' seLinux: rule: 'RunAsAny' supplementalGroups: rule: 'RunAsAny' fsGroup: rule: 'RunAsAny' apiVersion: policy/v1beta1 kind: PodSecurityPolicy metadata: name: restricted annotations: seccomp.security.alpha.kubernetes.io/defaultProfileName: 'runtime/default' spec: privileged: false # Required to prevent escalations to root. allowPrivilegeEscalation: false # This is redundant with non-root + disallow privilege escalation, # but we can provide it for defense in depth. requiredDropCapabilities: - ALL # Allow core volume types. volumes: - 'configMap' - 'secret'' # Assume that persistentVolumes set up by the cluster admin are safe to use. - 'persistentVolumeClaim' hostNetwork: false hostPID: false ...... Open Restrictive

  79. CONTROLLING ACCESS TO KUBERNETES API Authorization User BLUE GREEN Version

    1 Version 2 Ingress e.g haproxy BLUE / GREEN DEPLOYMENT Using Ingress 100% Pod (Service Account) etcd 1 Kubernetes API Server Authentication Authorization RBAC: role (pods: get, watch, list) & rolebinding (john, default) Admission Controller (mutate /validate) ex: AlwaysPullImage, PodSecurityPolicy 2 3 4 5

  80. KUBERNETES NODE Network, DNS kube- proxy kubelet Kubernetes Master Linux,

    Container Runtime Management, Monitoring, Logs, Security, Registry Storage Chris Van Tuin Chief Technologist, NA West / Silicon Valley cvantuin@redhat.co Best Practices • Don’t run as root • If you must, 
 limit Linux Capabilities • Limit SSH Access • Use namespaces • Define resource quotas • Enable logging • Apply Security Errata • Apply Security Context and seccomp filters • Run production 
 unprivileged containers 
 as read-only http://blog.kubernetes.io/2016/08/security-best-practices-kubernetes-deployment.html Kernel Hardware (Intel, AMD) or Virtual Machine Containers Containers Containers Unit File Docker Image Container CLI SYSTEMD Cgroups Namespaces SELinux Drivers seccomp Read Only mounts Capabilities CONTAINER HOST SECURITY

  81. WHAT’S NEXT?

  82. KUBERNETES NATIVE ADD-ONS kubevirt github.com/kubevirt operators coreos.com/operators knative github.com/knative istio

    istio.io Virtual Machines Day 2 Operations Server-
 less Service Mesh CI/CD tekton tekton.dev

  83. SERVICE MESH

  84. Traffic Control Service Resiliency Chaos Testing Observ- ability Security SERVICE

    MESH WITH ISTIO Dedicated infrastructure layer for making service-to-service communication 
 safe, fast, and reliable Deploy as a lightweight side-car network proxy

  85. CONFIDENTIAL - FOR INTERNAL USE ONLY MICROSERVICES WITHOUT ISTIO Container

    JVM service A discovery load-balancer resiliency metrics tracing app logic JVM service B discovery load-balancer resiliency metrics tracing app logic Container JVM service C discovery load-balancer resiliency metrics tracing app logic

  86. CONFIDENTIAL - FOR INTERNAL USE ONLY MICROSERVICES WITH ISTIO Container

    JVM service C app logic Pod Sidecar Container Envoy Container JVM service A app logic Pod Sidecar Container Envoy Container JVM service B app logic Pod Sidecar Container Envoy

  87. ISTIO SERVICE MESH Envoy istio-ingress Envoy App A Envoy App

    B Envoy App C istio-pilot routing & resiliency istio-mixer reporting & policy enforcement istio-auth security HTTP Req/Resp Kubernetes Pods Istio Components Config to Envoy Access Control and Telemetry

  88. 24% 76% v1 v2 apiVersion: config.istio.io/v1alpha2 kind: RouteRule metadata: name:

    recommendation-v1-v2 spec: destination: namespace: tutorial name: recommendation precedence: 5 route: - labels: version: v1 weight: 76 - labels: version: v2 weight: 24 CANARY RELEASE BY WEIGHT RouteRule #2: 
 Route 94% to v1 and 6% to v2

  89. “.*Safari.*” Default v1 v2 apiVersion: config.istio.io/v1alpha2 kind: RouteRule metadata: name:

    recommendation-safari spec: destination: namespace: tutorial name: recommendation precedence: 2 match: request: headers: user-agent: regex: ".*Safari.*" route: - labels: version: v2 ROUTING BY HEADER By Geography, Mobile Device, Browser, Customer, … RouteRule #3: 
 Route “Safari” to v2

  90. v1 v2 apiVersion: config.istio.io/v1alpha2 kind: RouteRule metadata: name: recommendation-mirror spec:

    destination: namespace: tutorial name: recommendation precedence: 2 route: - labels: version: v1 weight: 100 - labels: version: v2 weight: 0 mirror: namespace: tutorial name: recommendation labels: version: v2 DARK LAUNCH Mirror production traffic for pre-release testing RouteRule #3: 
 Route “Safari” to v2 Mirror Production Traffic To v2 100% 100% Test Production

  91. apiVersion: config.istio.io/v1alpha2 kind: EgressRule metadata: name: httpbin-egress-rule spec: destination: service:

    httpbin.org ports: - port: 80 protocol: http SECURE BY DEFAULT Egress blocks all traffic unless unless whitelisted with EgressRule EgressRule: Allow httpbin.org:80 
 (http) role=web Pods Nodes http://httpbin.org Istio EgressRule

  92. Deployment Frequency Lead Time Deployment
 Failure Rate Mean Time to

    Recover 99.999 Service Availability DEVSECOPS METRICS Compliance Score

  93. THANK YOU linkedin: Chris Van Tuin email: cvantuin@redhat.com twitter: @chrisvantuin