Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Mastering Kubernetes Security from Containers t...

Deepu K Sasidharan
December 05, 2024
Programming
1
12

Mastering Kubernetes Security from Containers to Cluster Fortresses

Kubernetes is ubiquitous these days—like glitter at a craft party, it’s everywhere! If your team is deploying apps to Kubernetes, you know it offers unmatched convenience and scalability, but it can also be a major headache, especially when it comes to security. Simply setting up your cluster and deploying apps isn’t enough; you need to secure it too.

In this session, we'll turn those headaches into headway with essential security best practices for Kubernetes. We will first understand aspects of Kubernetes security and then we'll dive into:
- Securing clusters to protect your infrastructure.
- Safeguarding Docker containers to ensure robust application security.
- Fortifying Java applications within your Kubernetes environment.
- Leveraging OIDC and RBAC for secure cluster access management.
- Mastering secret management like a pro.

Get ready to transform your Kubernetes security game and turn potential vulnerabilities into strengths!

Deepu K Sasidharan

December 05, 2024
Tweet

More Decks by Deepu K Sasidharan

See All by Deepu K Sasidharan
Go containerless on Kubernetes
deepu105
1
46
A Passwordless Future! Passkeys for Java Developers
deepu105
0
67
Go containerless on Kubernetes with WebAssembly and Rust
deepu105
0
29
An illustrated crash course for OAuth and OIDC
deepu105
1
91
A passwordless future! Passkeys for Spring Developers
deepu105
0
420
Secure Spring Boot Microservices with OAuth and OIDC
deepu105
1
120
A passwordless future! Passkeys for Java Developers
deepu105
0
140
A passwordless future! Passkeys for Java Developers
deepu105
1
170
Modern Java for the Masses! Is Java Still Relevant?
deepu105
1
660

Other Decks in Programming

See All in Programming
第5回日本眼科AI学会総会_AIコンテスト_3位解法
neilsaw
0
170
.NET 9アプリをCGIとして レンタルサーバーで動かす
mayuki
1
770
layerx_20241129.pdf
kyoheig3
2
280
短期間での新規プロダクト開発における「コスパの良い」Goのテスト戦略」 / kamakura.go
n3xem
2
160
数十万行のプロジェクトを Scala 2から3に完全移行した
xuwei_k
0
240
Cloudflare MCP ServerでClaude Desktop からWeb APIを構築
kutakutat
1
520
なまけものオバケたち -PHP 8.4 に入った新機能の紹介-
tanakahisateru
1
120
あれやってみてー駆動から成長を加速させる / areyattemite-driven
nashiusagi
1
200
17年周年のWebアプリケーションにTanStack Queryを導入する / Implementing TanStack Query in a 17th Anniversary Web Application
saitolume
0
250
create_tableをしただけなのに〜囚われのuuid編〜
daisukeshinoku
0
230
プロダクトの品質に コミットする / Commit to Product Quality
pekepek
2
760
rails statsで大解剖 🔍 “B/43流” のRailsの育て方を歴史とともに振り返ります
shoheimitani
2
910

Featured

See All Featured
VelocityConf: Rendering Performance Case Studies
addyosmani
326
24k
Designing Experiences People Love
moore
138
23k
For a Future-Friendly Web
brad_frost
175
9.4k
Principles of Awesome APIs and How to Build Them.
keavy
126
17k
[RailsConf 2023 Opening Keynote] The Magic of Rails
eileencodes
28
9.1k
Gamification - CAS2011
davidbonilla
80
5.1k
4 Signs Your Business is Dying
shpigford
181
21k
個人開発の失敗を避けるイケてる考え方 / tips for indie hackers
panda_program
95
17k
Side Projects
sachag
452
42k
Agile that works and the tools we love
rasmusluckow
328
21k
Building a Modern Day 
E-commerce SEO Strategy
aleyda
38
7k
Designing for humans not robots
tammielis
250
25k

Transcript

  1. @deepu105 | deepu.tech Mastering Kubernetes Security: From Containers to Cluster

    Fortresses Deepu K Sasidharan Staff Developer Advocate @ Okta

  2. @deepu105 | deepu.tech Understanding Kubernetes Security

  3. @deepu105 | deepu.tech Transport security All API communication is done

    via TLS using valid certificates

  4. @deepu105 | deepu.tech Authentication All API requests are authenticated with

    one of the several authentication mechanisms supported by Kubernetes

  5. @deepu105 | deepu.tech Authorization All authenticated requests are authorized using

    one or more of the supported authorization models

  6. @deepu105 | deepu.tech Admission control All authorized requests, except read/get

    requests, are validated by admission control modules

  7. @deepu105 | deepu.tech Kubernetes Security Best practices https://a0.to/k8s-security-best-practices

  8. @deepu105 | deepu.tech Use RBAC

  9. © Okta and/or its affiliates. All rights reserved. Confidential Information

    of Okta – For Recipient’s Internal Use Only Why? • Most secure Authorization mechanism for Kubernetes • Most widely used and most flexible • Ideal for enterprise and medium-large orgs • Easy to model business rules

  10. © Okta and/or its affiliates. All rights reserved. Confidential Information

    of Okta – For Recipient’s Internal Use Only How? • Check if RBAC is enabled ◦ kubectl cluster-info dump | grep authorization-mode • Use --authorization-mode flag for the API server to enable RBAC • Create Role/ClusterRole and RoleBinding/ClusterRoleBinding as required

  11. © Okta and/or its affiliates. All rights reserved. Confidential Information

    of Okta – For Recipient’s Internal Use Only How? apiVersion : rbac.authorization.k8s.io/v1 kind: Role metadata : namespace : fancy-namespace name: pod-service-reader rules: - apiGroups : [""] # "" indicates the core API group resources : ["pods", "services” ] verbs: [ "get", "watch", "list"] — apiVersion : rbac.authorization.k8s.io/v1 kind: RoleBinding metadata : name: read-pods-services namespace : fancy-namespace roleRef: kind: Role #this must be Role or ClusterRole name: pod-service-reader # this must match the name of the Role or ClusterRole you wish to bind to apiGroup : rbac.authorization.k8s.io subjects : # subject can be individual users or a group of users. Group is defined in the external authentication service, in this case, an OIDC server - kind: Group name: k8s-restricted-users

  12. @deepu105 | deepu.tech Use OpenID Connect

  13. © Okta and/or its affiliates. All rights reserved. Confidential Information

    of Okta – For Recipient’s Internal Use Only Why? • Most secure Authentication mechanism • Most scalable • Ideal for clusters accessed by large teams as it provides a single sign-on solution • Easy to onboard and offboard users

  14. © Okta and/or its affiliates. All rights reserved. Confidential Information

    of Okta – For Recipient’s Internal Use Only How?

  15. © Okta and/or its affiliates. All rights reserved. Confidential Information

    of Okta – For Recipient’s Internal Use Only How? How to Secure Your Kubernetes Cluster with OpenID Connect and RBAC https://a0.to/k8s-api-server-oidc

  16. @deepu105 | deepu.tech Use Secure Secrets

  17. © Okta and/or its affiliates. All rights reserved. Confidential Information

    of Okta – For Recipient’s Internal Use Only Why? • Kubernetes Secrets are not very secure as its just base64 encoded strings • Kubernetes Secrets cannot be stored in version control • Kubernetes Secrets does not work with external secret managers

  18. © Okta and/or its affiliates. All rights reserved. Confidential Information

    of Okta – For Recipient’s Internal Use Only How? • Use Sealed Secrets ◦ Uses asymmetric crypto encryption and supports certificate rotation ◦ Can be stored in version control ◦ Encrypted using unique key per cluster, namespace and secret ◦ Can manage existing secrets ◦ Ideal for small teams

  19. © Okta and/or its affiliates. All rights reserved. Confidential Information

    of Okta – For Recipient’s Internal Use Only How?

  20. © Okta and/or its affiliates. All rights reserved. Confidential Information

    of Okta – For Recipient’s Internal Use Only How? • Use External Secrets Operator ◦ Secrets are stored in external secret managers and is much more secure ◦ Secrets are kept in sync ◦ Works with HashiCorp Vault, Google Secrets Manager, AWS Secrets Manager and so on

  21. © Okta and/or its affiliates. All rights reserved. Confidential Information

    of Okta – For Recipient’s Internal Use Only How?

  22. © Okta and/or its affiliates. All rights reserved. Confidential Information

    of Okta – For Recipient’s Internal Use Only How? • Use Secrets Store CSI driver ◦ Secrets are stored in external secret managers and is much more secure ◦ Secrets are mounted as volume on the pod ◦ Secrets are kept in sync ◦ Supports secret rotation ◦ Works with HashiCorp Vault, Google Secrets Manager, AWS Secrets Manager and so on

  23. © Okta and/or its affiliates. All rights reserved. Confidential Information

    of Okta – For Recipient’s Internal Use Only How?

  24. © Okta and/or its affiliates. All rights reserved. Confidential Information

    of Okta – For Recipient’s Internal Use Only How? Shhhh... Kubernetes Secrets Are Not Really Secret! https://auth0.com/blog/kubernetes-secrets-management/

  25. @deepu105 | deepu.tech Keep Kubernetes version up to date

  26. © Okta and/or its affiliates. All rights reserved. Confidential Information

    of Okta – For Recipient’s Internal Use Only Why? • Fix CVEs and other security bugs • Latest features and security updates

  27. © Okta and/or its affiliates. All rights reserved. Confidential Information

    of Okta – For Recipient’s Internal Use Only How? • Check the Kubernetes security and disclosure information website to see if there are known security vulnerabilities for your version • If you are using a managed PaaS, upgrade using built-in mechanism • For on-prem installations, use tools like kOps, kubeadm, and so on, for easy upgrades

  28. @deepu105 | deepu.tech Restrict kubelet, API, and SSH access

  29. © Okta and/or its affiliates. All rights reserved. Confidential Information

    of Okta – For Recipient’s Internal Use Only Why? • Restrict unintended access • Non-admin users should not have API, SSH access

  30. © Okta and/or its affiliates. All rights reserved. Confidential Information

    of Okta – For Recipient’s Internal Use Only How? • Secure API server using OIDC and RBAC • Disable SSH for non-admin users • Secure kubeletʼs HTTP endpoints

  31. @deepu105 | deepu.tech Control traffic between pods and clusters

  32. © Okta and/or its affiliates. All rights reserved. Confidential Information

    of Okta – For Recipient’s Internal Use Only Why? • A compromised pod could compromise another leading to a chain reaction • Larger attack surface • Better traffic control and better security

  33. © Okta and/or its affiliates. All rights reserved. Confidential Information

    of Okta – For Recipient’s Internal Use Only How? • Use Kubernetes network policies to control traffic between pods and clusters • Allow only necessary traffic between pods

  34. @deepu105 | deepu.tech Use namespaces to isolate workloads

  35. © Okta and/or its affiliates. All rights reserved. Confidential Information

    of Okta – For Recipient’s Internal Use Only Why? • Isolating workloads in namespaces reduces attack surface • Easier to manage with RBAC

  36. © Okta and/or its affiliates. All rights reserved. Confidential Information

    of Okta – For Recipient’s Internal Use Only How? • Avoid using default namespace • Tune RBAC to restrict access to only required namespaces • Use Kubernetes network policies to control traffic between namespaces

  37. @deepu105 | deepu.tech Limit resource usages

  38. © Okta and/or its affiliates. All rights reserved. Confidential Information

    of Okta – For Recipient’s Internal Use Only Why? • Avoid denial of service (DoS) attacks • Reduce attack surface

  39. © Okta and/or its affiliates. All rights reserved. Confidential Information

    of Okta – For Recipient’s Internal Use Only How? • Use resources quotas and limit ranges to set limits at the namespace level • Set resource limits at container level as well

  40. @deepu105 | deepu.tech Use monitoring tools and enable audit logging

  41. © Okta and/or its affiliates. All rights reserved. Confidential Information

    of Okta – For Recipient’s Internal Use Only Why? • Detect unauthorized access attempts • Keep an eye on the traffic • Prevent breaches before with alarms

  42. © Okta and/or its affiliates. All rights reserved. Confidential Information

    of Okta – For Recipient’s Internal Use Only How? • Enable audit logging for the cluster • Use a monitoring tool to monitor ingress/egress networking traffic

  43. @deepu105 | deepu.tech Infrastructure best practices

  44. © Okta and/or its affiliates. All rights reserved. Confidential Information

    of Okta – For Recipient’s Internal Use Only How? • Ensure that all communication is done via TLS. • Protect etcd with TLS, Firewall, and Encryption and restrict access to it using strong credentials. • Set up IAM access policies in a supported environment like a PaaS. • Secure the Kubernetes Control Plane. • Rotate infrastructure credentials frequently. • Restrict cloud metadata API access when running in a PaaS like AWS, Azure, or GCP.

  45. @deepu105 | deepu.tech Container Best practices https://a0.to/container-security

  46. @deepu105 | deepu.tech Do not run containers as root

  47. © Okta and/or its affiliates. All rights reserved. Confidential Information

    of Okta – For Recipient’s Internal Use Only Why? • Principle of least privilege to reduce attack surface • Avoid container escape and privilege escalations

  48. © Okta and/or its affiliates. All rights reserved. Confidential Information

    of Okta – For Recipient’s Internal Use Only How? • Use a least privileged user • Use --chown=user:user when using Docker copy commands

  49. @deepu105 | deepu.tech Use minimal up-to-date official base images

  50. © Okta and/or its affiliates. All rights reserved. Confidential Information

    of Okta – For Recipient’s Internal Use Only Why? • Reduce attack surface • Latest bug fixes and security patches

  51. © Okta and/or its affiliates. All rights reserved. Confidential Information

    of Okta – For Recipient’s Internal Use Only How? • Use deterministic image tags - FROM node:14.2.0-alpine3.11 instead of FROM node:14-alpine • Install only production dependencies • Use official verified images for popular software. Prefer LTS versions. • Use a trusted registry for non-official images and always verify the image publisher

  52. @deepu105 | deepu.tech Prevent loading unwanted kernel modules

  53. © Okta and/or its affiliates. All rights reserved. Confidential Information

    of Okta – For Recipient’s Internal Use Only Why? • Reduce attack surface • Better performance

  54. © Okta and/or its affiliates. All rights reserved. Confidential Information

    of Okta – For Recipient’s Internal Use Only How? • Restrict using rules in /etc/modprobe.d/kubernetes-blacklist.conf of the node • Uninstall the unwanted modules from the node

  55. @deepu105 | deepu.tech Enable container image scanning in your CI/CD

    phase

  56. © Okta and/or its affiliates. All rights reserved. Confidential Information

    of Okta – For Recipient’s Internal Use Only Why? • Detect known vulnerabilities before they are exploited

  57. © Okta and/or its affiliates. All rights reserved. Confidential Information

    of Okta – For Recipient’s Internal Use Only How? • Enable image scanning in CI/CD phase • Use OSS tools like clair, Anchore or commercial tools like Snyk

  58. @deepu105 | deepu.tech Audit images

  59. © Okta and/or its affiliates. All rights reserved. Confidential Information

    of Okta – For Recipient’s Internal Use Only Why? • Check for security best practices

  60. © Okta and/or its affiliates. All rights reserved. Confidential Information

    of Okta – For Recipient’s Internal Use Only How? • Use Docker Bench for Security to audit your container images

  61. @deepu105 | deepu.tech Use pod security policies

  62. © Okta and/or its affiliates. All rights reserved. Confidential Information

    of Okta – For Recipient’s Internal Use Only Why? • Reduce attack surface • Prevent privilege escalation

  63. © Okta and/or its affiliates. All rights reserved. Confidential Information

    of Okta – For Recipient’s Internal Use Only How? • Use Pod Security Admission to limit a containerʼs access to the host further

  64. @deepu105 | deepu.tech Thank you! Deepu K Sasidharan @[email protected] |

    deepu.tech