Kubernetes Security 101

I gave this talk at Booz Allen Hamilton for Agile Austin on some of the items that I am working on with GKE security. This talk merely scratches the surface on k8s security.

Evan Niedojadlo

October 17, 2019
Transcript

  1. What is Kubernetes?
     • "Kubernetes is an open source orchestration system for docker containers." - The Illustrated Children's Guide to Kubernetes
     • Kubernetes is an open-source container-orchestration system for automating application deployment, scaling, and management. It was originally designed by Google, and is now maintained by the Cloud Native Computing Foundation.
  2. Why Kubernetes Security 101?
     • Avoiding major trial and error during setup
     • Involving Security at the inception of the project (DevSecOps)
     • The ability to identify how a breach occurred
     • Knowledge share amongst guests
     • Confidence
  3. What steps am I suggesting and implementing within the team?
     • Security at the application level (think about security while developing, easier said than done); OWASP ZAP scans in the future
     • Security at the repository level (GitHub security alerts per repo)
     • Security at the container level (Container Registry vulnerability scanning - GCP specific)
     • Strict role setup within the public cloud provider, in our case GCP, following the principle of least privilege
     • GKE cluster hardening (network policy, auto-upgrade nodes, pod security policy, etc.)
     • Future iteration - using Falco for security alerts on production (protect those containers)
  4. Public Cloud takeaways for your security practices using k8s
     • If you're using a public cloud such as GCP, you have some of this covered for you, BUT understand what's left and how you can harden the cluster. e.g. give workloads Kubernetes service accounts rather than GCP service account credentials, since a GCP service account carries much broader access (to the project, not just the cluster)
     • Limiting pod-to-pod communication (and on the VPC)
     • Consider using an internal load balancer with an allowlist of CIDR ranges
     • Consider the container OS that you're using - review CVEs, etc.
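The "limiting pod-to-pod communication" and internal load balancer items above, as an added worked example (these are not manifests from the talk): a default-deny NetworkPolicy for an assumed namespace `app`, an allow rule so that only `app=frontend` pods can reach `app=api` pods on 8080, an allow rule for the load balancer's traffic into the frontend, and a GKE internal load balancer Service restricted to an allowlist of CIDR ranges. The namespace, labels, ports and the `10.0.0.0/8` range are assumptions; network policy enforcement must be enabled on the cluster (`--enable-network-policy` at creation) or the policies are stored but never applied.

```yaml
# Added example, not from the talk. Assumed namespace "app", labels app=frontend
# and app=api, API port 8080, and 10.0.0.0/8 as the VPC/corporate range.
# Requires network policy enforcement on the cluster (--enable-network-policy).
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: app
spec:
  podSelector: {}           # every pod in the namespace ...
  policyTypes: ["Ingress"]  # ... accepts no inbound traffic unless another policy allows it
---
# Only frontend pods may reach the API, and only on its service port.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: api-allow-from-frontend
  namespace: app
spec:
  podSelector:
    matchLabels:
      app: api
  policyTypes: ["Ingress"]
  ingress:
    - from:
        - podSelector:
            matchLabels:
              app: frontend
      ports:
        - protocol: TCP
          port: 8080
---
# The frontend accepts traffic only from the assumed internal range; this covers
# the load balancer's clients, and the node addresses kube-proxy SNATs to when
# the Service uses externalTrafficPolicy: Cluster.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: frontend-allow-internal
  namespace: app
spec:
  podSelector:
    matchLabels:
      app: frontend
  policyTypes: ["Ingress"]
  ingress:
    - from:
        - ipBlock:
            cidr: 10.0.0.0/8
      ports:
        - protocol: TCP
          port: 8080
---
# Internal load balancer (VPC-only IP) with a CIDR allowlist. On GKE,
# loadBalancerSourceRanges becomes VPC firewall rules in front of the LB.
apiVersion: v1
kind: Service
metadata:
  name: frontend
  namespace: app
  annotations:
    cloud.google.com/load-balancer-type: "Internal"
spec:
  type: LoadBalancer
  selector:
    app: frontend
  ports:
    - port: 80
      targetPort: 8080
  loadBalancerSourceRanges:
    - 10.0.0.0/8
```

This starts with ingress only. Adding `Egress` to the default-deny `policyTypes` is the natural next step, but then every pod also needs an explicit egress rule to kube-dns (UDP and TCP 53) or name resolution silently breaks. If the cluster's pod CIDR falls inside `10.0.0.0/8`, tighten the `ipBlock` (or add an `except` list) so the frontend rule does not quietly re-open pod-to-pod access. Verify the result with `kubectl exec` from a pod that is not labelled `app=frontend`: a connection to the api service should time out, not succeed.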
  5. Public Cloud takeaways for your security practices using k8s
     • Proper secrets management (there are entire talks on this)
     • Consider multi-factor authentication on your public cloud accounts, especially for anyone who can SSH into nodes, etc.
  6. Additional considerations for clusters
     • Threat modeling your cluster - STRIDE example
       Spoofing - k8s authenticates users and service accounts to the API server to prevent spoofing
       Tampering - protect the integrity of k8s components such as etcd, config files, kubelet, etc.
       Repudiation - security observability: audit logs and application logs
       Information disclosure - protect the cluster store (etcd)
       Denial of service - protect the API server (cluster communications)
       Elevation of privilege - protect the API server (authorization modes: RBAC, Webhook, Node); protect the pods
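Two of the rows above, elevation of privilege (RBAC) and information disclosure, together with the "proper secrets management" item from the previous slide, as an added worked example (these are not manifests from the talk): an over-broad binding that teams often start with, the least-privilege Role that replaces it, and a workload that consumes a Secret as a read-only file through a dedicated service account. The namespace `app`, the group `dev`, the `orders` workload and its image, and the placeholder password are all assumptions for illustration.

```yaml
# Added example, not from the talk. Assumed namespace "app", group "dev",
# workload "orders" with an assumed image, and a constructed placeholder secret.
#
# Anti-pattern, shown for contrast only: everyone in "dev" becomes cluster-admin,
# which can read every Secret in every namespace and grant itself anything.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: dev-cluster-admin        # do not apply this
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
  - kind: Group
    apiGroup: rbac.authorization.k8s.io
    name: dev
---
# Least privilege: namespaced, read-only, and deliberately silent on "secrets".
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: pod-reader
  namespace: app
rules:
  - apiGroups: [""]
    resources: ["pods", "pods/log"]
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: dev-pod-reader
  namespace: app
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: pod-reader
subjects:
  - kind: Group
    apiGroup: rbac.authorization.k8s.io
    name: dev
---
# One service account per workload, and no API token mounted unless the app
# actually talks to the API server.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: orders
  namespace: app
automountServiceAccountToken: false
---
apiVersion: v1
kind: Secret
metadata:
  name: orders-db
  namespace: app
type: Opaque
stringData:
  password: "placeholder-only"   # constructed; real values come from your secret store, not git
---
# The secret reaches the container as a read-only file, not an environment
# variable; env vars are inherited by every child process and tend to end up
# in logs and crash reports.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: orders
  namespace: app
spec:
  replicas: 1
  selector:
    matchLabels:
      app: orders
  template:
    metadata:
      labels:
        app: orders
    spec:
      serviceAccountName: orders
      containers:
        - name: orders
          image: gcr.io/example-project/orders:1.0   # assumed image
          volumeMounts:
            - name: db-creds
              mountPath: /var/run/secrets/orders-db
              readOnly: true
      volumes:
        - name: db-creds
          secret:
            secretName: orders-db
```

Kubernetes Secrets are only base64-encoded in the API; whether they are encrypted in etcd depends on the cluster. GKE encrypts etcd at rest with Google-managed keys and can additionally envelope-encrypt Secrets with a Cloud KMS key (application-layer secrets encryption), which is the etcd protection the information-disclosure row asks for. Check the RBAC outcome rather than assuming it: `kubectl auth can-i get secrets -n app --as=someone --as-group=dev` should answer `no`, while `kubectl auth can-i get pods --subresource=log -n app --as=someone --as-group=dev` should answer `yes`.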
  7. Resources
     • The Illustrated Children's Guide to Kubernetes - https://www.youtube.com/watch?v=Q4W8Z-D-gcQ
     • A hacker's guide to Kubernetes security - https://techbeacon.com/enterprise-it/hackers-guide-kubernetes-security
     • The Kubernetes Book (November 2018 edition) - https://www.amazon.com/Kubernetes-Book-Version-November-2018-ebook/dp/B072TS9ZQZ
     • Falco - https://sysdig.com/opensource/falco/
     • Hardening your cluster - GKE specific - https://cloud.google.com/kubernetes-engine/docs/how-to/hardening-your-cluster