
Secure your Kubernetes Containers - All Day DevOps

Hossam Barakat

November 06, 2019

Transcript

  1. Secure your Kubernetes Containers
    Hossam Barakat
    Lead Consultant at Telstra Purple
    @hossambarakat_

  2. @hossambarakat_

  3. @hossambarakat_
    Attack Vectors
    » OS
    » Application

  4. @hossambarakat_
    Attack Vectors
    » OS
    » Kubernetes
    » Container Image
    » Container
    » Application

  5. @hossambarakat_

  6. @hossambarakat_
    Kubernetes Cluster

  7. @hossambarakat_
    Kubernetes Architecture
    (diagram: a Client talks to the Cluster, which consists of a Master and several Workers)

  8. @hossambarakat_
    Kubernetes Architecture
    (diagram)
    » Master: API Server, Scheduler
    » Worker: Kubelet, Container Runtime, Pods
    » Clients: UI (Dashboard), CLI (Kubectl), Other Client(s)
    » Connections between clients, Master and Workers are secured with TLS

  9. @hossambarakat_
    Role Based Access Control (RBAC)
    (diagram: a Role Binding ties a Subject (User, Group or Service Account) to a Role; the Role grants Verbs on a Resource)

  10. @hossambarakat_
    Service Account
    apiVersion: v1
    kind: ServiceAccount
    metadata:
      name: webapp-service-account
      namespace: default

  11. @hossambarakat_
    Role Based Access Control (RBAC)
    Role
    kind: Role
    apiVersion: rbac.authorization.k8s.io/v1
    metadata:
      name: my-role
      namespace: default
    rules:
    - apiGroups: [""]
      resources: ["pods"]
      verbs: ["get", "list"]
    Role Binding
    kind: RoleBinding
    apiVersion: rbac.authorization.k8s.io/v1
    metadata:
      name: my-role-binding
      namespace: default
    subjects:
    - kind: ServiceAccount
      name: webapp-service-account
      namespace: default
    roleRef:
      kind: Role
      name: my-role
      apiGroup: rbac.authorization.k8s.io

  12. @hossambarakat_
    Role Based Access Control (RBAC)
    Pod
    kind: Pod
    apiVersion: v1
    metadata:
      name: webapp
    spec:
      serviceAccountName: webapp-service-account
      containers:
      - name: webapp
        image: hossambarakat/k8s-security-webapp
        ports:
        - containerPort: 3000
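
    The three slides above (ServiceAccount, Role plus RoleBinding, and the Pod that uses the service account) describe how a request is authorised. The following is an added example, not code from the deck or its companion repository: a minimal evaluator that resolves a namespaced Role through its RoleBindings and answers whether a subject may perform a verb on a resource. The manifests are constructed plain dicts mirroring the deck's YAML, so it runs without a cluster; ClusterRoles and ClusterRoleBindings are deliberately not modelled.

```python
"""Added example (not from the deck): evaluate the namespaced RBAC model
shown on the Role / RoleBinding / Pod slides.

Manifests are plain dicts (what a YAML loader yields). Only Roles reached
through RoleBindings are modelled; ClusterRole* objects are out of scope."""

# Constructed to mirror the deck's manifests.
ROLE = {
    "kind": "Role",
    "apiVersion": "rbac.authorization.k8s.io/v1",
    "metadata": {"name": "my-role", "namespace": "default"},
    "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]}],
}

ROLE_BINDING = {
    "kind": "RoleBinding",
    "apiVersion": "rbac.authorization.k8s.io/v1",
    "metadata": {"name": "my-role-binding", "namespace": "default"},
    "subjects": [{"kind": "ServiceAccount", "name": "webapp-service-account",
                  "namespace": "default"}],
    "roleRef": {"kind": "Role", "name": "my-role",
                "apiGroup": "rbac.authorization.k8s.io"},
}


def rule_matches(rule, api_group, resource, verb):
    """A rule covers a request when API group, resource and verb all match.
    '*' is a wildcard; the core API group is the empty string."""
    def covers(values, wanted):
        return "*" in values or wanted in values
    return (covers(rule.get("apiGroups", []), api_group)
            and covers(rule.get("resources", []), resource)
            and covers(rule.get("verbs", []), verb))


def binding_names_subject(binding, kind, name, namespace):
    """ServiceAccount subjects are namespaced; User and Group subjects are not."""
    for subject in binding.get("subjects", []):
        if subject["kind"] != kind or subject["name"] != name:
            continue
        if kind == "ServiceAccount" and subject.get("namespace") != namespace:
            continue
        return True
    return False


def is_allowed(roles, bindings, subject, request):
    """subject = (kind, name, namespace); request = (namespace, api_group, resource, verb).
    RBAC is deny-by-default: the request is allowed only if some binding in the
    request's namespace names the subject and its Role has a covering rule."""
    kind, name, subject_ns = subject
    namespace, api_group, resource, verb = request
    role_index = {(r["metadata"]["namespace"], r["metadata"]["name"]): r for r in roles}
    for binding in bindings:
        if binding["metadata"]["namespace"] != namespace:
            continue  # a RoleBinding only grants access within its own namespace
        if not binding_names_subject(binding, kind, name, subject_ns):
            continue
        ref = binding["roleRef"]
        if ref["kind"] != "Role":
            continue  # ClusterRole references are not modelled in this example
        role = role_index.get((namespace, ref["name"]))
        if role is None:
            continue  # a dangling roleRef grants nothing
        if any(rule_matches(rule, api_group, resource, verb) for rule in role["rules"]):
            return True
    return False


WEBAPP_SA = ("ServiceAccount", "webapp-service-account", "default")

if __name__ == "__main__":
    for req in [("default", "", "pods", "get"), ("default", "", "pods", "delete"),
                ("default", "", "secrets", "get"), ("prod", "", "pods", "get")]:
        print(req, "->", is_allowed([ROLE], [ROLE_BINDING], WEBAPP_SA, req))
```

    Running it shows the scope the deck's manifests actually grant: the webapp service account can get and list pods in default, but not delete them, not read secrets, and nothing at all in another namespace. This is the least-privilege check to make before handing a workload a service account token.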

  13. @hossambarakat_
    CIS Kubernetes Benchmark
    » A document that provides guidance for establishing a secure configuration posture for Kubernetes
    » Specific recommendations, each with a description, rationale, audit method and remediation
    » Can be automated with kube-bench

  14. @hossambarakat_
    Container Images

  15. @hossambarakat_
    Image Security
    » Never run as root
    • Set USER in Dockerfile
    » Minimal base image
    • Alpine 2 MB
    • Ubuntu 60 MB
    » Trusted base image
    » Private image registry
    » Do NOT use latest tag
    » Vulnerability scans

  16. @hossambarakat_
    Image Scanning Tools
    » aquasecurity/trivy
    » coreos/clair
    » optiopay/klar
    » aquasecurity/microscanner
    » Aqua Security
    » Twistlock

  17. @hossambarakat_
    Trivy

  18. @hossambarakat_
    Vulnerability Scanning CI Pipeline Integration
    (diagram: Code → CI → Vulnerability Scanning → Image Registry → Container; scanning is also triggered on a Schedule)

  19. @hossambarakat_
    Vulnerability Scanning CI Pipeline Integration
    (diagram: Code → CI → Vulnerability Scanning → Image Registry → Container; scanning is also triggered on a Schedule; scanning results are published, and an Admission Webhook asks "Is Scanned Image?" before the Container is admitted)

  20. @hossambarakat_
    Containers

  21. @hossambarakat_
    Privilege Escalation
    (diagram: a Container inside a Pod on a Worker; modify the container file system → modify the host file system → Crypto Miner)
    Hacker icon by karina from the Noun Project

  22. @hossambarakat_
    Demo
    Privilege Escalation

  23. @hossambarakat_
    Security Context
    » RunAsUser
    » RunAsGroup
    securityContext:
      runAsUser: 1000
      runAsGroup: 3000

  24. @hossambarakat_
    Security Context
    » AllowPrivilegeEscalation
    securityContext:
      allowPrivilegeEscalation: false

  25. @hossambarakat_
    Security Context
    » ReadOnlyRootFilesystem
    securityContext:
      readOnlyRootFilesystem: true

  26. @hossambarakat_
    Security Context
    » RunAsUser
    » RunAsGroup
    » AllowPrivilegeEscalation
    » ReadOnlyRootFilesystem
    apiVersion: v1
    kind: Pod
    metadata:
      name: my-app
    spec:
      securityContext:
        runAsUser: 1000
        runAsGroup: 2000
      containers:
      - name: my-app
        image: my-app
        securityContext:
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: true
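
    The image-security slide (no root, private registry, no latest tag), the admission-webhook step on the CI pipeline slide and the four security-context slides above together describe a set of settings a pod should satisfy before it is admitted. The following is an added example, not code from the deck or its companion repository: a manifest checker that applies those rules to a pod, the kind of check an admission webhook or a CI step would run. Manifests are constructed plain dicts; the private registry name registry.example.internal and the sample images are assumptions for illustration.

```python
"""Added example (not from the deck): check a Pod manifest against the
hardening settings the deck recommends. Manifests are plain dicts (what a
YAML loader yields); the registry name and sample pods are constructed."""

ALLOWED_REGISTRY = "registry.example.internal"  # assumed private registry


def parse_image(ref):
    """Split an image reference into (registry, repository, tag, digest).

    Follows the Docker/OCI convention: the first path component is a registry
    only if it contains '.' or ':' or is 'localhost', otherwise the image comes
    from docker.io. A missing tag (and no digest) means 'latest'."""
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    parts = ref.split("/")
    if len(parts) > 1 and ("." in parts[0] or ":" in parts[0] or parts[0] == "localhost"):
        registry, path = parts[0], "/".join(parts[1:])
    else:
        registry, path = "docker.io", ref
    tag = None
    if ":" in path.rsplit("/", 1)[-1]:
        path, tag = path.rsplit(":", 1)
    if tag is None and digest is None:
        tag = "latest"
    return registry, path, tag, digest


def effective_context(pod_spec, container):
    """Container-level securityContext fields override pod-level ones."""
    ctx = dict(pod_spec.get("securityContext", {}))
    ctx.update(container.get("securityContext", {}))
    return ctx


def check_pod(pod, allowed_registry=ALLOWED_REGISTRY):
    """Return a list of (container name, finding) tuples; empty means the pod passes."""
    findings = []
    spec = pod["spec"]
    for container in spec.get("containers", []):
        name = container["name"]
        registry, _, tag, digest = parse_image(container["image"])
        if registry != allowed_registry:
            findings.append((name, "image-not-from-private-registry"))
        if digest is None and tag == "latest":
            findings.append((name, "image-uses-latest-tag"))
        ctx = effective_context(spec, container)
        # "Never run as root": require an explicit non-zero UID or runAsNonRoot
        uid = ctx.get("runAsUser")
        if not ((uid is not None and uid != 0) or ctx.get("runAsNonRoot") is True):
            findings.append((name, "may-run-as-root"))
        if ctx.get("privileged") is True:
            findings.append((name, "privileged-container"))
        if ctx.get("allowPrivilegeEscalation") is not False:
            findings.append((name, "privilege-escalation-allowed"))
        if ctx.get("readOnlyRootFilesystem") is not True:
            findings.append((name, "writable-root-filesystem"))
    return findings


# Constructed: the deck's webapp pod as on the RBAC Pod slide, without hardening.
UNHARDENED_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "webapp"},
    "spec": {"containers": [{"name": "webapp",
                             "image": "hossambarakat/k8s-security-webapp"}]},
}

# Constructed: the same pod with the deck's security-context settings and a
# versioned image from the assumed private registry.
HARDENED_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "webapp"},
    "spec": {
        "securityContext": {"runAsUser": 1000, "runAsGroup": 2000},
        "containers": [{
            "name": "webapp",
            "image": "registry.example.internal/webapp:1.4.2",
            "securityContext": {"allowPrivilegeEscalation": False,
                                "readOnlyRootFilesystem": True},
        }],
    },
}

# Constructed: digest-pinned image, but runs as UID 0 and privileged.
PRIVILEGED_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "agent"},
    "spec": {
        "securityContext": {"runAsUser": 0},
        "containers": [{
            "name": "agent",
            "image": "registry.example.internal/agent@sha256:0123456789abcdef",
            "securityContext": {"privileged": True,
                                "allowPrivilegeEscalation": False,
                                "readOnlyRootFilesystem": True},
        }],
    },
}

if __name__ == "__main__":
    for pod in (UNHARDENED_POD, HARDENED_POD, PRIVILEGED_POD):
        print(pod["metadata"]["name"], check_pod(pod) or "OK")
```

    The checker merges the pod-level and container-level securityContext before judging, because that is how the settings apply at runtime: runAsUser set on the pod covers every container unless a container overrides it, while allowPrivilegeEscalation and readOnlyRootFilesystem only exist at the container level and must be set on each one.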

  27. @hossambarakat_
    Enter Pod Security Policy

  28. @hossambarakat_
    Pod Security Policy
    » A Pod Security Policy is a cluster-level resource that controls the actions that a pod can perform and what it has the ability to access.
    » The PodSecurityPolicy objects define a set of conditions that a pod must run with in order to be accepted into the system.

  29. @hossambarakat_
    Pod Security Policy
    » privileged
    » volumes
    » fsGroup
    » runAsUser, runAsGroup
    » readOnlyRootFilesystem
    » allowedHostPaths
    » hostNetwork
    » Linux capabilities

  30. @hossambarakat_
    kube-psp-advisor

  31. @hossambarakat_
    Network Communication
    » All pods can communicate with each other
    (diagram: three Pods, each connected to the others)

  32. @hossambarakat_
    Network Communication
    (diagram: App 1, a Frontend Pod talking to a DB Pod)
    apiVersion: networking.k8s.io/v1
    kind: NetworkPolicy
    metadata:
      name: my-frontend-policy
    spec:
      podSelector:
        matchLabels:
          app: db
      ingress:
      - from:
        - podSelector:
            matchLabels:
              app: frontend
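
    The two Network Communication slides above state the default (every pod can reach every other pod) and show one policy that restricts ingress to the DB pod. The following is an added example, not code from the deck or its companion repository: an evaluator for that ingress model, including the edge case the slides only imply, namely that a pod becomes isolated the moment any policy selects it, and that several policies selecting the same pod are additive. Only podSelector peers within one namespace are modelled (no namespaceSelector, ipBlock, ports or egress); the pods and the deny-all policy are constructed.

```python
"""Added example (not from the deck): evaluate pod-to-pod ingress under
NetworkPolicy objects, for the Network Communication slides. Pods are
represented by their label dicts; policies are plain dicts."""


def selector_matches(selector, labels):
    """matchLabels semantics: every listed key must be present with that value.
    An empty selector ({}) matches every pod."""
    return all(labels.get(key) == value
               for key, value in selector.get("matchLabels", {}).items())


def ingress_allowed(policies, src_labels, dst_labels):
    """Is traffic from a pod with src_labels to a pod with dst_labels admitted?"""
    selecting = [p for p in policies
                 if selector_matches(p["spec"]["podSelector"], dst_labels)]
    if not selecting:
        return True  # destination not isolated: the cluster default is allow-all
    for policy in selecting:
        for rule in policy["spec"].get("ingress", []):
            peers = rule.get("from")
            if not peers:
                return True  # a rule without 'from' admits every source
            for peer in peers:
                if "podSelector" in peer and selector_matches(peer["podSelector"], src_labels):
                    return True
    return False  # isolated and no rule across any selecting policy matched


# Constructed: the deck's policy, which isolates app=db and admits app=frontend.
FRONTEND_TO_DB = {
    "apiVersion": "networking.k8s.io/v1",
    "kind": "NetworkPolicy",
    "metadata": {"name": "my-frontend-policy"},
    "spec": {
        "podSelector": {"matchLabels": {"app": "db"}},
        "ingress": [{"from": [{"podSelector": {"matchLabels": {"app": "frontend"}}}]}],
    },
}

# Constructed: a default-deny policy. An empty podSelector isolates every pod in
# the namespace, and with no ingress rules nothing is admitted unless another
# policy adds an allow rule.
DENY_ALL = {
    "apiVersion": "networking.k8s.io/v1",
    "kind": "NetworkPolicy",
    "metadata": {"name": "default-deny-ingress"},
    "spec": {"podSelector": {}, "ingress": []},
}

FRONTEND = {"app": "frontend"}
DB = {"app": "db"}
BATCH = {"app": "batch"}  # constructed third workload, unrelated to the app

if __name__ == "__main__":
    print("frontend -> db            :", ingress_allowed([FRONTEND_TO_DB], FRONTEND, DB))
    print("batch    -> db            :", ingress_allowed([FRONTEND_TO_DB], BATCH, DB))
    print("batch    -> frontend      :", ingress_allowed([FRONTEND_TO_DB], BATCH, FRONTEND))
    print("batch    -> frontend (deny-all):",
          ingress_allowed([FRONTEND_TO_DB, DENY_ALL], BATCH, FRONTEND))
```

    The third line of output is the point practitioners most often miss: the deck's policy protects the DB pod, but the frontend pod stays reachable from everything because no policy selects it. Adding the default-deny policy closes that gap while the DB policy still admits frontend traffic, since allow rules from all selecting policies are unioned. A network plugin that implements NetworkPolicy (next slide) is needed for any of this to take effect.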

  33. @hossambarakat_
    Network Plugin
    » Calico
    » Cilium
    » Kube-Router
    » Weave Net
    » …

  34. @hossambarakat_

  35. @hossambarakat_
    Service Mesh
    » Security specific policy enforcement
    » End-to-end encryption
    » Rolling certificates

  36. @hossambarakat_
    Summary
    Kubernetes Cluster
    » Bootstrap TLS
    » Authentication
    » Enable RBAC
    » CIS Benchmark
    Container Images
    » No root user
    » Small images
    » Do NOT use latest
    » Private Image Registry
    » Vulnerability Scans
    Containers
    » Pod Security Context
    » Pod Security Policy
    » Network Policy
    » Service Mesh

  37. @hossambarakat_
    Resources
    » https://kubernetes-security.info
    » http://github.com/hossambarakat/secure-k8s-containers

  38. @hossambarakat_
    Questions?
    #2019addo-devsecops

  39. @hossambarakat_

  40. Thank You
    Hossam Barakat
    @hossambarakat_
