Secure your Kubernetes Containers - NDC Sydney 2019

Transcript

1. Secure your Kubernetes Containers Hossam Barakat Lead Consultant at Telstra

   Purple @hossambarakat_

2. @hossambarakat_ 2

3. @hossambarakat_ Attack Vectors 3 OS Application

4. @hossambarakat_ Attack Vectors 4 OS Kubernetes Container Image Container Application

   - Container escape - Intercept & modify traffic - Base image vulnerability - OSS Lib Vulnerability - Privilege Escalation - API Compromise

5. @hossambarakat_ 6

6. @hossambarakat_ Kubernetes Cluster 7

7. @hossambarakat_ Kubernetes Architecture Master Worker Worker Client Worker Cluster

8. @hossambarakat_ Kubernetes Architecture Master API Server Worker Kubelet Container Runtime

   UI (Dashboard) CLI (Kubectl) Other Client(s) Pod Pod Cluster Scheduler TLS TLS

9. @hossambarakat_ Attack Insecure API Server 10 Pod Worker Master Cluster

   Container API Server {Access Token} Get Pods Create Pods … Hacker icon by karina from the Noun Project

10. @hossambarakat_ Demo 11 Attack Insecure API Server

11. @hossambarakat_ Role Based Access Control (RBAC) 12 Role Binding Role

    Resource User Group Service Account Verb Verb Subject

12. @hossambarakat_ Service Account 13 apiVersion: v1 kind: ServiceAccount metadata: name:

    webapp-service-account namespace: default

13. @hossambarakat_ Role 14 Role Based Access Control (RBAC) Role Binding

    kind: Role apiVersion: rbac.authorization.k8s.io/v1 metadata: name: my-role namespace: default rules: - apiGroups: [""] resources: ["pods"] verbs: ["get", "list"] kind: RoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: name: my-role-binding namespace: default subjects: - kind: ServiceAccount name: webapp-service-account namespace: default roleRef: kind: Role name: my-role apiGroup: rbac.authorization.k8s.io

14. @hossambarakat_ Cluster Role 15 Cluster Role Binding Cluster Role Resource

    User Group Service Account Verb Verb Subject

15. @hossambarakat_ Get Pods Using RBAC 16 Pod Worker Master Cluster

    Container API Server {Access Token} Get Pods Create Pods Create Deployment …

16. @hossambarakat_ Demo 17 Get Pods Using RBAC

17. @hossambarakat_ CIS Kubernetes Benchmark » Document that provide guidance for

    establishing a secure configuration posture for Kubernetes » Specific recommendations with a description, rationale, method of audit and remediation » Can be automated with kube-bench 18

18. @hossambarakat_ Container Images 19

19. @hossambarakat_ Images Security » Never run as root • Set

    USER in Dockerfile » Minimal base image • Alpine 2 MB • Ubuntu 60 MB » Trusted base image » Private image registry » Do NOT use latest tag » Vulnerability scans 20

20. @hossambarakat_ Image Scanning Tools » aquasecurity/trivy » coreos/clair » optiopay/klar

    » aquasecurity/microscanner » Aqua Security » Twistlock 21

21. @hossambarakat_ Trivy 22

22. @hossambarakat_ Vulnerability Scanning CI Pipeline Integration 23 Code CI Vulnerability

    Scanning Image Registry Schedule Container

23. @hossambarakat_ Vulnerability Scanning CI Pipeline Integration 24 Code CI Vulnerability

    Scanning Image Registry Schedule Container Publish Scanning Results Is Scanned Image? Admission Webhook

24. @hossambarakat_ Patching Container Images » Do NOT SSH into running

    containers » Rebuild then redeploy 25

25. @hossambarakat_ Containers 26

26. @hossambarakat_ Privilege Escalation 27 Pod Worker Container Modify container file

    system Modify host file system Crypto Miner Hacker icon by karina from the Noun Project

27. @hossambarakat_ Demo 28 Privilege Escalation

28. @hossambarakat_ » RunAsUser » RunAsGroup 29 Security Context securityContext: runAsUser:

    1000 runAsGroup: 3000

29. @hossambarakat_ » AllowPrivilegdeEscalation 30 Security Context securityContext: allowPrivilegeEscalation: false

30. @hossambarakat_ » ReadOnlyRootFilesystem 31 Security Context securityContext: readOnlyRootFilesystem: true

31. @hossambarakat_ » RunAsUser » RunAsGroup » AllowPrivilegdeEscalation » ReadOnlyRootFilesystem 32

    Security Context apiVersion: v1 kind: Pod metadata: name: my-app spec: securityContext: runAsUser: 1000 RunAsGroup: 2000 containers: - name: my-app image: my-app securityContext: allowPrivilegeEscalation: false readOnlyRootFilesystem: true

32. @hossambarakat_ Enter Pod Security Policy 33

33. @hossambarakat_ Pod Security Policy » A Pod Security Policy is

    a cluster-level resource that controls the actions that a pod can perform and what it has the ability to access. » The PodSecurityPolicy objects define a set of conditions that a pod must run with in order to be accepted into the system. 34

34. @hossambarakat_ Pod Security Policy » privileged » volumes » fsGroup

    » runAsUser, runAsGroup » readOnlyRootFilesystem » allowedHostPaths » hostNetwork » Linux capabilities 35

35. @hossambarakat_ Pod Security Policy 37 Pod Security Policy Role Subject

    Role Binding use Service Account User

36. @hossambarakat_ Stop Privileged Pods with PSP 38 Master API Server

    securityContext: privileged: true Pod Security Policy Controller Schedule Pod Pod Security Policy Policy spec: privileged: false

37. @hossambarakat_ Demo 39 Stop Privileged Pods with PSP

38. @hossambarakat_ kube-psp-advisor 40

39. @hossambarakat_ » All pods can communicate with each other 41

    Network Communication Pod Pod Pod

40. @hossambarakat_ App 1 42 Network Policies Frontend DB Pod apiVersion:

    networking.k8s.io/v1 kind: NetworkPolicy metadata: name: my-frontend-policy spec: podSelector: matchLabels: app: db ingress: - from: - podSelector: matchLabels: app: frontend

41. @hossambarakat_ Network Plugin » Calico » Cilium » Kube-Router »

    Weave Net » … 43

42. @hossambarakat_ 44

43. @hossambarakat_ Service Mesh Data Plane

44. @hossambarakat_ Service Mesh Control Plane Control Plane

45. @hossambarakat_ Service Mesh » Security specific policy enforcement » End-to-end

    encryption » Rolling certificates 47

46. @hossambarakat_ Summary 48 Kubernetes Cluster Bootstrap TLS Authentication Enable RBAC

    CIS Benchmark Container Images No root user Small images Do NOT use latest Private Image Registry Containers Pod Security Context Pod Security Policy Network Policy Service Mesh Vulnerability Scans

47. @hossambarakat_ Resources » https://kubernetes-security.info » http://github.com/hossambarakat/secure-k8s-containers 49

48. @hossambarakat_ Questions? 50

49. Thank You Hossam Barakat @hossambarakat_