Security in Kubernetes is really, really hard. This is why, and here's what you need to think about when managing a cluster.
Kubernetes security
“...hundreds of Kubernetes administration consoles accessible over the internet without any password protection…”
Security with VMs on cloud ≠ Security with Kubernetes
A lot of the same and much more!
Kubernetes
● etcd encryption
● authentication
● authorization
● dashboard access
● network policies
● pod security policies
● secret access
● audit logs
● sandboxing and runtime protection
● security updates
● secrets management
● certificate rotation

Containers
● trusted images
● image scanning
● image patching
● custom image storage
● non-root user

Platform
● node-to-node network security
● access to nodes (SSH etc.)
● security updates
● deployment pipeline
● multi-tenancy

Jaakko Pallari
Lead SRE Consultant @ Polar Squad
Certified Kubernetes Administrator
not a security expert
Know your threat model!
Make sure to keep your threat model updated!
STRIDE, PASTA, TRIKE, VAST, OCTAVE
What are you building, and what can go wrong?
Production environment
● Customer data nearby
● Loss of revenue, trust, reputation
● Legal liability

Development environment
● No real data in sight
● Devs are inconvenienced at most
Who’s using the cluster? Can you trust these people?
● Multi-tenant: +1k people from many teams
● Single tenant: 2-10 person dev team
How are you running Kubernetes?
● Public or shared network
● Locked down network with strict firewall rules etc.
Using Amazon EKS? No Pod Security Policies for you!
Using flannel for networking? No network policies for you!
Which security features to use?
● TLS for internal comms. (must have)
● Authentication (must have)
● RBAC (must have)
● Network Policies (must have for multi-tenancy)
● Pod Security Policies (must have for multi-tenancy)
Let’s talk about RBAC (Role-Based Access Control)
1. Figure out the minimal permissions
2. Create a role with the permissions
3. Attach the role to user/group
… and Bob’s your uncle! Right?
Getting around permission scopes
[Diagram: user, secrets, pods]
[Diagram: user, secrets, pods, deployments]

```yaml
# The deck's example: a user who is only allowed to create pods (not to read
# secrets) mounts an existing Secret into a pod and reads it from /secrets.
# Pod-create permission in a namespace therefore implies read access to every
# Secret in that namespace.
apiVersion: v1
kind: Pod
metadata:
  name: slurpsecrets
spec:
  containers:
  - image: hackertoolz.io/slurpsecrets
    name: slurpsecrets
    volumeMounts:
    - name: supersecret
      mountPath: "/secrets"
      readOnly: true
  volumes:
  - name: supersecret
    secret:
      secretName: supersecret
```
Also watch out for kubectl exec!
Avoid giving pod execution permissions
[Diagram: namespace 1 (supersecrets, pods); user; namespace 2 (testsecrets, pods)]
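The three RBAC steps above, combined with the scoping lesson of the last few slides, as an added example that is not part of the original deck: the namespace holding real secrets has no binding for the dev user at all, and the Role in the dev namespace grants pod management but neither `secrets` nor the `pods/exec` subresource. The namespace names (`prod`, `dev`), the role name and the user `bob` are assumptions made for this example.

```yaml
# Added example (not from the slides). Names below are assumptions:
# namespaces "prod" and "dev", user "bob", role "dev-pod-runner".
---
# Namespace holding the real secrets. Bob gets NO RoleBinding here, so neither
# "get secrets" nor the pod-mounting trick from the previous slide can reach
# anything in it.
apiVersion: v1
kind: Namespace
metadata:
  name: prod
---
# Namespace the dev team works in. Because "create pods" here still lets Bob
# mount any Secret in this namespace, it holds test secrets only.
apiVersion: v1
kind: Namespace
metadata:
  name: dev
---
# Step 1: the minimal permissions. Bob needs to run, inspect and clean up pods.
# Deliberately absent: "secrets" with any verb, and the "pods/exec"
# subresource (exec is only granted when that subresource is listed).
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: dev
  name: dev-pod-runner
rules:
- apiGroups: [""]
  resources: ["pods", "pods/log"]
  verbs: ["get", "list", "watch", "create", "delete"]
---
# Steps 2 and 3: bind the role to Bob, scoped to the dev namespace only.
# A RoleBinding (not a ClusterRoleBinding) is what keeps "prod" out of reach.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  namespace: dev
  name: bob-dev-pod-runner
subjects:
- kind: User
  name: bob
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: dev-pod-runner
  apiGroup: rbac.authorization.k8s.io
```

Apply the file with `kubectl apply -f`, then confirm the scope with impersonation, for example `kubectl auth can-i create pods --subresource=exec -n dev --as bob` and `kubectl auth can-i get secrets -n prod --as bob`; the manifests above grant nothing for either request, while `kubectl auth can-i create pods -n dev --as bob` is what the Role is there for. The split mirrors the diagram on the previous slide: pod permissions in the test-secrets namespace, no binding at all in the namespace with the real ones.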
“Am I buildinga backdoor?”
Kubernetes dashboard is super useful!
...it also requires access to basically everything
Don’t run Kubernetes dashboard in production!
Metrics
Logs
Helm = package manager for Kubernetes
● Packaging and distributing k8s resources
● Managing package (= chart) installations
[Diagram: Kubernetes cluster with Deployment and Service; kubectl; RBAC]
[Diagram: Kubernetes cluster with Tiller, Deployment and Service; kubectl (RBAC); helm + helm repo (No RBAC)]
```shell
helm install stable/wordpress
```

```shell
curl https://cool.io/install.sh | sudo bash
```
Helm v3 will remove Tiller, and integrate with RBAC!
Workarounds
● “Tillerless” Helm
● Don’t use Helm for installing things
“Tillerless” Helm (https://rimusz.net/tillerless-helm)
[Diagram: Kubernetes cluster with Tiller, Deployment and Service; kubectl (RBAC); helm (RBAC)]
Don’t use Helm for installing things

```shell
helm template CHART --output-dir somedir
kubectl apply -f somedir/
```

```shell
curl https://cool.io/install.sh | sudo bash
```
Fetch (curl) and Install (sudo bash): the same two stages as helm template and kubectl apply.
Host Helm charts in your own VCS
Final words...
Remember your threat model!
Make sure the platform supports what you need!
Security in Kubernetes is hard!
Kubernetes is not for everyone
Check out this book! https://kubernetes-security.info/