Kubernetes security

Security in Kubernetes is really, really hard. This is why, and here's what you need to think about when managing a cluster.

Jaakko Pallari

June 11, 2019

Transcript

  1. Kubernetes security

  3. “...hundreds of Kubernetes administration consoles
    accessible over the internet without any password
    protection…”

  4. Security with VMs on cloud

    Security with Kubernetes

  5. A lot of the same and much more!

  6. Kubernetes
    ● etcd encryption
    ● authentication
    ● authorization
    ● dashboard access
    ● network policies
    ● pod security policies
    ● secret access
    ● audit logs
    ● sandboxing and runtime protection
    ● security updates
    ● secrets management
    ● certificate rotation
    Containers
    ● trusted images
    ● image scanning
    ● image patching
    ● custom image storage
    ● non-root user
    Platform
    ● node-to-node network security
    ● access to nodes (SSH etc.)
    ● security updates
    ● deployment pipeline
    ● multi-tenancy

  8. Jaakko Pallari
    Lead SRE Consultant
    @ Polar Squad
    Certified Kubernetes Administrator
    not a security expert

  9. Know your threat model!

  10. Make sure to keep your threat model updated!

  11. STRIDE
    PASTA
    TRIKE
    VAST
    OCTAVE

  12. What are you building, and what can go wrong?

  13. Production environment:
    customer data nearby;
    loss of revenue, trust, reputation;
    legal liability.
    Development environment:
    no real data in sight;
    devs are inconvenienced at most.

  14. Who’s using the cluster?
    Can you trust these people?

  15. multi-tenant: +1k people from many teams
    single tenant: 2-10 person dev team

  16. How are you running Kubernetes?

  17. Public or shared network
    Locked down network with strict firewall rules etc.

  19. Using Amazon EKS? No Pod Security Policies for you!

  20. Using flannel for networking? No network policies for you!

  21. Which security features to use?

  22. Must have:
    TLS for internal comms.
    Authentication
    RBAC
    Must have for multi-tenancy:
    Network Policies
    Pod Security Policies
    (PodSecurityPolicy was deprecated in Kubernetes 1.21 and removed in 1.25; Pod Security Admission is the built-in replacement.)

  23. Let’s talk about
    RBAC
    Role-Based Access Control

  24. 1. Figure out the minimal permissions
    2. Create a role with the permissions
    3. Attach the role to user/group
    … and Bob’s your uncle! Right?

  25. Getting around permission scopes

  26. (diagram of permission scopes: user, pods, secrets)

  27. (diagram of permission scopes: user, pods, secrets)

  28. (diagram of permission scopes: user, pods, secrets, deployments)

  29. apiVersion: v1
    kind: Pod
    metadata:
      name: slurpsecrets
    spec:
      containers:
      - image: hackertoolz.io/slurpsecrets
        name: slurpsecrets
        volumeMounts:
        - name: supersecret
          mountPath: "/secrets"
          readOnly: true
      volumes:
      - name: supersecret
        secret:
          secretName: supersecret

  30. Also watch out for kubectl exec!

  31. Avoid giving pod execution permissions

  32. (diagram: namespace 1 with the super secrets and pods; namespace 2 with the test secrets and pods; user)
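
The permission side doors on slides 24 to 32, turned into an audit you can run against your own Roles. This is an added example and not code from the deck; it models Role objects as dicts in the shape of a Kubernetes Role manifest (constructed inline here; in practice feed it `kubectl get role -o json`). It goes a little beyond the slides by treating every pod-template controller the way the deck treats Deployments, since StatefulSets, DaemonSets, Jobs and CronJobs create pods from a template in exactly the same way.

```python
# Added example (not from the deck): audit a namespaced Role for ways to
# reach Secrets. Besides direct "get secrets", it flags the side doors the
# slides show: creating pods (which may mount any secret in the namespace),
# creating or editing pod-template controllers such as Deployments, and
# pods/exec. Role data is constructed inline in the shape of a Kubernetes
# Role manifest; in practice you would feed it `kubectl get role -o json`.
from typing import NamedTuple


class Finding(NamedTuple):
    path: str       # "direct" or "indirect"
    api_group: str  # "" is the core API group
    resource: str
    verb: str
    note: str


# Verbs that return secret contents outright.
DIRECT_SECRET_VERBS = ("get", "list", "watch")

# (apiGroup, resource, verbs, why it leaks secrets). The deck shows pods,
# deployments and exec; the other controllers are included because they
# create pods from a pod template exactly as a Deployment does.
INDIRECT_SECRET_PATHS = [
    ("", "pods", ("create",), "a new pod can mount any secret in the namespace"),
    ("", "pods/exec", ("create",), "exec into a pod that already has a secret mounted"),
    ("apps", "deployments", ("create", "update", "patch"), "pod template can mount a secret"),
    ("apps", "statefulsets", ("create", "update", "patch"), "pod template can mount a secret"),
    ("apps", "daemonsets", ("create", "update", "patch"), "pod template can mount a secret"),
    ("batch", "jobs", ("create",), "pod template can mount a secret"),
    ("batch", "cronjobs", ("create", "update", "patch"), "pod template can mount a secret"),
]


def resource_matches(rule_resources, requested):
    """Kubernetes RBAC resource matching: '*', an exact name, or '*/<sub>'
    for a subresource request such as pods/exec."""
    _, _, subresource = requested.partition("/")
    for r in rule_resources:
        if r == "*" or r == requested:
            return True
        if subresource and r == "*/" + subresource:
            return True
    return False


def rule_allows(rule, api_group, resource, verb):
    """True if one PolicyRule grants verb on apiGroup/resource."""
    groups = rule.get("apiGroups", [])
    verbs = rule.get("verbs", [])
    if "*" not in groups and api_group not in groups:
        return False
    if "*" not in verbs and verb not in verbs:
        return False
    return resource_matches(rule.get("resources", []), resource)


def audit(role):
    """Return every path from this Role's rules to Secret contents."""
    rules = role.get("rules", [])
    findings = []
    for verb in DIRECT_SECRET_VERBS:
        if any(rule_allows(r, "", "secrets", verb) for r in rules):
            findings.append(Finding("direct", "", "secrets", verb, "reads secret contents"))
    for group, resource, verbs, note in INDIRECT_SECRET_PATHS:
        for verb in verbs:
            if any(rule_allows(r, group, resource, verb) for r in rules):
                findings.append(Finding("indirect", group, resource, verb, note))
    return findings


# Constructed sample roles. Only pod-reader really has no way to secrets.
POD_READER = {"kind": "Role", "metadata": {"name": "pod-reader", "namespace": "test"},
              "rules": [{"apiGroups": [""], "resources": ["pods", "pods/log"],
                         "verbs": ["get", "list", "watch"]}]}
POD_MANAGER = {"kind": "Role", "metadata": {"name": "pod-manager", "namespace": "test"},
               "rules": [{"apiGroups": [""], "resources": ["pods"],
                          "verbs": ["get", "list", "create", "delete"]}]}
DEPLOYER = {"kind": "Role", "metadata": {"name": "deployer", "namespace": "test"},
            "rules": [{"apiGroups": ["apps"], "resources": ["deployments"],
                       "verbs": ["create", "patch"]}]}
EXEC_ONLY = {"kind": "Role", "metadata": {"name": "exec-only", "namespace": "test"},
             "rules": [{"apiGroups": [""], "resources": ["*/exec"], "verbs": ["create"]}]}

if __name__ == "__main__":
    for role in (POD_READER, POD_MANAGER, DEPLOYER, EXEC_ONLY):
        ns, name = role["metadata"]["namespace"], role["metadata"]["name"]
        for f in audit(role):
            # A Role is namespaced, so these paths stop at the namespace
            # boundary; that is why the deck splits "super" and "test".
            print(f"{ns}/{name}: {f.path} via {f.resource} {f.verb}: {f.note}")
```

The matcher follows the RBAC evaluation rules: `*` matches anything, a subresource request such as `pods/exec` is matched by `pods/exec` or `*/exec`, and verbs are exact. Run it over every Role and ClusterRole a human or service account is bound to; any `indirect` finding means the "no secrets" permission set is not what it looks like.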

  33. “Am I building a backdoor?”

  34. Kubernetes dashboard is super useful!

  35. ...it also requires access to basically everything

  36. Don’t run Kubernetes dashboard in production!

  37. Metrics

  38. Logs

  40. Helm = package manager for Kubernetes

  41. Packaging and distributing k8s resources
    Managing package (=chart) installations

  42. (diagram: kubectl, subject to RBAC, manages a Deployment and a Service in the Kubernetes cluster)

  43. (diagram: kubectl still goes through RBAC, but helm pulls charts from a helm repo and hands them to Tiller inside the Kubernetes cluster; Tiller creates the Deployment and Service with no RBAC check on the caller)

  44. helm install stable/wordpress

  45. curl https://cool.io/install.sh | sudo bash

  46. Helm v3 will remove Tiller, and integrate with RBAC!

  47. Workarounds
    “Tillerless” Helm
    Don’t use Helm for installing things

  48. “Tillerless” Helm
    (diagram: Tiller runs alongside the helm client instead of inside the Kubernetes cluster, so both helm and kubectl reach the Deployment and Service through RBAC)
    https://rimusz.net/tillerless-helm

  49. Don’t use Helm for installing things
    helm template CHART --output-dir somedir
    kubectl apply -f somedir/

  50. curl https://cool.io/install.sh | sudo bash
    (the first half is the Fetch, the second half is the Install)

  51. Host Helm charts in your own VCS
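
Splitting Fetch from Install (slides 49 to 51) only pays off if something actually looks at what was fetched before `kubectl apply` runs. The following is an added example for that review step and is not code from the deck, from Helm or from any chart. It assumes the rendered manifests have already been parsed into dicts (what `yaml.safe_load_all()` returns for the files under the `--output-dir`), and the sample manifests are constructed for the example.

```python
# Added example (not from the deck, from Helm or from any chart): a review
# step to run between `helm template CHART --output-dir somedir` and
# `kubectl apply -f somedir/`. It takes the rendered manifests as already
# parsed dicts (what yaml.safe_load_all() returns for the files in somedir)
# and reports the things a Pod Security Policy would have refused, plus
# unpinned images. The manifests below are constructed for the example.

WORKLOAD_KINDS = {"Pod", "Deployment", "StatefulSet", "DaemonSet", "Job", "CronJob"}


def pod_spec(manifest):
    """Return the pod spec embedded in a workload manifest, or None for other kinds."""
    kind = manifest.get("kind")
    spec = manifest.get("spec", {})
    if kind == "Pod":
        return spec
    if kind == "CronJob":
        job = spec.get("jobTemplate", {}).get("spec", {})
        return job.get("template", {}).get("spec")
    if kind in WORKLOAD_KINDS:
        return spec.get("template", {}).get("spec")
    return None


def image_is_pinned(image):
    """True when the image reference carries a digest or an explicit, non-latest tag."""
    _, _, name = image.rpartition("/")  # drop registry/repo so a registry port is not read as a tag
    if "@sha256:" in name:
        return True
    tag = name.partition(":")[2]
    return bool(tag) and tag != "latest"


def lint_workload(manifest):
    """Return human-readable problems for one manifest; [] for non-workloads."""
    spec = pod_spec(manifest)
    if spec is None:
        return []
    ident = f"{manifest['kind']}/{manifest.get('metadata', {}).get('name', '?')}"
    problems = []
    for key in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(key):
            problems.append(f"{ident}: {key} is enabled")
    for vol in spec.get("volumes", []):
        if "hostPath" in vol:
            problems.append(f"{ident}: volume {vol.get('name')} is a hostPath ({vol['hostPath'].get('path')})")
    pod_sc = spec.get("securityContext", {})
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        cname = f"{ident} container {c.get('name')}"
        sc = c.get("securityContext", {})
        if sc.get("privileged"):
            problems.append(f"{cname}: privileged")
        if sc.get("allowPrivilegeEscalation") is not False:
            problems.append(f"{cname}: allowPrivilegeEscalation is not false")
        # Container-level settings override pod-level ones; accept either
        # runAsNonRoot: true or an explicit non-zero runAsUser.
        non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot"))
        run_as_user = sc.get("runAsUser", pod_sc.get("runAsUser"))
        if non_root is not True and not run_as_user:
            problems.append(f"{cname}: may run as root")
        if not image_is_pinned(c.get("image", "")):
            problems.append(f"{cname}: image {c.get('image')} is not pinned")
    return problems


def lint(manifests):
    """All problems across a rendered chart, in manifest order."""
    return [p for m in manifests for p in lint_workload(m)]


# Constructed sample render: one clean Deployment, one a PSP would refuse.
RENDERED = [
    {"apiVersion": "v1", "kind": "Service", "metadata": {"name": "web"},
     "spec": {"ports": [{"port": 80}]}},
    {"apiVersion": "apps/v1", "kind": "Deployment", "metadata": {"name": "web"},
     "spec": {"template": {"spec": {
         "volumes": [{"name": "data", "hostPath": {"path": "/var/lib/web"}}],
         "containers": [{"name": "web", "image": "example.com/web:latest",
                         "securityContext": {"privileged": True}}]}}}},
    {"apiVersion": "apps/v1", "kind": "Deployment", "metadata": {"name": "api"},
     "spec": {"template": {"spec": {
         "securityContext": {"runAsNonRoot": True},
         "containers": [{"name": "api",
                         "image": "example.com/api@sha256:" + "0" * 64,
                         "securityContext": {"allowPrivilegeEscalation": False}}]}}}},
]

if __name__ == "__main__":
    problems = lint(RENDERED)
    for p in problems:
        print(p)
    # Only apply somedir/ when this list is empty.
    raise SystemExit(1 if problems else 0)
```

Wire it in as the gate between the two commands on slide 49: render, lint, apply only on exit 0. Hosting the chart in your own VCS (slide 51) then gives you a place to fix what the linter finds instead of re-downloading an unknown chart on every install.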

  52. Final words...

  53. Remember your threat model!

  54. Make sure the platform supports what you need!

  55. Security in Kubernetes is hard!

  56. Kubernetes is not for everyone

  57. Check out this book!
    https://kubernetes-security.info/
