
Kubernetes security


Security in Kubernetes is really, really hard. This is why, and here's what you need to think about when managing a cluster.


Jaakko Pallari

June 11, 2019

Transcript

  1. Kubernetes security

  2. None
  3. “...hundreds of Kubernetes administration consoles accessible over the internet without any password protection…”
  4. Security with VMs on cloud ≠ Security with Kubernetes

  5. A lot of the same and much more!

  6. Kubernetes: etcd encryption • authentication • authorization • dashboard access • network policies • pod security policies • secret access • audit logs • sandboxing and runtime protection • security updates • secrets management • certificate rotation

     Containers: trusted images • image scanning • image patching • custom image storage • non-root user

     Platform: node-to-node network security • access to nodes (SSH etc.) • security updates • deployment pipeline • multi-tenancy
  8. Jaakko Pallari, Lead SRE Consultant @ Polar Squad, Certified Kubernetes Administrator, not a security expert
  9. Know your threat model!

  10. Make sure to keep your threat model updated!

  11. STRIDE, PASTA, TRIKE, VAST, OCTAVE (threat modelling methodologies)

  12. What are you building, and what can go wrong?

  13. Production environment: customer data nearby; loss of revenue, trust, reputation; legal liability.

      Development environment: no real data in sight; devs are inconvenienced at most.
  14. Who’s using the cluster? Can you trust these people?

  15. Multi-tenant: 1k+ people from many teams. Single tenant: a 2-10 person dev team.
  16. How are you running Kubernetes?

  17. Public or shared network, or a locked down network with strict firewall rules etc.?
  18. None
  19. Using Amazon EKS? No Pod Security Policies for you!

  20. Using flannel for networking? No network policies for you!

  21. Which security features to use?

  22. TLS for internal comms: must have. Authentication: must have. RBAC: must have. Network Policies: must have for multi-tenancy. Pod Security Policies: must have for multi-tenancy.
  23. Let’s talk about RBAC Role-Based Access Control

  24. 1. Figure out the minimal permissions. 2. Create a role with the permissions. 3. Attach the role to a user/group. … and Bob’s your uncle! Right?
  25. Getting around permission scopes

  26. [diagram: user, pods, secrets]

  27. [diagram: user, pods, secrets]

  28. [diagram: user, pods, deployments, secrets]

  29. A pod that needs only pod-creation rights to read a secret:

      apiVersion: v1
      kind: Pod
      metadata:
        name: slurpsecrets
      spec:
        containers:
        - image: hackertoolz.io/slurpsecrets
          name: slurpsecrets
          volumeMounts:
          - name: supersecret
            mountPath: "/secrets"
            readOnly: true
        volumes:
        - name: supersecret
          secret:
            secretName: supersecret
  30. Also watch out for kubectl exec !

  31. Avoid giving pod execution permissions

  32. [diagram: namespace 1 with super secrets and pods; namespace 2 with test secrets and pods; user]
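The escape shown in the previous slides is easy to miss in a role review, because the role never mentions secrets. The following is an added example, not code from the talk: a small auditor that takes RBAC rules (as the dicts you would get from `yaml.safe_load` of a Role or ClusterRole) and reports every route to a Secret, direct or not. It goes slightly beyond the slides by also covering the other workload controllers whose pod template can mount secrets, and it treats `pods/exec` as a separate route because an exec'ing user reads whatever secrets a running pod already has mounted. The sample roles are constructed for the example.

```python
"""Find routes to Secrets in RBAC rules, including indirect ones (added example)."""

# Workload controllers whose pod template can mount a Secret. Creating or
# patching one of these is equivalent to creating a pod. Groups are the
# apiGroups the resources live in ("" is the core group).
CONTROLLERS = {
    "deployments": "apps",
    "replicasets": "apps",
    "statefulsets": "apps",
    "daemonsets": "apps",
    "jobs": "batch",
    "cronjobs": "batch",
}
READ_VERBS = {"get", "list", "watch"}
WRITE_VERBS = {"create", "update", "patch"}


def _hit(values, wanted):
    """Match one field of an RBAC rule. "*" matches anything, and a
    subresource such as pods/exec is also matched by pods/*."""
    if "*" in values or wanted in values:
        return True
    return "/" in wanted and wanted.split("/")[0] + "/*" in values


def _allows(rule, group, resource, verbs):
    """True if a single rule grants any of `verbs` on group/resource.
    RBAC is purely additive, so one matching rule is enough."""
    return (_hit(rule.get("apiGroups", []), group)
            and _hit(rule.get("resources", []), resource)
            and any(_hit(rule.get("verbs", []), v) for v in verbs))


def find_secret_paths(rules):
    """Return sorted (route, resource) pairs describing how the rules reach
    Secrets: "direct" (read secrets), "mount" (create a pod spec that mounts
    them) or "exec" (read them inside a running pod)."""
    paths = set()
    for rule in rules:
        if _allows(rule, "", "secrets", READ_VERBS):
            paths.add(("direct", "secrets"))
        # A pod spec is immutable once created, so only create matters here.
        if _allows(rule, "", "pods", {"create"}):
            paths.add(("mount", "pods"))
        for resource, group in CONTROLLERS.items():
            if _allows(rule, group, resource, WRITE_VERBS):
                paths.add(("mount", resource))
        if _allows(rule, "", "pods/exec", {"create"}):
            paths.add(("exec", "pods/exec"))
    return sorted(paths)


# Constructed sample roles mirroring the slides (not from a real cluster).
POD_ONLY = [{"apiGroups": [""], "resources": ["pods"],
             "verbs": ["get", "list", "create", "delete"]}]
DEPLOY_ONLY = [{"apiGroups": ["apps"], "resources": ["deployments"],
                "verbs": ["create", "patch"]}]
DEBUGGER = [{"apiGroups": [""], "resources": ["pods", "pods/log"],
             "verbs": ["get", "list"]},
            {"apiGroups": [""], "resources": ["pods/exec"], "verbs": ["create"]}]
VIEWER = [{"apiGroups": ["", "apps"], "resources": ["pods", "deployments"],
           "verbs": ["get", "list", "watch"]}]
ADMIN = [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]

if __name__ == "__main__":
    for label, rules in [("pod-only", POD_ONLY), ("deploy-only", DEPLOY_ONLY),
                         ("debugger", DEBUGGER), ("viewer", VIEWER), ("admin", ADMIN)]:
        print(f"{label:12s} {find_secret_paths(rules) or 'no route to secrets'}")
```

Only the viewer role comes back clean; every role that can create pods, directly or through a controller, or exec into them, reaches the namespace's secrets. Namespaces are the boundary here: a pod created with these rights can only mount secrets from its own namespace, which is why the slide above splits super secrets and test secrets across namespaces.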
  33. “Am I building a backdoor?”

  34. Kubernetes dashboard is super useful!

  35. ...it also requires access to basically everything

  36. Don’t run Kubernetes dashboard in production!

  37. Metrics

  38. Logs

  39. None
  40. Helm = package manager for Kubernetes

  41. Packaging and distributing k8s resources; managing package (=chart) installations

  42. [diagram: kubectl talks to the Kubernetes cluster through RBAC and creates a Deployment and a Service]

  43. [diagram: helm fetches a chart from a helm repo and hands it to Tiller inside the Kubernetes cluster, which creates the Deployment and Service; the kubectl path goes through RBAC, the Tiller path has no RBAC]
  44. helm install stable/wordpress

  45. curl https://cool.io/install.sh | sudo bash

  46. Helm v3 will remove Tiller, and integrate with RBAC!

  47. Workarounds “Tillerless” Helm Don’t use Helm for installing things

  48. “Tillerless” Helm: [diagram: Tiller runs next to the helm client instead of inside the Kubernetes cluster, so the Deployment and Service are created through RBAC just like with kubectl] https://rimusz.net/tillerless-helm
  49. Don’t use Helm for installing things:

      helm template CHART --output-dir somedir
      kubectl apply -f somedir/
  50. curl https://cool.io/install.sh (Fetch) | sudo bash (Install)

  51. Host Helm charts in your own VCS
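Rendering a chart with `helm template` and applying it yourself only helps if somebody actually looks at the rendered output before `kubectl apply`. The following is an added example, not part of the talk or of Helm: a review pass over rendered manifests (as the dicts `yaml.safe_load_all` would return from `somedir/`) that flags the things from the checklist earlier in the deck that a chart can quietly bring in, such as a cluster-admin binding, privileged or host-namespaced containers, hostPath volumes, containers not forced to run as non-root, and images that are not pinned by digest. The two manifests below are constructed for the example; the digest in the hardened one is a placeholder, not a real image.

```python
"""Review rendered chart manifests before kubectl apply (added example)."""

# Where the pod spec lives inside each workload kind.
WORKLOAD_SPEC_PATH = {
    "Pod": ("spec",),
    "Deployment": ("spec", "template", "spec"),
    "StatefulSet": ("spec", "template", "spec"),
    "DaemonSet": ("spec", "template", "spec"),
    "ReplicaSet": ("spec", "template", "spec"),
    "Job": ("spec", "template", "spec"),
    "CronJob": ("spec", "jobTemplate", "spec", "template", "spec"),
}


def _dig(obj, path):
    """Walk nested dicts along `path`, returning None if any step is missing."""
    for key in path:
        if not isinstance(obj, dict):
            return None
        obj = obj.get(key)
    return obj


def _pod_issues(pod_spec):
    """Issues in one pod spec (from a Pod or a controller's template)."""
    issues = []
    if pod_spec.get("hostNetwork"):
        issues.append("hostNetwork")
    if pod_spec.get("hostPID"):
        issues.append("hostPID")
    for vol in pod_spec.get("volumes", []):
        if "hostPath" in vol:
            issues.append(f"hostPath volume {vol['hostPath'].get('path')}")
    pod_non_root = pod_spec.get("securityContext", {}).get("runAsNonRoot")
    for c in pod_spec.get("containers", []) + pod_spec.get("initContainers", []):
        sc = c.get("securityContext", {})
        if sc.get("privileged"):
            issues.append(f"privileged container {c.get('name')}")
        # runAsNonRoot makes the kubelet refuse to start a root container.
        if sc.get("runAsNonRoot") is not True and not pod_non_root:
            issues.append(f"container {c.get('name')} not forced non-root")
        image = c.get("image", "")
        if "@sha256:" not in image:
            issues.append(f"image {image} not pinned by digest")
    return issues


def review_manifests(docs):
    """Return (kind, name, issue) for every finding across the manifests."""
    findings = []
    for doc in docs:
        kind = doc.get("kind")
        name = doc.get("metadata", {}).get("name", "?")
        if kind == "ClusterRoleBinding" and doc.get("roleRef", {}).get("name") == "cluster-admin":
            findings.append((kind, name, "binds cluster-admin"))
        if kind in ("Role", "ClusterRole"):
            for rule in doc.get("rules", []):
                if "*" in rule.get("resources", []) and "*" in rule.get("verbs", []):
                    findings.append((kind, name, "wildcard resources and verbs"))
        if kind in WORKLOAD_SPEC_PATH:
            for issue in _pod_issues(_dig(doc, WORKLOAD_SPEC_PATH[kind]) or {}):
                findings.append((kind, name, issue))
    return findings


# Constructed output of a hypothetical chart: a harmless Service, a
# Deployment that grabs the host, and a binding to cluster-admin.
RENDERED = [
    {"apiVersion": "v1", "kind": "Service", "metadata": {"name": "blog"},
     "spec": {"ports": [{"port": 80}]}},
    {"apiVersion": "apps/v1", "kind": "Deployment", "metadata": {"name": "blog"},
     "spec": {"template": {"spec": {
         "hostNetwork": True,
         "volumes": [{"name": "host", "hostPath": {"path": "/"}}],
         "containers": [{"name": "agent", "image": "example.org/agent:latest",
                         "securityContext": {"privileged": True}}]}}}},
    {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "ClusterRoleBinding",
     "metadata": {"name": "blog-admin"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "ServiceAccount", "name": "blog", "namespace": "default"}]},
]

# The same Deployment with the findings addressed (placeholder digest).
HARDENED = {
    "apiVersion": "apps/v1", "kind": "Deployment", "metadata": {"name": "blog"},
    "spec": {"template": {"spec": {
        "securityContext": {"runAsNonRoot": True},
        "containers": [{"name": "blog",
                        "image": "example.org/blog@sha256:" + "0" * 64}]}}},
}

if __name__ == "__main__":
    for finding in review_manifests(RENDERED):
        print("%s/%s: %s" % finding)
    print("hardened:", review_manifests([HARDENED]) or "clean")
```

Run this over the directory produced by `helm template` and fail the pipeline on any finding; it is the Kubernetes equivalent of reading `install.sh` before piping it to `sudo bash`. Hosting the chart in your own VCS, as the slide above suggests, is what makes the review repeatable, because the rendered output then changes only when someone changes the chart.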

  52. Final words...

  53. Remember your threat model!

  54. Make sure the platform supports what you need!

  55. Security in Kubernetes is hard!

  56. Kubernetes is not for everyone

  57. Check out this book! https://kubernetes-security.info/