
Evolution of security strategies in K8s environments - All Day DevOps

jmortegac
October 29, 2023


Recent versions of K8s have changed how security strategies are defined for the access of users and developers to the cluster. Security contexts (securityContext) let you define access-control and privilege settings for a pod or container in a simple way, using keywords in the configuration files.
To make these security strategies easier to apply across the whole cluster, strategies such as the Pod Security Policy (PSP) emerged, where the cluster administrator defines the policies at cluster level so that developers can follow them.
Other interesting projects include Open Policy Agent (OPA), the main cloud-native authorization policy agent for creating policies and managing user permissions for access to applications.
The objective of this talk is to present the evolution that has taken place in security strategies, how we could use them together, and how they behave when resources are accessed. Among the points to be discussed we can highlight:
- Introduction to security strategies in K8s environments
- Pod Security Admission (PSA) vs Open Policy Agent (OPA)
- Combination of different security strategies together
- Access to resources in privileged and non-privileged mode

Transcript

  1. TRACK: DEVSECOPS
    OCTOBER 26, 2023
    Jose Manuel Ortega, OWASP
    Evolution of security
    strategies in K8s
    environments

  2. Agenda
    • Introduction to security strategies in K8s environments
    • Pod Security Admission (PSA) vs Open Policy Agent (OPA)
    • Combination of different security strategies together
    • Access to resources in privileged and non-privileged mode

  3. Introduction to security strategies in K8s environments
    • Cluster Hardening: Implement best practices for securing the Kubernetes cluster itself, including securing access to the API server, enabling RBAC (Role-Based Access Control), and using network policies to control communication between pods.
    • Pod Security Policies (PSP): Enforce security policies that define what a pod can and cannot do, including limiting privilege levels, host access, and running as non-root users.

  4. Introduction to security strategies in K8s environments
    • Secrets Management: Use Kubernetes Secrets to store sensitive information securely, such as API keys, passwords, or certificates.
    • Role-Based Access Control (RBAC): Define fine-grained access controls for users and service accounts to limit the scope of actions they can perform within the cluster.

  5. Introduction to security strategies in K8s environments
    • Limit Resource Consumption: Set resource quotas to limit the amount of CPU, memory, and other resources that can be consumed by pods, preventing resource exhaustion and potential denial-of-service attacks.
    • Pod Security Context: Use pod security context to define security settings at the pod level, such as user and group IDs, SELinux, and file system permissions.

  6. Introduction to security strategies in K8s environments
    |                | Security Contexts                                                      | RBAC (Role-Based Access Control)            |
    | Resource scope | Pods                                                                   | Pods, Nodes, cluster                        |
    | Actions        | Predefined capabilities                                                | RBAC policies                               |
    | Extensibility  | Via integrations with external frameworks, including SELinux and AppArmor | Can't use external tools to define policies. |

  7. Introduction to security strategies in K8s environments
    spec:
      securityContext:
        runAsUser: 1000
        fsGroup: 2000
        allowPrivilegeEscalation: false

  8. Introduction to security strategies in K8s environments
    apiVersion: v1
    kind: Pod
    metadata:
      name: scd-3
    spec:
      containers:
      - name: scd-3
        image: nginx
        securityContext:
          capabilities:
            add: ["NET_ADMIN","SYS_TIME"]

  9. Introduction to security strategies in K8s environments
    https://github.com/Shopify/kubeaudit

  10. Introduction to security strategies in K8s environments
    • PodSecurityPolicy has been deprecated since Kubernetes 1.21.

  11. Pod Security Admission (PSA)
    ● A new form of admission control, created with the understanding that Kubernetes users are probably going to seek external authorization.
    ● It can be deactivated partially or entirely to coexist with external admission controllers like OPA.
    ● KEP-2579: Pod Security Admission Control
    ● https://github.com/kubernetes/enhancements/blob/master/keps/sig-auth/2579-psp-replacement/README.md

  12. Pod Security Admission (PSA)
    ● Pod Security admission places requirements on a Pod's Security Context and other related fields according to the three levels defined by the Pod Security Standards: privileged, baseline, and restricted.
    ● spec.containers[*].ports
    ● spec.volumes[*].hostPath
    ● spec.securityContext
    ● spec.containers[*].securityContext

  13. Pod Security Admission (PSA)
    kind: Cluster
    apiVersion: kind.x-k8s.io/v1alpha4
    featureGates:
      PodSecurity: true
    nodes:
    - role: control-plane
    - role: worker

  14. Pod Security Admission (PSA)
    | Mode    | Description                                                                                                                  |
    | enforce | Policy violations will cause the pod to be rejected.                                                                         |
    | audit   | Policy violations will trigger the addition of an audit annotation to the event recorded in the audit log, but are otherwise allowed. |
    | warn    | Policy violations will trigger a user-facing warning, but are otherwise allowed.                                             |

  15. Pod Security Admission (PSA)
    $ kubectl label --dry-run=server --overwrite ns --all \
        pod-security.kubernetes.io/enforce=baseline
    Warning: kuard: privileged
    namespace/default labeled
    namespace/kube-node-lease labeled
    namespace/kube-public labeled
    Warning: kube-proxy-vxjwb: host namespaces, hostPath volumes, privileged
    Warning: kube-proxy-zxqzz: host namespaces, hostPath volumes, privileged
    Warning: kube-apiserver-kind-control-plane: host namespaces, hostPath volumes
    Warning: etcd-kind-control-plane: host namespaces, hostPath volumes
    Warning: kube-controller-manager-kind-control-plane: host namespaces, hostPath volumes
    Warning: kindnet-cl5ln: non-default capabilities, host namespaces, hostPath volumes
    Warning: kube-scheduler-kind-control-plane: host namespaces, hostPath volumes
    Warning: kindnet-6ptww: non-default capabilities, host namespaces, hostPath volumes
    namespace/kube-system labeled
    namespace/local-path-storage labeled

  16. Pod Security Admission (PSA)
    apiVersion: v1
    kind: Namespace
    metadata:
      name: test-ns
      labels:
        pod-security.kubernetes.io/enforce: baseline
        pod-security.kubernetes.io/audit: restricted
        pod-security.kubernetes.io/warn: restricted

  17. Pod Security Admission (PSA)
    apiVersion: v1
    kind: Pod
    metadata:
      name: nginx
    spec:
      containers:
      - image: nginx
        name: nginx
        ports:
        - containerPort: 80

  18. Pod Security Admission (PSA)
    $ kubectl apply -f pod.yaml
    Warning: would violate "latest" version of "restricted" PodSecurity profile:
    allowPrivilegeEscalation != false (container "nginx" must set
    securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container
    "nginx" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod
    or container "nginx" must set securityContext.runAsNonRoot=true), seccompProfile
    (pod or container "nginx" must set securityContext.seccompProfile.type to
    "RuntimeDefault" or "Localhost")
    pod/nginx created
    $ kubectl get pods
    NAME    READY   STATUS    RESTARTS   AGE
    nginx   1/1     Running   0          6s

  19. Pod Security Admission (PSA)
    {"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata",
     "auditID":"808ca159-914c-43fa-b4c8-dee5cb2fc440","stage":"ResponseComplete",
     "requestURI":"/api/v1/namespaces/default/pods?fieldManager=kubectl-create","verb":"create",
     "user":{"username":"kubernetes-admin","groups":["system:masters","system:authenticated"]},
     "sourceIPs":["172.18.0.1"],"userAgent":"kubectl/v1.22.0 (darwin/amd64) kubernetes/c2b5237",
     "objectRef":{"resource":"pods","namespace":"default","name":"nginx","apiVersion":"v1"},
     "responseStatus":{"metadata":{},"code":201},
     "requestReceivedTimestamp":"2023-08-21T03:30:26.605589Z","stageTimestamp":"2023-08-21T03:30:26.627123Z",
     "annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":"",
      "pod-security.kubernetes.io/audit":"allowPrivilegeEscalation != false (container \"nginx\" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container \"nginx\" must set securityContext.capabilities.drop=[\"ALL\"]), runAsNonRoot != true (pod or container \"nginx\" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container \"nginx\" must set securityContext.seccompProfile.type to \"RuntimeDefault\" or \"Localhost\")"}}

  20. Pod Security Admission (PSA)
    apiVersion: apiserver.config.k8s.io/v1
    kind: AdmissionConfiguration
    plugins:
    - name: PodSecurity
      configuration:
        apiVersion: pod-security.admission.config.k8s.io/v1alpha1
        kind: PodSecurityConfiguration
        defaults:
          enforce: "baseline"
          enforce-version: "latest"
          audit: "restricted"
          audit-version: "latest"
          warn: "restricted"
          warn-version: "latest"
        exemptions:
          usernames: []
          runtimeClassNames: []
          namespaces: [kube-system]

  21. Policy-as-code (PAC) solutions

  22.
    ● Policy agent for cloud-native authorization
    ● It provides a means of standardizing policy definition and management throughout the cloud-native technology stack.
    ● When combined with Kubernetes, OPA has the capability to enforce guardrails upon an entire system, requiring users' permissions to match policy at all times.

  23.
    ● Require specific labels on all resources.
    ● Require container images from the corporate image registry.
    ● Require all Pods specify resource requests and limits.
    ● Prevent conflicting Ingress objects from being created.

  24.

  25.
    https://play.openpolicyagent.org

  26.
    https://play.openpolicyagent.org

  27. Pod Security Admission (PSA) vs Open Policy Agent (OPA)
    | Pod Security Admission (PSA) | Open Policy Agent (OPA) |
    | Simplicity                   | Flexibility             |
    | Native Integration           | Customization           |
    | Performance                  | External Control        |
    | Limited Attack Surface       | Compliance              |

  28. Pod Security Admission (PSA) vs Open Policy Agent (OPA)
    ● Which users can access which resources?
    ● Which subnets egress traffic is allowed to?
    ● Which clusters a workload must be deployed to?
    ● Which registries images can be downloaded from?
    ● Which capabilities a container can execute with?
    ● Which times of day the system can be accessed at?

  29. Combination of different security strategies
    ● RBAC (Role-Based Access Control)
    ● PodSecurity Admission Controllers
    ● Network Policies
    ● Secrets Management
    ● Security Contexts
    ● Runtime Security

  30. Access to resources in privileged and non-privileged mode
    ● Privileged Mode
    ● Non-Privileged Mode*

  31. Access to resources in privileged and non-privileged mode
    ● Privileged Mode

  32. Access to resources in privileged and non-privileged mode
    ● Non-Privileged Mode

  33. Conclusions
    ● Security
    ● Functionality
    ● Isolation
    ● Attack Surface
    ● Principle of least privilege

  34.
    @jmortegac
    https://www.linkedin.com/in/jmortega1
    https://jmortega.github.io
    https://josemanuelortegablog.com

  35.