Segurança em Kubernetes

Transcript

1. Kubernetes Security Carol Valencia Devops Engineer

2. Agenda Overview Containers Kubernetes 2 Conclusion

3. 3 Figure (Wikimedia Infraestructure)

4. 4 Figure (https://blog.resellerspanel.com/web-hosting-platform/dirty-cow-linux-exploit-patched-successfully.html) Kernel exploits

5. 5 DoS Attacks Figure Botnet Command and Control server (http://bit.ly/2BKHFh7)

6. 6 Poisoned Images

7. 7 Container Breakouts Figure - RunC vulnerability in Ubuntu (https://kinvolk.io/blog/2019/02/runc-breakout-vulnerability-mitigated-on-flatcar-linux)

8. 8 Compromised Credentials Figure - Cyber Attacks Compromising (https://www.lookingpoint.com/blog/dark-web)

9. 9 Figure -(pensource security - 2019) 78% vulnerabilities in indirect

   dependencies 37% of open source developers no security testing in CI 54% docker image no security testing Top 10 docker images contain > 30 vulnerable system libraries

10. 10 Figure -(sre19emea - davis)

11. Containers 1 11

12. 12 Control what a process can SEE • PID •

    Mount • Network • UTS • IPS • User Namespaces Control what a process can USE Cgroups

13. 13 Linux Capabilities By default, a container own only 14

    of 37 capabilities Principle of Least Privilege

14. Container Security Public images ? Run as root ? defaults

    to root (uid=0) Admin capabilities ? 14 Private register Secure the Docker host Unprivileged users Read only filesystems Security Policies - syscall whitelist: SELinux, AppArmor, Seccomp-bpf.

15. Container Security 15 Remove SUID binaries or drop the SETUID

    capability Set User ID is a type of permission that allows users to execute a file with the permissions of a specified user. No --privileged containers Drop all capabilities then add needed caps Enable user namespaces Set resource limits and ulimits Mount volumes: ro, noexec, nosuid, nodev

16. Containers are not a sandbox 16 Legacy workloads in a

    cloud-native ? Kata, gVisor, Hyper RunV, KubeVirt Figure - gVisor (https://thenewstack.io/how-to-implement-secure-containers-using-googles-gvisor/)

17. Pod - Security Context 17 Admission controller

18. Pod Security Policy Admission controller 18

19. Tools ◉ Center for Internet Security (CIS) for Docker ◉

    Docker-bench-security ◉ Grafeas: audit and govern your software supply chain ◉ Sysdig: container troubleshooting and security investigation ◉ CoreOs / Clair: Vulnerability Static Analysis for Containers ◉ Aqua / Microscanner: Scan your container images for package vulnerabilities ◉ Capsule8: open-source cloud-native behavioral security monitoring 19

20. Architecting Container Infrastructure for Security And Compliance 20 Figure -

    https://www.xenonstack.com/blog/devsecops/

21. Cluster 2 21 Kubernetes

22. 22 Api Driven

23. Kubernetes Components 23 Figure by Improving your Kubernetes Workload Security

    with Hardware Virtualization

24. Kubernetes High-level Component Architecture 24 What Does “Production Ready” Really

    Mean for a Kubernetes Cluster? - Lucas Käldström

25. “ High System Complexity. Defaults are used first, as-is. 25

26. 26 Kubernetes Security Book - Liz Rice Possible Attacks

27. 27 CVE-2018-1002105 Privilege escalation flaw - Openshift. Tesla Crytomining hackers

28. 28 Kubernetes API

29. GKE 29 Api Server Firewall Kops

30. 30 Kubelet Config

31. 31 Allow Desired Traffic https://github.com/projectcalico/calico/tree/master/v3.5/getting-started/kubernetes/tutorials

32. 32 Network Policy Ingress Egress

33. 33 Best practices ◉ Hosts: Private topology / bastion ◉

    TLS Everywhere - for all API traffic ◉ Certificate rotation (1.8) ◉ Separate and Firewall etcd - Restrict access ◉ Authorization RBAC with Least Privilege ◉ Enable audit logging ◉ Upgrade cluster. ◉ Encrypting Secret Data at Rest (1.13): encrypted in etcd. AES-CBC, AES-GCM, KMS.

34. Tools ◉ Center for Internet Security (CIS) Benchmark for Kubernetes

    ◉ Aqua - kube-bench: Kubernetes is deployed according to security best practices ◉ Aqua - kube-hunter: hunts for security weaknesses in Kubernetes clusters ◉ K8Guard - An auditing system for Kubernetes ◉ Anchore : kubernetes-admission-controller 34

35. Authentication & Authorization Kubernetes 3 35

36. 36 Authorization and RBAC ClusterRole / Roles

37. 37 RBAC Reading access in a specific namespaces

38. 38 Users in Kubernetes • X.509 client certs • Password

    files • Bearer token webhook • Service Account • OpenID Connect (OIDC)

39. ◉ OIDC jwt ◉ Redhat / Keycloak open source identity

    ◉ Dexidp / dex OpenID Connect is based on OAuth 2.0. ◉ Aws iam authenticator - Heptio and Amazon EKS OSS Engineers. ◉ Hashicorp / vault-plugin-auth-kubernetes ◉ Appscode / Guard Kubernetes Authentication WebHook Server 39 Authentication Tools

40. Authorization Tools ◉ Liggitt / audit2rbac Autogenerate RBAC policies based

    on Kubernetes audit logs. ◉ FairwindsOps / Rbac-manager. A Kubernetes operator for Role Bindings and Service Accounts. ◉ Jtblin / kube2iam provides different AWS IAM roles for pods running on Kubernetes. 40

41. Admission Control 41 ◉ NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStor ageClass,DefaultTolerationSeconds,MutatingAdmissionWebh ook,ValidatingAdmissionWebhook,ResourceQuota ◉ Dynamic Admission

    Control ◉ Validating Admission Webhook: Grafeas, Anchore. ◉ Mutating Admission Webhook

42. Security Compliance Tools ◉ OpenSCAP - Open Source Security Content

    Automation Protocol ◉ Open Policy Agent / OPA. 42

43. Security Compliance Tools 43

44. Best practices 44 ◉ Disable anonymous authentication. ◉ Enabled RBAC

    ◉ Helm: TLS certificates ◉ Deny by default: RBAC, NetworkPolicy, PodSecurityPolicy ◉ Restrict service token use ◉ Use Third Party Auth for API Server

45. Secrets Kubernetes 4 45

46. Secrets Credentials, configurations, API keys … 46 Secrets are stored

    in plaintext in etcd, not encrypted.

47. Best practices Source code Dockerfiles / images Base64 is not

    encryption 47 RBAC limit read secrets 1.10 EncryptionConfiguration - Providers: identity, aesbc, secretbox, aesgcm, kms. Kube-apiserver --encryptation-provider-config=/etc/encryptation-config.yml ….

48. Dynamic Secrets 48 Figure Hashicorp vault - (https://learn.hashicorp.com/vault/identity-access-management/vault-agent-k8s )

49. 49 Vault Demo

50. 50 Figure - https://github.com/krol3/k8s-vaults/blob/master/hashicorp/pod-example.yml Vault • Secrets • Credentials •

    Security policies

51. Tools ◉ Hashicorp Vault ◉ CyberArk Conjur ◉ Aqua Secrets

    51

52. DevSecOps Reference Architectures 52 Figure - https://www.cloudbees.com/blog/uniting-devops-and-security-devsecops-government

53. How do you define “production ready” and “highly available” anyway?

    Can a cluster be created so that it’s secured from end-to-end, has no single points of failure, and is upgradable with zero control plane downtime? 53

54. Resources 54

55. Obrigada! Linkedin: linkedin.com/in/carolgv Github: krol3 [email protected] 55