Kubernetes Host Security

Transcript

1. Copyright @ 2018 Aqua Security Software Ltd. All Rights Reserved.

   Securing your Kubernetes hosts Liz Rice @lizrice | @aquasecteam

2. 2 Agenda n Kubernetes configuration for security n CIS benchmarks

   – testing the configuration n Penetration testing – testing for vulnerabilities

3. 6 Kubernetes configuration n Kubernetes components installed on your servers

   n Master & node components n Many configuration settings have a security impact n Example: open Kubelet port = root access n Defaults depend on the installer What config settings should I use?

4. 7 CIS Kubernetes Benchmark

5. 8 kube-bench n Open source automated tests for CIS Kubernetes

   Benchmark n Tests for Kubernetes Masters and Nodes n Available as a container github.com/aquasecurity/kube-bench

6. 9

7. 10 kube-bench n Job configuration YAML n Run regularly to

   ensure no configuration drift n Tests defined in YAML n Released code follows the CIS Benchmark n Modify for your own purposes github.com/aquasecurity/kube-bench

8. 11 Kubernetes & Docker CIS Benchmarks n Built into the

   Aqua CSP n Provides a scored report of the results n Can be scheduled to run daily

9. Kubernetes penetration testing

10. 13 kube-hunter n Open source penetration tests for Kubernetes n

    See what an attacker would see n github.com/aquasecurity/kube-hunter n Online report viewer n kube-hunter.aquasec.com How do I know the config is working to secure my cluster?

11. 14 kube-hunter.aquasec.com

12. 16

13. kube-hunter with kube-bench

14. 18

15. 19

16. 20

17. 21 Authored by Liz Rice from Aqua Security and Michael

    Hausenblas from Red Hat https://info.aquasec.com/kubernetes-security

18. 22 Security for containers & cloud native apps Open-source tools

    for Kubernetes security Find them on GitHub Q&A www.aquasec.com