Kubernetes Host Security

Liz Rice
October 25, 2018

Using kube-bench and kube-hunter to test the configuration of Kubernetes components in your deployment. Presented at the Kubernetes meetup at Wantedly, Tokyo.

Transcript

  1. Securing your Kubernetes hosts

    Liz Rice, @lizrice | @aquasecteam
    Copyright © 2018 Aqua Security Software Ltd. All Rights Reserved.
  2. Agenda

    - Kubernetes configuration for security
    - CIS benchmarks – testing the configuration
    - Penetration testing – testing for vulnerabilities
  3. Kubernetes configuration

    - Kubernetes components installed on your servers
    - Master & node components
    - Many configuration settings have a security impact
    - Example: open Kubelet port = root access
    - Defaults depend on the installer

    What config settings should I use?
  4. kube-bench

    - Open source automated tests for CIS Kubernetes Benchmark
    - Tests for Kubernetes Masters and Nodes
    - Available as a container
    - github.com/aquasecurity/kube-bench
  5. 9

  6. kube-bench

    - Job configuration YAML
    - Run regularly to ensure no configuration drift
    - Tests defined in YAML
    - Released code follows the CIS Benchmark
    - Modify for your own purposes
    - github.com/aquasecurity/kube-bench
  7. Kubernetes & Docker CIS Benchmarks

    - Built into the Aqua CSP
    - Provides a scored report of the results
    - Can be scheduled to run daily
  8. kube-hunter

    - Open source penetration tests for Kubernetes
    - See what an attacker would see
    - github.com/aquasecurity/kube-hunter
    - Online report viewer
    - kube-hunter.aquasec.com

    How do I know the config is working to secure my cluster?
  9. 16

  10. 18

  11. 19

  12. 20

  13. Authored by Liz Rice from Aqua Security and Michael Hausenblas from Red Hat

    https://info.aquasec.com/kubernetes-security
  14. Security for containers & cloud native apps

    - Open-source tools for Kubernetes security
    - Find them on GitHub
    - Q&A
    - www.aquasec.com
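
The kube-bench slide's advice to run the tests regularly so that configuration drift is caught, as an added example (not from the deck or the kube-bench project): it compares two saved plain-text reports and lists checks that passed before and no longer do. The `[PASS]`/`[FAIL]`/`[WARN]` line layout is assumed from kube-bench's text output; the check ids and both sample reports are constructed.

```python
import re

# One line per check in the plain-text report: "[STATUS] <id> <description>".
CHECK = re.compile(r"^\[(PASS|FAIL|WARN)\]\s+(\d+(?:\.\d+)+)\s+(.+)$")

def parse_report(text):
    """Return {check_id: (status, description)}; [INFO] section headers are skipped."""
    checks = {}
    for line in text.splitlines():
        m = CHECK.match(line.strip())
        if m:
            checks[m.group(2)] = (m.group(1), m.group(3))
    return checks

def find_drift(baseline, current):
    """List checks that passed in the baseline but no longer pass, or have vanished."""
    drift = []
    for check_id, (old, desc) in baseline.items():
        # A check missing from the new run is a silent gap, so report it too.
        new = current.get(check_id, ("MISSING", desc))[0]
        if old == "PASS" and new != "PASS":
            drift.append((check_id, old, new, desc))
    # Sort numerically so that 2.1.10 comes after 2.1.2.
    return sorted(drift, key=lambda d: tuple(int(p) for p in d[0].split(".")))

# Constructed sample reports (ids and results are illustrative, not real output).
BASELINE = """
[INFO] 2 Worker Node Security Configuration
[INFO] 2.1 Kubelet
[PASS] 2.1.1 Ensure that the --anonymous-auth argument is set to false (Scored)
[PASS] 2.1.2 Ensure that the --authorization-mode argument is not set to AlwaysAllow (Scored)
[FAIL] 2.1.3 Ensure that the --read-only-port argument is set to 0 (Scored)
[PASS] 2.1.10 Ensure that the --tls-cert-file argument is set as appropriate (Scored)
"""
CURRENT = """
[INFO] 2 Worker Node Security Configuration
[INFO] 2.1 Kubelet
[FAIL] 2.1.1 Ensure that the --anonymous-auth argument is set to false (Scored)
[PASS] 2.1.2 Ensure that the --authorization-mode argument is not set to AlwaysAllow (Scored)
[FAIL] 2.1.3 Ensure that the --read-only-port argument is set to 0 (Scored)
"""

if __name__ == "__main__":
    for cid, old, new, desc in find_drift(parse_report(BASELINE), parse_report(CURRENT)):
        print(f"DRIFT {cid}: {old} -> {new}  {desc}")
```

A check that was already failing in the baseline (2.1.3 here) is not reported as drift; it belongs in the regular failure report instead.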