
Kubernetes-native security with Starboard

Liz Rice
January 01, 2021


Transcript

  1. © 2020 Aqua Security Software Ltd., All Rights Reserved
     Kubernetes-native security with Starboard
     Liz Rice & Daniel Pacak, Open Source Engineering, Aqua Security
     @lizrice @d_pacak

  2. Starboard – motivation (diagram): a developer ("Dave Loper") works with Kubernetes resources (pods, deployments, statefulsets, daemonsets) through kubectl and the Dashboard, both talking to the Kubernetes API; the security tools (image vulnerabilities, CIS benchmarks, config auditing, pen testing) are drawn as a separate group outside the cluster.

  3. Starboard – brings security reports into Kubernetes (diagram): the same picture, with Starboard running the security tools and writing their results into the cluster as custom resources (vulnerabilityreports, ciskubebenchreports, configauditreports, kubehunterreports) that the developer reads with kubectl and the Dashboard through the Kubernetes API.

  4. Starboard CLI demo

  5. Starboard operator – automation (diagram): as on slide 3, with the Starboard operator generating the reports (vulnerabilityreports, ciskubebenchreports, configauditreports, kubehunterreports) automatically rather than on each CLI invocation.

  6. Starboard operator demo

  7. Starboard design decisions

  8. Design (diagram): a Resource and its Security report, with the question "What security issues are there for this resource?" The report is labelled Resource type = pod, Resource name = my-app, and an owner arrow points from the report back to the resource.

  9. Design (diagram): the same picture, adding that the report's name is derived from the Resource name.

  10. Design (diagram): a namespace box is drawn around the Resource and its Security report, so the report lives in the resource's own namespace.

  11. Design (diagram): a separate "starboard" namespace holds the Scan job that produces the Security report for the Resource in its namespace.

  12. Workload hierarchy (diagram): a Deployment owns ReplicaSets, which own Pods running app-image:1.3 (abbreviated image:1.3 in places); an Unmanaged pod runs other-image:2.0. Question: "What security issues are there for my workloads?"

  13. Workload hierarchy (diagram): the same hierarchy, with one "Vuln report some-image:2.0" box added.

  14. Workload hierarchy (diagram): the same hierarchy, now with four "Vuln report some-image:2.0" boxes, one per scanned object.

  15. Workload hierarchy (diagram): the same hierarchy with two Vuln report boxes, one labelled some-image:2.0 and one unlabelled.

  16. Workload hierarchy (diagram): the Deployment now also owns a second ReplicaSet and a Pod running app-image:1.6 (a new rollout) alongside the app-image:1.3 ones; the Unmanaged pod (other-image:2.0) and the two Vuln report boxes are unchanged.

  17. Workload hierarchy (diagram): the same objects (the Unmanaged pod now labelled some-image:2.0), with one Vuln report per image in use: some-image:2.0, app-image:1.6 and app-image:1.3.

  18. Workload hierarchy (diagram): Deployment → ReplicaSets → Pods (image:1.3) → Vuln report. Question: "What vulnerabilities are in my deployment?"
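Slides 12 to 18 show the design problem in pictures: reports are attached to the image a Pod runs, while the question is asked of a Deployment that only reaches its images through ReplicaSets. The following Go program is an added example, not Starboard's own code, that works through that resolution on an in-memory model: it walks owner references from a Deployment down to Pods, collects the distinct images, joins them against a report store keyed by image, and reports images that have no report yet (such as app-image:1.6 right after a rollout) as unscanned instead of silently treating them as clean. The `Object`, `Cluster` and `Findings` types, the `demoCluster` scenario and the vulnerability IDs are all constructed for this example.

```go
package main

import (
	"fmt"
	"sort"
)

// OwnerRef stands in for metadata.ownerReferences: the controller that created
// an object (a ReplicaSet for a Pod, a Deployment for a ReplicaSet).
type OwnerRef struct {
	Kind string
	Name string
}

// Object is a Deployment, ReplicaSet or Pod. Only Pods carry container images;
// higher-level objects are resolved to Pods through owner references.
type Object struct {
	Kind   string
	Name   string
	Owner  *OwnerRef // nil for Deployments and for unmanaged Pods
	Images []string  // container image references (Pods only)
}

// Vulnerability is one finding in a vulnerability report.
type Vulnerability struct {
	ID       string
	Severity string
}

// Cluster is an in-memory stand-in for the Kubernetes API: the objects plus the
// reports already produced, keyed by image reference so that every Pod or
// ReplicaSet running the same image shares one report.
type Cluster struct {
	Objects []Object
	Reports map[string][]Vulnerability
}

// podsOwnedBy walks owner references downward from (kind, name) until it
// reaches Pods, so a Deployment resolves through all of its ReplicaSets.
func (c *Cluster) podsOwnedBy(kind, name string) []Object {
	var pods []Object
	for _, o := range c.Objects {
		if o.Owner == nil || o.Owner.Kind != kind || o.Owner.Name != name {
			continue
		}
		if o.Kind == "Pod" {
			pods = append(pods, o)
			continue
		}
		pods = append(pods, c.podsOwnedBy(o.Kind, o.Name)...)
	}
	return pods
}

// ImagesFor answers "which images does this workload run?" at any level of the
// hierarchy, returning each image once, sorted for stable output.
func (c *Cluster) ImagesFor(kind, name string) []string {
	var pods []Object
	if kind == "Pod" {
		for _, o := range c.Objects {
			if o.Kind == "Pod" && o.Name == name {
				pods = append(pods, o)
			}
		}
	} else {
		pods = c.podsOwnedBy(kind, name)
	}
	seen := map[string]bool{}
	for _, p := range pods {
		for _, img := range p.Images {
			seen[img] = true
		}
	}
	images := make([]string, 0, len(seen))
	for img := range seen {
		images = append(images, img)
	}
	sort.Strings(images)
	return images
}

// Findings answers "what vulnerabilities are in my deployment?": the per-image
// reports that exist, and the images still waiting for a scan.
type Findings struct {
	Reported  map[string][]Vulnerability
	Unscanned []string
}

// VulnerabilitiesFor joins the workload's images against the report store. An
// image without a report (e.g. one just rolled out in a new ReplicaSet) is
// listed as unscanned rather than reported as having no findings.
func (c *Cluster) VulnerabilitiesFor(kind, name string) Findings {
	f := Findings{Reported: map[string][]Vulnerability{}}
	for _, img := range c.ImagesFor(kind, name) {
		if vulns, ok := c.Reports[img]; ok {
			f.Reported[img] = vulns
		} else {
			f.Unscanned = append(f.Unscanned, img)
		}
	}
	return f
}

// ScanJobCommand is the command a scan Job would run for an unscanned image,
// following the `trivy <image>` shape shown on slide 21.
func ScanJobCommand(image string) []string {
	return []string{"trivy", image}
}

// demoCluster builds the constructed scenario from the slides: a Deployment
// rolled from app-image:1.3 to app-image:1.6 plus an unmanaged Pod. The
// vulnerability IDs are constructed placeholders, not real CVEs.
func demoCluster() *Cluster {
	dep := &OwnerRef{Kind: "Deployment", Name: "my-app"}
	rs1 := &OwnerRef{Kind: "ReplicaSet", Name: "my-app-7c9d"}
	rs2 := &OwnerRef{Kind: "ReplicaSet", Name: "my-app-b4f1"}
	return &Cluster{
		Objects: []Object{
			{Kind: "Deployment", Name: "my-app"},
			{Kind: "ReplicaSet", Name: rs1.Name, Owner: dep},
			{Kind: "Pod", Name: rs1.Name + "-x1", Owner: rs1, Images: []string{"app-image:1.3"}},
			{Kind: "ReplicaSet", Name: rs2.Name, Owner: dep},
			{Kind: "Pod", Name: rs2.Name + "-y1", Owner: rs2, Images: []string{"app-image:1.6"}},
			{Kind: "Pod", Name: "unmanaged", Images: []string{"other-image:2.0"}},
		},
		Reports: map[string][]Vulnerability{
			"app-image:1.3":   {{ID: "CVE-0000-0001 (constructed)", Severity: "HIGH"}},
			"other-image:2.0": {{ID: "CVE-0000-0002 (constructed)", Severity: "CRITICAL"}},
			// app-image:1.6 has no report yet: it was just rolled out.
		},
	}
}

func main() {
	c := demoCluster()
	f := c.VulnerabilitiesFor("Deployment", "my-app")
	for img, vulns := range f.Reported {
		fmt.Printf("%s: %d finding(s)\n", img, len(vulns))
	}
	for _, img := range f.Unscanned {
		fmt.Printf("%s: no report yet, scan job would run %v\n", img, ScanJobCommand(img))
	}
}
```

Keying the report store by image rather than by Pod is what keeps slide 14's four copies of the same report from appearing: all Pods of one ReplicaSet resolve to the same entry. The unscanned list is the hook for the operator: each entry is an image for which a scan Job still has to be created.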

  19. Starboard hierarchy demo

  20. Extending Starboard

  21. Pluggable vulnerability scanners (diagram): from the workload (Kind: Deployment, Name: my-app, Image: some-image:2.0) Starboard takes the PodTemplateSpec and builds the PodSpec of a scan Job (Kind: Job, Name: efavbs-d21..., Namespace: starboard-operator) running Image: aquasec/trivy:0.11.0 with Command: trivy some-image:2.0; a Trivy output converter turns the job's output into a VulnerabilityReport (Kind: VulnerabilityReport, Name: deployment-my-app-some-container).
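Slide 21 describes a two-step plugin: decide what the scan Job runs, then convert the tool's output into a common report. Slide 22 names a VulnerabilityScanner interface but its definition is not captured on the page, so the Go program below is an added example with an assumed contract, not Starboard's real interface or converter. It implements a Trivy plugin with the scanner image and command from slide 21, parses a constructed Trivy-style JSON result (the field names follow Trivy's JSON report; the CVE IDs are placeholders) into the common shape, rejects undecodable output, and derives the report name in the form slide 21 shows. The `JobSpec`, `trivyScanner` and `ReportName` names are this example's own.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Vulnerability is one finding in the common report shape that every plugin
// converts its tool's output into.
type Vulnerability struct {
	ID               string
	Severity         string
	InstalledVersion string
	FixedVersion     string // empty when no fixed version is known
}

// JobSpec is the part of the scan Job a plugin decides: which scanner image to
// run, in which namespace, and with what command.
type JobSpec struct {
	Namespace string
	Image     string
	Command   []string
}

// VulnerabilityScanner is the plugin contract assumed here (the slide names a
// VulnerabilityScanner interface but does not show it): build the scan job for
// an image, then convert the tool's raw output into the common shape.
type VulnerabilityScanner interface {
	GetScanJobSpec(image string) JobSpec
	ParseOutput(raw []byte) ([]Vulnerability, error)
}

// trivyScanner implements the contract with the scanner image and command
// shown on slide 21.
type trivyScanner struct{}

func (trivyScanner) GetScanJobSpec(image string) JobSpec {
	return JobSpec{
		Namespace: "starboard-operator",
		Image:     "aquasec/trivy:0.11.0",
		Command:   []string{"trivy", image},
	}
}

// trivyResult mirrors the subset of Trivy's JSON report consumed here: an
// array of targets, each with a list of vulnerabilities.
type trivyResult struct {
	Target          string `json:"Target"`
	Vulnerabilities []struct {
		VulnerabilityID  string `json:"VulnerabilityID"`
		Severity         string `json:"Severity"`
		InstalledVersion string `json:"InstalledVersion"`
		FixedVersion     string `json:"FixedVersion"`
	} `json:"Vulnerabilities"`
}

// ParseOutput is the "Trivy output converter": it flattens every target's
// findings into the common shape and rejects output it cannot decode.
func (trivyScanner) ParseOutput(raw []byte) ([]Vulnerability, error) {
	var results []trivyResult
	if err := json.Unmarshal(raw, &results); err != nil {
		return nil, fmt.Errorf("trivy output: %w", err)
	}
	var out []Vulnerability
	for _, r := range results {
		for _, v := range r.Vulnerabilities {
			out = append(out, Vulnerability{
				ID:               v.VulnerabilityID,
				Severity:         v.Severity,
				InstalledVersion: v.InstalledVersion,
				FixedVersion:     v.FixedVersion,
			})
		}
	}
	return out, nil
}

// ReportName follows the naming shown on slide 21
// (deployment-my-app-some-container): workload kind, workload name, container.
func ReportName(kind, workload, container string) string {
	return strings.ToLower(kind) + "-" + workload + "-" + container
}

// sampleTrivyOutput is constructed for this example; the IDs are placeholders.
const sampleTrivyOutput = `[{"Target":"some-image:2.0 (alpine 3.12.0)","Vulnerabilities":[
 {"VulnerabilityID":"CVE-0000-0001","Severity":"HIGH","InstalledVersion":"1.1.1g-r0","FixedVersion":"1.1.1h-r0"},
 {"VulnerabilityID":"CVE-0000-0002","Severity":"MEDIUM","InstalledVersion":"2.31-r0","FixedVersion":""}]}]`

func main() {
	var s VulnerabilityScanner = trivyScanner{}
	spec := s.GetScanJobSpec("some-image:2.0")
	fmt.Printf("job in %s runs %s %v\n", spec.Namespace, spec.Image, spec.Command)
	vulns, err := s.ParseOutput([]byte(sampleTrivyOutput))
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("%s: %d finding(s)\n", ReportName("Deployment", "my-app", "some-container"), len(vulns))
}
```

Swapping in another scanner means providing a second implementation of the same two methods; the caller that creates the Job and writes the VulnerabilityReport does not change, which is the point of the converter sitting behind the interface.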

  22. VulnerabilityScanner interface

  23. (no slide text captured)

  24. (no slide text captured)

  25. Starboard future

  26. Fully pluggable security reporting (diagram): the slide 5 picture (K8s resources now listing pods and replicasets), with a Starboard ConfigMap declaring Scanners as a list of entries, each with Tool, Resource and Report fields, so that "some other security tool" can contribute its reports alongside the built-in vulnerabilityreports, ciskubebenchreports, configauditreports and kubehunterreports.

  27. "What are the most important security issues in my cluster?": kubectl starboard summary

  28. github.com/aquasecurity/starboard