
Kubernetes-native security with Starboard

Liz Rice
January 01, 2021


Transcript

  1. Kubernetes-native security with Starboard
     Liz Rice & Daniel Pacak, Open Source Engineering, Aqua Security (@lizrice @d_pacak)
     © 2020 Aqua Security Software Ltd., All Rights Reserved
  2. Starboard – motivation (diagram)
     Dave Loper, a developer, works with K8s resources (pods, deployments, statefulsets, daemonsets) through kubectl, the Kubernetes Dashboard and the Kubernetes API. The security tools (image vulnerabilities, CIS benchmarks, config auditing, pen testing) produce their results outside those resources.

  3. Starboard – brings security reports into Kubernetes (diagram)
     The same security tools now write their results into the cluster as custom resources: vulnerabilityreports (image vulnerabilities), ciskubebenchreports (CIS benchmarks), configauditreports (config auditing) and kubehunterreports (pen testing). Dave Loper reads them next to pods, deployments, statefulsets and daemonsets with kubectl, the Dashboard or the Kubernetes API.

  4. Starboard CLI demo

  5. Starboard operator – automation (diagram)
     Same picture as slide 3, with the Starboard operator generating the report resources automatically instead of a user running the CLI.

  6. Starboard operator demo

  7. Starboard design decisions

  8. What security issues are there for this resource? (diagram)
     A security report is tied to the resource it describes: resource type = pod, resource name = my-app.

  9. The report records the resource type and resource name and lists the resource as its owner (ownerReference), so the report can be found from the resource and is garbage-collected with it.

  10. The report lives in the same namespace as the resource.

  11. The report is produced by a starboard scan job running in that namespace.
  12. What security issues are there for my workloads? (diagram)
      A Deployment owns a ReplicaSet (app-image:1.3), which owns the Pods running app-image:1.3. Next to it runs an unmanaged pod (some-image:2.0) with no controller.

  13. A vuln report for some-image:2.0 is attached to the unmanaged pod.

  14. Attaching a vuln report to every pod would repeat the same some-image:2.0 report once per replica of the same image.

  15. Instead there is one vuln report per workload image.

  16. The Deployment is updated to app-image:1.6: a new ReplicaSet owns Pods running app-image:1.6, while the old ReplicaSet (app-image:1.3) is kept.

  17. Each ReplicaSet gets the vuln report for its own image (app-image:1.3, app-image:1.6); the unmanaged pod keeps its some-image:2.0 report.

  18. What vulnerabilities are in my deployment? Follow the Deployment to its ReplicaSets and read their vuln reports.
  19. Starboard hierarchy demo

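The ownership rules sketched on slides 8 to 18, worked through as an added Go example (my own illustration, not Starboard's code): a pod's scan results attach to the pod's controller rather than to each pod, the report is named <kind>-<name>-<container> and carries the owner and resource labels, and a Deployment's vulnerabilities are collected by following ownerReferences to its ReplicaSets. The Object and VulnReport structs, the starboard.resource.* label keys, the object names and the cluster scenario are simplified stand-ins assumed for the example.

```go
package main

import (
	"fmt"
	"strings"
)

// OwnerRef stands in for metav1.OwnerReference (kind and name only).
type OwnerRef struct{ Kind, Name string }

// Object stands in for a Deployment, ReplicaSet or Pod: one container image and
// an optional controller owner (nil for the unmanaged pod on the slide).
type Object struct {
	Kind, Name, Namespace string
	Image, Container      string    // Image is empty for the Deployment itself
	Owner                 *OwnerRef // controller ownerReference
}

// VulnReport stands in for a vulnerabilityreport object: labelled with, and owned by,
// the resource it covers. The starboard.resource.* label keys are assumed here.
type VulnReport struct {
	Name   string
	Labels map[string]string
	Owner  OwnerRef
	Image  string
}

// ReportTarget picks the object a pod's scan attaches to: its controller when it has
// one, so every replica of an image shares a single report; the pod itself otherwise.
func ReportTarget(pod Object, objs []Object) Object {
	if pod.Owner != nil {
		for _, o := range objs {
			if o.Kind == pod.Owner.Kind && o.Name == pod.Owner.Name {
				return o
			}
		}
	}
	return pod
}

// ReportName follows the <kind>-<name>-<container> pattern from slide 21.
func ReportName(t Object) string {
	return strings.ToLower(t.Kind + "-" + t.Name + "-" + t.Container)
}

// BuildReports emits one report per target, never one per pod (slide 14 vs 15).
func BuildReports(objs []Object) []VulnReport {
	seen := map[string]bool{}
	var reports []VulnReport
	for _, o := range objs {
		if o.Kind != "Pod" {
			continue
		}
		t := ReportTarget(o, objs)
		name := ReportName(t)
		if seen[name] {
			continue
		}
		seen[name] = true
		reports = append(reports, VulnReport{
			Name: name,
			Labels: map[string]string{"starboard.resource.kind": t.Kind,
				"starboard.resource.name": t.Name, "starboard.resource.namespace": t.Namespace},
			Owner: OwnerRef{t.Kind, t.Name},
			Image: t.Image,
		})
	}
	return reports
}

// ReportsForDeployment answers slide 18: Deployment -> its ReplicaSets (ownerReferences)
// -> their reports (owner). Old ReplicaSets kept by the rollout history are included.
func ReportsForDeployment(dep string, objs []Object, reports []VulnReport) []VulnReport {
	var out []VulnReport
	for _, rs := range objs {
		if rs.Kind != "ReplicaSet" || rs.Owner == nil || *rs.Owner != (OwnerRef{"Deployment", dep}) {
			continue
		}
		for _, r := range reports {
			if r.Owner == (OwnerRef{"ReplicaSet", rs.Name}) {
				out = append(out, r)
			}
		}
	}
	return out
}

// SlideScenario is the constructed cluster of slides 12-18 (object names are made up):
// my-app rolled from app-image:1.3 to app-image:1.6, plus one unmanaged pod.
func SlideScenario() []Object {
	dep := &OwnerRef{"Deployment", "my-app"}
	rs13, rs16 := &OwnerRef{"ReplicaSet", "my-app-1"}, &OwnerRef{"ReplicaSet", "my-app-2"}
	return []Object{
		{Kind: "Deployment", Name: "my-app", Namespace: "default", Container: "app"},
		{Kind: "ReplicaSet", Name: "my-app-1", Namespace: "default", Image: "app-image:1.3", Container: "app", Owner: dep},
		{Kind: "ReplicaSet", Name: "my-app-2", Namespace: "default", Image: "app-image:1.6", Container: "app", Owner: dep},
		{Kind: "Pod", Name: "my-app-1-aaaa", Namespace: "default", Image: "app-image:1.3", Container: "app", Owner: rs13},
		{Kind: "Pod", Name: "my-app-1-bbbb", Namespace: "default", Image: "app-image:1.3", Container: "app", Owner: rs13},
		{Kind: "Pod", Name: "my-app-2-cccc", Namespace: "default", Image: "app-image:1.6", Container: "app", Owner: rs16},
		{Kind: "Pod", Name: "other", Namespace: "default", Image: "some-image:2.0", Container: "some-container"},
	}
}

func main() {
	objs := SlideScenario()
	reports := BuildReports(objs)
	for _, r := range reports {
		fmt.Printf("%-30s %-16s owner %s/%s\n", r.Name, r.Image, r.Owner.Kind, r.Owner.Name)
	}
	for _, r := range ReportsForDeployment("my-app", objs, reports) {
		fmt.Println("my-app deployment image:", r.Image)
	}
}
```

Two pods of the old ReplicaSet yield a single replicaset-my-app-1-app report, the rolled ReplicaSet gets its own, and the unmanaged pod is its own target; the Deployment query returns both ReplicaSet reports, because the old ReplicaSet still exists until the rollout history is pruned.
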
  20. Extending Starboard

  21. Pluggable vulnerability scanners (diagram)
      Input: Kind: Deployment, Name: my-app, Image: some-image:2.0 (taken from its PodSpec).
      Starboard creates a scan Job (Kind: Job, Name: efavbs-d21..., Namespace: starboard-operator) whose PodTemplateSpec runs Image: aquasec/trivy:0.11.0 with Command: trivy some-image:2.0.
      A Trivy output converter turns the job's output into Kind: VulnerabilityReport, Name: deployment-my-app-some-container.

  22. VulnerabilityScanner interface

  23. [slide text not captured]

  24. [slide text not captured]

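The pipeline on slide 21, as an added Go example that is not the project's own code: a VulnerabilityScanner interface (an illustrative shape, not the one shown on slide 22), a Trivy implementation that supplies the scan job's image and command and converts Trivy-style JSON into report entries, and a report builder that names and labels the result deployment-my-app-some-container and tallies severities. The report field names, the starboard.* label keys, the Trivy flag set and the JSON layout are assumptions for this example, and the Trivy output is constructed sample data, not a real scan.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"strings"
)

// ScanJobSpec stands in for the PodTemplateSpec of the scan Job (image plus command).
type ScanJobSpec struct {
	Image   string
	Command []string
}

// Vulnerability, Summary and VulnerabilityReport are simplified stand-ins for the
// fields of a vulnerabilityreport object; the field names are assumed, not Starboard's.
type Vulnerability struct {
	VulnerabilityID, Resource, InstalledVersion, FixedVersion, Severity, Title, PrimaryLink string
}

type Summary struct{ Critical, High, Medium, Low, Unknown int }

type VulnerabilityReport struct {
	Name, Namespace string
	Labels          map[string]string
	Scanner, Image  string
	Summary         Summary
	Vulnerabilities []Vulnerability
}

// VulnerabilityScanner is the pluggable seam: how to run the tool as a Job against an
// image, and how to convert that Job's output into report entries.
type VulnerabilityScanner interface {
	JobSpec(image string) ScanJobSpec
	Convert(image string, output io.Reader) ([]Vulnerability, error)
}

type trivyScanner struct{ Version string }

// JobSpec runs Trivy in JSON mode; the exact flag set is an assumption for this example.
func (t trivyScanner) JobSpec(image string) ScanJobSpec {
	return ScanJobSpec{
		Image:   "aquasec/trivy:" + t.Version,
		Command: []string{"trivy", "--quiet", "--format", "json", "--no-progress", image},
	}
}

// trivyResult follows the layout of Trivy 0.11's JSON output as assumed here: an
// array of targets, each with its own Vulnerabilities list.
type trivyResult struct {
	Target          string
	Vulnerabilities []struct {
		VulnerabilityID, PkgName, InstalledVersion, FixedVersion, Severity, Title, PrimaryURL string
	}
}

// Convert is the "Trivy output converter" box on the slide.
func (trivyScanner) Convert(image string, output io.Reader) ([]Vulnerability, error) {
	var results []trivyResult
	if err := json.NewDecoder(output).Decode(&results); err != nil {
		return nil, fmt.Errorf("parse trivy output for %s: %w", image, err)
	}
	var vulns []Vulnerability
	for _, r := range results {
		for _, v := range r.Vulnerabilities {
			vulns = append(vulns, Vulnerability{v.VulnerabilityID, v.PkgName, v.InstalledVersion,
				v.FixedVersion, v.Severity, v.Title, v.PrimaryURL})
		}
	}
	return vulns, nil
}

// BuildReport names and labels the report after the scanned resource
// (deployment-my-app-some-container on the slide) and counts severities.
func BuildReport(kind, name, ns, container, image, scanner string, vulns []Vulnerability) VulnerabilityReport {
	r := VulnerabilityReport{
		Name: strings.ToLower(kind + "-" + name + "-" + container), Namespace: ns,
		Labels: map[string]string{"starboard.resource.kind": kind, "starboard.resource.name": name,
			"starboard.resource.namespace": ns, "starboard.container.name": container},
		Scanner: scanner, Image: image, Vulnerabilities: vulns,
	}
	for _, v := range vulns {
		switch v.Severity {
		case "CRITICAL":
			r.Summary.Critical++
		case "HIGH":
			r.Summary.High++
		case "MEDIUM":
			r.Summary.Medium++
		case "LOW":
			r.Summary.Low++
		default:
			r.Summary.Unknown++
		}
	}
	return r
}

// SampleTrivyOutput is constructed sample data in Trivy's JSON layout, not a real scan.
const SampleTrivyOutput = `[{"Target":"some-image:2.0 (alpine 3.10.2)","Type":"alpine","Vulnerabilities":[
{"VulnerabilityID":"EXAMPLE-0001","PkgName":"openssl","InstalledVersion":"1.1.1c-r0","FixedVersion":"1.1.1d-r0","Severity":"HIGH","Title":"constructed","PrimaryURL":"https://example.invalid/EXAMPLE-0001"},
{"VulnerabilityID":"EXAMPLE-0002","PkgName":"musl","InstalledVersion":"1.1.22-r3","FixedVersion":"","Severity":"MEDIUM","Title":"constructed"},
{"VulnerabilityID":"EXAMPLE-0003","PkgName":"busybox","InstalledVersion":"1.30.1-r2","FixedVersion":"1.30.1-r3","Severity":"HIGH","Title":"constructed"}]}]`

// ScanFromSample runs the whole pipeline for Deployment my-app / container some-container.
func ScanFromSample(s VulnerabilityScanner) (VulnerabilityReport, error) {
	vulns, err := s.Convert("some-image:2.0", strings.NewReader(SampleTrivyOutput))
	if err != nil {
		return VulnerabilityReport{}, err
	}
	return BuildReport("Deployment", "my-app", "default", "some-container", "some-image:2.0", "Trivy", vulns), nil
}

func main() {
	s := trivyScanner{Version: "0.11.0"}
	fmt.Println(strings.Join(s.JobSpec("some-image:2.0").Command, " "))
	rep, err := ScanFromSample(s)
	if err != nil {
		panic(err)
	}
	fmt.Printf("%s: %+v\n", rep.Name, rep.Summary)
}
```

Swapping in another scanner means providing a second VulnerabilityScanner whose JobSpec runs that tool and whose Convert parses its output; BuildReport and the report's naming and labelling stay the same, which is the point of keeping the converter behind the interface.
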
  25. Starboard future

  26. Fully pluggable security reporting (diagram)
      Same picture as slide 3, plus a Starboard ConfigMap listing scanners (- Tool: / Resource: / Report: ...), so that some other security tool can publish its own <other>reports alongside kubehunterreports, vulnerabilityreports, ciskubebenchreports and configauditreports.

  27. What are the most important security issues in my cluster?
      kubectl starboard summary <namespace>

  28. github.com/aquasecurity/starboard