Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Kubernetes-native security with Starboard

Liz Rice
January 01, 2021
Programming
0
160

Kubernetes-native security with Starboard

Liz Rice

January 01, 2021
Tweet

More Decks by Liz Rice

See All by Liz Rice
Unleashing the kernel with eBPF
lizrice
0
73
eBPF's Abilities and Limitations: The Truth
lizrice
0
110
Simplifying multi-cloud and multi-cluster Kubernetes deployments with Cilium
lizrice
0
63
When is a Secure Connection not encrypted? And other stories
lizrice
1
44
Keeping it simple: Cilium Mesh - networking for multi-cloud Kubernetes and beyond
lizrice
1
510
How Many Proxies Do You Need
lizrice
1
110
eBPF for Security Observability
lizrice
0
1.1k
Beginner's Guide to eBPF Programming for Networking
lizrice
1
2.1k
Contributing to Open Source - what's in it for my business?
lizrice
0
37

Other Decks in Programming

See All in Programming
Activities at Cairo Library
cairolibrary720
0
1.2k
Webエディタライブラリ 「CodeMirror」から学ぶ Webアプリ開発のテクニック
ryosukeigarashi
0
250
GraphQL はいいぞ! ~Laravel で学ぶ GraphQL 入門~
azuki
1
160
Jetpack for KMP
fornewid
1
290
「2024年版 Kotlin サーバーサイドプログラミング実践開発」の補講 〜O/Rマッパー編〜
n_takehata
2
260
CSC307 Lecture 07
javiergs
PRO
0
220
なぜ宣言的 UI は壊れにくいのか / Why declarative UI is less fragile
uenitty
29
13k
大規模マルチテナントを解決するYugabyteDBという選択肢
nnaka2992
1
250
Folding Cheat Sheet #7
philipschwarz
PRO
0
150
I/O Extended Android in Korea 2024 ~ Whats new in Android development tools
pluu
0
250
Introduction to GitOps
hwchiu
0
110
CSC307 Lecture 06
javiergs
PRO
0
360

Featured

See All Featured
Helping Users Find Their Own Way: Creating Modern Search Experiences
danielanewman
26
2.1k
Unsuck your backbone
ammeep
666
57k
Adopting Sorbet at Scale
ufuk
71
8.8k
Art, The Web, and Tiny UX
lynnandtonic
291
20k
Statistics for Hackers
jakevdp
792
220k
Thoughts on Productivity
jonyablonski
64
4.1k
BBQ
matthewcrist
82
9k
GraphQLの誤解/rethinking-graphql
sonatard
59
9.6k
Save Time (by Creating Custom Rails Generators)
garrettdimon
PRO
13
430
Java REST API Framework Comparison - PWX 2021
mraible
PRO
20
7.2k
What the flash - Photography Introduction
edds
65
11k
Visualizing Your Data: Incorporating Mongo into Loggly Infrastructure
mongodb
36
9.1k

Transcript

  1. © 2020 Aqua Security Software Ltd., All Rights Reserved Kubernetes-native

    security with Starboard Liz Rice & Daniel Pacak Open Source Engineering, Aqua Security @lizrice @d_pacak

  2. @lizrice @d_pacak Kubernetes K8s resources Starboard – motivation Dave Loper

    pods deployments statefulsets daemonsets Security tools Image vulnerabilities CIS benchmarks Config auditing Pen testing Dashboard kubectl Kubernetes API

  3. @lizrice @d_pacak Starboard – brings security reports into Kubernetes Kubernetes

    Dashboard Dave Loper K8s resources pods deployments statefulsets daemonsets Security tools Image vulnerabilities CIS benchmarks Config auditing Pen testing kubehunterreports vulnerabilityreports ciskubebenchreports configauditreports Starboard kubectl Kubernetes API

  4. @lizrice @d_pacak Starboard CLI demo

  5. @lizrice @d_pacak Starboard operator Starboard operator – automation Kubernetes Dashboard

    Dave Loper K8s resources pods deployments statefulsets daemonsets Security tools Image vulnerabilities CIS benchmarks Config auditing Pen testing kubehunterreports vulnerabilityreports ciskubebenchreports configauditreports Starboard kubectl Kubernetes API

  6. @lizrice @d_pacak Starboard operator demo

  7. @lizrice @d_pacak Starboard design decisions

  8. @lizrice @d_pacak Resource What security issues are this for this

    resource? Security report Resource type = pod Resource name = my-app owner

  9. @lizrice @d_pacak Resource What security issues are this for this

    resource? Security report Resource type = pod Resource name = my-app owner Resource name

  10. @lizrice @d_pacak namespace Resource What security issues are this for

    this resource? Security report

  11. @lizrice @d_pacak namespace Resource What security issues are this for

    this resource? Security report starboard Scan job

  12. @lizrice @d_pacak Deployment ReplicaSet app-image:1.3 ReplicaSet image:1.3 Pod image:1.3 ReplicaSet

    image:1.3 Pod app-image:1.3 What security issues are there for my workloads? Unmanaged pod other-image:2.0

  13. @lizrice @d_pacak Deployment ReplicaSet app-image:1.3 ReplicaSet image:1.3 Pod image:1.3 ReplicaSet

    image:1.3 Pod app-image:1.3 Unmanaged pod other-image:2.0 Vuln report some-image:2.0

  14. @lizrice @d_pacak Deployment ReplicaSet app-image:1.3 ReplicaSet image:1.3 Pod image:1.3 ReplicaSet

    image:1.3 Pod app-image:1.3 Unmanaged pod other-image:2.0 Vuln report some-image:2.0 Vuln report some-image:2.0 Vuln report some-image:2.0 Vuln report some-image:2.0

  15. @lizrice @d_pacak Deployment ReplicaSet app-image:1.3 ReplicaSet image:1.3 Pod image:1.3 ReplicaSet

    image:1.3 Pod app-image:1.3 Unmanaged pod other-image:2.0 Vuln report some-image:2.0 Vuln report

  16. @lizrice @d_pacak Deployment ReplicaSet app-image:1.3 ReplicaSet app-image:1.6 ReplicaSet image:1.3 Pod

    image:1.3 ReplicaSet image:1.3 Pod app-image:1.3 ReplicaSet image:1.3 Pod app-image:1.6 Unmanaged pod other-image:2.0 Vuln report some-image:2.0 Vuln report

  17. @lizrice @d_pacak Deployment ReplicaSet app-image:1.3 ReplicaSet app-image:1.6 ReplicaSet image:1.3 Pod

    image:1.3 ReplicaSet image:1.3 Pod app-image:1.3 ReplicaSet image:1.3 Pod app-image:1.6 Unmanaged pod some-image:2.0 Vuln report some-image:2.0 Vuln report app-image:1.6 Vuln report app-image:1.3

  18. @lizrice @d_pacak Deployment ReplicaSet ReplicaSet image:1.3 Pod image:1.3 ReplicaSet image:1.3

    Pod Vuln report What vulnerabilities are in my deployment?

  19. @lizrice @d_pacak Starboard hierarchy demo

  20. @lizrice @d_pacak Extending Starboard

  21. @lizrice @d_pacak Kind: Job Name: efavbs-d21... Namespace: starboard-operator Pluggable vulnerability

    scanners Kind: Deployment Name: my-app Image: some-image:2.0 Struct: PodTemplateSpec Image: aquasec/trivy:0.11.0 Command: trivy some-image:2.0 Kind: VulnerabilityReport Name: deployment-my-app-some-container PodSpec Trivy output converter

  22. 22 22 VulnerabilityScanner interface

  23. @lizrice @d_pacak

  24. @lizrice @d_pacak

  25. @lizrice @d_pacak Starboard future

  26. @lizrice @d_pacak Fully pluggable security reporting Kubernetes Dashboard Dave Loper

    K8s resources pods <some resources> replicasets Security tools Image vulnerabilities CIS benchmarks Config auditing Pen testing kubehunterreports vulnerabilityreports ciskubebenchreports configauditreports Starboard kubectl Kubernetes API Starboard ConfigMap Scanners - Tool: Resource: Report: - Tool: Resource: Report: … <other>reports some other security tool

  27. @lizrice @d_pacak What are the most important security issues in

    my cluster? kubectl starboard summary <namespace>

  28. @lizrice @d_pacak github.com/aquasecurity/starboard