Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Preventative Security for Kubernetes

Liz Rice
February 28, 2019
Programming
1
350

Preventative Security for Kubernetes

Testing your Kubernetes cluster for security issues using the CIS benchmark, and open source tools kube-bench and kube-hunter

As seen at DevSecCon Singapore 2019

Liz Rice

February 28, 2019
Tweet

More Decks by Liz Rice

See All by Liz Rice
Unleashing the kernel with eBPF
lizrice
0
31
eBPF's Abilities and Limitations: The Truth
lizrice
0
39
Simplifying multi-cloud and multi-cluster Kubernetes deployments with Cilium
lizrice
0
22
When is a Secure Connection not encrypted? And other stories
lizrice
1
21
Keeping it simple: Cilium Mesh - networking for multi-cloud Kubernetes and beyond
lizrice
1
460
How Many Proxies Do You Need
lizrice
1
100
eBPF for Security Observability
lizrice
0
1k
Beginner's Guide to eBPF Programming for Networking
lizrice
1
2k
Contributing to Open Source - what's in it for my business?
lizrice
0
36

Other Decks in Programming

See All in Programming
Kotlin Multiplatform at Stable and Beyond (Android Makers 2024)
zsmb
0
550
2024 コーディング研修
ckazu
0
440
GitHub Copilotのススメ
marcy731
1
240
Goのエラースタックトレースの歴史と今後
sonatard
10
2k
Exploring the Implementation of “t.Run”, “t.Parallel”, and “t.Cleanup”
akarin
1
150
検証も兼ねて個人開発でHonoとかと向き合った話
hanetsuki
1
1.4k
Fragment Composition of GraphQL
quramy
13
1.6k
Scalable Customer Journey Orchestration (CJO)
lewuathe
0
450
AppRouter Panel Talk
yosuke_furukawa
PRO
1
500
Komplexe Oberflächen mit SVG und der Web Animation API
joergneumann
0
690
Open standards for building event-driven applications in the cloud
meteatamel
0
190
Hanami and htmx
bkuhlmann
0
230

Featured

See All Featured
Making the Leap to Tech Lead
cromwellryan
125
8.5k
Agile that works and the tools we love
rasmusluckow
325
20k
Web development in the modern age
philhawksworth
203
10k
The World Runs on Bad Software
bkeepers
PRO
61
6.7k
Fontdeck: Realign not Redesign
paulrobertlloyd
76
4.9k
ReactJS: Keep Simple. Everything can be a component!
pedronauck
660
120k
What’s in a name? Adding method to the madness
productmarketing
PRO
17
2.7k
Bash Introduction
62gerente
605
210k
A Philosophy of Restraint
colly
197
16k
The Cost Of JavaScript in 2023
addyosmani
21
3.9k
A Modern Web Designer's Workflow
chriscoyier
689
190k
How To Stay Up To Date on Web Technology
chriscoyier
782
250k

Transcript

  1. © 2018-19 Aqua Security Software Ltd., All Rights Reserved Preventative

    Security for Kubernetes Liz Rice @lizrice | @aquasecteam

  2. @lizrice Agenda ▪ Kubernetes configuration for security ▪ CIS benchmarks

    – testing the configuration ▪ Penetration testing – testing for vulnerabilities

  3. 3 Authored by Liz Rice from Aqua Security and Michael

    Hausenblas from Red Hat https://info.aquasec.com/kubernetes-security

  4. @lizrice ▪ Secure the CI/CD pipeline ▪ “Shift left” security,

    fix issues early and fast ▪ Accelerate app delivery with security automation Aqua: our approach ▪ Enforce immutability – no patching, no drift ▪ Whitelist good behavior, preventing anomalies ▪ Prevent lateral movement ▪ Secure apps regardless of platform, cloud, or OS ▪ Enable hybrid cloud and cloud migration ▪ Avoid cloud lock-in and security reconfiguration Automate DevSecOps Modernize security through containers Secure once, run anywhere

  5. @lizrice Create software Build Deploy Code quality Security testing Vulnerability

    scanning Image policies Runtime protection Artifacts free of security defects Only expected code & config Detect anomalous behaviour Host configuration Automating Security at Every Stage

  6. @lizrice Kubernetes Host Configuration

  7. @lizrice ▪ Kubernetes components installed on your servers ▪ Master

    & node components ▪ Many configuration settings have a security impact ▪ Example: open Kubelet port = root access ▪ Defaults depend on the installer Kubernetes configuration What config settings should I use?

  8. @lizrice CIS Kubernetes Benchmark

  9. @lizrice ▪ Open source automated tests for CIS Kubernetes Benchmark

    ▪ Tests for Kubernetes Masters and Nodes ▪ Available as a container kube-bench github.com/aquasecurity/kube-bench

  10. @lizrice

  11. @lizrice ▪ Job configuration YAML ▪ Run regularly to ensure

    no configuration drift ▪ Tests defined in YAML ▪ Released code follows the CIS Benchmark ▪ Modify for your own purposes kube-bench github.com/aquasecurity/kube-bench

  12. @lizrice ▪ Built into the Aqua CSP ▪ Provides a

    scored report of the results ▪ Can be scheduled to run daily Kubernetes & Docker CIS Benchmarks

  13. @lizrice Kubernetes penetration testing

  14. @lizrice ▪ Open source penetration tests for Kubernetes ▪ See

    what an attacker would see ▪ github.com/aquasecurity/kube-hunter ▪ Online report viewer ▪ kube-hunter.aquasec.com kube-hunter How do I know the config is working to secure my cluster?

  15. @lizrice kube-hunter.aquasec.com

  16. 16

  17. 17

  18. @lizrice kube-hunter with kube-bench

  19. 19

  20. 20

  21. 21

  22. @lizrice kube-hunter inside a pod

  23. @lizrice Kubernetes cluster pod kube-hunter inside a pod What if

    my app gets compromised? token API server

  24. @lizrice ▪ Results depend on RBAC settings ▪ and the

    service account you use for the pod kube-hunter inside a pod What if my app gets compromised?

  25. © 2018-19 Aqua Security Software Ltd., All Rights Reserved github.com/aquasecurity/kube-bench

    github.com/aquasecurity/kube-hunter @lizrice | @aquasecteam