
Preventative Security for Kubernetes

Liz Rice
February 28, 2019


Testing your Kubernetes cluster for security issues using the CIS benchmark, and open source tools kube-bench and kube-hunter

As seen at DevSecCon Singapore 2019

  1. Title slide: Preventative Security for Kubernetes. Liz Rice, @lizrice | @aquasecteam. © 2018-19 Aqua Security Software Ltd., All Rights Reserved
  2. Agenda
     ▪ Kubernetes configuration for security
     ▪ CIS benchmarks: testing the configuration
     ▪ Penetration testing: testing for vulnerabilities
  3. Authored by Liz Rice from Aqua Security and Michael Hausenblas from Red Hat: https://info.aquasec.com/kubernetes-security
  4. Aqua: our approach
     Automate DevSecOps
     ▪ Secure the CI/CD pipeline
     ▪ "Shift left" security, fix issues early and fast
     ▪ Accelerate app delivery with security automation
     Modernize security through containers
     ▪ Enforce immutability: no patching, no drift
     ▪ Whitelist good behavior, preventing anomalies
     ▪ Prevent lateral movement
     Secure once, run anywhere
     ▪ Secure apps regardless of platform, cloud, or OS
     ▪ Enable hybrid cloud and cloud migration
     ▪ Avoid cloud lock-in and security reconfiguration
  5. Automating Security at Every Stage (pipeline diagram)
     ▪ Create software: code quality, security testing. Outcome: artifacts free of security defects
     ▪ Build: vulnerability scanning, image policies. Outcome: only expected code & config
     ▪ Deploy: runtime protection. Outcome: detect anomalous behaviour
     ▪ Host configuration underlies all stages
  6. Section: Kubernetes Host Configuration

  7. Kubernetes configuration: what config settings should I use?
     ▪ Kubernetes components installed on your servers
     ▪ Master & node components
     ▪ Many configuration settings have a security impact
     ▪ Example: open Kubelet port = root access
     ▪ Defaults depend on the installer
  8. CIS Kubernetes Benchmark

  9. kube-bench (github.com/aquasecurity/kube-bench)
     ▪ Open source automated tests for the CIS Kubernetes Benchmark
     ▪ Tests for Kubernetes Masters and Nodes
     ▪ Available as a container
  10. (image-only slide)

  11. kube-bench (github.com/aquasecurity/kube-bench)
     ▪ Job configuration YAML
     ▪ Run regularly to ensure no configuration drift
     ▪ Tests defined in YAML
     ▪ Released code follows the CIS Benchmark
     ▪ Modify for your own purposes
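An added example (not kube-bench's own code and not from the talk) of the kind of check behind slides 7 and 11: kube-bench describes each CIS check in YAML as a flag to look for on a component's command line plus a comparison, so a small evaluator of the same shape can be pointed at a kubelet process line to tell whether the settings that leave the Kubelet port open (anonymous auth, AlwaysAllow authorization, the read-only port) are still in place. The command line, check IDs and flag expectations below are constructed; the real benchmark wording lives in kube-bench's YAML.

```python
import shlex

# Constructed kubelet command line (not from the slides); kube-bench's "audit"
# step collects something like it with e.g. "ps -fC kubelet".
SAMPLE_PS_LINE = (
    "/usr/bin/kubelet --config=/var/lib/kubelet/config.yaml "
    "--anonymous-auth=true --authorization-mode=AlwaysAllow "
    "--read-only-port=10255 --client-ca-file=/etc/kubernetes/pki/ca.crt"
)
# Checks in the shape of kube-bench test_items (flag / compare / set).
# IDs and wording are illustrative, not quoted from the CIS Benchmark.
CHECKS = [
    {"id": "anonymous-auth-off", "flag": "--anonymous-auth", "compare": ("eq", "false"), "set": True},
    {"id": "authz-not-alwaysallow", "flag": "--authorization-mode", "compare": ("noteq", "AlwaysAllow"), "set": True},
    {"id": "read-only-port-disabled", "flag": "--read-only-port", "compare": ("eq", "0"), "set": True},
    {"id": "client-ca-set", "flag": "--client-ca-file", "compare": None, "set": True},
]

def parse_flags(cmdline):
    # Map both '--a=b' and '--c d' forms to {'--a': 'b', '--c': 'd'}; bare flags map to ''.
    flags, tokens, i = {}, shlex.split(cmdline)[1:], 0
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("--"):
            if "=" in tok:
                key, val = tok.split("=", 1)
            elif i + 1 < len(tokens) and not tokens[i + 1].startswith("--"):
                key, val, i = tok, tokens[i + 1], i + 1
            else:
                key, val = tok, ""
            flags[key] = val
        i += 1
    return flags

def evaluate(check, flags):
    # Pass when flag presence matches 'set' and, if present with a comparison, the value satisfies it.
    present = check["flag"] in flags
    if present != check["set"]:
        return False
    if not present or check["compare"] is None:
        return True
    op, want = check["compare"]
    got = flags[check["flag"]]
    return got == want if op == "eq" else got != want

def run_checks(cmdline, checks=CHECKS):
    # Returns {check id: "PASS"/"FAIL"}; on SAMPLE_PS_LINE only client-ca-set passes.
    flags = parse_flags(cmdline)
    return {c["id"]: "PASS" if evaluate(c, flags) else "FAIL" for c in checks}
```

Running the same evaluator on a schedule (as the slide suggests for kube-bench) turns a one-off audit into a drift check: a flag that was hardened at install time and later reverted shows up as a new FAIL.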
  12. Kubernetes & Docker CIS Benchmarks
     ▪ Built into the Aqua CSP
     ▪ Provides a scored report of the results
     ▪ Can be scheduled to run daily
  13. Section: Kubernetes penetration testing

  14. kube-hunter: how do I know the config is working to secure my cluster?
     ▪ Open source penetration tests for Kubernetes
     ▪ See what an attacker would see
     ▪ github.com/aquasecurity/kube-hunter
     ▪ Online report viewer: kube-hunter.aquasec.com
  15. kube-hunter.aquasec.com

  16. (image-only slide)
  17. (image-only slide)

  18. kube-hunter with kube-bench

  19. (image-only slide)
  20. (image-only slide)
  21. (image-only slide)

  22. kube-hunter inside a pod

  23. kube-hunter inside a pod: what if my app gets compromised? (diagram: Kubernetes cluster, pod, service account token, API server)
  24. kube-hunter inside a pod: what if my app gets compromised?
     ▪ Results depend on RBAC settings
     ▪ and the service account you use for the pod
  25. github.com/aquasecurity/kube-bench | github.com/aquasecurity/kube-hunter | @lizrice | @aquasecteam. © 2018-19 Aqua Security Software Ltd., All Rights Reserved