
Building Network Security Boundaries in Kubernetes - null Ahmedabad Meetup


The adoption of Kubernetes is growing exponentially across the technology landscape as companies adopt it and build on it. While this is happening, security teams are also trying to catch up with the release speed and velocity of the Kubernetes ecosystem. The recent Red Hat State of Kubernetes Security Report states that "94% of respondents experienced at least one security incident in their Kubernetes environments in the last 12 months", and concludes that security misconfigurations. So in this talk, Madhu Akula will showcase some real-world examples of security issues with a default Kubernetes setup regarding network security boundaries, and show how we can leverage network security policies to build better security boundaries using open source security solutions.

Madhu Akula

August 21, 2021



  1. About Me
     • Creator of Kubernetes Goat, Hacker Container, tools.tldr.run, many others
     • Speaker & Trainer @ BlackHat, DEFCON, USENIX, OWASP, All Day DevOps, GitHub, SANS, DevSecCon, c0c0n, Nullcon, null, many others
     • Co-Author of Security Automation with Ansible 2
     • Found vulnerabilities in 200+ organisations & products (Google, Microsoft, WordPress, Ntop, etc.)
     • Technical reviewer of Learn Kubernetes Security, etc.
     • Never Ending Learner!
     @madhuakula https://madhuakula.com
  2. What will you learn today?
     • What is Kubernetes?
     • Why Kubernetes Security?
     • Why Network Security Boundaries?
     • Layered Approach (Defense-in-Depth)
     • Attacker View of Breaking Network Security Boundaries (no NSP by default)
     • Cilium Hubble for observing & monitoring
     • Applying Network Security Policies
     • Building Secure Defaults using Kyverno
     • Embedding Security in early stages (GitOps/DevSecOps) using KICS
     • Resources & References
  3. What is Docker?
     • Docker is an open source platform for building, deploying, and managing containerized applications
     • Docker became the de facto standard to build and share containerized apps - from desktop, to the cloud, even edge devices
     • Docker enables developers to easily pack, ship, and run any application as a lightweight, portable, self-sufficient container, which can run virtually anywhere
     https://docs.docker.com/get-started/overview/
  4. What is Kubernetes?
     Kubernetes is a portable, extensible, open-source platform for managing containerized workloads and services, that facilitates both declarative configuration and automation. It has a large, rapidly growing ecosystem. Kubernetes services, support, and tools are widely available.
     https://kubernetes.io/docs/concepts/overview/what-is-kubernetes/
  5. Why Kubernetes Network Security Boundaries?
     By default, Kubernetes has a flat networking schema, which means any pod/service within the cluster can talk to any other pod/service without restriction. Namespaces within the cluster don't carry any network security restrictions by default either: a workload in one namespace can talk to workloads in every other namespace. Network Security Policies provide a declarative way to specify which pods are allowed to talk to which pods. There are many options and features we can include in a policy to enforce this, by specifying parameters like labels, namespaces, ports, etc.
  6. There is a lot more than just Network Security Boundaries
     There are many higher-level abstraction layers we can think of when applying security to Kubernetes. What we are going to see today is just a small part of Kubernetes security, primarily focusing on network security boundaries.
     https://github.com/ahmetb/kubernetes-network-policy-recipes
  7. Defense In Depth - Layered Approach
     Some of the very high-level abstraction layers; each layer contains many ways we can secure and defend against attackers.
     • Application Security
     • Supply Chain Security
     • Infrastructure Security
     • Runtime Security
     • Continuous Security
  8. Approaches to Defense & Building the boundaries
     • There are many ways we can leverage this to build defenses and boundaries; it's always better to apply a layered approach
     • Starting with Monitoring & Observability is key, as most microservice owners don't know what their services actually need to talk to (Ex: Cilium Hubble)
     • Applying Network Security Policies once we have the details like namespace, labels, ports, services, etc. (Ex: NetworkPolicy with a CNI that enforces it)
     • Building secure defaults: if anyone creates a new namespace or deployment it should deny by default, to ensure they create and follow an NSP (Ex: Kyverno)
     • Embedding security into early stages of the lifecycle, like the GitOps stage, by scanning Manifests, Helm charts, etc. (Ex: KICS)
     • Many other approaches based on the context and organisation
  9. Hubble - Network, Service & Security Observability for K8S
     Hubble is a fully distributed networking and security observability platform for cloud native workloads. It is built on top of Cilium and eBPF to enable deep visibility into the communication and behavior of services as well as the networking infrastructure in a completely transparent manner. Some of the things we can achieve using Hubble include:
     • Service dependencies & communication map
     • Operational monitoring & alerting
     • Application monitoring
     • Security observability
     https://github.com/cilium/hubble
  10. Kyverno - Kubernetes Native Policy Management
     Kyverno is a policy engine designed for Kubernetes. With Kyverno, policies are managed as Kubernetes resources and no new language is required to write policies. This allows using familiar tools such as kubectl, git, and kustomize to manage policies. Kyverno policies can validate, mutate, and generate Kubernetes resources. The Kyverno CLI can be used to test policies and validate resources as part of a CI/CD pipeline. Kyverno allows cluster administrators to manage environment-specific configurations independently of workload configurations and enforce configuration best practices for their clusters. Kyverno can be used to scan existing workloads for best practices, or to enforce best practices by blocking or mutating API requests.
     https://kyverno.io/
  11. KICS - Embedding Security early (GitOps/DevSecOps)
     Find security vulnerabilities, compliance issues, and infrastructure misconfigurations early in the development cycle of your infrastructure-as-code with KICS by Checkmarx.
     • Fully customizable and adjustable heuristic rules, called queries. These can be easily edited, extended and added
     • Robust yet simple architecture, which allows quick addition of support for new Infrastructure as Code solutions
     https://kics.io/
  12. References & Resources
     • https://kubernetes.io/docs/concepts/services-networking/network-policies
     • https://github.com/ahmetb/kubernetes-network-policy-recipes
     • https://github.com/cncf/financial-user-group
     • https://cilium.io
     • https://github.com/cilium/hubble
     • https://kyverno.io
     • https://kics.io
     • https://editor.cilium.io
     • https://katacoda.com/madhuakula/scenarios/kubernetes-network-security-boundaries