Building Network Security Boundaries in Kubernetes - null Ahmedabad Meetup

Transcript

1. Building Network Security Boundaries in Kubernetes null - The Open

   Security Community Madhu Akula

2. About Me • Creator of Kubernetes Goat, Hacker Container, tools.tldr.run,

   many others • Speaker & Trainer @ BlackHat, DEFCON, USENIX, OWASP, All Day DevOps, GitHub, SANS, DevSecCon, c0c0n, Nullcon, null, many others • Co-Author of Security Automation with Ansible 2 • Found vulnerabilities in 200+ organisations & products (Google, Microsoft, Wordpress, Ntop, etc.) • Technical reviewer of Learn Kubernetes Security, etc. • Never Ending Learner! @madhuakula https://madhuakula.com

3. What you will learn today? • What is Kubernetes? •

   Why Kubernetes Security? • Why Network Security Boundaries? • Layered Approach (Defense-in-Depth) • Attacker-View of Breaking Network Security Boundaries (No NSP by default) • Cilium Hubble for observing & monitoring • Applying Network Security Policies • Building Secure Defaults using Kyverno • Embedding Security early stages (GitOps/DevSecOps) using KICS • Resources & References @madhuakula

4. What is Docker? https://kubernetes.io/docs/concepts/overview/what-is-kubernetes/#going-back-in-time @madhuakula

5. What is Docker? • Docker is an open source platform

   for building, deploying, and managing containerized applications • Docker became the de facto standard to build and share containerized apps - from desktop, to the cloud, even edge devices • Docker enables developers to easily pack, ship, and run any application as a lightweight, portable, self-sufficient container, which can run virtually anywhere https://docs.docker.com/get-started/overview/ @madhuakula

6. What is Kubernetes? Kubernetes is a portable, extensible, open-source platform

   for managing containerized workloads and services, that facilitates both declarative configuration and automation. It has a large, rapidly growing ecosystem. Kubernetes services, support, and tools are widely available. https://kubernetes.io/docs/concepts/overview/what-is-kubernetes/ @madhuakula

7. What is Kubernetes? https://commons.wikimedia.org/wiki/File:Kubernetes.png @madhuakula

8. The illustrated children's guide to Kubernetes https://www.youtube.com/watch?v=3I9PkvZ80BQ @madhuakula

9. Why Kubernetes Security? @madhuakula

10. MITRE ATT&CK for Kubernetes https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/ @madhuakula

11. Why Kubernetes Network Security Boundaries? https://github.com/GoogleCloudPlatform/microservices-demo/ @madhuakula

12. Why Kubernetes Network Security Boundaries? By default, Kubernetes has a

    flat networking schema, which means any pod/service within the cluster can talk to other without any restrictions. The namespaces within the cluster don't have any network security restrictions by default, anyone in the namespace can talk to other namespaces. Network Security Policies provides a declarative way to specify which pods are allowed to talk to which pods. There are many options and features we can include in the policy to enforce this by specifying parameters like labels, namespaces, ports, etc. @madhuakula

13. There is lot more than just Network Security Boundaries There

    are many higher level of abstraction layers we can think of applying security for Kubernetes. What we are going to see today is just small part of Kubernetes Security primarily focusing on Network Security Boundaries. https://github.com/ahmetb/kubernetes-network-policy-recipes @madhuakula

14. Defense In Depth - Layered Approach Some of the very

    high level abstraction layers, each layer contains many ways how we can secure and defend against attackers. • Application Security • Supply Chain Security • Infrastructure Security • Runtime Security • Continuous Security @madhuakula

15. Why Layered Approach? https://github.com/cncf/financial-user-group/blob/master/projects/k8s-threat-model/AttackTrees/AttackerOnTheNetwork.md Attackers have many ways! Defenders have

    many layers! @madhuakula

16. Demo Time 🤞 @madhuakula

17. Summary of what just happened - No NSP by default

    in K8S @madhuakula

18. Approaches to Defense & Building the boundaries • There are

    many ways we can leverage this to build defense and boundaries, it’s always better to apply layered approach • Starting with Monitoring & Observability is key as most of the microservices owners doesn’t know what they need for their services (Ex: Cilium Hubble) • Applying Network Security Policies once we have the details like namespace, labels, ports, services, etc. (Ex: NetworkPolicy with CNI) • Building secure defaults, like if anyone creates new namespace or deployment by default it should deny to ensure they create and follow NSP (Ex: Kyverno) • Embedding security into early stages of lifecycle like GitOps stage by performing scanning of Manifests, Helm charts, etc. (Ex: KICS) • Many other approaches based on the context and organisation @madhuakula

19. Hubble - Network, Service & Security Observability for K8S Hubble

    is a fully distributed networking and security observability platform for cloud native workloads. It is built on top of Cilium and eBPF to enable deep visibility into the communication and behavior of services as well as the networking infrastructure in a completely transparent manner. Some of the things we can achieve using Hubble includes • Service dependencies & communication map • Operational monitoring & alerting • Application monitoring • Security observability @madhuakula https://github.com/cilium/hubble

20. Hubble - Network, Service & Security Observability for K8S https://github.com/cilium/hubble

    @madhuakula

21. Demo Time 🤞 @madhuakula

22. Summary of what just happened - NSP Policy Ingress @madhuakula

23. Kyverno - Kubernetes Native Policy Management Kyverno is a policy

    engine designed for Kubernetes. With Kyverno, policies are managed as Kubernetes resources and no new language is required to write policies. This allows using familiar tools such as kubectl, git, and kustomize to manage policies. Kyverno policies can validate, mutate, and generate Kubernetes resources. The Kyverno CLI can be used to test policies and validate resources as part of a CI/CD pipeline. Kyverno allows cluster administrators to manage environment specific configurations independently of workload configurations and enforce configuration best practices for their clusters. Kyverno can be used to scan existing workloads for best practices, or can be used to enforce best practices by blocking or mutating API requests. @madhuakula https://kyverno.io/

24. Kyverno - Kubernetes Native Policy Management @madhuakula https://kyverno.io/docs/introduction/

25. Demo Time 🤞 @madhuakula

26. KICS - Embedding Security early (GitOps/DevSecOps) Find security vulnerabilities, compliance

    issues, and infrastructure misconfigurations early in the development cycle of your infrastructure-as-code with KICS by Checkmarx. • Fully customizable and adjustable heuristics rules, called queries. These can be easily edited, extended and added • Robust but yet simple architecture, which allows quick addition of support for new Infrastructure as Code solutions @madhuakula https://kics.io/

27. KICS - Embedding Security early (GitOps/DevSecOps) @madhuakula https://kics.io/

28. Demo Time 🤞 @madhuakula

29. Try it out yourself using online playground @madhuakula https://katacoda.com/madhuakula/scenarios/kubernetes-network-security-boundaries

30. References & Resources @madhuakula • https://kubernetes.io/docs/concepts/services-networking/network-policies • https://github.com/ahmetb/kubernetes-network-policy-recipes • https://github.com/cncf/financial-user-group

    • https://cilium.io • https://github.com/cilium/hubble • https://kyverno.io • https://kics.io • https://editor.cilium.io • https://katacoda.com/madhuakula/scenarios/kubernetes-network-security-boundaries

31. Thank you 🙏 Madhu Akula https://madhuakula.com