Practical Guide to Kubernetes Security for Developers 🚀

Kubernetes has become the de facto standard for deploying and managing applications, from startups to enterprises. This means most developers write their application code, package it into containers and deploy it into clusters to serve their customers. But if you look at typical day-to-day development and operations, from local development to production deployment, we do a lot of things that can be insecure patterns. As we adopt modern tools and technologies, we tend to forget to secure them while building and serving our customers. In this talk, we will see how we can secure Kubernetes workflows, and how we can automate these security checks and validate them to identify potential security risks before deploying our applications and code into production.

Madhu Akula will be using Kubernetes Goat, an interactive Kubernetes security learning playground, in this talk to demonstrate some security concerns and fix them live 🚀

Madhu Akula

January 12, 2023

Transcript

  1. Madhu Akula
    Practical Guide to Kubernetes
    Security for Developers 🚀

  2. ● Pragmatic Security Leader focusing on Cloud Native infrastructure, security, and startups
    ● Creator of Kubernetes Goat, Hacker Container, tools.tldr.run, many other OSS projects.
    ● Speaks & Trains at Blackhat, DEFCON, GitHub, USENIX, OWASP, All Day DevOps, SANS, DevSecCon,
    CNCF, c0c0n, Nullcon, SACON, null, many others around the globe.
    ● Author of Security Automation with Ansible 2, OWASP KSTG, whitepapers, etc.
    ● Technical reviewer (multiple books) & Review board member of multiple conferences,
    organizations, communities, advisory, etc.
    ● Found security vulnerabilities in 200+ organizations and products including Google, Microsoft,
    AT&T, Adobe, eBay, WordPress, Ntop, Cloudflare, Yahoo, LocalBitcoins, etc.
    ● Certified Kubernetes (CKA/CKS), Offensive Security Certified Professional, etc.
    ● Never ending learner!
    About Me 👋
    @madhuakula

  3. How many of you have heard about
    Kubernetes and don’t use it?

  4. Are you running
    Kubernetes in Production?

  5. Who is responsible for your
    Kubernetes Security?

  6. ● Introduction to Kubernetes & Architecture
    ● Why should developers care about Kubernetes security?
    ○ Threat Model, Attack Trees, MITRE, etc.
    ○ Some real-world attacks, threats and examples
    ○ Showcasing live hacking of attacks
    ● What can developers do about Kubernetes security?
    ○ Examples, patterns, core issues, etc.
    ○ Education, Training, Knowledge and skill gaps
    ● How can developers add value to Kubernetes security?
    ○ What are we really missing here?
    ○ How can we achieve it?
    ○ Tools, techniques and processes
    ● Key takeaways and learnings!
    ● Questions & Discussion
    Today’s Agenda
    @madhuakula

  7. https://kubernetes.io/docs/concepts/overview/what-is-kubernetes/#going-back-in-time
    What is Docker?
    @madhuakula

  8. ● Docker is an open source platform for building, deploying, and managing
    containerized applications
    ● Docker became the de facto standard to build and share containerized apps -
    from desktop, to the cloud, even edge devices
    ● Docker enables developers to easily pack, ship, and run any application as a
    lightweight, portable, self-sufficient container, which can run virtually
    anywhere
    https://docs.docker.com/get-started/overview/
    What is Docker?
    @madhuakula

  9. Kubernetes is a portable, extensible, open-source platform for managing
    containerized workloads and services, that facilitates both declarative
    configuration and automation. It has a large, rapidly growing ecosystem.
    Kubernetes services, support, and tools are widely available.
    https://kubernetes.io/docs/concepts/overview/what-is-kubernetes/
    What is Kubernetes?
    @madhuakula

  10. https://commons.wikimedia.org/wiki/File:Kubernetes.png
    What is Kubernetes?
    @madhuakula

  11. Why Kubernetes Security for Developers?

  12. @madhuakula
    Why Kubernetes Security for Developers?
    https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/

  13. @madhuakula
    Why Kubernetes Security for Developers?
    https://github.com/cncf/financial-user-group/blob/master/projects/k8s-threat-model/AttackTrees/AccessSensitiveData.md

  14. Let’s go and see the hacking
    in action!
    @madhuakula

  15. What is Kubernetes Goat 🐐
    Kubernetes Goat is an interactive
    Kubernetes security learning playground.
    It provides intentionally vulnerable-by-design
    scenarios that showcase the common
    misconfigurations, real-world
    vulnerabilities, and security issues in
    Kubernetes clusters, containers, and
    cloud native environments.
    @madhuakula

  16. ⚡ Get Started with Kubernetes Goat 🐐
    https://madhuakula.com/kubernetes-goat
    @madhuakula

  17. ☸ Demo Time 🤞
    @madhuakula

  18. What can developers do
    about
    Kubernetes security?
    @madhuakula

  19. https://github.com/GoogleCloudPlatform/microservices-demo/
    Typical Microservices Architecture
    @madhuakula

  20. @madhuakula
    What can developers do about Kubernetes security?
    ● I think there is no single answer or approach here
    ● Always look at the core problem and root cause, and fix it at that layer
    ● Aim for a self-service model by providing patterns in an actionable way
    ● Be a helping hand for DevOps, SRE and Engineering teams rather than just pointing out issues
    ○ Help them create secure and safe Helm charts, Dockerfiles, Templates, etc.
    ○ Remove the blockers by being pragmatic and empathetic
    ○ Eliminate the issues you can early and at scale
    ● Repeat after me: Education, Education, Education
    ○ Most people don’t even understand the technology, let alone security. So
    educating them by teaching and practicing is the way to go 🚀

  21. Secure Manifests & Helm Charts & Kustomize…
    @madhuakula

  22. Resource Limits
    @madhuakula

  23. Least privileged RBAC
    @madhuakula

  24. Readiness & Liveness Probes
    @madhuakula

  25. Service Expose - Careful!
    @madhuakula
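    Slides 22 to 25 name the controls without showing them. As an added example that is not part of the talk or of Kubernetes Goat, the following Python audits a parsed manifest against those four points: resource limits, readiness/liveness probes, least-privilege RBAC (no wildcard grants) and Service exposure outside the cluster. The `web` Deployment, the `example/web:1.0` image and the `/healthz` probe path are constructed for illustration.

```python
# Added example, not from the talk: audit a parsed Kubernetes manifest (a dict, e.g.
# `kubectl get ... -o json` loaded with json.load) against the checklist on the slides.

def _containers(manifest):
    """Containers of a Pod, or of the Pod template in a Deployment/DaemonSet/Job."""
    spec = manifest.get("spec", {})
    if manifest.get("kind") == "Pod":
        return spec.get("containers", [])
    return spec.get("template", {}).get("spec", {}).get("containers", [])

def audit_manifest(manifest):
    """Return a list of findings; an empty list means the checklist passes."""
    kind = manifest.get("kind", "?")
    name = manifest.get("metadata", {}).get("name", "?")
    spec = manifest.get("spec", {})
    findings = []
    for c in _containers(manifest):
        where = f"{kind}/{name} container {c.get('name', '?')}"
        limits = c.get("resources", {}).get("limits", {})
        if not {"cpu", "memory"} <= set(limits):  # Resource Limits
            findings.append(f"{where}: missing cpu/memory limits")
        for probe in ("readinessProbe", "livenessProbe"):  # Readiness & Liveness Probes
            if probe not in c:
                findings.append(f"{where}: missing {probe}")
        sc = c.get("securityContext", {})  # secure defaults / least privilege
        if sc.get("privileged"):
            findings.append(f"{where}: runs privileged")
        if not sc.get("runAsNonRoot"):
            findings.append(f"{where}: runAsNonRoot not set")
        if sc.get("allowPrivilegeEscalation", True):
            findings.append(f"{where}: allowPrivilegeEscalation not disabled")
    if kind == "Service" and spec.get("type") in ("NodePort", "LoadBalancer"):  # Service Expose
        findings.append(f"Service/{name}: exposed outside the cluster as {spec['type']}")
    if kind in ("Role", "ClusterRole"):  # Least privileged RBAC: no wildcard grants
        for rule in manifest.get("rules", []):
            if "*" in rule.get("verbs", []) or "*" in rule.get("resources", []):
                findings.append(f"{kind}/{name}: wildcard verbs or resources in a rule")
    return findings

# Constructed sample: a Deployment written with defaults, then the same one hardened.
WEAK = {"kind": "Deployment", "metadata": {"name": "web"}, "spec": {"template": {"spec": {
    "containers": [{"name": "app", "image": "example/web:1.0"}]}}}}
HARDENED = {"kind": "Deployment", "metadata": {"name": "web"}, "spec": {"template": {"spec": {
    "containers": [{"name": "app", "image": "example/web:1.0",
        "resources": {"limits": {"cpu": "500m", "memory": "256Mi"}},
        "readinessProbe": {"httpGet": {"path": "/healthz", "port": 8080}},
        "livenessProbe": {"httpGet": {"path": "/healthz", "port": 8080}},
        "securityContext": {"runAsNonRoot": True, "allowPrivilegeEscalation": False}}]}}}}
```

    `audit_manifest(WEAK)` reports five findings and `audit_manifest(HARDENED)` reports none; to audit a live object, pass it the result of `json.load` over `kubectl get deploy web -o json`.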

  26. Audit Logging
    @madhuakula

  27. NodeSelectors & Taints & Tolerations
    @madhuakula

  28. Network Security Policies
    @madhuakula

  29. Dockerfile Security
    @madhuakula

  30. Deployment Strategies
    @madhuakula

  31. [Open] Telemetry Data
    @madhuakula

  32. [Open] Tracing Data
    @madhuakula

  33. Many more…
    @madhuakula

  34. How can developers add
    value to
    Kubernetes security?
    @madhuakula

  35. @madhuakula
    The missing pieces in the puzzle!
    ● Nature of immutable infrastructure
    ● Matching the speed of containers and infrastructure with security
    ● Frequency of deployments and workloads
    ● Size of the teams and deployments across dev, ops, engineering and security
    ● How frequently and repetitively we fix certain issues
    ● Education, knowledge and skill gap
    ● Maturity of the security function and its alignment with stakeholders
    ● Many others…

  36. Let’s go and see the
    fixing in action!
    @madhuakula

  37. ☸ Demo Time 🤞
    @madhuakula

  38. ✅ Security is everyone’s responsibility (Dev, Ops, Security, Management, etc.)
    ⚠ Threat model your architecture and identify risks/threats
    🙌 Follow and apply secure defaults
    📚 Know what you have (inventory of assets)
    🧱 Adopt a zero trust model (zoning, containment & segmentation)
    🎯 Apply security at each layer (defense in depth strategy)
    🚨 Follow the least privilege principle
    👮 AuthN & AuthZ
    🔐 Encryption at rest & in transit
    🛡 Proactive monitoring & active defense
    🔁 Continuously analyse and apply feedback loops
    👉 Crawl 🐢, Walk 🚶, Run 🏃, Fly ✈
    Key Takeaways!
    @madhuakula

  39. Thank you very much 🙏
    Want to learn more, have some feedback, or just want to say 👋
    @madhuakula
    https://madhuakula.com
