Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Practical Guide to Kubernetes Security for Deve...

Madhu Akula
January 12, 2023
Technology
0
51

Practical Guide to Kubernetes Security for Developers 🚀

Kubernetes become the defacto for deploying and managing applications from startups to enterprises. This means most developers start writing their application code, package them into containers and deploy them into clusters to serve the customers. But if you look at typical day-to-day development and operations from local development to production deployment, we perform a ton of things that can be potentially insecure patterns. As we use modern tools, and technologies we tend to forget to secure them while building and serving our customers. In this talk, we will see how we can secure Kubernetes workflows and how we can automate these security checks and validate them to identify potential security risks before deploying our applications and code into production.

Madhu Akula will be using Kubernetes Goat, an interactive Kubernetes security learning playground in this talk to demonstrate some security concerns and fix them live 🚀

Madhu Akula

January 12, 2023
Tweet

More Decks by Madhu Akula

See All by Madhu Akula
Interactive Kubernetes Security Learning Playground - Kubernetes Goat @ Black Hat Asia 2023 Arsenal
madhuakula
0
39
Mastering Kubernetes Security with Kubernetes Goat - Cloud-Native Modernization @ TechTarget
madhuakula
0
77
Kubernetes Security Detection Engineering – Mapping Back To MITRE ATT&CK Matrix | HITB 2023 AMS
madhuakula
0
93
Interactive Playground to Learn Kubernetes and Cloud Native Security - KubeCon + CloudNativeCon EU 2023
madhuakula
1
350
Scaling Kubernetes Security with Kubernetes Goat - All Day DevOps 2022
madhuakula
0
60
Scaling Kubernetes Security with Kubernetes Goat
madhuakula
0
110
Defenders Guide to Kubernetes Security - Dutch Microsoft & Security NL - Summer Security Night (+BBQ)
madhuakula
0
87
Kubernetes Goat - Interactive Kubernetes Security Playground: 2022 Edition
madhuakula
0
65
Kubernetes Goat - Practical Approach to Learn Kubernetes Security
madhuakula
0
55

Other Decks in Technology

See All in Technology
バクラクにおける可観測性向上の取り組み
yuu26
3
420
【技術書典17】OpenFOAM(自宅で極める流体解析)2次元円柱まわりの流れ
kamakiri1225
0
210
大規模データ基盤チームのオンプレTiDB運用への挑戦 / dpu-tidb
cyberagentdevelopers
PRO
1
110
LeSSに潜む「隠れWF病」とその処方箋
lycorptech_jp
PRO
2
120
小規模に始めるデータメッシュとデータガバナンスの実践
kimujun
3
590
チームを主語にしてみる / Making "Team" the Subject
ar_tama
4
310
サイバーエージェントにおける生成AIのリスキリング施策の取り組み / cyber-ai-reskilling
cyberagentdevelopers
PRO
2
200
CAMERA-Suite: 広告文生成のための評価スイート / ai-camera-suite
cyberagentdevelopers
PRO
3
270
「最高のチューニング」をしないために / hack@delta 24.10
fujiwara3
21
3.4k
オニオンアーキテクチャで実現した 本質課題を解決する インフラ移行の実例
hryushm
14
3k
ABEMA のコンテンツ制作を最適化!生成 AI x クラウド映像編集システム / abema-ai-editor
cyberagentdevelopers
PRO
1
180
10分でわかるfreee エンジニア向け会社説明資料
freee
18
520k

Featured

See All Featured
For a Future-Friendly Web
brad_frost
175
9.4k
Refactoring Trust on Your Teams (GOTO; Chicago 2020)
rmw
31
2.7k
Testing 201, or: Great Expectations
jmmastey
38
7k
Visualizing Your Data: Incorporating Mongo into Loggly Infrastructure
mongodb
42
9.2k
Embracing the Ebb and Flow
colly
84
4.4k
Measuring & Analyzing Core Web Vitals
bluesmoon
1
40
How to Create Impact in a Changing Tech Landscape [PerfNow 2023]
tammyeverts
46
2.1k
Designing for humans not robots
tammielis
249
25k
The Illustrated Children's Guide to Kubernetes
chrisshort
48
48k
Reflections from 52 weeks, 52 projects
jeffersonlam
346
20k
StorybookのUI Testing Handbookを読んだ
zakiyama
26
5.2k
Documentation Writing (for coders)
carmenintech
65
4.4k

Transcript

  1. Madhu Akula Practical Guide to Kubernetes Security for Developers 🚀

  2. • Pragmatic Security Leader focusing on Cloud Native infrastructure, security,

    and startups • Creator of Kubernetes Goat, Hacker Container, tools.tldr.run, many other OSS projects. • Speaks & Trains at Blackhat, DEFCON, GitHub, USENIX, OWASP, All Day DevOps, SANS, DevSecCon, CNCF, c0c0n, Nullcon, SACON, null, many others around the globe. • Author of Security Automation with Ansible2, OWASP KSTG, whitepapers, etc. • Technical reviewer (multiple books) & Review board member of multiple conferences, organizations, communities, advisory, etc. • Found security vulnerabilities in 200+ organizations and products including Google, Microsoft, AT&T, Adobe, eBay, WordPress, Ntop, Cloudflare, Yahoo, LocalBitcoins, etc. • Certified Kubernetes(CKA/CKS), Offensive Security Certified Professional, etc. • Never ending learner! About Me 👋 @madhuakula

  3. How many of you heard about Kubernetes and don’t use?

  4. Are you running Kubernetes in Production?

  5. Who is responsible for your Kubernetes Security?

  6. • Introduction to Kubernetes & Architecture • Why developers should

    care about Kubernetes security? ◦ Threat Model, Attack Trees, MITRE, etc. ◦ Some real-world attacks, threats and examples ◦ Showcasing live hacking of attacks • What developer can do about Kubernetes security? ◦ Examples, patterns, core issues, etc. ◦ Education, Training, Knowledge and skill gaps • How developers can add value to Kubernetes security? ◦ What’s we really missing here! ◦ How we can achieve them? ◦ Tools, techniques and processes • Key takeaways and learnings! • Questions & Discussions? Today’s Agenda @madhuakula

  7. https://kubernetes.io/docs/concepts/overview/what-is-kubernetes/#going-back-in-time What is Docker? @madhuakula

  8. • Docker is an open source platform for building, deploying,

    and managing containerized applications • Docker became the de facto standard to build and share containerized apps - from desktop, to the cloud, even edge devices • Docker enables developers to easily pack, ship, and run any application as a lightweight, portable, self-sufficient container, which can run virtually anywhere https://docs.docker.com/get-started/overview/ What is Docker? @madhuakula

  9. Kubernetes is a portable, extensible, open-source platform for managing containerized

    workloads and services, that facilitates both declarative configuration and automation. It has a large, rapidly growing ecosystem. Kubernetes services, support, and tools are widely available. https://kubernetes.io/docs/concepts/overview/what-is-kubernetes/ What is Kubernetes? @madhuakula

  10. https://commons.wikimedia.org/wiki/File:Kubernetes.png What is Kubernetes? @madhuakula

  11. Why Kubernetes Security for Developers?

  12. @madhuakula Why Kubernetes Security for Developers? https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/

  13. @madhuakula Why Kubernetes Security for Developers? https://github.com/cncf/financial-user-group/blob/master/projects/k8s-threat-model/AttackTrees/AccessSensitiveData.md

  14. Let’s go and see the hacking in action! @madhuakula

  15. What is Kubernetes Goat 🐐 Kubernetes Goat is an interactive

    Kubernetes security learning playground. Intentionally vulnerable by design scenarios to showcase the common misconfigurations, real-world vulnerabilities, and security issues in Kubernetes clusters, containers, and cloud native environments. @madhuakula

  16. ⚡ Get Started with Kubernetes Goat 🐐 https://madhuakula.com/kubernetes-goat @madhuakula

  17. ☸ Demo Time 🤞 @madhuakula

  18. What developers can do about Kubernetes Security? @madhuakula

  19. https://github.com/GoogleCloudPlatform/microservices-demo/ 19 Typical Microservices Architecture @madhuakula

  20. @madhuakula What developers can do about Kubernetes Security? • I

    think there is no single answer, approach here • Always look at the core problem and root cause and fix at that layer • Try to be self-service model by providing patterns in an actionable way • Be an helping hand for DevOps, SRE and Engineering teams rather pointing just issues ◦ Helping them to create secure and safe Helm charts, Dockerfiles, Templates, etc. ◦ Removing the blockers by being pragmatic and empathetic ◦ Eliminate the possible things early and at scale • Repeat after me: Education, Education, Education ◦ Most people don’t even understand the technology, leave about security. So educating them by teaching and practicing is the way to go 🚀

  21. Secure Manifests & Helm Charts & Kustomize… @madhuakula

  22. Resource Limits @madhuakula

  23. Least privileged RBAC @madhuakula

  24. Readiness & Liveness Probes @madhuakula

  25. Service Expose - Careful! @madhuakula

  26. Audit Logging @madhuakula

  27. NodeSelectors & Taints & Tolerations @madhuakula

  28. Network Security Policies @madhuakula

  29. Dockerfile Security @madhuakula

  30. Deployment Strategies @madhuakula

  31. [Open] Telemetry Data @madhuakula

  32. [Open] Tracing Data @madhuakula

  33. Many more… @madhuakula

  34. How developers can add value to Kubernetes Security? @madhuakula

  35. @madhuakula The missing pieces in the puzzle! • Nature of

    immutable infrastructure • Matching the speed of containers, infrastructure with security • Frequency of deployments and workloads • Size of the teams, deployments from both dev, ops, engineering and security • How frequently and repetitively we fix certain issues • Education, knowledge and skill gap • Maturity of the security and the alignment with stakeholders • Many others…

  36. Let’s go and see the fixing in action! @madhuakula

  37. ☸ Demo Time 🤞 @madhuakula

  38. ✅ Security is everyone’s responsibility (Dev, Ops, Security, Management, etc.)

    ⚠ Threat model your architecture and identify risks/threats 🙌 Follow and apply secure defaults 📚Know what you have (Inventory of assets) 🧱Adopt zero trust model (Zoning, Containment & Segmentation) 🎯Apply security at each layer (Defense in depth strategy) 🚨Follow least privilege principle 👮AuthN & AuthZ 🔐Encryption at REST & TRANSIT 🛡Proactive monitoring & Active defense 🔁Continuously analyse and apply feedback loops 👉 Crawl 🐢, Walk 🚶, Run 🏃, Fly ✈ Key Takeaways! @madhuakula

  39. Dank je wel 🙏 Want to learn more, have some

    feedback, or just wanted to say 👋 @madhuakula https://madhuakula.com