Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Practical Guide to Kubernetes Security for Deve...

Madhu Akula
January 12, 2023
Technology
0
53

Practical Guide to Kubernetes Security for Developers 🚀

Kubernetes become the defacto for deploying and managing applications from startups to enterprises. This means most developers start writing their application code, package them into containers and deploy them into clusters to serve the customers. But if you look at typical day-to-day development and operations from local development to production deployment, we perform a ton of things that can be potentially insecure patterns. As we use modern tools, and technologies we tend to forget to secure them while building and serving our customers. In this talk, we will see how we can secure Kubernetes workflows and how we can automate these security checks and validate them to identify potential security risks before deploying our applications and code into production.

Madhu Akula will be using Kubernetes Goat, an interactive Kubernetes security learning playground in this talk to demonstrate some security concerns and fix them live 🚀

Madhu Akula

January 12, 2023
Tweet

More Decks by Madhu Akula

See All by Madhu Akula
Interactive Kubernetes Security Learning Playground - Kubernetes Goat @ Black Hat Asia 2023 Arsenal
madhuakula
0
42
Mastering Kubernetes Security with Kubernetes Goat - Cloud-Native Modernization @ TechTarget
madhuakula
0
78
Kubernetes Security Detection Engineering – Mapping Back To MITRE ATT&CK Matrix | HITB 2023 AMS
madhuakula
0
96
Interactive Playground to Learn Kubernetes and Cloud Native Security - KubeCon + CloudNativeCon EU 2023
madhuakula
1
350
Scaling Kubernetes Security with Kubernetes Goat - All Day DevOps 2022
madhuakula
0
60
Scaling Kubernetes Security with Kubernetes Goat
madhuakula
0
110
Defenders Guide to Kubernetes Security - Dutch Microsoft & Security NL - Summer Security Night (+BBQ)
madhuakula
0
88
Kubernetes Goat - Interactive Kubernetes Security Playground: 2022 Edition
madhuakula
0
66
Kubernetes Goat - Practical Approach to Learn Kubernetes Security
madhuakula
0
55

Other Decks in Technology

See All in Technology
マルチプロダクトな開発組織で 「開発生産性」に向き合うために試みたこと / Improving Multi-Product Dev Productivity
sugamasao
1
310
ExaDB-D dbaascli で出来ること
oracle4engineer
PRO
0
3.9k
OCI Security サービス 概要
oracle4engineer
PRO
0
6.5k
エンジニア人生の拡張性を高める 「探索型キャリア設計」の提案
tenshoku_draft
1
130
TanStack Routerに移行するのかい しないのかい、どっちなんだい! / Are you going to migrate to TanStack Router or not? Which one is it?
kaminashi
0
630
B2B SaaSから見た最近のC#/.NETの進化
sansantech
PRO
0
960
TypeScriptの次なる大進化なるか!? 条件型を返り値とする関数の型推論
uhyo
2
1.8k
CysharpのOSS群から見るModern C#の現在地
neuecc
2
3.6k
20241120_JAWS_東京_ランチタイムLT#17_AWS認定全冠の先へ
tsumita
2
310
オープンソースAIとは何か? --「オープンソースAIの定義 v1.0」詳細解説
shujisado
10
1.4k
誰も全体を知らない ~ ロールの垣根を超えて引き上げる開発生産性 / Boosting Development Productivity Across Roles
kakehashi
2
240
AI前提のサービス運用ってなんだろう?
ryuichi1208
8
1.4k

Featured

See All Featured
The Art of Delivering Value - GDevCon NA Keynote
reverentgeek
8
900
Distributed Sagas: A Protocol for Coordinating Microservices
caitiem20
329
21k
Designing the Hi-DPI Web
ddemaree
280
34k
ReactJS: Keep Simple. Everything can be a component!
pedronauck
665
120k
実際に使うSQLの書き方 徹底解説 / pgcon21j-tutorial
soudai
169
50k
It's Worth the Effort
3n
183
27k
The Art of Programming - Codeland 2020
erikaheidi
52
13k
Building Adaptive Systems
keathley
38
2.3k
KATA
mclloyd
29
14k
CoffeeScript is Beautiful & I Never Want to Write Plain JavaScript Again
sstephenson
159
15k
Being A Developer After 40
akosma
87
590k
No one is an island. Learnings from fostering a developers community.
thoeni
19
3k

Transcript

  1. Madhu Akula Practical Guide to Kubernetes Security for Developers 🚀

  2. • Pragmatic Security Leader focusing on Cloud Native infrastructure, security,

    and startups • Creator of Kubernetes Goat, Hacker Container, tools.tldr.run, many other OSS projects. • Speaks & Trains at Blackhat, DEFCON, GitHub, USENIX, OWASP, All Day DevOps, SANS, DevSecCon, CNCF, c0c0n, Nullcon, SACON, null, many others around the globe. • Author of Security Automation with Ansible2, OWASP KSTG, whitepapers, etc. • Technical reviewer (multiple books) & Review board member of multiple conferences, organizations, communities, advisory, etc. • Found security vulnerabilities in 200+ organizations and products including Google, Microsoft, AT&T, Adobe, eBay, WordPress, Ntop, Cloudflare, Yahoo, LocalBitcoins, etc. • Certified Kubernetes(CKA/CKS), Offensive Security Certified Professional, etc. • Never ending learner! About Me 👋 @madhuakula

  3. How many of you heard about Kubernetes and don’t use?

  4. Are you running Kubernetes in Production?

  5. Who is responsible for your Kubernetes Security?

  6. • Introduction to Kubernetes & Architecture • Why developers should

    care about Kubernetes security? ◦ Threat Model, Attack Trees, MITRE, etc. ◦ Some real-world attacks, threats and examples ◦ Showcasing live hacking of attacks • What developer can do about Kubernetes security? ◦ Examples, patterns, core issues, etc. ◦ Education, Training, Knowledge and skill gaps • How developers can add value to Kubernetes security? ◦ What’s we really missing here! ◦ How we can achieve them? ◦ Tools, techniques and processes • Key takeaways and learnings! • Questions & Discussions? Today’s Agenda @madhuakula

  7. https://kubernetes.io/docs/concepts/overview/what-is-kubernetes/#going-back-in-time What is Docker? @madhuakula

  8. • Docker is an open source platform for building, deploying,

    and managing containerized applications • Docker became the de facto standard to build and share containerized apps - from desktop, to the cloud, even edge devices • Docker enables developers to easily pack, ship, and run any application as a lightweight, portable, self-sufficient container, which can run virtually anywhere https://docs.docker.com/get-started/overview/ What is Docker? @madhuakula

  9. Kubernetes is a portable, extensible, open-source platform for managing containerized

    workloads and services, that facilitates both declarative configuration and automation. It has a large, rapidly growing ecosystem. Kubernetes services, support, and tools are widely available. https://kubernetes.io/docs/concepts/overview/what-is-kubernetes/ What is Kubernetes? @madhuakula

  10. https://commons.wikimedia.org/wiki/File:Kubernetes.png What is Kubernetes? @madhuakula

  11. Why Kubernetes Security for Developers?

  12. @madhuakula Why Kubernetes Security for Developers? https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/

  13. @madhuakula Why Kubernetes Security for Developers? https://github.com/cncf/financial-user-group/blob/master/projects/k8s-threat-model/AttackTrees/AccessSensitiveData.md

  14. Let’s go and see the hacking in action! @madhuakula

  15. What is Kubernetes Goat 🐐 Kubernetes Goat is an interactive

    Kubernetes security learning playground. Intentionally vulnerable by design scenarios to showcase the common misconfigurations, real-world vulnerabilities, and security issues in Kubernetes clusters, containers, and cloud native environments. @madhuakula

  16. ⚡ Get Started with Kubernetes Goat 🐐 https://madhuakula.com/kubernetes-goat @madhuakula

  17. ☸ Demo Time 🤞 @madhuakula

  18. What developers can do about Kubernetes Security? @madhuakula

  19. https://github.com/GoogleCloudPlatform/microservices-demo/ 19 Typical Microservices Architecture @madhuakula

  20. @madhuakula What developers can do about Kubernetes Security? • I

    think there is no single answer, approach here • Always look at the core problem and root cause and fix at that layer • Try to be self-service model by providing patterns in an actionable way • Be an helping hand for DevOps, SRE and Engineering teams rather pointing just issues ◦ Helping them to create secure and safe Helm charts, Dockerfiles, Templates, etc. ◦ Removing the blockers by being pragmatic and empathetic ◦ Eliminate the possible things early and at scale • Repeat after me: Education, Education, Education ◦ Most people don’t even understand the technology, leave about security. So educating them by teaching and practicing is the way to go 🚀

  21. Secure Manifests & Helm Charts & Kustomize… @madhuakula

  22. Resource Limits @madhuakula

  23. Least privileged RBAC @madhuakula

  24. Readiness & Liveness Probes @madhuakula

  25. Service Expose - Careful! @madhuakula

  26. Audit Logging @madhuakula

  27. NodeSelectors & Taints & Tolerations @madhuakula

  28. Network Security Policies @madhuakula

  29. Dockerfile Security @madhuakula

  30. Deployment Strategies @madhuakula

  31. [Open] Telemetry Data @madhuakula

  32. [Open] Tracing Data @madhuakula

  33. Many more… @madhuakula

  34. How developers can add value to Kubernetes Security? @madhuakula

  35. @madhuakula The missing pieces in the puzzle! • Nature of

    immutable infrastructure • Matching the speed of containers, infrastructure with security • Frequency of deployments and workloads • Size of the teams, deployments from both dev, ops, engineering and security • How frequently and repetitively we fix certain issues • Education, knowledge and skill gap • Maturity of the security and the alignment with stakeholders • Many others…

  36. Let’s go and see the fixing in action! @madhuakula

  37. ☸ Demo Time 🤞 @madhuakula

  38. ✅ Security is everyone’s responsibility (Dev, Ops, Security, Management, etc.)

    ⚠ Threat model your architecture and identify risks/threats 🙌 Follow and apply secure defaults 📚Know what you have (Inventory of assets) 🧱Adopt zero trust model (Zoning, Containment & Segmentation) 🎯Apply security at each layer (Defense in depth strategy) 🚨Follow least privilege principle 👮AuthN & AuthZ 🔐Encryption at REST & TRANSIT 🛡Proactive monitoring & Active defense 🔁Continuously analyse and apply feedback loops 👉 Crawl 🐢, Walk 🚶, Run 🏃, Fly ✈ Key Takeaways! @madhuakula

  39. Dank je wel 🙏 Want to learn more, have some

    feedback, or just wanted to say 👋 @madhuakula https://madhuakula.com