
Practical Guide to Kubernetes Security for Developers 🚀


Kubernetes has become the de facto standard for deploying and managing applications, from startups to enterprises. This means most developers write their application code, package it into containers, and deploy it into clusters to serve customers. But if you look at typical day-to-day development and operations, from local development to production deployment, we do a ton of things that are potentially insecure patterns. As we adopt modern tools and technologies, we tend to forget to secure them while building and serving our customers. In this talk, we will see how we can secure Kubernetes workflows, and how we can automate and validate these security checks to identify potential security risks before deploying our applications and code into production.

Madhu Akula will be using Kubernetes Goat, an interactive Kubernetes security learning playground in this talk to demonstrate some security concerns and fix them live 🚀

Madhu Akula

January 12, 2023


Transcript

  1. About Me 👋 @madhuakula
     • Pragmatic Security Leader focusing on Cloud Native infrastructure, security, and startups
     • Creator of Kubernetes Goat, Hacker Container, tools.tldr.run, and many other OSS projects
     • Speaks & trains at Blackhat, DEFCON, GitHub, USENIX, OWASP, All Day DevOps, SANS, DevSecCon, CNCF, c0c0n, Nullcon, SACON, null, and many others around the globe
     • Author of Security Automation with Ansible 2, OWASP KSTG, whitepapers, etc.
     • Technical reviewer (multiple books) & review board member of multiple conferences, organizations, communities, advisory boards, etc.
     • Found security vulnerabilities in 200+ organizations and products including Google, Microsoft, AT&T, Adobe, eBay, WordPress, Ntop, Cloudflare, Yahoo, LocalBitcoins, etc.
     • Certified Kubernetes (CKA/CKS), Offensive Security Certified Professional, etc.
     • Never-ending learner!
  2. Today's Agenda
     • Introduction to Kubernetes & architecture
     • Why should developers care about Kubernetes security?
       ◦ Threat model, attack trees, MITRE, etc.
       ◦ Some real-world attacks, threats and examples
       ◦ Showcasing live hacking of attacks
     • What can developers do about Kubernetes security?
       ◦ Examples, patterns, core issues, etc.
       ◦ Education, training, knowledge and skill gaps
     • How can developers add value to Kubernetes security?
       ◦ What are we really missing here?
       ◦ How can we achieve it?
       ◦ Tools, techniques and processes
     • Key takeaways and learnings!
     • Questions & discussions
  3. What is Docker?
     • Docker is an open source platform for building, deploying, and managing containerized applications
     • Docker became the de facto standard to build and share containerized apps, from the desktop to the cloud and even edge devices
     • Docker enables developers to easily pack, ship, and run any application as a lightweight, portable, self-sufficient container, which can run virtually anywhere
     https://docs.docker.com/get-started/overview/
  4. What is Kubernetes?
     Kubernetes is a portable, extensible, open-source platform for managing containerized workloads and services, that facilitates both declarative configuration and automation. It has a large, rapidly growing ecosystem. Kubernetes services, support, and tools are widely available.
     https://kubernetes.io/docs/concepts/overview/what-is-kubernetes/
  5. What is Kubernetes Goat 🐐
     Kubernetes Goat is an interactive Kubernetes security learning playground. It provides intentionally vulnerable-by-design scenarios that showcase the common misconfigurations, real-world vulnerabilities, and security issues in Kubernetes clusters, containers, and cloud native environments.
  6. What can developers do about Kubernetes security?
     • I think there is no single answer or approach here
     • Always look at the core problem and root cause, and fix it at that layer
     • Aim for a self-service model by providing patterns in an actionable way
     • Be a helping hand for DevOps, SRE and Engineering teams rather than just pointing out issues
       ◦ Help them create secure and safe Helm charts, Dockerfiles, templates, etc.
       ◦ Remove blockers by being pragmatic and empathetic
       ◦ Eliminate the possible issues early and at scale
     • Repeat after me: Education, Education, Education
       ◦ Most people don't even understand the technology, let alone its security. So educating them by teaching and practicing is the way to go 🚀
  7. The missing pieces in the puzzle!
     • The nature of immutable infrastructure
     • Matching the speed of containers and infrastructure with security
     • Frequency of deployments and workloads
     • Size of the teams and deployments across dev, ops, engineering and security
     • How frequently and repetitively we fix certain issues
     • Education, knowledge and skill gap
     • Maturity of the security program and its alignment with stakeholders
     • Many others…
  8. Key Takeaways!
     ✅ Security is everyone's responsibility (Dev, Ops, Security, Management, etc.)
     ⚠ Threat model your architecture and identify risks/threats
     🙌 Follow and apply secure defaults
     📚 Know what you have (inventory of assets)
     🧱 Adopt a zero trust model (zoning, containment & segmentation)
     🎯 Apply security at each layer (defense in depth strategy)
     🚨 Follow the least privilege principle
     👮 AuthN & AuthZ
     🔐 Encryption at rest & in transit
     🛡 Proactive monitoring & active defense
     🔁 Continuously analyse and apply feedback loops
     👉 Crawl 🐢, Walk 🚶, Run 🏃, Fly ✈
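As an added example (not from the talk or from Kubernetes Goat) of the secure-defaults and least-privilege takeaways above, and of the kind of safe template slide 6 asks developers to hand to DevOps teams: the same workload written twice, first with the shortcuts a developer typically takes, then with secure defaults applied. The image references and the `demo` namespace are assumed placeholders.

```yaml
# Added example (not from the talk): the same workload twice, first with the
# shortcuts a developer typically takes, then with secure defaults applied.
# Image references and the "demo" namespace are placeholders.
apiVersion: v1
kind: Pod
metadata:
  name: shop-api-weak
  namespace: demo
spec:
  containers:
    - name: api
      image: example.com/shop-api:latest   # mutable tag: what runs can change silently
      securityContext:
        privileged: true                   # full access to the host kernel and devices
      # no resource limits: one runaway pod can starve the node
---
apiVersion: v1
kind: Pod
metadata:
  name: shop-api-hardened
  namespace: demo
spec:
  automountServiceAccountToken: false      # the app never talks to the API server
  securityContext:
    runAsNonRoot: true                     # kubelet refuses to start a root container
    runAsUser: 10001
    runAsGroup: 10001
    seccompProfile:
      type: RuntimeDefault                 # block rarely used syscalls by default
  containers:
    - name: api
      image: example.com/shop-api@sha256:<digest>   # pinned by digest (placeholder)
      securityContext:
        allowPrivilegeEscalation: false    # no setuid/setcap gains inside the container
        readOnlyRootFilesystem: true       # code and config cannot be modified at runtime
        capabilities:
          drop: ["ALL"]                    # least privilege: add back only what is needed
      resources:
        requests: { cpu: "100m", memory: "128Mi" }
        limits: { cpu: "500m", memory: "256Mi" }
      volumeMounts:
        - name: tmp
          mountPath: /tmp                  # writable scratch space for the read-only rootfs
  volumes:
    - name: tmp
      emptyDir: {}
```

The hardened spec satisfies the Restricted profile of the Pod Security Standards, so a namespace labelled `pod-security.kubernetes.io/enforce=restricted` admits it and rejects the weak one at admission time, before anything runs.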
  9. Thank you 🙏 Want to learn more, have some feedback, or just want to say 👋? @madhuakula https://madhuakula.com