Kubernetes Security Jumpstart

Details
Kubernetes helps with microservice-based app problems like scaling, deployment and discovery. But k8s is not a container security tool, and it would be a big mistake to assume that it can defend your apps from security vulnerabilities. We will explore steps we can take towards k8s security.

Kubernetes makes it possible to run containerized applications at scale. It solves many problems of microservice architecture by abstracting away things like container deployment, container-to-container communication and load balancing. While Kubernetes is great at many things, it seems to be lacking in terms of security. It has some security features, but in most respects it is not production-grade security, at least not by default.

If you are thinking about Kubernetes, or have already started using it for your production workload, there are some steps you can follow to make sure your environments and applications are secure.

In this talk we will discuss some best practices for Kubernetes security. From container image to secret management, we will try to cover it all. And after this talk hopefully we will all be in a better position to harden and secure our Kubernetes cluster.

Mofizur Rahman

October 14, 2019

Transcript

  1. @moficodes Agenda
     • Security and us
     • Security in Kubernetes
     • Context
     • Get started with Kubernetes Security

  2. @moficodes Image Scanning and Analysis
     • Anchore (Free Apache) + Commercial Offering
     • Clair (Free Apache)
     • Dagda (Free Apache)
     • KubeXRay (Free Apache) + Requires Commercial JFrog Product
     • Snyk (Free Apache) + Commercial Offering
     • Trivy (Free Apache) + Commercial Offering

  3. @moficodes K8s Network Security
     • Aporeto (Commercial)
     • Calico (Free Apache)
     • Cilium (Free Apache)
     • Tigera (Commercial)
     • Trireme (Free Apache)

  4. @moficodes Security Audit
     • Kube-bench (Free Apache)
     • Kube-hunter (Free Apache)
     • Kubeaudit (Free MIT)
     • Kubesec (Free Apache)
     • Open Policy Agent (Free Apache)

  5. @moficodes E2E Commercial Security Products
     • Aqua Security
     • Capsule8
     • Cavirin
     • Google SCC
     • Layered Insight (Qualys)
     • NeuVector
     • StackRox
     • Sysdig Secure
     • Tenable Container Security
     • Twistlock (Palo Alto)

  6. @moficodes Feature comparison

     Columns: Image Scanning | Container Compliance | Runtime Security | Network Security | Forensics | Kubernetes Audit

     • AquaSec: ✔ ✔ ✔ ✔ ✔ ✔
     • Capsule8: ✔ ✔ ✔ ✔
     • Cavirin: ✔ ✔ ✔ ✔
     • Google SCC: ✔ ✔ ✔ (Forensics: pluggable forensics) ✔
     • Layered Insight: ✔ ✔ ✔ ✔
     • NeuVector: ✔ ✔ ✔ ✔ ✔ ✔
     • StackRox: ✔ ✔ ✔ ✔ ✔ ✔
     • Sysdig Secure: ✔ ✔ ✔ ✔ ✔* ✔
     • Tenable Container Security: ✔ ✔ ✔
     • Twistlock: ✔ ✔ ✔ ✔ ✔ ✔

     Rows with fewer than six marks do not indicate which of the six columns apply; the slide text only preserves the count.