Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Kubernetes Security Jumpstart

Avatar for Mofizur Rahman Mofizur Rahman
October 14, 2019
Technology
0
84

Kubernetes Security Jumpstart

Details
Kubernetes helps with microservice based app problems like scaling, deployment and discovery. But k8s is not a container security tool, and it would be a big mistake to assume that it can defend your apps from security vulnerabilities. We will explore steps we can take towards k8s security.

Kubernetes makes it possible to run containerized application at scale. It solves many problems of microservice architecture by abstracting away things like container deployment, container-to-container communication, load balancing. While Kubernetes is great at it many things, it seems to be lacking in terms of security. It has some security features but in most respect it is not production grade security, at least not by default.

If you are thinking about or already started with Kubernetes for your production workload, there are some steps you could follow to make sure your environments sand applications is secure.

In this talk we will discuss some best practices for Kubernetes security. From container image to secret management, we will try to cover it all. And after this talk hopefully we will all be in a better position to harden and secure our Kubernetes cluster.
Avatar for Mofizur Rahman

Mofizur Rahman

October 14, 2019
Tweet

More Decks by Mofizur Rahman

See All by Mofizur Rahman
Running Batch Workload on K8s at Scale
Avatar for Mofizur Rahman moficodes
0
55
Managing Kubernetes with Istio
Avatar for Mofizur Rahman moficodes
0
69
Building A SMS Sender Microservice
Avatar for Mofizur Rahman moficodes
0
89
Managing Kubernetes with Istio
Avatar for Mofizur Rahman moficodes
0
42
KNative: Serverless computing on Kubernetes
Avatar for Mofizur Rahman moficodes
1
46
Kubernete Second Week
Avatar for Mofizur Rahman moficodes
0
42
Managing Kubernetes with Istio
Avatar for Mofizur Rahman moficodes
0
35
Manage Kuberentes Deployment with Istio
Avatar for Mofizur Rahman moficodes
0
44
The What, Why and How of Knative on Kubernetes
Avatar for Mofizur Rahman moficodes
0
47

Other Decks in Technology

See All in Technology
20250705 Headlamp: 專注可擴展性的 Kubernetes 用戶界面
Avatar for Phil Huang pichuang
0
290
いつの間にか入れ替わってる!?新しいAWS Security Hubとは?
Avatar for cm-usuda-keisuke cmusudakeisuke
0
140
対話型音声AIアプリケーションの信頼性向上の取り組み
Avatar for 株式会社IVRy(社員登壇資料) ivry_presentationmaterials
1
390
さくらのIaaS基盤のモニタリングとOpenTelemetry/OSC Hokkaido 2025
Avatar for FUJIWARA Shunichiro fujiwara3
3
460
american aa airlines®️ USA Contact Numbers: Complete 2025 Support Guide
Avatar for jackal5647 aaguide
0
390
敢えて生成AIを使わないマネジメント業務
Avatar for Kazuki Maeda kzkmaeda
2
470
ABEMAの本番環境負荷試験への挑戦
Avatar for Miyazaki Taiga mk2taiga
4
300
DBのスキルで生き残る技術 - AI時代におけるテーブル設計の勘所
Avatar for soudai sone soudai
PRO
54
21k
VGGT: Visual Geometry Grounded Transformer
Avatar for peisuke peisuke
0
160
衛星運用をソフトウェアエンジニアに依頼したときにできあがるもの
Avatar for Takahiro Miyoshi sankichi92
1
160
マネジメントって難しい、けどおもしろい / Management is tough, but fun! #em_findy
Avatar for ar_tama ar_tama
7
1.2k
2025-07-06 QGIS初級ハンズオン「はじめてのQGIS」
Avatar for kou_kita kou_kita
0
180

Featured

See All Featured
Sharpening the Axe: The Primacy of Toolmaking
Avatar for Bryan Cantrill bcantrill
44
2.4k
Fight the Zombie Pattern Library - RWD Summit 2016
Avatar for Marcelo Somers marcelosomers
233
17k
10 Git Anti Patterns You Should be Aware of
Avatar for Lemi Orhan Ergin lemiorhan
PRO
656
60k
RailsConf & Balkan Ruby 2019: The Past, Present, and Future of Rails at GitHub
Avatar for Eileen M. Uchitelle eileencodes
138
34k
YesSQL, Process and Tooling at Scale
Avatar for Rocio Delgado rocio
173
14k
Learning to Love Humans: Emotional Interface Design
Avatar for Aarron Walter aarron
273
40k
The Myth of the Modular Monolith - Day 2 Keynote - Rails World 2024
Avatar for Eileen M. Uchitelle eileencodes
26
2.9k
The Psychology of Web Performance [Beyond Tellerrand 2023]
Avatar for Tammy Everts tammyeverts
48
2.9k
Cheating the UX When There Is Nothing More to Optimize - PixelPioneers
Avatar for Stéphanie Walter stephaniewalter
281
13k
Making Projects Easy
Avatar for Brett Harned brettharned
116
6.3k
Let's Do A Bunch of Simple Stuff to Make Websites Faster
Avatar for Chris Coyier chriscoyier
507
140k
Evolution of real-time – Irina Nazarova, EuRuKo, 2024
Avatar for Irina Nazarova irinanazarova
8
830

Transcript

  1. Kubernetes Security Jumpstart

  2. @moficodes Are computers less secure than “real life”?

  3. @moficodes Is this secure?

  4. @moficodes Is this secure?

  5. @moficodes Maybe this?

  6. @moficodes “Hidden Camera”

  7. @moficodes How about these?

  8. @moficodes This?

  9. @moficodes Maybe this is it?

  10. @moficodes So what’s the point of all these?

  11. @moficodes Security is a spectrum

  12. @moficodes Things can be more secure or less secure. Never

    just “Secure”

  13. @moficodes Remember this?

  14. @moficodes After 4 mins in lockpickinglawyers hand

  15. @moficodes Security is Hard

  16. @moficodes Because attacking computers is easier.

  17. @moficodes In “Real Life” you can assume many things.

  18. @moficodes

  19. @moficodes Everything is an adversary on the Internet

  20. @moficodes Trust No One.

  21. @moficodes Agenda • Security and us • Security in Kubernetes

    Context • Get started with Kubernetes Security

  22. Mofizur Rahman Developer Advocate, IBM Do Container Stuff, Collect Stickers,

    Write go code @moficodes

  23. @moficodes Kubernetes Security

  24. @moficodes Kubernetes Security Application Security Container Security Image Security Infrastructure

    Network Security Runtime K8s Security

  25. @moficodes Application Security

  26. @moficodes Application Security Use best practices for application security

  27. @moficodes Container Security

  28. @moficodes No unknown base image

  29. @moficodes Lock down versions

  30. @moficodes Update for vulnerability remediation

  31. @moficodes Limited Attack Vector

  32. @moficodes Image Security

  33. @moficodes Least Privilege Access

  34. @moficodes Root is the Root of all evil

  35. @moficodes Infrastructure Security

  36. @moficodes Don’t expose underlying infrastructure

  37. @moficodes Metadata is more valuable than you think.

  38. @moficodes Hardened Nodes

  39. @moficodes Update regularly

  40. @moficodes

  41. @moficodes Network Security

  42. @moficodes Network Segmentations

  43. @moficodes Cluster Network Policies

  44. @moficodes Runtime K8S Security

  45. @moficodes RBAC is your friend

  46. @moficodes Define Quotas

  47. @moficodes Monitor and Log

  48. @moficodes Admission Controllers

  49. @moficodes Encrypt at Rest

  50. @moficodes Tools

  51. @moficodes Image Scanning and Analysis

  52. @moficodes Image Scanning and Analysis Anchore (Free Apache) + Commercial

    Offering Clair (Free Apache) Dagda (Free Apache) KubeXRay (Free Apache) + Requires Commercial JFrog Product Snyk (Free Apache) + Commercial Offering Trivy (Free Apache) + commercial offering

  53. @moficodes Runtime Security

  54. @moficodes Runtime Security Falco (Free Apache) AppArmor Seccomp Selinux Sysdig

    OS (Free Apache)

  55. @moficodes K8s Network Security

  56. @moficodes K8s Network Security Aporeto (Commercial) Calico (Free Apache) Cilium

    (Free Apache) Tigera (Commercial) Trireme (Free Apache)

  57. @moficodes Secrets Management

  58. @moficodes Secrets Management Vault (Free MPL)

  59. @moficodes Image Distribution

  60. @moficodes Image Distribution Grafeas (Free Apache) In-toto (Free Apache) Portieris

    (Free Apache)

  61. @moficodes Security Audit

  62. @moficodes Security Audit Kube-bench (Free Apache) Kube-hunter (Free Apache) Kubeaudit

    (Free MIT) Kubesec (Free Apache) Open Policy Agent (Free Apache)

  63. @moficodes E2E Commercial Security Products

  64. @moficodes E2E Commercial Security Products Aqua Security Capsule8 Cavirin Google

    SCC Layered Insight (Qualys) Neuvector StackRox Sysdig Secure Tenable Container Security Twistlock (Palo Alto)

  65. @moficodes Image Scanning Container Compliance Runtime Security Network Security Forensics

    Kubernetes Audit AquaSec ✔ ✔ ✔ ✔ ✔ ✔ Capsule8 ✔ ✔ ✔ ✔ Caviring ✔ ✔ ✔ ✔ Google SCC ✔ ✔ ✔ Pluggable forensics ✔ Layered Insight ✔ ✔ ✔ ✔ NeuVector ✔ ✔ ✔ ✔ ✔ ✔ StackRox ✔ ✔ ✔ ✔ ✔ ✔ Sysdig Secure ✔ ✔ ✔ ✔ ✔* ✔ Tenable Container security ✔ ✔ ✔ Twistlock ✔ ✔ ✔ ✔ ✔ ✔

  66. @moficodes Service Mesh

  67. @moficodes Service Mesh Istio Linkerd 1.x Linkerd 2.x Kuma Maesh

  68. @moficodes Are computers less secure than “real life”?

  69. @moficodes Security is a spectrum

  70. @moficodes Things can be more secure or less secure. Never

    just “Secure”

  71. @moficodes

  72. @moficodes Go out there and secure your Kubernetes.

  73. @moficodes

  74. @moficodes Thank You! I would love to hear your question,

    comments, stories. @moficodes