Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Kubernetes Security Jumpstart

Avatar for Mofizur Rahman Mofizur Rahman
October 14, 2019
Technology
0
84

Kubernetes Security Jumpstart

Details
Kubernetes helps with microservice based app problems like scaling, deployment and discovery. But k8s is not a container security tool, and it would be a big mistake to assume that it can defend your apps from security vulnerabilities. We will explore steps we can take towards k8s security.

Kubernetes makes it possible to run containerized application at scale. It solves many problems of microservice architecture by abstracting away things like container deployment, container-to-container communication, load balancing. While Kubernetes is great at it many things, it seems to be lacking in terms of security. It has some security features but in most respect it is not production grade security, at least not by default.

If you are thinking about or already started with Kubernetes for your production workload, there are some steps you could follow to make sure your environments sand applications is secure.

In this talk we will discuss some best practices for Kubernetes security. From container image to secret management, we will try to cover it all. And after this talk hopefully we will all be in a better position to harden and secure our Kubernetes cluster.
Avatar for Mofizur Rahman

Mofizur Rahman

October 14, 2019
Tweet

More Decks by Mofizur Rahman

See All by Mofizur Rahman
Running Batch Workload on K8s at Scale
Avatar for Mofizur Rahman moficodes
0
55
Managing Kubernetes with Istio
Avatar for Mofizur Rahman moficodes
0
69
Building A SMS Sender Microservice
Avatar for Mofizur Rahman moficodes
0
89
Managing Kubernetes with Istio
Avatar for Mofizur Rahman moficodes
0
42
KNative: Serverless computing on Kubernetes
Avatar for Mofizur Rahman moficodes
1
46
Kubernete Second Week
Avatar for Mofizur Rahman moficodes
0
42
Managing Kubernetes with Istio
Avatar for Mofizur Rahman moficodes
0
32
Manage Kuberentes Deployment with Istio
Avatar for Mofizur Rahman moficodes
0
44
The What, Why and How of Knative on Kubernetes
Avatar for Mofizur Rahman moficodes
0
46

Other Decks in Technology

See All in Technology
論文紹介:LLMDet (CVPR2025 Highlight)
Avatar for tattaka tattaka
0
190
自律的なスケーリング手法FASTにおけるVPoEとしてのアカウンタビリティ / dev-productivity-con-2025
Avatar for Yoshiki Iida yoshikiiida
0
220
CursorによるPMO業務の代替 / Automating PMO Tasks with Cursor
Avatar for Motoyoshi Kosei motoyoshi_kakaku
2
600
Liquid Glass革新とSwiftUI/UIKit進化
Avatar for Fumiya Sakai fumiyasac0921
0
290
OPENLOGI Company Profile for engineer
Avatar for OPENLOGI hr01
1
33k
登壇ネタの見つけ方 / How to find talk topics
Avatar for pinkumohikan pinkumohikan
5
570
BrainPadプログラミングコンテスト記念LT会2025_社内イベント&問題解説
Avatar for BrainPad brainpadpr
1
170
監視のこれまでとこれから/sakura monitoring seminar 2025
Avatar for FUJIWARA Shunichiro fujiwara3
11
4k
「良さそう」と「とても良い」の間には 「良さそうだがホンマか」がたくさんある / 2025.07.01 LLM品質Night
Avatar for Shumpei Miyawaki smiyawaki0820
1
420
KubeCon + CloudNativeCon Japan 2025 Recap by CA
Avatar for YuyaKoda ponkio_o
PRO
0
240
Lambda Web Adapterについて自分なりに理解してみた
Avatar for Makky12 smt7174
5
130
Node-RED × MCP 勉強会 vol.1
Avatar for 1ft-seabass 1ftseabass
PRO
0
170

Featured

See All Featured
ピンチをチャンスに:未来をつくるプロダクトロードマップ #pmconf2020
Avatar for Aki / @LoveIdahoBurger aki_iinuma
124
52k
Git: the NoSQL Database
Avatar for Brandon Keepers bkeepers
PRO
430
65k
Distributed Sagas: A Protocol for Coordinating Microservices
Avatar for Caitie McCaffrey caitiem20
331
22k
RailsConf 2023
Avatar for Aaron Patterson tenderlove
30
1.1k
KATA
Avatar for Megan Lloyd mclloyd
30
14k
Building a Scalable Design System with Sketch
Avatar for Laura Van Doore lauravandoore
462
33k
実際に使うSQLの書き方 徹底解説 / pgcon21j-tutorial
Avatar for soudai sone soudai
PRO
181
53k
A Tale of Four Properties
Avatar for Chris Coyier chriscoyier
160
23k
Save Time (by Creating Custom Rails Generators)
Avatar for Garrett Dimon garrettdimon
PRO
31
1.3k
How STYLIGHT went responsive
Avatar for nonsquared nonsquared
100
5.6k
Cheating the UX When There Is Nothing More to Optimize - PixelPioneers
Avatar for Stéphanie Walter stephaniewalter
281
13k
Evolution of real-time – Irina Nazarova, EuRuKo, 2024
Avatar for Irina Nazarova irinanazarova
8
800

Transcript

  1. Kubernetes Security Jumpstart

  2. @moficodes Are computers less secure than “real life”?

  3. @moficodes Is this secure?

  4. @moficodes Is this secure?

  5. @moficodes Maybe this?

  6. @moficodes “Hidden Camera”

  7. @moficodes How about these?

  8. @moficodes This?

  9. @moficodes Maybe this is it?

  10. @moficodes So what’s the point of all these?

  11. @moficodes Security is a spectrum

  12. @moficodes Things can be more secure or less secure. Never

    just “Secure”

  13. @moficodes Remember this?

  14. @moficodes After 4 mins in lockpickinglawyers hand

  15. @moficodes Security is Hard

  16. @moficodes Because attacking computers is easier.

  17. @moficodes In “Real Life” you can assume many things.

  18. @moficodes

  19. @moficodes Everything is an adversary on the Internet

  20. @moficodes Trust No One.

  21. @moficodes Agenda • Security and us • Security in Kubernetes

    Context • Get started with Kubernetes Security

  22. Mofizur Rahman Developer Advocate, IBM Do Container Stuff, Collect Stickers,

    Write go code @moficodes

  23. @moficodes Kubernetes Security

  24. @moficodes Kubernetes Security Application Security Container Security Image Security Infrastructure

    Network Security Runtime K8s Security

  25. @moficodes Application Security

  26. @moficodes Application Security Use best practices for application security

  27. @moficodes Container Security

  28. @moficodes No unknown base image

  29. @moficodes Lock down versions

  30. @moficodes Update for vulnerability remediation

  31. @moficodes Limited Attack Vector

  32. @moficodes Image Security

  33. @moficodes Least Privilege Access

  34. @moficodes Root is the Root of all evil

  35. @moficodes Infrastructure Security

  36. @moficodes Don’t expose underlying infrastructure

  37. @moficodes Metadata is more valuable than you think.

  38. @moficodes Hardened Nodes

  39. @moficodes Update regularly

  40. @moficodes

  41. @moficodes Network Security

  42. @moficodes Network Segmentations

  43. @moficodes Cluster Network Policies

  44. @moficodes Runtime K8S Security

  45. @moficodes RBAC is your friend

  46. @moficodes Define Quotas

  47. @moficodes Monitor and Log

  48. @moficodes Admission Controllers

  49. @moficodes Encrypt at Rest

  50. @moficodes Tools

  51. @moficodes Image Scanning and Analysis

  52. @moficodes Image Scanning and Analysis Anchore (Free Apache) + Commercial

    Offering Clair (Free Apache) Dagda (Free Apache) KubeXRay (Free Apache) + Requires Commercial JFrog Product Snyk (Free Apache) + Commercial Offering Trivy (Free Apache) + commercial offering

  53. @moficodes Runtime Security

  54. @moficodes Runtime Security Falco (Free Apache) AppArmor Seccomp Selinux Sysdig

    OS (Free Apache)

  55. @moficodes K8s Network Security

  56. @moficodes K8s Network Security Aporeto (Commercial) Calico (Free Apache) Cilium

    (Free Apache) Tigera (Commercial) Trireme (Free Apache)

  57. @moficodes Secrets Management

  58. @moficodes Secrets Management Vault (Free MPL)

  59. @moficodes Image Distribution

  60. @moficodes Image Distribution Grafeas (Free Apache) In-toto (Free Apache) Portieris

    (Free Apache)

  61. @moficodes Security Audit

  62. @moficodes Security Audit Kube-bench (Free Apache) Kube-hunter (Free Apache) Kubeaudit

    (Free MIT) Kubesec (Free Apache) Open Policy Agent (Free Apache)

  63. @moficodes E2E Commercial Security Products

  64. @moficodes E2E Commercial Security Products Aqua Security Capsule8 Cavirin Google

    SCC Layered Insight (Qualys) Neuvector StackRox Sysdig Secure Tenable Container Security Twistlock (Palo Alto)

  65. @moficodes Image Scanning Container Compliance Runtime Security Network Security Forensics

    Kubernetes Audit AquaSec ✔ ✔ ✔ ✔ ✔ ✔ Capsule8 ✔ ✔ ✔ ✔ Caviring ✔ ✔ ✔ ✔ Google SCC ✔ ✔ ✔ Pluggable forensics ✔ Layered Insight ✔ ✔ ✔ ✔ NeuVector ✔ ✔ ✔ ✔ ✔ ✔ StackRox ✔ ✔ ✔ ✔ ✔ ✔ Sysdig Secure ✔ ✔ ✔ ✔ ✔* ✔ Tenable Container security ✔ ✔ ✔ Twistlock ✔ ✔ ✔ ✔ ✔ ✔

  66. @moficodes Service Mesh

  67. @moficodes Service Mesh Istio Linkerd 1.x Linkerd 2.x Kuma Maesh

  68. @moficodes Are computers less secure than “real life”?

  69. @moficodes Security is a spectrum

  70. @moficodes Things can be more secure or less secure. Never

    just “Secure”

  71. @moficodes

  72. @moficodes Go out there and secure your Kubernetes.

  73. @moficodes

  74. @moficodes Thank You! I would love to hear your question,

    comments, stories. @moficodes