Slide 1

Practical Guide to Kubernetes Security for Developers 🚀
Madhu Akula

Slide 2

About Me 👋 @madhuakula

● Pragmatic security leader focusing on cloud native infrastructure, security, and startups
● Creator of Kubernetes Goat, Hacker Container, tools.tldr.run and many other OSS projects
● Speaks and trains at Black Hat, DEFCON, GitHub, USENIX, OWASP, All Day DevOps, SANS, DevSecCon, CNCF, c0c0n, Nullcon, SACON, null and many others around the globe
● Author of Security Automation with Ansible 2, OWASP KSTG, whitepapers, etc.
● Technical reviewer (multiple books) and review board member of multiple conferences, organizations, communities, advisory boards, etc.
● Found security vulnerabilities in 200+ organizations and products including Google, Microsoft, AT&T, Adobe, eBay, WordPress, Ntop, Cloudflare, Yahoo, LocalBitcoins, etc.
● Certified Kubernetes (CKA/CKS), Offensive Security Certified Professional, etc.
● Never-ending learner!

Slide 3

How many of you have heard about Kubernetes but don't use it?

Slide 4

Are you running Kubernetes in production?

Slide 5

Who is responsible for your Kubernetes security?

Slide 6

Today's Agenda

● Introduction to Kubernetes & architecture
● Why should developers care about Kubernetes security?
  ○ Threat model, attack trees, MITRE, etc.
  ○ Some real-world attacks, threats and examples
  ○ Showcasing live hacking of attacks
● What can developers do about Kubernetes security?
  ○ Examples, patterns, core issues, etc.
  ○ Education, training, knowledge and skill gaps
● How can developers add value to Kubernetes security?
  ○ What are we really missing here?
  ○ How can we achieve it?
  ○ Tools, techniques and processes
● Key takeaways and learnings!
● Questions & discussion

Slide 7

What is Docker?

https://kubernetes.io/docs/concepts/overview/what-is-kubernetes/#going-back-in-time

Slide 8

What is Docker?

● Docker is an open source platform for building, deploying, and managing containerized applications
● Docker became the de facto standard to build and share containerized apps - from desktop, to the cloud, even edge devices
● Docker enables developers to easily pack, ship, and run any application as a lightweight, portable, self-sufficient container, which can run virtually anywhere

https://docs.docker.com/get-started/overview/

Slide 9

What is Kubernetes?

Kubernetes is a portable, extensible, open-source platform for managing containerized workloads and services, that facilitates both declarative configuration and automation. It has a large, rapidly growing ecosystem. Kubernetes services, support, and tools are widely available.

https://kubernetes.io/docs/concepts/overview/what-is-kubernetes/

Slide 10

What is Kubernetes?

https://commons.wikimedia.org/wiki/File:Kubernetes.png

Slide 11

Why Kubernetes Security for Developers?

Slide 12

Why Kubernetes Security for Developers?

https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/

Slide 13

Why Kubernetes Security for Developers?

https://github.com/cncf/financial-user-group/blob/master/projects/k8s-threat-model/AttackTrees/AccessSensitiveData.md

Slide 14

Let's go and see the hacking in action!

Slide 15

What is Kubernetes Goat 🐐

Kubernetes Goat is an interactive Kubernetes security learning playground. It provides intentionally vulnerable-by-design scenarios that showcase the common misconfigurations, real-world vulnerabilities, and security issues in Kubernetes clusters, containers, and cloud native environments.

Slide 16

⚡ Get Started with Kubernetes Goat 🐐

https://madhuakula.com/kubernetes-goat

Slide 17

☸ Demo Time 🤞

Slide 18

What can developers do about Kubernetes security?

Slide 19

Typical Microservices Architecture

https://github.com/GoogleCloudPlatform/microservices-demo/

Slide 20

What can developers do about Kubernetes security?

● I think there is no single answer or approach here
● Always look at the core problem and root cause, and fix it at that layer
● Try to build a self-service model by providing patterns in an actionable way
● Be a helping hand for DevOps, SRE and engineering teams rather than just pointing out issues
  ○ Help them create secure and safe Helm charts, Dockerfiles, templates, etc.
  ○ Remove blockers by being pragmatic and empathetic
  ○ Eliminate what can be eliminated early and at scale
● Repeat after me: Education, Education, Education
  ○ Most people don't even understand the technology, let alone its security. Educating them by teaching and practising is the way to go 🚀

Slide 21

Secure Manifests & Helm Charts & Kustomize…

Slide 22

Resource Limits

Slide 23

Least Privileged RBAC

Slide 24

Readiness & Liveness Probes

Slide 25

Service Exposure - Careful!

Slide 26

Audit Logging

Slide 27

NodeSelectors & Taints & Tolerations

Slide 28

Network Security Policies

Slide 29

Dockerfile Security

Slide 30

Deployment Strategies

Slide 31

[Open] Telemetry Data

Slide 32

[Open] Tracing Data

Slide 33

Many more…
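The manifest items on slides 22 through 28 (resource limits, probes, careful service exposure, a restrictive securityContext) turned into a small checker, added here as an example and not code from the deck or from the Kubernetes Goat project. Manifests are passed as the dicts yaml.safe_load would return so it runs without PyYAML, and the sample Deployment is constructed for illustration.

```python
# Constructed sample: a Deployment that omits the fields the slides ask for,
# written as the dict yaml.safe_load would return so this runs without PyYAML.
WEAK_DEPLOYMENT = {
    "kind": "Deployment",
    "spec": {"template": {"spec": {
        "hostNetwork": True,
        "containers": [{"name": "app", "image": "example/app:1.0",
                        "securityContext": {"privileged": True}}],
    }}},
}


def check_container(c: dict) -> list[str]:
    """Per-container checks: resource limits, both probes, restrictive securityContext."""
    name, out = c.get("name", "<unnamed>"), []
    limits = c.get("resources", {}).get("limits", {})
    out += [f"{name}: no {r} limit" for r in ("cpu", "memory") if r not in limits]
    out += [f"{name}: missing {p}" for p in ("livenessProbe", "readinessProbe") if p not in c]
    sc = c.get("securityContext", {})
    if sc.get("privileged"):
        out.append(f"{name}: privileged container")
    if sc.get("allowPrivilegeEscalation", True):  # unset means escalation is allowed
        out.append(f"{name}: allowPrivilegeEscalation not set to false")
    if not sc.get("runAsNonRoot"):
        out.append(f"{name}: runAsNonRoot not set")
    if not sc.get("readOnlyRootFilesystem"):
        out.append(f"{name}: writable root filesystem")
    return out


def check_pod_spec(spec: dict) -> list[str]:
    """Pod-level checks: shared host namespaces, then every container."""
    out = [f"pod: {f} enabled" for f in ("hostNetwork", "hostPID", "hostIPC") if spec.get(f)]
    for c in spec.get("containers", []):
        out += check_container(c)
    return out


def check_manifest(obj: dict) -> list[str]:
    """Dispatch on kind; Services get the exposure check from slide 25."""
    kind, spec = obj.get("kind"), obj.get("spec", {})
    if kind == "Pod":
        return check_pod_spec(spec)
    if kind in ("Deployment", "StatefulSet", "DaemonSet"):
        return check_pod_spec(spec["template"]["spec"])
    if kind == "Service" and spec.get("type") in ("LoadBalancer", "NodePort"):
        return [f"service: exposed outside the cluster via {spec['type']}"]
    return []
```

check_manifest(WEAK_DEPLOYMENT) returns nine findings for the sample; an empty list means every check passed.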

Slide 34

How can developers add value to Kubernetes security?

Slide 35

The missing pieces in the puzzle!

● The nature of immutable infrastructure
● Matching the speed of containers and infrastructure with security
● Frequency of deployments and workloads
● Size of the teams and deployments across dev, ops, engineering and security
● How frequently and repetitively we fix certain issues
● Education, knowledge and skill gaps
● Maturity of security and its alignment with stakeholders
● Many others…

Slide 36

Let's go and see the fixing in action!

Slide 37

☸ Demo Time 🤞

Slide 38

Key Takeaways!

✅ Security is everyone's responsibility (Dev, Ops, Security, Management, etc.)
⚠ Threat model your architecture and identify risks/threats
🙌 Follow and apply secure defaults
📚 Know what you have (inventory of assets)
🧱 Adopt a zero trust model (zoning, containment & segmentation)
🎯 Apply security at each layer (defense in depth strategy)
🚨 Follow the least privilege principle
👮 AuthN & AuthZ
🔐 Encryption at rest & in transit
🛡 Proactive monitoring & active defense
🔁 Continuously analyse and apply feedback loops
👉 Crawl 🐢, Walk 🚶, Run 🏃, Fly ✈

Slide 39

Thank you 🙏

Want to learn more, have some feedback, or just want to say 👋?
@madhuakula
https://madhuakula.com