Madhu Akula Practical Guide to Kubernetes Security for Developers 🚀

● Pragmatic Security Leader focusing on Cloud Native infrastructure, security, and startups ● Creator of Kubernetes Goat, Hacker Container, tools.tldr.run, many other OSS projects. ● Speaks & Trains at Blackhat, DEFCON, GitHub, USENIX, OWASP, All Day DevOps, SANS, DevSecCon, CNCF, c0c0n, Nullcon, SACON, null, many others around the globe. ● Author of Security Automation with Ansible2, OWASP KSTG, whitepapers, etc. ● Technical reviewer (multiple books) & Review board member of multiple conferences, organizations, communities, advisory, etc. ● Found security vulnerabilities in 200+ organizations and products including Google, Microsoft, AT&T, Adobe, eBay, WordPress, Ntop, Cloudflare, Yahoo, LocalBitcoins, etc. ● Certified Kubernetes(CKA/CKS), Offensive Security Certified Professional, etc. ● Never ending learner! About Me 👋 @madhuakula

How many of you heard about Kubernetes and don’t use?

Are you running Kubernetes in Production?

Who is responsible for your Kubernetes Security?

● Introduction to Kubernetes & Architecture ● Why developers should care about Kubernetes security? ○ Threat Model, Attack Trees, MITRE, etc. ○ Some real-world attacks, threats and examples ○ Showcasing live hacking of attacks ● What developer can do about Kubernetes security? ○ Examples, patterns, core issues, etc. ○ Education, Training, Knowledge and skill gaps ● How developers can add value to Kubernetes security? ○ What’s we really missing here! ○ How we can achieve them? ○ Tools, techniques and processes ● Key takeaways and learnings! ● Questions & Discussions? Today’s Agenda @madhuakula

https://kubernetes.io/docs/concepts/overview/what-is-kubernetes/#going-back-in-time What is Docker? @madhuakula

● Docker is an open source platform for building, deploying, and managing containerized applications ● Docker became the de facto standard to build and share containerized apps - from desktop, to the cloud, even edge devices ● Docker enables developers to easily pack, ship, and run any application as a lightweight, portable, self-sufficient container, which can run virtually anywhere https://docs.docker.com/get-started/overview/ What is Docker? @madhuakula

Kubernetes is a portable, extensible, open-source platform for managing containerized workloads and services, that facilitates both declarative configuration and automation. It has a large, rapidly growing ecosystem. Kubernetes services, support, and tools are widely available. https://kubernetes.io/docs/concepts/overview/what-is-kubernetes/ What is Kubernetes? @madhuakula

https://commons.wikimedia.org/wiki/File:Kubernetes.png What is Kubernetes? @madhuakula

Why Kubernetes Security for Developers?

@madhuakula Why Kubernetes Security for Developers? https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/

@madhuakula Why Kubernetes Security for Developers? https://github.com/cncf/financial-user-group/blob/master/projects/k8s-threat-model/AttackTrees/AccessSensitiveData.md

Let’s go and see the hacking in action! @madhuakula

What is Kubernetes Goat 🐐 Kubernetes Goat is an interactive Kubernetes security learning playground. Intentionally vulnerable by design scenarios to showcase the common misconfigurations, real-world vulnerabilities, and security issues in Kubernetes clusters, containers, and cloud native environments. @madhuakula

⚡ Get Started with Kubernetes Goat 🐐 https://madhuakula.com/kubernetes-goat @madhuakula

☸ Demo Time 🤞 @madhuakula

What developers can do about Kubernetes Security? @madhuakula

https://github.com/GoogleCloudPlatform/microservices-demo/ 19 Typical Microservices Architecture @madhuakula

@madhuakula What developers can do about Kubernetes Security? ● I think there is no single answer, approach here ● Always look at the core problem and root cause and fix at that layer ● Try to be self-service model by providing patterns in an actionable way ● Be an helping hand for DevOps, SRE and Engineering teams rather pointing just issues ○ Helping them to create secure and safe Helm charts, Dockerfiles, Templates, etc. ○ Removing the blockers by being pragmatic and empathetic ○ Eliminate the possible things early and at scale ● Repeat after me: Education, Education, Education ○ Most people don’t even understand the technology, leave about security. So educating them by teaching and practicing is the way to go 🚀

Secure Manifests & Helm Charts & Kustomize… @madhuakula

Resource Limits @madhuakula

Least privileged RBAC @madhuakula

Readiness & Liveness Probes @madhuakula

Service Expose - Careful! @madhuakula

Audit Logging @madhuakula

NodeSelectors & Taints & Tolerations @madhuakula

Network Security Policies @madhuakula

Dockerfile Security @madhuakula

Deployment Strategies @madhuakula

[Open] Telemetry Data @madhuakula

[Open] Tracing Data @madhuakula

Many more… @madhuakula

How developers can add value to Kubernetes Security? @madhuakula

@madhuakula The missing pieces in the puzzle! ● Nature of immutable infrastructure ● Matching the speed of containers, infrastructure with security ● Frequency of deployments and workloads ● Size of the teams, deployments from both dev, ops, engineering and security ● How frequently and repetitively we fix certain issues ● Education, knowledge and skill gap ● Maturity of the security and the alignment with stakeholders ● Many others…

Let’s go and see the fixing in action! @madhuakula

☸ Demo Time 🤞 @madhuakula

✅ Security is everyone’s responsibility (Dev, Ops, Security, Management, etc.) ⚠ Threat model your architecture and identify risks/threats 🙌 Follow and apply secure defaults 📚Know what you have (Inventory of assets) 🧱Adopt zero trust model (Zoning, Containment & Segmentation) 🎯Apply security at each layer (Defense in depth strategy) 🚨Follow least privilege principle 👮AuthN & AuthZ 🔐Encryption at REST & TRANSIT 🛡Proactive monitoring & Active defense 🔁Continuously analyse and apply feedback loops 👉 Crawl 🐢, Walk 🚶, Run 🏃, Fly ✈ Key Takeaways! @madhuakula

Dank je wel 🙏 Want to learn more, have some feedback, or just wanted to say 👋 @madhuakula https://madhuakula.com