Securing Drupal on Kubernetes Sydney Drupal Meetup - March 2020 

Disclaimers * Presentation not finished - DrupalCon postponed :( * Assumes knowledge of infrastructure and Kubernetes concepts * Not a comprehensive guide to security on Kubernetes 

Stop the Boats Bots 

Web Application Firewall (WAF) ● Configure rules to identify malicious requests. ● Analyse incoming requests against configured rules. ● Block matching requests. 

Web Application Firewall (WAF) ● Block common paths for other frameworks /wp-admin.php *.aspx *.cgi /autodiscover/autodiscover.xml ● Managed Rules (eg OWASP Top 10) ● Drupal Steward(?) 

Web Application Firewall (WAF) ● AWS WAF ○ https://aws.amazon.com/waf/ ● CloudFlare WAF ○ https://www.cloudflare.com/waf/ ○ https://www.videodrupal.org/video/20190707/sean-hamlin-securing-your-drupal-site-clou dflare ● Google Cloud Armor ○ https://cloud.google.com/armor 

No content

Encryption at Rest ● Public Files ● Private Files ● Database Volume ● Backups 

Encryption at Rest - S3 Server-Side Encryption ● Pros ○ Easy to setup and use ○ No need to manage keys yourself ○ Good level of protection ● Cons ○ Might not satisfy security requirements of your org. Client-Side Encryption ● Pros ○ Flexibility ○ Portable - can be used on other blob storage services ● Cons ○ Key management is up to you ○ Don’t roll your own crypto... 

Server-Side Encryption https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingServerSideEncrypti on.html Client-Side Encryption https://github.com/jedisct1/libsodium Encryption at Rest - S3 

Encryption at Rest - EFS https://docs.aws.amazon.com/efs/latest/ug/encryption-at-rest.html 

Encryption at Rest - RDS https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.Encry ption.html 

Encryption in Transit ● Incoming HTTP requests ● Connections to database ● Connections to ancillary services - redis, solr, clamd 

Encryption in Transit - DB Connections settings.php https://www.previousnext.com.au/blog/encrypted-drupal-database-connections-amazon-rds $rds_cert_path = "/etc/ssl/certs/rds-combined-ca-bundle.pem"; if (is_readable($rds_cert_path)) { $databases['default']['default']['pdo'][PDO::MYSQL_ATTR_SSL_CA] = $rds_cert_path; } 

Encryption in Transit - Incoming HTTP Requests 

Encryption in Transit - Ancillary Services 

Encryption in Transit - Options Service Mesh ● Pros ○ Encryption everywhere! ● Cons ○ Setup and maintenance ○ Additional TCP hops / latency ○ Additional resources to run sidecars DIY Certificates ● Pros ○ “Simpler” system ● Cons ○ Only encrypts a single hop - ingress to app ○ Manage certificates yourself 

Service Meshes 

Navigating the Service Mesh Landscape - Paul Bower https://www.youtube.com/watch?v=ZykpIhy6FHo Service Meshes 

Navigating the Service Mesh Landscape - Paul Bower https://www.youtube.com/watch?v=ZykpIhy6FHo Service Meshes 

Open Policy Agent 

Validates objects in kubernetes API meet rules specified in policy documents. ● Ensure images come from a trusted registry only. ● Ensure images run as non-root users. ● Ensure hostnames in ingress rules are allowed. ● So much more! Open Policy Agent (OPA) 

Open Policy Agent (OPA) 

Runtime Monitoring / Anomaly Detection 

Monitors your running containers for all kinds of nefarious things. Uses BPF to monitor syscalls ● Unexpected processes ○ Breaking into a shell ○ Cryptominers ○ RCE ● Unexpected users ● Lots of other good stuff Runtime Monitoring 

● Sysdig Falco - https://github.com/falcosecurity/falco Runtime Monitoring 

Read-Only Filesystems 

Stops: ● Developers changing files in the container to “hotfix” problems. ● Many classes of attacks where files are added or modified for arbitrary code execution. Read-Only Filesystems 

Read-Only Filesystems 

Images 

Scans images for vulnerable OS packages and project dependencies. Put in your CICD Pipeline & regularly scheduled builds ● AquaSec Trivy https://github.com/aquasecurity/trivy ● Clair https://github.com/quay/clair Image Vulnerability Scanning 

Ensures an attacker has not modified an image. ● Notary https://github.com/theupdateframework/notary ● Portieris https://github.com/IBM/portieris Image Signing & Notaries 

Thanks! 

Web Application Firewall Configuration Encryption Packaging Runtime