Slide 1

Slide 1 text

@scottcoulton

Slide 2

Slide 2 text

Scott Coulton, Developer Advocate (@scottcoulton / scotty-c)
Spent the last 4 years on container-related development
I am also a Docker Captain

Slide 3

Slide 3 text

No content

Slide 4

Slide 4 text

Code examples from this talk can be downloaded from https://github.com/scotty-c/kubernetes-on-azure-workshop

Slide 5

Slide 5 text


Slide 6

Slide 6 text

Kubernetes components
Kubernetes is broken down into two node types:
- Master node
- Worker node

Slide 7

Slide 7 text

Master node
A master node is responsible for:
- Running the control plane
- Scheduling workloads
- Security controls

Slide 8

Slide 8 text

Worker node
A worker node is responsible for:
- Running workloads

Slide 9

Slide 9 text

Master node
A master node's components (the control plane):
- kube-apiserver
- etcd
- kube-scheduler
- kube-controller-manager
- cloud-controller-manager

Slide 10

Slide 10 text

Worker node
A worker node's components:
- kubelet
- kube-proxy
- plus the container runtime the kubelet drives (see Container runtimes below)

Slide 11

Slide 11 text

kube-apiserver
The kube-apiserver is responsible for:
- Being the entry point into the cluster
- Exposing the Kubernetes API
- It is a REST service
- Validating and configuring data for the API objects

Slide 12

Slide 12 text

etcd
Consistent and highly-available key value store used as Kubernetes' backing store for all cluster data. That makes it the most sensitive component to protect: whoever can read etcd can read every Secret in the cluster.

Slide 13

Slide 13 text

kube-scheduler
The kube-scheduler watches newly created pods that have no node assigned, and selects a node for them to run on. Factors taken into account for scheduling decisions include individual and collective resource requirements, hardware/software/policy constraints, affinity and anti-affinity specifications, data locality, inter-workload interference and deadlines.

Slide 14

Slide 14 text

kube-controller-manager
The kube-controller-manager is responsible for:
- Node controller: noticing and responding when nodes go down.
- Replication controller: maintaining the correct number of pods for every replication controller object in the system.
- Endpoints controller: populating the Endpoints object (that is, joining Services and Pods).
- Service account and token controllers: creating default accounts and API access tokens for new namespaces.

Slide 15

Slide 15 text

cloud-controller-manager
The cloud-controller-manager is responsible for:
- Checking the cloud provider to determine if a node has been deleted in the cloud after it stops responding
- Setting up routes in the underlying cloud infrastructure
- Creating, updating and deleting cloud provider load balancers
- Creating, attaching and mounting volumes, and interacting with the cloud provider to orchestrate volumes

Slide 16

Slide 16 text

kubelet
The kubelet is responsible for making sure all containers in a pod are running. It takes a set of PodSpecs, provided through various mechanisms (the API server, static pod manifests on disk), and ensures that the containers described in those PodSpecs are running and healthy.

Slide 17

Slide 17 text

kube-proxy
kube-proxy reflects services as defined in the Kubernetes API on each node and can do simple TCP, UDP and SCTP stream forwarding, or round-robin TCP, UDP and SCTP forwarding across a set of backends.

Slide 18

Slide 18 text

Container runtimes
Kubernetes can use different container runtimes:
- Docker
- Moby
- containerd
- CRI-O
At Azure we use Moby

Slide 19

Slide 19 text

Kubernetes architecture

Slide 20

Slide 20 text

Securing Kubernetes components

Slide 21

Slide 21 text

Network ports needed by Kubernetes

Port        Process         Description
4149/TCP    kubelet         Default cAdvisor port used to query container metrics
10250/TCP   kubelet         API which allows full node access
10255/TCP   kubelet         Unauthenticated read-only port, allowing access to node state
10256/TCP   kube-proxy      Health check server for kube-proxy
9099/TCP    calico-felix    Health check server for Calico (if using Calico/Canal)
6443/TCP    kube-apiserver  Kubernetes API port

Of these, 10250 is the one to worry about: it should only be reachable from the API server and the kubelet should be started with --anonymous-auth=false and --authorization-mode=Webhook so that it checks every caller against the API server. The read-only port 10255 needs no credentials at all and should be switched off with --read-only-port=0 unless something genuinely depends on it.

Slide 22

Slide 22 text

Securing the API
In this section we will look at some flags that should be set on the API server, and why.

Slide 23

Slide 23 text

Authorization mode and anonymous auth
By default anonymous auth is turned on (--anonymous-auth defaults to true). Requests with no credentials are then treated as user system:anonymous in group system:unauthenticated, so whether that is safe depends entirely on the authorization mode. A safe configuration on the kube-apiserver flags is --anonymous-auth=false together with --authorization-mode=Node,RBAC. A bad configuration would be leaving anonymous auth on with --authorization-mode=AlwaysAllow, which lets any client that can reach port 6443 do anything in the cluster.

Slide 24

Slide 24 text

Insecure port
Running the Kube API on the insecure port is not recommended: it serves plain HTTP with no authentication or authorization at all, so anyone who can reach it is cluster admin. A safe configuration on the kube-apiserver flags is --insecure-port=0 (and no --insecure-bind-address); a bad configuration would be the historical default of --insecure-port=8080, or binding it to anything other than localhost.

Slide 25

Slide 25 text

Using certificates
Running the Kube API without x.509 certificates is not recommended. The API server should serve TLS (--tls-cert-file and --tls-private-key-file), verify client certificates against the cluster CA (--client-ca-file), and present its own client certificate when it talks to kubelets (--kubelet-client-certificate and --kubelet-client-key), so that both directions of the control-plane traffic are authenticated.

Slide 26

Slide 26 text

Admission controllers
An admission controller is a piece of code that intercepts requests to the Kubernetes API server prior to persistence of the object, but after the request is authenticated and authorized.

Slide 27

Slide 27 text

Admission controllers
There are a couple of recommended ways you could handle your admission controllers. Safe configurations on the kube-apiserver flags list the plugins explicitly with --enable-admission-plugins (and --disable-admission-plugins for any default you do not want); older releases used the now-deprecated --admission-control flag. In either case AlwaysAdmit must not be in the list, and NodeRestriction should be, so that a kubelet can only modify its own Node and the Pods bound to it.

Slide 28

Slide 28 text

Making sure we have the right configurations
There are tools and documentation to make this process easier:
- CIS Kubernetes Benchmark: https://www.cisecurity.org/benchmark/kubernetes/
- Aqua Security's kube-bench: https://github.com/aquasecurity/kube-bench
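The checks that slides 23 to 27 describe in prose, as an added example in the spirit of kube-bench (this is not the talk's code and not kube-bench itself). It parses the kube-apiserver command line as found in /etc/kubernetes/manifests/kube-apiserver.yaml and reports anonymous auth, AlwaysAllow, the insecure port, missing x.509 flags and bad admission plugin lists. The flag names are the real kube-apiserver flags; the two sample command lines are constructed, and the assumption that an absent --insecure-port means the old default of 8080 is noted in the code.

```python
"""Audit a kube-apiserver command line for the weak settings of slides 23-27.

Added example, not code from the talk or from kube-bench.  The flag names are
the real kube-apiserver flags and the thresholds follow the CIS Kubernetes
Benchmark as I read it; the two sample command lines are constructed.
"""
import shlex
from typing import Dict, List, Set


def parse_flags(argv: List[str]) -> Dict[str, str]:
    """Map ['--a=1', '--b', '2', '--c'] to {'a': '1', 'b': '2', 'c': ''}.

    Both '--flag=value' and '--flag value' are accepted; a repeated flag keeps
    its last value.  Non-flag words (the binary name) are ignored.
    """
    flags: Dict[str, str] = {}
    i = 0
    while i < len(argv):
        arg = argv[i]
        if arg.startswith("--"):
            name, sep, value = arg[2:].partition("=")
            if not sep and i + 1 < len(argv) and not argv[i + 1].startswith("--"):
                value = argv[i + 1]
                i += 1
            flags[name] = value
        i += 1
    return flags


def _csv(value: str) -> Set[str]:
    return {v.strip() for v in value.split(",") if v.strip()}


def audit_apiserver(argv: List[str]) -> List[str]:
    """Return one finding per weak setting; an empty list means every check passed."""
    f = parse_flags(argv)
    findings: List[str] = []

    # Slide 23: anonymous auth defaults to true, authorization-mode to AlwaysAllow.
    if f.get("anonymous-auth", "true") != "false":
        findings.append("anonymous auth is enabled; set --anonymous-auth=false")
    modes = _csv(f.get("authorization-mode", "AlwaysAllow"))
    if "AlwaysAllow" in modes:
        findings.append("authorization-mode contains AlwaysAllow")
    if not {"Node", "RBAC"} <= modes:
        findings.append("authorization-mode should include Node and RBAC")

    # Slide 24: the plain-HTTP port.  Assumption: on releases that still have
    # the flag the default was 8080, so an absent flag is treated as open.
    if f.get("insecure-port", "8080") != "0":
        findings.append("insecure port is open; set --insecure-port=0")

    # Slide 25: TLS for clients, a CA to verify client certs, and a client cert
    # for the API server's own connections to kubelets.
    for flag in ("tls-cert-file", "tls-private-key-file", "client-ca-file",
                 "kubelet-client-certificate", "kubelet-client-key"):
        if not f.get(flag):
            findings.append(f"--{flag} is not set")

    # Slides 26-27: admission plugins.  --admission-control is the old spelling.
    enabled = _csv(f.get("enable-admission-plugins", "")) | _csv(f.get("admission-control", ""))
    disabled = _csv(f.get("disable-admission-plugins", ""))
    if "AlwaysAdmit" in enabled:
        findings.append("AlwaysAdmit admission plugin is enabled")
    if "NodeRestriction" not in enabled or "NodeRestriction" in disabled:
        findings.append("NodeRestriction admission plugin is not enabled")
    return findings


# Constructed samples in the shape of the 'command:' list of a kubeadm-style
# /etc/kubernetes/manifests/kube-apiserver.yaml.
WEAK = shlex.split(
    "kube-apiserver --anonymous-auth=true --authorization-mode=AlwaysAllow "
    "--insecure-port=8080 --enable-admission-plugins=AlwaysAdmit"
)
HARDENED = shlex.split(
    "kube-apiserver --anonymous-auth=false --authorization-mode=Node,RBAC "
    "--insecure-port=0 --secure-port=6443 "
    "--tls-cert-file=/etc/kubernetes/pki/apiserver.crt "
    "--tls-private-key-file=/etc/kubernetes/pki/apiserver.key "
    "--client-ca-file=/etc/kubernetes/pki/ca.crt "
    "--kubelet-client-certificate=/etc/kubernetes/pki/apiserver-kubelet-client.crt "
    "--kubelet-client-key=/etc/kubernetes/pki/apiserver-kubelet-client.key "
    "--enable-admission-plugins=NodeRestriction,PodSecurityPolicy"
)

if __name__ == "__main__":
    for label, argv in (("weak", WEAK), ("hardened", HARDENED)):
        print(f"{label}: {len(audit_apiserver(argv))} finding(s)")
        for finding in audit_apiserver(argv):
            print("  -", finding)
```

Run it against the real manifest by feeding the items of its command list to audit_apiserver; the weak sample produces eleven findings, the hardened one none. The checks are deliberately on the flag values rather than on defaults, because the defaults for these flags have changed across releases and a hardened manifest should state every one of them explicitly.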

Slide 29

Slide 29 text

No content

Slide 30

Slide 30 text

Pod security context
Just because we are using Kubernetes does not mean we are secure by default. There are a lot of good security features in Kubernetes that are not turned on.

Slide 31

Slide 31 text

Pod security context
Pod security context is an abstraction over the Linux security subsystems:
- AppArmor
- SELinux
- seccomp

Slide 32

Slide 32 text

Pod security context
A container is a process that is isolated via kernel namespaces and cgroups.

Slide 33

Slide 33 text

Pod security context
In Azure our pods are talking to the kernel via Moby. Today we are going to look at three of the important default policies. In a production environment I would personally use seccomp (https://www.kernel.org/doc/html/v4.16/userspace-api/seccomp_filter.html) with libseccomp (https://github.com/seccomp/libseccomp).

Slide 34

Slide 34 text

Pod security context
The three default policies (securityContext fields) are:
- runAsUser
- readOnlyRootFilesystem
- allowPrivilegeEscalation
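A pod with none of the three settings beside the same pod with all of them, and a checker that flags the difference, as an added example (not the talk's code and not from the workshop repo). The pods are written as Python dicts in the JSON shape the API accepts (what kubectl get pod -o json returns) so no YAML library is needed; both pods are constructed, and the unprivileged nginx image in the hardened one is chosen because stock nginx cannot bind port 80 as UID 1000.

```python
"""Check a pod for the three securityContext settings of slide 34.

Added example, not code from the talk or its workshop repo.  The pods are
Python dicts in the JSON shape Kubernetes accepts (what 'kubectl get pod
-o json' returns); both sample pods are constructed.
"""
from typing import Dict, List

# Pod-level securityContext fields that containers inherit unless they set
# their own.  readOnlyRootFilesystem and allowPrivilegeEscalation exist only
# at container level.
POD_LEVEL_FIELDS = ("runAsUser", "runAsGroup", "runAsNonRoot")


def effective_context(pod_spec: dict, container: dict) -> Dict[str, object]:
    """Merge pod and container securityContext the way the kubelet does:
    the container's own values win over the pod's."""
    ctx = {k: v for k, v in pod_spec.get("securityContext", {}).items()
           if k in POD_LEVEL_FIELDS}
    ctx.update(container.get("securityContext", {}))
    return ctx


def check_container(name: str, ctx: Dict[str, object]) -> List[str]:
    findings: List[str] = []
    uid = ctx.get("runAsUser")
    if uid == 0:
        findings.append(f"{name}: runAsUser is 0 (root)")
    elif uid is None and ctx.get("runAsNonRoot") is not True:
        findings.append(f"{name}: runAsUser not set; runs as the image's default "
                        "user, which is root for most images")
    if ctx.get("readOnlyRootFilesystem") is not True:
        findings.append(f"{name}: readOnlyRootFilesystem is not true")
    # The kubelet only sets no_new_privs when this is explicitly false.
    if ctx.get("allowPrivilegeEscalation", True) is not False:
        findings.append(f"{name}: allowPrivilegeEscalation is not false (default is true)")
    if ctx.get("privileged") is True:
        findings.append(f"{name}: privileged is true")
    return findings


def check_pod(pod: dict) -> List[str]:
    """One finding per weak setting across init and regular containers."""
    spec = pod["spec"]
    findings: List[str] = []
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        findings += check_container(c["name"], effective_context(spec, c))
    return findings


# Constructed: the manifest most people start with, no securityContext at all.
WEAK_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "web", "namespace": "default"},
    "spec": {"containers": [{"name": "web", "image": "nginx:1.17"}]},
}

# Constructed: the same pod with the three settings applied.  A writable
# emptyDir is mounted on /tmp because the root filesystem is now read-only.
HARDENED_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "web", "namespace": "default"},
    "spec": {
        "securityContext": {"runAsUser": 1000, "runAsGroup": 1000, "runAsNonRoot": True},
        "containers": [{
            "name": "web", "image": "nginxinc/nginx-unprivileged:1.17",
            "securityContext": {"readOnlyRootFilesystem": True,
                                "allowPrivilegeEscalation": False},
            "volumeMounts": [{"name": "tmp", "mountPath": "/tmp"}],
        }],
        "volumes": [{"name": "tmp", "emptyDir": {}}],
    },
}

if __name__ == "__main__":
    for label, pod in (("weak", WEAK_POD), ("hardened", HARDENED_POD)):
        print(label, check_pod(pod) or "OK")
```

The merge in effective_context is the part people get wrong: a pod-level runAsUser of 1000 is silently undone by a container that sets its own runAsUser of 0, so a checker that only reads the pod level passes a root container. Running this over the rendered manifests in a pipeline is the kind of "security check for unsafe values" the GitOps slides at the end talk about.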

Slide 35

Slide 35 text

cat <

Slide 36

Slide 36 text

No content

Slide 37

Slide 37 text

cat <

Slide 38

Slide 38 text

No content

Slide 39

Slide 39 text

rbac
Role based access control (RBAC):
- Separation of applications
- Access control for users
- Access control for applications (service accounts)

Slide 40

Slide 40 text

namespaces
Namespaces are the logical separation in Kubernetes. Things that are namespaced:
- DNS: <service>.<namespace>.svc.cluster.local
- Deployments, services and pods
- Access control for applications (service accounts)
- Resource quotas
- Secrets

Slide 41

Slide 41 text

namespaces
Things that are NOT namespaced:
- Nodes
- Networking
- Storage
(Strictly, the cluster-scoped objects are Nodes, PersistentVolumes and StorageClasses. NetworkPolicy and PersistentVolumeClaim objects are namespaced, so network and storage access can still be split per namespace even though the underlying resources are shared.)

Slide 42

Slide 42 text

Service accounts vs user accounts
The differences are:
- User accounts are for humans. Service accounts are for processes, which run in pods.
- User accounts are intended to be global: names must be unique across all namespaces of a cluster, and a future user resource will not be namespaced. Service accounts are namespaced.
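How the namespacing of slides 39 to 42 shows up in an actual authorization decision, as an added example that is not the talk's code and not the real Kubernetes authorizer: a small model of RBAC resolution covering Role/ClusterRole, RoleBinding/ClusterRoleBinding and ServiceAccount/User subjects with apiGroups/resources/verbs and "*" wildcards. resourceNames, nonResourceURLs, Group subjects and ClusterRole aggregation are left out. All objects (team-a, the app service account, alice) are constructed.

```python
"""A small model of how Kubernetes RBAC resolves a request, to show the
namespace separation of slides 39-42.

Added example; not the talk's code and not the real authorizer, only the
rule matching I am sure of: apiGroups/resources/verbs with '*' wildcards,
Role and ClusterRole, RoleBinding and ClusterRoleBinding, ServiceAccount
and User subjects.  All objects are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Request:
    user: str                        # a service account authenticates as system:serviceaccount:<ns>:<name>
    verb: str
    resource: str
    api_group: str = ""              # "" is the core group (pods, secrets, nodes)
    namespace: Optional[str] = None  # None for cluster-scoped resources such as nodes


def rule_allows(rule: dict, req: Request) -> bool:
    def match(allowed: List[str], value: str) -> bool:
        return "*" in allowed or value in allowed
    return (match(rule.get("apiGroups", []), req.api_group)
            and match(rule.get("resources", []), req.resource)
            and match(rule.get("verbs", []), req.verb))


def subject_matches(subject: dict, user: str) -> bool:
    if subject["kind"] == "ServiceAccount":   # namespaced: team-a/app is not team-b/app
        return user == f"system:serviceaccount:{subject['namespace']}:{subject['name']}"
    if subject["kind"] == "User":             # a global name
        return user == subject["name"]
    return False


def authorize(req: Request, roles: Dict[Tuple[str, str], dict],
              cluster_roles: Dict[str, dict], bindings: List[dict]) -> bool:
    """RBAC is allow-only: permitted if any binding naming the subject refers
    to a role with a matching rule, denied otherwise."""
    for b in bindings:
        if not any(subject_matches(s, req.user) for s in b["subjects"]):
            continue
        ref = b["roleRef"]
        if b["kind"] == "RoleBinding":
            ns = b["metadata"]["namespace"]
            if req.namespace != ns:           # confined to its namespace, even for a ClusterRole ref
                continue
            role = roles.get((ns, ref["name"])) if ref["kind"] == "Role" else cluster_roles.get(ref["name"])
        else:                                 # ClusterRoleBinding: every namespace plus cluster scope
            role = cluster_roles.get(ref["name"])
        if role and any(rule_allows(r, req) for r in role["rules"]):
            return True
    return False


# Constructed objects, keyed the way the API server looks them up.
ROLES = {("team-a", "pod-reader"): {"rules": [
    {"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list", "watch"]}]}}
CLUSTER_ROLES = {"node-reader": {"rules": [
    {"apiGroups": [""], "resources": ["nodes"], "verbs": ["get", "list"]}]}}
BINDINGS = [
    {"kind": "RoleBinding", "metadata": {"namespace": "team-a", "name": "app-reads-pods"},
     "subjects": [{"kind": "ServiceAccount", "name": "app", "namespace": "team-a"}],
     "roleRef": {"kind": "Role", "name": "pod-reader"}},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "alice-reads-nodes"},
     "subjects": [{"kind": "User", "name": "alice"}],
     "roleRef": {"kind": "ClusterRole", "name": "node-reader"}},
]
APP_SA = "system:serviceaccount:team-a:app"


def can(user: str, verb: str, resource: str, namespace: Optional[str] = None) -> bool:
    return authorize(Request(user, verb, resource, namespace=namespace),
                     ROLES, CLUSTER_ROLES, BINDINGS)


if __name__ == "__main__":
    print(can(APP_SA, "list", "pods", "team-a"))                            # True
    print(can(APP_SA, "list", "pods", "team-b"))                            # False: RoleBinding stops at its namespace
    print(can("system:serviceaccount:team-b:app", "list", "pods", "team-a"))  # False: same name, other namespace
    print(can("alice", "get", "nodes"))                                     # True: cluster scope needs a ClusterRoleBinding
```

The two denials are the point of the slides: the service account named app in team-b is a different identity from app in team-a, and the RoleBinding in team-a grants nothing in team-b even though the Role's rules would match. Nodes have no namespace, so the only way to grant access to them is a ClusterRoleBinding, which is also why a ClusterRoleBinding to a service account should be treated as cluster-wide access and reviewed as such.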

Slide 43

Slide 43 text

Let’s automate that

Slide 44

Slide 44 text

It's YAML!!! GitOps for the win

Slide 45

Slide 45 text

All your current CI/CD tools work
Because all Kubernetes configuration is YAML you can:
- Use whatever CI tools you are using today
- Have security checks in the pipelines for unsafe values
- Use the deployment pipeline as your auditing tool

Slide 46

Slide 46 text

Questions

Slide 47

Slide 47 text

Code examples from this talk can be downloaded from https://github.com/scotty-c/kubernetes-on-azure-workshop

Slide 48

Slide 48 text

No content