Slide 1

Building Network Security Boundaries in Kubernetes
null - The Open Security Community
Madhu Akula

Slide 2

About Me

● Creator of Kubernetes Goat, Hacker Container, tools.tldr.run, and many others
● Speaker & Trainer @ BlackHat, DEFCON, USENIX, OWASP, All Day DevOps, GitHub, SANS, DevSecCon, c0c0n, Nullcon, null, and many others
● Co-Author of Security Automation with Ansible 2
● Found vulnerabilities in 200+ organisations & products (Google, Microsoft, WordPress, Ntop, etc.)
● Technical reviewer of Learn Kubernetes Security, etc.
● Never Ending Learner!

@madhuakula
https://madhuakula.com

Slide 3

What will you learn today?

● What is Kubernetes?
● Why Kubernetes Security?
● Why Network Security Boundaries?
● Layered Approach (Defense-in-Depth)
● Attacker's view of breaking Network Security Boundaries (no NSP by default)
● Cilium Hubble for observing & monitoring
● Applying Network Security Policies
● Building secure defaults using Kyverno
● Embedding security in early stages (GitOps/DevSecOps) using KICS
● Resources & References

Slide 4

What is Docker?

https://kubernetes.io/docs/concepts/overview/what-is-kubernetes/#going-back-in-time

Slide 5

What is Docker?

● Docker is an open source platform for building, deploying, and managing containerized applications
● Docker became the de facto standard to build and share containerized apps - from desktop, to the cloud, even edge devices
● Docker enables developers to easily pack, ship, and run any application as a lightweight, portable, self-sufficient container, which can run virtually anywhere

https://docs.docker.com/get-started/overview/

Slide 6

What is Kubernetes?

Kubernetes is a portable, extensible, open-source platform for managing containerized workloads and services, that facilitates both declarative configuration and automation. It has a large, rapidly growing ecosystem. Kubernetes services, support, and tools are widely available.

https://kubernetes.io/docs/concepts/overview/what-is-kubernetes/

Slide 7

What is Kubernetes?

https://commons.wikimedia.org/wiki/File:Kubernetes.png

Slide 8

The illustrated children's guide to Kubernetes

https://www.youtube.com/watch?v=3I9PkvZ80BQ

Slide 9

Why Kubernetes Security?

Slide 10

MITRE ATT&CK for Kubernetes

https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/

Slide 11

Why Kubernetes Network Security Boundaries?

https://github.com/GoogleCloudPlatform/microservices-demo/

Slide 12

Why Kubernetes Network Security Boundaries?

By default, Kubernetes has a flat network: any pod or service in the cluster can talk to any other without restrictions. Namespaces carry no network restrictions by default either, so a workload in one namespace can talk to workloads in every other namespace.

Network Security Policies provide a declarative way to specify which pods are allowed to talk to which pods. The policy can select traffic by labels, namespaces, ports, and other parameters to enforce the boundary.
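The deny-by-default posture and label/namespace/port selection described above, as an added example that is not part of the original slides. The namespace `shop`, the labels `app: frontend`, `app: backend` and `app: prometheus`, the `monitoring` namespace and the port numbers are constructed placeholders.

```yaml
# Added example (not from the talk): namespace "shop", the app labels,
# the "monitoring" namespace and the port numbers are constructed.
# 1) Isolate every pod for ingress. Once any policy selects a pod, that pod
#    only accepts traffic some policy explicitly allows.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: shop
spec:
  podSelector: {}        # empty selector = every pod in "shop"
  policyTypes:
    - Ingress            # no ingress rules listed, so all ingress is denied
---
# 2) Re-open only the paths the service map shows are needed. Allow rules
#    are additive across policies and never weaken the deny for other pods.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-backend-ingress
  namespace: shop
spec:
  podSelector:
    matchLabels:
      app: backend
  policyTypes:
    - Ingress
  ingress:
    # Same-namespace peer: frontend pods, and only on the backend's port.
    - from:
        - podSelector:
            matchLabels:
              app: frontend
      ports:
        - protocol: TCP
          port: 8080
    # Cross-namespace peer. namespaceSelector and podSelector in ONE list
    # item are ANDed (that pod in that namespace). As two separate items they
    # would be ORed: every pod in "monitoring" plus every app=prometheus pod
    # in "shop" itself, a common way to open far more than intended.
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: monitoring  # set by Kubernetes 1.22+
          podSelector:
            matchLabels:
              app: prometheus
      ports:
        - protocol: TCP
          port: 9102     # backend's metrics port
```

Both manifests only take effect on a cluster whose CNI enforces NetworkPolicy (Cilium, for example); on a CNI without enforcement they are accepted by the API server and silently do nothing.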

Slide 13

There is a lot more than just Network Security Boundaries

There are many higher-level abstraction layers at which we can apply security for Kubernetes. What we are going to see today is just a small part of Kubernetes security, primarily focusing on Network Security Boundaries.

https://github.com/ahmetb/kubernetes-network-policy-recipes

Slide 14

Defense In Depth - Layered Approach

Some of the very high-level abstraction layers; each layer contains many ways to secure and defend against attackers.

● Application Security
● Supply Chain Security
● Infrastructure Security
● Runtime Security
● Continuous Security

Slide 15

Why Layered Approach?

https://github.com/cncf/financial-user-group/blob/master/projects/k8s-threat-model/AttackTrees/AttackerOnTheNetwork.md

Attackers have many ways! Defenders have many layers!

Slide 16

Demo Time 🤞

Slide 17

Summary of what just happened - No NSP by default in K8S

Slide 18

Approaches to Defense & Building the Boundaries

● There are many ways we can build defenses and boundaries; it's always better to apply a layered approach
● Starting with monitoring & observability is key, as most microservice owners don't know what their services need (Ex: Cilium Hubble)
● Applying Network Security Policies once we have the details like namespace, labels, ports, services, etc. (Ex: NetworkPolicy with a CNI)
● Building secure defaults, so that when anyone creates a new namespace or deployment it denies traffic by default, ensuring they create and follow an NSP (Ex: Kyverno)
● Embedding security into early stages of the lifecycle, such as the GitOps stage, by scanning manifests, Helm charts, etc. (Ex: KICS)
● Many other approaches based on the context and organisation

Slide 19

Hubble - Network, Service & Security Observability for K8S

Hubble is a fully distributed networking and security observability platform for cloud native workloads. It is built on top of Cilium and eBPF to enable deep visibility into the communication and behavior of services as well as the networking infrastructure in a completely transparent manner.

Some of the things we can achieve using Hubble include:

● Service dependencies & communication map
● Operational monitoring & alerting
● Application monitoring
● Security observability

https://github.com/cilium/hubble

Slide 20

Hubble - Network, Service & Security Observability for K8S

https://github.com/cilium/hubble

Slide 21

Demo Time 🤞

Slide 22

Summary of what just happened - NSP Policy Ingress

Slide 23

Kyverno - Kubernetes Native Policy Management

Kyverno is a policy engine designed for Kubernetes. With Kyverno, policies are managed as Kubernetes resources and no new language is required to write policies. This allows using familiar tools such as kubectl, git, and kustomize to manage policies.

Kyverno policies can validate, mutate, and generate Kubernetes resources. The Kyverno CLI can be used to test policies and validate resources as part of a CI/CD pipeline.

Kyverno allows cluster administrators to manage environment specific configurations independently of workload configurations and enforce configuration best practices for their clusters. Kyverno can be used to scan existing workloads for best practices, or can be used to enforce best practices by blocking or mutating API requests.

https://kyverno.io/
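An added example, not from the talk or the Kyverno project, of the "secure default" idea from the approaches slide: a Kyverno `generate` rule that drops a default-deny NetworkPolicy into every new namespace, so a team has to write explicit allow policies before its workloads can talk. The policy name and the list of excluded system namespaces are assumptions for illustration.

```yaml
# Added example (not from the talk or Kyverno's own samples). Generates a
# default-deny NetworkPolicy in every newly created namespace. The excluded
# namespace names are constructed; adjust them to the cluster's system namespaces.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: add-default-deny-networkpolicy
spec:
  rules:
    - name: default-deny
      match:
        any:
          - resources:
              kinds:
                - Namespace          # fire on Namespace create/update requests
      exclude:
        any:
          - resources:
              names:                 # never isolate the control-plane namespaces
                - kube-system
                - kube-public
                - kube-node-lease
                - kyverno
      generate:
        apiVersion: networking.k8s.io/v1
        kind: NetworkPolicy
        name: default-deny
        namespace: "{{request.object.metadata.name}}"   # the namespace just created
        synchronize: true            # Kyverno recreates the policy if it is deleted
        data:
          spec:
            podSelector: {}          # every pod in the new namespace
            policyTypes:
              - Ingress              # no rules listed: all ingress denied
              - Egress               # no rules listed: all egress denied
```

Because Egress is denied as well, pods in a new namespace cannot even resolve DNS until the team adds an allow-egress policy to kube-dns alongside their own allow rules; that forcing function is the point of the default.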

Slide 24

Kyverno - Kubernetes Native Policy Management

https://kyverno.io/docs/introduction/

Slide 25

Demo Time 🤞

Slide 26

KICS - Embedding Security early (GitOps/DevSecOps)

Find security vulnerabilities, compliance issues, and infrastructure misconfigurations early in the development cycle of your infrastructure-as-code with KICS by Checkmarx.

● Fully customizable and adjustable heuristic rules, called queries, which can be easily edited, extended and added
● Robust yet simple architecture, which allows quick addition of support for new Infrastructure as Code solutions

https://kics.io/

Slide 27

KICS - Embedding Security early (GitOps/DevSecOps)

https://kics.io/

Slide 28

Demo Time 🤞

Slide 29

Try it out yourself using the online playground

https://katacoda.com/madhuakula/scenarios/kubernetes-network-security-boundaries

Slide 30

References & Resources

● https://kubernetes.io/docs/concepts/services-networking/network-policies
● https://github.com/ahmetb/kubernetes-network-policy-recipes
● https://github.com/cncf/financial-user-group
● https://cilium.io
● https://github.com/cilium/hubble
● https://kyverno.io
● https://kics.io
● https://editor.cilium.io
● https://katacoda.com/madhuakula/scenarios/kubernetes-network-security-boundaries

Slide 31

Thank you 🙏 Madhu Akula https://madhuakula.com