Slide 1

© 2020 Aqua Security Software Ltd., All Rights Reserved
Kubernetes-native security with Starboard
Liz Rice & Daniel Pacak, Open Source Engineering, Aqua Security
@lizrice @d_pacak

Slide 2

Starboard – motivation

Dave Loper → kubectl / Dashboard → Kubernetes API → K8s resources: pods, deployments, statefulsets, daemonsets
Security tools (outside Kubernetes): image vulnerabilities, CIS benchmarks, config auditing, pen testing

Slide 3

Starboard – brings security reports into Kubernetes

Dave Loper → kubectl / Dashboard → Kubernetes API → K8s resources: pods, deployments, statefulsets, daemonsets
Security tools: image vulnerabilities, CIS benchmarks, config auditing, pen testing
Starboard → custom resources in the Kubernetes API: vulnerabilityreports, ciskubebenchreports, configauditreports, kubehunterreports

Slide 4

Starboard CLI demo

Slide 5

Starboard operator – automation

Dave Loper → kubectl / Dashboard → Kubernetes API → K8s resources: pods, deployments, statefulsets, daemonsets
Security tools: image vulnerabilities, CIS benchmarks, config auditing, pen testing
Starboard operator → custom resources in the Kubernetes API: vulnerabilityreports, ciskubebenchreports, configauditreports, kubehunterreports

Slide 6

Starboard operator demo

Slide 7

Starboard design decisions

Slide 8

What security issues are there for this resource?

Resource (resource type = pod, resource name = my-app) ──owner──▶ Security report

Slide 9

What security issues are there for this resource?

Resource (resource type = pod, resource name = my-app) ──owner──▶ Security report (carries the resource name)

Slide 10

What security issues are there for this resource?

Within the resource's namespace: Resource ──▶ Security report

Slide 11

What security issues are there for this resource?

Within the resource's namespace: Resource ──▶ Security report
In the starboard namespace: Scan job

Slide 12

What security issues are there for my workloads?

Deployment
  ReplicaSet (app-image:1.3)
    Pod (app-image:1.3)
Unmanaged pod (other-image:2.0)

Slide 13

Deployment
  ReplicaSet (app-image:1.3)
    Pod (app-image:1.3)
Unmanaged pod (other-image:2.0)

Vuln report: some-image:2.0

Slide 14

Deployment
  ReplicaSet (app-image:1.3)
    Pod (app-image:1.3)
Unmanaged pod (other-image:2.0)

Vuln report: some-image:2.0 (×4)

Slide 15

Deployment
  ReplicaSet (app-image:1.3)
    Pod (app-image:1.3)
Unmanaged pod (other-image:2.0)

Vuln report: some-image:2.0
Vuln report

Slide 16

Deployment
  ReplicaSet (app-image:1.3)
    Pod (app-image:1.3)
  ReplicaSet (app-image:1.6)
    Pod (app-image:1.6)
Unmanaged pod (other-image:2.0)

Vuln report: some-image:2.0
Vuln report

Slide 17

Deployment
  ReplicaSet (app-image:1.3)
    Pod (app-image:1.3)
  ReplicaSet (app-image:1.6)
    Pod (app-image:1.6)
Unmanaged pod (some-image:2.0)

Vuln report: some-image:2.0
Vuln report: app-image:1.6
Vuln report: app-image:1.3

Slide 18

What vulnerabilities are in my deployment?

Deployment
  ReplicaSet (image:1.3)
    Pod (image:1.3)

Vuln report
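The hierarchy slides show reports keyed by image and hung off the pod's controller (the ReplicaSet, or the pod itself when unmanaged), with the Deployment question answered by gathering its ReplicaSets' reports. The Go program below is an added illustration of that bookkeeping and is not Starboard's code: the Workload/Ref types, the "Kind/Name" keys and the sample inventory are all constructed for this example.

```go
package main

import (
	"fmt"
	"sort"
)

// Workload is a constructed stand-in for a Kubernetes object's metadata plus
// the container images it runs. Field names echo ObjectMeta/OwnerReference,
// but this is not a client-go type.
type Workload struct {
	Kind   string
	Name   string
	Owner  *Ref     // controller ownerReference; nil for an unmanaged pod
	Images []string // images in the pod spec or pod template
}

// Ref names an owner; a single namespace is assumed throughout.
type Ref struct{ Kind, Name string }

func key(kind, name string) string { return kind + "/" + name }

// ScanTarget is one (owner, image) pair: the unit for which exactly one
// vulnerability report is produced.
type ScanTarget struct{ Owner, Image string }

// ReportOwner returns the object a pod's report hangs off: its immediate
// controller (normally a ReplicaSet) when that object is in the inventory,
// otherwise the pod itself (an unmanaged pod).
func ReportOwner(pod Workload, inventory map[string]Workload) Workload {
	if pod.Owner != nil {
		if parent, ok := inventory[key(pod.Owner.Kind, pod.Owner.Name)]; ok {
			return parent
		}
	}
	return pod
}

// PlanScans deduplicates scan work: however many replica pods run the same
// image under the same owner, only one ScanTarget is emitted for the pair.
func PlanScans(workloads []Workload) []ScanTarget {
	inventory := map[string]Workload{}
	for _, w := range workloads {
		inventory[key(w.Kind, w.Name)] = w
	}
	seen := map[ScanTarget]bool{}
	var plan []ScanTarget
	for _, w := range workloads {
		if w.Kind != "Pod" {
			continue
		}
		owner := ReportOwner(w, inventory)
		for _, img := range w.Images {
			t := ScanTarget{Owner: key(owner.Kind, owner.Name), Image: img}
			if !seen[t] {
				seen[t] = true
				plan = append(plan, t)
			}
		}
	}
	sort.Slice(plan, func(i, j int) bool {
		if plan[i].Owner != plan[j].Owner {
			return plan[i].Owner < plan[j].Owner
		}
		return plan[i].Image < plan[j].Image
	})
	return plan
}

// ReportsForDeployment answers "what vulnerabilities are in my deployment?"
// by collecting the targets owned by ReplicaSets the Deployment controls.
func ReportsForDeployment(name string, workloads []Workload, plan []ScanTarget) []ScanTarget {
	owned := map[string]bool{}
	for _, w := range workloads {
		if w.Kind == "ReplicaSet" && w.Owner != nil && w.Owner.Kind == "Deployment" && w.Owner.Name == name {
			owned[key(w.Kind, w.Name)] = true
		}
	}
	var out []ScanTarget
	for _, t := range plan {
		if owned[t.Owner] {
			out = append(out, t)
		}
	}
	return out
}

// SampleWorkloads mirrors the slide: one Deployment with two ReplicaSets
// (app-image:1.3 rolled to app-image:1.6) plus an unmanaged pod. Constructed data.
func SampleWorkloads() []Workload {
	dep := &Ref{"Deployment", "my-app"}
	rs1 := &Ref{"ReplicaSet", "my-app-1"}
	rs2 := &Ref{"ReplicaSet", "my-app-2"}
	return []Workload{
		{Kind: "Deployment", Name: "my-app"},
		{Kind: "ReplicaSet", Name: "my-app-1", Owner: dep, Images: []string{"app-image:1.3"}},
		{Kind: "ReplicaSet", Name: "my-app-2", Owner: dep, Images: []string{"app-image:1.6"}},
		{Kind: "Pod", Name: "my-app-1-a", Owner: rs1, Images: []string{"app-image:1.3"}},
		{Kind: "Pod", Name: "my-app-1-b", Owner: rs1, Images: []string{"app-image:1.3"}},
		{Kind: "Pod", Name: "my-app-2-a", Owner: rs2, Images: []string{"app-image:1.6"}},
		{Kind: "Pod", Name: "other", Images: []string{"some-image:2.0"}},
	}
}

func main() {
	ws := SampleWorkloads()
	plan := PlanScans(ws)
	for _, t := range plan {
		fmt.Printf("scan %-16s for %s\n", t.Image, t.Owner)
	}
	fmt.Println("reports for Deployment/my-app:", ReportsForDeployment("my-app", ws, plan))
}
```

Two replica pods of app-image:1.3 collapse into one scan target, the unmanaged pod gets its own, and the Deployment view is the union of its ReplicaSets' targets, so the old ReplicaSet's report stays visible until that ReplicaSet is gone.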

Slide 19

Starboard hierarchy demo

Slide 20

Extending Starboard

Slide 21

Pluggable vulnerability scanners

Kind: Deployment, Name: my-app, Image: some-image:2.0
  → Struct: PodTemplateSpec
  → Kind: Job, Name: efavbs-d21..., Namespace: starboard-operator
      PodSpec: Image: aquasec/trivy:0.11.0, Command: trivy some-image:2.0
  → Trivy output converter
  → Kind: VulnerabilityReport, Name: deployment-my-app-some-container

Slide 22

VulnerabilityScanner interface
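As an added example of the scanner plug-in idea on the two slides above (not Starboard's own interface or code), the Go program below assumes a VulnerabilityScanner interface with two responsibilities: describe the container the scan Job should run for an image, and convert that tool's output into a VulnerabilityReport named <kind>-<name>-<container>. The Trivy implementation consumes the top-level Target/Vulnerabilities fields of Trivy's JSON output; the sample output, its package versions and the CVE-0000-000x ids are constructed placeholders.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// VulnerabilityScanner is an assumed plug-in shape, not Starboard's real API:
// how to run the tool in a scan Job, and how to read what it produced.
type VulnerabilityScanner interface {
	ScanContainer(image string) (scanImage string, command []string)
	ParseReport(ownerKind, ownerName, container string, output []byte) (VulnerabilityReport, error)
}

// Vulnerability is one finding, normalised away from the tool's own schema.
type Vulnerability struct {
	ID, Package, InstalledVersion, FixedVersion, Severity string
}

// VulnerabilityReport is the converter's output; Name follows the
// <kind>-<name>-<container> pattern shown on the slide.
type VulnerabilityReport struct {
	Name            string
	Image           string
	Summary         map[string]int // findings per severity
	Vulnerabilities []Vulnerability
}

// TrivyScanner implements VulnerabilityScanner for Trivy's JSON output.
type TrivyScanner struct{ Version string }

// ScanContainer returns the scanner image and command for the Job's PodSpec.
func (t TrivyScanner) ScanContainer(image string) (string, []string) {
	return "aquasec/trivy:" + t.Version, []string{"trivy", "--format", "json", image}
}

// trivyResult is the subset of one Trivy JSON result entry that we consume.
type trivyResult struct {
	Target          string `json:"Target"`
	Vulnerabilities []struct {
		VulnerabilityID  string `json:"VulnerabilityID"`
		PkgName          string `json:"PkgName"`
		InstalledVersion string `json:"InstalledVersion"`
		FixedVersion     string `json:"FixedVersion"`
		Severity         string `json:"Severity"`
	} `json:"Vulnerabilities"`
}

// ParseReport is the "Trivy output converter": it rejects malformed output
// and otherwise builds the report plus a per-severity summary.
func (t TrivyScanner) ParseReport(ownerKind, ownerName, container string, output []byte) (VulnerabilityReport, error) {
	var results []trivyResult
	if err := json.Unmarshal(output, &results); err != nil {
		return VulnerabilityReport{}, fmt.Errorf("decode trivy output: %w", err)
	}
	report := VulnerabilityReport{
		Name:    strings.ToLower(ownerKind) + "-" + ownerName + "-" + container,
		Summary: map[string]int{},
	}
	for _, r := range results {
		if report.Image == "" {
			// Trivy's Target reads "<image> (<os>)"; keep only the image reference.
			report.Image = strings.TrimSpace(strings.SplitN(r.Target, " (", 2)[0])
		}
		for _, v := range r.Vulnerabilities {
			report.Vulnerabilities = append(report.Vulnerabilities, Vulnerability{
				ID: v.VulnerabilityID, Package: v.PkgName,
				InstalledVersion: v.InstalledVersion, FixedVersion: v.FixedVersion,
				Severity: v.Severity,
			})
			report.Summary[v.Severity]++
		}
	}
	return report, nil
}

// SampleTrivyOutput is constructed for this example; the CVE ids are placeholders.
const SampleTrivyOutput = `[{"Target":"some-image:2.0 (alpine 3.10)","Vulnerabilities":[
 {"VulnerabilityID":"CVE-0000-0001","PkgName":"openssl","InstalledVersion":"1.1.1c-r0","FixedVersion":"1.1.1d-r0","Severity":"CRITICAL"},
 {"VulnerabilityID":"CVE-0000-0002","PkgName":"musl","InstalledVersion":"1.1.22-r2","FixedVersion":"","Severity":"HIGH"},
 {"VulnerabilityID":"CVE-0000-0003","PkgName":"busybox","InstalledVersion":"1.30.1-r2","FixedVersion":"1.30.1-r3","Severity":"HIGH"}]}]`

func main() {
	var scanner VulnerabilityScanner = TrivyScanner{Version: "0.11.0"}
	img, cmd := scanner.ScanContainer("some-image:2.0")
	fmt.Println("scan job runs", img, cmd)
	report, err := scanner.ParseReport("Deployment", "my-app", "some-container", []byte(SampleTrivyOutput))
	if err != nil {
		panic(err)
	}
	fmt.Printf("%s (%s): %v\n", report.Name, report.Image, report.Summary)
}
```

Swapping in another scanner means implementing the same two methods; the Job builder and the report writer never need to know which tool produced the output.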

Slide 23


Slide 24


Slide 25

Starboard future

Slide 26

Fully pluggable security reporting

Dave Loper → kubectl / Dashboard → Kubernetes API → K8s resources: pods, replicasets
Security tools: image vulnerabilities, CIS benchmarks, config auditing, pen testing, some other security tool
Starboard → custom resources in the Kubernetes API: vulnerabilityreports, ciskubebenchreports, configauditreports, kubehunterreports, … reports

Starboard ConfigMap
  Scanners:
    - Tool:
      Resource:
      Report:
    - Tool:
      Resource:
      Report:
    …

Slide 27

What are the most important security issues in my cluster?

kubectl starboard summary

Slide 28

github.com/aquasecurity/starboard