Slide 1

Preventative Security for Kubernetes
Liz Rice, @lizrice | @aquasecteam
© 2018-19 Aqua Security Software Ltd., All Rights Reserved

Slide 2

Agenda
■ Kubernetes configuration for security
■ CIS benchmarks – testing the configuration
■ Penetration testing – testing for vulnerabilities

Slide 3

Authored by Liz Rice from Aqua Security and Michael Hausenblas from Red Hat
https://info.aquasec.com/kubernetes-security

Slide 4

Aqua: our approach

Automate DevSecOps
▪ Secure the CI/CD pipeline
▪ “Shift left” security, fix issues early and fast
▪ Accelerate app delivery with security automation

Modernize security through containers
▪ Enforce immutability – no patching, no drift
▪ Whitelist good behavior, preventing anomalies
▪ Prevent lateral movement

Secure once, run anywhere
▪ Secure apps regardless of platform, cloud, or OS
▪ Enable hybrid cloud and cloud migration
▪ Avoid cloud lock-in and security reconfiguration

Slide 5

Automating Security at Every Stage

Pipeline stages: Create software → Build → Deploy
Controls: Code quality, Security testing, Vulnerability scanning, Image policies, Runtime protection, Host configuration
Outcomes: Artifacts free of security defects; Only expected code & config; Detect anomalous behaviour

Slide 6

Kubernetes Host Configuration

Slide 7

Kubernetes configuration
What config settings should I use?
■ Kubernetes components installed on your servers
■ Master & node components
■ Many configuration settings have a security impact
■ Example: open Kubelet port = root access
■ Defaults depend on the installer

Slide 8

CIS Kubernetes Benchmark

Slide 9

kube-bench
github.com/aquasecurity/kube-bench
■ Open source automated tests for CIS Kubernetes Benchmark
■ Tests for Kubernetes Masters and Nodes
■ Available as a container

Slide 10


Slide 11

kube-bench
github.com/aquasecurity/kube-bench
■ Job configuration YAML
■ Run regularly to ensure no configuration drift
■ Tests defined in YAML
■ Released code follows the CIS Benchmark
■ Modify for your own purposes
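As an added example that is not part of the deck or of the kube-bench project itself, a CronJob manifest that runs the kube-bench node checks every night so that configuration drift is caught soon after it happens; the namespace, schedule and the list of host paths are assumptions, modelled on the Job manifests the project ships.

```yaml
# Constructed example: nightly kube-bench run of the node checks.
apiVersion: batch/v1beta1        # CronJob API version current in the 2018-19 Kubernetes releases
kind: CronJob
metadata:
  name: kube-bench-node
  namespace: kube-bench          # assumed namespace; create it before applying
spec:
  schedule: "0 2 * * *"          # every night at 02:00; adjust to your change cadence
  concurrencyPolicy: Forbid      # never let two runs overlap
  successfulJobsHistoryLimit: 3
  failedJobsHistoryLimit: 3
  jobTemplate:
    spec:
      template:
        spec:
          hostPID: true          # kube-bench reads kubelet/kube-proxy flags from the host's process list
          restartPolicy: Never
          containers:
            - name: kube-bench
              image: aquasec/kube-bench:latest   # the project's published image; pin a tag or digest in production
              command: ["kube-bench", "node"]    # node checks only; master checks run on control-plane hosts
              volumeMounts:                      # config locations the node checks inspect, mounted read-only
                - name: var-lib-kubelet
                  mountPath: /var/lib/kubelet
                  readOnly: true
                - name: etc-systemd
                  mountPath: /etc/systemd
                  readOnly: true
                - name: etc-kubernetes
                  mountPath: /etc/kubernetes
                  readOnly: true
          volumes:
            - name: var-lib-kubelet
              hostPath:
                path: /var/lib/kubelet
            - name: etc-systemd
              hostPath:
                path: /etc/systemd
            - name: etc-kubernetes
              hostPath:
                path: /etc/kubernetes
```

Each run lands on whichever node the scheduler picks, so for full coverage pin one CronJob per node with a nodeSelector, and read the results from the completed pod's logs.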

Slide 12

Kubernetes & Docker CIS Benchmarks
■ Built into the Aqua CSP
■ Provides a scored report of the results
■ Can be scheduled to run daily

Slide 13

Kubernetes penetration testing

Slide 14

kube-hunter
How do I know the config is working to secure my cluster?
■ Open source penetration tests for Kubernetes
■ See what an attacker would see
■ github.com/aquasecurity/kube-hunter
■ Online report viewer
■ kube-hunter.aquasec.com

Slide 15

kube-hunter.aquasec.com

Slide 16


Slide 17


Slide 18

kube-hunter with kube-bench

Slide 19


Slide 20


Slide 21


Slide 22

kube-hunter inside a pod

Slide 23

kube-hunter inside a pod
What if my app gets compromised?
Diagram: Kubernetes cluster → pod → token → API server

Slide 24

kube-hunter inside a pod
What if my app gets compromised?
■ Results depend on RBAC settings
■ and the service account you use for the pod

Slide 25

github.com/aquasecurity/kube-bench
github.com/aquasecurity/kube-hunter
@lizrice | @aquasecteam