Copyright @ 2018 Aqua Security Software Ltd. All Rights Reserved. Securing your Kubernetes hosts Liz Rice @lizrice | @aquasecteam

2 Agenda n Kubernetes configuration for security n CIS benchmarks – testing the configuration n Penetration testing – testing for vulnerabilities

6 Kubernetes configuration n Kubernetes components installed on your servers n Master & node components n Many configuration settings have a security impact n Example: open Kubelet port = root access n Defaults depend on the installer What config settings should I use?

7 CIS Kubernetes Benchmark

8 kube-bench n Open source automated tests for CIS Kubernetes Benchmark n Tests for Kubernetes Masters and Nodes n Available as a container github.com/aquasecurity/kube-bench

9

10 kube-bench n Job configuration YAML n Run regularly to ensure no configuration drift n Tests defined in YAML n Released code follows the CIS Benchmark n Modify for your own purposes github.com/aquasecurity/kube-bench

11 Kubernetes & Docker CIS Benchmarks n Built into the Aqua CSP n Provides a scored report of the results n Can be scheduled to run daily

Kubernetes penetration testing

13 kube-hunter n Open source penetration tests for Kubernetes n See what an attacker would see n github.com/aquasecurity/kube-hunter n Online report viewer n kube-hunter.aquasec.com How do I know the config is working to secure my cluster?

14 kube-hunter.aquasec.com

16

kube-hunter with kube-bench

18

19

20

21 Authored by Liz Rice from Aqua Security and Michael Hausenblas from Red Hat https://info.aquasec.com/kubernetes-security

22 Security for containers & cloud native apps Open-source tools for Kubernetes security Find them on GitHub Q&A www.aquasec.com