Slide 1

Securing your Kubernetes hosts
Liz Rice, @lizrice | @aquasecteam
Copyright © 2018 Aqua Security Software Ltd. All Rights Reserved.

Slide 2

Agenda
- Kubernetes configuration for security
- CIS benchmarks – testing the configuration
- Penetration testing – testing for vulnerabilities

Slide 3

Kubernetes configuration
- Kubernetes components installed on your servers
- Master & node components
- Many configuration settings have a security impact
- Example: open Kubelet port = root access
- Defaults depend on the installer

What config settings should I use?
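An added example (not from the talk, and not kube-bench's own test definitions): a small Python audit of three kubelet settings behind the "open Kubelet port" point, run over constructed KubeletConfiguration samples. The field names are real KubeletConfiguration fields; the sample documents and the PASS/FAIL/UNSET labels are assumptions made for this example.

```python
import json

# Constructed sample KubeletConfiguration documents (not taken from the talk).
WEAK = json.loads("""{
  "kind": "KubeletConfiguration",
  "authentication": {"anonymous": {"enabled": true}},
  "authorization": {"mode": "AlwaysAllow"},
  "readOnlyPort": 10255
}""")
HARDENED = json.loads("""{
  "kind": "KubeletConfiguration",
  "authentication": {"anonymous": {"enabled": false}},
  "authorization": {"mode": "Webhook"},
  "readOnlyPort": 0
}""")
UNSET = {"kind": "KubeletConfiguration"}  # relies entirely on installer defaults

# (field path, predicate that accepts the safe value, what a PASS means)
CHECKS = [
    ("authentication.anonymous.enabled", lambda v: v is False,
     "unauthenticated requests to the kubelet API are rejected"),
    ("authorization.mode", lambda v: v == "Webhook",
     "kubelet API requests are authorized via the API server"),
    ("readOnlyPort", lambda v: v == 0,
     "the unauthenticated read-only port is disabled"),
]

def lookup(cfg, dotted):
    """Walk a dotted path; return None when any level is missing."""
    cur = cfg
    for key in dotted.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur

def audit(cfg):
    """Return {field: PASS | FAIL | UNSET}. UNSET means the effective value
    comes from a default, so it has to be confirmed on the running node."""
    results = {}
    for path, is_safe, _meaning in CHECKS:
        value = lookup(cfg, path)
        if value is None:
            results[path] = "UNSET"
        else:
            results[path] = "PASS" if is_safe(value) else "FAIL"
    return results

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED), ("unset", UNSET)):
        print(name, audit(cfg))
```

UNSET is reported separately from PASS because, as the slide says, defaults depend on the installer.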

Slide 4

CIS Kubernetes Benchmark

Slide 5

kube-bench
- Open source automated tests for CIS Kubernetes Benchmark
- Tests for Kubernetes Masters and Nodes
- Available as a container

github.com/aquasecurity/kube-bench

Slide 7

kube-bench
- Job configuration YAML
- Run regularly to ensure no configuration drift
- Tests defined in YAML
- Released code follows the CIS Benchmark
- Modify for your own purposes

github.com/aquasecurity/kube-bench

Slide 8

Kubernetes & Docker CIS Benchmarks
- Built into the Aqua CSP
- Provides a scored report of the results
- Can be scheduled to run daily

Slide 9

Kubernetes penetration testing

Slide 10

kube-hunter
- Open source penetration tests for Kubernetes
- See what an attacker would see
- github.com/aquasecurity/kube-hunter
- Online report viewer
- kube-hunter.aquasec.com

How do I know the config is working to secure my cluster?

Slide 11

kube-hunter.aquasec.com

Slide 13

kube-hunter with kube-bench

Slide 17

Authored by Liz Rice from Aqua Security and Michael Hausenblas from Red Hat
https://info.aquasec.com/kubernetes-security

Slide 18

Security for containers & cloud native apps
Open-source tools for Kubernetes security
Find them on GitHub
Q&A
www.aquasec.com