Slide 1: Kubernetes Security Challenges

Slide 2: Kops (Kubernetes Operations)

Slide 3: Kops - templating - default cluster template

Slide 4: Kops - templating - default values

Slide 5: Kops - templating - cluster-specific values

Slide 6: Kops - templating - make targets!

Slide 7: Kops - VPC / subnet management
Why not use kops defaults?
- Routing tables
- VPC peering
- Direct connections
- Egress control

Slide 8: Terraform tags!

Slide 9: Kops - templating - cluster-specific values

Slide 10: Kops - clusterSpec

Slide 11: Kops - edge nodes
Why?
- Compliance requirements (WAF)
How?
- Dedicated nodePool / instanceGroup
- AWS LB limited to edge nodes

Slide 12: Kops - edge nodes - dedicated nodePool / instanceGroup

Slide 13: Kops - edge nodes - AWS LB limited to edge nodes
Problem:
- Kubernetes service type LoadBalancer (targets all worker nodes)
Solution:
- https://github.com/zalando-incubator/kube-ingress-aws-controller (CUSTOM_FILTERS)

Slide 14: Kops - edge nodes - AWS LB limited to edge nodes

Slide 15: Kops - edge nodes - AWS LB limited to edge nodes

Slide 16: Prevent misuse of privileges
Use authentication and authorization:
- Authentication: SSO (onboarding / offboarding / consistency)
  - OpenID Connect (Google / Dex / ...)
  - Exec (Heptio Authenticator)
- Authorization & logs
  - RBAC is mandatory
  - Audit event logging (k8s 1.9+)
  - audit2rbac: generates RBAC role and binding objects based on the audit log of API requests made by a user
- Admission controls (webhooks after Auth{n,z})
  - Image whitelisting
  - Workload mutation
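
The audit-log-to-RBAC idea on this slide, as an added worked example (this is not the deck's code and not the audit2rbac project's implementation, which is a Go tool): it reads audit.k8s.io/v1 events from a JSON-lines audit log, keeps the ResponseComplete events of one user, and emits the Role/ClusterRole and binding objects that would cover exactly the verbs and resources that user was observed using. The log lines, the user names and the namespace are constructed for the example.

```python
import json
from collections import defaultdict

# Constructed sample of audit.k8s.io/v1 events as the kube-apiserver log backend
# writes them (one JSON object per line, trimmed to the fields used here).
# Not real cluster data; user names and namespaces are made up.
SAMPLE_AUDIT_LOG = r"""
{"stage":"ResponseComplete","verb":"list","user":{"username":"alice@example.com"},"objectRef":{"resource":"pods","namespace":"payments","apiVersion":"v1"},"responseStatus":{"code":200}}
{"stage":"RequestReceived","verb":"watch","user":{"username":"alice@example.com"},"objectRef":{"resource":"pods","namespace":"payments","apiVersion":"v1"}}
{"stage":"ResponseComplete","verb":"watch","user":{"username":"alice@example.com"},"objectRef":{"resource":"pods","namespace":"payments","apiVersion":"v1"},"responseStatus":{"code":200}}
{"stage":"ResponseComplete","verb":"get","user":{"username":"alice@example.com"},"objectRef":{"resource":"pods","namespace":"payments","name":"web-0","apiVersion":"v1"},"responseStatus":{"code":200}}
{"stage":"ResponseComplete","verb":"create","user":{"username":"alice@example.com"},"objectRef":{"resource":"deployments","namespace":"payments","apiGroup":"apps","apiVersion":"v1"},"responseStatus":{"code":201}}
{"stage":"ResponseComplete","verb":"list","user":{"username":"alice@example.com"},"objectRef":{"resource":"nodes","apiVersion":"v1"},"responseStatus":{"code":200}}
{"stage":"ResponseComplete","verb":"get","user":{"username":"alice@example.com"},"requestURI":"/healthz","responseStatus":{"code":200}}
{"stage":"ResponseComplete","verb":"delete","user":{"username":"bob@example.com"},"objectRef":{"resource":"secrets","namespace":"payments","name":"db-creds","apiVersion":"v1"},"responseStatus":{"code":200}}
"""

RBAC_API = "rbac.authorization.k8s.io/v1"


def parse_audit_log(text):
    """Return the audit events of a JSON-lines audit log, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def observed_rules(events, username):
    """Aggregate {(namespace, apiGroup, resource): {verbs}} for one user.

    Only ResponseComplete events are counted so a request is not seen twice
    (RequestReceived + ResponseComplete). Events without an objectRef are
    non-resource URLs (/healthz, /version) and are left out here.
    """
    rules = defaultdict(set)
    for ev in events:
        if ev.get("stage") != "ResponseComplete":
            continue
        if ev.get("user", {}).get("username") != username:
            continue
        ref = ev.get("objectRef")
        if not ref or "resource" not in ref:
            continue
        # Cluster-scoped resources (nodes, namespaces, ...) carry no namespace;
        # the core API group is reported as an absent/empty apiGroup.
        key = (ref.get("namespace"), ref.get("apiGroup", ""), ref["resource"])
        rules[key].add(ev["verb"])
    return rules


def generate_rbac(audit_log, username, role_name):
    """Build Role/ClusterRole objects plus bindings covering what `username` did."""
    rules = observed_rules(parse_audit_log(audit_log), username)
    # Group by namespace; None (cluster-scoped) becomes a ClusterRole.
    by_namespace = defaultdict(list)
    for (ns, group, resource), verbs in sorted(
        rules.items(), key=lambda kv: (kv[0][0] or "", kv[0][1], kv[0][2])
    ):
        by_namespace[ns].append(
            {"apiGroups": [group], "resources": [resource], "verbs": sorted(verbs)}
        )
    objects = []
    for ns, ns_rules in by_namespace.items():
        kind = "Role" if ns else "ClusterRole"
        metadata = {"name": role_name}
        if ns:
            metadata["namespace"] = ns
        objects.append(
            {"apiVersion": RBAC_API, "kind": kind, "metadata": metadata, "rules": ns_rules}
        )
        objects.append(
            {
                "apiVersion": RBAC_API,
                "kind": kind + "Binding",
                "metadata": dict(metadata),
                "subjects": [
                    {"kind": "User", "name": username, "apiGroup": "rbac.authorization.k8s.io"}
                ],
                "roleRef": {"kind": kind, "name": role_name, "apiGroup": "rbac.authorization.k8s.io"},
            }
        )
    return objects


if __name__ == "__main__":
    # kubectl apply -f accepts JSON, so a v1 List wrapping the objects is enough.
    manifests = generate_rbac(SAMPLE_AUDIT_LOG, "alice@example.com", "alice-observed")
    print(json.dumps({"apiVersion": "v1", "kind": "List", "items": manifests}, indent=2))
```

Two caveats a practitioner should keep in mind: the audit policy has to log at least the Metadata level for the resource and user fields to be present, and the generated rules describe what the user tried, not what they needed (a request that was denied with 403 is still in the log), so the output is a starting point for review rather than something to apply blindly.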

Slide 17: SSO: AWS Authenticator - kops bootstrapping
Overview:
- IAM role
- TLS (self-signed CA)
- kube-apiserver webhook configuration
- Authenticator DaemonSet on masters
How? Terraform + kops hooks and addons

Slide 18: Kops bootstrapping: AWS Authenticator - IAM role (Terraform)

Slide 19: Kops bootstrapping: AWS Authenticator - TLS (Terraform)

Slide 20: Kops bootstrapping: AWS Authenticator - kube-apiserver webhook configuration file (Terraform)

Slide 21: Kops bootstrapping: AWS Authenticator - node bootstrapping hooks (kops clusterSpec.hooks, host OS = CoreOS): copy webhook config and TLS

Slide 22: Kops bootstrapping: AWS Authenticator - kube addon bootstrapping (kops clusterSpec.addons)

Slide 23: Kops bootstrapping: AWS Authenticator - kops channels manifest

Slide 24: Kops bootstrapping: AWS Authenticator - templated addons (Terraform)

Slide 25: Kubernetes components
Isolate from external access ...
- API server
- Kubelet
- Etcd
- Firewall between master and worker nodes
- Overlay network (Flannel / Calico / Romana / ...) & etcd
And use TLS (etcd / kubelet bootstrapping / ...)
https://kubernetes.io/blog/2018/07/18/11-ways-not-to-get-hacked/

Slide 26: When to opt for a custom deployment?
- Responsibility for maintaining the clusters lies solely with the customer
- Master symmetric keys need to be manually rotated: https://www.twistlock.com/2017/08/02/kubernetes-secrets-encryption/
- Etcd isolation & TLS configuration: https://coreos.com/etcd/docs/latest/op-guide/security.html
- Node bootstrapping & TLS configuration: https://medium.com/@toddrosner/kubernetes-tls-bootstrapping-cf203776abc7
- Trade-offs
  - Bleeding edge
  - Choice (machine configuration, operating systems, storage backends, network plugins and HA configuration)

Slide 27: Application lifecycle (containers)
● Security shift left
● Container image security
● Container registry management
● Immutability
Image credit: Aquasec
"One of the characteristics of containers is that they're very predictable, or they should be. This allows you to do security in a more predictable, automated way." - John Morello, CTO Twistlock

Slide 28: Feature re-cap (container orchestrators)
- Image scanning
- Registry scanning
- Admission hooks to only run allowed images
- Process whitelisting in containers
- Binary whitelisting
- Node protection
- RBAC with least privilege approach
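
The "admission hooks to only run allowed images" item (and the image whitelisting / immutability points on the earlier slides) as an added worked example; this is not code from the deck or from any of the products it names. It is the decision logic of a validating admission webhook: given an admission.k8s.io/v1 AdmissionReview for a Pod, it checks every container, init container and ephemeral container against an allow-list of registries and rejects images that are not pinned to a tag or digest. The registry name, the pod objects and the request UIDs are constructed placeholders.

```python
import json

# Registries allowed to supply images; constructed for this example.
ALLOWED_REGISTRIES = {"registry.example.com"}


def registry_of(image):
    """Return the registry host of an image reference.

    The first path component is a registry only when it looks like a host
    (contains '.' or ':' or is 'localhost'); otherwise the image comes from
    docker.io, which is how the container runtime resolves it.
    """
    first, sep, _ = image.partition("/")
    if sep and ("." in first or ":" in first or first == "localhost"):
        return first
    return "docker.io"


def is_pinned(image):
    """True when the reference names a digest or a tag other than 'latest'."""
    if "@sha256:" in image:
        return True
    last = image.rsplit("/", 1)[-1]  # drop the path so a registry port is not taken for a tag
    tag = last.partition(":")[2]
    return bool(tag) and tag != "latest"


def violations(pod, allowed_registries):
    """List policy violations for every container of a Pod object."""
    problems = []
    spec = pod.get("spec", {})
    for field in ("initContainers", "containers", "ephemeralContainers"):
        for container in spec.get(field, []):
            image = container.get("image", "")
            name = f"{field}/{container.get('name', '?')}"
            registry = registry_of(image)
            if registry not in allowed_registries:
                problems.append(f"{name}: registry {registry!r} is not allowed")
            if not is_pinned(image):
                problems.append(f"{name}: image {image!r} is not pinned to a tag or digest")
    return problems


def review(admission_review, allowed_registries=ALLOWED_REGISTRIES):
    """Answer an admission.k8s.io/v1 AdmissionReview for a Pod create/update."""
    request = admission_review["request"]
    obj = request.get("object") or {}
    problems = violations(obj, allowed_registries) if obj.get("kind") == "Pod" else []
    response = {"uid": request["uid"], "allowed": not problems}
    if problems:
        # The status message is what kubectl shows the user on rejection.
        response["status"] = {"code": 403, "message": "; ".join(problems)}
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview", "response": response}


def _sample_review(uid, containers):
    """Constructed AdmissionReview request, shaped as the API server POSTs it."""
    return {
        "apiVersion": "admission.k8s.io/v1",
        "kind": "AdmissionReview",
        "request": {
            "uid": uid,
            "kind": {"group": "", "version": "v1", "kind": "Pod"},
            "operation": "CREATE",
            "namespace": "payments",
            "object": {"apiVersion": "v1", "kind": "Pod",
                       "metadata": {"name": "web", "namespace": "payments"},
                       "spec": {"containers": containers}},
        },
    }


# Placeholder UIDs; real ones are generated by the API server per request.
SAMPLE_ALLOWED = _sample_review("00000000-0000-0000-0000-000000000001",
                                [{"name": "web", "image": "registry.example.com/team/web:1.4.2"}])
SAMPLE_DENIED = _sample_review("00000000-0000-0000-0000-000000000002",
                               [{"name": "web", "image": "nginx:latest"}])

if __name__ == "__main__":
    for sample in (SAMPLE_ALLOWED, SAMPLE_DENIED):
        print(json.dumps(review(sample)["response"]))
```

To deploy logic like this, serve `review` behind HTTPS (the API server only calls webhooks over TLS and needs the CA in the ValidatingWebhookConfiguration's caBundle), register the webhook on pods rather than only on deployments so that every controller path is covered, and use failurePolicy: Fail with a namespaceSelector that excludes kube-system, otherwise an outage of the webhook either admits everything or blocks the control plane itself.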

Slide 29: Security platforms
● Aqua Sec
● Twistlock
● Sysdig Secure
● ...
Image credit: Aquasec

Slide 30: Thank you. Questions?
More extensive overview: https://kubernetes.io/blog/2018/07/18/11-ways-not-to-get-hacked/