Slide 1

Slide 1 text

Production SecOps With Kubernetes In Docker

Scott Coulton, Principal software engineer, Puppet

Slide 2

Slide 2 text

About me @scottcoulton

Slide 3

Slide 3 text

Agenda

● Let's build a CaaS
● What's the difference (Swarm vs Kubernetes)
● Now for the fun stuff: secops with Kubernetes

Slide 4

Slide 4 text

Let’s build a CaaS

Slide 5

Slide 5 text

Live demo time

Slide 6

Slide 6 text

So let's look at the platform architecture

Slide 7

Slide 7 text

Platform Architecture (diagram, Enterprise Edition platform)

Infrastructure: Physical, Virtualization, Public Cloud
Platform layers: Operating Systems, Container Engine, Orchestration, Networking, Storage, Platform Security
Services: Developer Services, Registry Services, Access Policies, App Lifecycle Management, Automation & Extensibility
Surrounding tooling: Config Mgt, Monitoring, Logging, CI/CD, Images, Networking, Volumes, ..more..

Slide 8

Slide 8 text

Docker EE Architecture (diagram)

Docker EE Cluster: a Management Plane of Manager Nodes, plus Worker Nodes running workloads.

Slide 9

Slide 9 text

Docker EE Orchestration (diagram)

Secure Cluster Management and App Scheduler, with Swarm OR Kubernetes as the orchestrator on top of the Docker EE Cluster of nodes.

Slide 10

Slide 10 text

What's the difference?

Slide 11

Slide 11 text

Swarm

● Uses docker cli
● Deploys applications through 'stacks'
● Overlay networking

Slide 12

Slide 12 text

Kubernetes

● kubectl as the cli tool
● More deployment definitions, i.e. pods, svc, deployments
● Plug and play networking with CNI

Slide 13

Slide 13 text

In Docker EE you can swap and change

Slide 14

Slide 14 text

Live demo time

Slide 15

Slide 15 text

Now for the fun stuff: secops with Kubernetes

Slide 16

Slide 16 text

Real life attacks

Slide 17

Slide 17 text

Hackers going to hack

This attack allowed the hackers to gain access to your Docker host via a vulnerable image.

https://www.fortinet.com/blog/threat-research/yet-another-crypto-mining-botnet.html
https://github.com/docker/hub-feedback/issues/1121

Slide 18

Slide 18 text

Hackers going to hack

Slide 19

Slide 19 text

How do we protect from this threat?

Slide 20

Slide 20 text

Secure Supply Chain

Slide 21

Slide 21 text

Secure Supply Chain (diagram)

Docker for Mac or Docker for Windows → TEST → STAGING → PRODUCTION
Controls along the way: Scanning, Signing, Automated Policies
• Signature verification
• Native encryption

Slide 22

Slide 22 text

No content

Slide 23

Slide 23 text

Docker for Secure Supply Chain (diagram)

Non-Production Environments: Developer Machine (Development), Version Control, CI/CD, Docker Trusted Registry, Docker UCP
Production Environments (Operations): Docker Trusted Registry, Docker UCP, Datacenter 1, Datacenter 2

Slide 24

Slide 24 text

CI Workflow (diagram)

Version Control holds src, Dockerfiles and docker-compose.yml files.
CI Agent (build start):
  $ git clone
  $ mvn deploy
Repository Manager holds binaries (push / pull).
Build container, runs build:
  $ docker run -it --rm builder build
CI Agent:
  $ git clone
  $ docker build -t myapp
  $ docker push myapp
Docker Trusted Registry (push / pull).
CI Agent:
  $ eval $(

Slide 25

Slide 25 text

Notary client config for DockerHub

~/.notary/config.json

{
  "trust_dir": "~/.docker/trust",
  "remote_server": {
    "url": "https://notary.docker.io"
  }
}

Slide 26

Slide 26 text

Notary client config for your registry

~/.notary/config.json

{
  "trust_dir": "~/.docker/trust",
  "remote_server": {
    "url": "dtr_url",
    "root-ca": "dtr_ca.pem"
  }
}

Slide 27

Slide 27 text

Push and sign your application

$ export DOCKER_CONTENT_TRUST=1
$ docker push {dtr_url/registry_url}/{account}/{repository}:{tag}

Slide 28

Slide 28 text

The one take away from this talk: "Sign your images"

Scott Coulton, Principal software engineer, Puppet

Slide 29

Slide 29 text

No content

Slide 30

Slide 30 text

Run as non root

apiVersion: v1
kind: Pod
metadata:
  name: my-dockercon-app
spec:
  securityContext:
    runAsUser: 1000   # pod-level default, inherited by every container

Slide 31

Slide 31 text

Read only file system

apiVersion: v1
kind: Pod
metadata:
  name: my-dockercon-app
spec:
  containers:
  - name: dockercon
    image: myapp   # placeholder; the slide does not name an image
    securityContext:
      readOnlyRootFilesystem: true   # container-level field; not valid under spec.securityContext

Slide 32

Slide 32 text

Privilege escalation

apiVersion: v1
kind: Pod
metadata:
  name: my-dockercon-app
spec:
  containers:
  - name: dockercon
    image: myapp   # placeholder; the slide does not name an image
    securityContext:
      allowPrivilegeEscalation: false   # container-level field; not valid under spec.securityContext

Slide 33

Slide 33 text

You don't have to choose one

apiVersion: v1
kind: Pod
metadata:
  name: my-dockercon-app
spec:
  securityContext:
    runAsUser: 1000   # pod-level, inherited by the container
  containers:
  - name: dockercon
    image: myapp   # placeholder; the slide does not name an image
    securityContext:
      readOnlyRootFilesystem: true      # these two only exist on the container securityContext
      allowPrivilegeEscalation: false

Slide 34

Slide 34 text

No content

Slide 35

Slide 35 text

A great blog post on this stuff https://blog.jessfraz.com/post/containers-security-and-echo-chambers/

Slide 36

Slide 36 text

Apparmor

apiVersion: v1
kind: Pod
metadata:
  name: my-dockercon-app
  annotations:
    container.apparmor.security.beta.kubernetes.io/dockercon: runtime/default   # key suffix must match the container name
spec:
  containers:
  - name: dockercon
    image: myapp   # placeholder; the slide does not name an image

Slide 37

Slide 37 text

Selinux

apiVersion: v1
kind: Pod
metadata:
  name: my-dockercon-app
spec:
  securityContext:
    seLinuxOptions:
      level: "s0:c123,c456"
  containers:
  - name: dockercon
    image: myapp   # placeholder; the slide does not name an image
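Slides 30 to 37 each show one hardening setting in isolation, and the easy mistake when combining them is putting container-only fields (readOnlyRootFilesystem, allowPrivilegeEscalation) under the pod-level securityContext, where they do nothing. The following is an added example, not code from the talk or from Docker/Kubernetes: a small manifest linter that checks a parsed Pod for the settings from these slides (non-root user, read-only root filesystem, no privilege escalation, an AppArmor annotation per container) and flags fields placed at the wrong level. Manifests are supplied as already-parsed dicts, the shape yaml.safe_load would return; the pod name, container name and image are constructed placeholders.

```python
"""Lint Kubernetes Pod manifests for the hardening settings from slides 30-37.

Added example, not code from the talk. Manifests are supplied as already-parsed
dicts (the shape yaml.safe_load returns); the Pod names and the container image
are constructed placeholders.
"""

APPARMOR_PREFIX = "container.apparmor.security.beta.kubernetes.io/"

# These two fields exist only on the container SecurityContext. Under
# spec.securityContext (the PodSecurityContext) they are unknown and the
# protection never applies, which is easy to miss in a slide-sized manifest.
CONTAINER_ONLY_FIELDS = ("readOnlyRootFilesystem", "allowPrivilegeEscalation")


def lint_pod(pod):
    """Return a list of human-readable findings for one Pod manifest dict."""
    findings = []
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext") or {}
    annotations = pod.get("metadata", {}).get("annotations") or {}

    for field in CONTAINER_ONLY_FIELDS:
        if field in pod_sc:
            findings.append(
                f"spec.securityContext.{field} is not a pod-level field; set it per container")

    for c in spec.get("containers", []):
        name = c.get("name", "<unnamed>")
        sc = c.get("securityContext") or {}
        # runAsUser / runAsNonRoot are inherited from the pod level; the
        # container-level value wins when both are present.
        run_as_user = sc.get("runAsUser", pod_sc.get("runAsUser"))
        run_as_non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot"))
        if run_as_user == 0:
            findings.append(f"{name}: runs as root (runAsUser: 0)")
        elif run_as_user is None and not run_as_non_root:
            findings.append(f"{name}: no runAsUser or runAsNonRoot; image default may be root")
        if sc.get("readOnlyRootFilesystem") is not True:
            findings.append(f"{name}: readOnlyRootFilesystem is not true")
        if sc.get("allowPrivilegeEscalation") is not False:
            findings.append(f"{name}: allowPrivilegeEscalation is not false")
        if sc.get("privileged"):
            findings.append(f"{name}: privileged container")
        if APPARMOR_PREFIX + name not in annotations:
            findings.append(f"{name}: no AppArmor profile annotation for this container")
    return findings


# Constructed sample 1: the slide-33 shape, with every setting under
# spec.securityContext and a single container added so the Pod is complete.
SLIDE_STYLE_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "my-dockercon-app"},
    "spec": {
        "securityContext": {
            "runAsUser": 1000,
            "readOnlyRootFilesystem": True,
            "allowPrivilegeEscalation": False,
        },
        "containers": [{"name": "dockercon", "image": "myapp"}],
    },
}

# Constructed sample 2: the same intent expressed at the right levels.
HARDENED_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {
        "name": "my-dockercon-app",
        "annotations": {APPARMOR_PREFIX + "dockercon": "runtime/default"},
    },
    "spec": {
        "securityContext": {
            "runAsUser": 1000,
            "seLinuxOptions": {"level": "s0:c123,c456"},
        },
        "containers": [{
            "name": "dockercon",
            "image": "myapp",
            "securityContext": {
                "readOnlyRootFilesystem": True,
                "allowPrivilegeEscalation": False,
            },
        }],
    },
}

if __name__ == "__main__":
    for label, pod in (("slide-style", SLIDE_STYLE_POD), ("hardened", HARDENED_POD)):
        print(f"{label}: {len(lint_pod(pod))} finding(s)")
        for finding in lint_pod(pod):
            print("  -", finding)
```

Run against the slide-style manifest the linter reports five findings (two misplaced fields, the two missing container-level settings that result, and the missing AppArmor annotation); the hardened manifest reports none. Wiring this into CI before the docker push step in the CI Workflow slide catches the mistake before an image is signed and promoted.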

Slide 38

Slide 38 text

Questions

Slide 39

Slide 39 text

Thank you!