Slide 1

Slide 1 text

Kubernetes Security Carol Valencia Devops Engineer

Slide 2

Slide 2 text

Agenda Overview Containers Kubernetes 2 Conclusion

Slide 3

Slide 3 text

3 Figure (Wikimedia Infraestructure)

Slide 4

Slide 4 text

4 Figure (https://blog.resellerspanel.com/web-hosting-platform/dirty-cow-linux-exploit-patched-successfully.html) Kernel exploits

Slide 5

Slide 5 text

5 DoS Attacks Figure Botnet Command and Control server (http://bit.ly/2BKHFh7)

Slide 6

Slide 6 text

6 Poisoned Images

Slide 7

Slide 7 text

7 Container Breakouts Figure - RunC vulnerability in Ubuntu (https://kinvolk.io/blog/2019/02/runc-breakout-vulnerability-mitigated-on-flatcar-linux)

Slide 8

Slide 8 text

8 Compromised Credentials Figure - Cyber Attacks Compromising (https://www.lookingpoint.com/blog/dark-web)

Slide 9

Slide 9 text

9 Figure -(pensource security - 2019) 78% vulnerabilities in indirect dependencies 37% of open source developers no security testing in CI 54% docker image no security testing Top 10 docker images contain > 30 vulnerable system libraries

Slide 10

Slide 10 text

10 Figure -(sre19emea - davis)

Slide 11

Slide 11 text

Containers 1 11

Slide 12

Slide 12 text

12 Control what a process can SEE ● PID ● Mount ● Network ● UTS ● IPS ● User Namespaces Control what a process can USE Cgroups

Slide 13

Slide 13 text

13 Linux Capabilities By default, a container own only 14 of 37 capabilities Principle of Least Privilege

Slide 14

Slide 14 text

Container Security Public images ? Run as root ? defaults to root (uid=0) Admin capabilities ? 14 Private register Secure the Docker host Unprivileged users Read only filesystems Security Policies - syscall whitelist: SELinux, AppArmor, Seccomp-bpf.

Slide 15

Slide 15 text

Container Security 15 Remove SUID binaries or drop the SETUID capability Set User ID is a type of permission that allows users to execute a file with the permissions of a specified user. No --privileged containers Drop all capabilities then add needed caps Enable user namespaces Set resource limits and ulimits Mount volumes: ro, noexec, nosuid, nodev

Slide 16

Slide 16 text

Containers are not a sandbox 16 Legacy workloads in a cloud-native ? Kata, gVisor, Hyper RunV, KubeVirt Figure - gVisor (https://thenewstack.io/how-to-implement-secure-containers-using-googles-gvisor/)

Slide 17

Slide 17 text

Pod - Security Context 17 Admission controller

Slide 18

Slide 18 text

Pod Security Policy Admission controller 18

Slide 19

Slide 19 text

Tools ◉ Center for Internet Security (CIS) for Docker ◉ Docker-bench-security ◉ Grafeas: audit and govern your software supply chain ◉ Sysdig: container troubleshooting and security investigation ◉ CoreOs / Clair: Vulnerability Static Analysis for Containers ◉ Aqua / Microscanner: Scan your container images for package vulnerabilities ◉ Capsule8: open-source cloud-native behavioral security monitoring 19

Slide 20

Slide 20 text

Architecting Container Infrastructure for Security And Compliance 20 Figure - https://www.xenonstack.com/blog/devsecops/

Slide 21

Slide 21 text

Cluster 2 21 Kubernetes

Slide 22

Slide 22 text

22 Api Driven

Slide 23

Slide 23 text

Kubernetes Components 23 Figure by Improving your Kubernetes Workload Security with Hardware Virtualization

Slide 24

Slide 24 text

Kubernetes High-level Component Architecture 24 What Does “Production Ready” Really Mean for a Kubernetes Cluster? - Lucas Käldström

Slide 25

Slide 25 text

“ High System Complexity. Defaults are used first, as-is. 25

Slide 26

Slide 26 text

26 Kubernetes Security Book - Liz Rice Possible Attacks

Slide 27

Slide 27 text

27 CVE-2018-1002105 Privilege escalation flaw - Openshift. Tesla Crytomining hackers

Slide 28

Slide 28 text

28 Kubernetes API

Slide 29

Slide 29 text

GKE 29 Api Server Firewall Kops

Slide 30

Slide 30 text

30 Kubelet Config

Slide 31

Slide 31 text

31 Allow Desired Traffic https://github.com/projectcalico/calico/tree/master/v3.5/getting-started/kubernetes/tutorials

Slide 32

Slide 32 text

32 Network Policy Ingress Egress

Slide 33

Slide 33 text

33 Best practices ◉ Hosts: Private topology / bastion ◉ TLS Everywhere - for all API traffic ◉ Certificate rotation (1.8) ◉ Separate and Firewall etcd - Restrict access ◉ Authorization RBAC with Least Privilege ◉ Enable audit logging ◉ Upgrade cluster. ◉ Encrypting Secret Data at Rest (1.13): encrypted in etcd. AES-CBC, AES-GCM, KMS.

Slide 34

Slide 34 text

Tools ◉ Center for Internet Security (CIS) Benchmark for Kubernetes ◉ Aqua - kube-bench: Kubernetes is deployed according to security best practices ◉ Aqua - kube-hunter: hunts for security weaknesses in Kubernetes clusters ◉ K8Guard - An auditing system for Kubernetes ◉ Anchore : kubernetes-admission-controller 34

Slide 35

Slide 35 text

Authentication & Authorization Kubernetes 3 35

Slide 36

Slide 36 text

36 Authorization and RBAC ClusterRole / Roles

Slide 37

Slide 37 text

37 RBAC Reading access in a specific namespaces

Slide 38

Slide 38 text

38 Users in Kubernetes ● X.509 client certs ● Password files ● Bearer token webhook ● Service Account ● OpenID Connect (OIDC)

Slide 39

Slide 39 text

◉ OIDC jwt ◉ Redhat / Keycloak open source identity ◉ Dexidp / dex OpenID Connect is based on OAuth 2.0. ◉ Aws iam authenticator - Heptio and Amazon EKS OSS Engineers. ◉ Hashicorp / vault-plugin-auth-kubernetes ◉ Appscode / Guard Kubernetes Authentication WebHook Server 39 Authentication Tools

Slide 40

Slide 40 text

Authorization Tools ◉ Liggitt / audit2rbac Autogenerate RBAC policies based on Kubernetes audit logs. ◉ FairwindsOps / Rbac-manager. A Kubernetes operator for Role Bindings and Service Accounts. ◉ Jtblin / kube2iam provides different AWS IAM roles for pods running on Kubernetes. 40

Slide 41

Slide 41 text

Admission Control 41 ◉ NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStor ageClass,DefaultTolerationSeconds,MutatingAdmissionWebh ook,ValidatingAdmissionWebhook,ResourceQuota ◉ Dynamic Admission Control ◉ Validating Admission Webhook: Grafeas, Anchore. ◉ Mutating Admission Webhook

Slide 42

Slide 42 text

Security Compliance Tools ◉ OpenSCAP - Open Source Security Content Automation Protocol ◉ Open Policy Agent / OPA. 42

Slide 43

Slide 43 text

Security Compliance Tools 43

Slide 44

Slide 44 text

Best practices 44 ◉ Disable anonymous authentication. ◉ Enabled RBAC ◉ Helm: TLS certificates ◉ Deny by default: RBAC, NetworkPolicy, PodSecurityPolicy ◉ Restrict service token use ◉ Use Third Party Auth for API Server

Slide 45

Slide 45 text

Secrets Kubernetes 4 45

Slide 46

Slide 46 text

Secrets Credentials, configurations, API keys … 46 Secrets are stored in plaintext in etcd, not encrypted.

Slide 47

Slide 47 text

Best practices Source code Dockerfiles / images Base64 is not encryption 47 RBAC limit read secrets 1.10 EncryptionConfiguration - Providers: identity, aesbc, secretbox, aesgcm, kms. Kube-apiserver --encryptation-provider-config=/etc/encryptation-config.yml ….

Slide 48

Slide 48 text

Dynamic Secrets 48 Figure Hashicorp vault - (https://learn.hashicorp.com/vault/identity-access-management/vault-agent-k8s )

Slide 49

Slide 49 text

49 Vault Demo

Slide 50

Slide 50 text

50 Figure - https://github.com/krol3/k8s-vaults/blob/master/hashicorp/pod-example.yml Vault ● Secrets ● Credentials ● Security policies

Slide 51

Slide 51 text

Tools ◉ Hashicorp Vault ◉ CyberArk Conjur ◉ Aqua Secrets 51

Slide 52

Slide 52 text

DevSecOps Reference Architectures 52 Figure - https://www.cloudbees.com/blog/uniting-devops-and-security-devsecops-government

Slide 53

Slide 53 text

How do you define “production ready” and “highly available” anyway? Can a cluster be created so that it’s secured from end-to-end, has no single points of failure, and is upgradable with zero control plane downtime? 53

Slide 54

Slide 54 text

Resources 54

Slide 55

Slide 55 text

Obrigada! Linkedin: linkedin.com/in/carolgv Github: krol3 [email protected] 55