OpenStack Days Stockholm: A DevOps State of Mind: Continuous Security with Kubernetes

Slide 1

Slide 1 text

A DevOps State of Mind: Continuous Security with Kubernetes Chris Van Tuin Red Hat Chief Technologist, NA West / Silicon Valley cvantuin@redhat.com

Slide 2

Slide 2 text

“Only the paranoid survive” - Andy Grove, 1996

Slide 3

Slide 3 text

THE WORLD IS AUTOMATING Those who succeed in automation will win

Slide 4

Slide 4 text

No content

Slide 5

Slide 5 text

THE CHALLENGE:   ENABLE INNOVATION AT SPEED, WHILE EXECUTING AT SCALE WITH EFFICIENCY Static &  Planned Dynamic &   Policy Driven Execution Innovation Old New Execution Innovation

Slide 6

Slide 6 text

IT’S NOT JUST SOFTWARE, THE DIGITAL LEADERS = Empowered organization Speed Up   Innovation Time Change Move Fast, Break Things Culture of experimentation A 20% vs. 25% Shorten the Feedback Loop Real-time data-driven intelligence & personalization AI /  ML Data, Data, Data B

Slide 7

Slide 7 text

IT MUST EVOLVE & KEEP UP

Slide 8

Slide 8 text

Applications & devices outside of IT control Cloud computing Software-defined infrastructure Dissolving security perimeter Menacing threat landscape TRADITIONAL NETWORK-BASED DEFENSES ARE NO LONGER ENOUGH SECURING THE ENTERPRISE IS HARDER THAN EVER The way we develop, deploy and manage IT is changing dramatically led by DevOps, Cloud Native Applications, and Hybrid Cloud

Slide 9

Slide 9 text

DEVSECOPS Continuous Security Improvement Process Optimization Security Automation Dev QA Prod Reduce Risks, Lower Costs, Speed Delivery, Speed Reaction

Slide 10

Slide 10 text

DEVSECOPS + + Security DEV QA OPS Culture Process Technology Linux + Containers IaaS Orchestration CI/CD Source Control Management Collaboration Build and Artifact Management Testing Frameworks Cloud Native Applications Hybrid Cloud Open Source

Slide 11

Slide 11 text

Chris Van Tuin Chief Technologist, NA West / Silicon Valley cvantuin@redhat.co docker.io Registry Private Registry FROM fedora:1.0 CMD echo “Hello” Build file Physical, Virtual, Cloud Container Image Container Instance Build Run Ship CONTAINERS ENABLE DEVSECOPS

Slide 12

Slide 12 text

Chris Van Tuin Chief Technologist, NA West / Silicon Valley cvantuin@redhat.co Scheduling Monitoring Persistence Discovery Lifecycle & health Scaling Aggregation Security CONTAINERS AT SCALE BARE METAL VIRTUAL PRIVATE CLOUD PUBLIC CLOUD

Slide 13

Slide 13 text

BARE METAL VIRTUAL PRIVATE CLOUD PUBLIC CLOUD Security Platform

Slide 14

Slide 14 text

AUTOMATION

Slide 15

Slide 15 text

Web Database role=web role=db role=web replicas=1,   role=db replicas=2,   role=web ORCHESTRATION Deployment, Declarative Pods Nodes Services Controller Manager & Data Store (etcd)

Slide 16

Slide 16 text

Web Database replicas=1,   role=db replicas=2,   role=web HEALTH CHECK Pods Nodes Services role=web role=db role=web Controller Manager & Data Store (etcd)

Slide 17

Slide 17 text

Pods Nodes Services Web Database replicas=1,   role=db replicas=3   role=web AUTO-SCALE 50% CPU role=web role=db role=web role=web Controller Manager & Data Store (etcd)

Slide 18

Slide 18 text

Network isolation API & Platform access Federated clusters Storage {} CI/CD Monitoring & Logging Builds Images SECURING YOUR CONTAINER ENVIRONMENT Container host Registry

Slide 19

Slide 19 text

CONTAINER IMAGES

Slide 20

Slide 20 text

LAPTOP Container Application OS dependencies Guest VM LINUX BARE METAL Container Application OS dependencies LINUX VIRTUALIZATION Container Application OS dependencies Virtual Machine LINUX PRIVATE CLOUD Container Application OS dependencies Virtual Machine LINUX PUBLIC CLOUD Container Application OS dependencies Virtual Machine LINUX CONTAINERS - Build Once, Deploy Anywhere Reducing Risk and Improving Security with Improved Consistency

Slide 21

Slide 21 text

CONTAINER IMAGE JAR CONTAINER IMAGE Application Application Language runtimes OS dependencies 1.2/latest 1.1

Slide 22

Slide 22 text

Config Data Kubernetes configmaps secrets Container image Traditional   data services, Kubernetes   persistent volumes TREAT CONTAINERS AS IMMUTABLE Application Language runtimes OS dependencies

Slide 23

Slide 23 text

•Authenticating authorship •Non-repudiation •Ensuring image integrity CONTAINER IMAGE SIGNING Validate what images and version are running

Slide 24

Slide 24 text

CONTAINER BUILDS

Slide 25

Slide 25 text

A CONVERGED SOFTWARE   SUPPLY CHAIN

Slide 26

Slide 26 text

CUSTOM SUPPLY CHAIN

Slide 27

Slide 27 text

• Treat build file as a Blueprint • Version control build file • Don’t login to build/configure • Be explicit with versions, not latest • Always list registry pulling FROM • Specify USER, default is root • Each Run creates a new layer BUILD FILE BEST PRACTICES FROM registry.redhat.com/rhel7 RUN groupadd -g 999 appuser && \ useradd -r -u 999 -g appuser appuser USER appuser CMD echo “Hello” Build file

Slide 28

Slide 28 text

CONTAINER REGISTRY SECURITY

Slide 29

Slide 29 text

64% of official images in Docker Hub   contain high priority security vulnerabilities examples: ShellShock (bash) Heartbleed (OpenSSL) Poodle (OpenSSL) Source: Over 30% of Official Images in Docker Hub Contain High Priority Security Vulnerabilities, Jayanth Gummaraju, Tarun Desikan, and Yoshio Turner, BanyanOps, May 2015 (http://www.banyanops.com/pdf/BanyanOps-AnalyzingDockerHub-WhitePaper.pdf) WHAT’S INSIDE THE CONTAINER MATTERS

Slide 30

Slide 30 text

PRIVATE REGISTRY

Slide 31

Slide 31 text

CONTAINER HOST SECURITY

Slide 32

Slide 32 text

Kernel Hardware (Intel, AMD) or Virtual Machine Containers Containers Containers Unit File Docker Image Container CLI SYSTEMD Cgroups Namespaces SELinux Drivers CONTAINERS ARE LINUX seccomp Read Only mounts

Slide 33

Slide 33 text

CGROUPS - RESOURCE ISOLATION

Slide 34

Slide 34 text

NAMESPACES - PROCESS ISOLATION

Slide 35

Slide 35 text

SELINUX - MANDATORY ACCESS CONTROLS Password Files Web Server Attacker Discretionary Access Controls   (file permissions) Mandatory Access Controls   (selinux) Internal Network Firewall Rules Password Files Firewall Rules Internal Network Web Server selinux policy

Slide 36

Slide 36 text

SECCOMP AND LINUX CAPABILITIES  FILTERING SYSTEM CALLS and DROPPING PRIVILEGES

Slide 37

Slide 37 text

READ ONLY MOUNTS

Slide 38

Slide 38 text

Chris Van Tuin Chief Technologist, NA West / Silicon Valley cvantuin@redhat.co Best Practices • Don’t run as root • If you must,   limit Linux Capabilities • Limit SSH Access • Use namespaces • Define resource quotas • Enable logging • Apply Security Errata • Apply Security Context and seccomp filters • Run production   unprivileged containers   as read-only http://blog.kubernetes.io/2016/08/security-best-practices-kubernetes-deployment.html Kernel Hardware (Intel, AMD) or Virtual Machine Containers Containers Containers Unit File Docker Image Container CLI SYSTEMD Cgroups Namespaces SELinux Drivers seccomp Read Only mounts Capabilities CONTAINER HOST SECURITY

Slide 39

Slide 39 text

CONTINUOUS INTEGRATION WITH CONTAINERS

Slide 40

Slide 40 text

CONTINUOUS INTEGRATION + BUILDS

Slide 41

Slide 41 text

WHAT’S INSIDE MATTERS…

Slide 42

Slide 42 text

Security CONTINUOUS INTEGRATION WITH SECURITY SCAN

Slide 43

Slide 43 text

AUTOMATED SECURITY SCANNING with OpenSCAP Reports Scan SCAP Security Guide for RHEL CCE-27002-5 Set Password Minimum Length Content Scan physical servers, virtual machines, docker images and containers  for Security Policy Compliance (CCEs) and known Security Vulnerabilities (CVEs)

Slide 44

Slide 44 text

Standard Docker Host Security Profile Java Runtime Environment (JRE) Upstream Firefox STIG RHEL OSP STIG Red Hat Corporate Profile for Certified Cloud Providers (RH CCP) STIG for Red Hat Enterprise Linux 6, 7 Server STIG for Red Hat Virtualization Hypervisor Common Profile for General-Purpose Debian Systems Common Profile for General-Purpose Fedora Systems Common Profile for General-Purpose Ubuntu Systems Payment Card Industry – Data Security Standard (PCI-DSS) v3 U.S. Government Commercial Cloud Services (C2S) CNSSI 1253 Low/Low/Low Control Baseline for Red Hat Enterprise Linux 7 Criminal Justice Information Services (CJIS) Security Policy Unclassified Information in Non-federal Information Systems and Organizations (NIST 800-171) U.S. Government Configuration Baseline (NIAP OSPP v4.0, USGCB, STIG) Security Policies in SCAP Security Guide (partial)

Slide 45

Slide 45 text

SECURITY POLICY REPORT

Slide 46

Slide 46 text

SECURITY POLICY REMEDIATION

Slide 47

Slide 47 text

CONTINUOUS DELIVERY WITH CONTAINERS

Slide 48

Slide 48 text

Chris Van Tuin Chief Technologist, NA West / Silicon Valley cvantuin@redhat.co CONTINUOUS DELIVERY WITH CONTAINERS

Slide 49

Slide 49 text

CONTINUOUS DELIVERY DEPLOYMENT STRATEGIES DEPLOYMENT STRATEGIES • Recreate • Rolling updates • Blue / Green deployment • Canary with A/B testing

Slide 50

Slide 50 text

Recreate

Slide 51

Slide 51 text

Version 1 Version 1 Version 1 Version 1.2 ` Tests / CI RECREATE WITH DOWNTIME

Slide 52

Slide 52 text

Version 1 Version 1 Version 1 Version 1.2 ` Tests / CI RECREATE WITH DOWNTIME

Slide 53

Slide 53 text

Version 1.2 Version 1.2 Version 1.2 RECREATE WITH DOWNTIME Use Case • Non-mission critical services Cons • Downtime Pros • Simple, clean • No Schema incompatibilities • No API versioning

Slide 54

Slide 54 text

Rolling Updates

Slide 55

Slide 55 text

Version 1 Version 1 Version 1 Version 1.2 ` Tests / CI ROLLING UPDATES with ZERO DOWNTIME

Slide 56

Slide 56 text

Deploy new version and wait until it’s ready… Version 1 Version 1 V1.2 Health Check: readiness probe e.g. tcp, http, script V1

Slide 57

Slide 57 text

Each container/pod is updated one by one Version 1.2 50% Version 1 V1 V1.2

Slide 58

Slide 58 text

Each container/pod is updated one by one Version 1.2 Version 1.2 Version 1.2 100% Use Case • Horizontally scaled • Backward compatible API/data • Microservices Cons • Require backward compatible APIs/data • Resource overhead Pros • Zero downtime • Reduced risk, gradual rollout w/health checks • Ready for rollback

Slide 59

Slide 59 text

Blue / Green Deployment

Slide 60

Slide 60 text

Version 1 BLUE / GREEN DEPLOYMENT Route BLUE

Slide 61

Slide 61 text

Version 1 BLUE / GREEN DEPLOYMENT Version 1.2 BLUE GREEN

Slide 62

Slide 62 text

Version 1 Tests / CI BLUE / GREEN DEPLOYMENT Version 1.2 BLUE GREEN

Slide 63

Slide 63 text

Version 1 Version 1.2 BLUE / GREEN DEPLOYMENT Route Version 1.2 BLUE GREEN

Slide 64

Slide 64 text

Version 1 BLUE / GREEN DEPLOYMENT Rollback Route Version 1.2 BLUE GREEN Use Case • Self-contained micro services (data) Cons • Resource overhead • Data synchronization Pros • Low risk, never change production • No downtime • Production like testing • Rollback

Slide 65

Slide 65 text

RAPID INNOVATION & EXPERIMENTATION

Slide 66

Slide 66 text

”only about 1/3 of ideas improve the metrics   they were designed to improve.”  Ronny Kohavi, Microsoft (Amazon) MICROSERVICES RAPID INNNOVATION & EXPERIMENTATION

Slide 67

Slide 67 text

CONTINUOUS FEEDBACK LOOP

Slide 68

Slide 68 text

A/B TESTING USING CANARY DEPLOYMENTS

Slide 69

Slide 69 text

Version B Version A 100% Tests / CI Route 25% Conversion Rate ?! Conversion Rate CANARY DEPLOYMENTS

Slide 70

Slide 70 text

50% 50% Version B Version A Route 25% Conversion Rate 30% Conversion Rate CANARY DEPLOYMENTS

Slide 71

Slide 71 text

25% Conversion Rate 100% Version A Version B Route 30% Conversion Rate CANARY DEPLOYMENTS

Slide 72

Slide 72 text

100% Route Rollback 25% Conversion Rate 20% Conversion Rate CANARY DEPLOYMENTS Version B Version A

Slide 73

Slide 73 text

Network isolation API & Platform access Federated clusters Storage {} CI/CD Monitoring & Logging Images Builds Container host Registry SECURING YOUR CONTAINER ENVIRONMENT

Slide 74

Slide 74 text

NETWORK SECURITY

Slide 75

Slide 75 text

Network Namespace   provides resource isolation NETWORK ISOLATION Multi-Environment Multi-Tenant

Slide 76

Slide 76 text

NETWORK POLICY example:   all pods in namespace ‘project-a’ allow traffic   from any other pods in the same namespace.”

Slide 77

Slide 77 text

Kubernetes   Logical Network Model NETWORK SECURITY • Kubernetes uses a flat SDN model • All pods get IP from same CIDR • And live on same logical network • Assumes all nodes communicate  Traditional   Physical Network Model • Each layer represents a Zone with  increased trust - DMZ > App > DB,  interzone flow generally one direction • Intrazone traffic generally unrestricted

Slide 78

Slide 78 text

NETWORK SECURITY MODELS Co-Existence Approaches One Cluster Multiple Zones Kubernete Cluster Physical Compute   isolation based on   Network Zones Kubernete Cluster One Cluster Per Zone Kubernete Cluster B Kubernete Cluster A Kubernetes Cluster B C D https://blog.openshift.com/openshift-and-network-security-zones-coexistence-approaches/

Slide 79

Slide 79 text

MONITORING & LOGGING

Slide 80

Slide 80 text

KUBERNETES MONITORING CONSIDERATIONS Kubernetes* Container* Host Cluster services, services, pods,   deployments metrics Container native metrics Traditional resource metrics - cpu, memory, network, storage prometheus + grafana kubernetes-state-metrics probes Stack Metrics Tool node-exporter kubelet:cAdvisor Application Distributed applications - traditional app metrics - service discovery - distributed tracing prometheus + grafana jaeger tracing istio

Slide 81

Slide 81 text

Aggregate platform and application log access via Kibana + Elasticsearch LOGGING

Slide 82

Slide 82 text

STORAGE SECURITY

Slide 83

Slide 83 text

Local Storage Quota Security Context Constraints STORAGE SECURITY Sometimes we can also have storage isolation requirements:   pods in a network zone must use different storage endpoints   than pods in other network zones. We can create one storage class per storage endpoint and   then control which storage class(es) a project can use

Slide 84

Slide 84 text

API & PLATFORM ACCESS

Slide 85

Slide 85 text

Authentication via OAuth tokens and SSL certificate Authorization via Policy Engine checks User/Group Defined Roles API & PLATFORM ACCESS

Slide 86

Slide 86 text

FEDERATION

Slide 87

Slide 87 text

Amazon East OpenStack FEDERATED CLUSTERS Roles & access management (in-dev)

Slide 88

Slide 88 text

WHAT’S NEXT

Slide 89

Slide 89 text

Traffic Control Service Resiliency Chaos Testing Observ- ability Security

Slide 90

Slide 90 text

OPERATORS

Slide 91

Slide 91 text

Deployment Frequency Lead Time Deployment  Failure Rate Mean Time to Recover 99.999 Service Availability DEVSECOPS METRICS Compliance Score

Slide 92

Slide 92 text

THANK YOU linkedin: Chris Van Tuin email: cvantuin@redhat.com twitter: @chrisvantuin