Secure your Kubernetes Containers Hossam Barakat Lead Consultant at Telstra Purple @hossambarakat_ 

@hossambarakat_ 3 

@hossambarakat_ Attack Vectors 4 OS Application 

@hossambarakat_ Attack Vectors 5 OS Kubernetes Container Image Container Application 

@hossambarakat_ 6 

@hossambarakat_ Kubernetes Cluster 7 

@hossambarakat_ Kubernetes Architecture Master Worker Worker Client Worker Cluster 

@hossambarakat_ Kubernetes Architecture Master API Server Worker Kubelet Container Runtime UI (Dashboard) CLI (Kubectl) Other Client(s) Pod Pod Cluster Scheduler TLS TLS 

@hossambarakat_ Role Based Access Control (RBAC) 10 Role Binding Role Resource User Group Service Account Verb Verb Subject 

@hossambarakat_ Service Account 11 apiVersion: v1 kind: ServiceAccount metadata: name: webapp-service-account namespace: default 

@hossambarakat_ Role 12 Role Based Access Control (RBAC) Role Binding kind: Role apiVersion: rbac.authorization.k8s.io/v1 metadata: name: my-role namespace: default rules: - apiGroups: [""] resources: ["pods"] verbs: ["get", "list"] kind: RoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: name: my-role-binding namespace: default subjects: - kind: ServiceAccount name: webapp-service-account namespace: default roleRef: kind: Role name: my-role apiGroup: rbac.authorization.k8s.io 

@hossambarakat_ Pod 13 Role Based Access Control (RBAC) kind: Pod apiVersion: v1 metadata: name: webapp spec: serviceAccountName: webapp-service-account containers: - name: webapp image: hossambarakat/k8s-security-webapp ports: - containerPort: 3000 

@hossambarakat_ CIS Kubernetes Benchmark » Document that provide guidance for establishing a secure configuration posture for Kubernetes » Specific recommendations with a description, rationale, method of audit and remediation » Can be automated with kube-bench 14 

@hossambarakat_ Container Images 15 

@hossambarakat_ Images Security » Never run as root • Set USER in Dockerfile » Minimal base image • Alpine 2 MB • Ubuntu 60 MB » Trusted base image » Private image registry » Do NOT use latest tag » Vulnerability scans 16 

@hossambarakat_ Image Scanning Tools » aquasecurity/trivy » coreos/clair » optiopay/klar » aquasecurity/microscanner » Aqua Security » Twistlock 17 

@hossambarakat_ Trivy 18 

@hossambarakat_ Vulnerability Scanning CI Pipeline Integration 19 Code CI Vulnerability Scanning Image Registry Schedule Container 

@hossambarakat_ Vulnerability Scanning CI Pipeline Integration 20 Code CI Vulnerability Scanning Image Registry Schedule Container Publish Scanning Results Is Scanned Image? Admission Webhook 

@hossambarakat_ Containers 21 

@hossambarakat_ Privilege Escalation 22 Pod Worker Container Modify container file system Modify host file system Crypto Miner Hacker icon by karina from the Noun Project 

@hossambarakat_ Demo 23 Privilege Escalation 

@hossambarakat_ » RunAsUser » RunAsGroup 24 Security Context securityContext: runAsUser: 1000 runAsGroup: 3000 

@hossambarakat_ » AllowPrivilegdeEscalation 25 Security Context securityContext: allowPrivilegeEscalation: false 

@hossambarakat_ » ReadOnlyRootFilesystem 26 Security Context securityContext: readOnlyRootFilesystem: true 

@hossambarakat_ » RunAsUser » RunAsGroup » AllowPrivilegdeEscalation » ReadOnlyRootFilesystem 27 Security Context apiVersion: v1 kind: Pod metadata: name: my-app spec: securityContext: runAsUser: 1000 RunAsGroup: 2000 containers: - name: my-app image: my-app securityContext: allowPrivilegeEscalation: false readOnlyRootFilesystem: true 

@hossambarakat_ Enter Pod Security Policy 28 

@hossambarakat_ Pod Security Policy » A Pod Security Policy is a cluster-level resource that controls the actions that a pod can perform and what it has the ability to access. » The PodSecurityPolicy objects define a set of conditions that a pod must run with in order to be accepted into the system. 29 

@hossambarakat_ Pod Security Policy » privileged » volumes » fsGroup » runAsUser, runAsGroup » readOnlyRootFilesystem » allowedHostPaths » hostNetwork » Linux capabilities 30 

@hossambarakat_ kube-psp-advisor 31 

@hossambarakat_ » All pods can communicate with each other 32 Network Communication Pod Pod Pod 

@hossambarakat_ App 1 33 Network Communication Frontend DB Pod apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: my-frontend-policy spec: podSelector: matchLabels: app: db ingress: - from: - podSelector: matchLabels: app: frontend 

@hossambarakat_ Network Plugin » Calico » Cilium » Kube-Router » Weave Net » … 34 

@hossambarakat_ 35 

@hossambarakat_ Service Mesh » Security specific policy enforcement » End-to-end encryption » Rolling certificates 38 

@hossambarakat_ Summary 39 Kubernetes Cluster Bootstrap TLS Authentication Enable RBAC CIS Benchmark Container Images No root user Small images Do NOT use latest Private Image Registry Containers Pod Security Context Pod Security Policy Network Policy Service Mesh Vulnerability Scans 

@hossambarakat_ Resources » https://kubernetes-security.info » http://github.com/hossambarakat/secure-k8s-containers 40 

@hossambarakat_ Questions? #2019addo-devsecops 41 

@hossambarakat_ 42 

Thank You Hossam Barakat @hossambarakat_