K8sNativeSecurityToolkit

Slide 1

Slide 1 text

マスタータイトルの書式設定 Kubernetes-native security tool kit を触ってみた Kubernetes Novice Tokyo #2 - LT

Slide 2

Slide 2 text

マスタータイトルの書式設定自己紹介 ● 名前 : 松尾 ● 所属 : 株式会社オージス総研 ● 職種 : インフラエンジニア 1

Slide 3

Slide 3 text

マスタータイトルの書式設定 Kubernetes security 2

Slide 4

Slide 4 text

マスタータイトルの書式設定 Kubernetes security 3 ● You can think about security in layers. ● The 4C's of Cloud Native security are Cloud, Clusters, Containers, and Code. https://kubernetes.io/docs/concepts/security/overview/

Slide 5

Slide 5 text

マスタータイトルの書式設定 Kubernetes security 4 ● Cloud ● Network, Host, Endpoint security ● Data protection and encryption ● Identity and Access management ● Vulnerlability and Config analytics ● Logging, Monitoring, Tracing ● ・・・

Slide 6

Slide 6 text

マスタータイトルの書式設定 Kubernetes security 5 ● Cluster ● RBAC ● Authentication ● Application secrets management ● Pod Security Policies ● Network Policies ● ・・・

Slide 7

Slide 7 text

マスタータイトルの書式設定 Kubernetes security 6 ● Container ● Container Vulnerability ● Image signing and Enforcement ● Disallow privileged users ● ・・・

Slide 8

Slide 8 text

マスタータイトルの書式設定 Kubernetes security 7 ● Code ● 3rd Party Dependency Security ● Statice Code Analysis ● Dynamic probing attacks ● ・・・

Slide 9

Slide 9 text

マスタータイトルの書式設定 How to secure 8

Slide 10

Slide 10 text

マスタータイトルの書式設定 How to secure 9 ● Code ● Lint, UnitTest ● Code review ● ・・・ ● Container ● Scanning - Trivy ● Check dockerfile – hadolint ● ・・・ ● Cluster ● Yaml Test - Kubeval, kubetest ● REGO test – conftest, gatekeeper ● ・・・ ● Cloud(AWS) ● IAM least privilege principle ● Backup volume and use KMS ● Use optimized AMI ● Guardduty ● Cloudwatch ● ・・・

Slide 11

Slide 11 text

マスタータイトルの書式設定 How to operate 10

Slide 12

Slide 12 text

マスタータイトルの書式設定 How to operate 11 L oG Log lO g loG Ops Visualization Report

Slide 13

Slide 13 text

マスタータイトルの書式設定 How to operate 12 LoG Log lO g loG K8s Native Security Tool kit Visualization Report Ops Security Tools

Slide 14

Slide 14 text

マスタータイトルの書式設定 Kubernetes-native security tool kit ? 13

Slide 15

Slide 15 text

マスタータイトルの書式設定 Kubernetes-native security tool kit 14 ● Integrates security tools into the k8s environment. ● Users can find and view risks. ● Starboard provides CRD and go module to work with those tools. ● v0.2.5 (2020/6/28) https://github.com/aquasecurity/starboard ● Overview

Slide 16

Slide 16 text

マスタータイトルの書式設定 Kubernetes-native security tool kit 15 ● Architecture https://blog.aquasec.com/starboard-kubernetes-tools

Slide 17

Slide 17 text

マスタータイトルの書式設定 Kubernetes-native security tool kit 16 ● Integrate ● Container Vulnerability scan - Trivy ● K8sWorkload governance - Fairwinds Polaris ● CIS k8s Benchmark check - Kube-bench ● K8s Penetration test – kube-hunter

Slide 18

Slide 18 text

マスタータイトルの書式設定 Kubernetes-native security tool kit 17 ● Roadmap ● Roll-up of security risk information in each namespace ● Starboard Admission Webhook that can take policy decisions based on the security information from any Starboard-compatible CRD ● ・・・ https://blog.aquasec.com/starboard-kubernetes-tools

Slide 19

Slide 19 text

マスタータイトルの書式設定 Getting Started 18

Slide 20

Slide 20 text

マスタータイトルの書式設定 Getting Started 19 Starboard # wget https://github.com/aquasecurity/starboard/releases/download/v0.2.1/starboard_linux_x86_64.tar.gz # tar zxvf starboard_linux_x86_64.tar.gz # mv starboard /usr/local/bin/ # starboard init # kubectl create deployment nginx --image nginx:1.16 Octant # wget octant.rpm && rpm -ivh octant.rpm # wget https://github.com/aquasecurity/starboard-octant-plugin/releases/download/v0.2.0/starboard-octant-plugin_linux_x86_64.tar.gz # tar zxvf starboard-octant-plugin_linux_x86_64.tar.gz # mkdir -p $HOME/.config/octant/plugins # mv starboard-octant-plugin $HOME/.config/octant/plugins # OCTANT_LISTENER_ADDR=0.0.0.0:8900 octant

Slide 21

Slide 21 text

マスタータイトルの書式設定 Getting Started 20 Octant overview

Slide 22

Slide 22 text

マスタータイトルの書式設定 Getting Started 21 Check # starboard find vulnerabilities pod/nginx- 59d5958c9f-66j5d --namespace default

Slide 23

Slide 23 text

マスタータイトルの書式設定 Getting Started 22 Check # starboard polaris

Slide 24

Slide 24 text

マスタータイトルの書式設定 Getting Started 23 Check # starboard kube-hunter

Slide 25

Slide 25 text

マスタータイトルの書式設定 Getting Started 24 Starboard CLI Usage: starboard [command] Available Commands: cleanup Delete custom resource definitions created by starboard find Manage security scanners get Get security reports help Help about any command init Create custom resource definitions used by starboard kube-bench Run the CIS Kubernetes Benchmark https://www.cisecurity.org/benchmark/kubernetes kube-hunter Hunt for security weaknesses polaris Run a variety of checks to ensure that Kubernetes pods and controllers are configured using best practices rbac Get RBAC config to run starboard version Print the version information

Slide 26

Slide 26 text

マスタータイトルの書式設定 Takeaways 25

Slide 27

Slide 27 text

マスタータイトルの書式設定 Takeaways 26 Points of interest to me ● Operational Functions ● Filtering of vulnerability check results in octant ● PCI-DSS / HIPAA / GDPR ● Issue Management / Triage ● Alerting / Reporting ● Availability of CSRD

Slide 28

Slide 28 text

マスタータイトルの書式設定 If you’re interested, let’s contribute to starboard and grow it! 27