The Art of Building Secure Kubernetes Pipelines

Transcript

1. Presented to you by: KubeSec Enterprise Online A Webinar Series

   www.aquasec.com |@AquaSecTeam | #KubeSec2021

2. Housekeeping Housekeeping To ask a question click on the Question

   button to the right hand chat menu Questions A recording of this session will be made available to all attendees Recording Feedback on the webinar series, topics you’d like to see, welcome at [email protected] Feedback www.aquasec.com |@AquaSecTeam | #KubeSec2021

3. www.aquasec.com |@AquaSecTeam | #KubeSec2021 The Art of Building Secure Kubernetes

   Pipelines Renaldi Gondosubroto

4. A Bit About Myself • 12x AWS, 3x Azure Certified

   and 2x Google Cloud Certified • Personal field of interest is in penetration testing and accessibility practices • On the side: Running meetups, hackathons, doing tech talks and VR tech enthusiast Renaldi Gondosubroto Founder and Developer Advocate @ GReS Studio @Renaldig @renaldigondosubroto

5. The Agenda Admission Controllers Vulnerability Scanning The Motivation 01 02

   03 Security Guidelines for Business 04 What we Got Out of it 05

6. Poll #1: Where do you run your Kubernetes containers? •

   A. On-premises • B. On the cloud • C. Hybrid

7. The Motivation • Keeping updated with the world of cybersecurity,

   especially with the ‘work from home’ culture • The growing use of Kubernetes • Securing Infrastructure from the start and continuously

8. Understanding the Container Lifecycle (CDLC) Base Image Build Deliver Deploy

   Run Maintain

9. Vulnerability Scanning – An Overview • Understanding it depends on

   understanding the tool’s scope • Can be as shallow as scanning operation system package manager versions • Can go deeper to check permissions of entities, policies, etc

10. Approaches to Vulnerability Scanning So what’s scanned? • Packages (OS,

    app library) • Configurations • Secrets • Compressed files Scan encompasses all or a few layers 81e53fs1192 0B d83526jy5593 1.762 KB c5251b82621 186.5 KB b2c5g55d7f3s 190.2 MB

11. Security in Registry/Pulling • Limiting user privileges • Continuous monitoring

12. Sample Image Scan

13. Advise from Scan

14. Building with Admission Controllers API HTTP handler Authentication Authorization Mutating

    admission Object Schema Validation Validating admission Persisted to etcd Webhook Webhook

15. Deciding Security Guidelines for your Business • What are your

    current security guidelines? • Are security practitioners in the company already used to the practices (e.g. image scanning) • What are the security considerations that need to be considered?

16. Image Scanning Policy Fail

17. Deciding Security Guidelines for your Business Cont. Analyzer Evaluation Database

    Fail Pass

18. Building Proper Security Policies

19. Poll #2: Which Methodology Do You Use for Developing and

    Security? • A. DevSecOps • B. DevOps • C. Agile • D. Waterfall • E. Other

20. The Future of Kubernetes Security • The continuous notion of

    policy as security • The left and right shift of container security • The greater need for in during work from home

21. What we Got Out of it Better practices for future

    groundwork Better client feedback Better Analytics

22. Simple It’s simple to implement Up-to-date Users appreciate security with

    updates Usability Ensure that the service is still usable The Wrap-up Code as security Because it’s all about the code Feedback Continuous evaluation through feedback builds security Future Use it as a pathway towards future security

23. Thank You! Connect with me! @Renaldig @renaldigondosubroto

24. Q & A www.aquasec.com |@AquaSecTeam | #KubeSec2021

25. Upcoming Sessions: Thank You! www.aquasec.com |@AquaSecTeam | #KubeSec2021