Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Secure your Kubernetes Containers - All Day DevOps

Hossam Barakat
November 06, 2019
Programming
0
110

Secure your Kubernetes Containers - All Day DevOps

Hossam Barakat

November 06, 2019
Tweet

More Decks by Hossam Barakat

See All by Hossam Barakat
Build Your Cloud Infrastructure as Code With .Net Core - Build Stuff
hossambarakat
0
61
Kubernetes Blue-Green Deployment Made Easy with Argo Rollouts - ADDO
hossambarakat
0
77
Build Your Azure Infrastructure as Code With .NET Core - Azure Day
hossambarakat
0
30
Build Your Azure Infrastructure as Code With .Net Core - Global Azure 2021
hossambarakat
0
42
Practical Domain-Driven Design with EF Core - NDC London 2021
hossambarakat
0
230
Build Your Cloud Infrastructure as Code With .Net Core - ADDO 2020
hossambarakat
0
120
Practical Domain Driven Design With EFCore - NDC Sydney 2020
hossambarakat
0
130
Build Your Cloud Infrastructure as Code With .Net Core - NDC Porto 2020
hossambarakat
2
150
Kubernetes for Developers - All Day DevOps
hossambarakat
2
170

Other Decks in Programming

See All in Programming
Realtime API 入門
riofujimon
0
110
cXML という電子商取引の トランザクションを支える プロトコルと向きあっている話
phigasui
3
2.3k
弊社の「意識チョット低いアーキテクチャ」10選
texmeijin
5
23k
go.mod、DockerfileやCI設定に分散しがちなGoのバージョンをまとめて管理する / Go Connect #3
arthur1
10
2.4k
Hotwire or React? ~Reactの録画機能をHotwireに置き換えて得られた知見~ / hotwire_or_react
harunatsujita
9
4.1k
のびしろを広げる巻き込まれ力:偶然を活かすキャリアの作り方/oso2024
takahashiikki
1
410
Pinia Colada が実現するスマートな非同期処理
naokihaba
2
160
Amazon Neptuneで始めてみるグラフDB -OpenSearchによるグラフの全文検索-
satoshi256kbyte
4
330
gopls を改造したら開発生産性が高まった
satorunooshie
8
240
CSC509 Lecture 09
javiergs
PRO
0
110
Kotlin2でdataクラスの copyメソッドを禁止する/Data class copy function to have the same visibility as constructor
eichisanden
1
140
Honoの来た道とこれから
yusukebe
19
3.1k

Featured

See All Featured
10 Git Anti Patterns You Should be Aware of
lemiorhan
654
59k
YesSQL, Process and Tooling at Scale
rocio
167
14k
Code Review Best Practice
trishagee
64
17k
Imperfection Machines: The Place of Print at Facebook
scottboms
264
13k
Speed Design
sergeychernyshev
24
570
The Success of Rails: Ensuring Growth for the Next 100 Years
eileencodes
43
6.6k
CoffeeScript is Beautiful & I Never Want to Write Plain JavaScript Again
sstephenson
159
15k
Distributed Sagas: A Protocol for Coordinating Microservices
caitiem20
328
21k
Fontdeck: Realign not Redesign
paulrobertlloyd
81
5.2k
How to Think Like a Performance Engineer
csswizardry
19
1.1k
Sharpening the Axe: The Primacy of Toolmaking
bcantrill
37
1.8k
Testing 201, or: Great Expectations
jmmastey
38
7k

Transcript

  1. Secure your Kubernetes Containers Hossam Barakat Lead Consultant at Telstra

    Purple @hossambarakat_

  2. @hossambarakat_ 3

  3. @hossambarakat_ Attack Vectors 4 OS Application

  4. @hossambarakat_ Attack Vectors 5 OS Kubernetes Container Image Container Application

  5. @hossambarakat_ 6

  6. @hossambarakat_ Kubernetes Cluster 7

  7. @hossambarakat_ Kubernetes Architecture Master Worker Worker Client Worker Cluster

  8. @hossambarakat_ Kubernetes Architecture Master API Server Worker Kubelet Container Runtime

    UI (Dashboard) CLI (Kubectl) Other Client(s) Pod Pod Cluster Scheduler TLS TLS

  9. @hossambarakat_ Role Based Access Control (RBAC) 10 Role Binding Role

    Resource User Group Service Account Verb Verb Subject

  10. @hossambarakat_ Service Account 11 apiVersion: v1 kind: ServiceAccount metadata: name:

    webapp-service-account namespace: default

  11. @hossambarakat_ Role 12 Role Based Access Control (RBAC) Role Binding

    kind: Role apiVersion: rbac.authorization.k8s.io/v1 metadata: name: my-role namespace: default rules: - apiGroups: [""] resources: ["pods"] verbs: ["get", "list"] kind: RoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: name: my-role-binding namespace: default subjects: - kind: ServiceAccount name: webapp-service-account namespace: default roleRef: kind: Role name: my-role apiGroup: rbac.authorization.k8s.io

  12. @hossambarakat_ Pod 13 Role Based Access Control (RBAC) kind: Pod

    apiVersion: v1 metadata: name: webapp spec: serviceAccountName: webapp-service-account containers: - name: webapp image: hossambarakat/k8s-security-webapp ports: - containerPort: 3000

  13. @hossambarakat_ CIS Kubernetes Benchmark » Document that provide guidance for

    establishing a secure configuration posture for Kubernetes » Specific recommendations with a description, rationale, method of audit and remediation » Can be automated with kube-bench 14

  14. @hossambarakat_ Container Images 15

  15. @hossambarakat_ Images Security » Never run as root • Set

    USER in Dockerfile » Minimal base image • Alpine 2 MB • Ubuntu 60 MB » Trusted base image » Private image registry » Do NOT use latest tag » Vulnerability scans 16

  16. @hossambarakat_ Image Scanning Tools » aquasecurity/trivy » coreos/clair » optiopay/klar

    » aquasecurity/microscanner » Aqua Security » Twistlock 17

  17. @hossambarakat_ Trivy 18

  18. @hossambarakat_ Vulnerability Scanning CI Pipeline Integration 19 Code CI Vulnerability

    Scanning Image Registry Schedule Container

  19. @hossambarakat_ Vulnerability Scanning CI Pipeline Integration 20 Code CI Vulnerability

    Scanning Image Registry Schedule Container Publish Scanning Results Is Scanned Image? Admission Webhook

  20. @hossambarakat_ Containers 21

  21. @hossambarakat_ Privilege Escalation 22 Pod Worker Container Modify container file

    system Modify host file system Crypto Miner Hacker icon by karina from the Noun Project

  22. @hossambarakat_ Demo 23 Privilege Escalation

  23. @hossambarakat_ » RunAsUser » RunAsGroup 24 Security Context securityContext: runAsUser:

    1000 runAsGroup: 3000

  24. @hossambarakat_ » AllowPrivilegdeEscalation 25 Security Context securityContext: allowPrivilegeEscalation: false

  25. @hossambarakat_ » ReadOnlyRootFilesystem 26 Security Context securityContext: readOnlyRootFilesystem: true

  26. @hossambarakat_ » RunAsUser » RunAsGroup » AllowPrivilegdeEscalation » ReadOnlyRootFilesystem 27

    Security Context apiVersion: v1 kind: Pod metadata: name: my-app spec: securityContext: runAsUser: 1000 RunAsGroup: 2000 containers: - name: my-app image: my-app securityContext: allowPrivilegeEscalation: false readOnlyRootFilesystem: true

  27. @hossambarakat_ Enter Pod Security Policy 28

  28. @hossambarakat_ Pod Security Policy » A Pod Security Policy is

    a cluster-level resource that controls the actions that a pod can perform and what it has the ability to access. » The PodSecurityPolicy objects define a set of conditions that a pod must run with in order to be accepted into the system. 29

  29. @hossambarakat_ Pod Security Policy » privileged » volumes » fsGroup

    » runAsUser, runAsGroup » readOnlyRootFilesystem » allowedHostPaths » hostNetwork » Linux capabilities 30

  30. @hossambarakat_ kube-psp-advisor 31

  31. @hossambarakat_ » All pods can communicate with each other 32

    Network Communication Pod Pod Pod

  32. @hossambarakat_ App 1 33 Network Communication Frontend DB Pod apiVersion:

    networking.k8s.io/v1 kind: NetworkPolicy metadata: name: my-frontend-policy spec: podSelector: matchLabels: app: db ingress: - from: - podSelector: matchLabels: app: frontend

  33. @hossambarakat_ Network Plugin » Calico » Cilium » Kube-Router »

    Weave Net » … 34

  34. @hossambarakat_ 35

  35. @hossambarakat_ Service Mesh » Security specific policy enforcement » End-to-end

    encryption » Rolling certificates 38

  36. @hossambarakat_ Summary 39 Kubernetes Cluster Bootstrap TLS Authentication Enable RBAC

    CIS Benchmark Container Images No root user Small images Do NOT use latest Private Image Registry Containers Pod Security Context Pod Security Policy Network Policy Service Mesh Vulnerability Scans

  37. @hossambarakat_ Resources » https://kubernetes-security.info » http://github.com/hossambarakat/secure-k8s-containers 40

  38. @hossambarakat_ Questions? #2019addo-devsecops 41

  39. @hossambarakat_ 42

  40. Thank You Hossam Barakat @hossambarakat_