
Secure your Kubernetes Containers - All Day DevOps

Hossam Barakat

November 06, 2019

Transcript

  1. Secure your Kubernetes Containers. Hossam Barakat, Lead Consultant at Telstra Purple, @hossambarakat_

  2. (no transcribed text)

  3. Attack Vectors: OS, Application

  4. Attack Vectors: OS, Kubernetes, Container Image, Container, Application

  5. (no transcribed text)

  6. Kubernetes Cluster

  7. Kubernetes Architecture (diagram): Client, Master, Worker nodes, Cluster

  8. Kubernetes Architecture (diagram)
     » Master: API Server, Scheduler
     » Worker: Kubelet, Container Runtime, Pods
     » Clients: UI (Dashboard), CLI (kubectl), other clients
     » Connections between clients and the API Server, and between the API Server and the Kubelet, are labelled TLS
  9. Role Based Access Control (RBAC) (diagram): a Subject (User, Group or Service Account) is tied by a Role Binding to a Role, and the Role grants Verbs on Resources

  10. Service Account
     apiVersion: v1
     kind: ServiceAccount
     metadata:
       name: webapp-service-account
       namespace: default

  11. Role Based Access Control (RBAC): Role and Role Binding
     kind: Role
     apiVersion: rbac.authorization.k8s.io/v1
     metadata:
       name: my-role
       namespace: default
     rules:
     - apiGroups: [""]
       resources: ["pods"]
       verbs: ["get", "list"]
     ---
     kind: RoleBinding
     apiVersion: rbac.authorization.k8s.io/v1
     metadata:
       name: my-role-binding
       namespace: default
     subjects:
     - kind: ServiceAccount
       name: webapp-service-account
       namespace: default
     roleRef:
       kind: Role
       name: my-role
       apiGroup: rbac.authorization.k8s.io

  12. Role Based Access Control (RBAC): Pod
     kind: Pod
     apiVersion: v1
     metadata:
       name: webapp
     spec:
       serviceAccountName: webapp-service-account
       containers:
       - name: webapp
         image: hossambarakat/k8s-security-webapp
         ports:
         - containerPort: 3000
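The point of slides 9 to 12 is that the webapp pod, through its ServiceAccount, ends up with exactly the verbs the bound Role lists and nothing else. The following is an added example, not code from the talk or from Kubernetes: a small evaluator that takes the slide's Role and RoleBinding as constructed Python dicts (the same shape the YAML would have after `yaml.safe_load`) and answers "can this ServiceAccount do this verb on this resource?". It handles the `*` wildcard and dangling roleRefs; ClusterRoles and ClusterRoleBindings are deliberately left out.

```python
"""Evaluate namespaced RBAC (Role + RoleBinding) for a subject.

Added example; the two objects below are the slide 11 manifests written as
constructed dicts.  Only namespaced Roles/RoleBindings are modelled.
"""

ROLE = {
    "kind": "Role",
    "metadata": {"name": "my-role", "namespace": "default"},
    "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]}],
}

ROLE_BINDING = {
    "kind": "RoleBinding",
    "metadata": {"name": "my-role-binding", "namespace": "default"},
    "subjects": [{"kind": "ServiceAccount", "name": "webapp-service-account",
                  "namespace": "default"}],
    "roleRef": {"kind": "Role", "name": "my-role", "apiGroup": "rbac.authorization.k8s.io"},
}


def _matches(rule_values, value):
    """A rule field matches when it lists the value or the '*' wildcard."""
    return "*" in rule_values or value in rule_values


def roles_for_subject(kind, name, namespace, bindings):
    """Names of Roles bound to the subject in `namespace` through RoleBindings."""
    names = []
    for binding in bindings:
        if binding["metadata"]["namespace"] != namespace:
            continue
        if binding["roleRef"]["kind"] != "Role":
            continue  # ClusterRole refs are out of scope for this example
        for subject in binding["subjects"]:
            # ServiceAccount subjects carry their own namespace; Users and Groups do not.
            if (subject["kind"] == kind and subject["name"] == name
                    and subject.get("namespace", namespace) == namespace):
                names.append(binding["roleRef"]["name"])
    return names


def is_allowed(kind, name, namespace, verb, resource, api_group, roles, bindings):
    """True if any bound Role has a rule granting `verb` on `resource` in `api_group`."""
    by_name = {(r["metadata"]["namespace"], r["metadata"]["name"]): r for r in roles}
    for role_name in roles_for_subject(kind, name, namespace, bindings):
        role = by_name.get((namespace, role_name))
        if role is None:
            continue  # a roleRef to a missing Role grants nothing
        for rule in role["rules"]:
            if (_matches(rule["apiGroups"], api_group)
                    and _matches(rule["resources"], resource)
                    and _matches(rule["verbs"], verb)):
                return True
    return False


if __name__ == "__main__":
    sa = ("ServiceAccount", "webapp-service-account", "default")
    for verb, resource in [("get", "pods"), ("delete", "pods"), ("get", "secrets")]:
        print(verb, resource, is_allowed(*sa, verb, resource, "", [ROLE], [ROLE_BINDING]))
```

Running it prints that the webapp ServiceAccount may `get` pods but may neither `delete` pods nor `get` secrets, which is the least-privilege outcome the slides are after; any `*` that creeps into a Role's verbs or resources widens that answer immediately.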
  13. CIS Kubernetes Benchmark
     » A document that provides guidance for establishing a secure configuration posture for Kubernetes
     » Specific recommendations, each with a description, rationale, method of audit and remediation
     » Can be automated with kube-bench

  14. Container Images

  15. Images Security
     » Never run as root: set USER in the Dockerfile
     » Minimal base image (Alpine about 2 MB, Ubuntu about 60 MB)
     » Trusted base image
     » Private image registry
     » Do NOT use the latest tag
     » Vulnerability scans
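Three of the slide 15 rules (no root user, no `latest` tag, a trusted image source) can be checked mechanically before an image is ever built. The following is an added example, not from the talk: a small Dockerfile lint in Python over two constructed Dockerfiles. It treats "trusted base image" as "pulled from a registry you name", which is an assumption of this example, and it reads the last `USER` of the file as the user of the final stage.

```python
"""Lint a Dockerfile against the image rules on slide 15.

Added example.  The two Dockerfiles are constructed inline; the registry name
passed as `trusted_registry` is a placeholder chosen for the example.
"""

# Constructed: the kind of Dockerfile the slide warns about.
SAMPLE_DOCKERFILE = """\
FROM node:latest
WORKDIR /app
COPY . .
RUN npm ci --only=production
EXPOSE 3000
CMD ["node", "server.js"]
"""

# Constructed: same application with a pinned minimal base and a non-root USER.
FIXED_DOCKERFILE = """\
FROM node:12.13.0-alpine
WORKDIR /app
COPY . .
RUN npm ci --only=production && addgroup -S app && adduser -S -G app app
USER app
EXPOSE 3000
CMD ["node", "server.js"]
"""


def lint_dockerfile(text, trusted_registry=None):
    """Return a list of findings; an empty list means the Dockerfile passes."""
    findings = []
    last_user = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        instr, _, args = line.partition(" ")
        instr, args = instr.upper(), args.strip()
        if instr == "FROM":
            # First token that is not a flag such as --platform; a trailing "AS stage" is ignored.
            image = next(t for t in args.split() if not t.startswith("--"))
            if image.lower() == "scratch":
                continue
            name = image.rsplit("/", 1)[-1]  # last path component, so a registry port is not mistaken for a tag
            if "@sha256:" not in image:
                tag = name.split(":", 1)[1] if ":" in name else None
                if tag is None or tag == "latest":
                    findings.append(f"line {lineno}: base image {image} is not pinned (tag is latest or missing)")
            if trusted_registry and not image.startswith(trusted_registry + "/"):
                findings.append(f"line {lineno}: base image {image} is not from {trusted_registry}")
        elif instr == "USER":
            last_user = args
    if last_user is None:
        findings.append("no USER instruction: the container runs as root")
    elif last_user.split(":")[0] in ("root", "0"):
        findings.append(f"USER {last_user}: the container runs as root")
    return findings


if __name__ == "__main__":
    for label, text in [("sample", SAMPLE_DOCKERFILE), ("fixed", FIXED_DOCKERFILE)]:
        print(label, lint_dockerfile(text) or "OK")
```

The sample file produces two findings (unpinned `latest` tag, no `USER`), the fixed file none; passing `trusted_registry="registry.example.internal"` to the fixed file adds one finding because `node:12.13.0-alpine` still comes from Docker Hub. Pinning by digest (`@sha256:...`) satisfies the tag check on its own.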
  16. Image Scanning Tools
     » aquasecurity/trivy
     » coreos/clair
     » optiopay/klar
     » aquasecurity/microscanner
     » Aqua Security
     » Twistlock

  17. Trivy

  18. Vulnerability Scanning CI Pipeline Integration (diagram): Code -> CI -> Vulnerability Scanning -> Image Registry -> Container, with a Schedule that triggers scanning of the registry

  19. Vulnerability Scanning CI Pipeline Integration (diagram): as in slide 18, plus Publish Scanning Results, and an Admission Webhook that asks "Is Scanned Image?" before a Container is admitted
  20. Containers

  21. Privilege Escalation (diagram): a hacker inside a Container on a Pod on a Worker node: modify the container file system -> modify the host file system -> Crypto Miner. Hacker icon by karina from the Noun Project

  22. Demo: Privilege Escalation

  23. Security Context » RunAsUser » RunAsGroup
     securityContext:
       runAsUser: 1000
       runAsGroup: 3000

  24. Security Context » AllowPrivilegeEscalation
     securityContext:
       allowPrivilegeEscalation: false

  25. Security Context » ReadOnlyRootFilesystem
     securityContext:
       readOnlyRootFilesystem: true

  26. Security Context » RunAsUser » RunAsGroup » AllowPrivilegeEscalation » ReadOnlyRootFilesystem
     apiVersion: v1
     kind: Pod
     metadata:
       name: my-app
     spec:
       securityContext:
         runAsUser: 1000
         runAsGroup: 2000
       containers:
       - name: my-app
         image: my-app
         securityContext:
           allowPrivilegeEscalation: false
           readOnlyRootFilesystem: true
  27. Enter Pod Security Policy

  28. Pod Security Policy
     » A Pod Security Policy is a cluster-level resource that controls the actions that a pod can perform and what it has the ability to access.
     » The PodSecurityPolicy objects define a set of conditions that a pod must run with in order to be accepted into the system.

  29. Pod Security Policy
     » privileged
     » volumes
     » fsGroup
     » runAsUser, runAsGroup
     » readOnlyRootFilesystem
     » allowedHostPaths
     » hostNetwork
     » Linux capabilities
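Slides 23 to 26 set the security context by hand and slide 29 lists the fields a Pod Security Policy enforces for every pod in the cluster. The following is an added example, not the talk's code and not a PodSecurityPolicy: a Python audit that applies those same conditions (runAsUser, privileged, allowPrivilegeEscalation, readOnlyRootFilesystem, hostNetwork, hostPath volumes, added capabilities) to a Pod manifest held as a constructed dict. It reproduces one Kubernetes rule that matters for the audit: a container-level `securityContext` overrides the pod-level one for the same field.

```python
"""Audit a Pod manifest against the controls on slides 23 to 29.

Added example.  HARDENED_POD is the slide 26 manifest as a constructed dict;
DEFAULT_POD is a constructed counter-example that leaves everything at its
defaults and adds the settings a PSP would reject.  A real check would load the
manifest with yaml.safe_load and iterate over every pod in the namespace.
"""

HARDENED_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "my-app"},
    "spec": {
        "securityContext": {"runAsUser": 1000, "runAsGroup": 2000},
        "containers": [{
            "name": "my-app", "image": "my-app",
            "securityContext": {"allowPrivilegeEscalation": False,
                                "readOnlyRootFilesystem": True},
        }],
    },
}

DEFAULT_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "webapp"},
    "spec": {
        "hostNetwork": True,
        "volumes": [{"name": "host", "hostPath": {"path": "/"}}],
        "containers": [{
            "name": "webapp", "image": "webapp",
            "securityContext": {"privileged": True,
                                "capabilities": {"add": ["SYS_ADMIN"]}},
        }],
    },
}


def audit_pod(pod):
    """Return a list of findings; an empty list means every control is satisfied."""
    spec = pod["spec"]
    pod_sc = spec.get("securityContext", {})
    findings = []
    if spec.get("hostNetwork"):
        findings.append("pod: hostNetwork is enabled")
    for vol in spec.get("volumes", []):
        if "hostPath" in vol:  # PSP controls this through volumes/allowedHostPaths
            findings.append(f"volume {vol['name']}: mounts host path {vol['hostPath']['path']}")
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        sc = c.get("securityContext", {})
        name = c["name"]
        # Container setting wins over pod setting; unset means the image default, usually root.
        uid = sc.get("runAsUser", pod_sc.get("runAsUser"))
        non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot", False))
        if uid == 0 or (uid is None and not non_root):
            findings.append(f"container {name}: may run as root (set runAsUser or runAsNonRoot)")
        if sc.get("privileged"):
            findings.append(f"container {name}: privileged")
        if sc.get("allowPrivilegeEscalation", True):  # Kubernetes default is true
            findings.append(f"container {name}: allowPrivilegeEscalation is not false")
        if not sc.get("readOnlyRootFilesystem", False):
            findings.append(f"container {name}: root filesystem is writable")
        for cap in sc.get("capabilities", {}).get("add", []):
            findings.append(f"container {name}: adds capability {cap}")
    return findings


if __name__ == "__main__":
    for pod in (HARDENED_POD, DEFAULT_POD):
        print(pod["metadata"]["name"], audit_pod(pod) or "OK")
```

The slide 26 pod passes cleanly; the counter-example yields seven findings, and the writable root filesystem plus a root user are exactly the two conditions the slide 21 escalation path relies on. Note that a container-level `runAsUser: 0` silently undoes a pod-level `runAsUser: 1000`, which is why the audit resolves the effective uid per container.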
  30. kube-psp-advisor

  31. Network Communication (diagram: Pod, Pod, Pod)
     » All pods can communicate with each other

  32. Network Communication (diagram: App 1, Frontend pod, DB pod)
     apiVersion: networking.k8s.io/v1
     kind: NetworkPolicy
     metadata:
       name: my-frontend-policy
     spec:
       podSelector:
         matchLabels:
           app: db
       ingress:
       - from:
         - podSelector:
             matchLabels:
               app: frontend
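Slide 31 states the default (every pod can reach every other pod) and slide 32 shows the policy that restricts the DB pod to the frontend. What the diagram does not spell out is how Kubernetes decides: a pod that no policy selects stays open, and once any policy selects it, only sources matched by some selecting policy's `from` clauses get in. The following is an added example, not the talk's code and not the behaviour of any particular network plugin: a Python evaluator of that rule for pods in one namespace, using the slide's manifest as a constructed dict. It handles only `podSelector`/`matchLabels` peers (no `namespaceSelector`, `ipBlock` or ports), which is an intentional simplification.

```python
"""Decide whether ingress from one pod to another is allowed by NetworkPolicies.

Added example.  DB_POLICY is the slide 32 manifest as a constructed dict;
DENY_ALL is a constructed default-deny policy of the kind usually applied first.
Pods are represented only by their labels, and all are in the same namespace.
"""

DB_POLICY = {
    "apiVersion": "networking.k8s.io/v1", "kind": "NetworkPolicy",
    "metadata": {"name": "my-frontend-policy", "namespace": "default"},
    "spec": {
        "podSelector": {"matchLabels": {"app": "db"}},
        "ingress": [{"from": [{"podSelector": {"matchLabels": {"app": "frontend"}}}]}],
    },
}

DENY_ALL = {
    "apiVersion": "networking.k8s.io/v1", "kind": "NetworkPolicy",
    "metadata": {"name": "default-deny-ingress", "namespace": "default"},
    "spec": {"podSelector": {}, "policyTypes": ["Ingress"]},  # selects every pod, admits nobody
}


def selector_matches(selector, labels):
    """An empty selector ({}) matches every pod; every matchLabels pair must be present."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())


def ingress_allowed(dst_labels, src_labels, policies):
    """True if a pod with src_labels may open a connection to a pod with dst_labels."""
    selecting = [p for p in policies if selector_matches(p["spec"]["podSelector"], dst_labels)]
    if not selecting:
        return True  # slide 31: with no policy, all pods can talk to each other
    for policy in selecting:
        spec = policy["spec"]
        # policyTypes defaults to Ingress when omitted; an egress-only policy does not restrict ingress.
        if "Ingress" not in spec.get("policyTypes", ["Ingress"]):
            continue
        for rule in spec.get("ingress", []):
            peers = rule.get("from")
            if not peers:
                return True  # a rule without 'from' admits every source
            for peer in peers:
                if "podSelector" in peer and selector_matches(peer["podSelector"], src_labels):
                    return True
    return False  # selected by at least one policy, matched by none: denied


if __name__ == "__main__":
    db, frontend, app1 = {"app": "db"}, {"app": "frontend"}, {"app": "app1"}
    print("frontend -> db:", ingress_allowed(db, frontend, [DB_POLICY]))
    print("app1 -> db:", ingress_allowed(db, app1, [DB_POLICY]))
    print("app1 -> frontend:", ingress_allowed(frontend, app1, [DB_POLICY]))
    print("app1 -> frontend with default deny:", ingress_allowed(frontend, app1, [DB_POLICY, DENY_ALL]))
```

With only the slide's policy, App 1 cannot reach the DB but can still reach the frontend, because nothing selects the frontend; adding the default-deny policy closes that gap while the DB policy keeps admitting the frontend, since policies are additive. Whether any of this is enforced at all depends on the network plugin listed on slide 33.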
  33. Network Plugin
     » Calico
     » Cilium
     » Kube-Router
     » Weave Net
     » …

  34. (no transcribed text)

  35. Service Mesh
     » Security-specific policy enforcement
     » End-to-end encryption
     » Rolling certificates

  36. Summary
     » Kubernetes Cluster: Bootstrap TLS, Authentication, Enable RBAC, CIS Benchmark
     » Container Images: No root user, Small images, Do NOT use latest, Private Image Registry, Vulnerability Scans
     » Containers: Pod Security Context, Pod Security Policy, Network Policy, Service Mesh

  37. Resources
     » https://kubernetes-security.info
     » http://github.com/hossambarakat/secure-k8s-containers

  38. Questions? #2019addo-devsecops

  39. (no transcribed text)

  40. Thank You. Hossam Barakat, @hossambarakat_