
Kubernetes Security

Carol
July 20, 2019


Exploring the security layers of the Kubernetes orchestrator, together with the tools that help us run a cluster that is trustworthy and not vulnerable to attacks.


Transcript

  1. Figure (open source security, 2019)
     • 78% of vulnerabilities are in indirect dependencies
     • 37% of open source developers do no security testing in CI
     • 54% of Docker images get no security testing
     • The top 10 Docker images contain > 30 vulnerable system libraries
  2. Namespaces control what a process can SEE:
     • PID
     • Mount
     • Network
     • UTS
     • IPC
     • User
     Cgroups control what a process can USE.
  3. Linux Capabilities: by default, a container owns only 14 of 37 capabilities. Principle of Least Privilege.
  4. Container Security
     • Public images?
     • Run as root? Defaults to root (uid=0)
     • Admin capabilities?
     • Private registry
     • Secure the Docker host
     • Unprivileged users
     • Read-only filesystems
     • Security policies, syscall whitelist: SELinux, AppArmor, Seccomp-bpf
  5. Container Security
     • Remove SUID binaries or drop the SETUID capability. Set User ID is a type of permission that allows users to execute a file with the permissions of a specified user.
     • No --privileged containers
     • Drop all capabilities, then add the needed caps
     • Enable user namespaces
     • Set resource limits and ulimits
     • Mount volumes: ro, noexec, nosuid, nodev
  6. Containers are not a sandbox
     • Legacy workloads in a cloud-native environment?
     • Kata, gVisor, Hyper RunV, KubeVirt
     Figure: gVisor (https://thenewstack.io/how-to-implement-secure-containers-using-googles-gvisor/)
  7. Tools
     ◉ Center for Internet Security (CIS) Benchmark for Docker
     ◉ Docker-bench-security
     ◉ Grafeas: audit and govern your software supply chain
     ◉ Sysdig: container troubleshooting and security investigation
     ◉ CoreOS / Clair: vulnerability static analysis for containers
     ◉ Aqua / Microscanner: scan your container images for package vulnerabilities
     ◉ Capsule8: open-source cloud-native behavioral security monitoring
  8. Best practices
     ◉ Hosts: private topology / bastion
     ◉ TLS everywhere, for all API traffic
     ◉ Certificate rotation (1.8)
     ◉ Separate and firewall etcd, restrict access
     ◉ Authorization: RBAC with least privilege
     ◉ Enable audit logging
     ◉ Upgrade the cluster
     ◉ Encrypting Secret data at rest (1.13): encrypted in etcd. AES-CBC, AES-GCM, KMS.
  9. Tools
     ◉ Center for Internet Security (CIS) Benchmark for Kubernetes
     ◉ Aqua / kube-bench: checks that Kubernetes is deployed according to security best practices
     ◉ Aqua / kube-hunter: hunts for security weaknesses in Kubernetes clusters
     ◉ K8Guard: an auditing system for Kubernetes
     ◉ Anchore: kubernetes-admission-controller
  10. Users in Kubernetes
     • X.509 client certs
     • Password files
     • Bearer token webhook
     • Service Account
     • OpenID Connect (OIDC)
  11. Authentication Tools
     ◉ OIDC JWT
     ◉ Redhat / Keycloak: open source identity
     ◉ Dexidp / dex: OpenID Connect is based on OAuth 2.0.
     ◉ aws-iam-authenticator: Heptio and Amazon EKS OSS engineers
     ◉ Hashicorp / vault-plugin-auth-kubernetes
     ◉ Appscode / Guard: Kubernetes authentication webhook server
  12. Authorization Tools
     ◉ Liggitt / audit2rbac: autogenerate RBAC policies based on Kubernetes audit logs.
     ◉ FairwindsOps / rbac-manager: a Kubernetes operator for Role Bindings and Service Accounts.
     ◉ Jtblin / kube2iam: provides different AWS IAM roles for pods running on Kubernetes.
  13. Security Compliance Tools
     ◉ OpenSCAP: Open Source Security Content Automation Protocol
     ◉ Open Policy Agent / OPA
  14. Best practices
     ◉ Disable anonymous authentication
     ◉ Enable RBAC
     ◉ Helm: TLS certificates
     ◉ Deny by default: RBAC, NetworkPolicy, PodSecurityPolicy
     ◉ Restrict service token use
     ◉ Use third-party auth for the API server
  15. Best practices (secrets)
     • Source code, Dockerfiles / images
     • Base64 is not encryption
     • RBAC: limit who can read secrets
     • 1.10: EncryptionConfiguration, providers: identity, aescbc, secretbox, aesgcm, kms
     • kube-apiserver --encryption-provider-config=/etc/encryption-config.yml …
  16. How do you define “production ready” and “highly available” anyway?
     Can a cluster be created so that it’s secured from end-to-end, has no single points of failure, and is upgradable with zero control plane downtime?
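As an added example (not from the deck), here is the EncryptionConfiguration file that the kube-apiserver flag on slide 15 points to, with a weak provider order beside the corrected one; the file path and the key value are placeholders I assume, not values from the talk.

```yaml
# WEAK: the first provider in the list is the one used to ENCRYPT new writes,
# so with "identity" first, Secrets keep landing in etcd as plaintext and the
# aescbc entry below it is only ever consulted for reads.
apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
  - resources:
      - secrets
    providers:
      - identity: {}
      - aescbc:
          keys:
            - name: key1
              secret: <BASE64_32_BYTE_KEY>   # placeholder, not a real key
---
# CORRECTED: aescbc (one of the providers named on the slide; aesgcm,
# secretbox or kms are alternatives) comes first, so every new write to etcd
# is encrypted. "identity" stays LAST so Secrets stored before encryption was
# turned on can still be read until they are rewritten; drop it afterwards.
apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
  - resources:
      - secrets
    providers:
      - aescbc:
          keys:
            - name: key1
              # placeholder; generate a real one with: head -c 32 /dev/urandom | base64
              secret: <BASE64_32_BYTE_KEY>
      - identity: {}
# Load with: kube-apiserver --encryption-provider-config=/etc/encryption-config.yml
# (assumed path). The file holds the key, so keep it root-only on the control
# plane host; the kms provider avoids storing a key in this file at all.
```

Enabling the file does not touch Secrets already in etcd: they are re-encrypted only when rewritten, for example with `kubectl get secrets --all-namespaces -o json | kubectl replace -f -`.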