Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Kubernetes-native security with Starboard

Avatar for Liz Rice Liz Rice
January 01, 2021
Programming
220
0

Kubernetes-native security with Starboard

Avatar for Liz Rice

Liz Rice

January 01, 2021

More Decks by Liz Rice

See All by Liz Rice
Building a cloud native business on open source
Avatar for Liz Rice lizrice
0
260
KCD Lima: eBee in Peru!
Avatar for Liz Rice lizrice
0
210
Unleashing the kernel with eBPF
Avatar for Liz Rice lizrice
0
390
eBPF's Abilities and Limitations: The Truth
Avatar for Liz Rice lizrice
0
530
Simplifying multi-cloud and multi-cluster Kubernetes deployments with Cilium
Avatar for Liz Rice lizrice
0
290
When is a Secure Connection not encrypted? And other stories
Avatar for Liz Rice lizrice
1
140
Keeping it simple: Cilium Mesh - networking for multi-cloud Kubernetes and beyond
Avatar for Liz Rice lizrice
1
790
How Many Proxies Do You Need
Avatar for Liz Rice lizrice
1
200
eBPF for Security Observability
Avatar for Liz Rice lizrice
0
1.6k

Other Decks in Programming

See All in Programming
Go1.27で導入されるジェネリクスメソッドでできること
Avatar for mackee mackee
0
120
ローカルLLMでどこまでコードが書けるか -拡張版 / How much code can be written on a local LLM Extended
Avatar for Naoki Kishida kishida
10
4.1k
ふつうのFeature Flag実践入門
Avatar for irof irof
7
3.9k
Contextとはなにか
Avatar for chiroruxx chiroruxx
1
320
DynamoDBには集計系のクエリがないけどなんとかしたい
Avatar for 村上優稀 musan
1
140
「なぜそう決めたのか」を残し続ける仕組み ― Notion AI カスタムエージェント × Slack連携による設計判断の自動記録 - NIKKEI Tech Talk #47
Avatar for ニフティ株式会社 niftycorp
PRO
0
170
Vite+ Unified Toolchain for the Web
Avatar for Naoki Haba naokihaba
0
300
Java × distroless で 軽量なコンテナイメージを / Java on Distroless
Avatar for Daisuke Garaike contour_gara
0
540
Spec Driven Development | AI Summit Lisbon
Avatar for Daniel Sogl danielsogl
PRO
0
190
Even G2とAWSで推しのエージェントを召喚しよう!
Avatar for Har1101 har1101
1
110
キャリア迷子上等 ─ "ない道"は自分で作ればいい
Avatar for 16bit_idol 16bitidol
3
2.1k
コンテキストの使い捨てをやめる — ビジネスルール駆動開発と miko —
Avatar for ioki ioki
0
200

Featured

See All Featured
Have SEOs Ruined the Internet? - User Awareness of SEO in 2025
Avatar for Akash Hashmi akashhashmi
0
370
Making Projects Easy
Avatar for Brett Harned brettharned
120
6.7k
GraphQLとの向き合い方2022年版
Avatar for Yosuke Kurami quramy
50
15k
The B2B funnel & how to create a winning content strategy
Avatar for Katarina Dahlin katarinadahlin
PRO
1
380
Git: the NoSQL Database
Avatar for Brandon Keepers bkeepers
PRO
432
67k
Paper Plane (Part 1)
Avatar for Katie Cordina Lindsey katiecoart
PRO
0
8.9k
Hiding What from Whom? A Critical Review of the History of Programming languages for Music
Avatar for Tomoya Matsuura tomoyanonymous
2
850
Jamie Indigo - Trashchat’s Guide to Black Boxes: Technical SEO Tactics for LLMs
Avatar for Tech SEO Connect techseoconnect
PRO
0
160
Statistics for Hackers
Avatar for Jake VanderPlas jakevdp
799
230k
Distributed Sagas: A Protocol for Coordinating Microservices
Avatar for Caitie McCaffrey caitiem20
333
22k
Practical Orchestrator
Avatar for Shlomi Noach shlominoach
191
11k
Speed Design
Avatar for Sergey Chernyshev sergeychernyshev
33
1.8k

Transcript

  1. © 2020 Aqua Security Software Ltd., All Rights Reserved Kubernetes-native

    security with Starboard Liz Rice & Daniel Pacak Open Source Engineering, Aqua Security @lizrice @d_pacak

  2. @lizrice @d_pacak Kubernetes K8s resources Starboard – motivation Dave Loper

    pods deployments statefulsets daemonsets Security tools Image vulnerabilities CIS benchmarks Config auditing Pen testing Dashboard kubectl Kubernetes API

  3. @lizrice @d_pacak Starboard – brings security reports into Kubernetes Kubernetes

    Dashboard Dave Loper K8s resources pods deployments statefulsets daemonsets Security tools Image vulnerabilities CIS benchmarks Config auditing Pen testing kubehunterreports vulnerabilityreports ciskubebenchreports configauditreports Starboard kubectl Kubernetes API

  4. @lizrice @d_pacak Starboard CLI demo

  5. @lizrice @d_pacak Starboard operator Starboard operator – automation Kubernetes Dashboard

    Dave Loper K8s resources pods deployments statefulsets daemonsets Security tools Image vulnerabilities CIS benchmarks Config auditing Pen testing kubehunterreports vulnerabilityreports ciskubebenchreports configauditreports Starboard kubectl Kubernetes API

  6. @lizrice @d_pacak Starboard operator demo

  7. @lizrice @d_pacak Starboard design decisions

  8. @lizrice @d_pacak Resource What security issues are this for this

    resource? Security report Resource type = pod Resource name = my-app owner

  9. @lizrice @d_pacak Resource What security issues are this for this

    resource? Security report Resource type = pod Resource name = my-app owner Resource name

  10. @lizrice @d_pacak namespace Resource What security issues are this for

    this resource? Security report

  11. @lizrice @d_pacak namespace Resource What security issues are this for

    this resource? Security report starboard Scan job

  12. @lizrice @d_pacak Deployment ReplicaSet app-image:1.3 ReplicaSet image:1.3 Pod image:1.3 ReplicaSet

    image:1.3 Pod app-image:1.3 What security issues are there for my workloads? Unmanaged pod other-image:2.0

  13. @lizrice @d_pacak Deployment ReplicaSet app-image:1.3 ReplicaSet image:1.3 Pod image:1.3 ReplicaSet

    image:1.3 Pod app-image:1.3 Unmanaged pod other-image:2.0 Vuln report some-image:2.0

  14. @lizrice @d_pacak Deployment ReplicaSet app-image:1.3 ReplicaSet image:1.3 Pod image:1.3 ReplicaSet

    image:1.3 Pod app-image:1.3 Unmanaged pod other-image:2.0 Vuln report some-image:2.0 Vuln report some-image:2.0 Vuln report some-image:2.0 Vuln report some-image:2.0

  15. @lizrice @d_pacak Deployment ReplicaSet app-image:1.3 ReplicaSet image:1.3 Pod image:1.3 ReplicaSet

    image:1.3 Pod app-image:1.3 Unmanaged pod other-image:2.0 Vuln report some-image:2.0 Vuln report

  16. @lizrice @d_pacak Deployment ReplicaSet app-image:1.3 ReplicaSet app-image:1.6 ReplicaSet image:1.3 Pod

    image:1.3 ReplicaSet image:1.3 Pod app-image:1.3 ReplicaSet image:1.3 Pod app-image:1.6 Unmanaged pod other-image:2.0 Vuln report some-image:2.0 Vuln report

  17. @lizrice @d_pacak Deployment ReplicaSet app-image:1.3 ReplicaSet app-image:1.6 ReplicaSet image:1.3 Pod

    image:1.3 ReplicaSet image:1.3 Pod app-image:1.3 ReplicaSet image:1.3 Pod app-image:1.6 Unmanaged pod some-image:2.0 Vuln report some-image:2.0 Vuln report app-image:1.6 Vuln report app-image:1.3

  18. @lizrice @d_pacak Deployment ReplicaSet ReplicaSet image:1.3 Pod image:1.3 ReplicaSet image:1.3

    Pod Vuln report What vulnerabilities are in my deployment?

  19. @lizrice @d_pacak Starboard hierarchy demo

  20. @lizrice @d_pacak Extending Starboard

  21. @lizrice @d_pacak Kind: Job Name: efavbs-d21... Namespace: starboard-operator Pluggable vulnerability

    scanners Kind: Deployment Name: my-app Image: some-image:2.0 Struct: PodTemplateSpec Image: aquasec/trivy:0.11.0 Command: trivy some-image:2.0 Kind: VulnerabilityReport Name: deployment-my-app-some-container PodSpec Trivy output converter

  22. 22 22 VulnerabilityScanner interface

  23. @lizrice @d_pacak

  24. @lizrice @d_pacak

  25. @lizrice @d_pacak Starboard future

  26. @lizrice @d_pacak Fully pluggable security reporting Kubernetes Dashboard Dave Loper

    K8s resources pods <some resources> replicasets Security tools Image vulnerabilities CIS benchmarks Config auditing Pen testing kubehunterreports vulnerabilityreports ciskubebenchreports configauditreports Starboard kubectl Kubernetes API Starboard ConfigMap Scanners - Tool: Resource: Report: - Tool: Resource: Report: … <other>reports some other security tool

  27. @lizrice @d_pacak What are the most important security issues in

    my cluster? kubectl starboard summary <namespace>

  28. @lizrice @d_pacak github.com/aquasecurity/starboard