Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Kubernetes-native security with Starboard

Liz Rice
January 01, 2021
Programming
0
160

Kubernetes-native security with Starboard

Liz Rice

January 01, 2021
Tweet

More Decks by Liz Rice

See All by Liz Rice
Unleashing the kernel with eBPF
lizrice
0
130
eBPF's Abilities and Limitations: The Truth
lizrice
0
240
Simplifying multi-cloud and multi-cluster Kubernetes deployments with Cilium
lizrice
0
140
When is a Secure Connection not encrypted? And other stories
lizrice
1
63
Keeping it simple: Cilium Mesh - networking for multi-cloud Kubernetes and beyond
lizrice
1
570
How Many Proxies Do You Need
lizrice
1
120
eBPF for Security Observability
lizrice
0
1.2k
Beginner's Guide to eBPF Programming for Networking
lizrice
1
2.2k
Contributing to Open Source - what's in it for my business?
lizrice
0
43

Other Decks in Programming

See All in Programming
Snowflake x dbtで作るセキュアでアジャイルなデータ基盤
tsoshiro
2
520
OnlineTestConf: Test Automation Friend or Foe
maaretp
0
110
WebフロントエンドにおけるGraphQL(あるいはバックエンドのAPI)との向き合い方 / #241106_plk_frontend
izumin5210
4
1.4k
Quine, Polyglot, 良いコード
qnighy
4
640
色々なIaCツールを実際に触って比較してみる
iriikeita
0
330
最新TCAキャッチアップ
0si43
0
140
Remix on Hono on Cloudflare Workers
yusukebe
1
290
Flutterを言い訳にしない!アプリの使い心地改善テクニック5選🔥
kno3a87
1
180
Compose 1.7のTextFieldはPOBox Plusで日本語変換できない
tomoya0x00
0
190
Jakarta EE meets AI
ivargrimstad
0
560
Click-free releases & the making of a CLI app
oheyadam
2
120
[Do iOS '24] Ship your app on a Friday...and enjoy your weekend!
polpielladev
0
110

Featured

See All Featured
ピンチをチャンスに:未来をつくるプロダクトロードマップ #pmconf2020
aki_iinuma
109
49k
The Myth of the Modular Monolith - Day 2 Keynote - Rails World 2024
eileencodes
16
2.1k
Typedesign – Prime Four
hannesfritz
40
2.4k
Build your cross-platform service in a week with App Engine
jlugia
229
18k
実際に使うSQLの書き方 徹底解説 / pgcon21j-tutorial
soudai
169
50k
Teambox: Starting and Learning
jrom
133
8.8k
YesSQL, Process and Tooling at Scale
rocio
169
14k
Put a Button on it: Removing Barriers to Going Fast.
kastner
59
3.5k
Measuring & Analyzing Core Web Vitals
bluesmoon
4
120
ReactJS: Keep Simple. Everything can be a component!
pedronauck
665
120k
Large-scale JavaScript Application Architecture
addyosmani
510
110k
Documentation Writing (for coders)
carmenintech
65
4.4k

Transcript

  1. © 2020 Aqua Security Software Ltd., All Rights Reserved Kubernetes-native

    security with Starboard Liz Rice & Daniel Pacak Open Source Engineering, Aqua Security @lizrice @d_pacak

  2. @lizrice @d_pacak Kubernetes K8s resources Starboard – motivation Dave Loper

    pods deployments statefulsets daemonsets Security tools Image vulnerabilities CIS benchmarks Config auditing Pen testing Dashboard kubectl Kubernetes API

  3. @lizrice @d_pacak Starboard – brings security reports into Kubernetes Kubernetes

    Dashboard Dave Loper K8s resources pods deployments statefulsets daemonsets Security tools Image vulnerabilities CIS benchmarks Config auditing Pen testing kubehunterreports vulnerabilityreports ciskubebenchreports configauditreports Starboard kubectl Kubernetes API

  4. @lizrice @d_pacak Starboard CLI demo

  5. @lizrice @d_pacak Starboard operator Starboard operator – automation Kubernetes Dashboard

    Dave Loper K8s resources pods deployments statefulsets daemonsets Security tools Image vulnerabilities CIS benchmarks Config auditing Pen testing kubehunterreports vulnerabilityreports ciskubebenchreports configauditreports Starboard kubectl Kubernetes API

  6. @lizrice @d_pacak Starboard operator demo

  7. @lizrice @d_pacak Starboard design decisions

  8. @lizrice @d_pacak Resource What security issues are this for this

    resource? Security report Resource type = pod Resource name = my-app owner

  9. @lizrice @d_pacak Resource What security issues are this for this

    resource? Security report Resource type = pod Resource name = my-app owner Resource name

  10. @lizrice @d_pacak namespace Resource What security issues are this for

    this resource? Security report

  11. @lizrice @d_pacak namespace Resource What security issues are this for

    this resource? Security report starboard Scan job

  12. @lizrice @d_pacak Deployment ReplicaSet app-image:1.3 ReplicaSet image:1.3 Pod image:1.3 ReplicaSet

    image:1.3 Pod app-image:1.3 What security issues are there for my workloads? Unmanaged pod other-image:2.0

  13. @lizrice @d_pacak Deployment ReplicaSet app-image:1.3 ReplicaSet image:1.3 Pod image:1.3 ReplicaSet

    image:1.3 Pod app-image:1.3 Unmanaged pod other-image:2.0 Vuln report some-image:2.0

  14. @lizrice @d_pacak Deployment ReplicaSet app-image:1.3 ReplicaSet image:1.3 Pod image:1.3 ReplicaSet

    image:1.3 Pod app-image:1.3 Unmanaged pod other-image:2.0 Vuln report some-image:2.0 Vuln report some-image:2.0 Vuln report some-image:2.0 Vuln report some-image:2.0

  15. @lizrice @d_pacak Deployment ReplicaSet app-image:1.3 ReplicaSet image:1.3 Pod image:1.3 ReplicaSet

    image:1.3 Pod app-image:1.3 Unmanaged pod other-image:2.0 Vuln report some-image:2.0 Vuln report

  16. @lizrice @d_pacak Deployment ReplicaSet app-image:1.3 ReplicaSet app-image:1.6 ReplicaSet image:1.3 Pod

    image:1.3 ReplicaSet image:1.3 Pod app-image:1.3 ReplicaSet image:1.3 Pod app-image:1.6 Unmanaged pod other-image:2.0 Vuln report some-image:2.0 Vuln report

  17. @lizrice @d_pacak Deployment ReplicaSet app-image:1.3 ReplicaSet app-image:1.6 ReplicaSet image:1.3 Pod

    image:1.3 ReplicaSet image:1.3 Pod app-image:1.3 ReplicaSet image:1.3 Pod app-image:1.6 Unmanaged pod some-image:2.0 Vuln report some-image:2.0 Vuln report app-image:1.6 Vuln report app-image:1.3

  18. @lizrice @d_pacak Deployment ReplicaSet ReplicaSet image:1.3 Pod image:1.3 ReplicaSet image:1.3

    Pod Vuln report What vulnerabilities are in my deployment?

  19. @lizrice @d_pacak Starboard hierarchy demo

  20. @lizrice @d_pacak Extending Starboard

  21. @lizrice @d_pacak Kind: Job Name: efavbs-d21... Namespace: starboard-operator Pluggable vulnerability

    scanners Kind: Deployment Name: my-app Image: some-image:2.0 Struct: PodTemplateSpec Image: aquasec/trivy:0.11.0 Command: trivy some-image:2.0 Kind: VulnerabilityReport Name: deployment-my-app-some-container PodSpec Trivy output converter

  22. 22 22 VulnerabilityScanner interface

  23. @lizrice @d_pacak

  24. @lizrice @d_pacak

  25. @lizrice @d_pacak Starboard future

  26. @lizrice @d_pacak Fully pluggable security reporting Kubernetes Dashboard Dave Loper

    K8s resources pods <some resources> replicasets Security tools Image vulnerabilities CIS benchmarks Config auditing Pen testing kubehunterreports vulnerabilityreports ciskubebenchreports configauditreports Starboard kubectl Kubernetes API Starboard ConfigMap Scanners - Tool: Resource: Report: - Tool: Resource: Report: … <other>reports some other security tool

  27. @lizrice @d_pacak What are the most important security issues in

    my cluster? kubectl starboard summary <namespace>

  28. @lizrice @d_pacak github.com/aquasecurity/starboard