Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Kubernetes-native security with Starboard

Liz Rice
January 01, 2021
Programming
0
160

Kubernetes-native security with Starboard

Liz Rice

January 01, 2021
Tweet

More Decks by Liz Rice

See All by Liz Rice
Unleashing the kernel with eBPF
lizrice
0
130
eBPF's Abilities and Limitations: The Truth
lizrice
0
220
Simplifying multi-cloud and multi-cluster Kubernetes deployments with Cilium
lizrice
0
130
When is a Secure Connection not encrypted? And other stories
lizrice
1
60
Keeping it simple: Cilium Mesh - networking for multi-cloud Kubernetes and beyond
lizrice
1
560
How Many Proxies Do You Need
lizrice
1
120
eBPF for Security Observability
lizrice
0
1.2k
Beginner's Guide to eBPF Programming for Networking
lizrice
1
2.2k
Contributing to Open Source - what's in it for my business?
lizrice
0
42

Other Decks in Programming

See All in Programming
Golang と Erlang
taiyow
8
1.9k
ECSのサービス間通信 4つの方法を比較する 〜Canary,Blue/Greenも添えて〜
tkikuc
11
2.3k
Vaporモードを大規模サービスに最速導入して学びを共有する
kazukishimamoto
4
4.3k
Progressive Web Apps für Desktop und Mobile mit Angular (Hands-on)
christianliebel
PRO
0
110
Vue3の一歩踏み込んだパフォーマンスチューニング2024
hal_spidernight
3
3.1k
Realtime API 入門
riofujimon
0
110
Pinia Colada が実現するスマートな非同期処理
naokihaba
2
150
とにかくAWS GameDay!AWSは世界の共通言語! / Anyway, AWS GameDay! AWS is the world's lingua franca!
seike460
PRO
1
540
gopls を改造したら開発生産性が高まった
satorunooshie
8
240
のびしろを広げる巻き込まれ力:偶然を活かすキャリアの作り方/oso2024
takahashiikki
1
410
qmuntal/stateless のススメ
sgash708
0
120
アジャイルを支えるテストアーキテクチャ設計/Test Architecting for Agile
goyoki
7
2.8k

Featured

See All Featured
jQuery: Nuts, Bolts and Bling
dougneiner
61
7.5k
Rails Girls Zürich Keynote
gr2m
93
13k
Stop Working from a Prison Cell
hatefulcrawdad
267
20k
The Cult of Friendly URLs
andyhume
78
6k
The Language of Interfaces
destraynor
154
24k
Understanding Cognitive Biases in Performance Measurement
bluesmoon
26
1.4k
Fight the Zombie Pattern Library - RWD Summit 2016
marcelosomers
231
17k
Helping Users Find Their Own Way: Creating Modern Search Experiences
danielanewman
29
2.2k
It's Worth the Effort
3n
183
27k
I Don’t Have Time: Getting Over the Fear to Launch Your Podcast
jcasabona
27
1.9k
Agile that works and the tools we love
rasmusluckow
327
21k
Java REST API Framework Comparison - PWX 2021
mraible
PRO
28
7.9k

Transcript

  1. © 2020 Aqua Security Software Ltd., All Rights Reserved Kubernetes-native

    security with Starboard Liz Rice & Daniel Pacak Open Source Engineering, Aqua Security @lizrice @d_pacak

  2. @lizrice @d_pacak Kubernetes K8s resources Starboard – motivation Dave Loper

    pods deployments statefulsets daemonsets Security tools Image vulnerabilities CIS benchmarks Config auditing Pen testing Dashboard kubectl Kubernetes API

  3. @lizrice @d_pacak Starboard – brings security reports into Kubernetes Kubernetes

    Dashboard Dave Loper K8s resources pods deployments statefulsets daemonsets Security tools Image vulnerabilities CIS benchmarks Config auditing Pen testing kubehunterreports vulnerabilityreports ciskubebenchreports configauditreports Starboard kubectl Kubernetes API

  4. @lizrice @d_pacak Starboard CLI demo

  5. @lizrice @d_pacak Starboard operator Starboard operator – automation Kubernetes Dashboard

    Dave Loper K8s resources pods deployments statefulsets daemonsets Security tools Image vulnerabilities CIS benchmarks Config auditing Pen testing kubehunterreports vulnerabilityreports ciskubebenchreports configauditreports Starboard kubectl Kubernetes API

  6. @lizrice @d_pacak Starboard operator demo

  7. @lizrice @d_pacak Starboard design decisions

  8. @lizrice @d_pacak Resource What security issues are this for this

    resource? Security report Resource type = pod Resource name = my-app owner

  9. @lizrice @d_pacak Resource What security issues are this for this

    resource? Security report Resource type = pod Resource name = my-app owner Resource name

  10. @lizrice @d_pacak namespace Resource What security issues are this for

    this resource? Security report

  11. @lizrice @d_pacak namespace Resource What security issues are this for

    this resource? Security report starboard Scan job

  12. @lizrice @d_pacak Deployment ReplicaSet app-image:1.3 ReplicaSet image:1.3 Pod image:1.3 ReplicaSet

    image:1.3 Pod app-image:1.3 What security issues are there for my workloads? Unmanaged pod other-image:2.0

  13. @lizrice @d_pacak Deployment ReplicaSet app-image:1.3 ReplicaSet image:1.3 Pod image:1.3 ReplicaSet

    image:1.3 Pod app-image:1.3 Unmanaged pod other-image:2.0 Vuln report some-image:2.0

  14. @lizrice @d_pacak Deployment ReplicaSet app-image:1.3 ReplicaSet image:1.3 Pod image:1.3 ReplicaSet

    image:1.3 Pod app-image:1.3 Unmanaged pod other-image:2.0 Vuln report some-image:2.0 Vuln report some-image:2.0 Vuln report some-image:2.0 Vuln report some-image:2.0

  15. @lizrice @d_pacak Deployment ReplicaSet app-image:1.3 ReplicaSet image:1.3 Pod image:1.3 ReplicaSet

    image:1.3 Pod app-image:1.3 Unmanaged pod other-image:2.0 Vuln report some-image:2.0 Vuln report

  16. @lizrice @d_pacak Deployment ReplicaSet app-image:1.3 ReplicaSet app-image:1.6 ReplicaSet image:1.3 Pod

    image:1.3 ReplicaSet image:1.3 Pod app-image:1.3 ReplicaSet image:1.3 Pod app-image:1.6 Unmanaged pod other-image:2.0 Vuln report some-image:2.0 Vuln report

  17. @lizrice @d_pacak Deployment ReplicaSet app-image:1.3 ReplicaSet app-image:1.6 ReplicaSet image:1.3 Pod

    image:1.3 ReplicaSet image:1.3 Pod app-image:1.3 ReplicaSet image:1.3 Pod app-image:1.6 Unmanaged pod some-image:2.0 Vuln report some-image:2.0 Vuln report app-image:1.6 Vuln report app-image:1.3

  18. @lizrice @d_pacak Deployment ReplicaSet ReplicaSet image:1.3 Pod image:1.3 ReplicaSet image:1.3

    Pod Vuln report What vulnerabilities are in my deployment?

  19. @lizrice @d_pacak Starboard hierarchy demo

  20. @lizrice @d_pacak Extending Starboard

  21. @lizrice @d_pacak Kind: Job Name: efavbs-d21... Namespace: starboard-operator Pluggable vulnerability

    scanners Kind: Deployment Name: my-app Image: some-image:2.0 Struct: PodTemplateSpec Image: aquasec/trivy:0.11.0 Command: trivy some-image:2.0 Kind: VulnerabilityReport Name: deployment-my-app-some-container PodSpec Trivy output converter

  22. 22 22 VulnerabilityScanner interface

  23. @lizrice @d_pacak

  24. @lizrice @d_pacak

  25. @lizrice @d_pacak Starboard future

  26. @lizrice @d_pacak Fully pluggable security reporting Kubernetes Dashboard Dave Loper

    K8s resources pods <some resources> replicasets Security tools Image vulnerabilities CIS benchmarks Config auditing Pen testing kubehunterreports vulnerabilityreports ciskubebenchreports configauditreports Starboard kubectl Kubernetes API Starboard ConfigMap Scanners - Tool: Resource: Report: - Tool: Resource: Report: … <other>reports some other security tool

  27. @lizrice @d_pacak What are the most important security issues in

    my cluster? kubectl starboard summary <namespace>

  28. @lizrice @d_pacak github.com/aquasecurity/starboard