
Preventative Security for Kubernetes

Liz Rice
February 28, 2019

Testing your Kubernetes cluster for security issues using the CIS benchmark, and open source tools kube-bench and kube-hunter

As seen at DevSecCon Singapore 2019

Transcript

  1. Preventative Security for Kubernetes. Liz Rice, @lizrice | @aquasecteam. © 2018-19 Aqua Security Software Ltd., All Rights Reserved.
  2. Agenda
     ▪ Kubernetes configuration for security
     ▪ CIS benchmarks – testing the configuration
     ▪ Penetration testing – testing for vulnerabilities
  3. Authored by Liz Rice from Aqua Security and Michael Hausenblas from Red Hat: https://info.aquasec.com/kubernetes-security
  4. Aqua: our approach
     Automate DevSecOps
     ▪ Secure the CI/CD pipeline
     ▪ “Shift left” security, fix issues early and fast
     ▪ Accelerate app delivery with security automation
     Modernize security through containers
     ▪ Enforce immutability – no patching, no drift
     ▪ Whitelist good behavior, preventing anomalies
     ▪ Prevent lateral movement
     Secure once, run anywhere
     ▪ Secure apps regardless of platform, cloud, or OS
     ▪ Enable hybrid cloud and cloud migration
     ▪ Avoid cloud lock-in and security reconfiguration
  5. Automating Security at Every Stage
     Pipeline stages: Create software → Build → Deploy
     Controls: Code quality; Security testing; Vulnerability scanning; Image policies; Runtime protection; Host configuration
     Goals: Artifacts free of security defects; Only expected code & config; Detect anomalous behaviour
  6. Kubernetes configuration: What config settings should I use?
     ▪ Kubernetes components installed on your servers
     ▪ Master & node components
     ▪ Many configuration settings have a security impact
     ▪ Example: open Kubelet port = root access
     ▪ Defaults depend on the installer
  7. kube-bench: github.com/aquasecurity/kube-bench
     ▪ Open source automated tests for the CIS Kubernetes Benchmark
     ▪ Tests for Kubernetes Masters and Nodes
     ▪ Available as a container
  8. kube-bench: github.com/aquasecurity/kube-bench
     ▪ Job configuration YAML
     ▪ Run regularly to ensure no configuration drift
     ▪ Tests defined in YAML
     ▪ Released code follows the CIS Benchmark
     ▪ Modify for your own purposes
  9. Kubernetes & Docker CIS Benchmarks
     ▪ Built into the Aqua CSP
     ▪ Provides a scored report of the results
     ▪ Can be scheduled to run daily
  10. kube-hunter: How do I know the config is working to secure my cluster?
      ▪ Open source penetration tests for Kubernetes
      ▪ See what an attacker would see
      ▪ github.com/aquasecurity/kube-hunter
      ▪ Online report viewer: kube-hunter.aquasec.com
  16. kube-hunter inside a pod: What if my app gets compromised?
      (diagram labels: Kubernetes cluster; pod, with kube-hunter inside the pod; token; API server)
  17. kube-hunter inside a pod: What if my app gets compromised?
      ▪ Results depend on RBAC settings
      ▪ and the service account you use for the pod
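Slide 8 says to run kube-bench regularly so that configuration drift is caught. A scheduled run only helps if something compares the new report with the last known-good one, so here is an added example of that comparison step. It is not code from the deck or from the kube-bench project; it assumes the shape of kube-bench's `--json` report sketched in the constructed samples (a top-level `Controls` list, each with `tests`, each test with `results` carrying `test_number`, `status` and `scored`). Those field names are an assumption to check against the kube-bench version you run, and the sample reports are constructed, not real output.

```python
"""Drift detection and a pass/fail gate over two kube-bench JSON reports.

Added example, not from the original deck or the kube-bench project. The
report layout used below ("Controls" -> "tests" -> "results") is an
assumption about kube-bench's --json output; verify it for your version.
"""
import json

# Constructed sample reports (not real kube-bench output). BASELINE is the
# last known-good run; CURRENT is today's run on the same node.
BASELINE = json.dumps({
    "Controls": [{
        "id": "4", "text": "Worker Node Security Configuration", "node_type": "node",
        "tests": [{
            "section": "4.2", "desc": "Kubelet",
            "results": [
                {"test_number": "4.2.1", "test_desc": "anonymous-auth is false",
                 "status": "PASS", "scored": True},
                {"test_number": "4.2.2", "test_desc": "authorization-mode is not AlwaysAllow",
                 "status": "PASS", "scored": True},
                {"test_number": "4.2.3", "test_desc": "client-ca-file is set",
                 "status": "WARN", "scored": False},
            ],
        }],
    }],
    "Totals": {"total_pass": 2, "total_fail": 0, "total_warn": 1, "total_info": 0},
})

CURRENT = json.dumps({
    "Controls": [{
        "id": "4", "text": "Worker Node Security Configuration", "node_type": "node",
        "tests": [{
            "section": "4.2", "desc": "Kubelet",
            "results": [
                {"test_number": "4.2.1", "test_desc": "anonymous-auth is false",
                 "status": "FAIL", "scored": True},   # regressed since BASELINE
                {"test_number": "4.2.2", "test_desc": "authorization-mode is not AlwaysAllow",
                 "status": "PASS", "scored": True},
                {"test_number": "4.2.3", "test_desc": "client-ca-file is set",
                 "status": "PASS", "scored": False},  # improved
                {"test_number": "4.2.4", "test_desc": "read-only-port is 0",
                 "status": "FAIL", "scored": True},   # check not present in BASELINE
            ],
        }],
    }],
    "Totals": {"total_pass": 2, "total_fail": 2, "total_warn": 0, "total_info": 0},
})


def _order(test_number):
    # Compare "4.2.10" after "4.2.9" by numeric components, not as strings.
    return tuple(int(p) if p.isdigit() else p for p in test_number.split("."))


def flatten(report_json):
    """Map test_number -> (status, scored, description) across every control."""
    checks = {}
    for control in json.loads(report_json).get("Controls", []):
        for section in control.get("tests", []):
            for result in section.get("results", []):
                checks[result["test_number"]] = (
                    result["status"], bool(result.get("scored", False)),
                    result.get("test_desc", ""))
    return checks


def drift(baseline_json, current_json):
    """Every check whose status changed, appeared, or disappeared between runs.

    Each entry is (test_number, old_status, new_status, description); a missing
    run is reported as None so new and removed checks show up too.
    """
    old, new = flatten(baseline_json), flatten(current_json)
    changes = []
    for tid in sorted(old.keys() | new.keys(), key=_order):
        old_status = old[tid][0] if tid in old else None
        new_status = new[tid][0] if tid in new else None
        if old_status != new_status:
            desc = (new.get(tid) or old.get(tid))[2]
            changes.append((tid, old_status, new_status, desc))
    return changes


def regressions(baseline_json, current_json):
    """The subset of drift that got worse: scored checks that now read FAIL."""
    new = flatten(current_json)
    return [c for c in drift(baseline_json, current_json)
            if c[2] == "FAIL" and new[c[0]][1]]


def scored_failures(report_json):
    """Scored checks reading FAIL in one run; non-empty means the job should fail."""
    return sorted((tid for tid, (status, scored, _) in flatten(report_json).items()
                   if scored and status == "FAIL"), key=_order)


if __name__ == "__main__":
    for tid, old_s, new_s, desc in drift(BASELINE, CURRENT):
        print(f"{tid}: {old_s} -> {new_s}  ({desc})")
    # Exit non-zero so a CronJob or CI step surfaces the failing run.
    raise SystemExit(1 if scored_failures(CURRENT) else 0)
```

In practice the two reports would be read from files written by successive kube-bench runs; `drift` lists what changed, `regressions` narrows that to scored checks that now fail, and `scored_failures` is the gate for a single run. Unscored checks are deliberately left out of the gate so that WARN-only items do not block a pipeline, while still appearing in the drift listing.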
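Slides 16 and 17 make the point that what kube-hunter can reach from inside a pod depends on the service account the pod runs as and on whether its API token is mounted. The following added example is a small manifest check for exactly that question; it is not code from the deck or from the kube-hunter project. It works on plain dicts shaped like Pod and ServiceAccount manifests and encodes the Kubernetes rule that a pod-level `automountServiceAccountToken` overrides the ServiceAccount's own setting, which defaults to true; the sample manifests, pod names and the `app-sa` account are constructed for the example.

```python
"""Report which service account a pod runs as and whether its API token is
mounted, so a compromised container's starting position is known in advance.

Added example, not from the original deck or the kube-hunter project. Inputs
are dicts shaped like Pod and ServiceAccount manifests; sample values below
are constructed.
"""


def _projected_token_volume(spec):
    # An explicit projected serviceAccountToken volume mounts a token even
    # when automountServiceAccountToken is false.
    for vol in spec.get("volumes", []):
        for src in vol.get("projected", {}).get("sources", []):
            if "serviceAccountToken" in src:
                return True
    return False


def token_exposure(pod, service_accounts=None):
    """Return (service_account_name, token_mounted, findings) for one Pod manifest.

    service_accounts maps account name -> ServiceAccount manifest fields, used
    only when the pod itself does not set automountServiceAccountToken.
    """
    spec = pod.get("spec", {})
    sa = spec.get("serviceAccountName") or "default"
    mounted = spec.get("automountServiceAccountToken")
    if mounted is None:
        # Pod-level setting absent: fall back to the account's setting, then
        # to the Kubernetes default of true.
        mounted = (service_accounts or {}).get(sa, {}).get(
            "automountServiceAccountToken", True)
    mounted = bool(mounted) or _projected_token_volume(spec)
    findings = []
    if mounted:
        findings.append(f"API token for service account '{sa}' is mounted into the pod")
        if sa == "default":
            findings.append("pod uses the namespace's default service account; "
                            "use a dedicated account bound only to the RBAC it needs")
    return sa, mounted, findings


def audit(pods, service_accounts=None):
    """Map pod name -> findings, keeping only pods with something to report."""
    report = {}
    for pod in pods:
        _, _, findings = token_exposure(pod, service_accounts)
        if findings:
            report[pod["metadata"]["name"]] = findings
    return report


# Constructed manifests (not from the deck).
CONTAINERS = [{"name": "app", "image": "example/app:1.0"}]

UNHARDENED_POD = {"apiVersion": "v1", "kind": "Pod",
                  "metadata": {"name": "app", "namespace": "prod"},
                  "spec": {"containers": CONTAINERS}}

HARDENED_POD = {"apiVersion": "v1", "kind": "Pod",
                "metadata": {"name": "app-hardened", "namespace": "prod"},
                "spec": {"serviceAccountName": "app-sa",
                         "automountServiceAccountToken": False,
                         "containers": CONTAINERS}}

# Relies on the ServiceAccount object's own setting rather than the pod's.
SA_LEVEL_POD = {"apiVersion": "v1", "kind": "Pod",
                "metadata": {"name": "app-sa-level", "namespace": "prod"},
                "spec": {"serviceAccountName": "app-sa", "containers": CONTAINERS}}

SERVICE_ACCOUNTS = {"app-sa": {"automountServiceAccountToken": False}}


if __name__ == "__main__":
    for name, findings in audit([UNHARDENED_POD, HARDENED_POD, SA_LEVEL_POD],
                                SERVICE_ACCOUNTS).items():
        print(name)
        for finding in findings:
            print("  -", finding)
```

The check answers only whether a token is present and for which account; what that token can do is then decided by the RoleBindings attached to the account, which is the RBAC half of slide 17. Running the same check with and without the `SERVICE_ACCOUNTS` map shows why the pod-level field is the more robust place to turn the mount off: a pod that relies on the account's setting silently regains a token if someone later edits the ServiceAccount.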