Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Practical Guide to Kubernetes Security for Deve...

Practical Guide to Kubernetes Security for Developers 🚀

Kubernetes become the defacto for deploying and managing applications from startups to enterprises. This means most developers start writing their application code, package them into containers and deploy them into clusters to serve the customers. But if you look at typical day-to-day development and operations from local development to production deployment, we perform a ton of things that can be potentially insecure patterns. As we use modern tools, and technologies we tend to forget to secure them while building and serving our customers. In this talk, we will see how we can secure Kubernetes workflows and how we can automate these security checks and validate them to identify potential security risks before deploying our applications and code into production.

Madhu Akula will be using Kubernetes Goat, an interactive Kubernetes security learning playground in this talk to demonstrate some security concerns and fix them live 🚀

Madhu Akula

January 12, 2023
Tweet

More Decks by Madhu Akula

Other Decks in Technology

Transcript

  1. • Pragmatic Security Leader focusing on Cloud Native infrastructure, security,

    and startups • Creator of Kubernetes Goat, Hacker Container, tools.tldr.run, many other OSS projects. • Speaks & Trains at Blackhat, DEFCON, GitHub, USENIX, OWASP, All Day DevOps, SANS, DevSecCon, CNCF, c0c0n, Nullcon, SACON, null, many others around the globe. • Author of Security Automation with Ansible2, OWASP KSTG, whitepapers, etc. • Technical reviewer (multiple books) & Review board member of multiple conferences, organizations, communities, advisory, etc. • Found security vulnerabilities in 200+ organizations and products including Google, Microsoft, AT&T, Adobe, eBay, WordPress, Ntop, Cloudflare, Yahoo, LocalBitcoins, etc. • Certified Kubernetes(CKA/CKS), Offensive Security Certified Professional, etc. • Never ending learner! About Me 👋 @madhuakula
  2. • Introduction to Kubernetes & Architecture • Why developers should

    care about Kubernetes security? ◦ Threat Model, Attack Trees, MITRE, etc. ◦ Some real-world attacks, threats and examples ◦ Showcasing live hacking of attacks • What developer can do about Kubernetes security? ◦ Examples, patterns, core issues, etc. ◦ Education, Training, Knowledge and skill gaps • How developers can add value to Kubernetes security? ◦ What’s we really missing here! ◦ How we can achieve them? ◦ Tools, techniques and processes • Key takeaways and learnings! • Questions & Discussions? Today’s Agenda @madhuakula
  3. • Docker is an open source platform for building, deploying,

    and managing containerized applications • Docker became the de facto standard to build and share containerized apps - from desktop, to the cloud, even edge devices • Docker enables developers to easily pack, ship, and run any application as a lightweight, portable, self-sufficient container, which can run virtually anywhere https://docs.docker.com/get-started/overview/ What is Docker? @madhuakula
  4. Kubernetes is a portable, extensible, open-source platform for managing containerized

    workloads and services, that facilitates both declarative configuration and automation. It has a large, rapidly growing ecosystem. Kubernetes services, support, and tools are widely available. https://kubernetes.io/docs/concepts/overview/what-is-kubernetes/ What is Kubernetes? @madhuakula
  5. What is Kubernetes Goat 🐐 Kubernetes Goat is an interactive

    Kubernetes security learning playground. Intentionally vulnerable by design scenarios to showcase the common misconfigurations, real-world vulnerabilities, and security issues in Kubernetes clusters, containers, and cloud native environments. @madhuakula
  6. @madhuakula What developers can do about Kubernetes Security? • I

    think there is no single answer, approach here • Always look at the core problem and root cause and fix at that layer • Try to be self-service model by providing patterns in an actionable way • Be an helping hand for DevOps, SRE and Engineering teams rather pointing just issues ◦ Helping them to create secure and safe Helm charts, Dockerfiles, Templates, etc. ◦ Removing the blockers by being pragmatic and empathetic ◦ Eliminate the possible things early and at scale • Repeat after me: Education, Education, Education ◦ Most people don’t even understand the technology, leave about security. So educating them by teaching and practicing is the way to go 🚀
  7. @madhuakula The missing pieces in the puzzle! • Nature of

    immutable infrastructure • Matching the speed of containers, infrastructure with security • Frequency of deployments and workloads • Size of the teams, deployments from both dev, ops, engineering and security • How frequently and repetitively we fix certain issues • Education, knowledge and skill gap • Maturity of the security and the alignment with stakeholders • Many others…
  8. ✅ Security is everyone’s responsibility (Dev, Ops, Security, Management, etc.)

    ⚠ Threat model your architecture and identify risks/threats 🙌 Follow and apply secure defaults 📚Know what you have (Inventory of assets) 🧱Adopt zero trust model (Zoning, Containment & Segmentation) 🎯Apply security at each layer (Defense in depth strategy) 🚨Follow least privilege principle 👮AuthN & AuthZ 🔐Encryption at REST & TRANSIT 🛡Proactive monitoring & Active defense 🔁Continuously analyse and apply feedback loops 👉 Crawl 🐢, Walk 🚶, Run 🏃, Fly ✈ Key Takeaways! @madhuakula
  9. Dank je wel 🙏 Want to learn more, have some

    feedback, or just wanted to say 👋 @madhuakula https://madhuakula.com