Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Kubernetes Security: from Image Hygiene to Netw...

Kubernetes Security: from Image Hygiene to Network Policies

Michael Hausenblas

May 29, 2018
Tweet

More Decks by Michael Hausenblas

Other Decks in Technology

Transcript

  1. Kubernetes Security
 From Image Hygiene to Network Policies Michael Hausenblas

    @mhausenblas
 Developer Advocate, Red Hat
 2018-05-29, DevOpsCon, Berlin
  2. Hit me up on Twitter: @mhausenblas 2 • Developer Advocate

    @ Red Hat (Go, Kubernetes, OpenShift) • Developer Advocate @ Mesosphere (Mesos, DC/OS, Kubernetes) • Chief Data Engineer @ MapR (HDFS, HBase, Drill, etc.) • Applied research (4y in Ireland, 7y in Austria) • Nowadays mainly developing tools in Go (Python, Node, Java, C++) • Kinda developer turned ops (aka appops) $ whois mhausenblas
  3. Hit me up on Twitter: @mhausenblas 5 container images running

    container authn & authz communication apps control plane
  4. Hit me up on Twitter: @mhausenblas 7 • build-time vs

    run-time • immutability & automation • responsibilities • moving parts
 Terminology
  5. Hit me up on Twitter: @mhausenblas 8 • infrastructure admin

    • namespace admin • developer Responsibilities
  6. Hit me up on Twitter: @mhausenblas 12 Build container images

    that … • have a small attack surface • are checked for vulnerabilities • are reproducible What?
  7. Hit me up on Twitter: @mhausenblas 13 • use trusted

    base images • define user in image • perform automated CVE scans • use private registries • pin dependencies
 (reproducible builds) Good practices
  8. Hit me up on Twitter: @mhausenblas 14 • supply chain

    management • structured metadata API for annotating artefacts + enforcement (Kritis) • backed by Google, JFrog, Red Hat, IBM, Black Duck, Twistlock, Aqua Security Grafeas https://grafeas.io Source: Introducing Grafeas: An open-source API to audit and govern your software supply chain
  9. Hit me up on Twitter: @mhausenblas 15 • https://docs.docker.com/docker-cloud/builds/image-scan/ •

    https://github.com/coreos/clair • https://www.open-scap.org/tools/ • https://www.aquasec.com/use-cases/continuous-image-assurance/ • https://neuvector.com/container-compliance-auditing-solutions/ • https://github.com/theupdateframework/notary • https://github.com/in-toto Tooling
  10. Hit me up on Twitter: @mhausenblas 16 • Establishing Image

    Provenance and Security in Kubernetes • Image Management & Mutability in Docker and Kubernetes • Container security considerations in a Kubernetes deployment • Building Container Images Securely on Kubernetes • The OpenShift Build Process • Introducing Grafeas: An open-source API to audit and govern your software supply chain Further reading
  11. Hit me up on Twitter: @mhausenblas 18 • Run containers

    … • with known origin (image & registry) • use least privilege to carry out the task • do only minimal host mounts necessary What?
  12. Hit me up on Twitter: @mhausenblas 19 • verify the

    defaults • don’t run as root • use security context & policies • use security benchmarks Good practices http://containerz.info
  13. Hit me up on Twitter: @mhausenblas 20 • security context

    • pod or container level • defines privilege and access control settings • seccomp, capabilities, SELinux, AppArmor • security policies • cluster resource • via admission controller Pod security context and policies https://kubernetes.io/docs/concepts/policy/pod-security-policy/
  14. Hit me up on Twitter: @mhausenblas 22 • https://github.com/aquasecurity/kube-bench •

    https://github.com/docker/docker-bench-security • https://sysdig.com/opensource/falco/ • https://kubesec.io/ • https://www.twistlock.com/ Tooling
  15. Hit me up on Twitter: @mhausenblas 23 • Just say

    no to root (in containers) • Exploring Container Mechanisms Through the Story of a Syscall (slides | video) • Improving your Kubernetes Workload Security • Container Isolation at Scale (Introducing gVisor) (slides | video) Further reading
  16. Hit me up on Twitter: @mhausenblas 25 • human users

    • managed outside of Kubernetes • LDAP, SAML, Kerberos, etc. • apps • running in containers in pods • first class resources via service accounts Identity $ kubectl app app
  17. Hit me up on Twitter: @mhausenblas 26 • provide identity

    for an app • namespaced resources • credentials via secret mounted into pod • default service account per namespace Service accounts system:serviceaccount:$NAMESPACE:$NAME
  18. Hit me up on Twitter: @mhausenblas 28 • static password/token

    file • X509 client certs • proxy+header • OpenID Connect • custom via Webhook Authentication https://kubernetes.io/docs/admin/authentication/ API server client authn plugins identity provider • username • ID • group
  19. Hit me up on Twitter: @mhausenblas 29 • Node (kubelet)

    • ABAC (outdated) • RBAC • Webhook (external) Authorization https://kubernetes.io/docs/admin/authorization/ authentication • username • ID • group client • path • resource • verb • namespace • … authorization 1 2 3 authz modules 403 admission controllers 401 4
  20. Hit me up on Twitter: @mhausenblas 30 • stable as

    of 1.8 • entities: service accounts, user, group • scope: namespace or cluster • roles and bindings • privilege escalation prevention RBAC https://kubernetes.io/docs/reference/access-authn-authz/rbac/
  21. Hit me up on Twitter: @mhausenblas 33 • kubectl create,

    kubectl auth • https://github.com/coreos/dex • https://github.com/heptio/authenticator • https://github.com/liggitt/audit2rbac Tooling
  22. Hit me up on Twitter: @mhausenblas 34 • Controlling Access

    to the Kubernetes API • Kubernetes deep dive: API Server – part 1 • Certifik8s: All You Need to Know About Certificates in Kubernetes • Kubernetes Auth and Access Control • Effective RBAC • Single Sign-On for Kubernetes: An Introduction • Let's Encrypt, OAuth 2, and Kubernetes Ingress Further reading
  23. Hit me up on Twitter: @mhausenblas 36 • encryption on

    the wire (TLS everywhere) • network policies • service meshes What?
  24. Hit me up on Twitter: @mhausenblas 37 • defines pod-to-pod

    communication • enforced by network plugin Network policies https://kubernetes.io/docs/concepts/services-networking/network-policies/ Source: Securing Kubernetes Cluster Networking by Ahmet Alp Balkan
  25. Hit me up on Twitter: @mhausenblas 38 Service meshes istio.io

    • traffic management • policy enforcement • monitoring & tracing • no app code changes
  26. Hit me up on Twitter: @mhausenblas 39 • https://github.com/aporeto-inc/trireme-kubernetes •

    https://github.com/jetstack/cert-manager/ • https://spiffe.io/ • https://www.openpolicyagent.org/ • https://linkerd.io/ • https://conduit.io/ Tooling
  27. Hit me up on Twitter: @mhausenblas 40 • How Kubernetes

    certificate authorities work • Securing Kubernetes Cluster Networking • Tutorials and Recipes for Kubernetes Network Policies feature • Kubernetes Security Context and Kubernetes Network Policy • Kubernetes Application Operator Basics Further reading
  28. Hit me up on Twitter: @mhausenblas 42 • security boundaries

    • segregation • secrets What? Based on: Exploring container security: Isolation at different layers of the Kubernetes stack
  29. Hit me up on Twitter: @mhausenblas 43 • namespace-level: visibility

    and access • node-level: • separate sensitive workloads via affinity and taints • minimize blast radius (node authorizer) • pod-level: limit communication via network policies or service mesh Segregation
  30. Hit me up on Twitter: @mhausenblas 44 • Namespaced objects

    to store sensitive information • Access via volume or environment variable • Data is stored in tmpfs volumes • Per-secret size limit of 1MB • Only base64 encoded, need to enable encryption at rest Secrets https://kubernetes.io/docs/concepts/configuration/secret/
  31. Hit me up on Twitter: @mhausenblas 45 • https://github.com/kelseyhightower/konfd •

    https://github.com/hashicorp/vault-plugin-auth-kubernetes • https://github.com/bitnami-labs/sealed-secrets • https://github.com/shyiko/kubesec • https://github.com/weaveworks/flux Tooling
  32. Hit me up on Twitter: @mhausenblas 46 • Docs: •

    Configure a Security Context for a Pod or Container • Pod Security Policies • Shipping in Pirate-Infested Waters: Practical Attack and Defense in Kubernetes • Exploring container security: Isolation at different layers of the Kubernetes stack • Security Best Practices for Kubernetes Deployment Further reading
  33. Hit me up on Twitter: @mhausenblas 48 • secure API

    server, etcd, dashboard • secure kubelet • limit access to cloud provider metadata • limit access to metrics • perform auditing Good practices
  34. Hit me up on Twitter: @mhausenblas 49 • https://github.com/bgeesaman/kubeatf •

    https://github.com/Shopify/kubeaudit • https://k8guard.github.io/ • https://www.vaultproject.io/ Tooling
  35. Hit me up on Twitter: @mhausenblas 50 • Docs: •

    Securing a Cluster • Encrypting Secret Data at Rest • Auditing • Securing Kubernetes components: kubelet, etcd and Docker registry • K8s security best practices • Kubernetes Security - Best Practice Guide • Lessons from the Cryptojacking Attack at Tesla Further reading
  36. Hit me up on Twitter: @mhausenblas 52 Demos and references

    https://github.com/mhausenblas/k8s-sec
  37. Hit me up on Twitter: @mhausenblas 53 • NIST Special

    Publication 800-190: Application Container Security Guide
 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-190.pdf • Hacking and Hardening Kubernetes Clusters by Example, Brad Geesaman, KubeCon 2017
 https://www.youtube.com/watch?v=vTgQLzeBfRU • Kubernetes Security Best Practices, Ian Lewis, FOSDEM 2018
 https://www.youtube.com/watch?v=pzAwTC8KYV8 • Continuous Kubernetes Security, Andrew Martin, microXchg 2018
 https://www.youtube.com/watch?v=YtrA7eauSSg • What Does “Production Ready” Really Mean for a Kubernetes Cluster?
 https://weave.works/blog/what-does-production-ready-really-mean-for-a-kubernetes-cluster Articles