Grafeas
https://grafeas.io
• …management
• structured metadata API for annotating artefacts + enforcement (Kritis)
• backed by Google, JFrog, Red Hat, IBM, Black Duck, Twistlock, Aqua Security
Source: Introducing Grafeas: An open-source API to audit and govern your software supply chain
Further reading
• Provenance and Security in Kubernetes
• Image Management & Mutability in Docker and Kubernetes
• Container security considerations in a Kubernetes deployment
• Building Container Images Securely on Kubernetes
• The OpenShift Build Process
• Introducing Grafeas: An open-source API to audit and govern your software supply chain
Pod security context and policies
https://kubernetes.io/docs/concepts/policy/pod-security-policy/
• pod or container level
• defines privilege and access control settings
• seccomp, capabilities, SELinux, AppArmor
• security policies
  • cluster resource
  • via admission controller
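An added example (not from the slides) of the pod- and container-level settings the slide lists: a Pod whose securityContext enforces a non-root user, a runtime-default seccomp profile, an AppArmor profile (via the beta annotation), a read-only root filesystem and an empty capability set. The pod name, namespace "demo" and image are placeholders.

```yaml
# Added example, not from the slide deck. Names and image are placeholders.
apiVersion: v1
kind: Pod
metadata:
  name: hardened-web
  namespace: demo
  annotations:
    # AppArmor is applied per container through this annotation (beta API).
    container.apparmor.security.beta.kubernetes.io/web: runtime/default
spec:
  # Pod-level securityContext applies to every container in the pod.
  securityContext:
    runAsNonRoot: true          # kubelet refuses to start a container that would run as UID 0
    runAsUser: 10001
    runAsGroup: 10001
    fsGroup: 10001              # group ownership for mounted volumes
    seccompProfile:
      type: RuntimeDefault      # container runtime's default syscall filter
  containers:
    - name: web
      image: example.org/web:1.0   # placeholder image
      ports:
        - containerPort: 8080      # unprivileged port, so NET_BIND_SERVICE is not needed
      # Container-level securityContext overrides pod-level settings for this container only.
      securityContext:
        allowPrivilegeEscalation: false   # sets no_new_privs; setuid binaries gain nothing
        readOnlyRootFilesystem: true
        capabilities:
          drop: ["ALL"]                   # start from an empty capability set
      volumeMounts:
        - name: tmp
          mountPath: /tmp                 # writable scratch space, since / is read-only
  volumes:
    - name: tmp
      emptyDir: {}
```

The securityContext only governs the pod it is written in; the cluster-wide enforcement the slide refers to (PodSecurityPolicy, evaluated by an admission controller) is what stops someone from simply omitting these fields. PodSecurityPolicy was removed in Kubernetes 1.25 and replaced by Pod Security Admission, which enforces the same kind of baseline per namespace.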
Further reading
• …no to root (in containers)
• Exploring Container Mechanisms Through the Story of a Syscall (slides | video)
• Improving your Kubernetes Workload Security
• Container Isolation at Scale (Introducing gVisor) (slides | video)
Identity
• managed outside of Kubernetes
  • LDAP, SAML, Kerberos, etc.
• apps
  • running in containers in pods
  • first class resources via service accounts
[diagram: user with $ kubectl, app, app]
Service accounts
system:serviceaccount:$NAMESPACE:$NAME
• …for an app
• namespaced resources
• credentials via secret mounted into pod
• default service account per namespace
RBAC
https://kubernetes.io/docs/reference/access-authn-authz/rbac/
• …of 1.8
• entities: service accounts, user, group
• scope: namespace or cluster
• roles and bindings
• privilege escalation prevention
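An added example (not from the slides) tying the service-account and RBAC slides together: a dedicated ServiceAccount for an app, a namespaced Role that grants read access to one named ConfigMap, a RoleBinding that attaches the role to the service account, and a Pod that runs as that account. Namespace "demo", the account, role, object and image names are placeholders.

```yaml
# Added example, not from the slide deck. All names are placeholders.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: inventory
  namespace: demo
---
# A Role is a namespaced resource: these rules apply only inside "demo".
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: configmap-reader
  namespace: demo
rules:
  - apiGroups: [""]                       # "" is the core API group
    resources: ["configmaps"]
    resourceNames: ["inventory-config"]   # restrict the grant to a single object
    verbs: ["get"]
---
# The binding's subject is the service account; when it calls the API it is
# authenticated as the user system:serviceaccount:demo:inventory.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: inventory-reads-config
  namespace: demo
subjects:
  - kind: ServiceAccount
    name: inventory
    namespace: demo
roleRef:
  kind: Role
  name: configmap-reader
  apiGroup: rbac.authorization.k8s.io
---
# The pod opts into that identity instead of the namespace's default account.
# Its token is mounted into the pod as a projected volume, which is what
# "credentials via secret mounted into pod" refers to.
apiVersion: v1
kind: Pod
metadata:
  name: inventory
  namespace: demo
spec:
  serviceAccountName: inventory
  containers:
    - name: app
      image: example.org/inventory:1.0   # placeholder image
```

To check what the account can actually do, impersonate it: `kubectl auth can-i get configmaps/inventory-config -n demo --as=system:serviceaccount:demo:inventory` should answer yes, while `kubectl auth can-i list secrets -n demo --as=system:serviceaccount:demo:inventory` should answer no. The escalation prevention on the slide is what makes this safe to delegate: the RBAC authorizer only lets a caller create a Role or RoleBinding whose permissions the caller already holds, so a user with this limited role cannot bind cluster-admin to their own service account.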
Further reading
• …to the Kubernetes API
• Kubernetes deep dive: API Server – part 1
• Certifik8s: All You Need to Know About Certificates in Kubernetes
• Kubernetes Auth and Access Control
• Effective RBAC
• Single Sign-On for Kubernetes: An Introduction
• Let's Encrypt, OAuth 2, and Kubernetes Ingress
Network policies
https://kubernetes.io/docs/concepts/services-networking/network-policies/
• …communication
• enforced by network plugin
Source: Securing Kubernetes Cluster Networking by Ahmet Alp Balkan
Segregation
• …and access
• node-level:
  • separate sensitive workloads via affinity and taints
  • minimize blast radius (node authorizer)
• pod-level: limit communication via network policies or service mesh
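An added example (not from the slides) of the node-level separation on this slide: nodes in a dedicated pool carry a taint and a label, and the sensitive pod carries both a matching toleration and a required node affinity. The taint/label key workload=sensitive, the pod name, namespace and image are placeholders.

```yaml
# Added example, not from the slide deck. Key, names and image are placeholders.
# The node side is applied out of band, e.g.:
#   kubectl taint nodes <node> workload=sensitive:NoSchedule
#   kubectl label nodes <node> workload=sensitive
apiVersion: v1
kind: Pod
metadata:
  name: payments
  namespace: demo
spec:
  # The toleration lets this pod be scheduled onto the tainted nodes;
  # ordinary pods without it are repelled from that pool.
  tolerations:
    - key: workload
      operator: Equal
      value: sensitive
      effect: NoSchedule
  # The affinity makes the pod land only there. A toleration alone would
  # still allow the scheduler to place it on any untainted node.
  affinity:
    nodeAffinity:
      requiredDuringSchedulingIgnoredDuringExecution:
        nodeSelectorTerms:
          - matchExpressions:
              - key: workload
                operator: In
                values: ["sensitive"]
  containers:
    - name: app
      image: example.org/payments:1.0   # placeholder image
```

The "blast radius" item is the other half of this: with the Node authorizer enabled on the API server (`--authorization-mode=Node,RBAC`, together with the NodeRestriction admission plugin) each kubelet may only read the Secrets, ConfigMaps and PersistentVolumeClaims of pods bound to its own node. Keeping sensitive pods on their own nodes therefore also limits what a compromised kubelet elsewhere can fetch.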
Secrets
https://kubernetes.io/docs/concepts/configuration/secret/
• …to store sensitive information
• Access via volume or environment variable
• Data is stored in tmpfs volumes
• Per-secret size limit of 1MB
• Only base64 encoded, need to enable encryption at rest
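An added example (not from the slides) covering both points on this slide: a Secret consumed through a read-only volume, and the kube-apiserver EncryptionConfiguration that turns the base64-only storage in etcd into AES-CBC encrypted storage. Namespace "demo", the secret and pod names, the sample password and the key are placeholders.

```yaml
# Added example, not from the slide deck. Names, value and key are placeholders.
apiVersion: v1
kind: Secret
metadata:
  name: db-credentials
  namespace: demo
type: Opaque
stringData:                     # plain text here; the API server stores it base64-encoded under "data"
  password: "example-not-a-real-password"
---
apiVersion: v1
kind: Pod
metadata:
  name: db-client
  namespace: demo
spec:
  containers:
    - name: app
      image: example.org/db-client:1.0    # placeholder image
      volumeMounts:
        - name: creds
          mountPath: /var/run/secrets/db  # one file per key, backed by tmpfs on the node
          readOnly: true
  volumes:
    - name: creds
      secret:
        secretName: db-credentials
        defaultMode: 0400               # readable only by the owning user inside the container
---
# Passed to kube-apiserver via --encryption-provider-config=<path-to-this-file>.
# The first provider is used for writes; the remaining ones are tried in order
# for reads, so keeping "identity" last lets Secrets written before encryption
# was enabled still be read until they are rewritten.
apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
  - resources: ["secrets"]
    providers:
      - aescbc:
          keys:
            - name: key1
              secret: REPLACE_WITH_BASE64_32_BYTE_KEY   # placeholder; generate with: head -c 32 /dev/urandom | base64
      - identity: {}
```

Enabling the configuration does not touch existing objects; they stay unencrypted in etcd until rewritten, which the Kubernetes documentation does with `kubectl get secrets --all-namespaces -o json | kubectl replace -f -`. The volume mount is preferred over an environment variable because the file is tmpfs-backed and is updated when the Secret changes, whereas an env var is copied once at container start and tends to leak into crash dumps and child processes.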
Further reading
• Configure a Security Context for a Pod or Container
• Pod Security Policies
• Shipping in Pirate-Infested Waters: Practical Attack and Defense in Kubernetes
• Exploring container security: Isolation at different layers of the Kubernetes stack
• Security Best Practices for Kubernetes Deployment
Further reading
• Securing a Cluster
• Encrypting Secret Data at Rest
• Auditing
• Securing Kubernetes components: kubelet, etcd and Docker registry
• K8s security best practices
• Kubernetes Security - Best Practice Guide
• Lessons from the Cryptojacking Attack at Tesla
Articles
• …Publication 800-190: Application Container Security Guide https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-190.pdf
• Hacking and Hardening Kubernetes Clusters by Example, Brad Geesaman, KubeCon 2017 https://www.youtube.com/watch?v=vTgQLzeBfRU
• Kubernetes Security Best Practices, Ian Lewis, FOSDEM 2018 https://www.youtube.com/watch?v=pzAwTC8KYV8
• Continuous Kubernetes Security, Andrew Martin, microXchg 2018 https://www.youtube.com/watch?v=YtrA7eauSSg
• What Does “Production Ready” Really Mean for a Kubernetes Cluster? https://weave.works/blog/what-does-production-ready-really-mean-for-a-kubernetes-cluster