Kubernetes-Security: 3 Dinge, die jeder Entwickler wissen sollte - IT-Tage 2019

Transcript

1. / 1

2. / @haveibeenpwned https://haveibeenpwned.com/PwnedWebsites 2

3. / 3

4. / 4 . 1

5. / Plenty of security options Plenty of security options 4

   . 2

6. / securityContext runAsNonRoot runAsUser privileged procMount allowPrivilegeEscalation readOnlyRootFilesystem PodSecurityPolicy RBAC

   NetworkPolicy seccomp Linux Capabilities AppArmor SELinux Falco Open Policy Agent gVisor Kata Containers Nabla Containers Service Mesh KubeSec KubeBench 5

7. / 3 Things Every Developer 3 Things Every Developer Should

   Know About K8s Should Know About K8s Security Security 6

8. / 0. Role Base Access 0. Role Base Access Control

   Control (RBAC) (RBAC) 7 . 1

9. / https://memegenerator.net/instance/83566913/homer-simpson-boring 7 . 2

10. / • RBAC active by default since K8s 1.6 •

    ... but not if you migrated! 7 . 3

11. / • Try • If not needed, disable access to

    K8s API curl --cacert /var/run/secrets/kubernetes.io/serviceaccount/ca.crt \ -H "Authorization: Bearer $(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" \ https://${KUBERNETES_SERVICE_HOST}/api/v1/secrets automountServiceAccountToken: false 7 . 4

12. / Demo Demo Cluster legacy authz Namespace 'default' Cluster RBAC

    Namespace 'default' Web Console Web Console HTTPS • • legacy-authz RBAC 7 . 5

13. / 1. Network Policies 1. Network Policies (netpol) (netpol) 8

    . 1

14. / A "firewall" for communication between pods. • Applied to

    pods • within namespace • via labels • Ingress / egress • to/from pods (in namespaces) or CIDRs (egress only) • for specific ports (optional) • Enforced by the CNI Plugin (e.g. Calico) • No Network Policies: All traffic allowed 8 . 2

15. / Helpful to get started Helpful to get started •

    • Securing Cluster Networking with Network Policies - Ahmet Balkan • Interactively describes what a netpol does: https://github.com/ahmetb/kubernetes-network-policy-recipes https://www.youtube.com/watch?v=3gGpMmYeEO8 kubectl describe netpol <name> 8 . 3

16. / Recommendation: Whitelist ingress Recommendation: Whitelist ingress traffic traffic In

    every namespace except kube-system: • Deny ingress between pods, • then whitelist all allowed routes. 8 . 4

17. / Advanced: ingress to Advanced: ingress to kube-system kube-system Might

    stop the apps in your cluster from working Don't forget to: • Allow external access to ingress controller • Allow access to kube-dns/core-dns to every namespace 8 . 5

18. / Advanced: egress Advanced: egress • Verbose solution: • Deny

    egress between pods, • then whitelist all allowed routes, • repeating all ingress rules. • More pragmatic solution: • Allow only egress within the cluster, • then whitelist pods that need access to internet. 8 . 6

19. / Net pol pitfalls Net pol pitfalls • Whitelisting monitoring

    tools (e.g. Prometheus) • Restart might be necessary (e.g. Prometheus) • No labels on namespaces by default • egress more recent than ingress rules and less sophisticated • Policies might not be supported by CNI Plugin. Testing! https://www.inovex.de/blog/test-kubernetes-network-policies/ 8 . 7

20. / More Features? More Features? • Proprietary extensions of CNI

    Plugin (e.g. cilium or calico) • Service Meshes: similar features, also work with multiple clusters ➜ different strengths, support each other https://istio.io/blog/2017/0.1-using-network-policy/ 8 . 8

21. / Demo Demo Cluster Network Policies Namespace 'kube-system' Namespace 'default'

    Namespace 'production' Traefik Web Console nosqlclient mongodb HTTP web-console:80 nosqlclient:3000 mongodb:/mongodb:27017 • • nosqlclient web-console 8 . 9

22. / Wrap-Up: Network Policies Wrap-Up: Network Policies My recommendations: •

    Ingress whitelisting in non-kube-system namespaces • Use with care • whitelisting in kube-system • egress whitelisting for cluster-external traffic 8 . 10

23. / 2. Security Context 2. Security Context 9 . 1

24. / Defines security parameter per pod/container ➜ container runtime Secure

    Pods - Tim Allclair https://www.youtube.com/watch?v=GLwmJh-j3rs 9 . 2

25. / Recommendations per Container Recommendations per Container apiVersion: v1 kind:

    Pod metadata: annotations: seccomp.security.alpha.kubernetes.io/pod: runtime/default spec: containers: - name: restricted securityContext: runAsNonRoot: true runAsUser: 100000 runAsGroup: 100000 readOnlyRootFilesystem: true allowPrivilegeEscalation: false capabilities: drop: - ALL enableServiceLinks: false 9 . 3

26. / Recommendation per Container in Detail Recommendation per Container in

    Detail 9 . 4

27. / Enable seccomp Enable seccomp • Enables e.g. docker's seccomp

    default profile that block 44/~300 Syscalls • Has mitigated Kernel vulns in past and might in future • See also k8s security audit: https://docs.docker.com/engine/security/non-events/ https://www.cncf.io/blog/2019/08/06/open-sourcing-the- kubernetes-security-audit/ 9 . 5

28. / Run as unprivileged user Run as unprivileged user •

    runAsNonRoot: true Container is not started when the user is root • runAsUser and runAsGroup > 10000 • Reduces risk to run as user existing on host • In case of container escape UID/GID does not have privileges on host • Mitigates vuln in runc (used by Docker among others) https://kubernetes.io/blog/2019/02/11/runc-and-cve-2019-5736/ 9 . 6

29. / No Privilege escalation No Privilege escalation • Container can't

    increase privileges • E.g. sudo, setuid, Kernel vulnerabilities 9 . 7

30. / Read-only root file system Read-only root file system •

    Starts container without read-write layer • Writing only allowed in volumes • Config or code within the container cannot be manipulated • Perk: More efficient (no CoW) 9 . 8

31. / Drop Capabilities Drop Capabilities • Drops even the default

    caps: • Mitigates CapNetRaw attack - DNS Spoofing on Kubernetes Clusters https://github.com/moby/moby/blob/3152f94/oci/caps/defaults.go https://blog.aquasec.com/dns-spoofing-kubernetes-clusters 9 . 9

32. / Bonus: No Services in Environment Bonus: No Services in

    Environment • By default: Each K8s service written to each container's env vars ➜ Docker Link legacy, no longer needed • But convenient info for attacker where to go next 9 . 10

33. / Security context pitfalls Security context pitfalls 9 . 11

34. / Read-only root file system Read-only root file system Application

    might need temp folder to write to • Run image locally using docker, access app Run automated e2e/integration tests • Review container's read-write layer via • Mount folders as emptyDir volumes in pod docker diff <containerName> 9 . 12

35. / Drop Capabilities Drop Capabilities Some images require capabilities •

    Find out needed Caps locally: • Add necessary caps to k8s resource • Alternative: Find image with same app that does not require caps, e.g. nginxinc/nginx-unprivileged docker run --rm --cap-drop ALL <image> # Check error docker run --rm --cap-drop ALL --cap-add CAP_CHOWN <image> # Keep adding caps until no more error 9 . 13

36. / Run as unprivileged user Run as unprivileged user •

    Non-root verification only supports numeric user. • runAsUser: 100000 in securityContext of pod or • USER 100000 in Dockerfile of image. • Some official images run as root by default. • Find a trusted image that does not run as root e.g. for mongo or postgres: • Derive from the original image and create your own non-root image e.g. nginx: https://hub.docker.com/r/bitnami/ https://github.com/schnatterer/nginx-unpriv 9 . 14

37. / • UID 100000 might not have permissions. Solutions: •

    Init Container sets permissions for PVCs • Permissions in image ➜ chmod/chown in Dockerfile • Application requires user for UID in /etc/passwd • New image that contains a user for UID e.g. 100000 or • Create /etc/passwd in init container and mount into app container • runAsGroup - beta from K8s 1.14. Before that defaults to GID 0 https://github.com/kubernetes/enhancements/issues/213 9 . 15

38. / Tools Tools Find out if your cluster adheres to

    these and other good security practices: • - managable amount of checks • • a whole lot of checks, • even deny all ingress and egress NetPols and AppArmor Annotations ➜ Be prepared for a lot of findings ➜ Create your own good practices controlplaneio/kubesec Shopify/kubeaudit 9 . 16

39. / Demo Demo Security Context & PSP Namespace 'wild-west' nginx

    nginxinc/nginx-unprivileged docker-sudo 9 . 17

40. / Wrap-Up: Security Context Wrap-Up: Security Context My recommendations: •

    Start with least privilege • Only differ if there's absolutely no other way 9 . 18

41. / 3. Pod Security Policies 3. Pod Security Policies (PSP)

    (PSP) 10 . 1

42. / • enforce security context cluster-wide • additional options for

    blocking pods trying to • enter node's Linux namespaces (net, PID, etc.) • mounting docker socket, • binding ports to nodes, • starting privileged containers • etc. • more effort than security context and different syntax ➜ Still highly recommended! 10 . 2

43. / Recommendation Recommendation https://github.com/cloudogu/k8s-security-demos/blob/master/4-pod- security-policies/demo/01-psp-restrictive.yaml 10 . 3

44. / Too much ground to cover for 45 min! Too

    much ground to cover for 45 min! See Demo Repo on last slide 10 . 4

45. / Summary Summary • Enable RBAC • Don't allow arbitrary

    connections between pods, e.g. via NetPols • Start with least privilege for your containers • using either securityContext or • PodSecurityPolicy 11 . 1

46. / What for? What for? • Increase security • Reduce

    risk of data breach • Don't end up on @haveibeenpwned 11 . 2

47. / Johannes Schnatterer Johannes Schnatterer Cloudogu GmbH K8s Security series

    on JavaSPEKTRUM starting 05/2019 See also Demo Source: https://cloudogu.com/schulungen https://cloudogu.com/blog @jschnatterer @cloudogu https://github.com/cloudogu/k8s-security-demos 11 . 3