Running security service in gcloud

•Download as PPTX, PDF•

3 likes•3,428 views

How Aqua runs its own security service in gcloud using Kubernetes. Was presented at Seattle Kubernetes meetup (http://www.meetup.com/Seattle-Kubernetes-Meetup/events/231348751/)

Software

2
WHO AM I
 Head of Security Research at Aqua Security, a leader
in container security
 20 years of building security products, development
and research
 Held senior security research positions at Microsoft,
Aorato
and Imperva.
 Presented at security conferences, among them,
BlackHat Europe, RSA Europe and Virus Bulleting.

3
PEEKR
 Scans for known vulnerabilities (CVEs)
 Profiles container activities on host and network
 Automatically runs the image and checks it against malicious
behaviors
 Highlights suspicious container behavior
 Free (no credit card needed for registration)
 https://peekr.aquasec.com

5
YOU WERE SAYING...
 Automatically runs the image and checks it against
malicious behaviors
 Meaning we are running arbitrary, unknown containers
on our infrastructure
 Every time we consulted people and organizations, we
got same response...

6
YOU ARE CRAZY
INSANE, NUTS, KOOKY,
WACKY...

7
ARCHITECTURAL REQUIREMENTS
 Scalable web front end
 Scalable Scanner workers
 Asynchronous processing
 Security

8
SECURITY CONCERNS
 Web front end
 Malicious containers
 Exploding containers
 Lateral movement
 Attacking from our infrastructure

9
MALICIOUS CONTAINERS
 Local behavior
 Fork Bomb
 Fallocate
 Resource consumption
 Network
 East-West
 North-East

10
IMPLEMENTATION
 Kubernetes
 Security
 Kubernetes
 Aqua

11
PEEKR ARCHITECTURE OVERVIEW
Front end cluster
Front
end
Service
Web
Queue
CVEs
Back end cluster
Scanner

12
OVERALL SECURITY
 Log everything
 Use Kubectl to access containers, to limit ssh access
 Apply resource quota and limits with Kubernetes
namespaces
 Network segregation through Kubernetes clusters

13
PROTECTING AGAINST MALICIOUS
CONTAINERS
 Local
 Run unprivileged
 Run with user namespace
 Containers data (volumes) on separate partition
 Aqua
 Network
 Deny network access
 No internet access to backend cluster
 Communication between clusters is limited to absolute
minimum

14
FORK BOMB
 :(){ :|:& };:
 Exhausts PIDs
 System freezes

15
FORK BOMB PROTECTION
 nproc
 ulimit –u 100
 Limit per user per session
 Can be done either for docker daemon or per container
 Doesn’t enforce for root
 PID cgroup
 Future, kernel 4.3

THANK YOU
Michael Cherny
cherny@aquasec.com
@chernymi

Viewers also liked

Open Source Tools for Container Security and Compliance @Docker LA Meetup 2/13

Zach Hill

Veer's Container Security

Jim Barlow

Monetising Your Skill

'Detola Amure

ContainerDays NYC 2016: "The Secure Introduction Problem: Getting Secrets Int...

DynamicInfraDays

Get hands-on with security features and best practices to protect your containerized services. Learn to push and verify signed images with Docker Content Trust, and collaborate with delegation roles. Intermediate to advanced level Docker experience recommended, participants will be building and pushing with Docker during the workshop. Led By Docker Security Experts: Riyaz Faizullabhoy David Lawrence Viktor Stanchev Experience Level: Intermediate to advanced level Docker experience recommended

Docker Security workshop slides

Docker, Inc.

AWS Security Architecture - Overview

Sai Kesavamatham

AWS Security Best Practices and Design Patterns

Amazon Web Services

Security best practices for kubernetes deployment

Michael Cherny

Monitoring, Logging and Tracing on Kubernetes

Martin Etmajer

How to securely deploy your containers, by the author of rkhunter and auditing tool Lynis. Many introductory talks about Docker and its container technology, have been given. This attention to the subject is not surprising, seeing the amount of people "doing DevOps" now. With container technology being fairly new on the Linux platform, the security aspects of containers are often being overlooked. While Linux containers do still not fully contain from a security point of view, we can definitely improve the security level of them. In this talk, we have a look at the underlying Linux security measures, followed by the features Docker itself has to offer. The goal is to get an understanding how we can deploy containers in a secure way. After all, Docker is no longer just a toy, and our precious data is involved.

Docker Security - Secure Container Deployment on Linux

Michael Boelen

London HUG 19/5 - Kubernetes and vault

London HashiCorp User Group

Video: https://youtu.be/C_u4_l84ED8 Karl Isenberg reviews the history of distributed computing, clarifies terminology for layers in the container stack, and does a head to head comparison of several tools in the space, including Kubernetes, Marathon, and Docker Swarm. Learn which features and qualities are critical for container orchestration and how you can apply this knowledge when evaluating platforms.

Container Orchestration Wars

Karl Isenberg

Docker Security Overview

Sreenivas Makam

Viewers also liked (13)

Open Source Tools for Container Security and Compliance @Docker LA Meetup 2/13

Veer's Container Security

Monetising Your Skill

ContainerDays NYC 2016: "The Secure Introduction Problem: Getting Secrets Int...

Docker Security workshop slides

AWS Security Architecture - Overview

AWS Security Best Practices and Design Patterns

Security best practices for kubernetes deployment

Monitoring, Logging and Tracing on Kubernetes

Docker Security - Secure Container Deployment on Linux

London HUG 19/5 - Kubernetes and vault

Container Orchestration Wars

Docker Security Overview

Recently uploaded

Direct Style Effect Systems -The Print[A] Example- A Comprehension Aid

Philip Schwarz

Technology has taken up space all over the world. From generating content with a single command on ChatGPT to getting your food served by Robots at your favorite restaurant, artificial advancements have ruled every space. Every industry is set to develop top-notch technology in every sector; finance, IT, healthcare, gaming, and banking, with competitive market standards. One of these rapidly growing industries is Mobile App Development. According to the Straits Research report, it is expected to reach USD 583.03 billion at a CAGR OF 12.8% between (2022 and 2030). It clearly shows how mobile app development has become an integral part of the digital landscape and revolutionized technology.

The Top App Development Trends Shaping the Industry in 2024-25 .pdf

ayushiqss

%in Hazyview+277-882-255-28 abortion pills for sale in Hazyview

masabamasaba

8257 interfacing 2 in microprocessor for btech students

HimanshiGarg82

Announcing Codolex 2.0 from GDK Software

Jim McKeeth

%in Midrand+277-882-255-28 abortion pills for sale in midrand

masabamasaba

VTU technical seminar 8Th Sem on Scikit-learn

AmarnathKambale

The title is not connected to what is inside

shinachiaurasa2

OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...

Shane Coughlan

Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...

SelfMade bd

Foundation models are machine learning models which are easily capable of performing variable tasks on large and huge datasets. FMs have managed to get a lot of attention due to this feature of handling large datasets. It can do text generation, video editing to protein folding and robotics. In case we believe that FMs can help the hospitals and patients in any way, we need to perform some important evaluations, tests to test these assumptions. In this review, we take a walk through Fms and their evaluation regimes assumed clinical value. To clarify on this topic, we reviewed no less than 80 clinical FMs built from the EMR data. We added all the models trained on structured and unstructured data. We are referring to this combination of structured and unstructured EMR data or clinical data.

Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...

harshavardhanraghave

+971565801893 Mtp-Kit (500MG) Prices » Dubai [(+971565801893**)] Abortion Pills For Sale In Dubai, UAE, Mifepristone and Misoprostol Tablets Available In Dubai, UAE CONTACT DR.Leen Whatsapp +971565801893 We Have Abortion Pills / Cytotec Tablets /Mifegest Kit Available in Dubai, Sharjah, Abudhabi, Ajman, Alain, Fujairah, Ras Al Khaimah, Umm Al Quwain, UAE, Buy cytotec in Dubai +971565801893''''Abortion Pills near me DUBAI | ABU DHABI|UAE. Price of Misoprostol, Cytotec” +971565801893' Dr.DEEM ''BUY ABORTION PILLS MIFEGEST KIT, MISOPROTONE, CYTOTEC PILLS IN DUBAI, ABU DHABI,UAE'' Contact me now via What's App…… abortion Pills Cytotec also available Oman Qatar Doha Saudi Arabia Bahrain Above all, Cytotec Abortion Pills are Available In Dubai / UAE, you will be very happy to do abortion in Dubai we are providing cytotec 200mg abortion pill in Dubai, UAE. Medication abortion offers an alternative to Surgical Abortion for women in the early weeks of pregnancy. We only offer abortion pills from 1 week-6 Months. We then advise you to use surgery if its beyond 6 months. Our Abu Dhabi, Ajman, Al Ain, Dubai, Fujairah, Ras Al Khaimah (RAK), Sharjah, Umm Al Quwain (UAQ) United Arab Emirates Abortion Clinic provides the safest and most advanced techniques for providing non-surgical, medical and surgical abortion methods for early through late second trimester, including the Abortion By Pill Procedure (RU 486, Mifeprex, Mifepristone, early options French Abortion Pill), Tamoxifen, Methotrexate and Cytotec (Misoprostol). The Abu Dhabi, United Arab Emirates Abortion Clinic performs Same Day Abortion Procedure using medications that are taken on the first day of the office visit and will cause the abortion to occur generally within 4 to 6 hours (as early as 30 minutes) for patients who are 3 to 12 weeks pregnant. When Mifepristone and Misoprostol are used, 50% of patients complete in 4 to 6 hours; 75% to 80% in 12 hours; and 90% in 24 hours. We use a regimen that allows for completion without the need for surgery 99% of the time. All advanced second trimester and late term pregnancies at our Tampa clinic (17 to 24 weeks or greater) can be completed within 24 hours or less 99% of the time without the need surgery. The procedure is completed with minimal to no complications. Our Women's Health Center located in Abu Dhabi, United Arab Emirates, uses the latest medications for medical abortions (RU-486, Mifeprex, Mifegyne, Mifepristone, early options French abortion pill), Methotrexate and Cytotec (Misoprostol). The safety standards of our Abu Dhabi, United Arab Emirates Abortion Doctors remain unparalleled. They consistently maintain the lowest complication rates throughout the nation. Our Physicians and staff are always available to answer questions and care for women in one of the most difficult times in their lives. The decision to have an abortion at the Abortion Clinic in Abu Dhabi, United Arab Emirates.+971565801893

+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...

Health

Looking for an efficient way to manage your finances? Look no further than our money management app. With easy-to-use features, you can track your expenses, create budgets, and monitor your savings goals all in one place. Our app provides real-time updates on your spending habits and helps you make smarter financial decisions. Take control of your finances today with our user-friendly money management app.

Right Money Management App For Your Financial Goals

Jhone kinadey

%in Harare+277-882-255-28 abortion pills for sale in Harare

masabamasaba

(Vivek)Call Us, 8448380779,Call girls in Delhi NCr – We Offer best in class call girls. escort Service At Affordable Price At low Rate with Space Night 8000 We Are One Of The Oldest Escort and Call girls Agencies in Delhi. You Will Find That Our Female Escorts Are Full Of Fun, Sexy And They Would Love Enjoy Your Company. We Have A Fantastic Selection Of Escort Ladies Available For In-Calls As Well As Out-Calls. Our Escorts Are Not Only Beautiful But All Have Great Personalities Making Them The Perfect Companion For Any Occasion. In-Call:- You Can Come At Our Place in Delhi Our place Which Is Very Clean Hygienic 100% safe Accommodation. Out-Call:- You have To Come Pick The Girl From My Place We Are Also Provide Door Step Services (Delhi Ncr, Noida, Gurgaon, Faridabad, Ghaziabad Note:- Pic Collectors Time Passers Bargainers Stay Away As We Respect The Value For Your Money Time And Expect The Same From You Hygienic:- Full Ac room And Clean Rooms Available In Hotel 24 * 7 Hourly In Delhi NCR More Details, With WhatsApp Number, +91-8448380779

call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️

Delhi Call girls

In the past six months, the AI landscape has undergone a massive transformation, ushering in a new era of productivity with the latest in Large Language Models (LLMs) and AI technology. This deep dive unlocks how to: Create CustomGPT Models: No coding needed to tailor AI for your unique projects. Integrate your own data, including PDFs and Excel sheets, making information handling a breeze. Plus, discover how to call your own actions/integrations for even more personalized utility. Navigate Advanced Prompting: Overcome AI's memory limits and utilize Retrieval-Augmented Generation for accessing your personalized data, streamlining how you interact with AI. Stay Ahead with AI Trends: Peek into the evolving world of LLMs, featuring newcomers like Google Gemini, Anthropic Claude, Open Sora, and Twitter Grok, and understand what their advancements mean for your productivity. Witness Real-Life Transformations: Through examples and prompt demonstrations, see firsthand how these AI strategies revolutionize routine tasks, from data analysis to content creation. Learn to leverage image output and input for advanced practical use cases, adding a new dimension to your productivity toolkit. No previous coding or AI experience is needed for this talk. Stay ahead in the fast-evolving world of work. Embrace the AI revolution and transform your workflow with advanced LLM techniques. Join us to ensure you're not left behind in the productivity race.

AI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques

VictorSzoltysek

call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️

Delhi Call girls

Define the academic and professional writing..pdf

PearlKirahMaeRagusta1

%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein

masabamasaba

%in tembisa+277-882-255-28 abortion pills for sale in tembisa

masabamasaba

Recently uploaded (20)

Direct Style Effect Systems -The Print[A] Example- A Comprehension Aid

The Top App Development Trends Shaping the Industry in 2024-25 .pdf

%in Hazyview+277-882-255-28 abortion pills for sale in Hazyview

8257 interfacing 2 in microprocessor for btech students

Announcing Codolex 2.0 from GDK Software

%in Midrand+277-882-255-28 abortion pills for sale in midrand

VTU technical seminar 8Th Sem on Scikit-learn

The title is not connected to what is inside

OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...

Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...

Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...

+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...

Right Money Management App For Your Financial Goals

%in Harare+277-882-255-28 abortion pills for sale in Harare

call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️

AI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques

call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️

Define the academic and professional writing..pdf

%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein

%in tembisa+277-882-255-28 abortion pills for sale in tembisa

Running security service in gcloud

2. 2 WHO AM I  Head of Security Research at Aqua Security, a leader in container security  20 years of building security products, development and research  Held senior security research positions at Microsoft, Aorato and Imperva.  Presented at security conferences, among them, BlackHat Europe, RSA Europe and Virus Bulleting.

3. 3 PEEKR  Scans for known vulnerabilities (CVEs)  Profiles container activities on host and network  Automatically runs the image and checks it against malicious behaviors  Highlights suspicious container behavior  Free (no credit card needed for registration)  https://peekr.aquasec.com

4. 4 PEEKR

5. 5 YOU WERE SAYING...  Automatically runs the image and checks it against malicious behaviors  Meaning we are running arbitrary, unknown containers on our infrastructure  Every time we consulted people and organizations, we got same response...

6. 6 YOU ARE CRAZY INSANE, NUTS, KOOKY, WACKY...

7. 7 ARCHITECTURAL REQUIREMENTS  Scalable web front end  Scalable Scanner workers  Asynchronous processing  Security

8. 8 SECURITY CONCERNS  Web front end  Malicious containers  Exploding containers  Lateral movement  Attacking from our infrastructure

9. 9 MALICIOUS CONTAINERS  Local behavior  Fork Bomb  Fallocate  Resource consumption  Network  East-West  North-East

10. 10 IMPLEMENTATION  Kubernetes  Security  Kubernetes  Aqua

11. 11 PEEKR ARCHITECTURE OVERVIEW Front end cluster Front end Service Web Queue CVEs Back end cluster Scanner

12. 12 OVERALL SECURITY  Log everything  Use Kubectl to access containers, to limit ssh access  Apply resource quota and limits with Kubernetes namespaces  Network segregation through Kubernetes clusters

13. 13 PROTECTING AGAINST MALICIOUS CONTAINERS  Local  Run unprivileged  Run with user namespace  Containers data (volumes) on separate partition  Aqua  Network  Deny network access  No internet access to backend cluster  Communication between clusters is limited to absolute minimum

14. 14 FORK BOMB  :(){ :|:& };:  Exhausts PIDs  System freezes

15. 15 FORK BOMB PROTECTION  nproc  ulimit –u 100  Limit per user per session  Can be done either for docker daemon or per container  Doesn’t enforce for root  PID cgroup  Future, kernel 4.3

16. FORK BOMB DEMO

17. 17 SO WITH A LITTLE HELP

18. THANK YOU Michael Cherny cherny@aquasec.com @chernymi

Editor's Notes

Two words about me, one word about Aqua

Running security service in gcloud

Recommended

Recommended

More Related Content

Viewers also liked

Viewers also liked (13)

Recently uploaded

Recently uploaded (20)

Running security service in gcloud

Editor's Notes