Kubernetes Security Best Practices
With tips for the CKS exam
Ahmed AbouZaid, Sr. DevOps Engineer, Camunda
June 2022
About

Ahmed AbouZaid
Passionate about DevOps, Cloud/Kubernetes specialist,
Free/Open source geek, and an author.
• I believe in self CI/CD (Continuous Improvements/Development)
and also that “The whole is greater than the sum of its parts”.
• DevOps transformation, automation, data, and metrics
are my preferred areas.
• And I like to help both businesses and people to grow.
Find me at:
tech.aabouzaid.com | linkedin.com/in/aabouzaid
Agenda
1. Introduction
2. Shift-left and DevSecOps
3. General Security Concepts
4. The 4C’s of Cloud Native Security
5. Kubernetes Security Starter Kit
6. CKS Exam Overview and Tips
The agenda is split into topics for everyone and topics for Kubernetes specialists.
Introduction

Containers
Technology for packaging an application
along with its runtime dependencies.
Container Runtime
Software responsible for running
containers (e.g. Docker Engine, containerd, etc.).
Kubernetes
A cloud-native platform to manage
and orchestrate container workloads.
Shift-left and DevSecOps

Shift-left
A practice of moving quality measures and development activities as early as possible
in the software lifecycle, which reduces the time and risk of issues before the release.
Image source: Devopedia

DevSecOps
(Development, Security, and Operations)
An approach that extends DevOps
to integrate security as a shared
responsibility throughout the entire
software lifecycle. DevSecOps relies
on iterative methodologies like Agile.
Image source: Dynatrace
General Security Concepts
1. Reducing Attack Surface
2. Least Privilege Principle
3. Security by Design and Secure by Default
4. Updating Frequently
The 4C’s of Cloud Native Security
1. Cloud
The security of the cloud infrastructure, co-located servers,
or corporate datacenter, like the OS and external network.
2. Cluster
The Kubernetes cluster-level security, like
configuration, access, and internal network.
3. Container
The security of the Dockerfile/Containerfile, the container
image, and container access and isolation.
4. Code
The security of the actual programming language code,
like the implementation and 3rd-party dependencies.
Image source: EDB
C1: Cloud
■ Cloud/Infrastructure Provider Security Best Practices
■ External Network Restriction
■ Operating System Hardening
  ■ Areas: Disabling root login, access control, firewall, SSH configuration, etc.
  ■ Tools: CIS Benchmarks
C2: Cluster
■ Overall Cluster Hardening
  ■ Areas: Authentication, authorization, etcd
  ■ Tools: RBAC, Kube-bench, Kube-hunter
■ Security Policies
  ■ Areas: Deployment specs, services access, admission controllers
  ■ Tools: Network Policy, Pod Security Admission, Open Policy Agent
■ Auditing
  ■ Tools: Built-in Audit Policy, Falco, Tracee
■ Container Runtime Sandbox
  ■ Tools: Kata Containers, gVisor
C3: Container
■ Static Code Analysis
  ■ Areas: Kubernetes resources, Docker/container files
  ■ Tools: Kubesec, Checkov
■ Container Image Supply Chain
  ■ Areas: Trusted container registry, container image vulnerability
  ■ Tools: Trivy, Snyk, ImagePolicyWebhook
■ Container Access
  ■ Areas: Container user, container filesystem access, privileged container
  ■ Tools: Built-in SecurityContext, Seccomp, AppArmor, SELinux
C4: Code
■ Programming Language Security Best Practices
■ Static Code Analysis
  ■ Tools: SonarQube, Snyk
■ Penetration Testing
■ 3rd Party Dependency Security
Kubernetes Security Starter Kit
4 Kubernetes security tools that everyone should have:
■ Kube-linter
Use it to lint and unify your Kubernetes manifests to apply
best practices. (Also check Conftest for more powerful options.)
■ Kubesec
Use it to analyze Kubernetes manifests either statically
in the CI or dynamically as an admission webhook.
■ Snyk
Use it to scan programming code and Docker/container images
for vulnerabilities.
■ Kube-hunter
Use it to spot and identify weaknesses in Kubernetes
clusters. Try the “passive mode” first, and be careful with
the “active mode” (it could be dangerous).
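As an added example (not from the slides, and not the code of Kubesec or Kube-linter), the Python script below applies the kind of container-access checks those static analyzers run to a Pod manifest: container user, filesystem access, privileged mode, capabilities, seccomp, host namespaces and image pinning, as listed on the C3 slide. It then emits a hardened copy and lints that too. The manifest and its field values are constructed for the example; the field names are the real Kubernetes securityContext fields.

```python
"""Minimal static security linter for a Kubernetes Pod manifest (added example)."""
import json

# Constructed sample manifest (not from the slides): a Pod that violates
# several container-access best practices at once.
WEAK_POD_JSON = """
{
  "apiVersion": "v1",
  "kind": "Pod",
  "metadata": {"name": "demo-app"},
  "spec": {
    "hostNetwork": true,
    "containers": [
      {"name": "app",
       "image": "registry.example/app:latest",
       "securityContext": {"privileged": true}}
    ]
  }
}
"""


def weak_pod():
    """Parse the constructed sample into a dict (Kubernetes accepts JSON manifests)."""
    return json.loads(WEAK_POD_JSON)


def check_container(container, pod_sc):
    """Return finding strings for one container, in the style of Kubesec/Kube-linter checks."""
    name = container.get("name", "<unnamed>")
    image = container.get("image", "")
    # Fields that exist at both pod and container level (runAsNonRoot,
    # seccompProfile) take the container value when set, else the pod value.
    sc = {**pod_sc, **container.get("securityContext", {})}
    findings = []
    # Supply chain: an untagged or :latest reference is not a pinned artifact.
    last = image.rsplit("/", 1)[-1]
    if ":" not in last or image.endswith(":latest"):
        findings.append(f"{name}: image '{image}' is not pinned to a tag or digest")
    # Container user.
    if sc.get("runAsNonRoot") is not True:
        findings.append(f"{name}: runAsNonRoot is not true")
    # Privileged container and privilege escalation (default is allowed).
    if sc.get("privileged"):
        findings.append(f"{name}: privileged is true")
    if sc.get("allowPrivilegeEscalation", True):
        findings.append(f"{name}: allowPrivilegeEscalation is not false")
    # Container filesystem access.
    if sc.get("readOnlyRootFilesystem") is not True:
        findings.append(f"{name}: readOnlyRootFilesystem is not true")
    # Linux capabilities: drop everything, add back only what is needed.
    if "ALL" not in sc.get("capabilities", {}).get("drop", []):
        findings.append(f"{name}: capabilities.drop does not include ALL")
    # Seccomp: RuntimeDefault or a Localhost profile.
    if sc.get("seccompProfile", {}).get("type") not in ("RuntimeDefault", "Localhost"):
        findings.append(f"{name}: no seccompProfile (RuntimeDefault/Localhost) set")
    return findings


def lint_pod(manifest):
    """Return all findings for a Pod manifest; an empty list means it passes."""
    spec = manifest.get("spec", {})
    findings = []
    for key in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(key):
            findings.append(f"pod: spec.{key} is true (shares a host namespace)")
    pod_sc = spec.get("securityContext", {})
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        findings.extend(check_container(c, pod_sc))
    return findings


def harden_pod(manifest):
    """Return a copy with the securityContext checks satisfied.

    The image reference is left alone on purpose: pinning a tag or digest is a
    supply-chain decision the tool cannot make for you, so it stays a finding.
    """
    hardened = json.loads(json.dumps(manifest))  # cheap deep copy
    spec = hardened["spec"]
    for key in ("hostNetwork", "hostPID", "hostIPC"):
        spec.pop(key, None)
    spec["securityContext"] = {"runAsNonRoot": True,
                               "seccompProfile": {"type": "RuntimeDefault"}}
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        c["securityContext"] = {
            "privileged": False,
            "allowPrivilegeEscalation": False,
            "readOnlyRootFilesystem": True,
            "capabilities": {"drop": ["ALL"]},
        }
    return hardened


if __name__ == "__main__":
    pod = weak_pod()
    for finding in lint_pod(pod):
        print("FAIL", finding)
    remaining = lint_pod(harden_pod(pod))
    print("after hardening:", remaining or "clean")
```

The same checks can run in CI against every manifest in a repository, which is the "statically in the CI" mode the Kubesec slide refers to.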
CKS Exam Overview and Tips

Overview
■ Certified Kubernetes Security Specialist (CKS) was introduced in 2020 and is
the 3rd certificate after CKA and CKAD.
■ A valid CKA certification is required as a prerequisite.
■ The CKS certificate is valid for 2 years.
■ The exam is available in a remote setup (you can take it from home)
and it costs $300 (but discounts of up to 50% are available around the year).
■ The exam has 12 months of eligibility and a 1-time free retake.
■ CKS is a hands-on exam that takes 2 hours, with 15-20 tasks of different weights.
Tips
■ Practice a lot! It’s a hands-on exam! Especially with the Killer.sh exam simulator.
■ Time management is the key. 2 hours are not much for all those questions.
■ Track the questions. Use the embedded notepad or flags in the exam.
■ Familiarize yourself with the official documentation. You can open 1 extra tab.
■ Get familiar with the web terminal. It has different shortcuts for copy/paste.
■ Get a bigger screen! A laptop or small screen will limit you a lot.
■ Disable the "Ctrl + W" shortcut! This shortcut is used almost everywhere, and it will
close your exam tab if you hit it unintentionally.
More details at my blog: Certified Kubernetes Security Specialist exam tips
Thank You :-)
linkedin.com/in/aabouzaid
tech.aabouzaid.com
Questions?

Resources
■ Overview of Cloud Native Security - Kubernetes
■ Kubernetes Security Cheat Sheet - OWASP
■ Shift Left - Devopedia
■ Shift-Left Security: The Basics of Threat Modeling - Iterasec
■ What is DevSecOps? And what you need to do it well - Dynatrace
■ How DevSecOps brings security into the development process - Red Hat Developer

More Related Content

What's hot

Kubernetes Introduction
Kubernetes IntroductionKubernetes Introduction
Kubernetes IntroductionPeng Xiao
 
Introduction to kubernetes
Introduction to kubernetesIntroduction to kubernetes
Introduction to kubernetesRishabh Indoria
 
An Introduction to Kubernetes
An Introduction to KubernetesAn Introduction to Kubernetes
An Introduction to KubernetesImesh Gunaratne
 
Kubernetes - Security Journey
Kubernetes - Security JourneyKubernetes - Security Journey
Kubernetes - Security JourneyJerry Jalava
 
Getting Started with Kubernetes
Getting Started with Kubernetes Getting Started with Kubernetes
Getting Started with Kubernetes VMware Tanzu
 
Kubernetes Secrets Management on Production with Demo
Kubernetes Secrets Management on Production with DemoKubernetes Secrets Management on Production with Demo
Kubernetes Secrets Management on Production with DemoOpsta
 
Kubernetes and container security
Kubernetes and container securityKubernetes and container security
Kubernetes and container securityVolodymyr Shynkar
 
Introduction to kubernetes
Introduction to kubernetesIntroduction to kubernetes
Introduction to kubernetesMichal Cwienczek
 
Deploy Application on Kubernetes
Deploy Application on KubernetesDeploy Application on Kubernetes
Deploy Application on KubernetesOpsta
 
Introduction to Kubernetes Workshop
Introduction to Kubernetes WorkshopIntroduction to Kubernetes Workshop
Introduction to Kubernetes WorkshopBob Killen
 
Introduction of Kubernetes - Trang Nguyen
Introduction of Kubernetes - Trang NguyenIntroduction of Kubernetes - Trang Nguyen
Introduction of Kubernetes - Trang NguyenTrang Nguyen
 
Shift Deployment Security Left with Weave GitOps & Upbound’s Universal Crossp...
Shift Deployment Security Left with Weave GitOps & Upbound’s Universal Crossp...Shift Deployment Security Left with Weave GitOps & Upbound’s Universal Crossp...
Shift Deployment Security Left with Weave GitOps & Upbound’s Universal Crossp...Weaveworks
 
Kubernetes a comprehensive overview
Kubernetes   a comprehensive overviewKubernetes   a comprehensive overview
Kubernetes a comprehensive overviewGabriel Carro
 
Rancher 2.0 Technical Deep Dive
Rancher 2.0 Technical Deep DiveRancher 2.0 Technical Deep Dive
Rancher 2.0 Technical Deep DiveLINE Corporation
 
Kubernetes Architecture and Introduction
Kubernetes Architecture and IntroductionKubernetes Architecture and Introduction
Kubernetes Architecture and IntroductionStefan Schimanski
 

What's hot (20)

Kubernetes Introduction
Kubernetes IntroductionKubernetes Introduction
Kubernetes Introduction
 
Introduction to kubernetes
Introduction to kubernetesIntroduction to kubernetes
Introduction to kubernetes
 
Kubernetes Basics
Kubernetes BasicsKubernetes Basics
Kubernetes Basics
 
An Introduction to Kubernetes
An Introduction to KubernetesAn Introduction to Kubernetes
An Introduction to Kubernetes
 
Kubernetes - Security Journey
Kubernetes - Security JourneyKubernetes - Security Journey
Kubernetes - Security Journey
 
Getting Started with Kubernetes
Getting Started with Kubernetes Getting Started with Kubernetes
Getting Started with Kubernetes
 
Kubernetes Introduction
Kubernetes IntroductionKubernetes Introduction
Kubernetes Introduction
 
Kubernetes Secrets Management on Production with Demo
Kubernetes Secrets Management on Production with DemoKubernetes Secrets Management on Production with Demo
Kubernetes Secrets Management on Production with Demo
 
Kubernetes and container security
Kubernetes and container securityKubernetes and container security
Kubernetes and container security
 
Introduction to kubernetes
Introduction to kubernetesIntroduction to kubernetes
Introduction to kubernetes
 
Deploy Application on Kubernetes
Deploy Application on KubernetesDeploy Application on Kubernetes
Deploy Application on Kubernetes
 
Kubernetes Security
Kubernetes SecurityKubernetes Security
Kubernetes Security
 
Introduction to Kubernetes Workshop
Introduction to Kubernetes WorkshopIntroduction to Kubernetes Workshop
Introduction to Kubernetes Workshop
 
Introduction of Kubernetes - Trang Nguyen
Introduction of Kubernetes - Trang NguyenIntroduction of Kubernetes - Trang Nguyen
Introduction of Kubernetes - Trang Nguyen
 
Shift Deployment Security Left with Weave GitOps & Upbound’s Universal Crossp...
Shift Deployment Security Left with Weave GitOps & Upbound’s Universal Crossp...Shift Deployment Security Left with Weave GitOps & Upbound’s Universal Crossp...
Shift Deployment Security Left with Weave GitOps & Upbound’s Universal Crossp...
 
Introduction to kubernetes
Introduction to kubernetesIntroduction to kubernetes
Introduction to kubernetes
 
Kubernetes a comprehensive overview
Kubernetes   a comprehensive overviewKubernetes   a comprehensive overview
Kubernetes a comprehensive overview
 
Rancher 2.0 Technical Deep Dive
Rancher 2.0 Technical Deep DiveRancher 2.0 Technical Deep Dive
Rancher 2.0 Technical Deep Dive
 
Quick introduction to Kubernetes
Quick introduction to KubernetesQuick introduction to Kubernetes
Quick introduction to Kubernetes
 
Kubernetes Architecture and Introduction
Kubernetes Architecture and IntroductionKubernetes Architecture and Introduction
Kubernetes Architecture and Introduction
 

Similar to Kubernetes Security Best Practices - With tips for the CKS exam

IANS information security forum 2019 summary
IANS information security forum 2019 summaryIANS information security forum 2019 summary
IANS information security forum 2019 summaryKarun Chennuri
 
DevSecCon Lightning 2021- Container defaults are a hackers best friend
DevSecCon Lightning 2021- Container defaults are a hackers best friendDevSecCon Lightning 2021- Container defaults are a hackers best friend
DevSecCon Lightning 2021- Container defaults are a hackers best friendEric Smalling
 
Terrascan - Cloud Native Security Tool
Terrascan - Cloud Native Security Tool Terrascan - Cloud Native Security Tool
Terrascan - Cloud Native Security Tool sangam biradar
 
10 tips for Cloud Native Security
10 tips for Cloud Native Security10 tips for Cloud Native Security
10 tips for Cloud Native SecurityKarthik Gaekwad
 
AWS live hack: Docker + Snyk Container on AWS
AWS live hack: Docker + Snyk Container on AWSAWS live hack: Docker + Snyk Container on AWS
AWS live hack: Docker + Snyk Container on AWSEric Smalling
 
Here Be Dragons: Security Maps of the Container New World
Here Be Dragons: Security Maps of the Container New WorldHere Be Dragons: Security Maps of the Container New World
Here Be Dragons: Security Maps of the Container New WorldC4Media
 
Tampere Docker meetup - Happy 5th Birthday Docker
Tampere Docker meetup - Happy 5th Birthday DockerTampere Docker meetup - Happy 5th Birthday Docker
Tampere Docker meetup - Happy 5th Birthday DockerSakari Hoisko
 
Journey Through Four Stages of Kubernetes Deployment Maturity
Journey Through Four Stages of Kubernetes Deployment MaturityJourney Through Four Stages of Kubernetes Deployment Maturity
Journey Through Four Stages of Kubernetes Deployment MaturityAltoros
 
Secure App Aspirations: Why it is very difficult in the real world
Secure App Aspirations: Why it is very difficult in the real worldSecure App Aspirations: Why it is very difficult in the real world
Secure App Aspirations: Why it is very difficult in the real worldOllie Whitehouse
 
Kubernetes best practices.odf
Kubernetes best practices.odfKubernetes best practices.odf
Kubernetes best practices.odfAkash Agrawal
 
Container Stranger Danger - Why should devs care about container security
Container Stranger Danger - Why should devs care about container securityContainer Stranger Danger - Why should devs care about container security
Container Stranger Danger - Why should devs care about container securityEric Smalling
 
Why Should Developers Care About Container Security?
Why Should Developers Care About Container Security?Why Should Developers Care About Container Security?
Why Should Developers Care About Container Security?All Things Open
 
ATO 2022 - Why should devs care about container security.pdf
ATO 2022 - Why should devs care about container security.pdfATO 2022 - Why should devs care about container security.pdf
ATO 2022 - Why should devs care about container security.pdfEric Smalling
 
Docker Birthday #5 Meetup Cluj - Presentation
Docker Birthday #5 Meetup Cluj - PresentationDocker Birthday #5 Meetup Cluj - Presentation
Docker Birthday #5 Meetup Cluj - PresentationAlex Vranceanu
 
Digital Forensics and Incident Response in The Cloud
Digital Forensics and Incident Response in The CloudDigital Forensics and Incident Response in The Cloud
Digital Forensics and Incident Response in The CloudVelocidex Enterprises
 
Python Web Conference 2022 - Why should devs care about container security.pdf
Python Web Conference 2022 - Why should devs care about container security.pdfPython Web Conference 2022 - Why should devs care about container security.pdf
Python Web Conference 2022 - Why should devs care about container security.pdfEric Smalling
 
Machine Learning , Analytics & Cyber Security the Next Level Threat Analytics...
Machine Learning , Analytics & Cyber Security the Next Level Threat Analytics...Machine Learning , Analytics & Cyber Security the Next Level Threat Analytics...
Machine Learning , Analytics & Cyber Security the Next Level Threat Analytics...PranavPatil822557
 
Cloud and Network Transformation using DevOps methodology : Cisco Live 2015
Cloud and Network Transformation using DevOps methodology : Cisco Live 2015Cloud and Network Transformation using DevOps methodology : Cisco Live 2015
Cloud and Network Transformation using DevOps methodology : Cisco Live 2015Vimal Suba
 
Shifting security to the left with kubernetes, azure, and istio
Shifting security to the left with kubernetes, azure, and istioShifting security to the left with kubernetes, azure, and istio
Shifting security to the left with kubernetes, azure, and istioChristian Melendez
 
Microservices at Scale: How to Reduce Overhead and Increase Developer Product...
Microservices at Scale: How to Reduce Overhead and Increase Developer Product...Microservices at Scale: How to Reduce Overhead and Increase Developer Product...
Microservices at Scale: How to Reduce Overhead and Increase Developer Product...DevOps.com
 

Similar to Kubernetes Security Best Practices - With tips for the CKS exam (20)

IANS information security forum 2019 summary
IANS information security forum 2019 summaryIANS information security forum 2019 summary
IANS information security forum 2019 summary
 
DevSecCon Lightning 2021- Container defaults are a hackers best friend
DevSecCon Lightning 2021- Container defaults are a hackers best friendDevSecCon Lightning 2021- Container defaults are a hackers best friend
DevSecCon Lightning 2021- Container defaults are a hackers best friend
 
Terrascan - Cloud Native Security Tool
Terrascan - Cloud Native Security Tool Terrascan - Cloud Native Security Tool
Terrascan - Cloud Native Security Tool
 
10 tips for Cloud Native Security
10 tips for Cloud Native Security10 tips for Cloud Native Security
10 tips for Cloud Native Security
 
AWS live hack: Docker + Snyk Container on AWS
AWS live hack: Docker + Snyk Container on AWSAWS live hack: Docker + Snyk Container on AWS
AWS live hack: Docker + Snyk Container on AWS
 
Here Be Dragons: Security Maps of the Container New World
Here Be Dragons: Security Maps of the Container New WorldHere Be Dragons: Security Maps of the Container New World
Here Be Dragons: Security Maps of the Container New World
 
Tampere Docker meetup - Happy 5th Birthday Docker
Tampere Docker meetup - Happy 5th Birthday DockerTampere Docker meetup - Happy 5th Birthday Docker
Tampere Docker meetup - Happy 5th Birthday Docker
 
Journey Through Four Stages of Kubernetes Deployment Maturity
Journey Through Four Stages of Kubernetes Deployment MaturityJourney Through Four Stages of Kubernetes Deployment Maturity
Journey Through Four Stages of Kubernetes Deployment Maturity
 
Secure App Aspirations: Why it is very difficult in the real world
Secure App Aspirations: Why it is very difficult in the real worldSecure App Aspirations: Why it is very difficult in the real world
Secure App Aspirations: Why it is very difficult in the real world
 
Kubernetes best practices.odf
Kubernetes best practices.odfKubernetes best practices.odf
Kubernetes best practices.odf
 
Container Stranger Danger - Why should devs care about container security
Container Stranger Danger - Why should devs care about container securityContainer Stranger Danger - Why should devs care about container security
Container Stranger Danger - Why should devs care about container security
 
Why Should Developers Care About Container Security?
Why Should Developers Care About Container Security?Why Should Developers Care About Container Security?
Why Should Developers Care About Container Security?
 
ATO 2022 - Why should devs care about container security.pdf
ATO 2022 - Why should devs care about container security.pdfATO 2022 - Why should devs care about container security.pdf
ATO 2022 - Why should devs care about container security.pdf
 
Docker Birthday #5 Meetup Cluj - Presentation
Docker Birthday #5 Meetup Cluj - PresentationDocker Birthday #5 Meetup Cluj - Presentation
Docker Birthday #5 Meetup Cluj - Presentation
 
Digital Forensics and Incident Response in The Cloud
Digital Forensics and Incident Response in The CloudDigital Forensics and Incident Response in The Cloud
Digital Forensics and Incident Response in The Cloud
 
Python Web Conference 2022 - Why should devs care about container security.pdf
Python Web Conference 2022 - Why should devs care about container security.pdfPython Web Conference 2022 - Why should devs care about container security.pdf
Python Web Conference 2022 - Why should devs care about container security.pdf
 
Machine Learning , Analytics & Cyber Security the Next Level Threat Analytics...
Machine Learning , Analytics & Cyber Security the Next Level Threat Analytics...Machine Learning , Analytics & Cyber Security the Next Level Threat Analytics...
Machine Learning , Analytics & Cyber Security the Next Level Threat Analytics...
 
Cloud and Network Transformation using DevOps methodology : Cisco Live 2015
Cloud and Network Transformation using DevOps methodology : Cisco Live 2015Cloud and Network Transformation using DevOps methodology : Cisco Live 2015
Cloud and Network Transformation using DevOps methodology : Cisco Live 2015
 
Shifting security to the left with kubernetes, azure, and istio
Shifting security to the left with kubernetes, azure, and istioShifting security to the left with kubernetes, azure, and istio
Shifting security to the left with kubernetes, azure, and istio
 
Microservices at Scale: How to Reduce Overhead and Increase Developer Product...
Microservices at Scale: How to Reduce Overhead and Increase Developer Product...Microservices at Scale: How to Reduce Overhead and Increase Developer Product...
Microservices at Scale: How to Reduce Overhead and Increase Developer Product...
 

More from Ahmed AbouZaid

Platform Engineering: Manage your infrastructure using Kubernetes and Crossplane
Platform Engineering: Manage your infrastructure using Kubernetes and CrossplanePlatform Engineering: Manage your infrastructure using Kubernetes and Crossplane
Platform Engineering: Manage your infrastructure using Kubernetes and CrossplaneAhmed AbouZaid
 
Docker Best Practices Workshop
Docker Best Practices WorkshopDocker Best Practices Workshop
Docker Best Practices WorkshopAhmed AbouZaid
 
Kubernetes Requests and Limits
Kubernetes Requests and LimitsKubernetes Requests and Limits
Kubernetes Requests and LimitsAhmed AbouZaid
 
How contributing to Open-source made me a better DevOps
How contributing to Open-source made me a better DevOpsHow contributing to Open-source made me a better DevOps
How contributing to Open-source made me a better DevOpsAhmed AbouZaid
 
Developing Ansible Dynamic Inventory Script - Nov 2017
Developing Ansible Dynamic Inventory Script - Nov 2017Developing Ansible Dynamic Inventory Script - Nov 2017
Developing Ansible Dynamic Inventory Script - Nov 2017Ahmed AbouZaid
 
Introduction to InfluxDB and TICK Stack
Introduction to InfluxDB and TICK StackIntroduction to InfluxDB and TICK Stack
Introduction to InfluxDB and TICK StackAhmed AbouZaid
 
Getting Started with Ansible
Getting Started with AnsibleGetting Started with Ansible
Getting Started with AnsibleAhmed AbouZaid
 

More from Ahmed AbouZaid (9)

Platform Engineering: Manage your infrastructure using Kubernetes and Crossplane
Platform Engineering: Manage your infrastructure using Kubernetes and CrossplanePlatform Engineering: Manage your infrastructure using Kubernetes and Crossplane
Platform Engineering: Manage your infrastructure using Kubernetes and Crossplane
 
Docker Best Practices Workshop
Docker Best Practices WorkshopDocker Best Practices Workshop
Docker Best Practices Workshop
 
Kubernetes Requests and Limits
Kubernetes Requests and LimitsKubernetes Requests and Limits
Kubernetes Requests and Limits
 
DevOps for Engineers
DevOps for EngineersDevOps for Engineers
DevOps for Engineers
 
How contributing to Open-source made me a better DevOps
How contributing to Open-source made me a better DevOpsHow contributing to Open-source made me a better DevOps
How contributing to Open-source made me a better DevOps
 
Developing Ansible Dynamic Inventory Script - Nov 2017
Developing Ansible Dynamic Inventory Script - Nov 2017Developing Ansible Dynamic Inventory Script - Nov 2017
Developing Ansible Dynamic Inventory Script - Nov 2017
 
Introduction to InfluxDB and TICK Stack
Introduction to InfluxDB and TICK StackIntroduction to InfluxDB and TICK Stack
Introduction to InfluxDB and TICK Stack
 
Getting Started with Ansible
Getting Started with AnsibleGetting Started with Ansible
Getting Started with Ansible
 
Why Ubuntu? - Arabic
Why Ubuntu? - ArabicWhy Ubuntu? - Arabic
Why Ubuntu? - Arabic
 

Recently uploaded

Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024The Digital Insurer
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024Results
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...gurkirankumar98700
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 

Recently uploaded (20)

Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Kubernetes Security Best Practices - With tips for the CKS exam

  • 12. The 4C's of Cloud Native Security
    1. Cloud: the security of the cloud infrastructure, co-located servers, or corporate datacenter, e.g. the OS and the external network.
    2. Cluster: the Kubernetes cluster-level security, e.g. configuration, access, and the internal network.
    3. Container: the security of the Dockerfile/Containerfile, the container image, and container access and isolation.
    4. Code: the security of the actual application code, e.g. its implementation and third-party dependencies.
    Image source: EDB
  • 13. C1: Cloud
    ■ Cloud/Infrastructure Provider Security Best Practices
    ■ External Network Restriction
    ■ Operating System Hardening
      ■ Areas: Disabling root login, access control, firewall, SSH configuration, etc.
      ■ Tools: CIS Benchmarks
  • 14. C2: Cluster
    ■ Overall Cluster Hardening
      ■ Areas: Authentication, authorization, etcd
      ■ Tools: RBAC, Kube-bench, Kube-hunter
    ■ Security Policies
      ■ Areas: Deployment specs, services access, admission controllers
      ■ Tools: Network Policy, Pod Security Admission, Open Policy Agent
    ■ Auditing
      ■ Tools: Built-in Audit Policy, Falco, Tracee
    ■ Container Runtime Sandbox
      ■ Tools: Kata Containers, gVisor
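The following manifests are an added example of the cluster-level controls named on this slide; they are not part of the original slides. The namespace name "payments", the ServiceAccount "api", and the RuntimeClass name "gvisor" are assumptions for illustration. Applying these to a namespace gives you: Pod Security Admission enforcing the "restricted" profile, a default-deny Network Policy with DNS explicitly allowed back (the caveat people hit first: default-deny egress also blocks name resolution), a least-privilege Role, and a RuntimeClass that lets individual pods opt into the gVisor sandbox.

```yaml
# Added example (not from the slides): cluster-level controls for one namespace.
# "payments", the "api" ServiceAccount and the "gvisor" RuntimeClass are assumed names.
---
# Pod Security Admission: reject pods that violate the "restricted" profile, and
# warn/audit at the same level so violations are visible in kubectl output and audit logs.
apiVersion: v1
kind: Namespace
metadata:
  name: payments
  labels:
    pod-security.kubernetes.io/enforce: restricted
    pod-security.kubernetes.io/enforce-version: latest
    pod-security.kubernetes.io/warn: restricted
    pod-security.kubernetes.io/audit: restricted
---
# Network Policy: default-deny all ingress and egress for every pod in the namespace.
# Policies are additive, so per-workload allow rules are added alongside this one.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: payments
spec:
  podSelector: {}
  policyTypes:
    - Ingress
    - Egress
---
# Without this, the default-deny above also blocks DNS and most workloads break.
# kube-system carries the automatic kubernetes.io/metadata.name label; CoreDNS pods
# carry k8s-app: kube-dns in standard installations.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-dns-egress
  namespace: payments
spec:
  podSelector: {}
  policyTypes:
    - Egress
  egress:
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
---
# RBAC, least privilege: the "api" ServiceAccount may only read ConfigMaps in its own
# namespace. No wildcard verbs or resources, and a RoleBinding rather than a
# ClusterRoleBinding so the grant cannot leak into other namespaces.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: configmap-reader
  namespace: payments
rules:
  - apiGroups: [""]
    resources: ["configmaps"]
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: api-configmap-reader
  namespace: payments
subjects:
  - kind: ServiceAccount
    name: api
    namespace: payments
roleRef:
  kind: Role
  name: configmap-reader
  apiGroup: rbac.authorization.k8s.io
---
# Container runtime sandbox: a RuntimeClass for gVisor. The "runsc" handler has to be
# configured in the container runtime (e.g. containerd) on the nodes; pods opt in by
# setting spec.runtimeClassName: gvisor.
apiVersion: node.k8s.io/v1
kind: RuntimeClass
metadata:
  name: gvisor
handler: runsc
```

The built-in audit policy from the same slide is not a manifest you apply to the cluster: it is a file of kind Policy (apiVersion audit.k8s.io/v1) passed to kube-apiserver with --audit-policy-file, so it is configured on the control plane nodes rather than through kubectl.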
  • 15. C3: Container
    ■ Static Code Analysis
      ■ Areas: Kubernetes resources, Docker/container files
      ■ Tools: Kubesec, Checkov
    ■ Container Image Supply Chain
      ■ Areas: Trusted container registry, container image vulnerabilities
      ■ Tools: Trivy, Snyk, ImagePolicyWebhook
    ■ Container Access
      ■ Areas: Container user, container filesystem access, privileged containers
      ■ Tools: Built-in SecurityContext, Seccomp, AppArmor, SELinux
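As an added example (not from the slides), here is the same workload before and after applying the container-access controls this slide lists: SecurityContext, seccomp, and AppArmor, plus an image pinned from a trusted registry. The registry, image name, version tag, and the container name "app" are assumptions for illustration.

```yaml
# Added example (not from the slides): a weak pod spec and its hardened counterpart.
# registry.example.com/team/app and the "app" container name are assumed for illustration.
---
# BEFORE: what a default spec tends to look like. It runs as root, can escalate
# privileges, has a writable root filesystem and keeps all capabilities. "latest" also
# makes the running image unreproducible, and privileged: true hands over the host.
apiVersion: v1
kind: Pod
metadata:
  name: app-weak
spec:
  containers:
    - name: app
      image: registry.example.com/team/app:latest
      securityContext:
        privileged: true   # full host access; never needed for an ordinary service
---
# AFTER: hardened pod. Every setting here is also required or allowed by the
# Pod Security "restricted" profile, so it passes a namespace enforcing it.
apiVersion: v1
kind: Pod
metadata:
  name: app-hardened
  annotations:
    # AppArmor: confine the "app" container with the runtime's default profile
    # (annotation form; newer clusters also accept securityContext.appArmorProfile).
    container.apparmor.security.beta.kubernetes.io/app: runtime/default
spec:
  automountServiceAccountToken: false   # no API token in the pod unless the app needs one
  securityContext:
    runAsNonRoot: true                  # kubelet refuses to start the container as UID 0
    runAsUser: 10001
    runAsGroup: 10001
    fsGroup: 10001
    seccompProfile:
      type: RuntimeDefault              # seccomp: the container runtime's default syscall filter
  containers:
    - name: app
      # Pin to an immutable version from a trusted registry; pinning by @sha256 digest is
      # stronger still, since a tag can be re-pushed.
      image: registry.example.com/team/app:1.4.2
      securityContext:
        privileged: false
        allowPrivilegeEscalation: false # blocks setuid binaries and file capabilities
        readOnlyRootFilesystem: true    # an attacker cannot drop tools into the image
        capabilities:
          drop: ["ALL"]                 # add back single capabilities only if proven needed
      volumeMounts:
        - name: tmp
          mountPath: /tmp               # the only writable path
      resources:
        limits:
          cpu: "500m"
          memory: "256Mi"
  volumes:
    - name: tmp
      emptyDir: {}
```

A quick check that the hardening actually holds: kubectl exec into the hardened pod and run id (expect uid 10001), touch /etc/x (expect a read-only filesystem error), and compare with the weak pod, where both succeed as root.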
  • 16. C4: Code
    ■ Programming Language Security Best Practices
    ■ Static Code Analysis
      ■ Tools: SonarQube, Snyk
    ■ Penetration Testing
    ■ 3rd Party Dependency Security
  • 18. Kubernetes Security Starter Kit
    4 Kubernetes security tools that everyone should have:
    ■ Kube-linter: use it to lint your Kubernetes manifests and enforce best practices consistently. (Also check Conftest for more powerful options.)
    ■ Kubesec: use it to analyze Kubernetes manifests, either statically in CI or dynamically as an admission webhook.
    ■ Snyk: use it to scan application code and Docker/container images for vulnerabilities.
    ■ Kube-hunter: use it to spot and identify weaknesses in Kubernetes clusters. Try the "passive mode" first, and be careful with the "active mode": it tries to exploit what it finds and can change the state of the cluster.
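To show how the first three tools fit into the shift-left flow from earlier in the deck, here is an added example of a CI workflow (GitHub Actions syntax; not from the slides or any of the tools' own documentation). It assumes the manifests live under ./manifests, the image is built from the repository's Dockerfile, and a SNYK_TOKEN secret is configured. Kube-hunter is deliberately left out: it probes a running cluster, not the repository, so it belongs in a scheduled job or a manual assessment rather than a per-commit check.

```yaml
# Added example (not from the slides): run kube-linter, kubesec and snyk on every push.
# Assumed layout: manifests under ./manifests, a Dockerfile at the repo root, and a
# SNYK_TOKEN repository secret. Tool names and commands are the tools' public CLIs.
name: k8s-security-checks
on: [push, pull_request]

jobs:
  manifests:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-go@v5
        with:
          go-version: stable

      # Kube-linter: exits non-zero when a manifest fails a check (e.g. runs as root,
      # no resource limits, "latest" tag), which fails the job and blocks the merge.
      - name: kube-linter
        run: |
          go install golang.stackrox.io/kube-linter/cmd/kube-linter@latest
          "$(go env GOPATH)/bin/kube-linter" lint manifests/

      # Kubesec: static risk scoring of a manifest, read from stdin. The same engine can
      # be deployed as an admission webhook so the score is enforced at apply time too.
      - name: kubesec
        run: |
          docker run --rm -i kubesec/kubesec:v2 scan /dev/stdin < manifests/deployment.yaml

  image:
    runs-on: ubuntu-latest
    env:
      IMAGE: app:${{ github.sha }}     # assumed image name; tag by commit, never "latest"
    steps:
      - uses: actions/checkout@v4

      - name: build image
        run: docker build -t "$IMAGE" .

      # Snyk: scan the freshly built image for known vulnerabilities and fail on
      # high/critical findings. SNYK_TOKEN is the environment variable the CLI reads.
      - name: snyk container test
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        run: |
          npm install -g snyk
          snyk container test "$IMAGE" --severity-threshold=high
```

Running the manifest checks and the image scan as separate jobs keeps them independent, so a flaky registry or scanner outage does not hide a failing manifest lint, and each job's log points straight at the tool that complained.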
  • 19. CKS Exam Overview and Tips
  • 20. Overview
    ■ The Certified Kubernetes Security Specialist (CKS) was introduced in 2020 as the 3rd Kubernetes certificate, after CKA and CKAD.
    ■ A valid CKA certification is required as a prerequisite.
    ■ The CKS certificate is valid for 2 years.
    ■ The exam is available remotely (you can take it from home) and costs $300 (discounts of up to 50% are offered at various times during the year).
    ■ The exam purchase comes with 12 months of eligibility and 1 free retake.
    ■ CKS is a hands-on exam that takes 2 hours and has 15-20 tasks with different weights.
  • 21. Tips
    ■ Practice a lot! It's a hands-on exam. Especially with the Killer.sh exam simulator.
    ■ Time management is key. 2 hours is not much for all those questions.
    ■ Track the questions. Use the embedded notepad or the flags in the exam.
    ■ Familiarize yourself with the official documentation. You can open 1 extra tab.
    ■ Get familiar with the web terminal. It has different shortcuts for copy/paste.
    ■ Get a bigger screen! A laptop or small screen will limit you a lot.
    ■ Disable the "Ctrl + W" shortcut! It is used almost everywhere, and it will close your exam tab if you hit it unintentionally.
    More details on my blog: Certified Kubernetes Security Specialist exam tips
  • 23. Resources
    ■ Overview of Cloud Native Security - Kubernetes
    ■ Kubernetes Security Cheat Sheet - OWASP
    ■ Shift Left - Devopedia
    ■ Shift-Left Security: The Basics of Threat Modeling - Iterasec
    ■ What is DevSecOps? And what you need to do it well - Dynatrace
    ■ How DevSecOps brings security into the development process - Red Hat Developer