SlideShare a Scribd company logo

Kubernetes #3 security

Download as PPTX, PDF
Terry Cho
Terry Cho

쿠버네티스 보안 계정 관리와 권한 컨트롤 네트워크 보안 보안 컨택스트

Technology
1 of 28
Kubernetes #3. Security 조대협 (http://bcho.tistory.com)
Agenda ● Authentication & Authorization ● Network Policy ● Security Context ● Security best practice
Authentication & Authorization
User identity in k8s Kubernetes distinguishes between two kinds of clients connection to API Server ● Users (Actual human user) Kubernetes doesn’t have built in user account management system It should use integrate with external identity management system ○ Open ID (OAuth2) ○ Webhook ● Service account (Machine like Pod) ○ Identity of Pod to call API ■ Create : kubectl create serviceaccount {service account name} ■ List : kubectl list sa ■ Assign SA to POD
Authenticate ● User identity is used for authenticate request for API Server ● How to authenticate user request ○ Basic HTTP Auth ○ Access token via HTTP Header ○ Client cert ○ Custom made
RBAC (Resource based access control) Role ResourceRoleBinding users User group Service account get list watch create update patch delete : pod node service : Role RoleBinding
apigroups ● Core group, often referred to as the legacy group /api/v1 ● Names group /apis/$GROUP_NAME/$VERSION ex) Create daemonSet : POST /apis/apps/v1/namespaces/{namespace}/daemonsets
Namespace : default Role & namespace Role PodsRoleBindingjane
Namespace : foo1 Namespace : default Role & namespace Role PodsRoleBindingtom - kind : User name : tom namespace : foo
Cluster Role ● Role,RoleBinding : namespace d resource ● ClusterRole,ClusterRoleBinidng : Cluster wide ○ Role for all of resources in cluster (across multiple namespaces) ○ There are resources that are not namespaced
Predefined Role From https://kubernetes.io/docs/reference/access-authn-authz/rbac/#permissive-rbac-permissions
Network Policy
Network Policy ● Network policy can control ingress & egress traffic for Pod ● It is based on ○ Label (label selector) ○ Protocol (TCP/UDP), Port ○ IP range (CIDR) ● Recipes https://github.com/ahmetb/kubernetes-network-policy-recipes
Ingress control ● Deny all ingress traffic to Pod ● Limit ingress traffic to Pod
Egress control ● Deny egress traffic app=foo Other Pod ● Limit egress traffic app=foo Other Pod UDP:53 TCP:53
Security Context
Security Context ● Security-related feature can be configured on Pod and its container through-out security-Context properties ● It can ○ Specify the user under which the process in the container will run ○ Prevest the container from running as root ○ Privileged mode (full access to it’s node’s kernel) ○ Fine grained privileged mode (partial access for node’s kernel)
Security context example ● Prevent container run as root ● Run container with specified user
Security context example ● Run container with full kernel capabilities (Privileged mode) For example NFS ● Set capabilities for Container Adding individual kernel capabilities to a container
Best practice
Security best practice Reference ● https://kubernetes.io/blog/2016/08/security-best-practices-kubernetes- deployment/
Container Image control ● Implement continuous security vulnerability scanning Include security scanning process in CI/CD pipeline ● Regularly apply security updates Update container image to latest version (ex node.js etc) ● Ensure that only authorized images are used in your environment
Authorization control ● Create Administrative Boundaries between Resources ● Limit direct access to Kubernetes Nodes You should limit SSH access to Kubernetes nodes. (instead of that user to use kubectl exec)
Quota control ● Define Resource Quota Give resource limit to namespace
Network control ● Implement network segmentation POST /apis/net.alpha.kubernetes.io/v1alpha1/namespaces/tenant-a/networkpolicys { "kind": "NetworkPolicy", "metadata": { "name": "pol1" }, "spec": { "allowIncoming": { "from": [{ "pods": { "segment": "frontend" } }], "toPorts": [{ "port": 80, "protocol": "TCP" }] }, "podSelector": { "segment": "backend" } } }
Security context for Pod ● SecurityContext->runAsNonRoot : Indicates that containers should run as non-root user ● SecurityContext->Capabilities : Controls the Linux capabilities assigned to the container. ● SecurityContext->readOnlyRootFilesystem : Controls whether a container will be able to write into the root filesystem. ● PodSecurityContext->runAsNonRoot: Prevents running a container with ‘root’ user as part of the pod
Log Cluster ● Build log system (ELK) and gather Log
End of document

Recommended

Kubernetes #2 monitoring
Kubernetes #2 monitoring Kubernetes #2 monitoring
Kubernetes #2 monitoring Terry Cho
 
Kubernetes #4 volume & stateful set
Kubernetes #4 volume & stateful setKubernetes #4 volume & stateful set
Kubernetes #4 volume & stateful setTerry Cho
 
Kubernetes Basic Operation
Kubernetes Basic OperationKubernetes Basic Operation
Kubernetes Basic OperationSimon Su
 
Container-relevant Upstream Kernel Developments
Container-relevant Upstream Kernel DevelopmentsContainer-relevant Upstream Kernel Developments
Container-relevant Upstream Kernel DevelopmentsDocker, Inc.
 
OpenCensus with Prometheus and Kubernetes
OpenCensus with Prometheus and KubernetesOpenCensus with Prometheus and Kubernetes
OpenCensus with Prometheus and KubernetesJinwoong Kim
 
Kubernetes Walk Through from Technical View
Kubernetes Walk Through from Technical ViewKubernetes Walk Through from Technical View
Kubernetes Walk Through from Technical ViewLei (Harry) Zhang
 
Scaling Microservices with Kubernetes
Scaling Microservices with KubernetesScaling Microservices with Kubernetes
Scaling Microservices with KubernetesDeivid Hahn Fração
 
Openstack study-nova-02
Openstack study-nova-02Openstack study-nova-02
Openstack study-nova-02Jinho Shin
 

Recommended

Kubernetes #2 monitoring
Kubernetes #2 monitoring Kubernetes #2 monitoring
Kubernetes #2 monitoring Terry Cho
 
Kubernetes #4 volume & stateful set
Kubernetes #4 volume & stateful setKubernetes #4 volume & stateful set
Kubernetes #4 volume & stateful setTerry Cho
 
Kubernetes Basic Operation
Kubernetes Basic OperationKubernetes Basic Operation
Kubernetes Basic OperationSimon Su
 
Container-relevant Upstream Kernel Developments
Container-relevant Upstream Kernel DevelopmentsContainer-relevant Upstream Kernel Developments
Container-relevant Upstream Kernel DevelopmentsDocker, Inc.
 
OpenCensus with Prometheus and Kubernetes
OpenCensus with Prometheus and KubernetesOpenCensus with Prometheus and Kubernetes
OpenCensus with Prometheus and KubernetesJinwoong Kim
 
Kubernetes Walk Through from Technical View
Kubernetes Walk Through from Technical ViewKubernetes Walk Through from Technical View
Kubernetes Walk Through from Technical ViewLei (Harry) Zhang
 
Scaling Microservices with Kubernetes
Scaling Microservices with KubernetesScaling Microservices with Kubernetes
Scaling Microservices with KubernetesDeivid Hahn Fração
 
Openstack study-nova-02
Openstack study-nova-02Openstack study-nova-02
Openstack study-nova-02Jinho Shin
 
Kubernetes in 30 minutes (2017/03/10)
Kubernetes in 30 minutes (2017/03/10)Kubernetes in 30 minutes (2017/03/10)
Kubernetes in 30 minutes (2017/03/10)lestrrat
 
Kubernetes 1.3 - Highlights
Kubernetes 1.3 - HighlightsKubernetes 1.3 - Highlights
Kubernetes 1.3 - HighlightsMatthew Barker
 
Containerd internals: building a core container runtime
Containerd internals: building a core container runtimeContainerd internals: building a core container runtime
Containerd internals: building a core container runtimeDocker, Inc.
 
KubeCon EU 2016: A Practical Guide to Container Scheduling
KubeCon EU 2016: A Practical Guide to Container SchedulingKubeCon EU 2016: A Practical Guide to Container Scheduling
KubeCon EU 2016: A Practical Guide to Container SchedulingKubeAcademy
 
Gluster d thread_synchronization_using_urcu_lca2016
Gluster d thread_synchronization_using_urcu_lca2016Gluster d thread_synchronization_using_urcu_lca2016
Gluster d thread_synchronization_using_urcu_lca2016Gluster.org
 
Gluster Containerized Storage for Cloud Applications
Gluster Containerized Storage for Cloud ApplicationsGluster Containerized Storage for Cloud Applications
Gluster Containerized Storage for Cloud ApplicationsGluster.org
 
Kubernetes introduction
Kubernetes introductionKubernetes introduction
Kubernetes introductionDongwon Kim
 
Practical Glusto Example
Practical Glusto ExamplePractical Glusto Example
Practical Glusto ExampleGluster.org
 
KubeCon EU 2016: Kubernetes Storage 101
KubeCon EU 2016: Kubernetes Storage 101KubeCon EU 2016: Kubernetes Storage 101
KubeCon EU 2016: Kubernetes Storage 101KubeAcademy
 
Containers > VMs
Containers > VMsContainers > VMs
Containers > VMsDavid Timothy Strauss
 
Gluster and Kubernetes
Gluster and KubernetesGluster and Kubernetes
Gluster and KubernetesGluster.org
 
Kubernetes dealing with storage and persistence
Kubernetes dealing with storage and persistenceKubernetes dealing with storage and persistence
Kubernetes dealing with storage and persistenceJanakiram MSV
 
Docker 1.5
Docker 1.5Docker 1.5
Docker 1.5rajdeep
 
Using linuxKit to build custom rancherOS systems
Using linuxKit to build custom rancherOS systems Using linuxKit to build custom rancherOS systems
Using linuxKit to build custom rancherOS systems Moby Project
 
Hands On Gluster with Jeff Darcy
Hands On Gluster with Jeff DarcyHands On Gluster with Jeff Darcy
Hands On Gluster with Jeff DarcyGluster.org
 
[OpenInfra Days Korea 2018] Day 1 - T4-7: "Ceph 스토리지, PaaS로 서비스 운영하기"
[OpenInfra Days Korea 2018] Day 1 - T4-7: "Ceph 스토리지, PaaS로 서비스 운영하기"[OpenInfra Days Korea 2018] Day 1 - T4-7: "Ceph 스토리지, PaaS로 서비스 운영하기"
[OpenInfra Days Korea 2018] Day 1 - T4-7: "Ceph 스토리지, PaaS로 서비스 운영하기"OpenStack Korea Community
 
Couch to OpenStack: Cinder - August 6, 2013
Couch to OpenStack: Cinder - August 6, 2013Couch to OpenStack: Cinder - August 6, 2013
Couch to OpenStack: Cinder - August 6, 2013Trevor Roberts Jr.
 
[OpenInfra Days Korea 2018] Day 2 - E6 - OpenInfra monitoring with Prometheus
[OpenInfra Days Korea 2018] Day 2 - E6 - OpenInfra monitoring with Prometheus[OpenInfra Days Korea 2018] Day 2 - E6 - OpenInfra monitoring with Prometheus
[OpenInfra Days Korea 2018] Day 2 - E6 - OpenInfra monitoring with PrometheusOpenStack Korea Community
 
Load Balancing Applications with NGINX in a CoreOS Cluster
Load Balancing Applications with NGINX in a CoreOS ClusterLoad Balancing Applications with NGINX in a CoreOS Cluster
Load Balancing Applications with NGINX in a CoreOS ClusterKevin Jones
 
1909 Hyperledger Besu(a.k.a pantheon) Overview
1909 Hyperledger Besu(a.k.a pantheon) Overview1909 Hyperledger Besu(a.k.a pantheon) Overview
1909 Hyperledger Besu(a.k.a pantheon) OverviewHyperledger Korea User Group
 
Introduction to kubernetes
Introduction to kubernetesIntroduction to kubernetes
Introduction to kubernetesRishabh Indoria
 
Kubernetes 101 for_penetration_testers_-_null_mumbai
Kubernetes 101 for_penetration_testers_-_null_mumbaiKubernetes 101 for_penetration_testers_-_null_mumbai
Kubernetes 101 for_penetration_testers_-_null_mumbain|u - The Open Security Community
 

More Related Content

What's hot

Kubernetes in 30 minutes (2017/03/10)
Kubernetes in 30 minutes (2017/03/10)Kubernetes in 30 minutes (2017/03/10)
Kubernetes in 30 minutes (2017/03/10)lestrrat
 
Kubernetes 1.3 - Highlights
Kubernetes 1.3 - HighlightsKubernetes 1.3 - Highlights
Kubernetes 1.3 - HighlightsMatthew Barker
 
Containerd internals: building a core container runtime
Containerd internals: building a core container runtimeContainerd internals: building a core container runtime
Containerd internals: building a core container runtimeDocker, Inc.
 
KubeCon EU 2016: A Practical Guide to Container Scheduling
KubeCon EU 2016: A Practical Guide to Container SchedulingKubeCon EU 2016: A Practical Guide to Container Scheduling
KubeCon EU 2016: A Practical Guide to Container SchedulingKubeAcademy
 
Gluster d thread_synchronization_using_urcu_lca2016
Gluster d thread_synchronization_using_urcu_lca2016Gluster d thread_synchronization_using_urcu_lca2016
Gluster d thread_synchronization_using_urcu_lca2016Gluster.org
 
Gluster Containerized Storage for Cloud Applications
Gluster Containerized Storage for Cloud ApplicationsGluster Containerized Storage for Cloud Applications
Gluster Containerized Storage for Cloud ApplicationsGluster.org
 
Kubernetes introduction
Kubernetes introductionKubernetes introduction
Kubernetes introductionDongwon Kim
 
Practical Glusto Example
Practical Glusto ExamplePractical Glusto Example
Practical Glusto ExampleGluster.org
 
KubeCon EU 2016: Kubernetes Storage 101
KubeCon EU 2016: Kubernetes Storage 101KubeCon EU 2016: Kubernetes Storage 101
KubeCon EU 2016: Kubernetes Storage 101KubeAcademy
 
Gluster and Kubernetes
Gluster and KubernetesGluster and Kubernetes
Gluster and KubernetesGluster.org
 
Kubernetes dealing with storage and persistence
Kubernetes dealing with storage and persistenceKubernetes dealing with storage and persistence
Kubernetes dealing with storage and persistenceJanakiram MSV
 
Docker 1.5
Docker 1.5Docker 1.5
Docker 1.5rajdeep
 
Using linuxKit to build custom rancherOS systems
Using linuxKit to build custom rancherOS systems Using linuxKit to build custom rancherOS systems
Using linuxKit to build custom rancherOS systems Moby Project
 
Hands On Gluster with Jeff Darcy
Hands On Gluster with Jeff DarcyHands On Gluster with Jeff Darcy
Hands On Gluster with Jeff DarcyGluster.org
 
[OpenInfra Days Korea 2018] Day 1 - T4-7: "Ceph 스토리지, PaaS로 서비스 운영하기"
[OpenInfra Days Korea 2018] Day 1 - T4-7: "Ceph 스토리지, PaaS로 서비스 운영하기"[OpenInfra Days Korea 2018] Day 1 - T4-7: "Ceph 스토리지, PaaS로 서비스 운영하기"
[OpenInfra Days Korea 2018] Day 1 - T4-7: "Ceph 스토리지, PaaS로 서비스 운영하기"OpenStack Korea Community
 
Couch to OpenStack: Cinder - August 6, 2013
Couch to OpenStack: Cinder - August 6, 2013Couch to OpenStack: Cinder - August 6, 2013
Couch to OpenStack: Cinder - August 6, 2013Trevor Roberts Jr.
 
[OpenInfra Days Korea 2018] Day 2 - E6 - OpenInfra monitoring with Prometheus
[OpenInfra Days Korea 2018] Day 2 - E6 - OpenInfra monitoring with Prometheus[OpenInfra Days Korea 2018] Day 2 - E6 - OpenInfra monitoring with Prometheus
[OpenInfra Days Korea 2018] Day 2 - E6 - OpenInfra monitoring with PrometheusOpenStack Korea Community
 
Load Balancing Applications with NGINX in a CoreOS Cluster
Load Balancing Applications with NGINX in a CoreOS ClusterLoad Balancing Applications with NGINX in a CoreOS Cluster
Load Balancing Applications with NGINX in a CoreOS ClusterKevin Jones
 

What's hot (20)

Kubernetes in 30 minutes (2017/03/10)
Kubernetes in 30 minutes (2017/03/10)Kubernetes in 30 minutes (2017/03/10)
Kubernetes in 30 minutes (2017/03/10)
 
Kubernetes 1.3 - Highlights
Kubernetes 1.3 - HighlightsKubernetes 1.3 - Highlights
Kubernetes 1.3 - Highlights
 
Containerd internals: building a core container runtime
Containerd internals: building a core container runtimeContainerd internals: building a core container runtime
Containerd internals: building a core container runtime
 
KubeCon EU 2016: A Practical Guide to Container Scheduling
KubeCon EU 2016: A Practical Guide to Container SchedulingKubeCon EU 2016: A Practical Guide to Container Scheduling
KubeCon EU 2016: A Practical Guide to Container Scheduling
 
Gluster d thread_synchronization_using_urcu_lca2016
Gluster d thread_synchronization_using_urcu_lca2016Gluster d thread_synchronization_using_urcu_lca2016
Gluster d thread_synchronization_using_urcu_lca2016
 
Gluster Containerized Storage for Cloud Applications
Gluster Containerized Storage for Cloud ApplicationsGluster Containerized Storage for Cloud Applications
Gluster Containerized Storage for Cloud Applications
 
Kubernetes introduction
Kubernetes introductionKubernetes introduction
Kubernetes introduction
 
Practical Glusto Example
Practical Glusto ExamplePractical Glusto Example
Practical Glusto Example
 
KubeCon EU 2016: Kubernetes Storage 101
KubeCon EU 2016: Kubernetes Storage 101KubeCon EU 2016: Kubernetes Storage 101
KubeCon EU 2016: Kubernetes Storage 101
 
Containers > VMs
Containers > VMsContainers > VMs
Containers > VMs
 
Gluster and Kubernetes
Gluster and KubernetesGluster and Kubernetes
Gluster and Kubernetes
 
Kubernetes dealing with storage and persistence
Kubernetes dealing with storage and persistenceKubernetes dealing with storage and persistence
Kubernetes dealing with storage and persistence
 
Docker 1.5
Docker 1.5Docker 1.5
Docker 1.5
 
Using linuxKit to build custom rancherOS systems
Using linuxKit to build custom rancherOS systems Using linuxKit to build custom rancherOS systems
Using linuxKit to build custom rancherOS systems
 
Hands On Gluster with Jeff Darcy
Hands On Gluster with Jeff DarcyHands On Gluster with Jeff Darcy
Hands On Gluster with Jeff Darcy
 
[OpenInfra Days Korea 2018] Day 1 - T4-7: "Ceph 스토리지, PaaS로 서비스 운영하기"
[OpenInfra Days Korea 2018] Day 1 - T4-7: "Ceph 스토리지, PaaS로 서비스 운영하기"[OpenInfra Days Korea 2018] Day 1 - T4-7: "Ceph 스토리지, PaaS로 서비스 운영하기"
[OpenInfra Days Korea 2018] Day 1 - T4-7: "Ceph 스토리지, PaaS로 서비스 운영하기"
 
Couch to OpenStack: Cinder - August 6, 2013
Couch to OpenStack: Cinder - August 6, 2013Couch to OpenStack: Cinder - August 6, 2013
Couch to OpenStack: Cinder - August 6, 2013
 
[OpenInfra Days Korea 2018] Day 2 - E6 - OpenInfra monitoring with Prometheus
[OpenInfra Days Korea 2018] Day 2 - E6 - OpenInfra monitoring with Prometheus[OpenInfra Days Korea 2018] Day 2 - E6 - OpenInfra monitoring with Prometheus
[OpenInfra Days Korea 2018] Day 2 - E6 - OpenInfra monitoring with Prometheus
 
Load Balancing Applications with NGINX in a CoreOS Cluster
Load Balancing Applications with NGINX in a CoreOS ClusterLoad Balancing Applications with NGINX in a CoreOS Cluster
Load Balancing Applications with NGINX in a CoreOS Cluster
 
1909 Hyperledger Besu(a.k.a pantheon) Overview
1909 Hyperledger Besu(a.k.a pantheon) Overview1909 Hyperledger Besu(a.k.a pantheon) Overview
1909 Hyperledger Besu(a.k.a pantheon) Overview
 

Similar to Kubernetes #3 security

Introduction to kubernetes
Introduction to kubernetesIntroduction to kubernetes
Introduction to kubernetesRishabh Indoria
 
Extending kubernetes
Extending kubernetesExtending kubernetes
Extending kubernetesGigi Sayfan
 
kubernetesssssssssssssssssssssssssss.pdf
kubernetesssssssssssssssssssssssssss.pdfkubernetesssssssssssssssssssssssssss.pdf
kubernetesssssssssssssssssssssssssss.pdfbchiriamina2
 
Kubernetes for Beginners
Kubernetes for BeginnersKubernetes for Beginners
Kubernetes for BeginnersDigitalOcean
 
User authentication and authorizarion in Kubernetes
User authentication and authorizarion in KubernetesUser authentication and authorizarion in Kubernetes
User authentication and authorizarion in KubernetesNeependra Khare
 
Evolution of security strategies in K8s environments.pdf
Evolution of security strategies in K8s environments.pdfEvolution of security strategies in K8s environments.pdf
Evolution of security strategies in K8s environments.pdfJose Manuel Ortega Candel
 
Securing Containerized Applications: A Primer
Securing Containerized Applications: A PrimerSecuring Containerized Applications: A Primer
Securing Containerized Applications: A PrimerPhil Estes
 
Control Plane: Continuous Kubernetes Security (DevSecOps - London Gathering, ...
Control Plane: Continuous Kubernetes Security (DevSecOps - London Gathering, ...Control Plane: Continuous Kubernetes Security (DevSecOps - London Gathering, ...
Control Plane: Continuous Kubernetes Security (DevSecOps - London Gathering, ...Michael Man
 
Kubernetes basics information along with stateful session info
Kubernetes basics information along with stateful session infoKubernetes basics information along with stateful session info
Kubernetes basics information along with stateful session infoKapildev292285
 
Kubernetes #1 intro
Kubernetes #1 introKubernetes #1 intro
Kubernetes #1 introTerry Cho
 
Kubernetes secret introduction
Kubernetes secret introductionKubernetes secret introduction
Kubernetes secret introductionEvan Lin
 
containerD
containerDcontainerD
containerDstrikr .
 
Security on a Container Platform
Security on a Container PlatformSecurity on a Container Platform
Security on a Container PlatformAll Things Open
 
DevOps in AWS with Kubernetes
DevOps in AWS with KubernetesDevOps in AWS with Kubernetes
DevOps in AWS with KubernetesOleg Chunikhin
 
Introduction to rook
Introduction to rookIntroduction to rook
Introduction to rookRohan Gupta
 
Introduction to Container Storage Interface (CSI)
Introduction to Container Storage Interface (CSI)Introduction to Container Storage Interface (CSI)
Introduction to Container Storage Interface (CSI)Idan Atias
 

Similar to Kubernetes #3 security (20)

Introduction to kubernetes
Introduction to kubernetesIntroduction to kubernetes
Introduction to kubernetes
 
Kubernetes 101 for_penetration_testers_-_null_mumbai
Kubernetes 101 for_penetration_testers_-_null_mumbaiKubernetes 101 for_penetration_testers_-_null_mumbai
Kubernetes 101 for_penetration_testers_-_null_mumbai
 
Extending kubernetes
Extending kubernetesExtending kubernetes
Extending kubernetes
 
kubernetesssssssssssssssssssssssssss.pdf
kubernetesssssssssssssssssssssssssss.pdfkubernetesssssssssssssssssssssssssss.pdf
kubernetesssssssssssssssssssssssssss.pdf
 
Kubernetes security
Kubernetes securityKubernetes security
Kubernetes security
 
Kubernetes for Beginners
Kubernetes for BeginnersKubernetes for Beginners
Kubernetes for Beginners
 
User authentication and authorizarion in Kubernetes
User authentication and authorizarion in KubernetesUser authentication and authorizarion in Kubernetes
User authentication and authorizarion in Kubernetes
 
Evolution of security strategies in K8s environments.pdf
Evolution of security strategies in K8s environments.pdfEvolution of security strategies in K8s environments.pdf
Evolution of security strategies in K8s environments.pdf
 
Securing Containerized Applications: A Primer
Securing Containerized Applications: A PrimerSecuring Containerized Applications: A Primer
Securing Containerized Applications: A Primer
 
Control Plane: Continuous Kubernetes Security (DevSecOps - London Gathering, ...
Control Plane: Continuous Kubernetes Security (DevSecOps - London Gathering, ...Control Plane: Continuous Kubernetes Security (DevSecOps - London Gathering, ...
Control Plane: Continuous Kubernetes Security (DevSecOps - London Gathering, ...
 
DevOps with Kubernetes
DevOps with KubernetesDevOps with Kubernetes
DevOps with Kubernetes
 
Kubernetes basics information along with stateful session info
Kubernetes basics information along with stateful session infoKubernetes basics information along with stateful session info
Kubernetes basics information along with stateful session info
 
Kubernetes #1 intro
Kubernetes #1 introKubernetes #1 intro
Kubernetes #1 intro
 
Kubernetes secret introduction
Kubernetes secret introductionKubernetes secret introduction
Kubernetes secret introduction
 
Kubernetes security with AWS
Kubernetes security with AWSKubernetes security with AWS
Kubernetes security with AWS
 
containerD
containerDcontainerD
containerD
 
Security on a Container Platform
Security on a Container PlatformSecurity on a Container Platform
Security on a Container Platform
 
DevOps in AWS with Kubernetes
DevOps in AWS with KubernetesDevOps in AWS with Kubernetes
DevOps in AWS with Kubernetes
 
Introduction to rook
Introduction to rookIntroduction to rook
Introduction to rook
 
Introduction to Container Storage Interface (CSI)
Introduction to Container Storage Interface (CSI)Introduction to Container Storage Interface (CSI)
Introduction to Container Storage Interface (CSI)
 

More from Terry Cho

Kubernetes #6 advanced scheduling
Kubernetes #6 advanced schedulingKubernetes #6 advanced scheduling
Kubernetes #6 advanced schedulingTerry Cho
 
머신러닝으로 얼굴 인식 모델 개발 삽질기
머신러닝으로 얼굴 인식 모델 개발 삽질기머신러닝으로 얼굴 인식 모델 개발 삽질기
머신러닝으로 얼굴 인식 모델 개발 삽질기Terry Cho
 
5. 솔루션 카달로그
5. 솔루션 카달로그5. 솔루션 카달로그
5. 솔루션 카달로그Terry Cho
 
4. 대용량 아키텍쳐 설계 패턴
4. 대용량 아키텍쳐 설계 패턴4. 대용량 아키텍쳐 설계 패턴
4. 대용량 아키텍쳐 설계 패턴Terry Cho
 
3. 마이크로 서비스 아키텍쳐
3. 마이크로 서비스 아키텍쳐3. 마이크로 서비스 아키텍쳐
3. 마이크로 서비스 아키텍쳐Terry Cho
 
서비스 지향 아키텍쳐 (SOA)
서비스 지향 아키텍쳐 (SOA)서비스 지향 아키텍쳐 (SOA)
서비스 지향 아키텍쳐 (SOA)Terry Cho
 
1. 아키텍쳐 설계 프로세스
1. 아키텍쳐 설계 프로세스1. 아키텍쳐 설계 프로세스
1. 아키텍쳐 설계 프로세스Terry Cho
 
애자일 스크럼과 JIRA
애자일 스크럼과 JIRA 애자일 스크럼과 JIRA
애자일 스크럼과 JIRA Terry Cho
 
REST API 설계
REST API 설계REST API 설계
REST API 설계Terry Cho
 
모바일 개발 트랜드
모바일 개발 트랜드모바일 개발 트랜드
모바일 개발 트랜드Terry Cho
 
소프트웨어 개발 트랜드 및 MSA (마이크로 서비스 아키텍쳐)의 이해
소프트웨어 개발 트랜드 및 MSA (마이크로 서비스 아키텍쳐)의 이해소프트웨어 개발 트랜드 및 MSA (마이크로 서비스 아키텍쳐)의 이해
소프트웨어 개발 트랜드 및 MSA (마이크로 서비스 아키텍쳐)의 이해Terry Cho
 
Micro Service Architecture의 이해
Micro Service Architecture의 이해Micro Service Architecture의 이해
Micro Service Architecture의 이해Terry Cho
 
머신 러닝 입문 #1-머신러닝 소개와 kNN 소개
머신 러닝 입문 #1-머신러닝 소개와 kNN 소개머신 러닝 입문 #1-머신러닝 소개와 kNN 소개
머신 러닝 입문 #1-머신러닝 소개와 kNN 소개Terry Cho
 
R 프로그래밍-향상된 데이타 조작
R 프로그래밍-향상된 데이타 조작R 프로그래밍-향상된 데이타 조작
R 프로그래밍-향상된 데이타 조작Terry Cho
 
R 프로그래밍 기본 문법
R 프로그래밍 기본 문법R 프로그래밍 기본 문법
R 프로그래밍 기본 문법Terry Cho
 
R 기본-데이타형 소개
R 기본-데이타형 소개R 기본-데이타형 소개
R 기본-데이타형 소개Terry Cho
 
2014 공개소프트웨어 대회 소프트웨어 개발 트렌드의 변화
2014 공개소프트웨어 대회 소프트웨어 개발 트렌드의 변화2014 공개소프트웨어 대회 소프트웨어 개발 트렌드의 변화
2014 공개소프트웨어 대회 소프트웨어 개발 트렌드의 변화Terry Cho
 
Redis data modeling examples
Redis data modeling examplesRedis data modeling examples
Redis data modeling examplesTerry Cho
 
빠르게훓어보는 Node.js와 Vert.x
빠르게훓어보는 Node.js와 Vert.x빠르게훓어보는 Node.js와 Vert.x
빠르게훓어보는 Node.js와 Vert.xTerry Cho
 
대용량 분산 아키텍쳐 설계 #5. rest
대용량 분산 아키텍쳐 설계 #5. rest대용량 분산 아키텍쳐 설계 #5. rest
대용량 분산 아키텍쳐 설계 #5. restTerry Cho
 

More from Terry Cho (20)

Kubernetes #6 advanced scheduling
Kubernetes #6 advanced schedulingKubernetes #6 advanced scheduling
Kubernetes #6 advanced scheduling
 
머신러닝으로 얼굴 인식 모델 개발 삽질기
머신러닝으로 얼굴 인식 모델 개발 삽질기머신러닝으로 얼굴 인식 모델 개발 삽질기
머신러닝으로 얼굴 인식 모델 개발 삽질기
 
5. 솔루션 카달로그
5. 솔루션 카달로그5. 솔루션 카달로그
5. 솔루션 카달로그
 
4. 대용량 아키텍쳐 설계 패턴
4. 대용량 아키텍쳐 설계 패턴4. 대용량 아키텍쳐 설계 패턴
4. 대용량 아키텍쳐 설계 패턴
 
3. 마이크로 서비스 아키텍쳐
3. 마이크로 서비스 아키텍쳐3. 마이크로 서비스 아키텍쳐
3. 마이크로 서비스 아키텍쳐
 
서비스 지향 아키텍쳐 (SOA)
서비스 지향 아키텍쳐 (SOA)서비스 지향 아키텍쳐 (SOA)
서비스 지향 아키텍쳐 (SOA)
 
1. 아키텍쳐 설계 프로세스
1. 아키텍쳐 설계 프로세스1. 아키텍쳐 설계 프로세스
1. 아키텍쳐 설계 프로세스
 
애자일 스크럼과 JIRA
애자일 스크럼과 JIRA 애자일 스크럼과 JIRA
애자일 스크럼과 JIRA
 
REST API 설계
REST API 설계REST API 설계
REST API 설계
 
모바일 개발 트랜드
모바일 개발 트랜드모바일 개발 트랜드
모바일 개발 트랜드
 
소프트웨어 개발 트랜드 및 MSA (마이크로 서비스 아키텍쳐)의 이해
소프트웨어 개발 트랜드 및 MSA (마이크로 서비스 아키텍쳐)의 이해소프트웨어 개발 트랜드 및 MSA (마이크로 서비스 아키텍쳐)의 이해
소프트웨어 개발 트랜드 및 MSA (마이크로 서비스 아키텍쳐)의 이해
 
Micro Service Architecture의 이해
Micro Service Architecture의 이해Micro Service Architecture의 이해
Micro Service Architecture의 이해
 
머신 러닝 입문 #1-머신러닝 소개와 kNN 소개
머신 러닝 입문 #1-머신러닝 소개와 kNN 소개머신 러닝 입문 #1-머신러닝 소개와 kNN 소개
머신 러닝 입문 #1-머신러닝 소개와 kNN 소개
 
R 프로그래밍-향상된 데이타 조작
R 프로그래밍-향상된 데이타 조작R 프로그래밍-향상된 데이타 조작
R 프로그래밍-향상된 데이타 조작
 
R 프로그래밍 기본 문법
R 프로그래밍 기본 문법R 프로그래밍 기본 문법
R 프로그래밍 기본 문법
 
R 기본-데이타형 소개
R 기본-데이타형 소개R 기본-데이타형 소개
R 기본-데이타형 소개
 
2014 공개소프트웨어 대회 소프트웨어 개발 트렌드의 변화
2014 공개소프트웨어 대회 소프트웨어 개발 트렌드의 변화2014 공개소프트웨어 대회 소프트웨어 개발 트렌드의 변화
2014 공개소프트웨어 대회 소프트웨어 개발 트렌드의 변화
 
Redis data modeling examples
Redis data modeling examplesRedis data modeling examples
Redis data modeling examples
 
빠르게훓어보는 Node.js와 Vert.x
빠르게훓어보는 Node.js와 Vert.x빠르게훓어보는 Node.js와 Vert.x
빠르게훓어보는 Node.js와 Vert.x
 
대용량 분산 아키텍쳐 설계 #5. rest
대용량 분산 아키텍쳐 설계 #5. rest대용량 분산 아키텍쳐 설계 #5. rest
대용량 분산 아키텍쳐 설계 #5. rest
 

Recently uploaded

Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?Igalia
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsRoshan Dwivedi
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MIND CTI
 
Top 10 Most Downloaded Games on Play Store in 2024
Top 10 Most Downloaded Games on Play Store in 2024Top 10 Most Downloaded Games on Play Store in 2024
Top 10 Most Downloaded Games on Play Store in 2024SynarionITSolutions
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsJoaquim Jorge
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024The Digital Insurer
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherRemote DBA Services
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProduct Anonymous
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...apidays
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...apidays
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...DianaGray10
 

Recently uploaded (20)

Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
Top 10 Most Downloaded Games on Play Store in 2024
Top 10 Most Downloaded Games on Play Store in 2024Top 10 Most Downloaded Games on Play Store in 2024
Top 10 Most Downloaded Games on Play Store in 2024
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 

Kubernetes #3 security

  • 2. Agenda ● Authentication & Authorization ● Network Policy ● Security Context ● Security best practice
  • 4. User identity in k8s Kubernetes distinguishes between two kinds of clients connection to API Server ● Users (Actual human user) Kubernetes doesn’t have built in user account management system It should use integrate with external identity management system ○ Open ID (OAuth2) ○ Webhook ● Service account (Machine like Pod) ○ Identity of Pod to call API ■ Create : kubectl create serviceaccount {service account name} ■ List : kubectl list sa ■ Assign SA to POD
  • 5. Authenticate ● User identity is used for authenticate request for API Server ● How to authenticate user request ○ Basic HTTP Auth ○ Access token via HTTP Header ○ Client cert ○ Custom made
  • 6. RBAC (Resource based access control) Role ResourceRoleBinding users User group Service account get list watch create update patch delete : pod node service : Role RoleBinding
  • 7. apigroups ● Core group, often referred to as the legacy group /api/v1 ● Names group /apis/$GROUP_NAME/$VERSION ex) Create daemonSet : POST /apis/apps/v1/namespaces/{namespace}/daemonsets
  • 8. Namespace : default Role & namespace Role PodsRoleBindingjane
  • 9. Namespace : foo1 Namespace : default Role & namespace Role PodsRoleBindingtom - kind : User name : tom namespace : foo
  • 10. Cluster Role ● Role,RoleBinding : namespace d resource ● ClusterRole,ClusterRoleBinidng : Cluster wide ○ Role for all of resources in cluster (across multiple namespaces) ○ There are resources that are not namespaced
  • 13. Network Policy ● Network policy can control ingress & egress traffic for Pod ● It is based on ○ Label (label selector) ○ Protocol (TCP/UDP), Port ○ IP range (CIDR) ● Recipes https://github.com/ahmetb/kubernetes-network-policy-recipes
  • 14. Ingress control ● Deny all ingress traffic to Pod ● Limit ingress traffic to Pod
  • 15. Egress control ● Deny egress traffic app=foo Other Pod ● Limit egress traffic app=foo Other Pod UDP:53 TCP:53
  • 17. Security Context ● Security-related feature can be configured on Pod and its container through-out security-Context properties ● It can ○ Specify the user under which the process in the container will run ○ Prevest the container from running as root ○ Privileged mode (full access to it’s node’s kernel) ○ Fine grained privileged mode (partial access for node’s kernel)
  • 18. Security context example ● Prevent container run as root ● Run container with specified user
  • 19. Security context example ● Run container with full kernel capabilities (Privileged mode) For example NFS ● Set capabilities for Container Adding individual kernel capabilities to a container
  • 21. Security best practice Reference ● https://kubernetes.io/blog/2016/08/security-best-practices-kubernetes- deployment/
  • 22. Container Image control ● Implement continuous security vulnerability scanning Include security scanning process in CI/CD pipeline ● Regularly apply security updates Update container image to latest version (ex node.js etc) ● Ensure that only authorized images are used in your environment
  • 23. Authorization control ● Create Administrative Boundaries between Resources ● Limit direct access to Kubernetes Nodes You should limit SSH access to Kubernetes nodes. (instead of that user to use kubectl exec)
  • 24. Quota control ● Define Resource Quota Give resource limit to namespace
  • 25. Network control ● Implement network segmentation POST /apis/net.alpha.kubernetes.io/v1alpha1/namespaces/tenant-a/networkpolicys { "kind": "NetworkPolicy", "metadata": { "name": "pol1" }, "spec": { "allowIncoming": { "from": [{ "pods": { "segment": "frontend" } }], "toPorts": [{ "port": 80, "protocol": "TCP" }] }, "podSelector": { "segment": "backend" } } }
  • 26. Security context for Pod ● SecurityContext->runAsNonRoot : Indicates that containers should run as non-root user ● SecurityContext->Capabilities : Controls the Linux capabilities assigned to the container. ● SecurityContext->readOnlyRootFilesystem : Controls whether a container will be able to write into the root filesystem. ● PodSecurityContext->runAsNonRoot: Prevents running a container with ‘root’ user as part of the pod
  • 27. Log Cluster ● Build log system (ELK) and gather Log