5. THE CHALLENGE
● NEED WEBSITE FOR TWITCH SHOW
● HOST ON RASPBERRY PI
● CREATED WITH HUGO
● USE NGINX
TRY NOT TO LOOK LIKE A TOTAL IDIOT WORKING FOR AN IAC SECURITY COMPANY BY DEPLOYING AN NGINX WEBSITE FOR A TWITCH SHOW ABOUT CLOUD NATIVE SECURITY THAT DOESN'T PASS OUR CHECKOV YAML SCAN
6. OWASP Top 10 (2021)
● A01:2021-Broken Access Control
● A02:2021-Cryptographic Failures
● A03:2021-Injection
● A04:2021-Insecure Design
● A05:2021-Security Misconfiguration
● A06:2021-Vulnerable and Outdated Components
● A07:2021-Identification and Authentication Failures
● A08:2021-Software and Data Integrity Failures
● A09:2021-Security Logging and Monitoring Failures
● A10:2021-Server-Side Request Forgery
Coding issues like input sanitization have been replaced by misconfigurations and dependency (supply chain) risks.
7. The Problem
Defaults are bad!
Misconfigurations are bad!
● Unintended behaviour
● Outage
● Data Breach
● Lateral movement
● Supply Chain Compromise
● PII Exposure
Security best practices are important!
8. IF COMPROMISED
● THE NGINX DEFAULT IMAGE HAS…
○ nsenter
○ curl
○ apt
○ And much, much more!!
● THE NGINX IMAGE CAN...
○ Enumerate the network
○ Break out to the host
■ e.g. CVE-2021-22555
○ Serve malicious content
12. STEP 2 - WRAP IT IN A K8s DEPLOYMENT
● Get the code (from somebody else)
○ SEARCH GOOGLE/DUCKDUCKGO?
● Go to the source (kubernetes.io)
13. STEP 3 - CHECK IT IS SECURE
● Checkov
○ DEPLOYMENT
■ Are my defaults secure, and what happens when they are not?
○ IMAGE
■ Can I use the default image, or should I make changes?
15. W H A T D O E S S E C U R E MEAN
● CIA
○ Confidentiality
■ Least Privilege
○ Integrity
■ Immutability
○ Availability
■ Resilience
16. What is Checkov?
Open source (Apache 2.0) misconfiguration scanner for IaC, intended to be used in CI/CD pipelines
1. 1000+ built-in checks
2. Supports extensions
3. Built-in best practices and security
17. What is Checkov
● Open source
● Analyze infrastructure as code (IaC)
● Terraform, CloudFormation, Kubernetes, Helm, ARM Templates and Serverless framework
● > 500 rules
● VSCode Plugin
● Optional config file
○ .checkov.yaml
19. Add Seccomp Profile
● Disables > 44 system calls
○ Expelliarmus
● e.g.
○ mount (host filesystems)
○ ptrace (watch everything)
○ reboot (the host!)
○ setns (change Linux namespace)
○ quotactl (mess with CPU limits)
● Default defence in depth
○ Many of these overlap with blocking CAP_SYS_ADMIN
20. Set allowPrivilegeEscalation to false
● Prevents setuid binaries from changing the effective user ID
○ Blocks enabling of extra capabilities
○ Even blocks the use of ping
21. Do not run as root (the default)
● Seems obvious, but...
● Assign a UID and GID > 10000 to avoid conflicts
I am root!
28. Liveness/Readiness Probes
● Let Kubernetes know you're there and it will keep you alive and kicking
It can be difficult to come up with methods to determine a ready and live state. Not the case for NGINX, however.
29. CPU / Memory Requests and Limits
● Prevents self-induced DoS
● Ensures weighted scheduling of pods
● Limits losses from crypto-mining attacks
Can be difficult to determine up front, but defaults can be quickly derived from the K8s metrics server.
MORE POWER!
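The hardening steps on slides 19 to 29 (seccomp profile, allowPrivilegeEscalation: false, non-root UID/GID above 10000, liveness/readiness probes, CPU/memory requests and limits) are what Checkov flags on a Deployment copied straight from kubernetes.io. The block below is an added example, not Checkov's own code or anything from the deck: it encodes those five checks as small policy functions, runs them against a constructed bare nginx Deployment (held as a plain dict, i.e. what yaml.safe_load would return, so no third-party library is needed), and then against a hardened copy. The `nginxinc/nginx-unprivileged` image, port 8080 and the resource figures in `harden()` are assumptions, not values from the slides.

```python
"""Policy checks mirroring the deck's hardening steps (added example, not Checkov)."""
from copy import deepcopy

MIN_UID = 10001  # slide 21: UID and GID above 10000


def _pod_spec(dep):
    return dep["spec"]["template"]["spec"]


def _containers(dep):
    return _pod_spec(dep).get("containers", [])


def _effective_sc(dep, container):
    # Container-level securityContext overrides pod-level for the shared fields.
    return {**_pod_spec(dep).get("securityContext", {}),
            **container.get("securityContext", {})}


def check_seccomp(dep):
    # Slide 19: RuntimeDefault drops mount, ptrace, reboot, setns, quotactl, ...
    for c in _containers(dep):
        profile = _effective_sc(dep, c).get("seccompProfile", {})
        if profile.get("type") not in ("RuntimeDefault", "Localhost"):
            return f"{c['name']}: no seccomp profile (set seccompProfile.type: RuntimeDefault)"
    return None


def check_privilege_escalation(dep):
    # Slide 20: the field defaults to true, so its absence is a finding.
    for c in _containers(dep):
        if _effective_sc(dep, c).get("allowPrivilegeEscalation", True):
            return f"{c['name']}: allowPrivilegeEscalation must be false"
    return None


def check_non_root(dep):
    # Slide 21: refuse root and keep UID/GID clear of host accounts.
    for c in _containers(dep):
        sc = _effective_sc(dep, c)
        if sc.get("runAsNonRoot") is not True:
            return f"{c['name']}: runAsNonRoot must be true"
        for key in ("runAsUser", "runAsGroup"):
            if sc.get(key, 0) < MIN_UID:
                return f"{c['name']}: {key} must be >= {MIN_UID}"
    return None


def check_probes(dep):
    # Slide 28: both probes, so the kubelet can restart or unroute a bad pod.
    for c in _containers(dep):
        for probe in ("livenessProbe", "readinessProbe"):
            if probe not in c:
                return f"{c['name']}: missing {probe}"
    return None


def check_resources(dep):
    # Slide 29: requests and limits for both cpu and memory.
    for c in _containers(dep):
        res = c.get("resources", {})
        for kind in ("requests", "limits"):
            for r in ("cpu", "memory"):
                if r not in res.get(kind, {}):
                    return f"{c['name']}: resources.{kind}.{r} not set"
    return None


CHECKS = (check_seccomp, check_privilege_escalation, check_non_root,
          check_probes, check_resources)


def run_checks(dep):
    """Return the list of violations; an empty list means every check passed."""
    return [msg for check in CHECKS if (msg := check(dep)) is not None]


# Constructed sample: the bare nginx Deployment you would copy from kubernetes.io.
DEFAULT_DEPLOYMENT = {
    "apiVersion": "apps/v1", "kind": "Deployment", "metadata": {"name": "nginx"},
    "spec": {"replicas": 1, "selector": {"matchLabels": {"app": "nginx"}},
             "template": {"metadata": {"labels": {"app": "nginx"}},
                          "spec": {"containers": [{"name": "nginx", "image": "nginx:1.25",
                                                   "ports": [{"containerPort": 80}]}]}}},
}


def harden(dep):
    """Copy of the Deployment with the deck's settings applied.
    Assumption: the image listens on 8080 and tolerates an arbitrary UID,
    because the stock nginx image binds port 80 as root."""
    out = deepcopy(dep)
    spec = _pod_spec(out)
    spec["securityContext"] = {"seccompProfile": {"type": "RuntimeDefault"}}
    for c in spec["containers"]:
        c["image"] = "nginxinc/nginx-unprivileged:1.25"  # assumption, see docstring
        c["ports"] = [{"containerPort": 8080}]
        c["securityContext"] = {"allowPrivilegeEscalation": False, "runAsNonRoot": True,
                                "runAsUser": MIN_UID, "runAsGroup": MIN_UID}
        http = {"httpGet": {"path": "/", "port": 8080}}
        c["livenessProbe"] = {**http, "periodSeconds": 10}
        c["readinessProbe"] = {**http, "initialDelaySeconds": 2}
        c["resources"] = {"requests": {"cpu": "50m", "memory": "32Mi"},
                          "limits": {"cpu": "200m", "memory": "64Mi"}}
    return out


if __name__ == "__main__":
    for label, manifest in (("default", DEFAULT_DEPLOYMENT), ("hardened", harden(DEFAULT_DEPLOYMENT))):
        print(label, run_checks(manifest) or "PASS")
```

The default manifest fails all five checks and the hardened copy passes. Note that `runAsNonRoot: true` alone does not make the stock nginx image work: it wants port 80 and root-owned cache paths, which is why slide 13 asks whether the default image can be used at all; pairing the securityContext with an unprivileged build of the image is what makes the setting deployable.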
30. Key Takeaways
● Finding Secure Examples Is Difficult
● Basic Best Practices Can Be Easy
● Tools Are Available To Help
● Many Defaults Aren't Secure
Checkov: https://www.checkov.io/
Our blog: https://bridgecrew.io/blog
THANKS!
DEPLOYMENTS
SERVICES
JOBS
DEFAULTS
OUR BATTERED POD COMES FROM A SECURE SUPPLY CHAIN
32. Survey Form
We hope you’ve found our session beneficial.
Please help us by answering a short 5-question survey.
A small INR200,000 Grab thank you token awaits.
https://forms.gle/bGzk2ntgCmuHCuRg7
Please scan the QR code or use the clickable link in the chatbox.
33. Stay Connected With Us!
t.me/iddevops
DevOps Indonesia
@iddevops
Scan here