This slide deck (Dharshin De Silva, AppSec Australia, 18 May 2021) covers security best practices for Kubernetes: authentication with PKI certificates and external identity providers, authorization with role-based access control (RBAC), securing the API server, auditing the cluster configuration, and admission controllers that enforce security policies. The talk includes code examples and demos of tools such as kube-hunter and admission controllers. The extract below keeps the text that survived from the slides.
6. Pods and Services
• Pod: the smallest deployable unit in Kubernetes; one or more containers; treated as stateless (ephemeral)
• Service: an abstract (iptables + DNS) way to expose an app running on a set of Pods as a network service
Dharshin De Silva @ AppSec Australia 18 May 2021 6
10. Authentication: subjects and strategies
• Two kinds of subject: service accounts (managed by Kubernetes) and users
• Users are managed by a cluster-independent service; there is no User object in the API
• Authentication strategies: static file, X.509 client certificates (next slide), external OpenID Connect, webhook, authenticating proxy
11. Authentication with X.509 client certificates
• The client generates a key pair and a CSR; the CSR is signed by a CA the API server trusts (the one configured with --client-ca-file), for example the cluster CA via the CertificateSigningRequest API
• The username is taken from the Common Name (CN) of the certificate subject; group membership comes from the Organization (O) fields
• There is no revocation: the API server checks no CRL or OCSP, so to revoke a single user's access the CA must be re-keyed and all certificates re-issued
• Suited to break-glass scenarios rather than day-to-day user access
Image source: https://www.magalix.com/blog/kubernetes-authentication
12. Stronger authentication via an external identity provider
• Delegating user authentication to an external identity provider (for example over OpenID Connect) allows stronger authentication: 2FA, WebAuthn
Image source: https://www.magalix.com/blog/kubernetes-authentication
29.
• Cloud provider APIs and Kubernetes
30. Attacking workloads
• Apps deployed
• Management
• Privilege escalation from a compromised pod via: service accounts (mounted tokens), hostPath mounts (Docker socket), metadata interface access, secrets, environment variables
• Container evasion (escape) techniques
31. Mitigations
• Least privilege: dedicated service accounts with minimal RBAC, no automounted tokens where they are not needed, no privileged containers
• Block pod access to the host's metadata endpoint
• Init containers
• Default deny: start from a deny-all posture and allow only what each workload needs
32. kubeaudit
• Has three modes:
1. Manifest mode – audit Kubernetes manifest files (static analysis)
2. Local mode – connect to a cluster remotely using the kubeconfig
3. Cluster mode – deployed as a pod in the cluster and audits the Kubernetes resources in the cluster (dynamic)
• github.com/Shopify/kubeaudit
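The following is an added example, written by the editor; it is not code from the talk and not kubeaudit itself. It shows what a manifest-mode (static) audit of the kind slide 32 describes looks like when pointed at the escalation vectors from slide 30: a Pod that automounts its service-account token, runs privileged, mounts the Docker socket via hostPath and injects a Secret as an environment variable, beside the same Pod with the least-privilege mitigations from slide 31 applied. Both manifests are constructed for this example and embedded as JSON (which kubectl accepts as readily as YAML); the image name is a placeholder. Blocking the host metadata endpoint is a network-level control and is not visible in a Pod spec, so it is outside what this check can see.

```python
"""Tiny manifest-mode audit of Kubernetes Pod specs.

Added example by the editor; it is not code from the talk and not kubeaudit.
It flags the escalation vectors named on slide 30 (service-account token,
hostPath mount of the container-runtime socket, host namespaces, privileged
containers, secrets injected as environment variables) and passes once the
least-privilege mitigations from slide 31 are applied. The two manifests are
constructed for this example and embedded as JSON.
"""
import json
from typing import Dict, List

# Sockets whose mount hands the container control of the node's container runtime.
RUNTIME_SOCKETS = ("/var/run/docker.sock", "/run/containerd/containerd.sock",
                   "/run/crio/crio.sock")


def audit_pod(manifest: Dict) -> List[str]:
    """Return a list of findings for one Pod manifest; an empty list means clean."""
    spec = manifest.get("spec", {})
    findings: List[str] = []

    # A mounted token gives the pod whatever RBAC rights its service account has,
    # and the 'default' service account is shared by every pod in the namespace.
    if spec.get("automountServiceAccountToken", True):
        findings.append("service-account token is auto-mounted")
    if spec.get("serviceAccountName", "default") == "default":
        findings.append("uses the shared 'default' service account")

    # hostPath: the runtime socket or the host root is effectively node takeover.
    for vol in spec.get("volumes", []):
        path = vol.get("hostPath", {}).get("path")
        if path is None:
            continue
        if path.rstrip("/") in RUNTIME_SOCKETS or path.rstrip("/") in ("", "/var/run", "/run"):
            findings.append(f"hostPath '{vol['name']}' exposes runtime socket or host root: {path}")
        else:
            findings.append(f"hostPath '{vol['name']}' mounts host path {path}")

    # Host namespaces bypass container isolation; NetworkPolicy does not apply
    # to hostNetwork pods, so they reach the node's metadata endpoint unhindered.
    for key in ("hostPID", "hostIPC", "hostNetwork"):
        if spec.get(key):
            findings.append(f"{key} is enabled")

    for c in spec.get("initContainers", []) + spec.get("containers", []):
        sc = c.get("securityContext", {})
        name = c["name"]
        if sc.get("privileged"):
            findings.append(f"container '{name}' is privileged")
        if sc.get("allowPrivilegeEscalation", True):
            findings.append(f"container '{name}' allows privilege escalation (setuid, file caps)")
        if sc.get("runAsNonRoot") is not True:
            findings.append(f"container '{name}' may run as root")
        if "ALL" not in sc.get("capabilities", {}).get("drop", []):
            findings.append(f"container '{name}' does not drop all capabilities")
        # Env-var secrets leak to child processes, /proc/<pid>/environ and crash dumps.
        for env in c.get("env", []):
            if "secretKeyRef" in env.get("valueFrom", {}):
                findings.append(f"container '{name}' injects a Secret into env var {env['name']}")
    return findings


def audit_json(text: str) -> List[str]:
    """Audit a Pod manifest given as a JSON document."""
    return audit_pod(json.loads(text))


# Constructed 'before' manifest: a CI build agent with the Docker socket mounted.
WEAK_POD = """{
  "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "build-agent"},
  "spec": {
    "containers": [{
      "name": "agent", "image": "example.invalid/build-agent:1.0",
      "securityContext": {"privileged": true},
      "env": [{"name": "DB_PASSWORD",
               "valueFrom": {"secretKeyRef": {"name": "db", "key": "password"}}}],
      "volumeMounts": [{"name": "dock", "mountPath": "/var/run/docker.sock"}]
    }],
    "volumes": [{"name": "dock", "hostPath": {"path": "/var/run/docker.sock"}}]
  }
}"""

# Constructed 'after' manifest: dedicated SA, no token, no hostPath, non-root,
# all capabilities dropped, the Secret mounted as a read-only file instead.
HARDENED_POD = """{
  "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "build-agent"},
  "spec": {
    "serviceAccountName": "build-agent",
    "automountServiceAccountToken": false,
    "containers": [{
      "name": "agent", "image": "example.invalid/build-agent:1.0",
      "securityContext": {"runAsNonRoot": true, "allowPrivilegeEscalation": false,
                          "readOnlyRootFilesystem": true,
                          "capabilities": {"drop": ["ALL"]}},
      "volumeMounts": [{"name": "db-creds", "mountPath": "/etc/db", "readOnly": true}]
    }],
    "volumes": [{"name": "db-creds", "secret": {"secretName": "db"}}]
  }
}"""

if __name__ == "__main__":
    for label, text in (("weak", WEAK_POD), ("hardened", HARDENED_POD)):
        print(f"{label}: {len(audit_json(text))} finding(s)")
        for finding in audit_json(text):
            print("  -", finding)
```

Running the script reports eight findings for the weak manifest and none for the hardened one. Two of the checks deserve a caveat: a secret mounted as a file is still readable by the process (the point is only to keep it out of the environment), and a privileged container or a runtime-socket mount needs an admission control to block it at the API, since a static audit only catches what passes through the manifests it is shown.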