Orchestrating Least Privilege by Diogo Monica

Docker Distributed System Presentation by Diogo Monica

  1. Orchestrating Least Privilege
  2. What is an Orchestrator?
  3. What is an Orchestra?
  4. SWARM
  5. Job of a Conductor
     - Casting
     - Assign sheet music
     - Unify performers
     - Set the tempo
  6. Job of an Orchestrator
     - Node management
     - Task assignment
     - Cluster state reconciliation
     - Resource management
  7. What is a Least Privilege Orchestrator?
  8. What is Least Privilege?
  9. Principle of Least Privilege: a process must be able to access only the information and resources that are necessary for its legitimate purpose.
  10. Why Least Privilege?
  11. What do we need to achieve Least Privilege Orchestration?
  12. Mitigating an External Attacker
     - Externally accessible service ports are explicitly defined
     - Administration endpoints are authenticated and authorized
  13. Mitigating an Internal Network Attacker
     - Authentication of both network and cluster control-plane communication
     - Service-to-service communication is authorized, with orchestrator-managed ACLs
  14. Mitigating a MitM Attacker
     - All control-plane and data-plane traffic is encrypted
  15. Mitigating a Malicious Worker
     - Should only have access to resources currently in use
     - Push vs. pull
     - No ability to modify or access any cluster state except its own
     - Identity is assigned, never requested
  16. Mitigating a Malicious Manager
     - Can't run arbitrary code on workers
     - No access to secret material
     - No ability to spin up unauthorized nodes or impersonate existing nodes
     - No ability to read service-to-service communication
  17. Byzantine Consensus.
  18. SWARM
  19-22. Mutual TLS by default (built up one bullet per slide)
     - First node generates a new self-signed CA
     - New nodes can get a certificate issued with a token
     - Workers and managers are identified by their certificate
     - Communications secured with mutual TLS
  23. The Token: SWMTKN-1-mx8susrv1etsmc8omaom825bet6-cm6zts22rl4hly2
     - SWMTKN: fixed prefix, so leaked tokens can be found by searching version control
     - 1: token version
     - mx8susrv1etsmc8omaom825bet6: cryptographic hash of the CA root certificate, used to validate the CA during bootstrap
     - cm6zts22rl4hly2: randomly generated secret
  24. Bootstrap
     1. Retrieve and validate the root CA public key material
     2. Submit a new CSR along with the secret token
     3. Retrieve the signed certificate
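Slides 23 and 24 describe the join token and the first bootstrap step: the joining node must check the root CA it fetched over the network against the hash carried in the token. The Go program below is an added example, not code from the talk, from Docker or from swarmkit. It builds, parses and checks such a token and runs that step-1 check. It assumes the digest field is SHA-256 over the root CA's PEM bytes written as a base-36 integer, and that the secret is random bytes written the same way (this matches swarmkit's format as far as I know, but is an assumption here); the sample PEM bytes are constructed and the function names are mine. The leak-scan regex shows what the fixed SWMTKN prefix buys a VCS search.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"math/big"
	"regexp"
	"strings"
)

const (
	tokenPrefix  = "SWMTKN"
	tokenVersion = "1"
)

// JoinToken is the parsed form of SWMTKN-<version>-<CA digest>-<secret>.
type JoinToken struct {
	Version  string
	CADigest string // base-36 digits, exactly as carried in the token
	Secret   string // base-36 digits, exactly as carried in the token
}

// MakeJoinToken builds a token for a root CA (its PEM bytes) and a secret.
// Assumption: the digest field is SHA-256 over the root CA PEM and the
// secret field is the random secret bytes, both written as base-36 integers.
func MakeJoinToken(rootCAPEM, secret []byte) string {
	sum := sha256.Sum256(rootCAPEM)
	var d, s big.Int
	d.SetBytes(sum[:])
	s.SetBytes(secret)
	return fmt.Sprintf("%s-%s-%s-%s", tokenPrefix, tokenVersion, d.Text(36), s.Text(36))
}

// ParseJoinToken splits a token into its fields and rejects anything that is
// not a version-1 token with both a digest and a secret present.
func ParseJoinToken(tok string) (JoinToken, error) {
	parts := strings.Split(strings.TrimSpace(tok), "-")
	if len(parts) != 4 || parts[0] != tokenPrefix {
		return JoinToken{}, errors.New("not a swarm join token")
	}
	if parts[1] != tokenVersion {
		return JoinToken{}, fmt.Errorf("unsupported token version %q", parts[1])
	}
	if parts[2] == "" || parts[3] == "" {
		return JoinToken{}, errors.New("token is missing its CA digest or secret")
	}
	return JoinToken{Version: parts[1], CADigest: parts[2], Secret: parts[3]}, nil
}

// VerifyRootCA is bootstrap step 1 on the joining node: the root CA it just
// fetched over an untrusted network is accepted only if its digest matches the
// one the operator handed over out of band inside the token. Comparing as
// integers keeps the check independent of any zero-padding of the field.
func VerifyRootCA(t JoinToken, rootCAPEM []byte) bool {
	want, ok := new(big.Int).SetString(t.CADigest, 36)
	if !ok {
		return false
	}
	sum := sha256.Sum256(rootCAPEM)
	return want.Cmp(new(big.Int).SetBytes(sum[:])) == 0
}

// leakRe is the search a scan over a VCS history would run; the fixed prefix
// is what makes the search cheap and low-noise.
var leakRe = regexp.MustCompile(`\bSWMTKN-[0-9]+-[0-9a-z]+-[0-9a-z]+\b`)

// FindLeakedTokens returns every token-shaped string found in text.
func FindLeakedTokens(text string) []string {
	return leakRe.FindAllString(text, -1)
}

func main() {
	// Constructed stand-in for the first manager's self-signed root CA PEM.
	rootCA := []byte("-----BEGIN CERTIFICATE-----\nMIIBconstructed-root-ca\n-----END CERTIFICATE-----\n")
	secret := make([]byte, 16) // 128 bits of entropy
	if _, err := rand.Read(secret); err != nil {
		panic(err)
	}
	tok := MakeJoinToken(rootCA, secret)
	parsed, err := ParseJoinToken(tok)
	if err != nil {
		panic(err)
	}
	fmt.Println("token:", tok)
	fmt.Println("fetched CA matches token digest:", VerifyRootCA(parsed, rootCA))
	fmt.Println("substituted CA matches:", VerifyRootCA(parsed, []byte("attacker CA")))
	fmt.Println("found in a commit diff:", FindLeakedTokens("+JOIN_TOKEN="+tok+"\n"))
}
```

The token is the only thing the operator has to carry over a trusted channel: the secret authorizes the join, and the digest pins the CA, so a man-in-the-middle who substitutes a root CA during bootstrap fails the VerifyRootCA check on the joining node before any CSR is sent.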
  25. Automatic Certificate Rotation
     1. Submit a new CSR using the old key pair
     2. Retrieve the new signed certificate
  26. Support for External CAs
     - Managers support bring-your-own CA
     - CSRs are forwarded to the external CA
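Steps 2 and 3 of the bootstrap on slide 24, the rotation on slide 25, and the "identity is assigned, never requested" rule from slide 15 all come down to what the CA does with a CSR. The Go program below is an added example written for this page, not code from the talk, from Docker or from swarmkit, using only the standard library's crypto/x509. It models a toy in-cluster CA that issues node certificates with the node ID in CN and the role in OU (the swarm-manager and swarm-worker OU names follow swarm's convention, but their use here is an assumption, as are the two per-role join secrets, the P-256 keys, the validity periods and all function names). On join, the token secret decides the role and the CA assigns the node ID, ignoring whatever subject the CSR asked for; on rotation, the request is authenticated by the node's existing still-valid certificate (which is how I read "submit new CSR using old key-pair"), and the same identity is re-issued onto the new public key in the CSR.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Role lives in the certificate OU; CN is the CA-assigned node ID, O the cluster.
const (
	RoleManager = "swarm-manager"
	RoleWorker  = "swarm-worker"
)

// CA is a toy stand-in for the certificate authority a swarm manager runs.
type CA struct {
	Cert   *x509.Certificate
	key    *ecdsa.PrivateKey
	tokens map[string]string // join-token secret -> role that token grants
	pool   *x509.CertPool
}

func must[T any](v T, err error) T { // setup failures are fatal in this demo
	if err != nil {
		panic(err)
	}
	return v
}

func issue(tmpl, parent *x509.Certificate, pub any, key *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// NewCA is the first node's job: self-sign a root CA and mint one join secret per role.
func NewCA(clusterID, workerSecret, managerSecret string) *CA {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
		Subject:      pkix.Name{CommonName: "swarm-ca", Organization: []string{clusterID}},
		NotBefore:    time.Now().Add(-time.Minute), NotAfter: time.Now().AddDate(10, 0, 0),
	}
	cert := must(issue(tmpl, tmpl, &key.PublicKey, key))
	pool := x509.NewCertPool()
	pool.AddCert(cert)
	return &CA{Cert: cert, key: key, pool: pool, tokens: map[string]string{workerSecret: RoleWorker, managerSecret: RoleManager}}
}

// sign issues a node certificate. Identity is the CA's decision; the CSR contributes
// only a public key and, via CheckSignature, proof of possession of that key.
func (ca *CA) sign(csrDER []byte, nodeID, role string) (*x509.Certificate, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, err
	}
	return issue(&x509.Certificate{
		SerialNumber: must(rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))),
		Subject:      pkix.Name{CommonName: nodeID, OrganizationalUnit: []string{role}, Organization: ca.Cert.Subject.Organization},
		NotBefore:    time.Now().Add(-time.Minute), NotAfter: time.Now().AddDate(0, 3, 0),
		KeyUsage:     x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth},
	}, ca.Cert, csr.PublicKey, ca.key)
}

// Bootstrap is join steps 2 and 3: the token secret selects the role, the CA assigns
// a fresh node ID, and the signed certificate is handed back.
func (ca *CA) Bootstrap(csrDER []byte, secret string) (*x509.Certificate, error) {
	role, ok := ca.tokens[secret]
	if !ok {
		return nil, fmt.Errorf("join rejected: unknown token secret")
	}
	return ca.sign(csrDER, must(rand.Int(rand.Reader, big.NewInt(1<<62))).Text(16), role)
}

// Verify is what every mTLS peer checks: a chain to this CA and exactly one role in OU.
func (ca *CA) Verify(cert *x509.Certificate) (string, error) {
	opts := x509.VerifyOptions{Roots: ca.pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return "", err
	}
	if ou := cert.Subject.OrganizationalUnit; len(ou) == 1 {
		return ou[0], nil
	}
	return "", fmt.Errorf("certificate carries no single role")
}

// Renew is rotation: the still-valid old certificate authenticates the request, and
// the same identity is re-issued onto the new public key carried in the new CSR.
func (ca *CA) Renew(csrDER []byte, old *x509.Certificate) (*x509.Certificate, error) {
	role, err := ca.Verify(old)
	if err != nil {
		return nil, fmt.Errorf("renewal rejected: %w", err)
	}
	return ca.sign(csrDER, old.Subject.CommonName, role)
}

// NewNodeCSR is the node side: a fresh key pair and a CSR whose requested subject the CA ignores.
func NewNodeCSR(askCN, askOU string) (*ecdsa.PrivateKey, []byte) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	req := &x509.CertificateRequest{Subject: pkix.Name{CommonName: askCN, OrganizationalUnit: []string{askOU}}}
	return key, must(x509.CreateCertificateRequest(rand.Reader, req, key))
}

func main() { // a worker that asks for the manager role still gets a worker certificate
	ca := NewCA("cluster-1", "worker-secret", "manager-secret")
	_, csr := NewNodeCSR("any-name", RoleManager)
	cert, err := ca.Bootstrap(csr, "worker-secret")
	fmt.Println(err, cert.Subject.CommonName, cert.Subject.OrganizationalUnit)
}
```

The authorization check a manager-only RPC handler would run is ca.Verify on the peer certificate followed by a comparison of the returned role against the role the endpoint requires; a certificate issued through the worker token never yields swarm-manager, which is the certificate side of the worker and manager limits on slides 15 and 16. Slide 26's external CA fits the same shape: the manager would forward the CSR to that CA instead of calling sign itself, while the token check and the role decision stay with the manager.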
  27. Demo
  28. Thank you