This document discusses securing Kubernetes and the software supply chain. It outlines how to implement a DevSecOps lifecycle using tools like cnquery and cnspec to continuously check for vulnerabilities and misconfigurations during development and in the CI/CD pipeline. The goal is to automate security testing and remediation to validate that infrastructure and applications are secure.
2. About me
Ivan Milchev
Senior Software Engineer
ivan@mondoo.com
● Mondoo Kubernetes Operator
● Kubernetes, containers and Linux integration
● Tech Lead Operations
● Architect of the in-house Manufacturing Execution System (MES)
● Created a Kubernetes scheduler extension for network-aware scheduling
● Developed a customized managed Kubernetes platform
21. Security for Kubernetes runtime
Layers: Cloud Services, Control Plane, Cluster Nodes, Workloads (Deployments / Pods), Application Containers
Kubernetes is a complex system requiring deep inspection across multiple layers of infrastructure and services to ensure security
23. Cluster Nodes
Are my cluster nodes secure?
● Operating system end-of-life?
● Operating system patched?
● Operating system hardened?
● Is the container runtime hardened?
● Is the Kubelet hardened?
24. Control Plane
Is the Kubernetes API secure?
● Use TLS for all API traffic
● API authentication
● API authorization
● Audit logging
Is etcd secure?
● Restrict access to etcd
● Encryption at rest
25. Workloads (Deployments / Pods)
Are the Kubernetes workloads secure?
● Limiting resource usage on a cluster
● Limit privileges
● Restrict network access
26. Application Containers
Are the containers running in Kubernetes secure?
● Container vulnerability scanning
● Provenance and attestation
● Disallow privileged users
29. GitOps workflow
Stages: local development, source control, ci / cd, runtime (Cloud Services, Control Plane, Workloads (Deployments / Pods), Cluster Configuration, Application Containers)
30. Securing the GitOps workflow
● Are my developers’ workstations secure?
● Can developers find vulnerabilities in containers before pushing changes?
● Can developers evaluate the risk of an open source project they want to use?
● Are there misconfigurations in IaC code (Terraform, K8s manifests, CloudFormation)?
● Are developers using MFA?
● Do the correct developers have access to the repository?
● Who can review/approve/merge changes to the code base?
● Is branch protection configured?
● Are we running automated security tests on each pull request?
● Do we test for security misconfigurations before deploying?
● Do we test for known vulnerabilities before deploying?
● Does our CI/CD tooling have known vulnerabilities?
37. Check automatically and continuously
● Are my developers’ workstations secure?
● Can developers find vulnerabilities in containers before pushing changes?
● Can developers evaluate the risk of an open source project they want to use?
● Are there misconfigurations in IaC code (Terraform, K8s manifests, CloudFormation)?
● Are developers using MFA?
● Do the correct developers have access to the repository?
● Who can review/approve/merge changes to the code base?
● Is branch protection configured?
● Are we running automated security tests on each pull request?
● Do we test for security misconfigurations before deploying?
● Do we test for known vulnerabilities before deploying?
● Does our CI/CD tooling have known vulnerabilities?
43. Welcome cnquery and cnspec
● cnquery: Search within your infrastructure (https://cnquery.io)
● cnspec: Scan for vulnerabilities and misconfiguration (https://cnspec.io)
44. Automate Security
Stages: Local Dev, Source Control, CI / CD, Runtime (Cloud Services, Cluster Nodes, Workloads (Deployments / Pods), Cluster Configuration, Application Containers)
A story about innovation
Everyone likes new technologies and new approaches
We want speed and efficiency
Write your code, set up your server, load balancer, got a deployment script
I know you are the best at what you do but there is a better way
A tool that can do it all for you. No need to manage infra, failover, autoscaling, etc.
Body, hair, shave,
Brush your teeth, wash the car, mop the floor,
Obviously, the bad guys
They operate as a business
Quotas, negotiations, live chat
Referrals
Manuals, playbooks
How secure is your infrastructure?
Do you know for a fact that the nice and secure configuration you applied yesterday is still there? Did someone modify it?
Fort Knox
Lots of moving parts
Take away the complexity
Reduce maintenance
Digital innovation is the ultimate source of competitiveness and value creation for almost every type of business. As a result, three things are increasingly common among corporate software engineering teams and the 20 million software developers that work for them:
● They seek faster innovation
● They seek improved security
● They utilize a massive volume of open source libraries
The universal desire for faster innovation demands efficient reuse of code, which in turn has led to a growing dependence on open source and third-party software libraries. These artifacts serve as reusable building blocks, which are fed into public repositories (npm, Maven Central, PyPI, NuGet Gallery, RubyGems, etc.) where they are freely borrowed by millions of developers in the pursuit of faster innovation. This is the definition of the modern software supply chain.
Answer a list of questions
How often? How certain?
Exponentially higher - Codecov, SolarWinds, Uber
How does it look?
Summary
Scary?
No magical/universal solution
If there is one question 42 cannot answer, it is this
It is a thing. Just knowing the word and talking about it doesn’t make you more secure
First security audit ever (or in a year) and you see this…
Is everything really relevant?
Where do you start from? Smallest effort with the highest gain?