AppSec USA 2016 talk on using containers and Kubernetes to manage a variety of security tools. Includes best practices for securing Kubernetes implementations.
24. Step 3: Install Homebrew
But I use MacPorts and ZSH... where's my .bash_profile?
source ~/.bash_profile
ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/.../)"
brew tap homebrew/versions
25. Step 4: Update $PATH and Install Dependencies
Wait a minute. I need a local Postgres DB to run this thing?
echo 'export PATH=/usr/local/bin:/usr/local/sbin:$PATH' >> ~/.bash_profile
brew install nmap && brew install postgresql
26. Step 5: Initialize the DB
What?! Postgres didn't initialize? Forget this. Hacking is hard.
cp /usr/local/Cellar/postgresql/9.4.0/.../...
initdb /usr/local/var/postgres
launchctl load -w ~/Library/LaunchAgents/homebrew.mxcl.postgresql.plist
27. You just lost a golden opportunity to foster a co-worker's interest in security.
28. How can we make our security tooling more about using the tool and less about maintenance?
60. - Don't orchestrate for the sake of orchestration (or because the cool kids are doing it)
- Containers first, then orchestration
- docker-compose does a fine job for many things
94. Transport Security
- K8S API typically serves traffic over TLS
- Self-signed cert provisioned on the operator's laptop in $USER/.kube/config
[Diagram: kubectl --https://--> apiserver: Authentication (Who can access the cluster?) -> Authorization (What can they access?) -> Admission Control (Which policies are applied for this user?) -> Access Granted]
95. Authentication
- Supports many authentication modules: HTTP Basic, OpenID, Tokens, Client Cert, Keystone
- Multiple modules can be specified
96. Authorization
- Every HTTP request is authorized: get, list, create, update, etc.
- Request attributes are checked against policy
97. Authorization
- --authorization-mode=AlwaysAllow allows all requests; use if you don't need authorization.
- --authorization-mode=ABAC allows for a simple local-file-based user-configured authorization policy.
- --authorization-mode=RBAC is an experimental implementation which allows for authorization to be driven by the Kubernetes API.
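The authorization step on slides 96 and 97, as an added example that is not from the talk: a Python model of how an RBAC authorizer matches a request's attributes (user, verb, resource, namespace, API group) against Role and RoleBinding objects. The Role, the RoleBinding and the users are constructed for the illustration, and the matcher is simplified: it binds only User subjects (real RBAC also handles Group and ServiceAccount subjects, ClusterRoles and resourceNames), and it models only the RBAC mode, not AlwaysAllow or ABAC.

```python
from dataclasses import dataclass

# Constructed Role (not from the talk): read-only access to pods and
# pod logs inside the "security-tools" namespace.
ROLE_POD_READER = {
    "kind": "Role",
    "metadata": {"name": "pod-reader", "namespace": "security-tools"},
    "rules": [
        {"apiGroups": [""],                     # "" is the core API group
         "resources": ["pods", "pods/log"],
         "verbs": ["get", "list", "watch"]},
    ],
}

# Constructed RoleBinding: grants ROLE_POD_READER to user "alice" only.
BINDING_ALICE = {
    "kind": "RoleBinding",
    "metadata": {"name": "alice-reads-pods", "namespace": "security-tools"},
    "subjects": [{"kind": "User", "name": "alice"}],
    "roleRef": {"kind": "Role", "name": "pod-reader"},
}


@dataclass(frozen=True)
class Request:
    """The attributes the apiserver extracts from an authenticated HTTP request."""
    user: str
    verb: str        # get, list, create, update, delete, ...
    resource: str    # pods, secrets, pods/log, ...
    namespace: str
    api_group: str = ""


def _matches(value, allowed):
    # RBAC rules may list "*" to match every value of a field.
    return "*" in allowed or value in allowed


def rule_allows(rule, req):
    """One rule grants the request only if group, resource and verb all match."""
    return (_matches(req.api_group, rule.get("apiGroups", []))
            and _matches(req.resource, rule.get("resources", []))
            and _matches(req.verb, rule.get("verbs", [])))


def authorize(req, roles, bindings):
    """Deny by default: allow only if some RoleBinding in the request's
    namespace names the user and references a Role with a matching rule.
    Rules are purely additive; there is no deny rule to evaluate."""
    roles_by_key = {(r["metadata"]["namespace"], r["metadata"]["name"]): r
                    for r in roles}
    for binding in bindings:
        if binding["metadata"]["namespace"] != req.namespace:
            continue
        if not any(s["kind"] == "User" and s["name"] == req.user
                   for s in binding["subjects"]):
            continue
        role = roles_by_key.get((req.namespace, binding["roleRef"]["name"]))
        if role is not None and any(rule_allows(r, req) for r in role["rules"]):
            return True
    return False


def decide(user, verb, resource, namespace):
    """Evaluate one request against the constructed policy above."""
    return authorize(Request(user, verb, resource, namespace),
                     [ROLE_POD_READER], [BINDING_ALICE])


if __name__ == "__main__":
    for args in [("alice", "get", "pods", "security-tools"),
                 ("alice", "list", "pods/log", "security-tools"),
                 ("alice", "delete", "pods", "security-tools"),  # verb not granted
                 ("alice", "get", "secrets", "security-tools"),  # resource not granted
                 ("alice", "get", "pods", "default"),            # wrong namespace
                 ("bob", "get", "pods", "security-tools")]:      # no binding
        print(*args, "->", "allow" if decide(*args) else "deny")
```

Two properties of this toy carry over to the real authorizer: the decision is deny-by-default, and rules are purely additive, so the only way to take a permission away is to stop granting it.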
100. Admission Controllers
- Intercept requests prior to object creation
- May mutate incoming request to apply system defaults
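What an admission chain does with a request, as an added example (not code from the talk or from Kubernetes): a mutating step fills in system defaults for fields the author left unset, then a validating step rejects the object if it still violates policy. The pod manifests, default values and policy are constructed; in a real cluster this logic lives in apiserver plugins or in webhooks that receive AdmissionReview objects, so the function names here are hypothetical. The securityContext fields it defaults and checks are the ones slide 109 recommends.

```python
import copy

# Constructed defaults the mutating step applies when a field is unset
# (the kind of thing the ServiceAccount and LimitRanger controllers do).
DEFAULT_SERVICE_ACCOUNT = "default"
DEFAULT_LIMITS = {"cpu": "500m", "memory": "256Mi"}
DEFAULT_CONTAINER_SECURITY_CONTEXT = {
    "runAsNonRoot": True,
    "readOnlyRootFilesystem": True,
    "allowPrivilegeEscalation": False,
}


class AdmissionDenied(Exception):
    pass


def mutate(pod):
    """Mutating admission: return a copy of the pod with defaults filled in.
    Fields the author set explicitly are never overwritten."""
    pod = copy.deepcopy(pod)
    spec = pod["spec"]
    spec.setdefault("serviceAccountName", DEFAULT_SERVICE_ACCOUNT)
    for c in spec["containers"]:
        c.setdefault("resources", {}).setdefault("limits", dict(DEFAULT_LIMITS))
        sc = c.setdefault("securityContext", {})
        for key, value in DEFAULT_CONTAINER_SECURITY_CONTEXT.items():
            sc.setdefault(key, value)
    return pod


def validate(pod):
    """Validating admission: raise AdmissionDenied listing every violation,
    so the requester sees all problems at once rather than one per retry."""
    problems = []
    spec = pod["spec"]
    for vol in spec.get("volumes", []):
        if "hostPath" in vol:
            problems.append(f"volume {vol['name']!r} mounts hostPath {vol['hostPath'].get('path')!r}")
    for c in spec["containers"]:
        sc = c.get("securityContext", {})
        if sc.get("privileged"):
            problems.append(f"container {c['name']!r} is privileged")
        if sc.get("runAsNonRoot") is not True:
            problems.append(f"container {c['name']!r} may run as root")
        if sc.get("readOnlyRootFilesystem") is not True:
            problems.append(f"container {c['name']!r} has a writable root filesystem")
    if problems:
        raise AdmissionDenied("; ".join(problems))


def admit(pod):
    """Run the chain in apiserver order: mutate first, then validate.
    Returns the object that would be persisted, or raises AdmissionDenied."""
    mutated = mutate(pod)
    validate(mutated)
    return mutated


def admission_outcome(pod):
    """Convenience wrapper: ('allowed', object) or ('denied', reason)."""
    try:
        return "allowed", admit(pod)
    except AdmissionDenied as e:
        return "denied", str(e)


# Constructed requests (not from the talk). A minimal scanner pod that relies
# on defaults, and a "debug" pod that asks for far too much.
SCANNER_POD = {
    "kind": "Pod",
    "metadata": {"name": "nmap-scanner", "namespace": "security-tools"},
    "spec": {"containers": [{"name": "nmap",
                             "image": "registry.example.internal/sec/nmap:7.92"}]},
}

PRIVILEGED_POD = {
    "kind": "Pod",
    "metadata": {"name": "debug", "namespace": "security-tools"},
    "spec": {
        "volumes": [{"name": "host", "hostPath": {"path": "/"}}],
        "containers": [{"name": "shell",
                        "image": "registry.example.internal/sec/shell:1",
                        "securityContext": {"privileged": True, "runAsNonRoot": False}}],
    },
}

if __name__ == "__main__":
    for pod in (SCANNER_POD, PRIVILEGED_POD):
        verdict, detail = admission_outcome(pod)
        print(pod["metadata"]["name"], "->", verdict, detail if verdict == "denied" else "")
```

The order matters: validation runs on the mutated object, so a pod that says nothing about its securityContext passes because the defaults were applied first, while a pod that explicitly opts out of them is rejected.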
103. K8S Secret Object
- Secrets can only be accessed by pods in the same namespace
- Secrets are only sent to nodes with pods that require it
- Not written to disk - stored on tmpfs
- Deleted once dependent pod is removed
104. Buyer Beware
- Secrets are stored in plaintext on the apiserver (etcd)
  - Protect etcd with your life
- Don't forget what OWASP taught you!
  - Secrets in logs, app security, etc.
- Anyone with root on any node can read secrets by impersonating kubelet
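Slides 103 and 104 together, as an added example that is not from the talk: a Secret built the way `kubectl create secret generic` builds one, the one-line decode that anyone with read access to the apiserver or etcd can apply (base64 is encoding, not encryption), and an audit of how a pod spec consumes Secrets that flags the environment-variable path the OWASP line is about. The Secret, the pod and the credentials are constructed; the audit function name is hypothetical.

```python
import base64


def make_secret(name, namespace, literals):
    """Build a Secret object the way `kubectl create secret generic` does:
    each value is base64-encoded into .data. This is encoding, not encryption."""
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name, "namespace": namespace},
        "type": "Opaque",
        "data": {k: base64.b64encode(v.encode()).decode("ascii")
                 for k, v in literals.items()},
    }


def reveal(secret):
    """What anyone who can read the object (apiserver, etcd, a node
    impersonating its kubelet) gets back: the plaintext values."""
    return {k: base64.b64decode(v).decode() for k, v in secret["data"].items()}


def audit_secret_usage(pod):
    """Report how each container in a pod spec consumes Secrets.
    Env-var injection is flagged: the environment is inherited by every child
    process and tends to surface in crash dumps and debug output (the
    'secrets in logs' failure the slide warns about). Volume mounts are
    reported and checked for readOnly."""
    findings = []
    secret_volumes = {v["name"]: v["secret"]["secretName"]
                      for v in pod["spec"].get("volumes", []) if "secret" in v}
    for c in pod["spec"]["containers"]:
        for env in c.get("env", []):
            ref = env.get("valueFrom", {}).get("secretKeyRef")
            if ref:
                findings.append(("env", c["name"], ref["name"],
                                 f"key {ref['key']!r} injected as ${env['name']}"))
        for src in c.get("envFrom", []):
            if "secretRef" in src:
                findings.append(("env", c["name"], src["secretRef"]["name"],
                                 "entire Secret injected as environment"))
        for m in c.get("volumeMounts", []):
            if m["name"] in secret_volumes:
                mode = "read-only" if m.get("readOnly") else "writable mount (set readOnly: true)"
                findings.append(("volume", c["name"], secret_volumes[m["name"]],
                                 f"{m['mountPath']} {mode}"))
    return findings


# Constructed example objects (not from the talk).
DB_SECRET = make_secret("scanner-db", "security-tools",
                        {"username": "scanner", "password": "correct horse battery staple"})

SCANNER_POD = {
    "kind": "Pod",
    "metadata": {"name": "scanner", "namespace": "security-tools"},
    "spec": {
        "volumes": [{"name": "db-creds", "secret": {"secretName": "scanner-db"}}],
        "containers": [
            # Consumes the password as an environment variable: flagged.
            {"name": "web", "image": "registry.example.internal/sec/web:1",
             "env": [{"name": "DB_PASSWORD",
                      "valueFrom": {"secretKeyRef": {"name": "scanner-db", "key": "password"}}}]},
            # Consumes the same Secret as a read-only tmpfs mount.
            {"name": "worker", "image": "registry.example.internal/sec/worker:1",
             "volumeMounts": [{"name": "db-creds", "mountPath": "/var/run/secrets/db",
                               "readOnly": True}]},
        ],
    },
}

if __name__ == "__main__":
    print("stored:   ", DB_SECRET["data"])
    print("recovered:", reveal(DB_SECRET))
    for kind, container, secret, detail in audit_secret_usage(SCANNER_POD):
        print(f"[{kind}] {container} uses {secret}: {detail}")
```

The "stored" line is exactly what sits in etcd for this object, which is why the slide says to protect etcd: whoever can read it can call reveal().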
105. Vault
- It works! But no official K8S support (yet)
- API driven, do what you will
- Customize your deployment
109. Security Hygiene
- Restrict SSH access to nodes
- Only use trusted images
- Regularly apply updates to your K8S environment (including kubectl)
- Log all of the things
- Apply SecurityContext to deployments
  - runAsNonRoot, readOnlyRootFilesystem
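The "only use trusted images" item, as an added example that is not from the talk: a parser for container image references following the rules of the Docker reference grammar (a leading path component is a registry only if it contains a dot or a colon or is localhost; otherwise the image lives under docker.io, with single-component names under library/), plus a policy check requiring every container and init container to come from an allowlisted registry and to be pinned to a digest. The allowlist, the pod and the digest value are constructed, and the function names are hypothetical.

```python
import re
from dataclasses import dataclass
from typing import Optional

DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")


@dataclass(frozen=True)
class ImageRef:
    registry: str
    repository: str
    tag: Optional[str]
    digest: Optional[str]


def parse_image(ref):
    """Split an image reference into registry/repository/tag/digest using the
    rules of the Docker reference grammar: the first path component is a
    registry host only if it contains '.' or ':' or is 'localhost'; otherwise
    docker.io is assumed, and a single-component name maps to 'library/<name>'."""
    original, digest = ref, None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
        if not DIGEST_RE.match(digest):
            raise ValueError(f"malformed digest in {original!r}")
    # A tag is the text after a ':' in the final path component only, so a
    # registry port ("localhost:5000/foo") is not mistaken for a tag.
    name, tag = ref, None
    if ":" in ref[ref.rfind("/") + 1:]:
        name, tag = ref.rsplit(":", 1)
    first, _, rest = name.partition("/")
    if rest and ("." in first or ":" in first or first == "localhost"):
        registry, repository = first, rest
    else:
        registry, repository = "docker.io", name
        if "/" not in repository:
            repository = "library/" + repository
    return ImageRef(registry, repository, tag, digest)


# Constructed policy (not from the talk): registries we trust, and whether
# every image must be pinned to a digest. Tags are mutable; a digest is
# content-addressed, so what ran in test is what runs in prod.
TRUSTED_REGISTRIES = {"registry.example.internal"}
REQUIRE_DIGEST = True


def check_pod_images(pod, trusted=TRUSTED_REGISTRIES, require_digest=REQUIRE_DIGEST):
    """Return a list of (container, problem) for images that fail policy.
    An empty list means the pod passes. Init containers are checked too:
    they run with the same node access as the main containers."""
    problems = []
    containers = pod["spec"].get("initContainers", []) + pod["spec"]["containers"]
    for c in containers:
        try:
            img = parse_image(c["image"])
        except ValueError as e:
            problems.append((c["name"], str(e)))
            continue
        if img.registry not in trusted:
            problems.append((c["name"], f"registry {img.registry!r} not in allowlist"))
        if require_digest and img.digest is None:
            problems.append((c["name"], f"image {c['image']!r} is not pinned to a digest"))
    return problems


# Constructed pod; the digest below is a placeholder value, not a real image.
PINNED = "registry.example.internal/sec/nmap:7.92@sha256:" + "ab" * 32

SAMPLE_POD = {
    "kind": "Pod",
    "metadata": {"name": "scanner", "namespace": "security-tools"},
    "spec": {
        "initContainers": [{"name": "fetch-rules", "image": "busybox"}],
        "containers": [
            {"name": "nmap", "image": PINNED},
            {"name": "sidecar", "image": "registry.example.internal/sec/logship:latest"},
        ],
    },
}

if __name__ == "__main__":
    for name, problem in check_pod_images(SAMPLE_POD):
        print(f"{name}: {problem}")
```

Run as a CI gate or as a validating admission check, this catches the two common slips: a bare "busybox" that silently resolves to a public registry, and a ":latest" tag from the right registry that can change underneath you.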
125. - Maintain one K8S cluster
- Deploy and scale security tooling
- DevSecOps all the things
- We are part of this container journey together
Security can be an enabler