Original presentation on JAX DevOps, this is the shorter version for Kubernetes Helsinki MeetUp.

1. www.kontena.ioKubernetes Meetup Helsinki June 2019 // Removing the scissors - Making K8S safe for DevOps www.kontena.ioKubernetes Meetup Helsinki June 2019 // Removing the scissors - Making K8S safe for DevOps
Taking the scissors away
Make your K8S cluster safe for DevOps

2. www.kontena.ioKubernetes Meetup Helsinki June 2019 // Removing the scissors - Making K8S safe for DevOps
Well, safer at least

3. www.kontena.ioKubernetes Meetup Helsinki June 2019 // Removing the scissors - Making K8S safe for DevOps
Topics
Scissors, scissors everywhere
Securing the cluster kernel
RBAC, the pains and gains
Enforcing workload configuration
No one likes hoarders

4. www.kontena.ioKubernetes Meetup Helsinki June 2019 // Removing the scissors - Making K8S safe for DevOps

5. www.kontena.ioKubernetes Meetup Helsinki June 2019 // Removing the scissors - Making K8S safe for DevOps https://commons.wikimedia.org/wiki/File:Kookie_Studio_Mixer.JPG

6. www.kontena.ioKubernetes Meetup Helsinki June 2019 // Removing the scissors - Making K8S safe for DevOps
Root vs. non-root
86% of images in Docker Hub use root
Root is root
Userns remap not available in K8S

7. www.kontena.ioKubernetes Meetup Helsinki June 2019 // Removing the scissors - Making K8S safe for DevOps
Capabilities
Fine grained permission checks
Lot of default caps
Privileged == all caps

8. www.kontena.ioKubernetes Meetup Helsinki June 2019 // Removing the scissors - Making K8S safe for DevOps

9. www.kontena.ioKubernetes Meetup Helsinki June 2019 // Removing the scissors - Making K8S safe for DevOps https://www.flickr.com/photos/jdickert/1270880225

10. www.kontena.ioKubernetes Meetup Helsinki June 2019 // Removing the scissors - Making K8S safe for DevOps By Source (WP:NFCC#4), Fair use, https://en.wikipedia.org/w/index.php?curid=19565850

11. www.kontena.ioKubernetes Meetup Helsinki June 2019 // Removing the scissors - Making K8S safe for DevOps
Securing cluster kernel
Use benchmark tools
Lock all doors by default
Auth complexity

12. www.kontena.ioKubernetes Meetup Helsinki June 2019 // Removing the scissors - Making K8S safe for DevOps
Things to watch out
Auth configured properly
Everything has proper TLS
No exposed APIs
...

13. www.kontena.ioKubernetes Meetup Helsinki June 2019 // Removing the scissors - Making K8S safe for DevOps
RBAC
Who can do what?
Super fine grained
Scoped

14. www.kontena.ioKubernetes Meetup Helsinki June 2019 // Removing the scissors - Making K8S safe for DevOps

15. www.kontena.ioKubernetes Meetup Helsinki June 2019 // Removing the scissors - Making K8S safe for DevOps
RBAC - Pains
Fine grained controls
Sea of YAML
What can I do?

16. www.kontena.ioKubernetes Meetup Helsinki June 2019 // Removing the scissors - Making K8S safe for DevOps
RBAC - Helpers
RBAC Manager
kubectl-who-can

17. www.kontena.ioKubernetes Meetup Helsinki June 2019 // Removing the scissors - Making K8S safe for DevOps
No root allowed

18. www.kontena.ioKubernetes Meetup Helsinki June 2019 // Removing the scissors - Making K8S safe for DevOps
Pod Security Policy
Control for Pod security aspects
An Admission Controller
Enforcer
Can also set some defaults

19. www.kontena.ioKubernetes Meetup Helsinki June 2019 // Removing the scissors - Making K8S safe for DevOps

20. www.kontena.ioKubernetes Meetup Helsinki June 2019 // Removing the scissors - Making K8S safe for DevOps
PSP - Pains
Easy to cap your cluster
Enforced policy selected via RBAC
When did you last create a pod?

21. www.kontena.ioKubernetes Meetup Helsinki June 2019 // Removing the scissors - Making K8S safe for DevOps

22. www.kontena.ioKubernetes Meetup Helsinki June 2019 // Removing the scissors - Making K8S safe for DevOps https://www.flickr.com/photos/71622328@N08/36359861566

23. www.kontena.ioKubernetes Meetup Helsinki June 2019 // Removing the scissors - Making K8S safe for DevOps
Resource Quota
Limit aggregate resource consumption
Scoped per namespace
YAAC - YetAnotherAdmissionController

24. www.kontena.ioKubernetes Meetup Helsinki June 2019 // Removing the scissors - Making K8S safe for DevOps
Limits on
CPU
MEM
Storage
Object counts

25. www.kontena.ioKubernetes Meetup Helsinki June 2019 // Removing the scissors - Making K8S safe for DevOps

26. www.kontena.ioKubernetes Meetup Helsinki June 2019 // Removing the scissors - Making K8S safe for DevOps

27. www.kontena.ioKubernetes Meetup Helsinki June 2019 // Removing the scissors - Making K8S safe for DevOps www.kontena.ioKubernetes Meetup Helsinki June 2019 // Removing the scissors - Making K8S safe for DevOps
Putting all this together

28. www.kontena.ioKubernetes Meetup Helsinki June 2019 // Removing the scissors - Making K8S safe for DevOps
Secure cluster kernel
Auth
RBAC
ALL components secured

29. www.kontena.ioKubernetes Meetup Helsinki June 2019 // Removing the scissors - Making K8S safe for DevOps
Namespaces FTW, ensure:
Resource Quotas
PSP setup properly
Network Policies
LimitRanges

30. www.kontena.ioKubernetes Meetup Helsinki June 2019 // Removing the scissors - Making K8S safe for DevOps
Customize K8S
Custom operators
Operator SDK
Custom admission webhooks

31. www.kontena.ioKubernetes Meetup Helsinki June 2019 // Removing the scissors - Making K8S safe for DevOps
Operator Framework
Operator running in the cluster
Reacts to changes of specific objects
Can setup ”adjacent” resources
Namespace created à configure it

32. www.kontena.ioKubernetes Meetup Helsinki June 2019 // Removing the scissors - Making K8S safe for DevOps www.kontena.ioKubernetes Meetup Helsinki June 2019 // Removing the scissors - Making K8S safe for DevOps
Thank you!