Taking the scissors away - Make K8S safe(er) for DevOps (shorter version)
www.kontena.io | Kubernetes Meetup Helsinki, June 2019 // Removing the scissors - Making K8S safe for DevOps
Taking the scissors away
Make your K8S cluster safe for DevOps
Topics
Scissors, scissors everywhere
Securing the cluster kernel
RBAC, the pains and gains
Enforcing workload configuration
No one likes hoarders
Root vs. non-root
86% of images on Docker Hub run as root
Root is root: uid 0 inside the container is uid 0 on the node the moment the container boundary fails
User namespace remapping (userns-remap) is not available in K8S
Capabilities
Fine-grained permission checks: root's power split into separate bits
Lots of capabilities granted by default (the container runtime's default set)
Privileged == all capabilities, plus access to host devices
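To see what "lots of default caps" and "privileged == all caps" mean in practice, here is an added example (not from the talk) that decodes a capability bitmask the way it appears on the CapEff line of /proc/&lt;pid&gt;/status. The two masks are constructed: the first is the container runtime's default effective set, the second is the privileged set on a kernel with 38 capabilities. The RISKY set is my own selection of capabilities worth flagging.

```python
"""Decode Linux capability bitmasks (the CapEff/CapBnd lines in /proc/<pid>/status)."""
import re

# Capability names indexed by bit number, per include/uapi/linux/capability.h.
CAP_NAMES = [
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
    "CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP",
    "CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST",
    "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
    "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
    "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD",
    "CAP_LEASE", "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP",
    "CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM",
    "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ", "CAP_PERFMON", "CAP_BPF",
    "CAP_CHECKPOINT_RESTORE",
]

# Constructed masks: the runtime default set (14 caps) and privileged on a 38-cap kernel.
DOCKER_DEFAULT_EFF = 0x00000000A80425FB
PRIVILEGED_EFF_38 = 0x0000003FFFFFFFFF

# My selection of capabilities that deserve a second look in a workload (assumption, not a standard list).
RISKY = {"CAP_SYS_ADMIN", "CAP_SYS_PTRACE", "CAP_SYS_MODULE", "CAP_SYS_RAWIO",
         "CAP_DAC_READ_SEARCH", "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_SYS_BOOT"}

# Constructed /proc/<pid>/status excerpt for a process with the default set.
SAMPLE_STATUS = """Name:\tsh
Uid:\t0\t0\t0\t0
CapInh:\t00000000a80425fb
CapPrm:\t00000000a80425fb
CapEff:\t00000000a80425fb
CapBnd:\t00000000a80425fb
CapAmb:\t0000000000000000
Seccomp:\t2
"""


def decode_caps(mask):
    """Return the capability names whose bit is set in `mask`, lowest bit first."""
    names = []
    bit = 0
    while mask >> bit:
        if (mask >> bit) & 1:
            # Bits beyond our table come from a newer kernel; keep them visible by number.
            names.append(CAP_NAMES[bit] if bit < len(CAP_NAMES) else "CAP_%d" % bit)
        bit += 1
    return names


def parse_status(text):
    """Extract every Cap* line from /proc/<pid>/status content as {name: int}."""
    caps = {}
    for line in text.splitlines():
        m = re.match(r"^(Cap\w+):\s*([0-9a-fA-F]+)$", line)
        if m:
            caps[m.group(1)] = int(m.group(2), 16)
    return caps


def read_own_caps(path="/proc/self/status"):
    """Capabilities of the running process; empty on non-Linux hosts."""
    try:
        with open(path) as f:
            return parse_status(f.read())
    except OSError:
        return {}


def risky(names):
    """Which of the decoded capabilities are in the RISKY set."""
    return sorted(set(names) & RISKY)


if __name__ == "__main__":
    for label, mask in (("default", DOCKER_DEFAULT_EFF), ("privileged", PRIVILEGED_EFF_38)):
        caps = decode_caps(mask)
        print("%s: %d caps, risky: %s" % (label, len(caps), risky(caps)))
    own = read_own_caps()
    if "CapEff" in own:
        print("this process: %s" % decode_caps(own["CapEff"]))
```

Running it inside a container compares the container's own effective set against the two reference masks; CAP_NET_RAW is the one default capability the RISKY set flags, which is why a drop: [ALL] baseline is the usual starting point.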
Securing the cluster kernel
Use benchmark tools (CIS Kubernetes Benchmark checkers)
Lock all doors by default: nothing anonymous, nothing unauthenticated
Authentication and authorization complexity
Things to watch out for
Authentication and authorization configured properly
Everything has proper TLS (API server, kubelet, etcd)
No exposed APIs (insecure API server port, kubelet ports, dashboards)
...
RBAC - Pains
Fine-grained controls, which means many roles and bindings to write
Sea of YAML
What can I do? Hard to answer by reading bindings (kubectl auth can-i --list helps)
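The "what can I do?" question is answered by combining bindings and rules in a specific way: a RoleBinding only counts inside its namespace, a ClusterRoleBinding counts everywhere, and resourceNames turn a rule into a per-object grant. The evaluator below is an added example (not the talk's code) that applies those rules offline to constructed roles and bindings; the role names, groups and users are invented.

```python
"""Minimal RBAC evaluator: answer 'can I' / 'what can I do' from Role and Binding manifests."""

# Constructed manifests. Key: (kind, namespace or None for ClusterRole, name) -> rules.
ROLES = {
    ("ClusterRole", None, "dev-edit"): [
        {"apiGroups": ["", "apps"], "resources": ["pods", "deployments", "services"],
         "verbs": ["get", "list", "watch", "create", "update", "patch", "delete"]},
    ],
    ("ClusterRole", None, "cluster-admin"): [
        {"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]},
    ],
    # A namespaced Role that only allows 'use' of one named PodSecurityPolicy.
    ("Role", "team-a", "psp-restricted-user"): [
        {"apiGroups": ["policy"], "resources": ["podsecuritypolicies"],
         "verbs": ["use"], "resourceNames": ["restricted"]},
    ],
}
BINDINGS = [
    {"kind": "RoleBinding", "namespace": "team-a", "roleRef": ("ClusterRole", "dev-edit"),
     "subjects": [{"kind": "Group", "name": "team-a-devs"}]},
    {"kind": "RoleBinding", "namespace": "team-a", "roleRef": ("Role", "psp-restricted-user"),
     "subjects": [{"kind": "ServiceAccount", "namespace": "team-a", "name": "default"}]},
    {"kind": "ClusterRoleBinding", "roleRef": ("ClusterRole", "cluster-admin"),
     "subjects": [{"kind": "User", "name": "alice"}]},
]


def subject_matches(subject, who):
    """`who` is {"user": name, "groups": [...]} as the authenticator would present it."""
    kind = subject["kind"]
    if kind == "User":
        return who["user"] == subject["name"]
    if kind == "Group":
        return subject["name"] in who.get("groups", [])
    if kind == "ServiceAccount":
        return who["user"] == "system:serviceaccount:%s:%s" % (subject["namespace"], subject["name"])
    return False


def rule_allows(rule, group, resource, verb, name):
    if "*" not in rule["apiGroups"] and group not in rule["apiGroups"]:
        return False
    if "*" not in rule["resources"] and resource not in rule["resources"]:
        return False
    if "*" not in rule["verbs"] and verb not in rule["verbs"]:
        return False
    names = rule.get("resourceNames", [])
    # A name-restricted rule never matches a request without a name (list, create, watch).
    if names and name not in names:
        return False
    return True


def effective_rules(who, namespace):
    """Rules in force for `who` in `namespace` (None means a cluster-scoped request)."""
    rules = []
    for b in BINDINGS:
        if not any(subject_matches(s, who) for s in b["subjects"]):
            continue
        if b["kind"] == "RoleBinding" and b.get("namespace") != namespace:
            continue  # a namespaced binding grants nothing outside its namespace
        kind, name = b["roleRef"]
        key = (kind, b.get("namespace") if kind == "Role" else None, name)
        rules.extend(ROLES.get(key, []))  # a dangling roleRef grants nothing
    return rules


def can_i(who, verb, resource, namespace=None, group="", name=None):
    return any(rule_allows(r, group, resource, verb, name) for r in effective_rules(who, namespace))


def what_can_i_do(who, namespace):
    """Flatten the effective rules into sorted (group, resource, verb, resourceNames) tuples."""
    out = set()
    for r in effective_rules(who, namespace):
        for g in r["apiGroups"]:
            for res in r["resources"]:
                for v in r["verbs"]:
                    out.add((g, res, v, tuple(r.get("resourceNames", []))))
    return sorted(out)


if __name__ == "__main__":
    bob = {"user": "bob", "groups": ["team-a-devs", "system:authenticated"]}
    for line in what_can_i_do(bob, "team-a"):
        print(line)
```

The ServiceAccount case mirrors how PodSecurityPolicy selection works: the pod's service account, not the developer, is the subject whose `use` permission on a named policy decides whether the pod is admitted.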
Pod Security Policy
Controls Pod security aspects: privileged, host namespaces, hostPath volumes, capabilities, runAsUser
An admission controller
Enforcer: rejects pods that no usable policy accepts
Can also set some defaults when the manifest is silent (e.g. required dropped capabilities)
PSP - Pains
Easy to cripple your cluster: enable the admission controller without a policy the system components can use and nothing gets scheduled
Enforced policy selected via RBAC: a pod is admitted if its creator or its service account can "use" a policy that accepts it
When did you last create a pod? Usually a controller does, so the service account's bindings decide, not the developer's
Resource Quota
Limit aggregate resource consumption (CPU, memory, object counts)
Scoped per namespace
YAAC - Yet Another Admission Controller: once a quota covers CPU or memory, pods without requests/limits are rejected unless a LimitRange defaults them
Putting all this together
Namespaces FTW, ensure:
Resource Quotas
PSP set up properly (a policy the namespace's service accounts can use)
Network Policies
LimitRanges
Customize K8S
Custom operators
Operator SDK
Custom admission webhooks
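The PSP slides above describe an admission controller that both enforces and defaults; a custom admission webhook lets you do the same with your own rules. The handler below is an added example (not the talk's or Kontena's code): it takes an admission.k8s.io/v1 AdmissionReview, applies restrictive defaults (runAsNonRoot, no privilege escalation, drop ALL capabilities), validates the result, and either denies with a reason or returns a JSON Patch. The allowed add-back capability set and the sample pods are assumptions. It deliberately ignores request.userInfo, because, as the "when did you last create a pod?" slide notes, the requester is usually a controller.

```python
"""Mutate-then-validate Pod admission handler in the spirit of PodSecurityPolicy."""
import base64
import copy
import json

# Assumption: the only capability a workload may add back on top of drop: [ALL].
ALLOWED_ADD_CAPS = {"NET_BIND_SERVICE"}


def all_containers(spec):
    return spec.get("initContainers", []) + spec.get("containers", [])


def default_pod(pod):
    """Mutating half: restrictive defaults where the manifest is silent; never overrides explicit values."""
    patched = copy.deepcopy(pod)
    spec = patched.setdefault("spec", {})
    # runAsNonRoot makes the kubelet refuse to start an image whose USER is root ("root is root").
    spec.setdefault("securityContext", {}).setdefault("runAsNonRoot", True)
    for c in all_containers(spec):
        sc = c.setdefault("securityContext", {})
        sc.setdefault("allowPrivilegeEscalation", False)
        sc.setdefault("capabilities", {}).setdefault("drop", ["ALL"])
    return patched


def violations(pod):
    """Validating half: human-readable reasons; an empty list means admit."""
    spec = pod.get("spec", {})
    psc = spec.get("securityContext", {})
    out = []
    for flag in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(flag):
            out.append("spec.%s is not allowed" % flag)
    for vol in spec.get("volumes", []):
        if "hostPath" in vol:
            out.append("volume %r mounts a hostPath" % vol.get("name"))
    if psc.get("runAsUser") == 0 or psc.get("runAsNonRoot") is False:
        out.append("pod securityContext runs as root")
    for c in all_containers(spec):
        sc = c.get("securityContext", {})
        name = c.get("name", "?")
        if sc.get("privileged"):
            out.append("container %r is privileged" % name)
        if sc.get("allowPrivilegeEscalation") is not False:
            out.append("container %r allows privilege escalation" % name)
        if sc.get("runAsUser") == 0 or sc.get("runAsNonRoot") is False:
            out.append("container %r runs as root" % name)
        extra = set(sc.get("capabilities", {}).get("add", [])) - ALLOWED_ADD_CAPS
        if extra:
            out.append("container %r adds capabilities %s" % (name, sorted(extra)))
    return out


def review(admission_review):
    """Handle one AdmissionReview for Pod CREATE/UPDATE and return the response envelope."""
    req = admission_review["request"]
    resp = {"uid": req["uid"], "allowed": True}
    if req.get("kind", {}).get("kind") == "Pod" and req.get("operation") in ("CREATE", "UPDATE"):
        pod = req["object"]
        patched = default_pod(pod)
        problems = violations(patched)  # validate what would actually be persisted
        if problems:
            resp["allowed"] = False
            resp["status"] = {"code": 403, "message": "; ".join(problems)}
        elif patched != pod:
            # One whole-spec "add" (which replaces an existing member per RFC 6902)
            # avoids path bookkeeping for parents that are absent in the original.
            patch = [{"op": "add", "path": "/spec", "value": patched["spec"]}]
            resp["patchType"] = "JSONPatch"
            resp["patch"] = base64.b64encode(json.dumps(patch).encode()).decode()
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview", "response": resp}


def decode_patch(response):
    """Decode the base64 JSON Patch from a response (None when no patch was returned)."""
    if "patch" not in response:
        return None
    return json.loads(base64.b64decode(response["patch"]))


def make_review(pod, uid="uid-1", operation="CREATE"):
    """Constructed AdmissionReview wrapper so the handler can be exercised offline."""
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
            "request": {"uid": uid, "operation": operation, "object": pod,
                        "kind": {"group": "", "version": "v1", "kind": "Pod"},
                        "userInfo": {"username": "system:serviceaccount:kube-system:replicaset-controller"}}}


if __name__ == "__main__":
    silent = {"metadata": {"name": "web"}, "spec": {"containers": [{"name": "app", "image": "nginx"}]}}
    print(json.dumps(review(make_review(silent))["response"], indent=2))
```

Wrapping `review` in an HTTPS server (the API server only talks TLS to webhooks) and registering it via a MutatingWebhookConfiguration is the deployment step not shown here. Validating the patched object rather than the original is what keeps a single handler consistent: a silent manifest becomes admissible through defaults, an explicit `privileged: true` never does.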
Operator Framework
Operator running in the cluster
Reacts to changes of specific objects
Can set up "adjacent" resources
Namespace created -> configure it (quota, limits, network policy, RBAC bindings)
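Putting the "Namespaces FTW" checklist and the "namespace created -> configure it" operator idea together, here is an added example (not the talk's or Kontena's code) of the reconcile step such an operator runs on every Namespace event: it computes the adjacent resources that should exist and returns only the ones still missing, so repeated runs are idempotent. The quota sizes, the `team` label, the `managed-by` label and the existence of a ClusterRole named `psp:restricted` that grants `use` on a restricted PodSecurityPolicy are assumptions; the API client that would create the returned manifests is not shown.

```python
"""Reconcile step of a namespace-provisioning operator (constructed example)."""

SYSTEM_NAMESPACES = {"kube-system", "kube-public", "kube-node-lease"}
RBAC = "rbac.authorization.k8s.io"


def meta(name, namespace):
    return {"name": name, "namespace": namespace, "labels": {"managed-by": "ns-operator"}}


def desired_resources(ns):
    """Everything a freshly created namespace should get, derived from the Namespace object."""
    name = ns["metadata"]["name"]
    team = ns["metadata"].get("labels", {}).get("team")  # assumption: owning group in a 'team' label
    wanted = [
        {"apiVersion": "v1", "kind": "ResourceQuota", "metadata": meta("default-quota", name),
         "spec": {"hard": {"requests.cpu": "4", "requests.memory": "8Gi",
                           "limits.cpu": "8", "limits.memory": "16Gi", "pods": "50"}}},
        # LimitRange gives pods that omit requests/limits a value, so the quota does not reject them.
        {"apiVersion": "v1", "kind": "LimitRange", "metadata": meta("default-limits", name),
         "spec": {"limits": [{"type": "Container",
                              "defaultRequest": {"cpu": "100m", "memory": "128Mi"},
                              "default": {"cpu": "500m", "memory": "256Mi"},
                              "max": {"cpu": "2", "memory": "2Gi"}}]}},
        # Default deny in both directions, keeping only DNS egress so pods can still resolve names.
        {"apiVersion": "networking.k8s.io/v1", "kind": "NetworkPolicy",
         "metadata": meta("default-deny", name),
         "spec": {"podSelector": {}, "policyTypes": ["Ingress", "Egress"],
                  "egress": [{"to": [{"namespaceSelector": {},
                                      "podSelector": {"matchLabels": {"k8s-app": "kube-dns"}}}],
                              "ports": [{"protocol": "UDP", "port": 53},
                                        {"protocol": "TCP", "port": 53}]}]}},
        # Assumption: ClusterRole 'psp:restricted' grants 'use' on the restricted PodSecurityPolicy.
        # Binding it to the namespace's service-account group is what selects the policy via RBAC.
        {"apiVersion": RBAC + "/v1", "kind": "RoleBinding", "metadata": meta("psp-restricted", name),
         "roleRef": {"apiGroup": RBAC, "kind": "ClusterRole", "name": "psp:restricted"},
         "subjects": [{"apiGroup": RBAC, "kind": "Group", "name": "system:serviceaccounts:" + name}]},
    ]
    if team:
        wanted.append({"apiVersion": RBAC + "/v1", "kind": "RoleBinding",
                       "metadata": meta("team-edit", name),
                       "roleRef": {"apiGroup": RBAC, "kind": "ClusterRole", "name": "edit"},
                       "subjects": [{"apiGroup": RBAC, "kind": "Group", "name": team}]})
    return wanted


def reconcile_namespace(ns, existing):
    """`existing` is the set of (kind, name) already present in the namespace, as a lister would report."""
    name = ns["metadata"]["name"]
    if name in SYSTEM_NAMESPACES or ns["metadata"].get("deletionTimestamp"):
        return []  # never touch system namespaces or namespaces being torn down
    return [r for r in desired_resources(ns)
            if (r["kind"], r["metadata"]["name"]) not in existing]


if __name__ == "__main__":
    ns = {"apiVersion": "v1", "kind": "Namespace",
          "metadata": {"name": "team-a", "labels": {"team": "team-a-devs"}}}
    for r in reconcile_namespace(ns, existing=set()):
        print(r["kind"], r["metadata"]["name"])
```

Computing the full desired set and subtracting what exists is the part that makes the operator safe to re-run on every watch event; the same function also repairs a namespace where someone deleted the default-deny policy by hand.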
Thank you!