
Deploying Kubernetes without scaring off your security team - KubeCon 2017


Kubernetes provides plenty of enhancements for deploying software, but it can cause anxiety on the corporate security team. This talk explains how to approach your security team and how to push them to provide guardrails, not deployments.



  1. Deploying Kubernetes without scaring away your security team. Paul Czarkowski, Pivotal Software (@pczarkowski); Major Hayden, Rackspace (@majorhayden)
  2. Deploying Kubernetes Without Scaring Away Your Security Team. Paul Czarkowski: Principal Technologist @ Pivotal, always doing things and promoting agile synergistic principles that resonate down the value chain. Major Hayden: Principal Architect @ Rackspace, secures OpenStack/Kubernetes clouds and owns far too many domain names (including icanhazip.com).
  3. (image slide) Photo credit: Pixabay
  4. Your first day back at the office talking about Kubernetes feels like this. Photo credit: Pixabay
  5. Talking to your corporate security team about Kubernetes feels more like this. Photo credit: Breaking Bad Wikia
  6. Enterprise security teams demand security layers that are: • Valuable • Non-disruptive • Documented • Auditable • Easily understood
  7. DevOps / Security / Automated Infrastructure: find a way to get here (diagram).
  8. Security requirements and restrictions should be guardrails, not roadblocks. Photo credit: Wikipedia
  9. PUBLIC SERVICE ANNOUNCEMENT: Always enable Linux Security Modules (like SELinux or AppArmor) in your container deployments.
  10. SERIOUSLY. STOP DISABLING SELINUX.
  11. Luckily, there are tools that help with many of these challenges.
  12. Ansible (https://www.ansible.com/): • Orchestration • Configuration management • Software deployment • Stackable building blocks • Everything as code
  13. Ansible explained in three bullets: • Each task does one thing • Tasks are grouped into roles • Playbooks apply one or more roles to one or more servers (diagram: a playbook contains roles, each role contains tasks)
  14. Ansible is simple: • Tasks are read one at a time, top-down • Tasks are written in YAML • No need for dependency chaining or complex ordering • Simple inventory system
  15. Ansible is versatile: • Automates containers, virtual machines, servers, network devices, clouds, laptops • No daemons or complex dependencies • Got Python installed on your nodes? You're ready.
  16. Ansible is repeatable: • A playbook can be run repeatedly with the same results • Ansible can audit a system and show potential changes before making them
  17. Ansible playbook (example slide)
  18. Networking as code (example slide)
  19. Infrastructure as code (example slide)
  20. Infrastructure as code (example slide)
  21. Ansible Tower: • Adds reporting/accountability • Dashboards • Scheduled jobs • Multi-playbook workflows
  22. ansible-hardening (https://github.com/openstack/ansible-hardening): • Applies and audits over 180 controls from the STIG* in a few minutes • Supports CentOS/RHEL 7, Debian, Fedora, OpenSUSE, and Ubuntu 16.04 • Fully open source and looking for new contributors/testers. * The Security Technical Implementation Guide (STIG) is a set of hardening configurations for various systems published by the US Department of Defense.
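The slides above describe Ansible only in bullets (one task does one thing, roles group tasks, playbooks apply roles to hosts, and a playbook can audit before it changes anything) and then tell you never to disable SELinux and to use ansible-hardening. The playbook below is an added example, not from the talk or the ansible-hardening project, that turns those points into one small guardrail; it assumes an inventory group named `k8s_nodes` of CentOS/RHEL 7 hosts and that the openstack/ansible-hardening role has been installed locally under the role name `ansible-hardening` (both names are assumptions of this example).

```yaml
# Added example (not the talk's or the project's code).
# Assumptions: inventory group "k8s_nodes" (CentOS/RHEL 7) and a locally
# installed copy of openstack/ansible-hardening named "ansible-hardening".
---
- name: Guardrail - Linux Security Modules stay enabled on Kubernetes nodes
  hosts: k8s_nodes
  become: true
  tasks:
    # Each task does exactly one thing and is idempotent: re-running the play
    # on a compliant node reports no changes.
    - name: Install the SELinux bindings the selinux module relies on
      package:
        name:
          - libselinux-python
          - policycoreutils
        state: present

    - name: Set SELinux to enforcing with the targeted policy (persisted in /etc/selinux/config)
      selinux:
        policy: targeted
        state: enforcing

    # Verification runs even under --check (check_mode: false) so an audit run
    # still reports the live mode. A node that booted with SELinux disabled
    # stays "Disabled" until it reboots, so this task fails until that happens,
    # which is the result a security reviewer wants to see.
    - name: Verify the running SELinux mode and fail if it is not enforcing
      command: getenforce
      register: selinux_mode
      changed_when: false
      check_mode: false
      failed_when: selinux_mode.stdout != 'Enforcing'

# A second play applies the STIG controls from the slide above via a role,
# keeping the hardening itself out of this playbook's task list.
- name: Apply and audit STIG controls with ansible-hardening
  hosts: k8s_nodes
  become: true
  roles:
    - role: ansible-hardening   # assumed local role name, see lead-in
```

Run it first as `ansible-playbook --check --diff guardrail.yml` to get the "show potential changes before making them" audit the slides promise, then without `--check` to enforce; the same run log is what you hand to the security team as evidence.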
  23. InSpec (https://www.inspec.io): • Compliance as code • Ruby DSL for testing desired state • Ansible to install InSpec • Ansible to deploy InSpec rules • Sensu check / PagerDuty alert • InSpec logs to ELK for audit
  24. (image slide)
  25. Example InSpec rule: https://github.com/inspec-stigs/inspec-stig-rhel7
  26. Compliance as Code (example slide)
  27. Cuttle (pronounced "Cuddle", https://github.com/sitectl/cuttle), an ops platform as code: • 2FA SSH bastion • OAuth web portal • Centralized logging (ELK) • Centralized monitoring (Sensu) • Builds / tests / jobs (Jenkins) • Mirrors (ubuntu, pypi, rubygems) • and a LOT MORE!
  28. (image slide)
  29. (image slide)
  30. (image slide)
  31. Cuttle bastion: • SSH (obviously!) • 2FA (Google Authenticator or Yubikey) via https://github.com/blueboxgroup/yubiauthd; each user has their own user + pubkey + second factor • SSH agent auth proxy (https://github.com/blueboxgroup/sshagentmux): adds keys to the user's agent based on group membership • ttyspy (https://github.com/ibm/ttyspy): emulates `script | curl -XPOST https://log-server`
  32. Kubespray (https://github.com/kubernetes-incubator/kubespray): • Ansible playbooks to deploy Kubernetes • Official(ish) • Installs K8s on any infrastructure: bare metal, private cloud, public cloud, VMware
  33. Kubespray is production ready! • Continuous integration • High availability • Upgrades! https://github.com/kubernetes-incubator/kubespray
  34. (image slide)
  35. Other considerations: • Build pipeline: ConcourseCI, Jenkins, etc. • Registry: Quay.io or vmware/harbor • Extra secure containers: Clear Linux and Kata Containers • Secret management: Vault • K8s auth/ACLs: Open Policy Agent
  36. Thank you! Paul Czarkowski @pczarkowski; Major Hayden @majorhayden
