Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.
Copyright @ 2017 Aqua Security Software Ltd. All Rights Reserved.
Security Best Practices for
Kubernetes Deployment
Michae...
2
WHO AM I
 Head of Security Research at Aqua Security, a leader
in container security
 20 years of building security pr...
3
BUILD SECURITY ALIGNED WITH DEVOPS
Build Ship Cluster
Environment
Networking
and Runtime
Monitoring
Productio
n
Dev. / T...
BUILD AND SHIP
5
BUILD AND SHIP
 Ensure That Only Authorized Images are Used in Your
Environment
 Ensure That Images Are Free of Vulner...
6
SECURITY INTEGRATED WITH CI/CD
Build
• Only vetted code (approved for production) is
used for building the images
ShipTe...
7
SECURITY INTEGRATED WITH CI/CD
Build
• Implement Continuous Security Vulnerability
Scanning
• Regularly Apply Security U...
8
SECURITY INTEGRATED WITH CI/CD
Build
• Use private registries to store your approved
images - make sure you only push ap...
CLUSTER ENVIRONMENT
10
SSH
LIMIT DIRECT ACCESS TO KUBERNETES
NODES
 Limit SSH access to Kubernetes nodes
 Ask users to use “kubectl exec”
11
CONSIDER KUBERNETES AUTHORIZATION
PLUGINS
 Enables define fine-grained-access control rules
 Namespaces
 Containers
...
12
CREATE ADMINISTRATIVE BOUNDARIES
BETWEEN RESOURCES
 Limits the damage of mistake or malicious intent
 Partition resou...
13
CREATE ADMINISTRATIVE BOUNDARIES
BETWEEN RESOURCES
 Example: allow ‘alice’ to read pods from namespace
‘fronto’
{
"api...
14
DEFINE RESOURCE QUOTA
 Resource-unbound containers in shared cluster are
bad practice
 Create resource quota policies...
15
DEFINE RESOURCE QUOTA EXAMPLE
 computer-resource.yaml
apiVersion: v1
kind: ResourceQuota
metadata:
name: compute-resou...
16
SAFELY DISTRIBUTE YOUR SECRETS
 Storing sensitive data in docker file, POD definition
etc. is not safe
 Centrally and...
17
KUBERNETES SECRETS
 Secret object
 As file
 As Environment variable
 Risks
 Secrets stored in plain text
 Is at r...
18
KUBERNETES SECRETS - EXAMPLE
 echo -n "admin" > ./username.txt
echo -n "1f2d1e2e67df" > ./password.txt
 kubectl creat...
19
KUBERNETES SECRETS - EXAMPLE
 It call also be done manually
 echo -n "admin" | base64
YWRtaW4=
 echo -n "1f2d1e2e67d...
NETWORKING
21
IMPLEMENT NETWORK SEGMENTATION
 “Good neighbor” compromised application is a door
open into cluster
 Network segmenta...
22
IMPLEMENT NETWORK SEGMENTATION
 Cross-cluster segmentation can be achieved using
firewall rules
 “dynamic” nature of ...
23
IMPLEMENT NETWORK SEGMENTATION:
EXAMPLE
 Enable using an annotation on the Namespace
kind: Namespace
apiVersion: v1
me...
24
IMPLEMENT NETWORK SEGMENTATION:
EXAMPLE
apiVersion: extensions/v1beta1
kind: NetworkPolicy
metadata:
name: test-network...
RUNTIME
26
RUNTIME
 Implement “least privileges” principal
 Security Context control security parameters to be assigned
 Pod
 ...
27
SECURITY CONTEXT
Security Context Setting Description
SecurityContext->runAsNonRoot Indicates that containers should ru...
28
SECURITY CONTEXT: EXAMPLE
apiVersion: v1
kind: Pod
metadata:
name: hello-world
spec:
containers:
# specification of the...
29
IMAGE POLICY WEBHOOK
 api.imagepolicy.v1alpha1.ImageReview object
describing the action
 Fields describing the contai...
30
IMAGE POLICY WEBHOOK: EXAMPLE
{
"apiVersion":"imagepolicy.k8s.io/v1alpha1",
"kind":"ImageReview",
"spec":{
"containers"...
31
MONITORING AND VISIBILITY
 Log everything
 Cluster-based logging
 Log container activity into a central log hub.
 U...
SUMMARY
33
SECURITY ALIGNED WITH DEVOPS
Build Ship Cluster
Environment
Networking
and Runtime
Monitoring
Productio
n
Dev. / Testin...
THANK YOU
Michael Cherny
cherny@aquasec.com
@chernymi
https://www.aquasec.com
Upcoming SlideShare
Loading in …5
×

of

Security best practices for kubernetes deployment Slide 1 Security best practices for kubernetes deployment Slide 2 Security best practices for kubernetes deployment Slide 3 Security best practices for kubernetes deployment Slide 4 Security best practices for kubernetes deployment Slide 5 Security best practices for kubernetes deployment Slide 6 Security best practices for kubernetes deployment Slide 7 Security best practices for kubernetes deployment Slide 8 Security best practices for kubernetes deployment Slide 9 Security best practices for kubernetes deployment Slide 10 Security best practices for kubernetes deployment Slide 11 Security best practices for kubernetes deployment Slide 12 Security best practices for kubernetes deployment Slide 13 Security best practices for kubernetes deployment Slide 14 Security best practices for kubernetes deployment Slide 15 Security best practices for kubernetes deployment Slide 16 Security best practices for kubernetes deployment Slide 17 Security best practices for kubernetes deployment Slide 18 Security best practices for kubernetes deployment Slide 19 Security best practices for kubernetes deployment Slide 20 Security best practices for kubernetes deployment Slide 21 Security best practices for kubernetes deployment Slide 22 Security best practices for kubernetes deployment Slide 23 Security best practices for kubernetes deployment Slide 24 Security best practices for kubernetes deployment Slide 25 Security best practices for kubernetes deployment Slide 26 Security best practices for kubernetes deployment Slide 27 Security best practices for kubernetes deployment Slide 28 Security best practices for kubernetes deployment Slide 29 Security best practices for kubernetes deployment Slide 30 Security best practices for kubernetes deployment Slide 31 Security best practices for kubernetes deployment Slide 32 Security best practices for kubernetes deployment Slide 33 Security best practices for kubernetes deployment Slide 34
Upcoming SlideShare
Extend and build on Kubernetes
Next
Download to read offline and view in fullscreen.

18 Likes

Share

Download to read offline

Security best practices for kubernetes deployment

Download to read offline

Security best practices for a Kubernetes Deployment - from development, through build, ship, networking and run time controls.
Was presented at New York Kubernetes meetup https://www.meetup.com/New-York-Kubernetes-Meetup/events/237790149/

Related Books

Free with a 30 day trial from Scribd

See all

Related Audiobooks

Free with a 30 day trial from Scribd

See all

Security best practices for kubernetes deployment

  1. 1. Copyright @ 2017 Aqua Security Software Ltd. All Rights Reserved. Security Best Practices for Kubernetes Deployment Michael Cherny Head of Research, Aqua Security
  2. 2. 2 WHO AM I  Head of Security Research at Aqua Security, a leader in container security  20 years of building security products, development and research  Held senior security research positions at Microsoft, Aorato and Imperva.  Presented at security conferences, among them, BlackHat Europe, RSA Europe and Virus Bulleting.
  3. 3. 3 BUILD SECURITY ALIGNED WITH DEVOPS Build Ship Cluster Environment Networking and Runtime Monitoring Productio n Dev. / Testing  
  4. 4. BUILD AND SHIP
  5. 5. 5 BUILD AND SHIP  Ensure That Only Authorized Images are Used in Your Environment  Ensure That Images Are Free of Vulnerabilities  Integrate Security into your CI/CD pipeline
  6. 6. 6 SECURITY INTEGRATED WITH CI/CD Build • Only vetted code (approved for production) is used for building the images ShipTest  
  7. 7. 7 SECURITY INTEGRATED WITH CI/CD Build • Implement Continuous Security Vulnerability Scanning • Regularly Apply Security Updates to Your Environment ShipTest  
  8. 8. 8 SECURITY INTEGRATED WITH CI/CD Build • Use private registries to store your approved images - make sure you only push approved images to these registries ShipTest  
  9. 9. CLUSTER ENVIRONMENT
  10. 10. 10 SSH LIMIT DIRECT ACCESS TO KUBERNETES NODES  Limit SSH access to Kubernetes nodes  Ask users to use “kubectl exec”
  11. 11. 11 CONSIDER KUBERNETES AUTHORIZATION PLUGINS  Enables define fine-grained-access control rules  Namespaces  Containers  Operations  ABAC mode  RBAC mode  Webhook mode  Custom mode
  12. 12. 12 CREATE ADMINISTRATIVE BOUNDARIES BETWEEN RESOURCES  Limits the damage of mistake or malicious intent  Partition resources into logical groups  Use Kubernetes namespaces to facilitate resource segregation  Kubernetes Authorization plugins to segregate user’s access to namespace resources
  13. 13. 13 CREATE ADMINISTRATIVE BOUNDARIES BETWEEN RESOURCES  Example: allow ‘alice’ to read pods from namespace ‘fronto’ { "apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": { "user": "alice", "namespace": "fronto", "resource": "pods", "readonly": true } }
  14. 14. 14 DEFINE RESOURCE QUOTA  Resource-unbound containers in shared cluster are bad practice  Create resource quota policies  Pods  CPUs  Memory  Etc.  Assigned to namespace
  15. 15. 15 DEFINE RESOURCE QUOTA EXAMPLE  computer-resource.yaml apiVersion: v1 kind: ResourceQuota metadata: name: compute-resources spec: hard: pods: "4“ requests.cpu: "1“ requests.memory: 1Gi limits.cpu: "2“ limits.memory: 2Gi  kubectl create -f ./compute-resources.yaml -- namespace=myspace
  16. 16. 16 SAFELY DISTRIBUTE YOUR SECRETS  Storing sensitive data in docker file, POD definition etc. is not safe  Centrally and securely stored secrets  Manage user access  Manage containers/pods access  Store securely  Facilitate secrets expiry and rotation  Etc.
  17. 17. 17 KUBERNETES SECRETS  Secret object  As file  As Environment variable  Risks  Secrets stored in plain text  Is at rest  No separation of duties: operator can see secret value  Secrets are available, even if there is no container using it
  18. 18. 18 KUBERNETES SECRETS - EXAMPLE  echo -n "admin" > ./username.txt echo -n "1f2d1e2e67df" > ./password.txt  kubectl create secret generic db-user-pass --from- file=./username.txt --from-file=./password.txt secret "db-user-pass" created  kubectl get secrets  Kubectl describe secrets/db-user-pass
  19. 19. 19 KUBERNETES SECRETS - EXAMPLE  It call also be done manually  echo -n "admin" | base64 YWRtaW4=  echo -n "1f2d1e2e67df" | base64 MWYyZDFlMmU2N2Rm apiVersion: v1 kind: Secret metadata: name: mysecret type: Opaque data: username: YWRtaW4= password: MWYyZDFlMmU2N2Rm  kubectl create -f ./secret.yaml
  20. 20. NETWORKING
  21. 21. 21 IMPLEMENT NETWORK SEGMENTATION  “Good neighbor” compromised application is a door open into cluster  Network segmentation  Ensures that container can communicate only with whom it must
  22. 22. 22 IMPLEMENT NETWORK SEGMENTATION  Cross-cluster segmentation can be achieved using firewall rules  “dynamic” nature of container network identities makes container network segmentation a true challenge  Kubernetes Network SIG works on pod-to-pod network policies  Currently only ingress policies can be defined
  23. 23. 23 IMPLEMENT NETWORK SEGMENTATION: EXAMPLE  Enable using an annotation on the Namespace kind: Namespace apiVersion: v1 metadata: annotations: net.beta.kubernetes.io/network-policy: | { "ingress": { "isolation": "DefaultDeny" } } kubectl annotate ns <namespace> "net.beta.kubernetes.io/network-policy={"ingress": {"isolation": "DefaultDeny"}}"
  24. 24. 24 IMPLEMENT NETWORK SEGMENTATION: EXAMPLE apiVersion: extensions/v1beta1 kind: NetworkPolicy metadata: name: test-network-policy namespace: default spec: podSelector: matchLabels: role: db ingress: - from: - namespaceSelector: matchLabels: project: myproject - podSelector: matchLabels: role: frontend ports: - protocol: tcp port: 6379 kubectl create -f policy.yaml
  25. 25. RUNTIME
  26. 26. 26 RUNTIME  Implement “least privileges” principal  Security Context control security parameters to be assigned  Pod  Containers  Pod Security Policy  Consider Kubernetes admission controllers:  “DenyEscalatingExec” – for containers/pods with elevated privileges  “ImagePolicyWebhook” – Kubernetes support to plug external image reviewer  “AlwaysPullImages” – in multitenant cluster
  27. 27. 27 SECURITY CONTEXT Security Context Setting Description SecurityContext->runAsNonRoot Indicates that containers should run as non-root user SecurityContext->Capabilities Controls the Linux capabilities assigned to the container. SecurityContext->readOnlyRootFilesystem Controls whether a container will be able to write into the root filesystem. PodSecurityContext->runAsNonRoot Prevents running a container with ‘root’ user as part of the pod
  28. 28. 28 SECURITY CONTEXT: EXAMPLE apiVersion: v1 kind: Pod metadata: name: hello-world spec: containers: # specification of the pod’s containers # ... securityContext: readOnlyRootFilesystem: true runAsNonRoot: true
  29. 29. 29 IMAGE POLICY WEBHOOK  api.imagepolicy.v1alpha1.ImageReview object describing the action  Fields describing the containers being admitted, as well as any pod annotations that match *.image- policy.k8s.io/*
  30. 30. 30 IMAGE POLICY WEBHOOK: EXAMPLE { "apiVersion":"imagepolicy.k8s.io/v1alpha1", "kind":"ImageReview", "spec":{ "containers":[ { "image":"myrepo/myimage:v1“ }, { "image":"myrepo/myimage@sha256:beb6bd6a68f114c1dc2ea4b28db81bdf91de202a9014972bec5e4d9171d 90ed“ } ], "annotations":[ "mycluster.image-policy.k8s.io/ticket-1234": "break-glass“ ], "namespace":"mynamespace“ } }
  31. 31. 31 MONITORING AND VISIBILITY  Log everything  Cluster-based logging  Log container activity into a central log hub.  Use Fluentd agent on each node  Ingested logs using  Google Stackdriver Logging  Elasticsearch  Viewed with Kibana.
  32. 32. SUMMARY
  33. 33. 33 SECURITY ALIGNED WITH DEVOPS Build Ship Cluster Environment Networking and Runtime Monitoring Productio n Dev. / Testing Only vetted code can be used for build Scan images against known vulnerabilities Use private registries Only approved images are pushed Only use kubectl Fine-grained-access control to resources Create administrative boundaries and assign resource quotas Manage your secrets Implement “least privileges” principal Isolate container networks in logical application groups Log everything Integrates with SIEM and monitoring systems  
  34. 34. THANK YOU Michael Cherny cherny@aquasec.com @chernymi https://www.aquasec.com
  • kalyan120

    Apr. 1, 2021
  • jeremybae

    May. 24, 2018
  • GrigoreDutcovici

    May. 4, 2018
  • jayjbeale

    Mar. 30, 2018
  • snow3d

    Dec. 21, 2017
  • PeterRossi3

    Dec. 13, 2017
  • drewlll2ll

    Sep. 28, 2017
  • marciocamurati

    Aug. 2, 2017
  • PetteriTeikariPhD

    Jul. 27, 2017
  • Yibaini

    Jul. 24, 2017
  • PengzhiSun

    Jun. 30, 2017
  • madhuakula

    Jun. 6, 2017
  • sadhiesh

    May. 30, 2017
  • CarlosFuchenCISSPCIS

    May. 11, 2017
  • stania_ang

    Apr. 21, 2017
  • tomoyausami

    Mar. 22, 2017
  • MarcDArcy1

    Mar. 12, 2017
  • RaniOsnat

    Mar. 12, 2017

Security best practices for a Kubernetes Deployment - from development, through build, ship, networking and run time controls. Was presented at New York Kubernetes meetup https://www.meetup.com/New-York-Kubernetes-Meetup/events/237790149/

Views

Total views

13,741

On Slideshare

0

From embeds

0

Number of embeds

2,611

Actions

Downloads

228

Shares

0

Comments

0

Likes

18

×