Cloud Native platforms such as Kubernetes and Cloud Foundry help developers get started quickly with deploying and running their applications at scale. But as this access to compute becomes ubiquitous, how you secure these environments and maintain compliance standards in them becomes extremely important. In this talk we'll cover the basics of securing Cloud Native platforms such as Kubernetes. We will also cover open source tools - such as Clair, Anchore, and Sysdig Falco - that can be used to maintain a secure computing environment. Attendees will walk away with a good understanding of the challenges of securing a Cloud Native platform and practical advice on using open source tools as part of their security strategy.
Security Policies define:
- Access to host resources:
  - Filesystem, Host Network, Namespaces
- User/Group of Container
- Read Only Filesystem
- Linux capabilities available:
  - Seccomp, AppArmor, or SELinux profiles
Linux Security Modules:
- System wide execution policy
- System wide execution policy, focused on processes
- Per process system call isolation
$ docker run --security-opt "apparmor=<profile>"
$ docker run --security-opt
Excerpt (comments only) from a Kubernetes PodSecurityPolicy example:
# Required to prevent escalations to root.
# This is redundant with non-root + disallow privilege escalation,
# but we can provide it for defense in depth.
# Allow core volume types.
# Assume that persistentVolumes set up by the cluster admin are safe to use.
- Containers with sensitive data or data-processing routines can end up scheduled next to other containers.
- Strong labeling schema encouraged/required.
Host/Container Runtime Security
- CIS Benchmarks for Docker Hosts
  - Chef's InSpec to scan for policy violations
  - Docker Bench for Security
Standard Firewall Rules/Security Groups
- A common exploit point is dashboards or API ports left open.
- Network Policies, Container Networking Interface
  - Kernel level L3/L4/L7
  - Cilium - https://cilium.io/
Clair & Anchore
- Static analysis of vulnerabilities in application containers.
- Clair focuses on operating system packages and libraries.
- Anchore analyzes container images against user-defined policies.
CoPilot & Openhub
- Open source application dependency vulnerability management
- Incorporate into your build process
- Compare open source project usage and project health
Notary & Portieris
- Notary signs collections of digital content (artifacts)
  - Project from Docker - Docker Content Trust
  - Implementation of The Update Framework (TUF)
- Portieris: Kubernetes admission controller for enforcing Content Trust
- What’s Allowed to Run/Join a Service
- How do applications authenticate
- Is my runtime environment being tampered with?
- What happens if something is compromised?
How can you verify a service is who it says it is?
- SPIFFE: Secure Production Identity Framework For Everyone
- Cryptographically verifiable service IDs
- Containers are isolated processes.
- Processes are "scoped" as to what's expected.
- Container images are immutable runtime environments.
- How do you detect "abnormal" behavior?
A behavioral activity monitor
• Detects suspicious activity defined by a set of rules
• Uses Sysdig's flexible and powerful filtering expressions
With full support for containers/orchestration
• Utilizes Sysdig's container & orchestrator support
And flexible notification methods
• Alerts to files, standard output, syslog, programs
• Anyone can contribute rules or improvements
Example rules:
- A shell is run in a container:
  container.id != host and proc.name = bash
- Overwrite system binaries:
  fd.directory in (/bin, /sbin, /usr/bin, /usr/sbin)
- Container namespace change:
  evt.type = setns and not proc.name in
- Non-device files written in /dev:
  (evt.type = create or evt.arg.flags contains O_CREAT) and proc.name != blkid and fd.directory = /dev and fd.name != /dev/null
- Process tries to access camera:
  evt.type = open and fd.name = /dev/video0 and not proc.name in (skype, webex)
25 common rules available OOTB
Focused on common container best practices:
■ Writing files in bin or etc directories
■ Reading sensitive files
■ Binaries being executed other than CMD/ENTRYPOINT
.yaml file containing Macros, Lists, and Rules:

- macro: bin_dir
  condition: fd.directory in (/bin, /sbin, /usr/bin, /usr/sbin)

- list: shell_binaries
  items: [bash, csh, ksh, sh, tcsh, zsh, dash]

- rule: write_binary_dir
  desc: an attempt to write to any file below a set of binary directories
  condition: bin_dir and evt.dir = < and open_write and not package_mgmt_procs
  output: "File below a known binary directory opened for writing (user=%user.name command=%proc.cmdline file=%fd.name)"
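To trace how the macro, list and rule layers above combine, here is an added example (not Falco's engine and not code from the deck): a small interpreter for the subset of Falco's filter grammar used in these slides, run over constructed events. It assumes simplified stand-in definitions for the open_write and package_mgmt_procs macros (Falco's real ones are more elaborate), names the rules shell_in_container and non_device_in_dev itself, and generalises the deck's bash-only shell condition to the shell_binaries list.

```python
import re

# Added example, not Falco's engine: a tiny interpreter for the subset of Falco's filter
# grammar the deck uses (and/or/not, parentheses, =, !=, in (...), contains, macros, lists).
MACROS = {  # bin_dir is from the deck; open_write and package_mgmt_procs are assumed,
    "bin_dir": "fd.directory in (/bin, /sbin, /usr/bin, /usr/sbin)",   # simplified stand-ins
    "open_write": "evt.type = open and evt.arg.flags contains O_WRONLY",
    "package_mgmt_procs": "proc.name in (apt, apt-get, dpkg, yum, rpm)"}
LISTS = {"shell_binaries": ["bash", "csh", "ksh", "sh", "tcsh", "zsh", "dash"]}
RULES = {  # conditions from the deck; the shell rule is generalised to the shell list
    "write_binary_dir": "bin_dir and evt.dir = < and open_write and not package_mgmt_procs",
    "shell_in_container": "container.id != host and proc.name in (shell_binaries)",
    "non_device_in_dev": "(evt.type = create or evt.arg.flags contains O_CREAT) and "
                         "proc.name != blkid and fd.directory = /dev and fd.name != /dev/null"}
TOKEN = re.compile(r"\(|\)|,|[^\s(),]+")   # parens, commas and bare words
def evaluate(cond, event):   # True if cond matches event (flat dict: field name -> string)
    toks = [t for t in TOKEN.findall(cond) if t != ","]
    def peek(): return toks[0] if toks else None
    def expr():                          # expr := term ('or' term)*; right side always parsed
        val = term()
        while peek() == "or":
            toks.pop(0); val = term() or val
        return val
    def term():                          # term := factor ('and' factor)*
        val = factor()
        while peek() == "and":
            toks.pop(0); val = factor() and val
        return val
    def factor():                        # factor := not factor | ( expr ) | macro | comparison
        tok = toks.pop(0)
        if tok == "not": return not factor()
        if tok == "(": return (expr(), toks.pop(0))[0]   # parse inner expr, then drop ')'
        return evaluate(MACROS[tok], event) if tok in MACROS else compare(tok)
    def compare(field):
        op, actual = toks.pop(0), str(event.get(field, ""))
        if op == "in":                   # in (a, b, list_name, ...): list names expand inline
            end = toks.index(")")
            items = sum((LISTS.get(t, [t]) for t in toks[1:end]), [])
            del toks[:end + 1]
            return actual in items
        want = toks.pop(0)
        return {"=": actual == want, "!=": actual != want, "contains": want in actual}[op]
    return expr()
def fired_rules(event):   # names of the rules Falco would alert on for this event
    return [name for name, cond in RULES.items() if evaluate(cond, event)]
SAMPLE = {"evt.type": "open", "evt.dir": "<", "evt.arg.flags": "O_WRONLY|O_CREAT", "proc.name": "bash",
          "fd.directory": "/usr/bin", "fd.name": "/usr/bin/ls", "container.id": "3fa1b2c4"}  # constructed
if __name__ == "__main__":
    print(fired_rules(SAMPLE))   # ['write_binary_dir', 'shell_in_container']
```

Note that the same write by apt-get is suppressed by the package_mgmt_procs macro, and an entry event (evt.dir = >) does not fire write_binary_dir because the rule only matches on syscall exit.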
Active Security with Falco, NATS, and Kubeless (diagram):
- Falco detects an abnormal event and publishes the alert to NATS.
- The Falco alert reaches Kubeless through NATS, firing a function to delete the
Join the community
• Public Slack
• Sysdig Secure
• Pull Requests welcome!