
Kubernetes and container security

Everyone has heard about Kubernetes, and everyone wants to use it. However, we sometimes forget about security, which is essential throughout the container lifecycle. Our journey with Kubernetes security should therefore begin in the build stage, when the code becomes a container image. Kubernetes provides innate security advantages, and combined with solid container protection it becomes very hard to compromise. During the session we review those features and highlight which ones are mandatory to use, and we discuss the main vulnerabilities that may lead to a compromise of your system.

Contacts:
LinkedIn - https://www.linkedin.com/in/vshynkar/
GitHub - https://github.com/sqerison

Materials from the video:
The policy and Dockerfile examples: https://gist.github.com/sqerison/43365e30ee62298d9757deeab7643a90
The repo with the Helm chart used in the demo: https://github.com/sqerison/argo-rollouts-demo
Tools shown in the last section:
https://github.com/armosec/kubescape
https://github.com/aquasecurity/kube-bench
https://github.com/controlplaneio/kubectl-kubesec
https://github.com/Shopify/kubeaudit#installation
https://github.com/eldadru/ksniff

Further learning:
The Kubernetes Hardening Guidance released by CISA (Cybersecurity and Infrastructure Security Agency): https://media.defense.gov/2021/Aug/03/2002820425/-1/-1/1/CTR_KUBERNETES%20HARDENING%20GUIDANCE.PDF
O'Reilly Kubernetes Security: https://kubernetes-security.info/
O'Reilly Container Security: https://info.aquasec.com/container-security-book

Thanks for watching!

Kubernetes & Container Security
by Volodymyr Shynkar
Senior Lead DevOps Engineer
2021 | intellias.com

[devops@stage ~]$ cat ABOUT_ME.md
• 6+ years of commercial DevOps experience. Overall 8+ years of Engineering
• Member of Technology Office
• Member of the Center of Excellence
• Successfully migrated, rolled out, consulted over 15 projects in the healthcare, gambling, automotive, e-commerce industries
• Certified SAFe Agile Software Engineer
• Addicted to IoT and Smart Home
• Cyclist, promoter of a healthy lifestyle
Volodymyr Shynkar
Senior Lead DevOps Engineer at Intellias
[devops@stage ~]$

Agenda
Overview
Container Security
Kubernetes Security
Other Tooling to help

01 Overview

Will talk about:
• Scan containers and Pods for vulnerabilities or misconfigurations.
• Run containers and Pods with the least privileges possible.
• Use network separation to control the amount of damage a compromise can cause.
• Use firewalls to limit unneeded network connectivity and encryption to protect confidentiality.
• Use strong authentication and authorization to limit user and administrator access as well as to limit the attack surface.
• Periodically review all Kubernetes settings and use vulnerability scans to help ensure risks are appropriately accounted for and security patches are applied.

Attack Surface
Analysis for:
• Cloud and Host
• Kubernetes Cluster
• Container (images and running)
Goal: Reduce the attack surface

Kubernetes and container security

  • 7. Attack Surface – Cloud & Host
    There are at least a few things you should do to achieve a base security level:
    • Run instances in a private network
    • Expose services only through external services such as an LB or a proxy
    • Block all external traffic except the exposed ports, e.g. 80 and 443
    • Do not expose SSH. Try to use SSM instead.
    • Minimize the privileges of applications running on the host
    • Optional: for HTTP traffic, use a WAF if possible
    Goal: Follow the "Principle of least privilege"
    Managed K8s services already come with most of these features enabled.
  • 9. Dockerfile best practices
    1. Avoid unnecessary privileges.
       1. Avoid running containers as root.
       2. Don't bind to a specific UID.
       3. Make executables owned by root and not writable.
    2. Reduce the attack surface.
       1. Leverage multistage builds.
       2. Use distroless images, or build your own from scratch.
       3. Update your images frequently.
       4. Watch out for exposed ports.
    3. Prevent confidential data leaks.
       1. Never put secrets or credentials in Dockerfile instructions.
       2. Prefer COPY over ADD.
       3. Be aware of the Docker context, and use .dockerignore.
    4. Others.
       1. Reduce the number of layers, and order them intelligently.
       2. Add metadata and labels.
       3. Leverage linters to automate checks.
       4. Scan your images locally during development.
    5. Beyond image building.
       1. Protect the Docker socket and TCP connections.
       2. Sign your images, and verify them at runtime.
       3. Avoid tag mutability.
       4. Don't run your environment as root.
       5. Include a health check.
       6. Restrict your application's capabilities.
    Source: https://sysdig.com/blog/dockerfile-best-practices/
  • 10. Let’s start from scratch First steps Start from your app • unprivileged user (rootless) • read-only • no shell, cat, grep, less, tail, echo, etc. • keep as little data as possible inside the container: only the app, no source code or build dependencies • no baked-in secrets: mount them through a volume or keep them encrypted Seriously :)
  • 13. More examples: https://github.com/GoogleContainerTools/distroless
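An added Dockerfile (not from the deck or its gist) that applies the points above: multistage build, distroless runtime, non-root user, root-owned non-writable binary, and build secrets that never land in a layer. It assumes a Go service under ./cmd/app and a .dockerignore that excludes .git and local secrets; the read-only filesystem itself is enforced at run time (docker run --read-only / readOnlyRootFilesystem), not in the image.

```dockerfile
# syntax=docker/dockerfile:1
# Stage 1: build with the full toolchain. Nothing from this stage ships
# except the compiled binary, so source code and build deps stay out of the image.
FROM golang:1.21 AS build
WORKDIR /src
COPY go.mod go.sum ./
# Build-time credentials (assumed: a .netrc for a private module proxy) are
# mounted, never copied, so they do not end up in any layer of the final image.
# Build with: docker build --secret id=netrc,src=$HOME/.netrc .
RUN --mount=type=secret,id=netrc,target=/root/.netrc go mod download
COPY . .
# Static, stripped binary so it can run in an image that has no libc at all.
RUN CGO_ENABLED=0 GOOS=linux go build -ldflags="-s -w" -o /out/app ./cmd/app

# Stage 2: distroless runtime. No shell, no package manager, no cat/grep/less,
# and an unprivileged user (uid 65532) already defined by the :nonroot tag.
FROM gcr.io/distroless/static-debian12:nonroot
# Executable owned by root and not writable, so the app cannot modify itself.
COPY --from=build --chown=root:root --chmod=0555 /out/app /app
USER nonroot:nonroot
EXPOSE 8080
# Exec form only: there is no /bin/sh in this image to interpret a shell-form command.
ENTRYPOINT ["/app"]
```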
  • 16. Scan your image Docker and Snyk recently entered into a partnership to provide container vulnerability scanning. Alternative Source: https://www.docker.com/blog/bringing-docker-scan-to-linux/
  • 18. Next to discuss: • Deployment to the cluster • Pod Security Policy • Open Policy Agent • Network Policy • Secrets • Securing the Cluster Kubernetes Hardening Remember: follow the “Principle of least privilege”
  • 19. Deployment to the cluster kubectl apply -f my_app.yaml helm install my_app charts/my_app
  • 20. How to automate deploy? There are two approaches: • Push-based • Regular CI (Jenkins, Gitlab, GitHub, CircleCI)
  • 21. How to automate deploy? There are two approaches: • Pull-based • GitOps strategy (ArgoCD, Flux)
  • 22. How to manage ArgoCD? By only two resources: AppProject and Application
  • 24. How to grant access ArgoCD comes with a powerful UI • Embedded security features • Support for SAML/Okta • Enhanced experience • Role-based access • Easy to use
  • 25. Pod Security Policy PSPs are one way to control the security-related attributes of pods, including container privilege levels. • Do not run application processes as root • Do not allow privilege escalation • Use a read-only root filesystem • Use the default (masked) /proc filesystem mount • Do not use the host network or process space • Drop unused and unnecessary Linux capabilities • Service Account control
  • 26. Pod Security Policy When a PSP resource is created, it does nothing. You need to authorize using RBAC!
  • 27. PSP Replacement Policy Pod Security Policies are deprecated as of v1.21 and will be removed in v1.25. The PSP Replacement Policy is the new enhancement: https://github.com/kubernetes/enhancements/tree/master/keps/sig-auth/2579-psp-replacement The way PSPs are applied to Pods has proven confusing to nearly everyone that has attempted to use them.
  • 28. Open Policy Agent (Gatekeeper) Do I need to control other pod fields, or any field in another resource? How can I achieve that? The answer is: the Gatekeeper controller gives you the ability to enforce: • Required labels • A required resources section • Mutating container images so they always point to the corporate image registry • Node and pod affinity and anti-affinity selectors on Deployments • Anything else you want to see, or not to see, in your configs
  • 29. Open Policy Agent (Gatekeeper) Example: enforce to use only allowed container registries
  • 30. Open Policy Agent (Gatekeeper) Example: enforce to use only allowed container registries The other examples can be found here: https://github.com/open-policy-agent/gatekeeper/tree/master/demo
  • 31. Network Policy By default, namespaces are not automatically isolated. For that we have network policies and RBAC. With this simple config you will isolate a NS from the other NSs
  • 32. Network Policy Network policy will not work with the default CNI from AWS EKS. You need to install Calico. With this simple config you will allow traffic from a specific namespace
  • 33. Network Policy With the AWS EKS CNI you can use different security groups per pod, which makes network policy redundant. With this simple config you will allow traffic to a specific port. You can also specify the protocol.
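An added example (not the deck's own config) combining the three slides above: a default-deny for the whole namespace, then an allow rule from a specific namespace on a specific port and protocol. Namespace, labels and ports are assumed; it also shows the usual failure mode of egress default-deny, which silently breaks DNS unless kube-dns is allowed explicitly.

```yaml
# Isolate the namespace: applies to every pod and lists no rules, so nothing is allowed.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: my-app
spec:
  podSelector: {}
  policyTypes: ["Ingress", "Egress"]
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: api-allow
  namespace: my-app
spec:
  podSelector:
    matchLabels:
      app: api
  policyTypes: ["Ingress", "Egress"]
  ingress:
  # Only pods in the "frontend" namespace, and only on TCP/8080.
  - from:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: frontend
    ports:
    - protocol: TCP
      port: 8080
  egress:
  # Egress default-deny also blocks DNS, so allow kube-dns (namespace AND pod selector in one peer).
  - to:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: kube-system
      podSelector:
        matchLabels:
          k8s-app: kube-dns
    ports:
    - protocol: UDP
      port: 53
  # The database on TCP/5432 and nothing else.
  - to:
    - podSelector:
        matchLabels:
          app: postgres
    ports:
    - protocol: TCP
      port: 5432
```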
  • 34. Secrets Where do I version control my secrets? What is the solution for this? • Paper/USB/CDR in two fireproof safes? • Vault (or actually Consul)?
  • 35. Secrets Where do I version control my secrets? What is the solution for this? • Sealed Secrets (a Kubernetes controller and a tool for one-way encrypted Secrets): https://github.com/bitnami-labs/sealed-secrets • Git Crypt - transparent file encryption in git: https://www.agwa.name/projects/git-crypt/
  • 36. Sealed Secrets example As you can see, the value of the secret is encrypted
  • 37. Sealed Secrets example The controller will unseal that into something like:
  • 38. Securing the Cluster API Server By default, the API server will listen on what is rightfully called the insecure port, port 8080. Any requests to this port bypass authentication and authorization checks. • Close the insecure port by setting the API server’s --insecure-port flag to 0 • And make sure --insecure-bind-address is not set.
  • 39. Securing the Cluster etcd The etcd backend database is a critical component and the most important one to secure within the cluster. • Close the insecure port by setting the API server’s --insecure-port flag to 0 • And make sure --insecure-bind-address is not set. • The etcd server should be configured to only trust certificates assigned to API servers
  • 40. Securing the Cluster Kubelet The kubelet is the agent responsible for launching pods. Check these parameters: • Disable anonymous access with --anonymous-auth=false • Ensure that requests are authorized by setting --authorization-mode to something other than AlwaysAllow
  • 41. Securing the Cluster Kubernetes Dashboard The Dashboard has historically been used by attackers to gain access to Kubernetes clusters. Check these parameters: • Allow only authenticated access. Only known users should be able to access the Dashboard. • Use RBAC. Limit the privileges that users have so they can only do what they need to. • Don’t expose your Dashboard to the public internet • Unless you really know what you’re doing.
  • 42. Securing the Cluster The following table lists the control plane ports and services. You can try to curl each port to check whether it is secured.
    Protocol  Direction  Port Range                      Purpose
    TCP       Inbound    6443 (or 8080 if not disabled)  Kubernetes API server
    TCP       Inbound    2379-2380                       etcd server client API
    TCP       Inbound    10250                           kubelet API
    TCP       Inbound    10251                           kube-scheduler
    TCP       Inbound    10252                           kube-controller-manager
    TCP       Inbound    10258                           cloud-controller-manager (optional)
  • 44. Kubescape Kubescape is the first tool for testing whether Kubernetes is deployed securely Source: https://github.com/armosec/kubescape
  • 45. Kube-bench A tool similar to Kubescape, but it can be deployed as a CronJob and executed on a regular basis Source: https://github.com/aquasecurity/kube-bench
  • 46. Kubesec A kubectl plugin for scanning Kubernetes pods, deployments, daemonsets and statefulsets. It suggests what should be improved or changed Source: https://github.com/controlplaneio/kubectl-kubesec
  • 47. Kubeaudit kubeaudit is a command line tool to audit Kubernetes clusters for various security concerns, such as: • run as non-root • use a read-only root filesystem • drop scary capabilities, don't add new ones • don't run privileged Source: https://github.com/Shopify/kubeaudit
  • 48. Ksniff A kubectl plugin that utilizes tcpdump and Wireshark to start a remote capture on any pod in your Kubernetes cluster. Source: https://github.com/eldadru/ksniff

Editor's Notes

  1. List of tools: Kubeflow, Apache Airflow, AWS Batch, AWS Lambda