
Security with Kubernetes and Docker containers (June 19th, 2019)


With the rise of Kubernetes in the small world of container orchestration engines, we are realizing just how vulnerable our software, containers and platforms are. All the attention paid to Kubernetes and Docker images leads to the discovery of security flaws of varying severity, at an ever-increasing pace.

Is your Kubernetes installation up to date? What is your update strategy? How do you guarantee the security of Docker images when new vulnerabilities appear every day?

Equifax, Tesla, Marriott: in recent years many organizations have had to face major security incidents, resulting in large-scale leaks of sensitive data. A report recently showed that 10 of the most popular Docker images contain at least 30 vulnerabilities.

Building on Pivotal technologies, come and discover how to secure Docker images with modern tools, and how to patch a K8s cluster with a fix for the runC vulnerability, without any downtime.


  1. © Copyright 2019 Pivotal Software, Inc. All rights Reserved. A never-ending story: Security with Kubernetes and Docker containers.
  2. About me: Alexandre Roman, Platform Architect, Pivotal (Paris). aroman@pivotal.io, github.com/alexandreroman, @Alexandre_Roman
  3. Agenda: What's a container? What about containerization? Container images & Kubernetes from a security perspective. How to address these issues?
  4. What's a container? Diagram of the stack: Infrastructure, Host OS, Container Runtime, then the containers themselves. Each container is made of an Application Layer, a Runtime Layer and an OS Image.
  5. What's containerization? Step 1: create an image.
     # Use a base image: runtime environment, dependencies
     FROM adoptopenjdk:jre
     # Include your application in this image
     COPY myapp.jar /myapp.jar
     # Set runtime configuration
     EXPOSE 8080
     # Run your app
     ENTRYPOINT ["java", "-jar", "/myapp.jar"]
  6. What's containerization? Step 2: publish this image (from my laptop to a container registry), so that my app runs in a container.
     # Build an image
     $ docker build -t foo/myapp .
     # Publish this image to a container registry
     $ docker push foo/myapp
  7. Where are container layers coming from? Container layers come from different sources (registries), such as Docker Hub and a private container registry. Example layers of one container: ba9cc93520ce6 - Middleware, 7d793037a0760 - AdoptOpenJDK, aee2c51c0ef3a - App bits, 5d41402abc4b2 - Ubuntu OS Image.
  8. Container images and Kubernetes from a security perspective.
  9. Top ten most popular Docker images each contain at least 30 vulnerabilities: https://snyk.io/blog/top-ten-most-popular-docker-images-each-contain-at-least-30-vulnerabilities/
  10. Common threats across the stack (Infrastructure, Host OS, Container Runtime, and the container's Application Layer, Runtime Layer and OS Image): app & framework bugs; JVM, PHP, etc.; Heartbleed (OpenSSL); runC vulnerability; Meltdown, Spectre; dirtyc0w.
  11. Everyone has a plan until they get punched in the face.
  12. Demo.
  13. What does this demo look like? Upgrade a Kubernetes cluster: the runC vulnerability was made public, and there are 3 worker nodes to upgrade. Apps in production: we don't want any service interruption. Upgrade live, on stage: no fluff, just stuff.
  14. chatboxx.alexandreroman.fr
  15. How to address these issues?
  16. Stay up to date?
  17. How to address these issues? The same stack (Infrastructure, Host OS, Container Runtime, Container with Application Layer, Runtime Layer and OS Image) is shown twice: once as app-team provided, once as platform-team provided.
  18. Teams delivering outcomes. App team: iteratively building and delivering digital offerings to the consumer. Platform team: enabling app teams while maintaining security, compliance, resilience and cost efficiency. You need a Trusted Container Pipeline.
  19. Use tailored tools: jib-maven-plugin / Buildah / Kaniko. Trust the experts: use Cloud Native Buildpacks, a CNCF project inspired by buildpacks from Cloud Foundry & Heroku. "Why build and maintain your own containers, when buildpacks can do it for you?" Now available for Kubernetes; for developers, no more Dockerfiles. https://content.pivotal.io/blog/cloud-native-buildpacks-for-kubernetes-and-beyond
  20. Cloud Native Buildpack, Java example. Inputs: source code / compiled app (jar, war, ear, ...) and a platform-provided or custom buildpack; `$ pack build` produces a container rootfs (OCI, runC) that runs on any OCI container runtime. Layers of the resulting image: JVM / Java Runtime Env. (OpenJDK & Oracle JRE); runtime env. (Java main(), Tomcat, JavaEE (Liberty / Wildfly), Spring Boot, other JVM languages); frameworks (Spring, JEE, Play / other Java frameworks); APM agent, Java options, JMX; the application. Centrally managed by the platform operations team: simplified security & governance, default opinions with configurability.
  21. Pivotal Container Service (PKS): a runtime for containers. A turnkey solution to provision, operate and manage enterprise-grade Kubernetes clusters. Kubernetes Dial Tone: health management, aggregated metrics and logging, autoscaling, persistence interface. Multi Cluster Control Plane: provisioning engine, T-shirt sized clusters, self-service clusters, software update automation, load balancing, networking, multi-tenancy on any private & public cloud.
  22. Automated Platform Updates. Elements shown: embedded OS versions v1, v2, v3, ... tracking CVEs; PKS product updates; Pivotal Network; Concourse; target clouds vSphere, AWS, Google Cloud, Azure, OpenStack; the "3Rs": Repair (CVEs), Repave, Rotate (Credhub); multi AZ, multi region, self healing & automation; container layers (Application Layer, Runtime Layer, OS Image).
  23. Trusted Container Pipeline.
  24. An example of Trusted Container Pipeline.
  25. Recap. Security is a never-ending story: be ready to upgrade, more CVEs are coming! Build a Trusted Container Pipeline: what's your plan for upgrading 10k containers? We can help you: learn about Pivotal Container Service (PKS).
  26. Thank you for attending this session. Let's keep in touch! github.com/alexandreroman, @Alexandre_Roman. Want more? Chatboxx app source code: github.com/alexandreroman/chatboxx. Why you need a secure-by-default platform: content.pivotal.io/blog/runc-vulnerability-secure-by-default-platform. Using Concourse + Harbor + Spinnaker to build a trusted container pipeline: youtube.com/watch?v=57asZ7_2w5Q
  27. Thank you!
  28. Join us at Pivotal Paris on July 4th: connect.pivotal.io/PivotalParis19.html
  29. Register today, use discount code Attendee_Speaker_200 and save! October 7–10, 2019, Austin Convention Center.
  30. Questions?
  31. Transforming how the world builds software.
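Slides 5 to 7 show an image being built from a Dockerfile and its layers coming from several registries, and slides 18 and 23 argue for a trusted container pipeline. As an added example (not code from the deck or from Pivotal), the following Python check, which a pipeline could run before `docker build`, lists every external base image a Dockerfile pulls and flags references that are not pinned by digest, since an unpinned tag means the base layers can silently change between builds. The sample Dockerfile is constructed from slide 5 plus a build stage; the regex only covers the `FROM [--platform=...] <image> [AS <stage>]` form.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample Dockerfile (slide 5's runtime stage plus a build stage); not from the deck.
SAMPLE_DOCKERFILE = """\
FROM maven:3-jdk-11 AS builder
COPY . /src
RUN mvn -f /src/pom.xml package
FROM adoptopenjdk:jre
COPY --from=builder /src/target/myapp.jar /myapp.jar
EXPOSE 8080
ENTRYPOINT ["java", "-jar", "/myapp.jar"]
"""

# FROM [--platform=<p>] <image> [AS <stage>]
_FROM_RE = re.compile(r"^\s*FROM\s+(?:--platform=\S+\s+)?(\S+)(?:\s+AS\s+(\S+))?", re.I)

@dataclass
class BaseImage:
    ref: str                 # image reference as written in the Dockerfile
    stage: Optional[str]     # stage alias, if any
    finding: Optional[str]   # None when the reference is reproducible

def classify(ref: str) -> Optional[str]:
    """Explain why a base image reference is not pinned, or return None if it is."""
    name, _, digest = ref.partition("@")
    if digest.startswith("sha256:"):
        return None  # pinned by content digest: same layers on every build
    tag = name.rsplit("/", 1)[-1].partition(":")[2]  # last path part, so registry:port is ignored
    if not tag or tag == "latest":
        return "floating 'latest' tag: base layers can change between builds"
    return f"mutable tag '{tag}': not pinned by digest"

def check_base_images(dockerfile: str) -> List[BaseImage]:
    """List every external base image a Dockerfile pulls, with a finding for unpinned ones."""
    stages: List[str] = []
    found: List[BaseImage] = []
    for line in dockerfile.splitlines():
        m = _FROM_RE.match(line)
        if not m:
            continue
        ref, alias = m.group(1), m.group(2)
        if ref == "scratch" or ref in stages:
            continue  # empty image or an earlier build stage: nothing is pulled
        if alias:
            stages.append(alias)
        found.append(BaseImage(ref, alias, classify(ref)))
    return found
```

Running `check_base_images(SAMPLE_DOCKERFILE)` reports both `maven:3-jdk-11` and `adoptopenjdk:jre` as mutable tags; a pipeline can fail the build on any finding and require `image:tag@sha256:...` references instead.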
