
(SACON) Anand Tapikar - Attack vectors of Kubernetes infra. Are we on right path of securing it?


Kubernetes (K8s) is an open-source system for automating deployment, scaling, and management of containerized applications. K8s groups containers that make up an application into logical units for easy management and discovery. It was originally designed by Google and is now maintained by the Cloud Native Computing Foundation. As organizations accelerate their adoption of containers and container orchestrators, they will need to take necessary steps to protect such a critical part of their compute infrastructure.

How this topic is relevant:
  • 1 out of 5 organizations is going for container installation
  • Container security attack vectors are rising
  • Recently a major vulnerability was discovered in containers and got good media attention


  1. SACON International 2020 | India | Bangalore | February 21 - 22 | Taj Yeshwantpur
     Attack Vectors of Kubernetes infra: Are we on the right path of securing it?
     Anand Tapikar, Product Security Leader, GE Healthcare, @AnandTapikar
  2. All information mentioned in the presentation is based on my personal research, understanding and experience. No inference can be drawn about my organization's IT systems and policies. All mentioned views, recommendations and statements are made in my personal capacity.
  3. Kubernetes: A Brief Background
     The need:
     • Rise in containerization of microservices
     • Need for a management system to manage the containers
     • Automation
     • Deploying and updating software at scale
     What is Kubernetes? Kubernetes is a portable, extensible, open-source platform for managing containerized applications and services that facilitates both declarative configuration and automation. Kubernetes provides a platform to configure, automate, and manage:
     • Intelligent and balanced scheduling of containers
     • Creation, deletion, and movement of containers
     • Easy scaling of containers
     • Monitoring and self-healing abilities
  4. Kubernetes Adoption
     • Strong organization behind development of the software
     • Cloud Native technology
     • Ecosystem developed
     • All major cloud vendors support K8s
  5. Let's understand containers from a security perspective
     Pros:
     • Self-contained
     • Smaller footprint than a VM
     • Faster provisioning
     • Effective solution for microservices
     Cons:
     • Kernel shared
     • Less isolation
     • Management issues
     • Low visibility of the processes running inside containers
     • OS vulnerabilities, misconfiguration
     • Accountability
  6. Managing the containers
     Managing containers for production is challenging:
     • Monitoring running containers
     • Moving containers so utilization improves
     • Auto-scaling container instances to handle load
     • Making the container services easily accessible
     • Connecting containers to a variety of external data sources
  7. Kubernetes in container management
     The Kubernetes architecture enables:
     • A single administrator to manage thousands of containers running simultaneously
     • Workload portability and orchestration of containers across on-site deployments to public or private clouds
  8. Kubernetes Architecture
     • Kubernetes Master: manages the scheduling and deployment
     • etcd: stores the state and configuration data for the entire cluster
     • API server: helps communicate with the rest of the cluster
     • kube-controller-manager: registers the nodes and monitors their health
     • kube-scheduler: keeps track of capacity and resources of nodes and assigns work to nodes based on their availability
     • Node: applications run within nodes
     • Kubelet: each Kubernetes node runs an agent process that is responsible for managing the state of the node
     • Pod: the basic scheduling unit, which consists of one or more containers
  9. Evolution of application infrastructure
     • Service focused
     • Ease of deployment
     • Power of containers with Kubernetes orchestration
  10. Kubernetes Deployment Pattern (diagram)
  11. Kubernetes Network Diagram
     • By default, containers in a Pod can see each other, as they share a network interface and namespace, but they are not exposed outside
     • Exposure outside is established using a load balancer
     • Communication within the cluster can be implemented
     • TLS termination is generally done at the API gateway
     • Communication between two microservice containers is controlled through a service mesh
  12. Kubernetes Deployment Pattern (diagram)
  13. Kubernetes Deployment: CI/CD pipeline (diagram)
  14. Security Epics
     • Safe images from trusted sources
     • Network segmentation
     • Safeguard sensitive data
     • Accountability and audit data of container usage
     • Data for demonstrating compliance
  15. DevSecOps
  16. Security Threats with K8s
     Threat categories: complexity and visibility challenges; network security issues; container security issues; configuration security issues; host security issues; data security issues; vulnerability management challenges; operational security issues; multi-tenant and credential management.
     • Explosion of East-West Traffic. Containers can be dynamically deployed across hosts or even clouds, dramatically increasing the east-west, or internal, traffic that must be monitored for attacks.
     • Increased Attack Surface. Each container may have a different attack surface and vulnerabilities which can be exploited. In addition, the additional attack surface introduced by container orchestration tools such as Kubernetes and Docker must be considered.
     • Privilege escalation to root.
     • Stealing of secrets used for secure application or infrastructure access.
     • Changing of cluster admin privileges.
     • Host resource damage or hijacking (e.g. crypto mining software).
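The east-west traffic point above is the reason network segmentation appears among the talk's security epics: without a policy, every pod in a cluster can reach every other pod. The manifests below are an added example, not material from the presentation: a per-app namespace (hypothetical name `payments`), a default-deny NetworkPolicy for it, and one explicit allow rule so that only API-gateway pods (assumed label `app=api-gateway` in an assumed namespace `gateway`) can reach the `payments-api` pods on TCP/8443, while those pods may only reach cluster DNS. The `kubernetes.io/metadata.name` namespace label is assumed to be present, which is the case on Kubernetes 1.21 and later.

```yaml
# Added example (not from the presentation). All names and labels are hypothetical.
apiVersion: v1
kind: Namespace
metadata:
  name: payments            # one namespace per application, as the talk recommends
---
# Close all east-west traffic in the namespace first; later policies open
# only what a workload needs.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: payments
spec:
  podSelector: {}           # empty selector = every pod in the namespace
  policyTypes:
  - Ingress
  - Egress
---
# Allow only the API gateway to talk to payments-api, and payments-api only to DNS.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: payments-api-allow
  namespace: payments
spec:
  podSelector:
    matchLabels:
      app: payments-api     # assumed label on the payments-api pods
  policyTypes:
  - Ingress
  - Egress
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: gateway   # assumed gateway namespace
      podSelector:
        matchLabels:
          app: api-gateway                       # assumed gateway pod label
    ports:
    - protocol: TCP
      port: 8443
  egress:
  - to:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: kube-system
      podSelector:
        matchLabels:
          k8s-app: kube-dns                      # label used by the kubeadm CoreDNS deployment
    ports:
    - protocol: UDP
      port: 53
    - protocol: TCP
      port: 53
```

NetworkPolicy objects are accepted by the API server on any cluster, but they are only enforced when the installed network plugin implements them (Calico, Cilium and similar do; a bare bridge/kubenet setup does not). Check that the plugin in use enforces policy before relying on a default-deny rule, and monitor the allow rules as the east-west traffic the slide describes grows.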
  17. Security Architecture (diagram components: Node, POD, Load Balancer, Master, API Gateway, Web UI, CI/CD Build Pipeline and registry, Container Notary, Vulnerability Management, Resource Monitoring, Identity Management, Security Monitoring, Threat Intelligence, APP, Device)
     • Container signing
     • Vulnerability scanning
     • Benchmarks
     • Network segmentation
     • Host security
     • SELinux
     • Namespaces
     • Logs
     • User authentication and authorization
     • Web security protection
     • Pre-registered user/app/device
     • DoS, DDoS protection
     • API security
  18. Handling K8s Security: Best Practices
     • Use signed containers
     • Use namespaces per app, with wallets to store secrets
     • Restrict Linux capabilities with SELinux
     • Utilize the ecosystem
     • Update systems, apply patches
     • Run benchmarks
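Several of the best practices above (signed images, a namespace per app, secrets kept out of the manifest, restricted Linux capabilities) are expressed in a pod spec. The two manifests below are an added example, not from the presentation: a weak form of a hypothetical `billing` pod as it is often written, followed by the hardened form of the same pod. The image digest is a placeholder, and `seccompProfile` assumes Kubernetes 1.19 or later.

```yaml
# Added example (not from the presentation). Weak form: every setting below is a
# configuration-security issue the talk lists.
apiVersion: v1
kind: Pod
metadata:
  name: billing-weak
  namespace: default              # everything shares the "default" namespace
spec:
  containers:
  - name: billing
    image: billing:latest         # mutable tag; no signature or digest pinning
    securityContext:
      privileged: true            # all capabilities and host device access
    env:
    - name: DB_PASSWORD
      value: "s3cret"             # secret stored in the manifest itself
---
# Hardened form of the same pod.
apiVersion: v1
kind: Pod
metadata:
  name: billing
  namespace: billing              # per-app namespace
spec:
  automountServiceAccountToken: false   # no API-server token unless the app needs one
  securityContext:
    runAsNonRoot: true            # kubelet refuses to start the container as UID 0
    runAsUser: 10001
    seccompProfile:
      type: RuntimeDefault        # runtime's default syscall filter
  containers:
  - name: billing
    # Pin to the digest of the signed image; "<DIGEST>" is a placeholder.
    image: "registry.example.com/billing@sha256:<DIGEST>"
    securityContext:
      allowPrivilegeEscalation: false   # blocks setuid binaries gaining privilege
      readOnlyRootFilesystem: true
      capabilities:
        drop: ["ALL"]
        add: ["NET_BIND_SERVICE"]       # only if the app must bind a port below 1024
    env:
    - name: DB_PASSWORD
      valueFrom:
        secretKeyRef:             # value comes from a Secret object in the namespace
          name: billing-db
          key: password
```

Dropping all capabilities and forbidding privilege escalation removes the usual route from a compromised container process to root on the node, and the digest-pinned image is what a Notary or signature check in the CI/CD pipeline can verify. To catch the weak form before it reaches a cluster, enforce these fields with admission control (Pod Security Admission on current Kubernetes, or a policy engine) rather than relying on review alone.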
  19. Common Security Tools
     • Istio: creates a service mesh and provides mutual TLS between microservices by default
     • Grafeas: provides a uniform way for auditing and governance
     • Clair: vulnerability scanning
     • Harbor: secure image distribution
  20. Thank you
  21. How pod networking works
     1. A container integration bridge is created initially on the container host system. This bridge lives in the host network namespace and is shared across all containers and PODs on the given host for providing network connectivity.
     2. When a POD is created, the container runtime creates a network namespace for the POD. All the containers of the POD live in this namespace, and each POD has its own namespace.
     3. The container network plugin creates a logical "cable" between the POD namespace and the container integration bridge.
     4. Traffic between PODs on the same host traverses the local container integration bridge and does not leave the host.
     5. Traffic destined for PODs on other hosts is forwarded to the container overlay network. The container network logically spans all hosts in the cluster, i.e. it provides a common layer 3 network for connecting all PODs in the cluster.
     6. The container overlay network encapsulates POD traffic and forwards it to the host network. The host network ensures the traffic ends up on the host containing the target POD, where the reverse of the steps above is applied.
     7. Whether the cluster hosts are VMs or bare-metal systems, there will inevitably be an infrastructure below these hosts. It is not always possible to gain access to this infrastructure. However, this infrastructure can be a considerable source of network issues, so it is important to remember that it exists.
     8. Traffic between PODs on different hosts always traverses the container overlay network, the host network, and the infrastructure network.