Many organizations are shifting to containers and Kubernetes, and that move means learning new ways to secure their environments. Kubernetes clusters have to be hardened at different levels. We have to consider the nodes where the Kubernetes control plane is running. We also need to secure the Kubernetes workloads and check the files that create them. And we need to inspect the containers we are using for vulnerabilities and unusual behavior.
Gene will show you some open-source tools that can find issues and vulnerabilities at each layer. You will see how they can be used in a pipeline to build your Kubernetes cluster safely and keep it secure.

  1. Keeping your Kubernetes Cluster Secure. January 13, 2022. Design. Disrupt. Repeat.
  2. KUBERNETES SECURITY: Layers
     • Infrastructure: hosts, networking, cluster
     • Build: static code analysis, containers
     • Runtime: workloads, resource constraints, behavior
     @OtherDevOpsGene #CodeMash
  3. KUBERNETES SECURITY: Terminology
     Security is a type of quality.
     • You cannot be insecure and have high quality.
     • You cannot have low quality but high security.
     I will use “properly”, “correctly”, and “securely” interchangeably.
  4. Infrastructure, Build, Runtime, Wrap-up
  5. INFRASTRUCTURE: Hardening
     • Kubernetes Hardening Guidance, National Security Agency (NSA) and Cybersecurity and Infrastructure Security Agency (CISA). Start with the kubernetes.io article.
     • Kubernetes Security Technical Implementation Guide, Cybersecurity and Infrastructure Security Agency (CISA). Start with the stigviewer.com client.
     • CIS Kubernetes Benchmark, Center for Internet Security (CIS), non-government, non-profit. https://www.cisecurity.org/benchmark/kubernetes/
  6. INFRASTRUCTURE: Host security
     Kubernetes hosts need the same security as other hosts.
     • Harden the servers.
     • Use automation for repeatability: eksctl, Terraform.
     • Only run what you need.
     • Keep the systems up-to-date: critical vulnerabilities within 15 days, high vulnerabilities within 30 days.
  7. INFRASTRUCTURE: Cluster configuration
     Is my Kubernetes cluster installed and configured properly?
     • Use Aqua kube-bench.
     • May not apply to master nodes.
     • Runs as a Kubernetes Job via kubectl.
  8. INFRASTRUCTURE: Cluster vulnerabilities
     What security weaknesses does my cluster expose?
     • Use Aqua kube-hunter.
     • Sign up at kube-hunter.aquasec.com.
     • Run in a container.
     • Can also be run locally as a Python tool.
  9. Infrastructure, Build, Runtime, Wrap-up
  10. BUILD: Develop secure software
      Deploying crappy code will lead to crappy security. For the applications you are building and deploying:
      • Use pair programming and/or code reviews.
      • Frequently update libraries, frameworks, and runtimes.
      • Use static analysis.
      • Test your software. No, really. Test.
  11. BUILD: Stay up-to-date
      Keep resources up-to-date:
      • Infrastructure-as-code
      • Tools
      • Dependencies
      • Container images: container contents, base images
      • Don’t underestimate the value of frequent docker pull image and git fetch upstream.
  12. BUILD: Static code analysis
      Are resources configured properly?
      • Use Checkov.
      • Scans source code for Dockerfiles, Kubernetes, and Terraform.
      • Python pip install or use the Docker container.
      • Scan code with checkov -d directory.
  13. BUILD: Container image scanning
      Are there vulnerabilities in the container image?
      • Use docker scan image.
      • Uses Snyk.
      • 10 free scans per month; paid plans available.
  14. BUILD: Container image scanning
      Are there vulnerabilities or misconfigurations in the container image?
      • Use Trivy.
      • Installs as a package, from a script, as a container, etc.
      • Scan an image with trivy image image.
      • Scan Terraform and Dockerfiles with trivy config dir.
  15. Infrastructure, Build, Runtime, Wrap-up
  16. RUNTIME: Monitoring
      Don’t stop watching once you deploy. Make sure you are monitoring the running cluster.
      • Don’t forget the obvious: disk space, CPU, memory.
  17. RUNTIME: Workload configuration
      Are the workloads using recommended practices?
      • Use Polaris: dashboard, admission controller, static analysis.
  18. RUNTIME: Resource constraints
      Can a few containers consume too much memory or CPU?
      • Set the resource requests and limits for memory and CPU.
      • Use Goldilocks to get recommendations.
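As an added example (not from the talk or from Goldilocks), the requests/limits recommended on the slide above, set on a Deployment container and backed by a LimitRange so containers that omit them still get defaults and a ceiling. The namespace, app name, image and sizes are assumed values.

```yaml
# Added example (not from the talk). Namespace, app name, image and sizes are assumed.
apiVersion: v1
kind: LimitRange
metadata:
  name: container-defaults
  namespace: shop
spec:
  limits:
    - type: Container
      # Applied to any container in the namespace that omits requests/limits
      defaultRequest:
        cpu: 100m
        memory: 128Mi
      default:
        cpu: 500m
        memory: 256Mi
      # Admission rejects containers that ask for more than this
      max:
        cpu: "2"
        memory: 1Gi
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: api
  namespace: shop
spec:
  replicas: 2
  selector:
    matchLabels:
      app: api
  template:
    metadata:
      labels:
        app: api
    spec:
      containers:
        - name: api
          image: registry.example.com/shop/api:1.4.2   # assumed image
          resources:
            # The scheduler reserves this much; the pod is only placed where it fits
            requests:
              cpu: 250m
              memory: 256Mi
            # CPU is throttled above this; exceeding the memory limit gets the container OOM-killed
            limits:
              cpu: 500m
              memory: 512Mi
```

The LimitRange is what stops a single unconstrained container from starving its neighbours; Goldilocks' recommendations are the values you would put in the requests and limits.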
  19. RUNTIME: Network isolation
      Can Kubernetes resources reach others they don’t need to?
      • Use a CNI network plugin: Amazon EKS, Cilium.
      • Build a Network Policy. Tutorial at https://networkpolicy.io
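As an added example (not from the talk or from networkpolicy.io), the Network Policy pattern the slide above recommends: a namespace-wide default deny, then an allow policy scoped to one workload. The namespace, labels, ingress-controller namespace and ports are assumed.

```yaml
# Added example (not from the talk). Namespace, labels and ports are assumed.
# Default-deny: a pod selected by any NetworkPolicy only passes traffic that some policy allows; the empty podSelector selects every pod in the namespace.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: shop
spec:
  podSelector: {}
  policyTypes:
    - Ingress
    - Egress
---
# api pods accept traffic only from the ingress controller's namespace on 8080, and may reach only the database pods (5432) and cluster DNS (53).
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: api-allow
  namespace: shop
spec:
  podSelector:
    matchLabels:
      app: api
  policyTypes:
    - Ingress
    - Egress
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: ingress-nginx
      ports:
        - protocol: TCP
          port: 8080
  egress:
    - to:
        - podSelector:
            matchLabels:
              app: postgres
      ports:
        - protocol: TCP
          port: 5432
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
      ports:
        - protocol: UDP
          port: 53
```

These objects are only enforced when the cluster's CNI implements NetworkPolicy (the slide's point about choosing a plugin such as Cilium); on a CNI without that support they apply cleanly and do nothing.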
  20. RUNTIME: Behavior monitoring
      Are any workloads doing something unexpected?
      • Use Falco.
      • Watches system calls: privilege escalation, ownership and mode changes, unexpected network connections.
      • Install on the host so it is isolated from Kubernetes.
      • Can also be installed into the cluster using Helm if you don’t control the host, e.g., EKS.
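As an added example (not from the talk or from Falco's default ruleset), a custom Falco rule for the "unexpected network connections" case on the slide above: it fires when a container in one namespace opens an outbound TCP connection to a port that is not on that namespace's allow-list. The namespace name and port list are assumed; the field names are Falco's own.

```yaml
# Added example (not from the talk). Namespace and allowed ports are assumed.
- list: shop_allowed_ports
  items: [53, 443, 5432]

# Completed (or in-progress) outbound IPv4 TCP connect() calls
- macro: outbound_tcp
  condition: >
    evt.type = connect and evt.dir = < and fd.typechar = 4
    and fd.l4proto = tcp and (evt.rawres >= 0 or evt.res = EINPROGRESS)

# Events from inside a container, not from the host itself
- macro: in_container
  condition: container.id != host

- rule: Unexpected outbound connection from shop workload
  desc: >
    A container in the shop namespace connected to a server port that is not
    on its allow-list. Tune shop_allowed_ports per namespace before enforcing.
  condition: >
    outbound_tcp and in_container and k8s.ns.name = "shop"
    and not fd.sport in (shop_allowed_ports)
  output: >
    Unexpected outbound connection from shop workload
    (user=%user.name command=%proc.cmdline connection=%fd.name
    pod=%k8s.pod.name image=%container.image.repository)
  priority: WARNING
  tags: [network, k8s, shop]
```

Load it alongside the default rules (for example via a rules file mounted into the host install or the Helm chart's customRules value) and watch the output for a day to build the allow-list before routing alerts anywhere.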
  21. Infrastructure, Build, Runtime, Wrap-up
  22. WRAP-UP: Key takeaways
      • Harden your infrastructure using recommended practices.
      • Keep everything up-to-date.
      • Scan your container images frequently.
      • Use an admission controller as a gatekeeper to your cluster.
      • Monitor your runtime for unexpected behavior.
  23. WRAP-UP: Reading list
      • Kubernetes Hardening Guidance, National Security Agency (NSA) and Cybersecurity and Infrastructure Security Agency (CISA). https://media.defense.gov/2021/Aug/03/2002820425/-1/-1/1/CTR_KUBERNETES%20HARDENING%20GUIDANCE.PDF
      • A Closer Look at NSA/CISA Kubernetes Hardening Guidance, Jim Angel, Pushkar Joglekar, and Savitha Reghunathan. https://kubernetes.io/blog/2021/10/05/nsa-cisa-kubernetes-hardening-guidance/
      • Kubernetes Security Technical Implementation Guide, Cybersecurity and Infrastructure Security Agency (CISA). https://public.cyber.mil/stigs/downloads/
      • CIS Kubernetes Benchmark, Center for Internet Security (CIS). https://www.cisecurity.org/benchmark/kubernetes/
  24. WRAP-UP: Tools
      • Aqua Security kube-bench: https://github.com/aquasecurity/kube-bench
      • Aqua Security kube-hunter: https://github.com/aquasecurity/kube-hunter
      • Checkov: https://github.com/bridgecrewio/checkov
      • Docker scan: https://docs.docker.com/engine/scan/
      • Aqua Security Trivy: https://github.com/aquasecurity/trivy
      • Fairwinds Polaris: https://github.com/fairwindsops/polaris
      • Fairwinds Goldilocks: https://github.com/fairwindsops/goldilocks
      • Network Policy Editor: https://networkpolicy.io
      • Cilium: https://cilium.io
      • Falco: https://falco.org
  25. Questions?

