Kube Security Shifting left | Scanners & OPA


As Kubernetes matures into the de facto standard operating system of the cloud, and deployment methods shift towards GitOps and continuous delivery paradigms, automation of security is one of our main concerns.

The security policy alignment starts in the CI/CD pipelines and continues into runtime security solutions.
In this talk, we will introduce a few solutions built around Kubernetes, from the early stages of the CI/CD pipeline through runtime application security models, which we are seeing from many companies in the security vertical.

Scanning tools [ static ]
Runtime [ pro-active, permissive ]

A few words about Haggai:
Haggai is a DevOps Architect, Group & Tech Lead at Tikal. For the past 15 years Haggai has provided solutions in the domains of CI/CD, configuration management, and security, and in the past ~4 years has specialized in Kubernetes-based deployment schemes.


1. Kube Security Shifting left - Haggai Philip Zagury, DevOps BP, GL & TL
2. Haggai Philip Zagury, DevOps BP, GL & TL
   - Open thinking and open techniques ideology, driven by open source technologies
   - My solution-driven approach is based on hands-on and deep understanding of operating systems, application stacks, software languages and frameworks, networking, cloud and cloud-native solutions.
3. Tikal - Home of Tech Experts
   - Tikal is a leading Israeli hands-on tech consultancy, scaling R&D teams with cutting-edge technologies. Our experts join development teams across the tech industry and help them make a tech impact on their product.
4. The Tech Radar
   - An opinionated map of the latest technologies and trends in the Israeli tech industry. The 6th edition of the Tech Radar was built in collaboration with leading tech companies such as Playtika, Taboola, Intel, and more.
5. The evolution of Software Development - Building a platform brick by brick
6. The evolution of Software Development
7. The evolution of Software Development - Reducing the toil of software development: it's a long process
8. The evolution of Software Development - Reducing the toil of software development: it's a long process
9. A long long time ago …
   - When servers were referred to as pizza boxes
   - When the cloud was in the sky ;)
10. We asked for it ;)
   - SOA
   - Microservices
   - Serverless
   - SaaS, PaaS, IaaS, MaaS …
   - Multiple architectures for different goals
11. We asked for it ;)
   - SOA, Microservices, Serverless, SaaS, PaaS, IaaS, MaaS …, Multiple architectures for different goals
   - Polyglot programming
12. We asked for it ;)
   - SOA, Microservices, Serverless, SaaS, PaaS, IaaS, MaaS …, Multiple architectures for different goals, Polyglot programming
   - Multi cloud
13. We have some answers!
   - Untangle systems complexity
   - Identify common patterns
   - Small (micro) teams -> microservices
14. Answers! - Declarative programming
   - Be declarative
   - There is no chance we know all the bells and whistles in every subsystem
   - We don't have the time for imperative
15. Answers! - Pipelines
   - Be declarative
   - There is no chance we know all the bells and whistles in every subsystem
   - We don't have the time for imperative
   - Bells and whistles? We have a pipeline for that!
16. Use the same methods for security | shift left
   - Be declarative
   - There is no chance we know all the bells and whistles in every subsystem
   - We don't have the time for imperative
   - Bells and whistles? We have a pipeline for that!
17. Security -> Onboarding❓
   - In many cases a few questionnaires 😉
   - And in some cases some videos to watch on security, and you're Good2Go …
18. How do we start shifting left?
   - Security onboarding - where do I understand what security measures were taken
   - Tooling - the focus of today
   - Sharing information - dev portal
19. Developer Portals
   - One place to store product information
   - About our project
   - About our microservice
   - Our proven security rank || rate
20. Developer Experience
   - One place to store product information
   - About our project
   - About our microservice
   - Our proven security rank || rate
   - Changes the way we develop
   - Introduces new tooling
   - Learn more about security
21. The developer approach to security
   - Scanning
   - From the developer -> CI process -> runtime environment scanning
22. Security related Operators
   - ~32 operators related to security
   - What is there to secure, you ask?
   - RBAC
   - Network policies
   - Image vulnerabilities
   - Network access
   - Libraries & third-party threats
23. Kube what?
   - For Kubernetes everything starts with kube ;)
   - Kubernetes security: portable, declarative, extensible
   - Automatable
   - Another DevOps spin-off = DevSecOps
24. Types of security scans (traditional)
   - Vulnerability scanning
   - Compliance scanning
   - Misconfiguration scanning
   - Spot all operating system, third-party and zero-day vulnerabilities.
25. Security Pipelines - Part of the development lifecycle, in the CI phase
26. Security Pipelines [ SAST ] - Static Application Security Testing (SAST)
27. Many cloud native tools under the hood (https://geekflare.com/kubernetes-security-scanner/)
   - Kube Hunter
   - Kube Bench
   - Checkov
   - MKIT
   - Kubei
   - Kube Scan
   - Kubeaudit
   - Kubesec
28. Security related Operators
   - Active / periodic scan
   - Scheduled scan
   - Customize rules to apply your company's policy
29. What is Open Policy Agent?
   - Rule engine (not only for Kubernetes)
   - Which users can access which resources.
   - Which subnets egress traffic is allowed to.
   - Which clusters a workload must be deployed to.
   - Which registries binaries can be downloaded from.
   - Which OS capabilities a container can execute with.
   - Which times of day the system can be accessed at.
30. What is Open Policy Agent on Kubernetes?
   - OPA-Gatekeeper, e.g.:
   - Duplicate Ingress URLs
   - Unused secrets
   - Owner of resource (required labels)
   - …
31. Admission Control
32. Evaluating & testing policies - OPA-Gatekeeper: ensure the image is from a well-known source repository (https://play.openpolicyagent.org/)
33. Evaluating & testing policies - OPA-Gatekeeper: ensure we don't have 2 Ingress resources with the same URL (https://play.openpolicyagent.org/)
34. Evaluating & testing policies - OPA-Gatekeeper: ensure we don't have 2 Ingress resources with the same URL (https://play.openpolicyagent.org/)
35. ACTIVE / STATIC
36. Boosting developer experience
   - Reducing the toil
   - OPA - not only for k8s …
   - Terraform configuration as code
   - Application realtime policy engine
   - Rego as configuration language
   - Rego playground
37. Thank you! Haggai Philip Zagury, DevOps BP, GL & TL
38. References
   - https://play.openpolicyagent.org/
   - https://github.com/kubescape/regolibrary
   - https://github.com/open-policy-agent/gatekeeper
   - https://www.nist.gov/programs-projects/national-vulnerability-database-nvd
   - https://geekflare.com/kubernetes-security-scanner/
   - https://www.fissionlabs.com/blog-posts/what-is-devsecops-types-of-security-scans
   - https://insights.sei.cmu.edu/blog/the-current-state-of-devsecops-metrics/
   - https://kondukto.io/blog/5-circular-phases-of-sec-in-devsecops
   - https://dt-cdn.net/images/devsecops-image-2000-6557ba1b00.png
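Slides 32 to 34 evaluate two Gatekeeper-style checks in the Rego playground: the image must come from a well-known registry, and no two Ingress resources may claim the same URL. The policy below is an added example written in OPA's Rego v1 syntax, not code from the deck or from the Gatekeeper project; the allowed registries, the sample Pod, and the data.inventory layout used to look up existing Ingresses are assumptions (in a real ConstraintTemplate the registry list would arrive via input.parameters).

```rego
package kubernetes.admission

import rego.v1

# Assumed registry allowlist (constructed for this example).
allowed_registries := {"registry.example.com", "ghcr.io/our-org"}

# Rule 1: every container and init container image must be pulled from an allowed registry.
# Reads the admission review object as Gatekeeper presents it (Pod-level spec assumed).
violation contains {"msg": msg} if {
	some container in all_containers
	not image_allowed(container.image)
	msg := sprintf("container %q uses image %q, which is not from an allowed registry", [container.name, container.image])
}

all_containers contains c if some c in input.review.object.spec.containers
all_containers contains c if some c in input.review.object.spec.initContainers

# An image with no registry prefix (e.g. "nginx:1.25") implicitly means docker.io and is rejected.
image_allowed(image) if {
	some registry in allowed_registries
	startswith(image, sprintf("%s/", [registry]))
}

# Rule 2: an Ingress must not claim a host that another Ingress already serves.
# Existing Ingress objects are read from data.inventory, the layout Gatekeeper fills
# for synced namespaced resources (assumed; in the playground supply it as data).
violation contains {"msg": msg} if {
	input.review.kind.kind == "Ingress"
	some rule in input.review.object.spec.rules
	some ns, name
	other := data.inventory.namespace[ns]["networking.k8s.io/v1"].Ingress[name]
	not same_object(other)
	some other_rule in other.spec.rules
	other_rule.host == rule.host
	msg := sprintf("host %q is already served by ingress %s/%s", [rule.host, ns, name])
}

# Skip the object being admitted itself, otherwise an update would conflict with its own old copy.
same_object(other) if {
	other.metadata.namespace == input.review.object.metadata.namespace
	other.metadata.name == input.review.object.metadata.name
}

# Constructed sample for `opa test`: a Pod pulling from Docker Hub yields exactly one violation.
test_untrusted_image_denied if {
	count(violation) == 1 with input as {"review": {
		"kind": {"kind": "Pod"},
		"object": {"metadata": {"name": "web", "namespace": "default"},
			"spec": {"containers": [{"name": "app", "image": "docker.io/library/nginx:1.25"}]}}}}
}
```

Save it as policy.rego and run `opa test policy.rego -v`; in Gatekeeper the same rules form the body of a ConstraintTemplate, with the Ingress sync configured so data.inventory is populated.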
