1.
Kube Security
Shifting left
Haggai Philip Zagury
DevOps BP, GL & TL

2.
Open thinking and open
techniques ideology - driven by
Open Source technologies
My Solution driven approach is based
on hands-on and deep understanding
of Operating Systems, applications
stacks software languages and
frameworks, Networking, Cloud and
Cloud Native solutions.
Haggai Philip Zagury
DevOps BP, GL & TL

3.
Tikal is a leading Israeli hands-on tech
consultancy, scaling R&D teams with
cutting-edge technologies. Our experts join
development teams across the tech
industry and help them make a tech Impact
on their product.
Tikal -
Home of Tech Experts

4.
An Opinionated map of the
latest technologies and trends
in the Israeli Tech industry.
The 6th edition of the Tech Radar was built in
collaboration with leading tech companies
such as: Playtika, Taboola, Intel, and more.
The Tech Radar

5.
Building a
platform brick by
brick
The evolution of
Software Development

6.
The evolution of
Software Development

7.
The evolution of
Software Development
Reducing the TOIL’s of Software Development - It’s a long process

8.
The evolution of
Software Development
Reducing the TOIL’s of Software Development - It’s a long process

9.
A long long time ago …
- When servers were related to as
pizza-boxes
- When the cloud was in the sky ;)

10.
We asked for it ;)
- SOA
- Microservices
- Serverless
- Saas, PaaS, IaaS, MaaS …
- Multiple architectures for different Goals

11.
We asked for it ;)
- SOA
- Microservices
- Serverless
- Saas, PaaS, IaaS, MaaS …
- Multiple architectures for different Goals
- Polyglot Programming

12.
We asked for it ;)
- SOA
- Microservices
- Serverless
- Saas, PaaS, IaaS, MaaS …
- Multiple architectures for different Goals
- Polyglot Programming
- Multi Cloud

13.
We have some Answers !
- Untangle systems complexity
- Identify common patterns
- Small (Micro Teams) -> Micro Services

14.
Answers! - Declarative Programming
- Be Declarative
- There is no chance we know all the
Bells and Whistles in every subsystem
- We don’t have the time for imperative

15.
Answers! - Pipelines
- Be Declarative
- There is no chance we know all the
Bells and Whistles in every subsystem
- We don’t have the time for imperative
- Bells and Whistles ? - we have a
pipeline for that !

16.
Use the same methods for security | shift left
- Be Declarative
- There is no chance we know all the
Bells and Whistles in every subsystem
- We don’t have the time for imperative
- Bells and Whistles ? - we have a
pipeline for that !

17.
Security -> Onboarding❓
- In many cases a few questioners 😉
- And in some cases some videos to
watch on security and your Good2Go …

18.
- Security Onboarding
- Where do I understand what security
measures were taken
- Tooling
- Focus on that today
- Sharing information - dev portal
-
How do we start shifting left?

19.
Developer Portals
- One place to store product information
- About our project
- About our microservice
- Our proven security rank || rate

20.
Developer Experience
- One place to store product information
- About our project
- About our microservice
- Our proven security rank || rate
- Changes the way we developer
- Introducces new tooling
- Learn more about security

21.
The developer approach to security
● Scanning
● From the developer -> ci process -> runtime
environment scanning

22.
Security related Operators
- ~32 operators related to security
- What is there to secure you ask ?
- RBAC
- Network policies
- Image vulnerabilities
- Network Access
- Libraries & third party threats

23.
Kube what ?
- For kubernetes everything starts with kube ;)
- Kubernetes Security
- Portable, Declarative, Extensible - Automatable
- Another DevOps spin-off = DevSecOps

24.
Types of Security scans (traditional)
● Vulnerability Scanning
● Compliance Scanning
● Misconfigurations Scanning
● Spot all operating system, third-party + zero-day vulnerabilities.

25.
Security Pipelines
- Part of the Development
lifecycle in the CI phase

26.
Security Pipelines [ SAST ]
Static Application Security
Testing (SAST) .

27.
Many Cloud Native Under the hood
https://geekflare.com/kubernetes-security-scanner/
● Kube Hunter
● Kube Bench
● Checkov
● MKIT
● Kubei
● Kube Scan
● Kubeaudit
● Kubesec

28.
Security related Operators
- Active / Periodic
scan
- Scheduled scan
- Customize rules
to apply to your
companies
policy

29.
What is Open Policy Agent ?
- Rule engine (not only for Kubernetes)
- Which users can access which resources.
- Which subnets egress traffic is allowed to.
- Which clusters a workload must be deployed to.
- Which registries binaries can be downloaded from.
- Which OS capabilities a container can execute with.
- Which times of day the system can be accessed at.

30.
What is Open Policy Agent - on Kubernetes ?
- OPA-Gatekeeper
e.g.
- Duplicate Ingress urls
- Unused secrets
- Owner of resource (required labels)
- …

31.
Admission Control

32.
Evaluating & Testing policies
- OPA-Gatekeeper
- ensure image is from a well
known source repository
https://play.openpolicyagent.org/

33.
Evaluating & Testing policies
- OPA-Gatekeeper
- ensure we don’t have 2 ingress
resources with the same url
https://play.openpolicyagent.org/

34.
Evaluating & Testing policies
- OPA-Gatekeeper
- ensure we don’t have 2 ingress
resources with the same url
https://play.openpolicyagent.org/

35.
ACTIVE STATIC

36.
Boosting developer experience
- Boosting developer experience
- Reducing the Toil
- OPA - not only for k8s …
- Terraform Configuration as Code
- Application realtime policy engine
- Rego as configuration language
- Rego playground

37.
Thank you!
Haggai Philip Zagury
DevOps BP, GL & TL

38.
References
● https://play.openpolicyagent.org/
● https://github.com/kubescape/regolibrary
● https://github.com/open-policy-agent/gatekeeper
● https://www.nist.gov/programs-projects/national-vulnerability-database-nvd
● https://geekflare.com/kubernetes-security-scanner/
● https://www.fissionlabs.com/blog-posts/what-is-devsecops-types-of-security-scans
● https://insights.sei.cmu.edu/blog/the-current-state-of-devsecops-metrics/
● https://kondukto.io/blog/5-circular-phases-of-sec-in-devsecops
● https://dt-cdn.net/images/devsecops-image-2000-6557ba1b00.png