
CloudBurst Malmö: Best practices of securing web applications running on Azure Kubernetes Service

The multitude of security controls and guidelines for both Kubernetes and Azure can be overwhelming. Based on real-life experiences from securing web applications running on Azure Kubernetes Service, Karl has compiled a list of best practices that bring these worlds together.
In this session, you will learn how to build, operate and develop secure web applications on top of Azure Kubernetes Service. After this session, you will know which security controls are available, how effective they are and what will be the cost of implementing them.

  1. @fincooper Best practices of securing web applications running on Azure Kubernetes Service. Karl Ots, 28.8.2019, CloudBurst Malmö
  2. Karl Ots, Chief Consulting Officer, karl.ots@zure.com
     • Cloud & cybersecurity expert from Finland
     • Community leader, speaker, author & patented inventor
     • Working on Azure since 2011
     • Helped to secure 100+ Azure applications, from startups to Fortune 500 enterprises
     • zure.ly/karl
  3. Company figures (figure slide; values and labels were extracted out of order). Values: 13,7; 92; 4,5 / 5; 3; 100%; 37 / 40. Labels: experts; years; avg. employee NPS; customer satisfaction; Azure MVPs; Azure.
  4. What to expect in this session
     • You will learn how to build, operate and architect secure web applications on top of Azure Kubernetes Service.
     • You will learn which security controls are available, how effective they are and what the cost of implementing them will be.
     • Resources to help you better secure your AKS environment in Azure, regardless of your current level!
  5. What to expect in this session
  6. Securing web apps on AKS
     • Cluster security
     • Network security
     • Pod security
     • Deployment considerations
  7. Azure Kubernetes Service: a fully managed Kubernetes cluster (diagram). Layers shown: managed Azure infrastructure services; Docker; Kubernetes; managed Kubernetes control plane. Roles shown: application architect, infrastructure architect. Concerns shown: applications, operations.
  8. (image-only slide)
  9. Cluster security controls
  10. Access control to the Azure management plane
     • To provision Azure infrastructure, the AKS resource will need the following AAD entities:
        • A service principal for the Kubernetes cluster to create new resources and modify existing ones
        • An RBAC role assignment for the service principal
        • A service principal for accessing the container registry
     • In addition, you will need to configure:
        • An app registration acting as the AAD Server
        • An app registration acting as the AAD Client
  11. Access control when connecting to the cluster
     • By default, when you use the az aks get-credentials command, the admin credentials for the AKS cluster are added to your kubectl config.
     • The admin user bypasses the enforcement of pod security policies and does not allow for granular access control.
     • AKS can be configured to use Azure AD for user authentication. In this configuration, you sign in to the AKS cluster with your Azure AD authentication token.
  12. Access control when connecting to the cluster
  13. Access control when connecting to the cluster
     • By default, when you use the az aks get-credentials command, the admin credentials for the AKS cluster are added to your kubectl config.
     • The admin user bypasses the enforcement of pod security policies and does not allow for granular access control.
     • AKS can be configured to use Azure AD for user authentication. In this configuration, you sign in to the AKS cluster with your Azure AD authentication token.
     • But what about az aks get-credentials --admin?
  14. Access control when connecting to the cluster
  15. (image-only slide)
  16. Access control once inside the cluster
     • Once our users are authenticated through Azure AD, we can implement proper access control.
     • Kubernetes RBAC and Pod Security Policies allow us to restrict which pods our dev/ops can operate.
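As an added example (not from the slides), a namespace-scoped Role and a RoleBinding that give an Azure AD group read-only access to a web app's workloads; the namespace, resource names and the group object ID are placeholders I chose. The binding only governs users who signed in through Azure AD; a kubeconfig obtained with `az aks get-credentials --admin` is not subject to it, which is why access to that operation has to be controlled on the Azure side.

```yaml
# Least-privilege role for developers of the web app in the "webapp" namespace
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: webapp
  name: webapp-developer
rules:
  - apiGroups: [""]
    resources: ["pods", "pods/log", "services", "configmaps"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["apps"]
    resources: ["deployments"]
    verbs: ["get", "list", "watch"]
  # Deliberately no "secrets" resource and no create/delete verbs:
  # secrets are fetched from Key Vault at runtime, not read via kubectl
---
# Bind the role to an Azure AD group. With AAD-integrated AKS the subject name
# is the group's object ID (placeholder below), not its display name.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  namespace: webapp
  name: webapp-developers
subjects:
  - kind: Group
    name: "00000000-0000-0000-0000-000000000000"
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: webapp-developer
  apiGroup: rbac.authorization.k8s.io
```

After applying it, a member of the group can verify the boundary with `kubectl auth can-i delete pods -n webapp`, which should answer `no`.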
  17. Often overlooked in AKS ops
     • Azure automatically applies security patches to the Linux nodes in your cluster on a nightly schedule.
     • You are responsible for ensuring that those Linux nodes are rebooted as required.
  18. You are responsible for ensuring AKS nodes are rebooted as required. AKS is not PaaS.
  19. Often overlooked in AKS ops
     • Azure automatically applies security patches to the Linux nodes in your cluster on a nightly schedule.
     • You are responsible for ensuring that those Linux nodes are rebooted as required.
     • Because AKS is free, there is no cost available to reimburse, so AKS has no formal SLA.
     • AKS “seeks to maintain” availability of at least 99.5 percent for the Kubernetes API server.
  20. Network controls
  21. Network diagram, starting point. Elements shown: User; End user access; Application access; Admin access; k8s; Azure SQL Database.
  22. Network diagram, step two. Elements shown: User; Application VNET containing AppAKSSubnet with k8s (access only over SSL); Admin access (access restricted); Azure SQL Database (access restricted, access only from AppAKSSubnet).
  23. Network diagram, target architecture:
     • Application VNET 10.0.0.0/16
        • WAFSubnet 10.0.2.0/24: Web Application Firewall. Frontend IP Configuration: Public IP. Web Application Firewall: Enabled, Prevention mode. HTTP Listener: HTTPS, Port 443, Private SSL certificate. Backend Pool: Kubernetes Internal Load Balancer IP address. HTTP Settings: HTTPS redirect, SSL: Public Certificate. Health Probe: Kubernetes Internal Load Balancer IP address.
        • AppAKSSubnet 10.0.1.0/24: k8s. Access only over SSL. IP restriction: Web Application Firewall Frontend IP only.
     • Azure SQL Database: Access restricted. Access only from AppAKSSubnet. Access only over SSL.
     • User → Web Application Firewall; Admin access → k8s (Access restricted).
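The Kubernetes side of the target diagram, as an added example that is not part of the slides: a Deployment for the web pods and a Service that asks Azure for an internal load balancer in the AKS subnet, so the only public entry point is the WAF. The namespace, names, image and port are placeholders I chose; the two `service.beta.kubernetes.io/azure-load-balancer-internal*` annotations are the ones the Azure cloud provider documents for internal load balancers.

```yaml
# Web app Deployment; the label and TLS port are reused by the Service below
apiVersion: apps/v1
kind: Deployment
metadata:
  name: web
  namespace: webapp
spec:
  replicas: 2
  selector:
    matchLabels:
      app: web
  template:
    metadata:
      labels:
        app: web
    spec:
      containers:
        - name: web
          image: <registry>/web:1.0    # placeholder; the container serves TLS on 8443
          ports:
            - containerPort: 8443
---
# Internal load balancer: the Service gets a private IP inside the VNET instead
# of a public IP. That private IP is what the App Gateway backend pool and
# health probe in the diagram point at.
apiVersion: v1
kind: Service
metadata:
  name: web
  namespace: webapp
  annotations:
    service.beta.kubernetes.io/azure-load-balancer-internal: "true"
    # Optional: pin the frontend IP to a specific subnet of the VNET
    service.beta.kubernetes.io/azure-load-balancer-internal-subnet: "AppAKSSubnet"
spec:
  type: LoadBalancer
  # Keep the gateway's source IP visible to the pods (no SNAT to the node),
  # so network policies can restrict ingress to the WAF subnet
  externalTrafficPolicy: Local
  selector:
    app: web
  ports:
    - name: https
      port: 443
      targetPort: 8443
```

`kubectl get svc web -n webapp` shows the private address under EXTERNAL-IP once Azure has provisioned the load balancer.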
  24. Pod security
  25. Network policies
     • Control the flow of traffic between pods in the AKS cluster
     • ingress from / egress to
     • namespaceSelector / podSelector
     • Network policies are translated into sets of allowed and disallowed IP pairs
     • Kubernetes implements these pairs as iptables rules
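An added example (not from the slides) of the ingress/egress and namespaceSelector/podSelector controls above, written for the web pods of the target diagram: a default-deny policy for the namespace, then a policy that admits TLS traffic only from the WAF subnet and lets the pods reach cluster DNS and Azure SQL. It assumes the diagram's address ranges, a Service with `externalTrafficPolicy: Local` (so the gateway's source IP is preserved), a `name: kube-system` label on that namespace, and that the cluster was created with a network policy plugin enabled, which AKS requires at cluster creation time.

```yaml
# 1. Default deny: a new pod in the namespace accepts and sends nothing
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny
  namespace: webapp
spec:
  podSelector: {}                    # empty selector = every pod in the namespace
  policyTypes: ["Ingress", "Egress"]
---
# 2. Open only what the web pods need
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: web-allow
  namespace: webapp
spec:
  podSelector:
    matchLabels:
      app: web
  policyTypes: ["Ingress", "Egress"]
  ingress:
    # TLS from the WAF subnet only (10.0.2.0/24 in the diagram). Other pods in
    # the cluster, including those in the AKS subnet, are still denied.
    - from:
        - ipBlock:
            cidr: 10.0.2.0/24
      ports:
        - protocol: TCP
          port: 8443
  egress:
    # DNS: namespaceSelector AND podSelector inside ONE list item means both
    # must match. Written as two list items they would be OR-ed: any pod in
    # kube-system, or any pod labelled kube-dns in any namespace.
    - to:
        - namespaceSelector:
            matchLabels:
              name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - protocol: UDP
          port: 53
    # Azure SQL Database over TLS on 1433. The service's gateway addresses are
    # not fixed, so the restriction here is by port rather than by address.
    - to:
        - ipBlock:
            cidr: 0.0.0.0/0
      ports:
        - protocol: TCP
          port: 1433
```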
  26. AAD Pod Identity
  27. AAD Pod Identity
  28. Key Vault FlexVol
  29. Deployment
  30. Deployment
     • Deploy the cluster using ARM templates
     • Deploy the applications using Helm charts
     • Connection strings and other secrets should be stored in Azure Key Vault
     • Bind secrets as Kubernetes Secrets using Key Vault FlexVolume
     • github.com/Azure/kubernetes-keyvault-flexvol
     • What about WAF certificates?
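How the AAD Pod Identity and Key Vault FlexVol slides fit together, as an added example that is not from the slides or either project: an AzureIdentity/AzureIdentityBinding pair from aad-pod-identity maps a user-assigned managed identity onto pods carrying the `aadpodidbinding` label, and the kubernetes-keyvault-flexvol driver then fetches a connection string from Key Vault as that identity. The CRD field names and `azure/kv` options are as I recall them from the two projects' READMEs (check against the linked repositories); subscription, resource group, tenant, client ID, image and vault names are placeholders. Note that the driver mounts the Key Vault object as a file in the container, so the value never lands in a Kubernetes Secret object.

```yaml
# 1. Map a user-assigned managed identity to pods that carry the selector label
apiVersion: aadpodidentity.k8s.io/v1
kind: AzureIdentity
metadata:
  name: webapp-identity
  namespace: webapp
spec:
  type: 0                       # 0 = user-assigned managed identity
  resourceID: /subscriptions/<SUB_ID>/resourcegroups/<RG>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/webapp-mi
  clientID: <CLIENT_ID>
---
apiVersion: aadpodidentity.k8s.io/v1
kind: AzureIdentityBinding
metadata:
  name: webapp-identity-binding
  namespace: webapp
spec:
  azureIdentity: webapp-identity
  selector: webapp              # matched against the pod label aadpodidbinding
---
# 2. Pod that mounts the connection string from Key Vault via the FlexVolume
# driver, authenticating as the bound identity. The managed identity needs a
# Key Vault access policy with "get" on secrets; the pod has no credential of
# its own and no Kubernetes Secret is created.
apiVersion: v1
kind: Pod
metadata:
  name: web
  namespace: webapp
  labels:
    app: web
    aadpodidbinding: webapp
spec:
  containers:
    - name: web
      image: <registry>/web:1.0
      volumeMounts:
        - name: kv-secrets
          mountPath: /kvmnt       # value appears as /kvmnt/SqlConnectionString
          readOnly: true
  volumes:
    - name: kv-secrets
      flexVolume:
        driver: "azure/kv"
        options:
          usepodidentity: "true"
          keyvaultname: "webapp-kv"
          keyvaultobjectnames: "SqlConnectionString"
          keyvaultobjecttypes: "secret"
          resourcegroup: "<RG>"
          subscriptionid: "<SUB_ID>"
          tenantid: "<TENANT_ID>"
```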
  31. Securing web apps on AKS
     • Cluster security
     • Network security
     • Pod security
     • Deployment considerations
  32. Automated security recommendations
  33. (image-only slide)
  34. (image-only slide)
  35. Securing AKS web apps: best practices
     • Control access to Microsoft.ContainerService/managedClusters/listClusterAdminCredential/action
     • Cluster operators should authenticate with AAD to the appropriate cluster RBAC role
     • Control ingress traffic to the cluster
     • Store secrets in Azure Key Vault and access them at runtime
     • Ops is key – spend enough design time on how you deploy new services and maintain the cluster
     • Not the first web app in the cluster? Control cross-pod networking and access with Pod Identity
  36. Wrapping up
     • Compared to PaaS, AKS allows for more security controls to be put in place
     • This comes with more responsibilities!
     • Every application is different
     • You might not need all (or any) of the security controls listed in this session
     • AKS is continuously evolving
     • Check the backlog and challenge your (perceived) security requirements
     • Use AzSK and Azure Policy to automatically scan the security posture of your cluster and Azure environment
  37. Resources
     • My slides: zure.ly/karl/slides
     • AKS Roadmap at https://github.com/Azure/AKS/projects/1
     • docs.microsoft.com/en-us/azure/aks/api-server-authorized-ip-ranges
     • github.com/Azure/kubernetes-keyvault-flexvol
     • github.com/Azure/aad-pod-identity
     • azure.github.io/application-gateway-kubernetes-ingress/
     • docs.microsoft.com/en-us/azure/aks/concepts-security
     • docs.microsoft.com/en-us/azure/aks/operator-best-practices-cluster-security
     • docs.microsoft.com/en-us/azure/aks/developer-best-practices-pod-security
  38. zure.ly/karl/kubevideo
  39. (image-only slide)