
How to Prevent Your Kubernetes Cluster From Being Hacked

Nico and Philip will show how to prevent your Kubernetes cluster from being hijacked by introducing you to best practices as well as useful open source projects based on real-world examples. You'll learn everything you need to know to build and run secure Kubernetes clusters.


  1. How to Prevent Your Kubernetes Cluster From Being Hacked
     ContainerDays Meetup 2022
  2. Who we are
     © white duck GmbH 2022
     Nico Meisenzahl (Head of DevOps Consulting and Operations, Cloud Solution Architect, Azure & Developer Technologies MVP, GitLab Hero)
     Email: nico.meisenzahl@whiteduck.de
     Twitter: @nmeisenzahl
     LinkedIn: https://www.linkedin.com/in/nicomeisenzahl/
     Philip Welz (Senior Kubernetes & DevOps Engineer, GitLab Hero, CKA, CKAD & CKS)
     Twitter: @philip_welz
     LinkedIn: https://www.linkedin.com/in/philip-welz
  3. Security quick wins through the DevOps cycle
  4. You should think about
     • ensure secure application / deployment code
     • build secure container images
     • implement Kubernetes policies
     • introduce Kubernetes network policies
     • rely on Container Runtime Security
     • many more…
  5. Ensure secure application / deployment code
     • your cluster is a shared resource
     • a single compromised application can be enough
     • automate and enforce code checks (shift left!)
     • scan your code as well as your dependencies
       • application code
       • Dockerfiles
       • deployment manifests
  6. Examples
     • vulnerable code and dependencies
     • missing Dockerfile best practices
     • insecure Kubernetes manifests
     They can all lead to someone gaining access to your cluster!
  7. SAST in general
     • Static Application Security Testing (SAST) can help you validate
       • application code
       • Dockerfiles
       • Kubernetes manifests
       • and more
     • use your existing tooling (GitHub, GitLab) for an easy start
     • there is also a big ecosystem available
  8. Software Bill of Materials (SBOM)
     • "list of ingredients" for all your software and dependencies
     • supports hierarchy and therefore multi-level dependencies
     • without one you don't have full visibility
     • in an ideal world you would only need to care about your own stuff
     • SBOMs can be the baseline for your vulnerability scanning
  9. Tooling: syft and grype
     • syft helps you create a Software Bill of Materials (SBOM)
       • https://github.com/anchore/syft
       • can also be used via "docker sbom"
     • grype allows you to scan SBOMs for vulnerabilities
       • https://github.com/anchore/grype
     • both
       • support a large list of programming languages and ecosystems
       • are easy to integrate into CI
       • can be integrated with K8s via Operators
         • https://github.com/ckotzbauer/sbom-operator
         • https://github.com/ckotzbauer/vulnerability-operator
  10. Demo: Vulnerability scanning with SBOM
      • we will create an SBOM for an existing container image using syft
      • then analyze the exported SBOM with grype to detect possible vulnerabilities
  11. Further K8s-related tooling
      • Ensure best practices and detect misconfiguration on clusters
        • kube-bench: https://github.com/aquasecurity/kube-bench
        • Kubescape: https://github.com/kubescape/kubescape
        • Popeye: https://github.com/derailed/popeye
      • Scan Dockerfiles, K8s manifests or Helm Charts
        • Checkov: https://github.com/bridgecrewio/checkov
        • Trivy: https://github.com/aquasecurity/trivy
        • kics: https://github.com/Checkmarx/kics
  12. Implement Kubernetes policies
      • allows you to enforce what is allowed and what is not
      • enables you to define guardrails for your users
      • can limit attackers from gaining further access
  13. Examples
      • attacker spins up a privileged container to escape
      • someone mounts the node's disk via hostPath
        • then gains access to the secret of the underlying cloud identity
      • exposing a service via a LoadBalancer service
  14. Tooling: Built-in, OPA or Kyverno
      • Pod Security Admission
        • stable since 1.25
        • admission controller to enforce the Pod Security Standards
        • define different isolation levels (profiles) for Pods
      • Open Policy Agent Gatekeeper
        • "jack of all trades"
        • can become quite complex – Rego
        • https://open-policy-agent.github.io/gatekeeper
      • Kyverno
        • easy to start
        • Kubernetes-only (which can be a plus)
        • https://kyverno.io
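As an added example (not from the slides), the built-in and Kyverno mechanisms from this slide applied to the cases of slide 13: a Namespace label that makes Pod Security Admission enforce the baseline profile, which rejects privileged containers and hostPath volumes, plus a Kyverno ClusterPolicy that rejects Services of type LoadBalancer, a resource the Pod Security Standards do not cover. The namespace name team-a is an assumption.

```yaml
# Added example: Pod Security Admission (built-in, stable since 1.25),
# enforced per namespace via labels. "baseline" forbids privileged
# containers and hostPath volumes; "restricted" is only warned/audited
# here so teams can see what they would need to fix before tightening.
apiVersion: v1
kind: Namespace
metadata:
  name: team-a   # assumed namespace name
  labels:
    pod-security.kubernetes.io/enforce: baseline
    pod-security.kubernetes.io/enforce-version: latest
    pod-security.kubernetes.io/warn: restricted
    pod-security.kubernetes.io/audit: restricted
---
# Added example: Kyverno validate rule for the LoadBalancer case. PSA
# only evaluates Pods, so Services need a separate policy engine.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: disallow-loadbalancer-services
spec:
  validationFailureAction: Enforce   # reject, do not just report
  background: true                   # also report pre-existing violations
  rules:
    - name: no-loadbalancer-type
      match:
        any:
          - resources:
              kinds:
                - Service
      validate:
        message: "Service type LoadBalancer is not allowed; expose via Ingress instead."
        pattern:
          spec:
            # "!" negates the value: any type except LoadBalancer passes.
            # The API server defaults type to ClusterIP before admission,
            # so the field is always present when this rule runs.
            type: "!LoadBalancer"
```

Check the result with a dry run, e.g. `kubectl apply --dry-run=server` of a Pod with `privileged: true` in team-a should be rejected by the admission controller rather than the policy engine.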
  15. Introduce Kubernetes network policies
      • once again: K8s is a shared resource
      • you need to define guardrails
      • think about
        • outgoing traffic into the internet
        • traffic between applications and namespaces
        • traffic into your internal network and/or cloud resources
  16. Examples
      • malicious code gets loaded from the internet
      • attacker talks to the cloud provider's metadata service
        • and retrieves the cloud identity secret
      • vulnerable application has access to other apps' backends
        • and retrieves, dumps, changes data
  17. Tooling: There are many…
      • grab the one that suits your needs
      • go for the managed one in managed clusters
      • otherwise: Cilium or Calico
      • Cilium
        • based on eBPF
        • allows domain-name-based policies
        • https://editor.cilium.io
        • https://cilium.io
      • Calico
        • supports standard Linux networking or eBPF "now"
        • domain-name-based policies only via Calico Enterprise
        • widely adopted (AKS, GKE, …)
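An added example (not from the slides) of the guardrails slides 15 and 16 ask for, written as plain Kubernetes NetworkPolicy so it works with any of the CNIs on slide 17: deny all egress in a namespace, then re-allow only cluster DNS and the application's own backend. The namespace team-a, the labels app=frontend and app=backend, and the CoreDNS label k8s-app=kube-dns are assumptions.

```yaml
# Added example: default-deny egress for every pod in the namespace.
# Internet downloads and the cloud metadata endpoint are not in any
# allow rule below, so both stay blocked.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-egress
  namespace: team-a   # assumed namespace
spec:
  podSelector: {}     # applies to all pods in the namespace
  policyTypes:
    - Egress
---
# Added example: re-allow only what the frontend actually needs.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: frontend-egress
  namespace: team-a
spec:
  podSelector:
    matchLabels:
      app: frontend   # assumed label
  policyTypes:
    - Egress
  egress:
    # Cluster DNS in kube-system; kubernetes.io/metadata.name is set on
    # every namespace by the API server, k8s-app=kube-dns is the usual
    # CoreDNS label (assumption, check your distribution).
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
    # The frontend's own backend in the same namespace; other teams'
    # backends remain unreachable even if the frontend is compromised.
    - to:
        - podSelector:
            matchLabels:
              app: backend   # assumed label
      ports:
        - protocol: TCP
          port: 8080
```

Verify from inside a frontend pod: a request to 169.254.169.254 or to a public host should time out, while lookups via cluster DNS and calls to the backend still succeed.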
  18. Rely on Container Runtime Security
      • gives you awareness of what happens inside your cluster
      • without that you won't know what is going on
      • alerts you on malicious events and workloads
        • based on the defined rules
      • real-time enforcement
  19. Examples
      • undetected untrusted process within a container
      • untrusted shells running inside a container
      • container process mounting a sensitive path
      • a process making outbound network connections
  20. Tooling: Falco or Tetragon
      • Falco
        • parses Linux system calls from the kernel at runtime
        • "the known one"
        • https://falco.org
      • Tetragon
        • eBPF-based analysis
          • process execution events
          • system call activity
          • I/O activity including network & file access
        • "the new one"
        • https://github.com/cilium/tetragon
  21. Demo: Tetragon
      • we will connect to a privileged pod, execute some commands and access files
      • we will use Tetragon (pre-installed via Helm) and the Tetragon CLI to observe process execution, network connections and file access
  22. Service Account Token
      • got more secure with Kubernetes 1.24
      • you now must create a token when you need one
      • do not
        • share service accounts between applications
        • enable higher access levels for the default service account if not required
        • mount the service account token if not required
      • https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#use-the-default-service-account-to-access-the-api-server
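An added example (not from the slides) putting the three "do not" points into manifests: a dedicated ServiceAccount per application, token automounting switched off at both the ServiceAccount and the Pod, and a short-lived projected token mounted only into the one container that really talks to the API server. Names, namespace and images are placeholders.

```yaml
# Added example: one ServiceAccount per application, never shared.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: frontend        # assumed name
  namespace: team-a     # assumed namespace
automountServiceAccountToken: false   # opt out at the SA level
---
apiVersion: v1
kind: Pod
metadata:
  name: frontend
  namespace: team-a
spec:
  serviceAccountName: frontend
  automountServiceAccountToken: false   # and again at the Pod level
  containers:
    - name: app
      image: registry.example/frontend:1.0   # placeholder image
      # This container needs no API access, so it gets no token at all.
    - name: sidecar
      image: registry.example/sidecar:1.0    # placeholder image
      volumeMounts:
        - name: api-token
          mountPath: /var/run/secrets/tokens
          readOnly: true
  volumes:
    # Bound, expiring token from the TokenRequest API: it is tied to this
    # Pod, invalidated when the Pod is deleted, and rotated by the kubelet
    # before it expires (minimum expirationSeconds is 600).
    - name: api-token
      projected:
        sources:
          - serviceAccountToken:
              path: token
              expirationSeconds: 3600
          # API server CA so the sidecar can verify the endpoint; the
          # kube-root-ca.crt ConfigMap exists in every namespace.
          - configMap:
              name: kube-root-ca.crt
              items:
                - key: ca.crt
                  path: ca.crt
```

The sidecar must re-read /var/run/secrets/tokens/token periodically (the official client libraries do this) rather than caching it once, otherwise it breaks at rotation.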
  23. Web Application Firewall (WAF)
      • helps you to further secure your application
      • most of them enforce the OWASP Top 10 by default
        • https://owasp.org/www-project-top-ten
      • implement further rules based on your needs
      • put it in front of your workload as
        • a dedicated WAF
        • part of your Ingress Controller
          • not more than 5 lines to get started with Ingress Nginx
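As an added example (not from the slides) of the "not more than 5 lines" option: ModSecurity with the OWASP Core Rule Set enabled on a single Ingress through ingress-nginx annotations. It assumes an ingress-nginx build that ships ModSecurity and a controller with snippet annotations allowed (`allow-snippet-annotations` in its ConfigMap); host, names and namespace are placeholders.

```yaml
# Added example: per-Ingress WAF via ingress-nginx annotations.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: frontend          # assumed name
  namespace: team-a       # assumed namespace
  annotations:
    nginx.ingress.kubernetes.io/enable-modsecurity: "true"
    nginx.ingress.kubernetes.io/enable-owasp-core-rules: "true"
    # The shipped ModSecurity config runs in DetectionOnly mode, which
    # only logs matches. "SecRuleEngine On" makes CRS hits block the
    # request; SecRequestBodyAccess lets the rules inspect POST bodies.
    nginx.ingress.kubernetes.io/modsecurity-snippet: |
      SecRuleEngine On
      SecRequestBodyAccess On
spec:
  ingressClassName: nginx
  rules:
    - host: frontend.example.com   # placeholder host
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: frontend
                port:
                  number: 8080
```

Roll it out in DetectionOnly first and review the ModSecurity audit log for false positives on your application before switching the engine to On, then add exclusions as further rules rather than loosening the whole rule set.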
  24. Don't miss your running workload
      • while shifting left, don't miss the running workload
      • you have multiple options
        • run Trivy Operator
          • https://github.com/aquasecurity/trivy-operator
        • or run Trivy regularly in your cluster with Estafette
          • https://github.com/estafette/estafette-vulnerability-scanner
        • or with the Jetstack version checker
          • https://github.com/jetstack/version-checker
  25. Links & further details
      • there are many more projects
      • we have shown only a very small portion
      • "Hijack Kubernetes" demo
        • https://github.com/nmeisenzahl/hijack-kubernetes
  26. Questions?
