SlideShare a Scribd company logo
1 of 39
Download to read offline
London | 14-15 November 2019
How to Secure OpenShift Environments
and What Happens If You Don´t
JAN HARRIE
@NodyTweet
London | 14-15 November 2019
$ whoami – Jan Harrie
• Security Consultant @ERNW GmbH
• Former Security Analyst/Pentester/WebApp-
Monkey/Social-Engineer
• M.Sc. IT-Security TU Darmstadt
• Research // Interests:
• K8s on-prem solutions
• Cluster extensions
• Gardening
@NodyTweet
@NodyTweet
London | 14-15 November 2019
Agenda
1. OpenShift & Kubernetes – Introduction & Differences
2. Cluster Threats
3. (In-)Security of Clusters
4. Conclusion & Future Work
@NodyTweet
London | 14-15 November 2019
OpenShift & Kubernetes –
Introduction & Differences
@NodyTweet
London | 14-15 November 2019
Introduction OpenShift
• (On-Premise) Container Execution Platform from RedHat
• First Release 05/2011
• Current Stable Release: 4.2 (11/2019)
• Host Operation System is RedHat Enterprise Linux and Container Linux from
CoreOS
• Since Version 3 with K8s under the hood
• Since Version 4 Based on CRI-O, previously Docker
• OKD Community Version, e.g., CentOS
• Current Stable Release (10/2018): v3.11
• Builds on K8s 1.11
@NodyTweet
London | 14-15 November 2019
OpenShift vs. K8s – Differences
Kubernetes
• Role Based Access Control
• Namespaces
• Resource Limits
• Security Context
• Network Policies
• Pod Security Policies
OpenShift
• Image Streams
• Application Catalogue
• User Management
• Templates
• Revision History
• Security Context Constraints
@NodyTweet
London | 14-15 November 2019
Cluster Threats
@NodyTweet
London | 14-15 November 2019
Cluster Threats
What kind of threat model exist
for a cluster?
@NodyTweet
London | 14-15 November 2019
Cluster Threats
External Attacker
• (Only) Access to Offered
Services
• No API Access
• No Cluster-Insights Knowledge
• Maybe public knowledge from
DockerHub and Quay or GitHub
ETCD
Master
Worker
Container
@NodyTweet
London | 14-15 November 2019
Cluster Threats
Internal Attacker
• API Access
• Control over Images and
Deployments
• Access to Code Repositories
• Internal Cluster Knowledge
ETCD
Master
Worker
Container
@NodyTweet
London | 14-15 November 2019
Internal are External Attackers one Step ahead
ETCD
Master
Worker
Container
@NodyTweet
London | 14-15 November 2019
Internal are External Attackers one Step ahead
Internal Attacker
• API Access
• Control over Images and
Deployments
• Access to Code Repositories
• “Cluster Internal Knowledge”
ETCD
Master
Worker
Container
@NodyTweet
London | 14-15 November 2019
(In-)Security of Clusters
@NodyTweet
London | 14-15 November 2019
(In-)Security of the Cluster
User management
Role Based Access Control (RBAC)
Service Accounts (SA’s)
A dive into Security Context Constraints (SCC’s)
Network Security
Source: KubeCon NA 2017 by Brad Geesaman [7]
@NodyTweet
London | 14-15 November 2019
(In-)Security of the Cluster
User management
Role Based Access Control (RBAC)
Service Accounts (SA’s)
A dive into Security Context Constraints (SCC’s)
Network Security
Source: KubeCon NA 2017 by Brad Geesaman [7]
@NodyTweet
London | 14-15 November 2019
(In-)Security of the Cluster
User Management
Network Security
A dive into Security Context Constraints (SCC’s)
@NodyTweet
London | 14-15 November 2019
(In-)Security of the Cluster
User Management
Network Security
A dive into Security Context Constraints (SCC’s)
@NodyTweet
London | 14-15 November 2019
User Management in OpenShift
OpenShift offers integration into multiple Identity Provider (IdP)
→ E.g., HTPasswd, Keystone, LDAP authentication, Basic authentication (remote), Request header, GitHub, GitLab, Google,
OpenID connect ; one IdP configureable
→ Implicit: mappingMethod: claim, Explicit: mappingMethod: lookup
Identities are Mapped to User in the Cluster
→ Identities are bases on the IdP, while a User is an Objects in the Cluster
Users can be organized in Groups
→ LDAP sync and manual assignment possible
“True User Removal” only possible in the IdP
→ Manual deleted Users and Identities are re-created on next login.
@NodyTweet
London | 14-15 November 2019
Role Based Access Control
A lot of default cluster-roles are shipped with OpenShift
→ Introduction of new roles is recommended rather then adjustment
→ Modification may lead to broken functionality
Authenticated User:
→ Implicit association with virtual group system:authenticated // system:authenticated:oauth
→ What does this mean?
Demo 1: https://asciinema.org/a/281016
@NodyTweet
London | 14-15 November 2019
What can probably go wrong?
If IdP Is wrong configured:
→ Users can deploy workload in the cluster
and
→ Inspection of resolv.conf of the Pods:
$ cat /etc/resolv.conf
nameserver 172.30.0.2
search user1-p0.svc.cluster.local svc.cluster.local cluster.local
options ndots:5
Demo 2: https://asciinema.org/a/281704
@NodyTweet
London | 14-15 November 2019
Mitigation Strategy
• Patch the Cluster Role:
$ oc adm policy remove-cluster-role-from-group self-provisioner system:authenticated
clusterrolebinding.rbac.authorization.k8s.io/self-provisioners patched
$ oc login -u user1
$ oc new-project user1-p1
Error from server (Forbidden): You may not request a new project via this API.
• Define DNS policy per Pod [12]
@NodyTweet
London | 14-15 November 2019
(In-)Security of Clusters
User Management
Network Security
A dive into Security Context Constraints (SCC’s)
@NodyTweet
London | 14-15 November 2019
Network Security
Software Defined Networking build on Open vSwitch
• Master-Nodes do not participate in the Cluster Network
• Each Node gets its own Class-C network for the Pods assigned
• Overlay communication via VXLAN
• Integration of other Hosts into the cluster network by:
• Host as an OpenShift node
• Creating a VXLAN tunnel
Three plugins available:
• Open vSwitch Subnet
• Open vSwitch Multitenant
• Open vSwitch Networkpolicy
@NodyTweet
London | 14-15 November 2019
Network Security – Open vSwitch Subnet
Configuration of Open vSwitch Subnet is not recommended
→ Cross project communication is possible
Demo 3: https://asciinema.org/a/280323
@NodyTweet
London | 14-15 November 2019
Network Security – Open vSwitch Multitenant
Setup Plugin Open vSwitch Multitenannt to “prevent” cross-project communication
• Each Project get ist own Virtual Network ID (VNID)
• Communication between different projects prohibit.
• Projects can be joined together
BUT !
• Separation on Namespace-Level
• Projects with VNID 0 are more privileged
• The project default has VNID 0
Side reference: TR19 – VXLAN Security or Injection [8]
@NodyTweet
London | 14-15 November 2019
Network Security – Open vSwitch
Networkpolicy
Alternatively: stick to ovs-networkpolicy which allows you to
deploy NetworkPolicies, and bock all ingress traffic [9] and add
explicit whitelistings.
Further more, the plugin allows White- an Black-Listing on
Layer3 [10] with CIDR notation or DNS
Configuration of Egress IP’s and Egress Proxies is possible [11]
https://twitter.com/JackKleeman/status/1190354757308862468
kind: NetworkPolicy
metadata:
name: default-deny
spec:
podSelector: {}
policyTypes:
- Ingress
@NodyTweet
London | 14-15 November 2019
(In-)Security of Clusters
User Management
Network Security
A dive into Security Context Constraints (SCC’s)
@NodyTweet
London | 14-15 November 2019
Security Context Constraints
• Introduced by release 3.0 (05/2015)
• Secure Context Constraints (SCC’s) is for Pods what RBAC is for the SAs
• Restrict execution of Pods
• Created by Cluster Administrator and assigned to Service Account
• Default SCC is ‘restricted’
@NodyTweet
London | 14-15 November 2019
Security Context Constraints
Predefines Profiles
$ oc get scc
NAME PRIV CAPS SELINUX RUNASUSER [...]
anyuid false [] MustRunAs RunAsAny [...]
hostaccess false [] MustRunAs MustRunAsRange [...]
hostmount-anyuid false [] MustRunAs RunAsAny [...]
hostnetwork false [] MustRunAs MustRunAsRange [...]
nonroot false [] MustRunAs MustRunAsNonRoot [...]
privileged true [*] RunAsAny RunAsAny [...]
restricted false [] MustRunAs MustRunAsRange [...]
@NodyTweet
London | 14-15 November 2019
Security Context Constraints
Predefines Profiles – that allow privileged
$ oc get scc
NAME PRIV CAPS SELINUX RUNASUSER [...]
anyuid false [] MustRunAs RunAsAny [...]
hostaccess false [] MustRunAs MustRunAsRange [...]
hostmount-anyuid false [] MustRunAs RunAsAny [...]
hostnetwork false [] MustRunAs MustRunAsRange [...]
nonroot false [] MustRunAs MustRunAsNonRoot [...]
privileged true [*] RunAsAny RunAsAny [...]
restricted false [] MustRunAs MustRunAsRange [...]
Demo 4: https://asciinema.org/a/280383
@NodyTweet
London | 14-15 November 2019
Security Context Constraints
Predefines Profiles – that allow hostPath, hostIPC, hostPID
$ oc get scc
NAME PRIV CAPS SELINUX RUNASUSER [...]
anyuid false [] MustRunAs RunAsAny [...]
hostaccess false [] MustRunAs MustRunAsRange [...]
hostmount-anyuid false [] MustRunAs RunAsAny [...]
hostnetwork false [] MustRunAs MustRunAsRange [...]
nonroot false [] MustRunAs MustRunAsNonRoot [...]
privileged true [*] RunAsAny RunAsAny [...]
restricted false [] MustRunAs MustRunAsRange [...]
Demo 5: https://asciinema.org/a/280388
@NodyTweet
London | 14-15 November 2019
Security Context Constraints
Predefines Profiles – that allow root in container
$ oc get scc
NAME PRIV CAPS SELINUX RUNASUSER [...]
anyuid false [] MustRunAs RunAsAny [...]
hostaccess false [] MustRunAs MustRunAsRange [...]
hostmount-anyuid false [] MustRunAs RunAsAny [...]
hostnetwork false [] MustRunAs MustRunAsRange [...]
nonroot false [] MustRunAs MustRunAsNonRoot [...]
privileged true [*] RunAsAny RunAsAny [...]
restricted false [] MustRunAs MustRunAsRange [...]
@NodyTweet
London | 14-15 November 2019
Security Context Constraints
Predefines Profiles – available
$ oc get scc
NAME PRIV CAPS SELINUX RUNASUSER [...]
anyuid false [] MustRunAs RunAsAny [...]
hostaccess false [] MustRunAs MustRunAsRange [...]
hostmount-anyuid false [] MustRunAs RunAsAny [...]
hostnetwork false [] MustRunAs MustRunAsRange [...]
nonroot false [] MustRunAs MustRunAsNonRoot [...]
privileged true [*] RunAsAny RunAsAny [...]
restricted false [] MustRunAs MustRunAsRange [...]
@NodyTweet
London | 14-15 November 2019
Security Context Constraints
Predefines Profiles – available
$ oc get scc
NAME PRIV CAPS SELINUX RUNASUSER [...]
anyuid false [] MustRunAs RunAsAny [...]
hostaccess false [] MustRunAs MustRunAsRange [...]
hostmount-anyuid false [] MustRunAs RunAsAny [...]
hostnetwork false [] MustRunAs MustRunAsRange [...]
nonroot false [] MustRunAs MustRunAsNonRoot [...]
privileged true [*] RunAsAny RunAsAny [...]
restricted false [] MustRunAs MustRunAsRange [...]
@NodyTweet
London | 14-15 November 2019
Security Context Constraints – Summary
• Integration of SELinux is great benefit
• Do not use existing Security Context Constraints except:
• restricted
• nonroot
• Create dedicated SCC’s with least privilege principle if necessary
Demo 6: https://asciinema.org/a/280392
Source: [13]
@NodyTweet
London | 14-15 November 2019
Conclusion & Future Work
@NodyTweet
London | 14-15 November 2019
Conclusion & Future Work
• OpenShift raises the bar by it’s defaults, but must be further adjusted
• Quick releases with feature extension/adjustment challenges the security
research
• Multiple components are dedicated developed by RedHat and are not
spread for the community
• OpenShift 4.2 is already available and components have been refactored
and, new features and concepts are available
@NodyTweet
London | 14-15 November 2019
Thanks for you Attention
and take care of your
defaults ;)
@NodyTweet
London | 14-15 November 2019
References
[1] https://blog.openshift.com/introducing-red-hat-openshift-4-2-developers-get-an-expanded-and-improved-toolbox/
[2] https://twitter.com/bradgeesaman/status/1188541320626921473
[3] https://blog.openshift.com/red-hat-chose-kubernetes-openshift/
[4]https://kubernetes.io/blog/2015/04/borg-predecessor-to-kubernetes/
[5] https://ai.google/research/pubs/pub43438
[6] https://twitter.com/iancoldwater/status/1174793280011325456
[7] https://goo.gl/TNRxtd
[8] https://troopers.de/downloads/troopers19/TROOPERS19_AR_VXLAN_Security.pdf
[9] https://kubernetes.io/docs/concepts/services-networking/network-policies/#default-deny-all-ingress-traffic
[10] https://docs.openshift.com/container-platform/3.11/admin_guide/managing_networking.html#admin-guide-limit-pod-access-egress
[11] https://docs.openshift.com/container-platform/3.11/admin_guide/managing_networking.html#admin-guide-limit-pod-access-egress-
router
[12] https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy
[13] https://cookbook.openshift.org/users-and-role-based-access-control/how-can-i-enable-an-image-to-run-as-a-set-user-id.html

More Related Content

What's hot

Microservices Training | Microservices Docker Example | Microservices Tutoria...
Microservices Training | Microservices Docker Example | Microservices Tutoria...Microservices Training | Microservices Docker Example | Microservices Tutoria...
Microservices Training | Microservices Docker Example | Microservices Tutoria...Edureka!
 
Ivan Jovanovic - Micro Frontends - Codemotion Rome_2019
Ivan Jovanovic - Micro Frontends - Codemotion Rome_2019Ivan Jovanovic - Micro Frontends - Codemotion Rome_2019
Ivan Jovanovic - Micro Frontends - Codemotion Rome_2019Codemotion
 
Api Gateway - What's the use of an api gateway?
Api Gateway - What's the use of an api gateway?Api Gateway - What's the use of an api gateway?
Api Gateway - What's the use of an api gateway?inovia
 
Multi-tenant web applications with ASP.NET Core
Multi-tenant web applications with ASP.NET CoreMulti-tenant web applications with ASP.NET Core
Multi-tenant web applications with ASP.NET CoreGunnar Peipman
 
ITCamp 2018 - Gunnar Peipman - Multi-tenant web applications with ASP.NET Core
ITCamp 2018 - Gunnar Peipman - Multi-tenant web applications with ASP.NET CoreITCamp 2018 - Gunnar Peipman - Multi-tenant web applications with ASP.NET Core
ITCamp 2018 - Gunnar Peipman - Multi-tenant web applications with ASP.NET CoreITCamp
 
Role of edge gateways in relation to service mesh adoption
Role of edge gateways in relation to service mesh adoptionRole of edge gateways in relation to service mesh adoption
Role of edge gateways in relation to service mesh adoptionChristian Posta
 
Cloud Native Middleware Microservices - Lessons Learned with Docker, Kubernet...
Cloud Native Middleware Microservices - Lessons Learned with Docker, Kubernet...Cloud Native Middleware Microservices - Lessons Learned with Docker, Kubernet...
Cloud Native Middleware Microservices - Lessons Learned with Docker, Kubernet...Kai Wähner
 
Web of Things Book Launch
Web of Things Book LaunchWeb of Things Book Launch
Web of Things Book LaunchVlad Trifa
 
apidays LIVE Paris - Multicluster Service Mesh in Action by Denis Jannot
apidays LIVE Paris - Multicluster Service Mesh in Action by Denis Jannotapidays LIVE Paris - Multicluster Service Mesh in Action by Denis Jannot
apidays LIVE Paris - Multicluster Service Mesh in Action by Denis Jannotapidays
 
ITCamp 2017 - Laurent Ellerbach - Bot. You said bot? Let's build a bot then...
ITCamp 2017 - Laurent Ellerbach - Bot. You said bot? Let's build a bot then...ITCamp 2017 - Laurent Ellerbach - Bot. You said bot? Let's build a bot then...
ITCamp 2017 - Laurent Ellerbach - Bot. You said bot? Let's build a bot then...ITCamp
 
Micro frontend architecture_presentation_ssoni
Micro frontend architecture_presentation_ssoniMicro frontend architecture_presentation_ssoni
Micro frontend architecture_presentation_ssoniSandeep Soni
 
Get the Exact Identity Solution You Need - In the Cloud - Overview
Get the Exact Identity Solution You Need - In the Cloud - OverviewGet the Exact Identity Solution You Need - In the Cloud - Overview
Get the Exact Identity Solution You Need - In the Cloud - OverviewForgeRock
 
XBOM On Hyperledger Fabric Overview
XBOM On Hyperledger Fabric OverviewXBOM On Hyperledger Fabric Overview
XBOM On Hyperledger Fabric OverviewPrasaga
 
Buzzwords: Microservices, containers and serverless - real life applications ...
Buzzwords: Microservices, containers and serverless - real life applications ...Buzzwords: Microservices, containers and serverless - real life applications ...
Buzzwords: Microservices, containers and serverless - real life applications ...drnugent
 
Bluemix overview with Internet of Things
Bluemix overview with Internet of ThingsBluemix overview with Internet of Things
Bluemix overview with Internet of ThingsEric Cattoir
 
Monoliths, Myths, and Microservices
Monoliths, Myths, and MicroservicesMonoliths, Myths, and Microservices
Monoliths, Myths, and MicroservicesMichael Ducy
 
[WSO2 API Day Dallas 2019] Cloud-native Integration for the Enterprise
[WSO2 API Day Dallas 2019] Cloud-native Integration for the Enterprise[WSO2 API Day Dallas 2019] Cloud-native Integration for the Enterprise
[WSO2 API Day Dallas 2019] Cloud-native Integration for the EnterpriseWSO2
 

What's hot (20)

Microservices Training | Microservices Docker Example | Microservices Tutoria...
Microservices Training | Microservices Docker Example | Microservices Tutoria...Microservices Training | Microservices Docker Example | Microservices Tutoria...
Microservices Training | Microservices Docker Example | Microservices Tutoria...
 
Ivan Jovanovic - Micro Frontends - Codemotion Rome_2019
Ivan Jovanovic - Micro Frontends - Codemotion Rome_2019Ivan Jovanovic - Micro Frontends - Codemotion Rome_2019
Ivan Jovanovic - Micro Frontends - Codemotion Rome_2019
 
ThingStudio_persys17
ThingStudio_persys17ThingStudio_persys17
ThingStudio_persys17
 
Api Gateway - What's the use of an api gateway?
Api Gateway - What's the use of an api gateway?Api Gateway - What's the use of an api gateway?
Api Gateway - What's the use of an api gateway?
 
Multi-tenant web applications with ASP.NET Core
Multi-tenant web applications with ASP.NET CoreMulti-tenant web applications with ASP.NET Core
Multi-tenant web applications with ASP.NET Core
 
ITCamp 2018 - Gunnar Peipman - Multi-tenant web applications with ASP.NET Core
ITCamp 2018 - Gunnar Peipman - Multi-tenant web applications with ASP.NET CoreITCamp 2018 - Gunnar Peipman - Multi-tenant web applications with ASP.NET Core
ITCamp 2018 - Gunnar Peipman - Multi-tenant web applications with ASP.NET Core
 
Role of edge gateways in relation to service mesh adoption
Role of edge gateways in relation to service mesh adoptionRole of edge gateways in relation to service mesh adoption
Role of edge gateways in relation to service mesh adoption
 
The user s identities
The user s identitiesThe user s identities
The user s identities
 
Cloud Native Middleware Microservices - Lessons Learned with Docker, Kubernet...
Cloud Native Middleware Microservices - Lessons Learned with Docker, Kubernet...Cloud Native Middleware Microservices - Lessons Learned with Docker, Kubernet...
Cloud Native Middleware Microservices - Lessons Learned with Docker, Kubernet...
 
1 billion thngs at a time
1 billion thngs at a time1 billion thngs at a time
1 billion thngs at a time
 
Web of Things Book Launch
Web of Things Book LaunchWeb of Things Book Launch
Web of Things Book Launch
 
apidays LIVE Paris - Multicluster Service Mesh in Action by Denis Jannot
apidays LIVE Paris - Multicluster Service Mesh in Action by Denis Jannotapidays LIVE Paris - Multicluster Service Mesh in Action by Denis Jannot
apidays LIVE Paris - Multicluster Service Mesh in Action by Denis Jannot
 
ITCamp 2017 - Laurent Ellerbach - Bot. You said bot? Let's build a bot then...
ITCamp 2017 - Laurent Ellerbach - Bot. You said bot? Let's build a bot then...ITCamp 2017 - Laurent Ellerbach - Bot. You said bot? Let's build a bot then...
ITCamp 2017 - Laurent Ellerbach - Bot. You said bot? Let's build a bot then...
 
Micro frontend architecture_presentation_ssoni
Micro frontend architecture_presentation_ssoniMicro frontend architecture_presentation_ssoni
Micro frontend architecture_presentation_ssoni
 
Get the Exact Identity Solution You Need - In the Cloud - Overview
Get the Exact Identity Solution You Need - In the Cloud - OverviewGet the Exact Identity Solution You Need - In the Cloud - Overview
Get the Exact Identity Solution You Need - In the Cloud - Overview
 
XBOM On Hyperledger Fabric Overview
XBOM On Hyperledger Fabric OverviewXBOM On Hyperledger Fabric Overview
XBOM On Hyperledger Fabric Overview
 
Buzzwords: Microservices, containers and serverless - real life applications ...
Buzzwords: Microservices, containers and serverless - real life applications ...Buzzwords: Microservices, containers and serverless - real life applications ...
Buzzwords: Microservices, containers and serverless - real life applications ...
 
Bluemix overview with Internet of Things
Bluemix overview with Internet of ThingsBluemix overview with Internet of Things
Bluemix overview with Internet of Things
 
Monoliths, Myths, and Microservices
Monoliths, Myths, and MicroservicesMonoliths, Myths, and Microservices
Monoliths, Myths, and Microservices
 
[WSO2 API Day Dallas 2019] Cloud-native Integration for the Enterprise
[WSO2 API Day Dallas 2019] Cloud-native Integration for the Enterprise[WSO2 API Day Dallas 2019] Cloud-native Integration for the Enterprise
[WSO2 API Day Dallas 2019] Cloud-native Integration for the Enterprise
 

Similar to DevSecCon London 2019: How to Secure OpenShift Environments and What Happens If You Don’t

PRO TALK - Kubernetes Security Workshop.pdf
PRO TALK - Kubernetes Security Workshop.pdfPRO TALK - Kubernetes Security Workshop.pdf
PRO TALK - Kubernetes Security Workshop.pdfAvinashDesireddy
 
Kubernetes Security Workshop
Kubernetes Security WorkshopKubernetes Security Workshop
Kubernetes Security WorkshopMirantis
 
Microservices and containers networking: Contiv, an industry leading open sou...
Microservices and containers networking: Contiv, an industry leading open sou...Microservices and containers networking: Contiv, an industry leading open sou...
Microservices and containers networking: Contiv, an industry leading open sou...Codemotion
 
Introducing Pico - A Deep Learning Platform using Docker & IoT - Sangam Biradar
Introducing Pico - A Deep Learning Platform using Docker & IoT - Sangam BiradarIntroducing Pico - A Deep Learning Platform using Docker & IoT - Sangam Biradar
Introducing Pico - A Deep Learning Platform using Docker & IoT - Sangam Biradarsangam biradar
 
Three Years of Lessons Running Potentially Malicious Code Inside Containers
Three Years of Lessons Running Potentially Malicious Code Inside ContainersThree Years of Lessons Running Potentially Malicious Code Inside Containers
Three Years of Lessons Running Potentially Malicious Code Inside ContainersBen Hall
 
Vbrownbag container networking for real workloads
Vbrownbag container networking for real workloadsVbrownbag container networking for real workloads
Vbrownbag container networking for real workloadsCisco DevNet
 
Join Our Party: The Cloud Native Adventure Brigade (TCSW 2019)
Join Our Party: The Cloud Native Adventure Brigade (TCSW 2019)Join Our Party: The Cloud Native Adventure Brigade (TCSW 2019)
Join Our Party: The Cloud Native Adventure Brigade (TCSW 2019)bridgetkromhout
 
Security Patterns for Microservice Architectures - Oktane20
Security Patterns for Microservice Architectures - Oktane20Security Patterns for Microservice Architectures - Oktane20
Security Patterns for Microservice Architectures - Oktane20Matt Raible
 
Technical Introduction to IBM's Open Blockchain (OBC)
Technical Introduction to IBM's Open Blockchain (OBC)Technical Introduction to IBM's Open Blockchain (OBC)
Technical Introduction to IBM's Open Blockchain (OBC)Altoros
 
Introduction to OpenDaylight and Hydrogen, Learnings from the Year, What's Ne...
Introduction to OpenDaylight and Hydrogen, Learnings from the Year, What's Ne...Introduction to OpenDaylight and Hydrogen, Learnings from the Year, What's Ne...
Introduction to OpenDaylight and Hydrogen, Learnings from the Year, What's Ne...David Meyer
 
Security Patterns for Microservice Architectures - London Java Community 2020
Security Patterns for Microservice Architectures - London Java Community 2020Security Patterns for Microservice Architectures - London Java Community 2020
Security Patterns for Microservice Architectures - London Java Community 2020Matt Raible
 
Detecting Malicious Cloud Account Behavior: A Look at the New Native Platform...
Detecting Malicious Cloud Account Behavior: A Look at the New Native Platform...Detecting Malicious Cloud Account Behavior: A Look at the New Native Platform...
Detecting Malicious Cloud Account Behavior: A Look at the New Native Platform...Priyanka Aash
 
OpenStack Tokyo 2015: Connecting the Dots with Neutron
OpenStack Tokyo 2015: Connecting the Dots with NeutronOpenStack Tokyo 2015: Connecting the Dots with Neutron
OpenStack Tokyo 2015: Connecting the Dots with NeutronPhil Estes
 
ICS INtegration with Node-RED and Open Source
ICS INtegration with Node-RED and Open SourceICS INtegration with Node-RED and Open Source
ICS INtegration with Node-RED and Open SourceLetsConnect
 
Social Connections 14 - ICS Integration with Node-RED and Open Source
Social Connections 14 - ICS Integration with Node-RED and Open SourceSocial Connections 14 - ICS Integration with Node-RED and Open Source
Social Connections 14 - ICS Integration with Node-RED and Open SourcePaul Withers
 
Developer Day 2014 - 6 - open source iot - eclipse foundation
Developer Day 2014 - 6 - open source iot - eclipse foundationDeveloper Day 2014 - 6 - open source iot - eclipse foundation
Developer Day 2014 - 6 - open source iot - eclipse foundationThibault Cantegrel
 
CIW Lab with CoheisveFT: Get started in public cloud - Part 1 Cloud & Virtual...
CIW Lab with CoheisveFT: Get started in public cloud - Part 1 Cloud & Virtual...CIW Lab with CoheisveFT: Get started in public cloud - Part 1 Cloud & Virtual...
CIW Lab with CoheisveFT: Get started in public cloud - Part 1 Cloud & Virtual...Cohesive Networks
 

Similar to DevSecCon London 2019: How to Secure OpenShift Environments and What Happens If You Don’t (20)

PRO TALK - Kubernetes Security Workshop.pdf
PRO TALK - Kubernetes Security Workshop.pdfPRO TALK - Kubernetes Security Workshop.pdf
PRO TALK - Kubernetes Security Workshop.pdf
 
Kubernetes Security Workshop
Kubernetes Security WorkshopKubernetes Security Workshop
Kubernetes Security Workshop
 
Microservices and containers networking: Contiv, an industry leading open sou...
Microservices and containers networking: Contiv, an industry leading open sou...Microservices and containers networking: Contiv, an industry leading open sou...
Microservices and containers networking: Contiv, an industry leading open sou...
 
Framework for IoT Interoperability
Framework for IoT InteroperabilityFramework for IoT Interoperability
Framework for IoT Interoperability
 
Introducing Pico - A Deep Learning Platform using Docker & IoT - Sangam Biradar
Introducing Pico - A Deep Learning Platform using Docker & IoT - Sangam BiradarIntroducing Pico - A Deep Learning Platform using Docker & IoT - Sangam Biradar
Introducing Pico - A Deep Learning Platform using Docker & IoT - Sangam Biradar
 
Three Years of Lessons Running Potentially Malicious Code Inside Containers
Three Years of Lessons Running Potentially Malicious Code Inside ContainersThree Years of Lessons Running Potentially Malicious Code Inside Containers
Three Years of Lessons Running Potentially Malicious Code Inside Containers
 
Vbrownbag container networking for real workloads
Vbrownbag container networking for real workloadsVbrownbag container networking for real workloads
Vbrownbag container networking for real workloads
 
Join Our Party: The Cloud Native Adventure Brigade (TCSW 2019)
Join Our Party: The Cloud Native Adventure Brigade (TCSW 2019)Join Our Party: The Cloud Native Adventure Brigade (TCSW 2019)
Join Our Party: The Cloud Native Adventure Brigade (TCSW 2019)
 
Security Patterns for Microservice Architectures - Oktane20
Security Patterns for Microservice Architectures - Oktane20Security Patterns for Microservice Architectures - Oktane20
Security Patterns for Microservice Architectures - Oktane20
 
Technical Introduction to IBM's Open Blockchain (OBC)
Technical Introduction to IBM's Open Blockchain (OBC)Technical Introduction to IBM's Open Blockchain (OBC)
Technical Introduction to IBM's Open Blockchain (OBC)
 
Introduction to OpenDaylight and Hydrogen, Learnings from the Year, What's Ne...
Introduction to OpenDaylight and Hydrogen, Learnings from the Year, What's Ne...Introduction to OpenDaylight and Hydrogen, Learnings from the Year, What's Ne...
Introduction to OpenDaylight and Hydrogen, Learnings from the Year, What's Ne...
 
Security Patterns for Microservice Architectures - London Java Community 2020
Security Patterns for Microservice Architectures - London Java Community 2020Security Patterns for Microservice Architectures - London Java Community 2020
Security Patterns for Microservice Architectures - London Java Community 2020
 
Detecting Malicious Cloud Account Behavior: A Look at the New Native Platform...
Detecting Malicious Cloud Account Behavior: A Look at the New Native Platform...Detecting Malicious Cloud Account Behavior: A Look at the New Native Platform...
Detecting Malicious Cloud Account Behavior: A Look at the New Native Platform...
 
OpenStack Tokyo 2015: Connecting the Dots with Neutron
OpenStack Tokyo 2015: Connecting the Dots with NeutronOpenStack Tokyo 2015: Connecting the Dots with Neutron
OpenStack Tokyo 2015: Connecting the Dots with Neutron
 
Observability
ObservabilityObservability
Observability
 
Observability
ObservabilityObservability
Observability
 
ICS INtegration with Node-RED and Open Source
ICS INtegration with Node-RED and Open SourceICS INtegration with Node-RED and Open Source
ICS INtegration with Node-RED and Open Source
 
Social Connections 14 - ICS Integration with Node-RED and Open Source
Social Connections 14 - ICS Integration with Node-RED and Open SourceSocial Connections 14 - ICS Integration with Node-RED and Open Source
Social Connections 14 - ICS Integration with Node-RED and Open Source
 
Developer Day 2014 - 6 - open source iot - eclipse foundation
Developer Day 2014 - 6 - open source iot - eclipse foundationDeveloper Day 2014 - 6 - open source iot - eclipse foundation
Developer Day 2014 - 6 - open source iot - eclipse foundation
 
CIW Lab with CoheisveFT: Get started in public cloud - Part 1 Cloud & Virtual...
CIW Lab with CoheisveFT: Get started in public cloud - Part 1 Cloud & Virtual...CIW Lab with CoheisveFT: Get started in public cloud - Part 1 Cloud & Virtual...
CIW Lab with CoheisveFT: Get started in public cloud - Part 1 Cloud & Virtual...
 

More from DevSecCon

DevSecCon London 2019: Are Open Source Developers Security’s New Front Line?
DevSecCon London 2019: Are Open Source Developers Security’s New Front Line?DevSecCon London 2019: Are Open Source Developers Security’s New Front Line?
DevSecCon London 2019: Are Open Source Developers Security’s New Front Line?DevSecCon
 
DevSecCon London 2019: A Kernel of Truth: Intrusion Detection and Attestation...
DevSecCon London 2019: A Kernel of Truth: Intrusion Detection and Attestation...DevSecCon London 2019: A Kernel of Truth: Intrusion Detection and Attestation...
DevSecCon London 2019: A Kernel of Truth: Intrusion Detection and Attestation...DevSecCon
 
DevSecCon Seattle 2019: Decentralized Authorization - Implementing Fine Grain...
DevSecCon Seattle 2019: Decentralized Authorization - Implementing Fine Grain...DevSecCon Seattle 2019: Decentralized Authorization - Implementing Fine Grain...
DevSecCon Seattle 2019: Decentralized Authorization - Implementing Fine Grain...DevSecCon
 
DevSecCon Seattle 2019: Liquid Software as the real solution for the Sec in D...
DevSecCon Seattle 2019: Liquid Software as the real solution for the Sec in D...DevSecCon Seattle 2019: Liquid Software as the real solution for the Sec in D...
DevSecCon Seattle 2019: Liquid Software as the real solution for the Sec in D...DevSecCon
 
DevSecCon Seattle 2019: Fully Automated production deployments with HIPAA/HIT...
DevSecCon Seattle 2019: Fully Automated production deployments with HIPAA/HIT...DevSecCon Seattle 2019: Fully Automated production deployments with HIPAA/HIT...
DevSecCon Seattle 2019: Fully Automated production deployments with HIPAA/HIT...DevSecCon
 
DevSecCon Singapore 2019: Four years of reflection: How (not) to secure Web A...
DevSecCon Singapore 2019: Four years of reflection: How (not) to secure Web A...DevSecCon Singapore 2019: Four years of reflection: How (not) to secure Web A...
DevSecCon Singapore 2019: Four years of reflection: How (not) to secure Web A...DevSecCon
 
DevSecCon Singapore 2019: crypto jacking: An evolving threat for cloud contai...
DevSecCon Singapore 2019: crypto jacking: An evolving threat for cloud contai...DevSecCon Singapore 2019: crypto jacking: An evolving threat for cloud contai...
DevSecCon Singapore 2019: crypto jacking: An evolving threat for cloud contai...DevSecCon
 
DevSecCon Singapore 2019: Can "dev", "sec" and "ops" really coexist in the wi...
DevSecCon Singapore 2019: Can "dev", "sec" and "ops" really coexist in the wi...DevSecCon Singapore 2019: Can "dev", "sec" and "ops" really coexist in the wi...
DevSecCon Singapore 2019: Can "dev", "sec" and "ops" really coexist in the wi...DevSecCon
 
DevSecCon Singapore 2019: Workshop - Burp extension writing workshop
DevSecCon Singapore 2019: Workshop - Burp extension writing workshopDevSecCon Singapore 2019: Workshop - Burp extension writing workshop
DevSecCon Singapore 2019: Workshop - Burp extension writing workshopDevSecCon
 
DevSecCon Singapore 2019: Embracing Security - A changing DevOps landscape
DevSecCon Singapore 2019: Embracing Security - A changing DevOps landscapeDevSecCon Singapore 2019: Embracing Security - A changing DevOps landscape
DevSecCon Singapore 2019: Embracing Security - A changing DevOps landscapeDevSecCon
 
DevSecCon Singapore 2019: Web Services aren’t as secure as we think
DevSecCon Singapore 2019: Web Services aren’t as secure as we thinkDevSecCon Singapore 2019: Web Services aren’t as secure as we think
DevSecCon Singapore 2019: Web Services aren’t as secure as we thinkDevSecCon
 
DevSecCon Singapore 2019: An attacker's view of Serverless and GraphQL apps S...
DevSecCon Singapore 2019: An attacker's view of Serverless and GraphQL apps S...DevSecCon Singapore 2019: An attacker's view of Serverless and GraphQL apps S...
DevSecCon Singapore 2019: An attacker's view of Serverless and GraphQL apps S...DevSecCon
 
DevSecCon Singapore 2019: The journey of digital transformation through DevSe...
DevSecCon Singapore 2019: The journey of digital transformation through DevSe...DevSecCon Singapore 2019: The journey of digital transformation through DevSe...
DevSecCon Singapore 2019: The journey of digital transformation through DevSe...DevSecCon
 
DevSecCon Singapore 2019: Preventative Security for Kubernetes
DevSecCon Singapore 2019: Preventative Security for KubernetesDevSecCon Singapore 2019: Preventative Security for Kubernetes
DevSecCon Singapore 2019: Preventative Security for KubernetesDevSecCon
 
DevSecCon London 2018: Is your supply chain your achille's heel
DevSecCon London 2018: Is your supply chain your achille's heelDevSecCon London 2018: Is your supply chain your achille's heel
DevSecCon London 2018: Is your supply chain your achille's heelDevSecCon
 
DevSecCon London 2018: Get rid of these TLS certificates
DevSecCon London 2018: Get rid of these TLS certificatesDevSecCon London 2018: Get rid of these TLS certificates
DevSecCon London 2018: Get rid of these TLS certificatesDevSecCon
 
DevSecCon London 2018: Open DevSecOps
DevSecCon London 2018: Open DevSecOpsDevSecCon London 2018: Open DevSecOps
DevSecCon London 2018: Open DevSecOpsDevSecCon
 
DevSecCon London 2018: Building effective DevSecOps teams through role-playin...
DevSecCon London 2018: Building effective DevSecOps teams through role-playin...DevSecCon London 2018: Building effective DevSecOps teams through role-playin...
DevSecCon London 2018: Building effective DevSecOps teams through role-playin...DevSecCon
 
DevSecCon London 2018: Variant Analysis – A critical step in handling vulnera...
DevSecCon London 2018: Variant Analysis – A critical step in handling vulnera...DevSecCon London 2018: Variant Analysis – A critical step in handling vulnera...
DevSecCon London 2018: Variant Analysis – A critical step in handling vulnera...DevSecCon
 
DevSecCon London 2018: Lessons from the legion (the DevSecCon London Remix)
DevSecCon London 2018: Lessons from the legion (the DevSecCon London Remix)DevSecCon London 2018: Lessons from the legion (the DevSecCon London Remix)
DevSecCon London 2018: Lessons from the legion (the DevSecCon London Remix)DevSecCon
 

More from DevSecCon (20)

DevSecCon London 2019: Are Open Source Developers Security’s New Front Line?
DevSecCon London 2019: Are Open Source Developers Security’s New Front Line?DevSecCon London 2019: Are Open Source Developers Security’s New Front Line?
DevSecCon London 2019: Are Open Source Developers Security’s New Front Line?
 
DevSecCon London 2019: A Kernel of Truth: Intrusion Detection and Attestation...
DevSecCon London 2019: A Kernel of Truth: Intrusion Detection and Attestation...DevSecCon London 2019: A Kernel of Truth: Intrusion Detection and Attestation...
DevSecCon London 2019: A Kernel of Truth: Intrusion Detection and Attestation...
 
DevSecCon Seattle 2019: Decentralized Authorization - Implementing Fine Grain...
DevSecCon Seattle 2019: Decentralized Authorization - Implementing Fine Grain...DevSecCon Seattle 2019: Decentralized Authorization - Implementing Fine Grain...
DevSecCon Seattle 2019: Decentralized Authorization - Implementing Fine Grain...
 
DevSecCon Seattle 2019: Liquid Software as the real solution for the Sec in D...
DevSecCon Seattle 2019: Liquid Software as the real solution for the Sec in D...DevSecCon Seattle 2019: Liquid Software as the real solution for the Sec in D...
DevSecCon Seattle 2019: Liquid Software as the real solution for the Sec in D...
 
DevSecCon Seattle 2019: Fully Automated production deployments with HIPAA/HIT...
DevSecCon Seattle 2019: Fully Automated production deployments with HIPAA/HIT...DevSecCon Seattle 2019: Fully Automated production deployments with HIPAA/HIT...
DevSecCon Seattle 2019: Fully Automated production deployments with HIPAA/HIT...
 
DevSecCon Singapore 2019: Four years of reflection: How (not) to secure Web A...
DevSecCon Singapore 2019: Four years of reflection: How (not) to secure Web A...DevSecCon Singapore 2019: Four years of reflection: How (not) to secure Web A...
DevSecCon Singapore 2019: Four years of reflection: How (not) to secure Web A...
 
DevSecCon Singapore 2019: crypto jacking: An evolving threat for cloud contai...
DevSecCon Singapore 2019: crypto jacking: An evolving threat for cloud contai...DevSecCon Singapore 2019: crypto jacking: An evolving threat for cloud contai...
DevSecCon Singapore 2019: crypto jacking: An evolving threat for cloud contai...
 
DevSecCon Singapore 2019: Can "dev", "sec" and "ops" really coexist in the wi...
DevSecCon Singapore 2019: Can "dev", "sec" and "ops" really coexist in the wi...DevSecCon Singapore 2019: Can "dev", "sec" and "ops" really coexist in the wi...
DevSecCon Singapore 2019: Can "dev", "sec" and "ops" really coexist in the wi...
 
DevSecCon Singapore 2019: Workshop - Burp extension writing workshop
DevSecCon Singapore 2019: Workshop - Burp extension writing workshopDevSecCon Singapore 2019: Workshop - Burp extension writing workshop
DevSecCon Singapore 2019: Workshop - Burp extension writing workshop
 
DevSecCon Singapore 2019: Embracing Security - A changing DevOps landscape
DevSecCon Singapore 2019: Embracing Security - A changing DevOps landscapeDevSecCon Singapore 2019: Embracing Security - A changing DevOps landscape
DevSecCon Singapore 2019: Embracing Security - A changing DevOps landscape
 
DevSecCon Singapore 2019: Web Services aren’t as secure as we think
DevSecCon Singapore 2019: Web Services aren’t as secure as we thinkDevSecCon Singapore 2019: Web Services aren’t as secure as we think
DevSecCon Singapore 2019: Web Services aren’t as secure as we think
 
DevSecCon Singapore 2019: An attacker's view of Serverless and GraphQL apps S...
DevSecCon Singapore 2019: An attacker's view of Serverless and GraphQL apps S...DevSecCon Singapore 2019: An attacker's view of Serverless and GraphQL apps S...
DevSecCon Singapore 2019: An attacker's view of Serverless and GraphQL apps S...
 
DevSecCon Singapore 2019: The journey of digital transformation through DevSe...
DevSecCon Singapore 2019: The journey of digital transformation through DevSe...DevSecCon Singapore 2019: The journey of digital transformation through DevSe...
DevSecCon Singapore 2019: The journey of digital transformation through DevSe...
 
DevSecCon Singapore 2019: Preventative Security for Kubernetes
DevSecCon Singapore 2019: Preventative Security for KubernetesDevSecCon Singapore 2019: Preventative Security for Kubernetes
DevSecCon Singapore 2019: Preventative Security for Kubernetes
 
DevSecCon London 2018: Is your supply chain your achille's heel
DevSecCon London 2018: Is your supply chain your achille's heelDevSecCon London 2018: Is your supply chain your achille's heel
DevSecCon London 2018: Is your supply chain your achille's heel
 
DevSecCon London 2018: Get rid of these TLS certificates
DevSecCon London 2018: Get rid of these TLS certificatesDevSecCon London 2018: Get rid of these TLS certificates
DevSecCon London 2018: Get rid of these TLS certificates
 
DevSecCon London 2018: Open DevSecOps
DevSecCon London 2018: Open DevSecOpsDevSecCon London 2018: Open DevSecOps
DevSecCon London 2018: Open DevSecOps
 
DevSecCon London 2018: Building effective DevSecOps teams through role-playin...
DevSecCon London 2018: Building effective DevSecOps teams through role-playin...DevSecCon London 2018: Building effective DevSecOps teams through role-playin...
DevSecCon London 2018: Building effective DevSecOps teams through role-playin...
 
DevSecCon London 2018: Variant Analysis – A critical step in handling vulnera...
DevSecCon London 2018: Variant Analysis – A critical step in handling vulnera...DevSecCon London 2018: Variant Analysis – A critical step in handling vulnera...
DevSecCon London 2018: Variant Analysis – A critical step in handling vulnera...
 
DevSecCon London 2018: Lessons from the legion (the DevSecCon London Remix)
DevSecCon London 2018: Lessons from the legion (the DevSecCon London Remix)DevSecCon London 2018: Lessons from the legion (the DevSecCon London Remix)
DevSecCon London 2018: Lessons from the legion (the DevSecCon London Remix)
 

Recently uploaded

Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)Kaya Weers
 
React Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App FrameworkReact Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App FrameworkPixlogix Infotech
 
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)Mark Simos
 
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Mark Goldstein
 
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentPim van der Noll
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersNicole Novielli
 
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS:  6 Ways to Automate Your Data IntegrationBridging Between CAD & GIS:  6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integrationmarketing932765
 
Landscape Catalogue 2024 Australia-1.pdf
Landscape Catalogue 2024 Australia-1.pdfLandscape Catalogue 2024 Australia-1.pdf
Landscape Catalogue 2024 Australia-1.pdfAarwolf Industries LLC
 
QCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architecturesQCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architecturesBernd Ruecker
 
Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024TopCSSGallery
 
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...panagenda
 
Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...
Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...
Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...BookNet Canada
 
Generative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptxGenerative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptxfnnc6jmgwh
 
Kuma Meshes Part I - The basics - A tutorial
Kuma Meshes Part I - The basics - A tutorialKuma Meshes Part I - The basics - A tutorial
Kuma Meshes Part I - The basics - A tutorialJoão Esperancinha
 
A Glance At The Java Performance Toolbox
A Glance At The Java Performance ToolboxA Glance At The Java Performance Toolbox
A Glance At The Java Performance ToolboxAna-Maria Mihalceanu
 
Potential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsPotential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsRavi Sanghani
 
Testing tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesTesting tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesKari Kakkonen
 
Assure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyesAssure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyesThousandEyes
 
Microsoft 365 Copilot: How to boost your productivity with AI – Part two: Dat...
Microsoft 365 Copilot: How to boost your productivity with AI – Part two: Dat...Microsoft 365 Copilot: How to boost your productivity with AI – Part two: Dat...
Microsoft 365 Copilot: How to boost your productivity with AI – Part two: Dat...Nikki Chapple
 
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfpanagenda
 

Recently uploaded (20)

Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)
 
React Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App FrameworkReact Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App Framework
 
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
 
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
 
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software Developers
 
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS:  6 Ways to Automate Your Data IntegrationBridging Between CAD & GIS:  6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
 
Landscape Catalogue 2024 Australia-1.pdf
Landscape Catalogue 2024 Australia-1.pdfLandscape Catalogue 2024 Australia-1.pdf
Landscape Catalogue 2024 Australia-1.pdf
 
QCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architecturesQCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architectures
 
Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024
 
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
 
Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...
Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...
Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...
 
Generative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptxGenerative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptx
 
Kuma Meshes Part I - The basics - A tutorial
Kuma Meshes Part I - The basics - A tutorialKuma Meshes Part I - The basics - A tutorial
Kuma Meshes Part I - The basics - A tutorial
 
A Glance At The Java Performance Toolbox
A Glance At The Java Performance ToolboxA Glance At The Java Performance Toolbox
A Glance At The Java Performance Toolbox
 
Potential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsPotential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and Insights
 
Testing tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesTesting tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examples
 
Assure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyesAssure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyes
 
Microsoft 365 Copilot: How to boost your productivity with AI – Part two: Dat...
Microsoft 365 Copilot: How to boost your productivity with AI – Part two: Dat...Microsoft 365 Copilot: How to boost your productivity with AI – Part two: Dat...
Microsoft 365 Copilot: How to boost your productivity with AI – Part two: Dat...
 
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
 

DevSecCon London 2019: How to Secure OpenShift Environments and What Happens If You Don’t

  • 1. London | 14-15 November 2019 How to Secure OpenShift Environments and What Happens If You Don´t JAN HARRIE
  • 2. @NodyTweet London | 14-15 November 2019 $ whoami – Jan Harrie • Security Consultant @ERNW GmbH • Former Security Analyst/Pentester/WebApp- Monkey/Social-Engineer • M.Sc. IT-Security TU Darmstadt • Research // Interests: • K8s on-prem solutions • Cluster extensions • Gardening @NodyTweet
  • 3. @NodyTweet London | 14-15 November 2019 Agenda 1. OpenShift & Kubernetes – Introduction & Differences 2. Cluster Threats 3. (In-)Security of Clusters 4. Conclusion & Future Work
  • 4. @NodyTweet London | 14-15 November 2019 OpenShift & Kubernetes – Introduction & Differences
  • 5. @NodyTweet London | 14-15 November 2019 Introduction OpenShift • (On-Premise) Container Execution Platform from RedHat • First Release 05/2011 • Current Stable Release: 4.2 (11/2019) • Host Operation System is RedHat Enterprise Linux and Container Linux from CoreOS • Since Version 3 with K8s under the hood • Since Version 4 Based on CRI-O, previously Docker • OKD Community Version, e.g., CentOS • Current Stable Release (10/2018): v3.11 • Builds on K8s 1.11
  • 6. @NodyTweet London | 14-15 November 2019 OpenShift vs. K8s – Differences Kubernetes • Role Based Access Control • Namespaces • Resource Limits • Security Context • Network Policies • Pod Security Policies OpenShift • Image Streams • Application Catalogue • User Management • Templates • Revision History • Security Context Constraints
  • 7. @NodyTweet London | 14-15 November 2019 Cluster Threats
  • 8. @NodyTweet London | 14-15 November 2019 Cluster Threats What kind of threat model exist for a cluster?
  • 9. @NodyTweet London | 14-15 November 2019 Cluster Threats External Attacker • (Only) Access to Offered Services • No API Access • No Cluster-Insights Knowledge • Maybe public knowledge from DockerHub and Quay or GitHub ETCD Master Worker Container
  • 10. @NodyTweet London | 14-15 November 2019 Cluster Threats Internal Attacker • API Access • Control over Images and Deployments • Access to Code Repositories • Internal Cluster Knowledge ETCD Master Worker Container
  • 11. @NodyTweet London | 14-15 November 2019 Internal are External Attackers one Step ahead ETCD Master Worker Container
  • 12. @NodyTweet London | 14-15 November 2019 Internal are External Attackers one Step ahead Internal Attacker • API Access • Control over Images and Deployments • Access to Code Repositories • “Cluster Internal Knowledge” ETCD Master Worker Container
  • 13. @NodyTweet London | 14-15 November 2019 (In-)Security of Clusters
  • 14. @NodyTweet London | 14-15 November 2019 (In-)Security of the Cluster User management Role Based Access Control (RBAC) Service Accounts (SA’s) A dive into Security Context Constraints (SCC’s) Network Security Source: KubeCon NA 2017 by Brad Geesaman [7]
  • 15. @NodyTweet London | 14-15 November 2019 (In-)Security of the Cluster User management Role Based Access Control (RBAC) Service Accounts (SA’s) A dive into Security Context Constraints (SCC’s) Network Security Source: KubeCon NA 2017 by Brad Geesaman [7]
  • 16. @NodyTweet London | 14-15 November 2019 (In-)Security of the Cluster User Management Network Security A dive into Security Context Constraints (SCC’s)
  • 17. @NodyTweet London | 14-15 November 2019 (In-)Security of the Cluster User Management Network Security A dive into Security Context Constraints (SCC’s)
  • 18. @NodyTweet London | 14-15 November 2019 User Management in OpenShift OpenShift offers integration into multiple Identity Provider (IdP) → E.g., HTPasswd, Keystone, LDAP authentication, Basic authentication (remote), Request header, GitHub, GitLab, Google, OpenID connect ; one IdP configureable → Implicit: mappingMethod: claim, Explicit: mappingMethod: lookup Identities are Mapped to User in the Cluster → Identities are bases on the IdP, while a User is an Objects in the Cluster Users can be organized in Groups → LDAP sync and manual assignment possible “True User Removal” only possible in the IdP → Manual deleted Users and Identities are re-created on next login.
  • 19. @NodyTweet London | 14-15 November 2019 Role Based Access Control A lot of default cluster-roles are shipped with OpenShift → Introduction of new roles is recommended rather then adjustment → Modification may lead to broken functionality Authenticated User: → Implicit association with virtual group system:authenticated // system:authenticated:oauth → What does this mean? Demo 1: https://asciinema.org/a/281016
  • 20. @NodyTweet London | 14-15 November 2019 What can probably go wrong? If IdP Is wrong configured: → Users can deploy workload in the cluster and → Inspection of resolv.conf of the Pods: $ cat /etc/resolv.conf nameserver 172.30.0.2 search user1-p0.svc.cluster.local svc.cluster.local cluster.local options ndots:5 Demo 2: https://asciinema.org/a/281704
  • 21. @NodyTweet London | 14-15 November 2019 Mitigation Strategy • Patch the Cluster Role: $ oc adm policy remove-cluster-role-from-group self-provisioner system:authenticated clusterrolebinding.rbac.authorization.k8s.io/self-provisioners patched $ oc login -u user1 $ oc new-project user1-p1 Error from server (Forbidden): You may not request a new project via this API. • Define DNS policy per Pod [12]
  • 22. @NodyTweet London | 14-15 November 2019 (In-)Security of Clusters User Management Network Security A dive into Security Context Constraints (SCC’s)
  • 23. @NodyTweet London | 14-15 November 2019 Network Security Software Defined Networking build on Open vSwitch • Master-Nodes do not participate in the Cluster Network • Each Node gets its own Class-C network for the Pods assigned • Overlay communication via VXLAN • Integration of other Hosts into the cluster network by: • Host as an OpenShift node • Creating a VXLAN tunnel Three plugins available: • Open vSwitch Subnet • Open vSwitch Multitenant • Open vSwitch Networkpolicy
  • 24. @NodyTweet London | 14-15 November 2019 Network Security – Open vSwitch Subnet Configuration of Open vSwitch Subnet is not recommended → Cross project communication is possible Demo 3: https://asciinema.org/a/280323
  • 25. @NodyTweet London | 14-15 November 2019 Network Security – Open vSwitch Multitenant Setup Plugin Open vSwitch Multitenannt to “prevent” cross-project communication • Each Project get ist own Virtual Network ID (VNID) • Communication between different projects prohibit. • Projects can be joined together BUT ! • Separation on Namespace-Level • Projects with VNID 0 are more privileged • The project default has VNID 0 Side reference: TR19 – VXLAN Security or Injection [8]
  • 26. @NodyTweet London | 14-15 November 2019 Network Security – Open vSwitch Networkpolicy Alternatively: stick to ovs-networkpolicy which allows you to deploy NetworkPolicies, and bock all ingress traffic [9] and add explicit whitelistings. Further more, the plugin allows White- an Black-Listing on Layer3 [10] with CIDR notation or DNS Configuration of Egress IP’s and Egress Proxies is possible [11] https://twitter.com/JackKleeman/status/1190354757308862468 kind: NetworkPolicy metadata: name: default-deny spec: podSelector: {} policyTypes: - Ingress
  • 27. @NodyTweet London | 14-15 November 2019 (In-)Security of Clusters User Management Network Security A dive into Security Context Constraints (SCC’s)
  • 28. @NodyTweet London | 14-15 November 2019 Security Context Constraints • Introduced by release 3.0 (05/2015) • Secure Context Constraints (SCC’s) is for Pods what RBAC is for the SAs • Restrict execution of Pods • Created by Cluster Administrator and assigned to Service Account • Default SCC is ‘restricted’
  • 29. @NodyTweet London | 14-15 November 2019 Security Context Constraints Predefines Profiles $ oc get scc NAME PRIV CAPS SELINUX RUNASUSER [...] anyuid false [] MustRunAs RunAsAny [...] hostaccess false [] MustRunAs MustRunAsRange [...] hostmount-anyuid false [] MustRunAs RunAsAny [...] hostnetwork false [] MustRunAs MustRunAsRange [...] nonroot false [] MustRunAs MustRunAsNonRoot [...] privileged true [*] RunAsAny RunAsAny [...] restricted false [] MustRunAs MustRunAsRange [...]
  • 30. @NodyTweet London | 14-15 November 2019 Security Context Constraints Predefines Profiles – that allow privileged $ oc get scc NAME PRIV CAPS SELINUX RUNASUSER [...] anyuid false [] MustRunAs RunAsAny [...] hostaccess false [] MustRunAs MustRunAsRange [...] hostmount-anyuid false [] MustRunAs RunAsAny [...] hostnetwork false [] MustRunAs MustRunAsRange [...] nonroot false [] MustRunAs MustRunAsNonRoot [...] privileged true [*] RunAsAny RunAsAny [...] restricted false [] MustRunAs MustRunAsRange [...] Demo 4: https://asciinema.org/a/280383
  • 31. @NodyTweet London | 14-15 November 2019 Security Context Constraints Predefines Profiles – that allow hostPath, hostIPC, hostPID $ oc get scc NAME PRIV CAPS SELINUX RUNASUSER [...] anyuid false [] MustRunAs RunAsAny [...] hostaccess false [] MustRunAs MustRunAsRange [...] hostmount-anyuid false [] MustRunAs RunAsAny [...] hostnetwork false [] MustRunAs MustRunAsRange [...] nonroot false [] MustRunAs MustRunAsNonRoot [...] privileged true [*] RunAsAny RunAsAny [...] restricted false [] MustRunAs MustRunAsRange [...] Demo 5: https://asciinema.org/a/280388
  • 32. @NodyTweet London | 14-15 November 2019 Security Context Constraints Predefines Profiles – that allow root in container $ oc get scc NAME PRIV CAPS SELINUX RUNASUSER [...] anyuid false [] MustRunAs RunAsAny [...] hostaccess false [] MustRunAs MustRunAsRange [...] hostmount-anyuid false [] MustRunAs RunAsAny [...] hostnetwork false [] MustRunAs MustRunAsRange [...] nonroot false [] MustRunAs MustRunAsNonRoot [...] privileged true [*] RunAsAny RunAsAny [...] restricted false [] MustRunAs MustRunAsRange [...]
  • 33. @NodyTweet London | 14-15 November 2019 Security Context Constraints Predefines Profiles – available $ oc get scc NAME PRIV CAPS SELINUX RUNASUSER [...] anyuid false [] MustRunAs RunAsAny [...] hostaccess false [] MustRunAs MustRunAsRange [...] hostmount-anyuid false [] MustRunAs RunAsAny [...] hostnetwork false [] MustRunAs MustRunAsRange [...] nonroot false [] MustRunAs MustRunAsNonRoot [...] privileged true [*] RunAsAny RunAsAny [...] restricted false [] MustRunAs MustRunAsRange [...]
  • 34. @NodyTweet London | 14-15 November 2019 Security Context Constraints Predefines Profiles – available $ oc get scc NAME PRIV CAPS SELINUX RUNASUSER [...] anyuid false [] MustRunAs RunAsAny [...] hostaccess false [] MustRunAs MustRunAsRange [...] hostmount-anyuid false [] MustRunAs RunAsAny [...] hostnetwork false [] MustRunAs MustRunAsRange [...] nonroot false [] MustRunAs MustRunAsNonRoot [...] privileged true [*] RunAsAny RunAsAny [...] restricted false [] MustRunAs MustRunAsRange [...]
  • 35. @NodyTweet London | 14-15 November 2019 Security Context Constraints – Summary • Integration of SELinux is great benefit • Do not use existing Security Context Constraints except: • restricted • nonroot • Create dedicated SCC’s with least privilege principle if necessary Demo 6: https://asciinema.org/a/280392 Source: [13]
  • 36. @NodyTweet London | 14-15 November 2019 Conclusion & Future Work
  • 37. @NodyTweet London | 14-15 November 2019 Conclusion & Future Work • OpenShift raises the bar by it’s defaults, but must be further adjusted • Quick releases with feature extension/adjustment challenges the security research • Multiple components are dedicated developed by RedHat and are not spread for the community • OpenShift 4.2 is already available and components have been refactored and, new features and concepts are available
  • 38. @NodyTweet London | 14-15 November 2019 Thanks for you Attention and take care of your defaults ;)
  • 39. @NodyTweet London | 14-15 November 2019 References [1] https://blog.openshift.com/introducing-red-hat-openshift-4-2-developers-get-an-expanded-and-improved-toolbox/ [2] https://twitter.com/bradgeesaman/status/1188541320626921473 [3] https://blog.openshift.com/red-hat-chose-kubernetes-openshift/ [4]https://kubernetes.io/blog/2015/04/borg-predecessor-to-kubernetes/ [5] https://ai.google/research/pubs/pub43438 [6] https://twitter.com/iancoldwater/status/1174793280011325456 [7] https://goo.gl/TNRxtd [8] https://troopers.de/downloads/troopers19/TROOPERS19_AR_VXLAN_Security.pdf [9] https://kubernetes.io/docs/concepts/services-networking/network-policies/#default-deny-all-ingress-traffic [10] https://docs.openshift.com/container-platform/3.11/admin_guide/managing_networking.html#admin-guide-limit-pod-access-egress [11] https://docs.openshift.com/container-platform/3.11/admin_guide/managing_networking.html#admin-guide-limit-pod-access-egress- router [12] https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy [13] https://cookbook.openshift.org/users-and-role-based-access-control/how-can-i-enable-an-image-to-run-as-a-set-user-id.html