Karthik Gaekwad, profile picture
Uploaded byKarthik Gaekwad
PPTX, PDF429 views

DevSecOps in a cloudnative world

This document provides an overview of 10 tips for cloud native security when using Kubernetes. It discusses reducing the attack surface by securing hosts, container images, and the Kubernetes cluster. It also covers security features in Kubernetes like secrets, authentication and authorization, audit logging, network policies, and pod security policies. Finally, it recommends several open source tools for assessing security like Clair, Kube-bench, Kubesec, and Kubeaudit. The overall message is that security needs to be an ongoing process of evaluating risks and hardening the environment over time.

Embed presentation

Downloaded 24 times
1 10 Tips for Cloud Native Security Karthik Gaekwad Austin Developer Week 2018 DevSecOps in a Cloud Native World Karthik Gaekwad @iteration1 Devnet Create 2019
•I’m Karthik Gaekwad •NOT a DBA •Cloud Native Evangelist at Oracle Cloud •https://cloudnative.oracle.com/ •Past: Developer on the Oracle Managed Kubernetes Team Hello @iteration1 @iteration1
Hello • Been in Industry 15 years. • In general, I like building stuff with friends. • Maintainer for Gauntlt- Open source security scanner. • Love Teaching and building community. • Run Devopsdays Austin, Container Days, Cloud Austin. • Chair All Day Devops Cloud Native track. • LinkedIn Learning Author for Learning Kubernetes (and more). @iteration1
The Cloud Native Journey 4 Phase I Developer Focus Phase II DevOps Focus Phase III Business Focus (end-to-end) Container Adoption Application Deployment Intelligent Operations SpeedEfficiencyAgility Docker Kubernetes Core to Edge Developer adoption Dev/Test apps Simple orchestration Individual developers DevOps deployment Production apps Advanced orchestration Teams & lines of business End-to-end integration Digital business apps Serverless, DevSecOps, & ML Cloud native enterprises Focus Applications Automation Community @iteration1
CNCF Survey: August 2018 How Does Your Company Use Containers and Where? Lots of adoption on dev/staging Continued production increase @iteration1
CNCF Survey: August 2018 How Does Your Company Use Containers and Where? Adoption over public and on-prem @iteration1
Kubernetes Dominates Container Management Your company/organization manages containers with: Winner! Kubernetes @iteration1
Top 5 challenges to cloud native adoption… 0 5 10 15 20 25 30 35 40 45 Complexity Cultural Challenges Lack of Training Security Monitoring Percentages @iteration1
• Managing, maintaining, upgrading Kubernetes Control Plane • API Server, etcd, scheduler etc…. • Managing, maintaining, upgrading Kubernetes Data Plane • In place upgrades, deploy parallel cluster etc…. • Figuring out container networking & storage • Overlays, persistent storage etc… - it should just work • Managing Teams • How do I manage & control team access to my clusters? • Security, security, security 9 Kubernetes & Cloud Native Challenges Source: Oracle Customer Survey 2018 @iteration1
How Are Teams Addressing Complexity, Training Issues? App Management Upgrades & Patching Platform Backup & Recovery High Availability Scaling App Deployment Power, HVAC Rack and Stack Server Provisioning Software Installation Customer Managed Fully-Managed App Management Upgrades & Patching Platform Backup & Recovery High Availability Scaling App Deployment Power, HVAC Rack and Stack Server Provisioning Software Installation  Faster Time to Deploy  Lower Risk  Accelerate Innovation Fully managed Benefits YOU @iteration1
Which brings us to security…
Where no news, is good news!
Unsecured K8s dashboards • Unsecured Kubernetes Dashboard with account creds. • Used this to mine cryptocurrency. • 2017: Aviva • 2018: Tesla, Weight Watchers • https://redlock.io/blog/cryptojacking- tesla @iteration1
Kubelet credentials hack • Shopify: Server Side request Forgery • Get kubelet certs/private key • Root access to any container in part of infrastructure. • https://hackerone.com/reports/341876 @iteration1
CVE’s Happen… Even more relevant with increased production usage of containers… @iteration1
CVE’s Happen… Container Escaping Privilege Escalation @iteration1
@iteration1
@iteration1
@iteration1
How did we get here?
“Kubernetes is too complicated”
“Kubernetes is too complicated” “We hope it’ll get easier”
What is your strate
Let’s look at: •Attack Surface • More importantly, how to limit damage •Security related features in K8s • The more you know, the better you build •Opensource Tooling to help • Because we all need help
Attack Surface
Attack Surface Goal: Reduce the attack surface •Analysis for: •Host(s) •Container (Images and running) •Kubernetes Cluster @iteration1
Attack Surface: Host • These are the machines you’re running Kubernetes on. • Age old principles of Linux still apply: • Enable SELinux • AppArmor • Seccomp • Hardened Images • Goal: Minimize privilege to applications running on the host • Good news: Already a wealth of information on this subject! • http://lmgtfy.com/?q=how+to+reduce+attack+surface+linux @iteration1
Attack Surface: Container Images GOAL: Know your base image when building containers @iteration1
Attack Surface: Container Images GOAL: Know your base image when building containers **BTW, this is just a ruby helloworld app @iteration1
Attack Surface: Container Images GOAL: Know your base image when building containers Full disclosure: I’m karthequian; I created this as a ruby 101 container for learning purposes only @iteration1
Attack Surface: Container Images GOAL: Know your base image when building containers • When in doubt, stick to an official images! • Or start from a sane base image (example: alpine linux) @iteration1
Attack Surface: Container Images GOAL: Smaller the image, the better • Less things for an attacker to exploit. • Quicker to push, quicker to pull. @iteration1
Attack Surface: Container Images GOAL: Don’t rely on :latest tag • :latest image yesterday might not be :latest image tomorrow • Instead, you’d want to know what specific version you’re operating with. • Side benefit: If there is a new vulnerability announced for OS version x.y.z, you know immediately whether you’re running that version! @iteration1
Attack Surface: Container Images GOAL: Check for vulnerabilities periodically • Plenty of ways to do this in registries. We’ll cover more in the tooling section @iteration1
Attack Surface: Running Containers GOAL: Don’t run as root • Containers running as root might be completely unnecessary for the actual application. • If compromised, attacker can do a lot more things.. • Pod security policies can help (we’ll see how later). @iteration1
Attack Surface: Running Containers GOAL: Limit host mounts • Be wary of images that require broad access to paths on the host. • Limit your host mount to a smaller subset of directories. • Reduces blast radius on compromise. @iteration1
Attack Surface: Kubernetes Cluster
Kubernetes Cluster- TLS TLS ALL THE THINGS @iteration1
Kubernetes Cluster- TLS @iteration1
Kubernetes Cluster- TLS • TLS Checklist: 1. User and Master 2. Nodes and Master 3. Everything etcd @iteration1
CVE’s 41 GOAL: Have an upgrade strategy • Because…CVE’s are fixed in new minor versions. • Don’t treat K8s as “install once, run all the time”. • Make your K8s install repeatable for different versions. • ..Or use a Managed Provider. • Either automatically patch for you, or tell you what to do. @iteration1
We’re a little better off now. But what else to do?
K8s Features How can the platform help me make secure choices? @iteration1
K8s Features • Kubernetes Secrets • Authentication • Authorization • Audit Logging • Network Policies • Pod security policies • Open Policy Agent @iteration1
Kubernetes Secrets • GOAL: Use Kubernetes secrets to store sensitive data instead of config maps. • Also look at: secrets encryption provider. • Controls how etcd encrypts API data • --experimental-encryption-provider-config • https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/ @iteration1
Authentication and Authorization • Do you know how you are authenticating with Kubernetes? • Many ways to Authenticate • Client Certs • Static token file • Service Account tokens • OpenID • Webhook Mode • And more (https://kubernetes.io/docs/reference/access-authn-authz/authentication/) @iteration1
Whatever you do, DO NOT YOLO! Goal: Pick a strategy that fits your use case
You can pick an authz strategy.. If you DO NOT YOLO…
Authentication and Authorization https://kubernetes.io/docs/reference/acc ess-authn-authz/authorization/ @iteration1
Authentication and Authorization • Pro tip: Nobody uses ABAC anymore. Don’t be that guy…. • RBAC is the defacto standard • Based on roles and role bindings • Good set of defaults: https://github.com/uruddarraju/kubernetes-rbac-policies • Can use multiple authorizers together, but can get confusing. • 1st authorizer to authorize passes authz @iteration1
Kubernetes Cluster- Audit Logs • Wat? • “Kubernetes auditing provides a security-relevant chronological set of records documenting the sequence of activities that have affected system by individual users, administrators or other components of the system.” • Answers: What/when/who/where information on security events. • Your job: Periodically watch Kubernetes Audit logs • https://kubernetes.io/docs/tasks/debug-application-cluster/audit/ @iteration1
Kubernetes Cluster- Network Policies • Consider adding a network policy to the cluster… • Default Policy: All pods can talk to all other pods. • Consider limiting this with a Network Policy • https://kubernetes.io/docs/concepts/services-networking/network-policies/ @iteration1
Kubernetes Cluster- Pod Security Policies • Consider adding Pod Security policies • PodSecurityPolicy: A Defined set of conditions a pod must run with. • Think of this as authorization for pods. @iteration1
Kubernetes Cluster: Pod Security Policies https://kubernetes.io/docs/concepts/policy/pod-security-policy/#what-is-a-pod-security-policy Capability for an admin to control specific actions @iteration1
Open Policy Agent • Policy based control for your whole environment. • Full featured Policy Engine to offload policy decisions from each application/service. • Deploy OPA alongside your service • Add policy data to OPA’s store • Query OPA on decisions. • Great idea, still early, watch this space… • Standardize policies for all clusters • https://www.openpolicyagent.org/ 56@iteration1
ToolingOpensource Tooling
Keep tabs on the CNCF Security landscape https://landscape.cncf.io/landscape=security-complia
CNCF Projects • “The Update Framework” • Is a framework or a methodology. • Used for secure software updates. • Based on ideas surrounding trust and integrity. • Is a project. • Based on TUF. • A solution to secure software updates and distribution. • Used in Docker Trusted Registry. @iteration1
Clair • Open source project for the static analysis of vulnerabilities in containers. • Find vulnerable images in your repo. • Built into quay.io, but you can add to your own repo. • https://github.com/coreos/clair @iteration1
@iteration1
Harbor • Newer! CNCF Project • Registry product • Supports vulnerability scanning, image signing and identity control • Scope is larger than clair @iteration1
Harbor
Kube-bench • Checks whether a Kubernetes cluster is deployed according to security best practices. • Run this after creating your K8s cluster. • https://github.com/aquasecurity/kube-bench • Defined by the CIS Benchmarks Docs: https://www.cisecurity.org/cis- benchmarks/ • Run it against your Kubernetes Master, or Kubernetes node. @iteration1
Kube-bench example @iteration1
Kubesec • Helps you quantify risk for Kubernetes resources. • Run against your K8s applications (deployments/pods/daemonsets etc) • https://kubesec.io/ from controlplane • Can be used standalone, or as a kubectl plugin (https://github.com/stefanprodan/kubectl-kubesec) @iteration1
Kubesec example @iteration1
Kubeaudit • Opensourced from Shopify. • Auditing your applications in your K8s cluster. • https://github.com/Shopify/kubeaudit • Little more targeted than Kubesec. @iteration1
@iteration1
Kubeaudit example @iteration1
Put it all together… 71 @iteration1
Apply It! 72 • Day 1: • Know what version of Docker and Kubernetes you use. • Understand if your control and data plane nodes are hardened. • Understand how your Docker containers are built. • Find out how you authenticate and authorize for your clusters. @iteration1
Apply It! 73 •Week 1: •Build an Automation Pipeline: • To build Docker images on code pushes • Versioning strategy for code • To build your Kubernetes clusters @iteration1
Apply It! 74 •1st Month •Sanitize your code: • Know your base images • Implement versioning for your containers • Invest in a registry (or tooling) that does vulnerability scanning •Kubernetes: • Have an upgrade strategy in place • Analyze secrets/sensitive cluster data • Turn on audit logging @iteration1
Apply It! 75 • 3 Months: • Continuously Monitor • Tooling like Kubesec/Kube-audit • Plan how to address vulnerabilities/CVE’s • K8s: • Strategy for Pod Security Policies • Strategy for Network Policies • Run scans (like kube-bench) on cluster creation @iteration1
Apply It! 76 •6 Months: •Re-ask day 1 questions. •Review strategies- is it working? What needs tweaking? •Review tooling- are there new tools that help? Are existing tools working? •Review CVE’s @iteration1
Couple more resources to look at: • 11 ways not to get hacked: https://kubernetes.io/blog/2018/07/18/11-ways-not-to-get-hacked • K8s security (from Image Hygiene to Network Policy): https://speakerdeck.com/mhausenblas/kubernetes-security-from- image-hygiene-to-network-policies @iteration1
KEEP CALM AND KUBE ON @iteration1

More Related Content

PPTX
10 tips for Cloud Native Security
byKarthik Gaekwad
 
PPTX
Practical Approaches to Cloud Native Security
byKarthik Gaekwad
 
PPTX
KubeSecOps
byKarthik Gaekwad
 
PPTX
Kube Apps in action
byKarthik Gaekwad
 
PPTX
Kubernetes Security
byKarthik Gaekwad
 
PPTX
Docker and Devops
byDocker, Inc.
 
PDF
DCSF 19 How Entergy is Mitigating Legacy Windows Operating System Vulnerabili...
byDocker, Inc.
 
PPTX
Using the SDACK Architecture on Security Event Inspection by Yu-Lun Chen and ...
byDocker, Inc.
 
10 tips for Cloud Native Security
byKarthik Gaekwad
 
Practical Approaches to Cloud Native Security
byKarthik Gaekwad
 
KubeSecOps
byKarthik Gaekwad
 
Kube Apps in action
byKarthik Gaekwad
 
Kubernetes Security
byKarthik Gaekwad
 
Docker and Devops
byDocker, Inc.
 
DCSF 19 How Entergy is Mitigating Legacy Windows Operating System Vulnerabili...
byDocker, Inc.
 
Using the SDACK Architecture on Security Event Inspection by Yu-Lun Chen and ...
byDocker, Inc.
 

What's hot

PDF
Immutable Awesomeness by John Willis and Josh Corman
byDocker, Inc.
 
PPTX
20 mins to Faking the DevOps Unicorn by Matt williams, Datadog
byDocker, Inc.
 
PDF
MJC 2021: "Debugging Java Microservices Running on Kubernetes with Telepresence"
byDaniel Bryant
 
PDF
LJC 4/21"Easy Debugging of Java Microservices Running on Kubernetes with Tele...
byDaniel Bryant
 
PDF
Moving a Monolith to Kubernetes
byM. Scott Ford
 
PDF
ADDO 2020: "The past, present, and future of cloud native API gateways"
byDaniel Bryant
 
PPTX
All Things Open : Crash Course in Open Source Cloud Computing
byMark Hinkle
 
PPTX
Docker Cap Gemini CloudXperience 2017 - la revolution des conteneurs logiciels
byPatrick Chanezon
 
PDF
Containers and microservices for realists
byKarthik Gaekwad
 
PDF
Using Rancher and Docker with RightScale at Industrie IT
byRightScale
 
PPTX
OSCON 2014 - Crash Course in Open Source Cloud Computing
byMark Hinkle
 
PDF
Evénement Docker Paris: Anticipez les nouveaux business model et réduisez vos...
byDocker, Inc.
 
PDF
Containers - Transforming the data centre as we know it 2016
byKeith Lynch
 
PDF
Docker Meetup at Docker HQ: Docker Cloud
byDocker, Inc.
 
PPTX
Neo4j for Cloud Management at Scale
byNeo4j
 
PDF
Hands-on Helm
byDocker, Inc.
 
PDF
Data protection in a kubernetes-native world
byLibbySchulze
 
PDF
Kubernetes DevOps - Atul - Microsoft - CC18
byCodeOps Technologies LLP
 
PDF
Introduction to Kubernetes Security (Aqua & Weaveworks)
byWeaveworks
 
PDF
The Good, the Bad and the Ugly of Migrating Hundreds of Legacy Applications ...
byJosef Adersberger
 
Immutable Awesomeness by John Willis and Josh Corman
byDocker, Inc.
 
20 mins to Faking the DevOps Unicorn by Matt williams, Datadog
byDocker, Inc.
 
MJC 2021: "Debugging Java Microservices Running on Kubernetes with Telepresence"
byDaniel Bryant
 
LJC 4/21"Easy Debugging of Java Microservices Running on Kubernetes with Tele...
byDaniel Bryant
 
Moving a Monolith to Kubernetes
byM. Scott Ford
 
ADDO 2020: "The past, present, and future of cloud native API gateways"
byDaniel Bryant
 
All Things Open : Crash Course in Open Source Cloud Computing
byMark Hinkle
 
Docker Cap Gemini CloudXperience 2017 - la revolution des conteneurs logiciels
byPatrick Chanezon
 
Containers and microservices for realists
byKarthik Gaekwad
 
Using Rancher and Docker with RightScale at Industrie IT
byRightScale
 
OSCON 2014 - Crash Course in Open Source Cloud Computing
byMark Hinkle
 
Evénement Docker Paris: Anticipez les nouveaux business model et réduisez vos...
byDocker, Inc.
 
Containers - Transforming the data centre as we know it 2016
byKeith Lynch
 
Docker Meetup at Docker HQ: Docker Cloud
byDocker, Inc.
 
Neo4j for Cloud Management at Scale
byNeo4j
 
Hands-on Helm
byDocker, Inc.
 
Data protection in a kubernetes-native world
byLibbySchulze
 
Kubernetes DevOps - Atul - Microsoft - CC18
byCodeOps Technologies LLP
 
Introduction to Kubernetes Security (Aqua & Weaveworks)
byWeaveworks
 
The Good, the Bad and the Ugly of Migrating Hundreds of Legacy Applications ...
byJosef Adersberger
 

Similar to DevSecOps in a cloudnative world

PPTX
Kubernetes Security Act Now Before It’s Too Late
byMichael Furman
 
PPTX
12 Ways Not to get 'Hacked' your Kubernetes Cluster
bySuman Chakraborty
 
PDF
Stanislav Kolenkin & Igor Khoroshchenko - Knock Knock: Security threats with ...
byNoNameCon
 
PPTX
Kubernetes_Security_In_Depth_Practical r
byCseManit
 
PDF
GDG Cloud Southlake 29 Jimmy Mesta OWASP Top 10 for Kubernetes
byJames Anderson
 
PPTX
Security for cloud native workloads
byRuncy Oommen
 
PDF
Practical Guide to Securing Kubernetes
byLacework
 
PDF
Hacking Kubernetes Threat Driven Analysis and Defense 1st Edition Andrew Martin
bynoniqclarah
 
PDF
Hacking into your containers, and how to stop it!
byEric Smalling
 
PPTX
Kubernetes and container security
byVolodymyr Shynkar
 
PDF
KubeHuddle NA 2023 - Why should devs care about container security - Eric Sma...
byEric Smalling
 
PPTX
Hybrid - Seguridad en Contenedores v3.pptx
byHansFarroCastillo1
 
PDF
GDG SLK - Why should devs care about container security.pdf
byJames Anderson
 
PDF
Cloud-Native Security
byVMware Tanzu
 
PDF
Cloud Native Security: New Approach for a New Reality
byCarlos Andrés García
 
PDF
The Hacker's Guide to Kubernetes
byPatrycja Wegrzynowicz
 
PDF
Why should developers care about container security?
byEric Smalling
 
PPTX
Intro to Container & Kubernetes Hardening.pptx
bymalaahmad1
 
PDF
Kubernetes - Security Journey
byJerry Jalava
 
PDF
ATO 2022 - Why should devs care about container security.pdf
byEric Smalling
 
Kubernetes Security Act Now Before It’s Too Late
byMichael Furman
 
12 Ways Not to get 'Hacked' your Kubernetes Cluster
bySuman Chakraborty
 
Stanislav Kolenkin & Igor Khoroshchenko - Knock Knock: Security threats with ...
byNoNameCon
 
Kubernetes_Security_In_Depth_Practical r
byCseManit
 
GDG Cloud Southlake 29 Jimmy Mesta OWASP Top 10 for Kubernetes
byJames Anderson
 
Security for cloud native workloads
byRuncy Oommen
 
Practical Guide to Securing Kubernetes
byLacework
 
Hacking Kubernetes Threat Driven Analysis and Defense 1st Edition Andrew Martin
bynoniqclarah
 
Hacking into your containers, and how to stop it!
byEric Smalling
 
Kubernetes and container security
byVolodymyr Shynkar
 
KubeHuddle NA 2023 - Why should devs care about container security - Eric Sma...
byEric Smalling
 
Hybrid - Seguridad en Contenedores v3.pptx
byHansFarroCastillo1
 
GDG SLK - Why should devs care about container security.pdf
byJames Anderson
 
Cloud-Native Security
byVMware Tanzu
 
Cloud Native Security: New Approach for a New Reality
byCarlos Andrés García
 
The Hacker's Guide to Kubernetes
byPatrycja Wegrzynowicz
 
Why should developers care about container security?
byEric Smalling
 
Intro to Container & Kubernetes Hardening.pptx
bymalaahmad1
 
Kubernetes - Security Journey
byJerry Jalava
 
ATO 2022 - Why should devs care about container security.pdf
byEric Smalling
 

More from Karthik Gaekwad

PPTX
Why to Cloud Native
byKarthik Gaekwad
 
PDF
Mental Health studies and devops
byKarthik Gaekwad
 
PPTX
This is your community
byKarthik Gaekwad
 
PDF
Kubernetes security and you
byKarthik Gaekwad
 
PPTX
Kube applications in action
byKarthik Gaekwad
 
PDF
Devops and Dadops
byKarthik Gaekwad
 
PDF
Containers, microservices and serverless for realists
byKarthik Gaekwad
 
PDF
13 practical tips for writing secure golang applications
byKarthik Gaekwad
 
PPTX
Why to docker
byKarthik Gaekwad
 
PDF
Docker management
byKarthik Gaekwad
 
PDF
Agile 2014- Metrics driven development and devops
byKarthik Gaekwad
 
PDF
Devopsdays Austin 2014 Ignite: Keep devops weird
byKarthik Gaekwad
 
PDF
Cloud Austin 2013: Conferenced2013
byKarthik Gaekwad
 
PDF
LASCON 2013 Talk: User Auth for Winners, how to get it right the first time!
byKarthik Gaekwad
 
PDF
Agile 2013 Talk: How DevOps Changes Everything
byKarthik Gaekwad
 
PDF
DevOps at the CIA
byKarthik Gaekwad
 
PDF
Sexy HTML with Twitter Bootstrap
byKarthik Gaekwad
 
PPTX
12 Clouds of Christmas 2012- Stormpath
byKarthik Gaekwad
 
PPTX
We built this city on Dev and Ops
byKarthik Gaekwad
 
PPTX
30 days or less: New Features to Production
byKarthik Gaekwad
 
Why to Cloud Native
byKarthik Gaekwad
 
Mental Health studies and devops
byKarthik Gaekwad
 
This is your community
byKarthik Gaekwad
 
Kubernetes security and you
byKarthik Gaekwad
 
Kube applications in action
byKarthik Gaekwad
 
Devops and Dadops
byKarthik Gaekwad
 
Containers, microservices and serverless for realists
byKarthik Gaekwad
 
13 practical tips for writing secure golang applications
byKarthik Gaekwad
 
Why to docker
byKarthik Gaekwad
 
Docker management
byKarthik Gaekwad
 
Agile 2014- Metrics driven development and devops
byKarthik Gaekwad
 
Devopsdays Austin 2014 Ignite: Keep devops weird
byKarthik Gaekwad
 
Cloud Austin 2013: Conferenced2013
byKarthik Gaekwad
 
LASCON 2013 Talk: User Auth for Winners, how to get it right the first time!
byKarthik Gaekwad
 
Agile 2013 Talk: How DevOps Changes Everything
byKarthik Gaekwad
 
DevOps at the CIA
byKarthik Gaekwad
 
Sexy HTML with Twitter Bootstrap
byKarthik Gaekwad
 
12 Clouds of Christmas 2012- Stormpath
byKarthik Gaekwad
 
We built this city on Dev and Ops
byKarthik Gaekwad
 
30 days or less: New Features to Production
byKarthik Gaekwad
 

Recently uploaded

PDF
Shear Strength of Soil (Direct shear test).pdf
byMahmoodKhalid11
 
PDF
Model QP 2025 scheme Q &A- Module 1 and 2.pdf
bySURESHA V
 
PDF
Chemical Hazards at Workplace – Types, Properties & Exposure Routes, CORE-EHS
byCORE EHS
 
PDF
engineering management chapter 5 ppt presentation
byericaangelatoledo06
 
PDF
PROBLEM SLOVING AND PYTHON PROGRAMMING UNIT 3.pdf
byA R SIVANESH M.E., QIP-PG (Cyber Security)., (Ph.D)
 
PPT
Cloud computing-1.ppt presentation preview
byMohanaPriya780617
 
PPTX
Day 3 Module 5_Optical fiber Network (operation and management).pptx
bySachayaG
 
PPTX
Batch-1(End Semester) Student Of Shree Durga Tech. PPT.pptx
byrashesw1122s
 
PDF
Rajesh Prasad- Brief Profile with educational, professional highlights
byRajesh Prasad
 
PDF
Decision-Support-Systems-and-Decision-Making-Processes.pdf
byPatankarNikhil
 
PPTX
GET 211- Computing and Software Engineering (1).pptx
byfestusdaniel142
 
PPTX
What Green Hydrogen Is Definition: Hydrogen produced via electrolysis of wate...
byThit57
 
PPTX
Presentation-WPS Office.pptx afgouvhyhgfccf
byEndaleTimerga
 
PPT
Momentum and collisions in physics or engineering
byazizrahmanhakimi
 
PDF
Ericsson 6230 Training Module Document.pdf
byMd Bellal Hossain
 
PDF
Chad Ayach - An Accomplished Mechanical Engineer
byChad Ayach
 
PDF
Plasticity and Structure of Soil/Atterberg Limits.pdf
byMahmoodKhalid11
 
PPT
Ceramic Matrix Composites Slide from Composite Materials
byUsman635773
 
PDF
NS unit wise unit wise 1 -5 so prepare,.
bykumaransudhan1512
 
PPTX
A professional presentation on Cosmos Bank Heist
byssuser7f0075
 
Shear Strength of Soil (Direct shear test).pdf
byMahmoodKhalid11
 
Model QP 2025 scheme Q &A- Module 1 and 2.pdf
bySURESHA V
 
Chemical Hazards at Workplace – Types, Properties & Exposure Routes, CORE-EHS
byCORE EHS
 
engineering management chapter 5 ppt presentation
byericaangelatoledo06
 
PROBLEM SLOVING AND PYTHON PROGRAMMING UNIT 3.pdf
byA R SIVANESH M.E., QIP-PG (Cyber Security)., (Ph.D)
 
Cloud computing-1.ppt presentation preview
byMohanaPriya780617
 
Day 3 Module 5_Optical fiber Network (operation and management).pptx
bySachayaG
 
Batch-1(End Semester) Student Of Shree Durga Tech. PPT.pptx
byrashesw1122s
 
Rajesh Prasad- Brief Profile with educational, professional highlights
byRajesh Prasad
 
Decision-Support-Systems-and-Decision-Making-Processes.pdf
byPatankarNikhil
 
GET 211- Computing and Software Engineering (1).pptx
byfestusdaniel142
 
What Green Hydrogen Is Definition: Hydrogen produced via electrolysis of wate...
byThit57
 
Presentation-WPS Office.pptx afgouvhyhgfccf
byEndaleTimerga
 
Momentum and collisions in physics or engineering
byazizrahmanhakimi
 
Ericsson 6230 Training Module Document.pdf
byMd Bellal Hossain
 
Chad Ayach - An Accomplished Mechanical Engineer
byChad Ayach
 
Plasticity and Structure of Soil/Atterberg Limits.pdf
byMahmoodKhalid11
 
Ceramic Matrix Composites Slide from Composite Materials
byUsman635773
 
NS unit wise unit wise 1 -5 so prepare,.
bykumaransudhan1512
 
A professional presentation on Cosmos Bank Heist
byssuser7f0075
 

DevSecOps in a cloudnative world

  • 1.
    1 10 Tips for CloudNative Security Karthik Gaekwad Austin Developer Week 2018 DevSecOps in a Cloud Native World Karthik Gaekwad @iteration1 Devnet Create 2019
  • 2.
    •I’m Karthik Gaekwad •NOTa DBA •Cloud Native Evangelist at Oracle Cloud •https://cloudnative.oracle.com/ •Past: Developer on the Oracle Managed Kubernetes Team Hello @iteration1 @iteration1
  • 3.
    Hello • Been inIndustry 15 years. • In general, I like building stuff with friends. • Maintainer for Gauntlt- Open source security scanner. • Love Teaching and building community. • Run Devopsdays Austin, Container Days, Cloud Austin. • Chair All Day Devops Cloud Native track. • LinkedIn Learning Author for Learning Kubernetes (and more). @iteration1
  • 4.
    The Cloud NativeJourney 4 Phase I Developer Focus Phase II DevOps Focus Phase III Business Focus (end-to-end) Container Adoption Application Deployment Intelligent Operations SpeedEfficiencyAgility Docker Kubernetes Core to Edge Developer adoption Dev/Test apps Simple orchestration Individual developers DevOps deployment Production apps Advanced orchestration Teams & lines of business End-to-end integration Digital business apps Serverless, DevSecOps, & ML Cloud native enterprises Focus Applications Automation Community @iteration1
  • 5.
    CNCF Survey: August2018 How Does Your Company Use Containers and Where? Lots of adoption on dev/staging Continued production increase @iteration1
  • 6.
    CNCF Survey: August2018 How Does Your Company Use Containers and Where? Adoption over public and on-prem @iteration1
  • 7.
    Kubernetes Dominates Container Management Yourcompany/organization manages containers with: Winner! Kubernetes @iteration1
  • 8.
    Top 5 challengesto cloud native adoption… 0 5 10 15 20 25 30 35 40 45 Complexity Cultural Challenges Lack of Training Security Monitoring Percentages @iteration1
  • 9.
    • Managing, maintaining,upgrading Kubernetes Control Plane • API Server, etcd, scheduler etc…. • Managing, maintaining, upgrading Kubernetes Data Plane • In place upgrades, deploy parallel cluster etc…. • Figuring out container networking & storage • Overlays, persistent storage etc… - it should just work • Managing Teams • How do I manage & control team access to my clusters? • Security, security, security 9 Kubernetes & Cloud Native Challenges Source: Oracle Customer Survey 2018 @iteration1
  • 10.
    How Are TeamsAddressing Complexity, Training Issues? App Management Upgrades & Patching Platform Backup & Recovery High Availability Scaling App Deployment Power, HVAC Rack and Stack Server Provisioning Software Installation Customer Managed Fully-Managed App Management Upgrades & Patching Platform Backup & Recovery High Availability Scaling App Deployment Power, HVAC Rack and Stack Server Provisioning Software Installation  Faster Time to Deploy  Lower Risk  Accelerate Innovation Fully managed Benefits YOU @iteration1
  • 11.
    Which brings usto security…
  • 12.
    Where no news,is good news!
  • 13.
    Unsecured K8s dashboards •Unsecured Kubernetes Dashboard with account creds. • Used this to mine cryptocurrency. • 2017: Aviva • 2018: Tesla, Weight Watchers • https://redlock.io/blog/cryptojacking- tesla @iteration1
  • 14.
    Kubelet credentials hack •Shopify: Server Side request Forgery • Get kubelet certs/private key • Root access to any container in part of infrastructure. • https://hackerone.com/reports/341876 @iteration1
  • 15.
    CVE’s Happen… Even morerelevant with increased production usage of containers… @iteration1
  • 16.
  • 17.
  • 18.
  • 19.
  • 20.
    How did weget here?
  • 21.
    “Kubernetes is toocomplicated”
  • 22.
    “Kubernetes is toocomplicated” “We hope it’ll get easier”
  • 23.
  • 24.
    Let’s look at: •AttackSurface • More importantly, how to limit damage •Security related features in K8s • The more you know, the better you build •Opensource Tooling to help • Because we all need help
  • 25.
  • 26.
    Attack Surface Goal: Reducethe attack surface •Analysis for: •Host(s) •Container (Images and running) •Kubernetes Cluster @iteration1
  • 27.
    Attack Surface: Host •These are the machines you’re running Kubernetes on. • Age old principles of Linux still apply: • Enable SELinux • AppArmor • Seccomp • Hardened Images • Goal: Minimize privilege to applications running on the host • Good news: Already a wealth of information on this subject! • http://lmgtfy.com/?q=how+to+reduce+attack+surface+linux @iteration1
  • 28.
    Attack Surface: ContainerImages GOAL: Know your base image when building containers @iteration1
  • 29.
    Attack Surface: ContainerImages GOAL: Know your base image when building containers **BTW, this is just a ruby helloworld app @iteration1
  • 30.
    Attack Surface: ContainerImages GOAL: Know your base image when building containers Full disclosure: I’m karthequian; I created this as a ruby 101 container for learning purposes only @iteration1
  • 31.
    Attack Surface: ContainerImages GOAL: Know your base image when building containers • When in doubt, stick to an official images! • Or start from a sane base image (example: alpine linux) @iteration1
  • 32.
    Attack Surface: ContainerImages GOAL: Smaller the image, the better • Less things for an attacker to exploit. • Quicker to push, quicker to pull. @iteration1
  • 33.
    Attack Surface: ContainerImages GOAL: Don’t rely on :latest tag • :latest image yesterday might not be :latest image tomorrow • Instead, you’d want to know what specific version you’re operating with. • Side benefit: If there is a new vulnerability announced for OS version x.y.z, you know immediately whether you’re running that version! @iteration1
  • 34.
    Attack Surface: ContainerImages GOAL: Check for vulnerabilities periodically • Plenty of ways to do this in registries. We’ll cover more in the tooling section @iteration1
  • 35.
    Attack Surface: RunningContainers GOAL: Don’t run as root • Containers running as root might be completely unnecessary for the actual application. • If compromised, attacker can do a lot more things.. • Pod security policies can help (we’ll see how later). @iteration1
  • 36.
    Attack Surface: RunningContainers GOAL: Limit host mounts • Be wary of images that require broad access to paths on the host. • Limit your host mount to a smaller subset of directories. • Reduces blast radius on compromise. @iteration1
  • 37.
  • 38.
    Kubernetes Cluster- TLS TLSALL THE THINGS @iteration1
  • 39.
  • 40.
    Kubernetes Cluster- TLS •TLS Checklist: 1. User and Master 2. Nodes and Master 3. Everything etcd @iteration1
  • 41.
    CVE’s 41 GOAL: Have anupgrade strategy • Because…CVE’s are fixed in new minor versions. • Don’t treat K8s as “install once, run all the time”. • Make your K8s install repeatable for different versions. • ..Or use a Managed Provider. • Either automatically patch for you, or tell you what to do. @iteration1
  • 42.
    We’re a little betteroff now. But what else to do?
  • 43.
    K8s Features How canthe platform help me make secure choices? @iteration1
  • 44.
    K8s Features • KubernetesSecrets • Authentication • Authorization • Audit Logging • Network Policies • Pod security policies • Open Policy Agent @iteration1
  • 45.
    Kubernetes Secrets • GOAL:Use Kubernetes secrets to store sensitive data instead of config maps. • Also look at: secrets encryption provider. • Controls how etcd encrypts API data • --experimental-encryption-provider-config • https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/ @iteration1
  • 46.
    Authentication and Authorization •Do you know how you are authenticating with Kubernetes? • Many ways to Authenticate • Client Certs • Static token file • Service Account tokens • OpenID • Webhook Mode • And more (https://kubernetes.io/docs/reference/access-authn-authz/authentication/) @iteration1
  • 47.
    Whatever you do, DONOT YOLO! Goal: Pick a strategy that fits your use case
  • 48.
    You can pickan authz strategy.. If you DO NOT YOLO…
  • 49.
  • 50.
    Authentication and Authorization •Pro tip: Nobody uses ABAC anymore. Don’t be that guy…. • RBAC is the defacto standard • Based on roles and role bindings • Good set of defaults: https://github.com/uruddarraju/kubernetes-rbac-policies • Can use multiple authorizers together, but can get confusing. • 1st authorizer to authorize passes authz @iteration1
  • 51.
    Kubernetes Cluster- AuditLogs • Wat? • “Kubernetes auditing provides a security-relevant chronological set of records documenting the sequence of activities that have affected system by individual users, administrators or other components of the system.” • Answers: What/when/who/where information on security events. • Your job: Periodically watch Kubernetes Audit logs • https://kubernetes.io/docs/tasks/debug-application-cluster/audit/ @iteration1
  • 53.
    Kubernetes Cluster- NetworkPolicies • Consider adding a network policy to the cluster… • Default Policy: All pods can talk to all other pods. • Consider limiting this with a Network Policy • https://kubernetes.io/docs/concepts/services-networking/network-policies/ @iteration1
  • 54.
    Kubernetes Cluster- PodSecurity Policies • Consider adding Pod Security policies • PodSecurityPolicy: A Defined set of conditions a pod must run with. • Think of this as authorization for pods. @iteration1
  • 55.
    Kubernetes Cluster: PodSecurity Policies https://kubernetes.io/docs/concepts/policy/pod-security-policy/#what-is-a-pod-security-policy Capability for an admin to control specific actions @iteration1
  • 56.
    Open Policy Agent •Policy based control for your whole environment. • Full featured Policy Engine to offload policy decisions from each application/service. • Deploy OPA alongside your service • Add policy data to OPA’s store • Query OPA on decisions. • Great idea, still early, watch this space… • Standardize policies for all clusters • https://www.openpolicyagent.org/ 56@iteration1
  • 57.
  • 58.
    Keep tabs onthe CNCF Security landscape https://landscape.cncf.io/landscape=security-complia
  • 59.
    CNCF Projects • “TheUpdate Framework” • Is a framework or a methodology. • Used for secure software updates. • Based on ideas surrounding trust and integrity. • Is a project. • Based on TUF. • A solution to secure software updates and distribution. • Used in Docker Trusted Registry. @iteration1
  • 60.
    Clair • Open sourceproject for the static analysis of vulnerabilities in containers. • Find vulnerable images in your repo. • Built into quay.io, but you can add to your own repo. • https://github.com/coreos/clair @iteration1
  • 61.
  • 62.
    Harbor • Newer! CNCFProject • Registry product • Supports vulnerability scanning, image signing and identity control • Scope is larger than clair @iteration1
  • 63.
  • 64.
    Kube-bench • Checks whethera Kubernetes cluster is deployed according to security best practices. • Run this after creating your K8s cluster. • https://github.com/aquasecurity/kube-bench • Defined by the CIS Benchmarks Docs: https://www.cisecurity.org/cis- benchmarks/ • Run it against your Kubernetes Master, or Kubernetes node. @iteration1
  • 65.
  • 66.
    Kubesec • Helps youquantify risk for Kubernetes resources. • Run against your K8s applications (deployments/pods/daemonsets etc) • https://kubesec.io/ from controlplane • Can be used standalone, or as a kubectl plugin (https://github.com/stefanprodan/kubectl-kubesec) @iteration1
  • 67.
  • 68.
    Kubeaudit • Opensourced fromShopify. • Auditing your applications in your K8s cluster. • https://github.com/Shopify/kubeaudit • Little more targeted than Kubesec. @iteration1
  • 69.
  • 70.
  • 71.
    Put it alltogether… 71 @iteration1
  • 72.
    Apply It! 72 • Day1: • Know what version of Docker and Kubernetes you use. • Understand if your control and data plane nodes are hardened. • Understand how your Docker containers are built. • Find out how you authenticate and authorize for your clusters. @iteration1
  • 73.
    Apply It! 73 •Week 1: •Buildan Automation Pipeline: • To build Docker images on code pushes • Versioning strategy for code • To build your Kubernetes clusters @iteration1
  • 74.
    Apply It! 74 •1st Month •Sanitizeyour code: • Know your base images • Implement versioning for your containers • Invest in a registry (or tooling) that does vulnerability scanning •Kubernetes: • Have an upgrade strategy in place • Analyze secrets/sensitive cluster data • Turn on audit logging @iteration1
  • 75.
    Apply It! 75 • 3Months: • Continuously Monitor • Tooling like Kubesec/Kube-audit • Plan how to address vulnerabilities/CVE’s • K8s: • Strategy for Pod Security Policies • Strategy for Network Policies • Run scans (like kube-bench) on cluster creation @iteration1
  • 76.
    Apply It! 76 •6 Months: •Re-askday 1 questions. •Review strategies- is it working? What needs tweaking? •Review tooling- are there new tools that help? Are existing tools working? •Review CVE’s @iteration1
  • 77.
    Couple more resourcesto look at: • 11 ways not to get hacked: https://kubernetes.io/blog/2018/07/18/11-ways-not-to-get-hacked • K8s security (from Image Hygiene to Network Policy): https://speakerdeck.com/mhausenblas/kubernetes-security-from- image-hygiene-to-network-policies @iteration1
  • 78.

Editor's Notes

  • #2 Photo by Piotr Chrobot on Unsplash
  • #10 However, customers face challenges along the way.  As we have spoken to customers, many have agreed with the challenges presented on this slide.
  • #11 Faster Time to Deploy No need to provision and maintain Operating System and Platforms (Linux, Kubernetes, Docker Registry, Continuous Integration Systems) Lower Risk Oracle is committed to SLAs on Performance and Manageability, in addition to Availability Accelerate Innovation Develop new Container Native apps quickly, and port existing apps faster
  • #16 Photo by rawpixel on Unsplash
  • #17 Photo by rawpixel on Unsplash
  • #22 Photo by Byron Sterk on Unsplash
  • #23 Photo by Byron Sterk on Unsplash
  • #24 Photo by rawpixel on Unsplash
  • #26 Photo by rawpixel on Unsplash
  • #38 Photo by rawpixel on Unsplash
  • #40 Diagram from https://docs.google.com/presentation/d/1Gp-2blk5WExI_QR59EUZdwfO2BWLJqa626mK2ej-huo/edit#slide=id.g1e639c415b_0_56. Thanks @Lucas Käldström
  • #48 Photo by Mikhail Vasilyev on Unsplash
  • #49 Photo by Mikhail Vasilyev on Unsplash
  • #57 https://www.openpolicyagent.org/docs/how-does-opa-work.html#overview
  • #58 Photo by Barn Images on Unsplash
  • #72 Photo by Damon Lam on Unsplash
  • #73 Photo by Damon Lam on Unsplash
  • #74 Photo by Damon Lam on Unsplash
  • #75 Photo by Damon Lam on Unsplash
  • #76 Photo by Damon Lam on Unsplash
  • #77 Photo by Damon Lam on Unsplash