Krishna-Kumar , profile picture
Uploaded byKrishna-Kumar
526 views

Google Cloud Container Security Quick Overview

This document provides an overview of Google Cloud's container security features and best practices. It covers key aspects such as IAM policies, workload protection, vulnerability scanning, and components of Google Kubernetes Engine security, including control plane management and node security. Additionally, it highlights integration with third-party security solutions and emphasizes the importance of compliance and security across hybrid cloud environments.

Embed presentation

Downloaded 52 times
Google Cloud Container Security QuickView Lightning talk of 5-10 minutes.... Krishna Kumar – CNCF Ambassador
Google Cloud Security – Console View – First Look https://console.cloud.google.com/
Google Compute Engine Security  Google cloud Identity service - IAM  IAM Policies & Organization level policies  Effectively design the hierarchy  Apply Leave privileaged access policy mode  Create security groups with conceptual roles instead randiomly creating users and groups  Like One top account create/set polciies & service acconts only and the other accounts apply it.  Unmanaged credentials night mare! Key Management Services (KMS)  VPC network can be managed/deleted as needed  Rootkits & Bootkits for VM hardening  Tools – AuditLogs, CSCC, KMS Resource Hierarchy in general
Google Container Security Infrastructure Security Software Supply Chain Security Run time Security Cloud IAM, RBAC Google container Registry Stackdriver – monitoring, Attack profiles Compliance Certifications Security Vulnerability Scanning Anomolous detection by third party products like Twistlocks, acqua, sysdig Cloud Audit Logging Secure base images Cloud SCC Container Optimized minimal OS, Node auto upgrade Regular builds Isolation gVisor sandbox Network policy, Private clusters, Shared VPC Deployment policies, Binary authorization Runtime detection – host, network, workload, Boot
Google Kubernetes Engine Security Managed Security by Google ● Control plane security – Google does the control plane management (Mater VM, Scheduler, Cntroll manager, API server, etcd, CA, IAM, logging to stackdriver,) & Patching the contol plane. ● Node security – Google handles K8s comoponents, COS (Chromium OS), logging & monitoring. Autoupgarde & security patches automatically rolled out. Manage base images. – Live migration: Node auto upgrade is like adding new node and drain the work from old. ● Workloads: User need to secure workloads. Protect the secret with Cloud KMS or KMS plugin (Vault).
Hardening GKE ● Disable the Kubernetes web UI (Dashboard) ● Restrict Cluster discovery RBAC permission & binary authentication ● Restrict Traffic Among Pods with a Network Policy & Pod security policy ● Use Least Privilege Service Accounts for your Nodes ● Restrict your Node Service Account Scopes & Client Authentication Methods ● Protect node metadata & Automatically upgrade nodes ● Authorized networks & meta data concealment ● Google Container Registry (GCR) Vulnerability Scanning ● Third party container security. ● Read secuity bulletins – Vulnerabilties and solutiond
GKE Istio Security Istio, a service mesh implementation, on GKE is an add-on. ● The version of Istio installed is tied to the GKE version, and you will not be able to update them independently. ● Pilot: ● Istio Auth ensures that services with sensitive data can only be accessed ● Istio RBAC provides namespace-level, service-level, and method-level access control ● Mixer: ● Istio config policy on server side not client side. ● Citadel: ● MutualTLS authentication - both service-to-service and end-user-to-service ● Automates key and certificate generation, distribution, rotation, and revocation.
Anthos Security ● Single pane of glass visibility across all clusters ● Service-centric view of your infrastructure ● Configuration management & Compliance centralized ● Istio providing in-cluster mTLS and certificate management. ● 3rd party marketplace Hybrid cloud solutions: Anthos relies on Google Kubernetes Engine (GKE) and GKE On-Prem to manage Kubernetes installations in the environments
Google Cloud Partner Security ● Splunk ● Palo alto Networks ● Checkpoint ● F5 ● Brocade ● Nginx ● Symantec ● Cisco ● Hashicorp ● Acqua ● Blackduck ● Twistlock ● Stackrox ● & more...... With 3rd party providers, GCP Protects a wide variety of hybrid cloud solutions and data.
References ● https://cloud.google.com/containers/security/ ● https://cloud.google.com/kubernetes-engine/docs/security-bulletins ● https://cloud.google.com/kubernetes-engine/docs/how-to/hardening-your-cluster ● https://cloud.google.com/kubernetes-engine/docs/concepts/security-overview ● https://cloud.withgoogle.com/next/19/sf/sessions?session=SEC110 ● https://console.cloud.google.com/security/command-center/welcome ● https://cloud.google.com/security/partners/ ● https://cloud.google.com/anthos/docs/concepts/overview ● https://cloud.google.com/istio/#security ● https://youtu.be/PfXZovlblJc

More Related Content

PPTX
Containers and workload security an overview
byKrishna-Kumar
 
PDF
Power of Choice in Docker EE 2.0 - Anoop - Docker - CC18
byCodeOps Technologies LLP
 
PDF
Service Mesh For Beginner
byMien Dinh
 
PDF
Multi-Container Apps spanning Docker, Mesos and OpenStack
byDocker, Inc.
 
PPTX
Global Persistence for Docker
byDocker, Inc.
 
PDF
Virtualized Containers - How Good is it - Ananth - Siemens - CC18
byCodeOps Technologies LLP
 
PDF
Kubernetes - Security Journey
byJerry Jalava
 
PDF
Kubernetes Networking - Sreenivas Makam - Google - CC18
byCodeOps Technologies LLP
 
Containers and workload security an overview
byKrishna-Kumar
 
Power of Choice in Docker EE 2.0 - Anoop - Docker - CC18
byCodeOps Technologies LLP
 
Service Mesh For Beginner
byMien Dinh
 
Multi-Container Apps spanning Docker, Mesos and OpenStack
byDocker, Inc.
 
Global Persistence for Docker
byDocker, Inc.
 
Virtualized Containers - How Good is it - Ananth - Siemens - CC18
byCodeOps Technologies LLP
 
Kubernetes - Security Journey
byJerry Jalava
 
Kubernetes Networking - Sreenivas Makam - Google - CC18
byCodeOps Technologies LLP
 

What's hot

PPTX
Csa container-security-in-aws-dw
byCloud Security Alliance, UK chapter
 
PDF
Kubecon seattle 2018 recap - Application Deployment aspects
byKrishna-Kumar
 
PPTX
Kubernetes security with AWS
byKasun Madura Rathnayaka
 
PDF
Kubernetes - how to orchestrate containers
byinovex GmbH
 
PDF
Extending Kubernetes
byJohannes Rudolph
 
PDF
Introduction to kubernetes
byGabriel Carro
 
PDF
How Kubernetes helps Devops
bySreenivas Makam
 
PDF
Container Security Essentials
byDNIF
 
PDF
Gentle introduction to containers and kubernetes
byNills Franssens
 
PDF
Kubernetes Multitenancy - KubeSec Enterprise Security Summit
bySanjeev Rampal
 
PDF
OpenStack 101 update
byKamesh Pemmaraju
 
PDF
Why kubernetes for Serverless (FaaS)
byKrishna-Kumar
 
PPTX
Working with kubernetes
byNagaraj Shenoy
 
PDF
The Containers Ecosystem, the OpenStack Magnum Project, the Open Container In...
byDaniel Krook
 
PDF
Kubernetes: https://youtu.be/KnjnQj-FvfQ
byRahul Malhotra
 
PPTX
Openstack architure part 1
byNhan Cao Thanh
 
PDF
Admission controllers - PSP, OPA, Kyverno and more!
bySebastienSEYMARC
 
PDF
DockerCon EU 2015: Monitoring Docker
byDocker, Inc.
 
PDF
Getting started with OpenStack
byKnoldus Inc.
 
PDF
OpenStack Architecture
byMirantis
 
Csa container-security-in-aws-dw
byCloud Security Alliance, UK chapter
 
Kubecon seattle 2018 recap - Application Deployment aspects
byKrishna-Kumar
 
Kubernetes security with AWS
byKasun Madura Rathnayaka
 
Kubernetes - how to orchestrate containers
byinovex GmbH
 
Extending Kubernetes
byJohannes Rudolph
 
Introduction to kubernetes
byGabriel Carro
 
How Kubernetes helps Devops
bySreenivas Makam
 
Container Security Essentials
byDNIF
 
Gentle introduction to containers and kubernetes
byNills Franssens
 
Kubernetes Multitenancy - KubeSec Enterprise Security Summit
bySanjeev Rampal
 
OpenStack 101 update
byKamesh Pemmaraju
 
Why kubernetes for Serverless (FaaS)
byKrishna-Kumar
 
Working with kubernetes
byNagaraj Shenoy
 
The Containers Ecosystem, the OpenStack Magnum Project, the Open Container In...
byDaniel Krook
 
Kubernetes: https://youtu.be/KnjnQj-FvfQ
byRahul Malhotra
 
Openstack architure part 1
byNhan Cao Thanh
 
Admission controllers - PSP, OPA, Kyverno and more!
bySebastienSEYMARC
 
DockerCon EU 2015: Monitoring Docker
byDocker, Inc.
 
Getting started with OpenStack
byKnoldus Inc.
 
OpenStack Architecture
byMirantis
 

Similar to Google Cloud Container Security Quick Overview

PDF
Top 3 reasons why you should run your Enterprise workloads on GKE
bySreenivas Makam
 
PPTX
Anton Grishko "Multi-cloud with Google Anthos, Kubernetes and Istio. How to s...
byFwdays
 
PDF
Powerup & GCP | Workshop on Google Kubernetes Engine
byPowerup
 
PDF
GCP Security Refresher and GKE Enterprise In Action
byStacy Véronneau
 
PDF
Implementing zero trust in IBM Cloud Pak for Integration
byKim Clark
 
PDF
Security threats with Kubernetes - Igor Khoroshchenko
byKuberton
 
PPTX
GCCP-Session 2
byGDSCIIITDHARWAD
 
PPTX
Kubernetes best practices with GKE
byGDG Cloud Bengaluru
 
PPTX
Hybrid - Seguridad en Contenedores v3.pptx
byHansFarroCastillo1
 
PDF
Anthos Security: modernize your security posture for cloud native applications
byGreg Castle
 
PPTX
Google Cloud Study Jam | GDSC NCU
byShivam254129
 
PDF
All Your Containers Are Belong To Us
byLacework
 
PDF
Hacking GCP For Fun by Agnibha Dutta.pdf
bynull - The Open Security Community
 
PDF
Stanislav Kolenkin & Igor Khoroshchenko - Knock Knock: Security threats with ...
byNoNameCon
 
PDF
Skip the anxiety attack when building secure containerized apps
byHaidee McMahon
 
PDF
Anthos Application Modernization Platform
byGDG Cloud Bengaluru
 
PPTX
GCCP Session 2.pptx
byDSCIITPatna
 
PDF
Google Cloud Security Engineer Exam Prep sheet.pdf
byssuser9d32e2
 
PPTX
Istio - A Service Mesh for Microservices as Scale
byRam Vennam
 
PPTX
CSJ4.pptx
byGDSCAESB
 
Top 3 reasons why you should run your Enterprise workloads on GKE
bySreenivas Makam
 
Anton Grishko "Multi-cloud with Google Anthos, Kubernetes and Istio. How to s...
byFwdays
 
Powerup & GCP | Workshop on Google Kubernetes Engine
byPowerup
 
GCP Security Refresher and GKE Enterprise In Action
byStacy Véronneau
 
Implementing zero trust in IBM Cloud Pak for Integration
byKim Clark
 
Security threats with Kubernetes - Igor Khoroshchenko
byKuberton
 
GCCP-Session 2
byGDSCIIITDHARWAD
 
Kubernetes best practices with GKE
byGDG Cloud Bengaluru
 
Hybrid - Seguridad en Contenedores v3.pptx
byHansFarroCastillo1
 
Anthos Security: modernize your security posture for cloud native applications
byGreg Castle
 
Google Cloud Study Jam | GDSC NCU
byShivam254129
 
All Your Containers Are Belong To Us
byLacework
 
Hacking GCP For Fun by Agnibha Dutta.pdf
bynull - The Open Security Community
 
Stanislav Kolenkin & Igor Khoroshchenko - Knock Knock: Security threats with ...
byNoNameCon
 
Skip the anxiety attack when building secure containerized apps
byHaidee McMahon
 
Anthos Application Modernization Platform
byGDG Cloud Bengaluru
 
GCCP Session 2.pptx
byDSCIITPatna
 
Google Cloud Security Engineer Exam Prep sheet.pdf
byssuser9d32e2
 
Istio - A Service Mesh for Microservices as Scale
byRam Vennam
 
CSJ4.pptx
byGDSCAESB
 

More from Krishna-Kumar

PDF
SODA Ambassadors & Community Ecosystem
byKrishna-Kumar
 
PDF
Open Source Building Career and Competency
byKrishna-Kumar
 
PDF
CCICI CIP 1.0 Testbed - Security access implementation and reference - v1.0
byKrishna-Kumar
 
PDF
Google Anthos - Azure Stack - AWS Outposts :Comparison
byKrishna-Kumar
 
PDF
Cloud Native Use Cases / Case Studies - KubeCon 2019 San Diego - RECAP
byKrishna-Kumar
 
PDF
Cloud interoperability and open standards for digital india open infrasummit
byKrishna-Kumar
 
PDF
Kubernetes Application Deployment with Helm - A beginner Guide!
byKrishna-Kumar
 
PDF
KubeCon + CloudNativeCon Barcelona and Shanghai 2019 - Highlights
byKrishna-Kumar
 
PDF
Introduction to ieee standards development - Bangalore Section
byKrishna-Kumar
 
PDF
IEEE Standards Association - Introduction
byKrishna-Kumar
 
PDF
IoTShow.in Bangalore 2019 - a Recap on 'IoT and Edge' Talk.
byKrishna-Kumar
 
PPTX
Open Source Edge Computing Platforms - Overview
byKrishna-Kumar
 
PDF
cncf overview and building edge computing using kubernetes
byKrishna-Kumar
 
PDF
Evolution of containers to kubernetes
byKrishna-Kumar
 
PDF
My Ladakh Marathon Run 2018
byKrishna-Kumar
 
PDF
Now yoga - a study on where why what how
byKrishna-Kumar
 
PPTX
CNCF Introduction - Feb 2018
byKrishna-Kumar
 
PPTX
KubeCon USA 2017 brief Overview - from Kubernetes meetup Bangalore
byKrishna-Kumar
 
PPTX
Yoga for confused IT engineer
byKrishna-Kumar
 
PDF
Cloud, Big Data, IoT, ML - together to build a real world use case!
byKrishna-Kumar
 
SODA Ambassadors & Community Ecosystem
byKrishna-Kumar
 
Open Source Building Career and Competency
byKrishna-Kumar
 
CCICI CIP 1.0 Testbed - Security access implementation and reference - v1.0
byKrishna-Kumar
 
Google Anthos - Azure Stack - AWS Outposts :Comparison
byKrishna-Kumar
 
Cloud Native Use Cases / Case Studies - KubeCon 2019 San Diego - RECAP
byKrishna-Kumar
 
Cloud interoperability and open standards for digital india open infrasummit
byKrishna-Kumar
 
Kubernetes Application Deployment with Helm - A beginner Guide!
byKrishna-Kumar
 
KubeCon + CloudNativeCon Barcelona and Shanghai 2019 - Highlights
byKrishna-Kumar
 
Introduction to ieee standards development - Bangalore Section
byKrishna-Kumar
 
IEEE Standards Association - Introduction
byKrishna-Kumar
 
IoTShow.in Bangalore 2019 - a Recap on 'IoT and Edge' Talk.
byKrishna-Kumar
 
Open Source Edge Computing Platforms - Overview
byKrishna-Kumar
 
cncf overview and building edge computing using kubernetes
byKrishna-Kumar
 
Evolution of containers to kubernetes
byKrishna-Kumar
 
My Ladakh Marathon Run 2018
byKrishna-Kumar
 
Now yoga - a study on where why what how
byKrishna-Kumar
 
CNCF Introduction - Feb 2018
byKrishna-Kumar
 
KubeCon USA 2017 brief Overview - from Kubernetes meetup Bangalore
byKrishna-Kumar
 
Yoga for confused IT engineer
byKrishna-Kumar
 
Cloud, Big Data, IoT, ML - together to build a real world use case!
byKrishna-Kumar
 

Recently uploaded

PPTX
Installing Python in Visual Studio Code
bydabydcatahanibmcom
 
PDF
Ready, Set, REST! Introducing MySQL's Built-In REST Service
byMiguel Araújo
 
PPTX
Data Skills for Business Analysts: What You Need to Succeed
byScott W. Ambler
 
PDF
Ecommerce Website Development Services - Web Panel Solutions.pdf
byWEB PANEL SOLUTIONS
 
PDF
Lost Android Phone Recovery_ Steps That Work Fast.pdf
byIsabella Reed
 
PDF
SAP ERP to SAP S_4HANA Cloud Private Edition Delta Scope
bychuck78
 
PDF
Taxi App UIUX Design for Seamless Ride Booking
byV3CUBE TECHNOLABS
 
PPTX
Pitch Deck for MEVIA OS - No Apps, Infinite, Decentralized Operating System
byDr. Edwin Hernandez
 
PPTX
‘Analyzing Application Logs Using AI’ Webinar
byTier1 app
 
PDF
Introduction to Modern Artificial Intelligence.pdf
byAI n Dot Net
 
PDF
ACE Aarhus February 2026: Atlassian news
byDanielEriksen5
 
PDF
Langchain4J – An Introduction for Impatient Developers
byJuarez Junior
 
PDF
HuemanAI Platform Overview.pptx (1) (2).pdf
byAnkur Handoo
 
PPTX
How CFD Simulations Support Sustainable Data Center Design Optimization
byWeb Synergies
 
PDF
JFokus 2026 - Please pass the salt- Serve up passwords with a side of entropy...
byOrtus Solutions, Corp
 
PDF
Doctor On Call App Development for Digital Healthcare.
byV3CUBE TECHNOLABS
 
PDF
Ontwikkel sneller en veiliger met GitHub Copilot
byDelta-N
 
PPTX
Chapter Two Logic and Language - Copy.pptx
byGediyonBelay
 
PDF
Jira, Powered by Enterprise-Grade Intelligence from NeoroTalks.pdf
byNeoro Talks
 
PDF
openstack_operations_slides_version1.3_pp.pdf
byssuser47d511
 
Installing Python in Visual Studio Code
bydabydcatahanibmcom
 
Ready, Set, REST! Introducing MySQL's Built-In REST Service
byMiguel Araújo
 
Data Skills for Business Analysts: What You Need to Succeed
byScott W. Ambler
 
Ecommerce Website Development Services - Web Panel Solutions.pdf
byWEB PANEL SOLUTIONS
 
Lost Android Phone Recovery_ Steps That Work Fast.pdf
byIsabella Reed
 
SAP ERP to SAP S_4HANA Cloud Private Edition Delta Scope
bychuck78
 
Taxi App UIUX Design for Seamless Ride Booking
byV3CUBE TECHNOLABS
 
Pitch Deck for MEVIA OS - No Apps, Infinite, Decentralized Operating System
byDr. Edwin Hernandez
 
‘Analyzing Application Logs Using AI’ Webinar
byTier1 app
 
Introduction to Modern Artificial Intelligence.pdf
byAI n Dot Net
 
ACE Aarhus February 2026: Atlassian news
byDanielEriksen5
 
Langchain4J – An Introduction for Impatient Developers
byJuarez Junior
 
HuemanAI Platform Overview.pptx (1) (2).pdf
byAnkur Handoo
 
How CFD Simulations Support Sustainable Data Center Design Optimization
byWeb Synergies
 
JFokus 2026 - Please pass the salt- Serve up passwords with a side of entropy...
byOrtus Solutions, Corp
 
Doctor On Call App Development for Digital Healthcare.
byV3CUBE TECHNOLABS
 
Ontwikkel sneller en veiliger met GitHub Copilot
byDelta-N
 
Chapter Two Logic and Language - Copy.pptx
byGediyonBelay
 
Jira, Powered by Enterprise-Grade Intelligence from NeoroTalks.pdf
byNeoro Talks
 
openstack_operations_slides_version1.3_pp.pdf
byssuser47d511
 

Google Cloud Container Security Quick Overview

  • 1.
    Google Cloud ContainerSecurity QuickView Lightning talk of 5-10 minutes.... Krishna Kumar – CNCF Ambassador
  • 2.
    Google Cloud Security– Console View – First Look https://console.cloud.google.com/
  • 3.
    Google Compute EngineSecurity  Google cloud Identity service - IAM  IAM Policies & Organization level policies  Effectively design the hierarchy  Apply Leave privileaged access policy mode  Create security groups with conceptual roles instead randiomly creating users and groups  Like One top account create/set polciies & service acconts only and the other accounts apply it.  Unmanaged credentials night mare! Key Management Services (KMS)  VPC network can be managed/deleted as needed  Rootkits & Bootkits for VM hardening  Tools – AuditLogs, CSCC, KMS Resource Hierarchy in general
  • 4.
    Google Container Security InfrastructureSecurity Software Supply Chain Security Run time Security Cloud IAM, RBAC Google container Registry Stackdriver – monitoring, Attack profiles Compliance Certifications Security Vulnerability Scanning Anomolous detection by third party products like Twistlocks, acqua, sysdig Cloud Audit Logging Secure base images Cloud SCC Container Optimized minimal OS, Node auto upgrade Regular builds Isolation gVisor sandbox Network policy, Private clusters, Shared VPC Deployment policies, Binary authorization Runtime detection – host, network, workload, Boot
  • 5.
    Google Kubernetes EngineSecurity Managed Security by Google ● Control plane security – Google does the control plane management (Mater VM, Scheduler, Cntroll manager, API server, etcd, CA, IAM, logging to stackdriver,) & Patching the contol plane. ● Node security – Google handles K8s comoponents, COS (Chromium OS), logging & monitoring. Autoupgarde & security patches automatically rolled out. Manage base images. – Live migration: Node auto upgrade is like adding new node and drain the work from old. ● Workloads: User need to secure workloads. Protect the secret with Cloud KMS or KMS plugin (Vault).
  • 6.
    Hardening GKE ● Disablethe Kubernetes web UI (Dashboard) ● Restrict Cluster discovery RBAC permission & binary authentication ● Restrict Traffic Among Pods with a Network Policy & Pod security policy ● Use Least Privilege Service Accounts for your Nodes ● Restrict your Node Service Account Scopes & Client Authentication Methods ● Protect node metadata & Automatically upgrade nodes ● Authorized networks & meta data concealment ● Google Container Registry (GCR) Vulnerability Scanning ● Third party container security. ● Read secuity bulletins – Vulnerabilties and solutiond
  • 7.
    GKE Istio Security Istio,a service mesh implementation, on GKE is an add-on. ● The version of Istio installed is tied to the GKE version, and you will not be able to update them independently. ● Pilot: ● Istio Auth ensures that services with sensitive data can only be accessed ● Istio RBAC provides namespace-level, service-level, and method-level access control ● Mixer: ● Istio config policy on server side not client side. ● Citadel: ● MutualTLS authentication - both service-to-service and end-user-to-service ● Automates key and certificate generation, distribution, rotation, and revocation.
  • 8.
    Anthos Security ● Single paneof glass visibility across all clusters ● Service-centric view of your infrastructure ● Configuration management & Compliance centralized ● Istio providing in-cluster mTLS and certificate management. ● 3rd party marketplace Hybrid cloud solutions: Anthos relies on Google Kubernetes Engine (GKE) and GKE On-Prem to manage Kubernetes installations in the environments
  • 9.
    Google Cloud PartnerSecurity ● Splunk ● Palo alto Networks ● Checkpoint ● F5 ● Brocade ● Nginx ● Symantec ● Cisco ● Hashicorp ● Acqua ● Blackduck ● Twistlock ● Stackrox ● & more...... With 3rd party providers, GCP Protects a wide variety of hybrid cloud solutions and data.
  • 10.