How to Prevent Your Kubernetes Cluster From Being Hacked by Nico Meisenzahl

•

0 likes•2 views

ContainerDay Security 2023

Session at ContainerDay Security 2023 on the 8th of March in Hamburg. Nico will show how to prevent your Kubernetes cluster from being hijacked by introducing you to best practices as well as useful open-source projects based on real-world examples. You’ll learn everything you need to know to build and run secure Kubernetes clusters including: - basics like shift left and container image security - ensure supply chain security - implement Kubernetes policies - introduce Kubernetes network security - rely on Container Runtime Security - many more… Don't miss this session to learn everything you need to know to securely run your Kubernetes-based workloads.

Technology

How to Prevent Your Kubernetes Cluster
From Being Hacked
ContainerDay Security 2023

Nico Meisenzahl
• Head of DevOps Consulting & Operations
at white duck
• Microsoft MVP, GitLab Hero
• Cloud Native, Kubernetes & Azure
© white duck GmbH 2023
Email: nico.meisenzahl@whiteduck.de
Twitter: @nmeisenzahl
LinkedIn: https://www.linkedin.com/in/nicomeisenzahl
Blog: https://meisenzahl.org

Why do we need to care about security?
https://www.redhat.com/en/resources/state-kubernetes-security-report
© white duck GmbH 2023

It can be quite simple …
• you don't think so?
• check out my “Hijack Kubernetes” talk
• https://github.com/nmeisenzahl/hijack-kubernetes
• recordings on Youtube
© white duck GmbH 2023

Security quick wins through the DevOps cycle
© white duck GmbH 2023

You should think about
• rely on best practices and quick wins to get started
• ensure secure application & deployment code
• build secure container images
• implement Kubernetes policies
• introduce Kubernetes network policies
• many more …
© white duck GmbH 2023

Things we will focus on today
• build secure images with Wolfi
• image verification with Cosign
• container runtime security with Tetragon
© white duck GmbH 2023

Build secure images with Wolfi
• “the first Linux (Un)distro designed for securing the
software supply chain”
• Undistro what? à Distroless v2
• provides a high-quality, build-time SBOM as standard for
all packages
• packages (based on apk) are designed to be independent
• fully declarative and reproducible build system (if you like)
© white duck GmbH 2023

Demo: Wolfi in Action
• we will build a Wolfi as base image
• compare against others (size, vulnerabilities, …)
• then build an image declarative and reproducible with
apok & melange
• more details
• https://edu.chainguard.dev/open-source/wolfi
• https://github.com/wolfi-dev
• https://github.com/chainguard-dev/melange
• https://github.com/chainguard-dev/apko
• https://github.com/chainguard-images/images/tree/main/images/node
© white duck GmbH 2023

Image verification with Cosign
• “Cosign signs OCI containers using Sigstore”
• integrated with K8s policies Cosign allows validating the
source of images
• verifying third-party images
• signing and validating your own images
• integrations are available with OPA Gatekeeper and
Kyverno
© white duck GmbH 2023

Demo: Cosign and Kyverno in Action
• we will deploy a policy
• then run signed images & sign our own
• more details
• https://kyverno.io
• https://github.com/sigstore/cosign
• https://www.sigstore.dev
© white duck GmbH 2023

Container Runtime Security with Tetragon
• “eBPF-based Security Observability and Runtime
Enforcement”
• gives you awareness into your cluster
• without that you won't know what is going on
• alerts you on malicious events and workloads
• real-time enforcement
© white duck GmbH 2023

Demo: Tetragon in Action
• we will inject into a Pod via Log4Shell
• then observe the process execution and block it
• more details
• https://github.com/cilium/tetragon
• don’t miss the workshops later today!
© white duck GmbH 2023

Questions?
• Slides
• https://www.slideshare.net/nmeisenzahl
• Demo
• https://github.com/nmeisenzahl/prevent-your-k8s-from-being-hacked
© white duck GmbH 2023
Email: nico.meisenzahl@whiteduck.de
Twitter: @nmeisenzahl
LinkedIn: https://www.linkedin.com/in/nicomeisenzahl
Blog: https://meisenzahl.org

Nico will show how to hijack a Kubernetes cluster based on common attack vectors. You'll also learn why it's important to implement zero-trust to prevent data leaks and malicious workloads from being executed on a hijacked cluster. Furthermore, he will show you how to protect your cluster from being taken over by sharing useful insights, configurations, and toolsets. This talk is not intended to be an in-depth security talk, but to provide you with best practices and also make you aware of certain attack vectors and how to prevent them.

Hijack a Kubernetes Cluster - a Walkthrough

Nico Meisenzahl

Container Days: Hijack a Kubernetes Cluster - a Walkthrough

Nico Meisenzahl

ContainerConf 2022: Hijack Kubernetes

Nico Meisenzahl

azdevcom - Hijack a Kubernetes Cluster

Nico Meisenzahl

Join Nico to learn how to enhance your Kubernetes CI/CD pipelines with GitLab FOSS/CE features as well as Open Source projects. Learn how GitLab can help you to better integrate your CI/CD pipelines with Kubernetes. Nico will talk about newer GitLab FOSS/CE features like the Web Application Firewall for Kubernetes Ingress, Monitoring and Logging as well as Serverless with Knative. Besides this, you will also learn how Open Source projects like Kaniko and Kustomize can help you to streamline your pipelines. Walk away with knowledge and best practices that will help you to enhance your own Kubernetes CI/CD Pipelines with Gitlab and Open Source!

GitLab Remote Meetup: Enhance Your Kubernetes CI/CD Pipelines with GitLab & ...

Nico Meisenzahl

Azure Service Operator - Provision Your Resources in a Cloud-Native Way

Nico Meisenzahl

In this talk, Nico will introduce you to the Azure Service Operator project. The Azure Service Operator allows you to manage your Azure resources with a cloud-native approach using a Kubernetes Controllers and Custom Resource Definitions (CRDs). We will show you how Azure Service Operator works and share how customers and partners use it to take their Azure infrastructure management to the next level. Get insights into how Azure Service Operator can help you to package your application with its infrastructure dependencies, how you can use a GitOps approach to manage your Azure infrastructure, or how Azure Service Operator allows you to create your own composable abstraction to build your own implementations and self-service solutions. Walk away and know everything you need to know to successfully provision your Azure resources with Azure Service Operator.

The Future of Workflow Automation Is Now- Hassle-Free ARM Template Deploymen...

Nico Meisenzahl

FestiveTechCalendar2021 - Have Yourself An Azure Container Registry

Philip Welz

Virtual GitLab Meetup: How Containerized Pipelines and Kubernetes Can Boost Y...

Nico Meisenzahl

Learn how to eliminate any dependencies on your CI/CD build nodes and don’t bother yourself with multiple versions of your toolchain and any corresponding constraints. Walk away with knowledge and best practices that will help you to optimize your builds and deployments with containerized pipelines! Use containerized GitLab CI/CD pipelines and Kaniko to move your build and deployment workloads into your Kubernetes cluster. Build your apps and infrastructure without any external dependencies and constraints. If you are building a Go project, deploying an app to Kubernetes or just building your infrastructure. It doesn’t matter, anything is possible! Join Nico on a deep dive into the secrets of building hassle-free containerized build and deployment pipelines with GitLab CI/CD, Kubernetes and Kaniko.

GitLab London Meetup: How Containerized Pipelines and Kubernetes Can Boost Yo...

Nico Meisenzahl

DevOps Gathering - How Containerized Pipelines Can Boost Your CI/CD

Nico Meisenzahl

Learn how to eliminate any dependencies on your CI/CD build nodes and don’t bother yourself with multiple versions of your toolchain and any corresponding constraints. Walk away with knowledge and best practices that will help you to optimize your builds and deployments with containerized pipelines! Use containerized Gitlab CI/CD pipelines and Kaniko to move your build and deployment workloads into your Kubernetes cluster. Build your apps and infrastructure without any external dependencies and constraints. You are building a Go project, deploying an app to Kubernetes or building your infrastructure. It doesn’t matter. Anything is possible! Nico will also introduce you to Tekton - an open source project which helps you building a cloud native toolchain by moving your whole CI/CD into Kubernetes. Join Nico on a deep dive into the secrets of building hassle-free containerized build and deployment pipelines with Gitlab CI/CD, Kaniko and Tekton.

Die Evolution von Container Image Builds

Nico Meisenzahl

Containerisierte Anwendungen sind zu einem wesentlichen Bestandteil unseres täglichen Lebens geworden. Wir bauen diese mehrmals täglich, sowohl innerhalb unserer CI-Pipelines als auch lokal zu Debugging- und Testzwecken. Vor einigen Jahren konnten wir hierzu nur auf "docker build" zurückgreifen. Inzwischen gibt es jedoch viele alternative Projekte, die verschiedene Funktionen und Vorteile bieten. Nico führt Sie in diesem Vortrag in die Evolution der Container-Builds ein. Sie erhalten Einblicke in Werkzeuge wie BuildKit, buildx, Kaniko, buildah, img und weitere. Neben den Unterschieden werden Sie auch die Vor- und Nachteile der einzelnen Tools kennenlernen. Nach diesem Vortrag wissen Sie alles, was Sie benötigen, um Ihre Container Builds auf die nächsten Level zu heben.

GitHub Actions 101

Nico Meisenzahl

Secure Your Code Implement DevSecOps in Azure

kloia

DevOpsCon London: How containerized Pipelines can boost your CI/CD

Nico Meisenzahl

Learn how to eliminate any dependencies on your CI/CD build nodes and don’t bother yourself with multiple versions of your toolchain and any corresponding constraints. Walk away with knowledge and best practices that will help you to optimize your builds and deployments with containerized pipelines Use containerized Gitlab CI/CD pipelines and Kaniko to move your build and deployment workloads into your Kubernetes cluster. Build your apps and infrastructure without any external dependencies and constraints. You are building a Go project, deploying an app to Kubernetes or building your infrastructure. It doesn’t matter. Anything is possible! Nico will also introduce you to Tekton – an open source project which helps you building a cloud native toolchain by moving your whole CI/CD into Kubernetes. Join Nico on a deep dive into the secrets of building hassle-free containerized build and deployment pipelines with Gitlab CI/CD, Kaniko and Tekton.

Containerized Build & Deployment Pipelines

Nico Meisenzahl

Containerized Workloads sind mittlerweile nicht mehr aus unserem Alltag wegzudenken. Warum also nicht auch Container und deren Vorteile als Grundlage unserer Build- und Deployment-Pipelines nutzen? Nico wird in seinem Talk über die Grundlagen und Vorteile von Containerized Pipelines sprechen sowie nützliche Best Practices vorstellen, die sich direkt umsetzen lassen. Darüber hinaus wird Nico die folgenden Themen anhand von Demos präsentieren und vertiefen: * Pipeline Workload auf Kubernetes mit Hilfe von Gitlab Runner * Docker Image Builds mit Kaniko * Ausblick auf Kubernetes-native Pipelines mit Tekton

Docker Rosenheim Meetup: Policy & Governance for Kubernetes

Nico Meisenzahl

Effiziente CI/CD-Pipelines – mit den richtigen Tools klappt das

Nico Meisenzahl

Lernen Sie, wie Sie mit containerisierten Pipelines Abhängigkeiten in Ihren CI/CD-Umgebung eliminieren, um sich nicht mit verschiedenen Versionen Ihrer Toolchain und Abhängigkeiten herumschlagen zu müssen. Nutzen Sie die containerisierten Gitlab CI/CD-Pipelines und Kaniko, um Build- und Deployment-Workloads in Ihrem Kubernetes-Cluster zu verlagern. Stellen Sie Ihre Microservices und/oder Infrastruktur ohne externe Abhängigkeiten und Einschränkungen bereit. Nico wird Sie auch in Tekton einführen - ein Open-Source-Projekt, das Ihnen hilft, eine Cloud-native Toolchain aufzubauen, indem Sie Ihr gesamtes CI/CD (Workload sowie Konfiguration) in Kubernetes verlagern. Begleiten Sie Nico auf einem Deep Dive in die Geheimnisse von containerisierten Build und Deployment Pipelines mit Gitlab CI/CD, Kaniko und Tekton.

AzDevCom 2022 - YAMLize your infrastructure with the Azure Service Operator a...

Philip Welz

Join this talk to learn about Azure Service Operator v2. In the first part, we will introduce Azure technologies like Azure Service Operator v2, Azure Workload Identity, and GitOps for Azure Kubernetes Service. We will explain how they are linked together to provision Azure resources from Kubernetes. In the second part, we will then show step-by-step how to deploy an application to Kubernetes together with the needed Azure resources only using Git. So don't miss joining us!

Constellation - The first always encrypted Kubernetes by Moritz Eckert

ContainerDay Security 2023

Session at ContainerDay Security 2023 on the 8th of March in Hamburg. Confidential computing is a relatively new technology that allows one to keep workloads encrypted and isolated in memory during processing. If used correctly, confidential computing can shield workloads from the underlying cloud. It's the first technology that effectively prevents data access from the cloud provider and its employees, co-tenants, and hackers coming through the infrastructure. Constellation (https://github.com/edgelesssys/constellation) is an open-source K8s distro/engine that applies the confidential-computing concept to entire K8s clusters. Constellation ensures that all data in the cluster is always encrypted - at rest, in transit, and at runtime. Constellation also provides hardware-rooted "whole cluster" attestation with which the integrity of a cluster can be verified remotely. (This process partly relies on the amazing Sigstore project.) Operations-wise, Constellation is very much vanilla K8s and should work with existing tooling. It's easy to set up and the security features are largely transparent to the DevOps engineer. To run, Constellation requires the availability of "Confidential VMs", which are available in Azure, GCP and elsewhere. In this talk, I'll give an introduction to confidential computing, discuss the motivation behind Constellation, discuss the exciting use cases, give an overview over its architecture, and show a demo.

Container Security Scanning by Timo Pagel

ContainerDay Security 2023

Session at ContainerDay Security 2023 on the 8th of March in Hamburg. The ClusterImageScanner detects images in Kubernetes clusters and provides fast feedback based on security scans. Security scans are for example image lifetime or detection of known vulnerabilities. This talk will give insights into: - The use cases of the ClusterImageScanner - The different scans - The architecture - A live demo The ClusterImageScannerScanner is OpenSource, get it from https://github.com/SDA-SE/cluster-image-scanner/.

Similar to How to Prevent Your Kubernetes Cluster From Being Hacked by Nico Meisenzahl

Continuous Lifecycle: Hijack Kubernetes

Nico Meisenzahl

Microsoft DevOps Forum 2021 – DevOps & Security

Nico Meisenzahl

Azure Rosenheim Meetup: Azure Service Operator

Nico Meisenzahl

Hijack a Kubernetes Cluster - a Walkthrough

Nico Meisenzahl

GitLab Remote Meetup: Enhance Your Kubernetes CI/CD Pipelines with GitLab & O...

Cloud Native Rosenheim Meetup

GitLab Remote Meetup: Enhance Your Kubernetes CI/CD Pipelines with GitLab & ...

Nico Meisenzahl

Azure Service Operator - Provision Your Resources in a Cloud-Native Way

Nico Meisenzahl

The Future of Workflow Automation Is Now- Hassle-Free ARM Template Deploymen...

Nico Meisenzahl

FestiveTechCalendar2021 - Have Yourself An Azure Container Registry

Philip Welz

Virtual GitLab Meetup: How Containerized Pipelines and Kubernetes Can Boost Y...

Nico Meisenzahl

GitLab London Meetup: How Containerized Pipelines and Kubernetes Can Boost Yo...

Nico Meisenzahl

DevOps Gathering - How Containerized Pipelines Can Boost Your CI/CD

Nico Meisenzahl

Learn how to eliminate any dependencies on your CI/CD build nodes and don’t bother yourself with multiple versions of your toolchain and any corresponding constraints. Walk away with knowledge and best practices that will help you to optimize your builds and deployments with containerized pipelines! Use containerized Gitlab CI/CD pipelines and Kaniko to move your build and deployment workloads into your Kubernetes cluster. Build your apps and infrastructure without any external dependencies and constraints. You are building a Go project, deploying an app to Kubernetes or building your infrastructure. It doesn’t matter. Anything is possible! Nico will also introduce you to Tekton - an open source project which helps you building a cloud native toolchain by moving your whole CI/CD into Kubernetes. Join Nico on a deep dive into the secrets of building hassle-free containerized build and deployment pipelines with Gitlab CI/CD, Kaniko and Tekton.

Die Evolution von Container Image Builds

Nico Meisenzahl

GitHub Actions 101

Nico Meisenzahl

Secure Your Code Implement DevSecOps in Azure

kloia

DevOpsCon London: How containerized Pipelines can boost your CI/CD

Nico Meisenzahl

Learn how to eliminate any dependencies on your CI/CD build nodes and don’t bother yourself with multiple versions of your toolchain and any corresponding constraints. Walk away with knowledge and best practices that will help you to optimize your builds and deployments with containerized pipelines Use containerized Gitlab CI/CD pipelines and Kaniko to move your build and deployment workloads into your Kubernetes cluster. Build your apps and infrastructure without any external dependencies and constraints. You are building a Go project, deploying an app to Kubernetes or building your infrastructure. It doesn’t matter. Anything is possible! Nico will also introduce you to Tekton – an open source project which helps you building a cloud native toolchain by moving your whole CI/CD into Kubernetes. Join Nico on a deep dive into the secrets of building hassle-free containerized build and deployment pipelines with Gitlab CI/CD, Kaniko and Tekton.

Containerized Build & Deployment Pipelines

Nico Meisenzahl

Docker Rosenheim Meetup: Policy & Governance for Kubernetes

Nico Meisenzahl

Effiziente CI/CD-Pipelines – mit den richtigen Tools klappt das

Nico Meisenzahl

AzDevCom 2022 - YAMLize your infrastructure with the Azure Service Operator a...

Philip Welz

Similar to How to Prevent Your Kubernetes Cluster From Being Hacked by Nico Meisenzahl (20)