@OtherDevOpsGene #AllThingsOpen
Keeping your
Kubernetes Cluster
Secure
Gene Gotimer
@OtherDevOpsGene
WEDNESDAY, NOVEMBER 2, 2022
KUBERNETES SECURITY
Layers
• Infrastructure
  • Hosts
  • Cluster
• Build
  • Application
  • Container images
  • Deployment code
• Runtime
  • Policies
  • Resources
  • Network
  • System calls and interaction
Infrastructure
Build
Runtime
Wrap-up
INFRASTRUCTURE
Hardening
Kubernetes Hardening Guidance,
National Security Agency (NSA) and
Cybersecurity and Infrastructure Security Agency (CISA).
• Start with the kubernetes.io article "A Closer Look at NSA/CISA Kubernetes Hardening Guidance"
Kubernetes Security Technical Implementation Guide (STIG),
Defense Information Systems Agency (DISA).
• Start with the stigviewer.com site, which renders the STIG checks as browsable web pages
CIS Kubernetes Benchmark,
Center for Internet Security (CIS),
non-government, non-profit.
https://www.cisecurity.org/benchmark/kubernetes/
Cluster
configuration
INFRASTRUCTURE
Is my Kubernetes cluster installed and configured properly?
• Use Aqua kube-bench, which runs the CIS Kubernetes Benchmark checks against a node
• On a managed cluster the control-plane (master node) checks may not apply: the provider runs those nodes, so only the worker node section is checked, as in the output below
$ kubectl logs kube-bench-kc82n
[INFO] 3 Worker Node Security Configuration
[INFO] 3.1 Worker Node Configuration Files
[PASS] 3.1.1 Ensure that the kubeconfig file permissions are set to 644 or more restrictive (Manual)
[PASS] 3.1.2 Ensure that the kubelet kubeconfig file ownership is set to root:root (Manual)
[PASS] 3.1.3 Ensure that the kubelet configuration file has permissions set to 644 or more restrictive (Manual)
[PASS] 3.1.4 Ensure that the kubelet configuration file ownership is set to root:root (Manual)
[INFO] 3.2 Kubelet
[PASS] 3.2.1 Ensure that the --anonymous-auth argument is set to false (Automated)
[PASS] 3.2.2 Ensure that the --authorization-mode argument is not set to AlwaysAllow (Automated)
[PASS] 3.2.3 Ensure that the --client-ca-file argument is set as appropriate (Manual)
[PASS] 3.2.4 Ensure that the --read-only-port argument is set to 0 (Manual)
[PASS] 3.2.5 Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Manual)
[PASS] 3.2.6 Ensure that the --protect-kernel-defaults argument is set to true (Automated)
[PASS] 3.2.7 Ensure that the --make-iptables-util-chains argument is set to true (Automated)
[PASS] 3.2.8 Ensure that the --hostname-override argument is not set (Manual)
[WARN] 3.2.9 Ensure that the --eventRecordQPS argument is set to 0 or a level which ensures appropriate event capture (Automated)
[PASS] 3.2.10 Ensure that the --rotate-certificates argument is not set to false (Manual)
[PASS] 3.2.11 Ensure that the RotateKubeletServerCertificate argument is set to true (Manual)
[INFO] 3.3 Container Optimized OS
[WARN] 3.3.1 Prefer using Container-Optimized OS when possible (Manual)
Static code analysis
BUILD
Are resources configured properly?
• Use Checkov by Bridgecrew
• Scans source code for
• Dockerfiles
• Kubernetes manifests
• Terraform
$ checkov -d manifests --quiet --compact
kubernetes scan results:
Passed checks: 1066, Failed checks: 166, Skipped checks: 0
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.sock-shop.carts
File: /manifests/01-carts-dep.yaml:2-51
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.sock-shop.carts
File: /manifests/01-carts-dep.yaml:2-51
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.sock-shop.carts
File: /manifests/01-carts-dep.yaml:2-51
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.sock-shop.carts
File: /manifests/01-carts-dep.yaml:2-51
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.sock-shop.carts
File: /manifests/01-carts-dep.yaml:2-51
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.sock-shop.carts
File: /manifests/01-carts-dep.yaml:2-51
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.sock-shop.carts
File: /manifests/01-carts-dep.yaml:2-51
Container
image
scanning
BUILD
Are there vulnerabilities or misconfigurations on the
container image?
• Use Aqua Security Trivy
• Scan images for vulnerable packages
• Scan infrastructure-as-code for misconfigurations
$ trivy config manifests/01-carts-dep.yaml
2022-10-22T15:55:21.615Z INFO Misconfiguration scanning is enabled
2022-10-22T15:55:21.806Z INFO Detected config files: 1
01-carts-dep.yaml (kubernetes)
==============================
Tests: 79 (SUCCESSES: 74, FAILURES: 5, EXCEPTIONS: 0)
Failures: 5 (UNKNOWN: 0, LOW: 3, MEDIUM: 2, HIGH: 0, CRITICAL: 0)
MEDIUM: Container 'carts' of Deployment 'carts' should set 'securityContext.allowPrivilegeEscalation' to false
════════════════════════════════════════
A program inside the container can elevate its own privileges and run as root, which might give the program control over the container and node.
See https://avd.aquasec.com/misconfig/ksv001
────────────────────────────────────────
01-carts-dep.yaml:20-45
────────────────────────────────────────
20 ┌ - name: carts
21 │ image: weaveworksdemos/carts:0.4.8
22 │ env:
23 │ - name: JAVA_OPTS
24 │ value: -Xms64m -Xmx128m -XX:+UseG1GC -Djava.security.egd=file:/dev/urandom -Dspring.zipkin.enabled=false
25 │ resources:
26 │ limits:
27 │ cpu: 300m
28 └ memory: 500Mi
..
────────────────────────────────────────
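Both Checkov and Trivy are flagging the same handful of pod-spec settings on the carts Deployment. The script below is an added example (not from the talk, Checkov or Trivy) that implements those same checks in plain Python, so you can see exactly what each finding is looking for and what the fixed manifest has to contain. The manifests are constructed dicts (the shape yaml.safe_load() returns): CARTS_BEFORE mimics the unhardened carts Deployment, CARTS_HARDENED is the same Deployment with every flagged setting corrected. The sha256 digest and the /health probe path are placeholders, not the real values.

```python
"""Static checks on a Kubernetes workload manifest, mirroring the Checkov/Trivy findings
for the carts Deployment. Added example, not code from the talk, Checkov or Trivy; the
IDs in the messages are the Checkov check IDs they correspond to. Manifests are given as
dicts (what yaml.safe_load() returns) so the example needs only the standard library."""
import copy
import sys
from typing import Dict, List

SECCOMP_OK = ("RuntimeDefault", "Localhost")


def pod_spec(manifest: Dict) -> Dict:
    """Return the PodSpec for a bare Pod or a templated workload (Deployment, DaemonSet, ...)."""
    spec = manifest.get("spec", {})
    return spec if manifest.get("kind") == "Pod" else spec.get("template", {}).get("spec", {})


def check_manifest(manifest: Dict) -> List[str]:
    """Return one '<CHECK_ID> <resource>: <advice>' line per failed check; [] means clean."""
    spec = pod_spec(manifest)
    res = f"{manifest.get('kind')}/{manifest.get('metadata', {}).get('name')}"
    pod_sc = spec.get("securityContext") or {}
    fails: List[str] = []
    # CKV_K8S_38: most workloads never call the API, so do not mount a token at all
    if spec.get("automountServiceAccountToken") is not False:
        fails.append(f"CKV_K8S_38 {res}: set automountServiceAccountToken: false on the pod spec")
    # initContainers get the hardening checks; probes only make sense on long-running containers
    for kind in ("initContainers", "containers"):
        for c in spec.get(kind, []):
            name = f"{res}/{c.get('name', '?')}"
            sc = c.get("securityContext") or {}
            if not sc and not pod_sc:
                fails.append(f"CKV_K8S_29 {name}: no securityContext on pod or container")
            # must be an explicit false; an absent field defaults to true
            if sc.get("allowPrivilegeEscalation") is not False:
                fails.append(f"CKV_K8S_20 {name}: set securityContext.allowPrivilegeEscalation: false")
            # a tag can be moved to a different image; a digest cannot
            if "@sha256:" not in c.get("image", ""):
                fails.append(f"CKV_K8S_43 {name}: pin image {c.get('image')} by digest")
            seccomp = (sc.get("seccompProfile") or pod_sc.get("seccompProfile") or {}).get("type")
            if seccomp not in SECCOMP_OK:
                fails.append(f"CKV_K8S_31 {name}: set seccompProfile.type: RuntimeDefault")
            if kind == "containers":
                for probe, check in (("livenessProbe", "CKV_K8S_8"), ("readinessProbe", "CKV_K8S_9")):
                    if probe not in c:
                        fails.append(f"{check} {name}: no {probe}")
    return fails


def failing_ids(manifest: Dict) -> List[str]:
    """Sorted, de-duplicated check IDs that failed; handy for gating in CI."""
    return sorted({line.split()[0] for line in check_manifest(manifest)})


# Constructed stand-in for manifests/01-carts-dep.yaml: same image and limits, none of the hardening.
CARTS_BEFORE = {
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "carts", "namespace": "sock-shop"},
    "spec": {"replicas": 1, "selector": {"matchLabels": {"name": "carts"}},
             "template": {"metadata": {"labels": {"name": "carts"}},
                          "spec": {"containers": [{
                              "name": "carts", "image": "weaveworksdemos/carts:0.4.8",
                              "ports": [{"containerPort": 80}],
                              "resources": {"limits": {"cpu": "300m", "memory": "500Mi"}}}]}}}}

# The same Deployment with every flagged setting fixed. The digest is a placeholder, not the real one.
CARTS_HARDENED = copy.deepcopy(CARTS_BEFORE)
_ps = CARTS_HARDENED["spec"]["template"]["spec"]
_ps["automountServiceAccountToken"] = False
_ps["securityContext"] = {"runAsNonRoot": True, "seccompProfile": {"type": "RuntimeDefault"}}
_c = _ps["containers"][0]
_c["image"] = "weaveworksdemos/carts@sha256:" + "0" * 64  # placeholder digest
_c["securityContext"] = {"allowPrivilegeEscalation": False, "readOnlyRootFilesystem": True,
                         "capabilities": {"drop": ["ALL"]}}
_c["livenessProbe"] = {"httpGet": {"path": "/health", "port": 80}}   # constructed probe path
_c["readinessProbe"] = {"httpGet": {"path": "/health", "port": 80}}

if __name__ == "__main__":
    for label, manifest in (("before", CARTS_BEFORE), ("hardened", CARTS_HARDENED)):
        problems = check_manifest(manifest)
        print(f"== {label}: {len(problems)} failed check(s)")
        print("\n".join(problems))
    # CI gate: non-zero exit if the manifest we intend to ship still fails anything
    sys.exit(1 if failing_ids(CARTS_HARDENED) else 0)
```

Run it as-is and the "before" manifest fails exactly the seven Checkov checks shown above; the hardened one passes. The real scanners check far more than this, so this is a reading aid for the findings, not a replacement for running Checkov or Trivy in the pipeline.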
$ trivy image weaveworksdemos/carts:0.4.8 --no-progress
2022-10-22T15:48:40.726Z WARN This OS version is no longer supported by the distribution: alpine 3.4.6
2022-10-22T15:48:40.726Z WARN The vulnerability detection may be insufficient because security updates are not provided
weaveworksdemos/carts:0.4.8 (alpine 3.4.6)
==========================================
Total: 40 (UNKNOWN: 0, LOW: 0, MEDIUM: 23, HIGH: 13, CRITICAL: 4)
┌──────────────┬────────────────┬──────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability │ Severity │ Installed Version │ Fixed Version │ Title │
├──────────────┼────────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ busybox │ CVE-2017-16544 │ HIGH │ 1.24.2-r12 │ 1.24.2-r13 │ busybox: Insufficient sanitization of filenames when │
│ │ │ │ │ │ autocompleting │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2017-16544 │
│ ├────────────────┼──────────┤ │ ├──────────────────────────────────────────────────────────────┤
│ │ CVE-2017-15873 │ MEDIUM │ │ │ busybox: Integer overflow in the get_next_block function │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2017-15873 │
├──────────────┼────────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ freetype │ CVE-2017-8105 │ CRITICAL │ 2.6.3-r0 │ 2.6.3-r1 │ freetype: heap-based buffer overflow related to the │
│ │ │ │ │ │ t1_decoder_parse_charstrings │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2017-8105 │
│ ├────────────────┤ │ │ ├──────────────────────────────────────────────────────────────┤
│ │ CVE-2017-8287 │ │ │ │ freetype: heap-based buffer overflow related to the │
│ │ │ │ │ │ t1_builder_close_contour function │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2017-8287 │
│ ├────────────────┼──────────┤ │ ├──────────────────────────────────────────────────────────────┤
│ │ CVE-2016-10244 │ HIGH │ │ │ freetype: parse_charstrings function in type1/t1load.c does │
│ │ │ │ │ │ not ensure that a font contains... │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2016-10244 │
Are there vulnerabilities on the container image?
• Use Anchore Grype
• Scan images for vulnerable packages
• Finds a different set of vulnerabilities than Aqua Trivy: the two use different vulnerability databases and matching rules, and Grype also reports CVEs with no fix available (blank FIXED-IN column below)
• Running both scanners is cheap; reconcile the two result sets rather than pick one
$ grype weaveworksdemos/carts:0.4.8
NAME      INSTALLED   FIXED-IN    TYPE  VULNERABILITY     SEVERITY
busybox   1.24.2-r12              apk   CVE-2021-42386    High
busybox   1.24.2-r12              apk   CVE-2018-1000500  High
busybox   1.24.2-r12              apk   CVE-2021-42379    High
busybox   1.24.2-r12              apk   CVE-2021-42381    High
busybox   1.24.2-r12              apk   CVE-2021-42384    High
busybox   1.24.2-r12  1.24.2-r13  apk   CVE-2017-15873    Medium
busybox   1.24.2-r12              apk   CVE-2018-1000517  Critical
busybox   1.24.2-r12              apk   CVE-2022-28391    High
busybox   1.24.2-r12              apk   CVE-2021-42385    High
busybox   1.24.2-r12              apk   CVE-2018-20679    High
busybox   1.24.2-r12              apk   CVE-2021-42378    High
busybox   1.24.2-r12              apk   CVE-2021-42376    Medium
busybox   1.24.2-r12  1.24.2-r13  apk   CVE-2017-16544    High
busybox   1.24.2-r12              apk   CVE-2019-5747     High
busybox   1.24.2-r12              apk   CVE-2015-9261     Medium
freetype  2.6.3-r0    2.6.3-r1    apk   CVE-2016-10244    High
freetype  2.6.3-r0                apk   CVE-2022-27404    Critical
freetype  2.6.3-r0                apk   CVE-2016-10328    Critical
freetype  2.6.3-r0                apk   CVE-2022-27405    High
freetype  2.6.3-r0                apk   CVE-2017-7857     Critical
freetype  2.6.3-r0    2.6.3-r1    apk   CVE-2017-8287     Critical
freetype  2.6.3-r0                apk   CVE-2017-7858     Critical
freetype  2.6.3-r0    2.6.3-r1    apk   CVE-2017-8105     Critical
freetype  2.6.3-r0                apk   CVE-2020-15999    Medium
Software
bill of materials
(SBOM)
BUILD
What components are in my application and
container image?
• Use Anchore Syft
• OS packages
• Libraries
• Frameworks
• Produces an SBOM in Syft's own JSON, SPDX, or CycloneDX format
$ syft weaveworksdemos/carts:0.4.8 --output json --file carts-0.4.8.json
$ grype sbom:carts-0.4.8.json
NAME      INSTALLED   FIXED-IN    TYPE  VULNERABILITY     SEVERITY
busybox   1.24.2-r12              apk   CVE-2018-20679    High
busybox   1.24.2-r12              apk   CVE-2018-1000517  Critical
busybox   1.24.2-r12              apk   CVE-2021-42381    High
busybox   1.24.2-r12  1.24.2-r13  apk   CVE-2017-16544    High
busybox   1.24.2-r12  1.24.2-r13  apk   CVE-2017-15873    Medium
busybox   1.24.2-r12              apk   CVE-2021-42386    High
busybox   1.24.2-r12              apk   CVE-2021-42385    High
busybox   1.24.2-r12              apk   CVE-2019-5747     High
busybox   1.24.2-r12              apk   CVE-2021-42376    Medium
busybox   1.24.2-r12              apk   CVE-2018-1000500  High
busybox   1.24.2-r12              apk   CVE-2022-28391    High
busybox   1.24.2-r12              apk   CVE-2021-42378    High
busybox   1.24.2-r12              apk   CVE-2015-9261     Medium
busybox   1.24.2-r12              apk   CVE-2021-42384    High
busybox   1.24.2-r12              apk   CVE-2021-42379    High
freetype  2.6.3-r0    2.6.3-r1    apk   CVE-2016-10244    High
freetype  2.6.3-r0                apk   CVE-2022-27404    Critical
freetype  2.6.3-r0                apk   CVE-2016-10328    Critical
freetype  2.6.3-r0                apk   CVE-2022-27405    High
freetype  2.6.3-r0                apk   CVE-2017-7857     Critical
freetype  2.6.3-r0    2.6.3-r1    apk   CVE-2017-8287     Critical
...
$ syft weaveworksdemos/carts:0.4.8 --output cyclonedx-json --file carts-0.4.8-dx.json
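The Grype slide notes that it finds a different set of vulnerabilities than Trivy, and the SBOM slides show the same scan driven from a Syft SBOM. In a pipeline you end up with two reports for one image and have to decide what blocks the build. The script below is an added example (not from the talk, Trivy, Grype or Syft) that flattens both JSON outputs into one keyed list, records which scanner saw each CVE, and gates on severity plus whether a fix exists. TRIVY_JSON and GRYPE_JSON are constructed from a few of the CVEs shown above, laid out in the `trivy image --format json` and `grype -o json` shapes as I know them; treat the field names as an assumption and confirm them against the versions you run.

```python
"""Merge Trivy and Grype results for one image and decide whether the build fails.
Added example, not code from the talk or either tool. TRIVY_JSON and GRYPE_JSON are
constructed from a handful of the CVEs shown above, in the `trivy image --format json`
and `grype -o json` layouts as I know them (an assumption; check against your versions)."""
import json
from typing import Dict, Tuple

Key = Tuple[str, str]          # (CVE id, package name)
RANK = {"UNKNOWN": 0, "NEGLIGIBLE": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

TRIVY_JSON = """{"Results": [{"Target": "weaveworksdemos/carts:0.4.8 (alpine 3.4.6)", "Type": "alpine",
  "Vulnerabilities": [
    {"VulnerabilityID": "CVE-2017-16544", "PkgName": "busybox", "InstalledVersion": "1.24.2-r12",
     "FixedVersion": "1.24.2-r13", "Severity": "HIGH"},
    {"VulnerabilityID": "CVE-2017-8105", "PkgName": "freetype", "InstalledVersion": "2.6.3-r0",
     "FixedVersion": "2.6.3-r1", "Severity": "CRITICAL"}]}]}"""

GRYPE_JSON = """{"matches": [
  {"vulnerability": {"id": "CVE-2017-16544", "severity": "High", "fix": {"versions": ["1.24.2-r13"], "state": "fixed"}},
   "artifact": {"name": "busybox", "version": "1.24.2-r12", "type": "apk"}},
  {"vulnerability": {"id": "CVE-2018-1000517", "severity": "Critical", "fix": {"versions": [], "state": "not-fixed"}},
   "artifact": {"name": "busybox", "version": "1.24.2-r12", "type": "apk"}},
  {"vulnerability": {"id": "CVE-2017-8105", "severity": "Critical", "fix": {"versions": ["2.6.3-r1"], "state": "fixed"}},
   "artifact": {"name": "freetype", "version": "2.6.3-r0", "type": "apk"}}]}"""


def parse_trivy(text: str) -> Dict[Key, dict]:
    """Flatten Trivy's per-target results into {(cve, pkg): finding}."""
    out: Dict[Key, dict] = {}
    for result in json.loads(text).get("Results", []):
        for v in result.get("Vulnerabilities") or []:   # key is null when a target is clean
            out[(v["VulnerabilityID"], v["PkgName"])] = {
                "severity": v["Severity"].upper(), "installed": v["InstalledVersion"],
                "fixed": v.get("FixedVersion") or None, "sources": {"trivy"}}
    return out


def parse_grype(text: str) -> Dict[Key, dict]:
    """Flatten Grype's matches into the same shape; Grype lists fixes as a version array."""
    out: Dict[Key, dict] = {}
    for m in json.loads(text).get("matches", []):
        vuln, art = m["vulnerability"], m["artifact"]
        versions = (vuln.get("fix") or {}).get("versions") or []
        out[(vuln["id"], art["name"])] = {
            "severity": vuln["severity"].upper(), "installed": art["version"],
            "fixed": versions[0] if versions else None, "sources": {"grype"}}
    return out


def merge(*reports: Dict[Key, dict]) -> Dict[Key, dict]:
    """Union the scanners: keep the higher severity and any known fix, remember who reported it."""
    merged: Dict[Key, dict] = {}
    for report in reports:
        for key, f in report.items():
            if key not in merged:
                merged[key] = {**f, "sources": set(f["sources"])}
                continue
            m = merged[key]
            m["sources"] |= f["sources"]
            if RANK[f["severity"]] > RANK[m["severity"]]:
                m["severity"] = f["severity"]
            m["fixed"] = m["fixed"] or f["fixed"]
    return merged


def gate(merged: Dict[Key, dict], fail_at: str = "HIGH", fixed_only: bool = True) -> Dict[Key, dict]:
    """Findings that should fail the build: at or above fail_at and, by default, only ones a rebuild can fix."""
    return {k: f for k, f in merged.items()
            if RANK[f["severity"]] >= RANK[fail_at] and (f["fixed"] or not fixed_only)}


if __name__ == "__main__":
    findings = merge(parse_trivy(TRIVY_JSON), parse_grype(GRYPE_JSON))
    for (cve, pkg), f in sorted(findings.items()):
        print(f"{cve:16} {pkg:10} {f['severity']:8} fix={f['fixed'] or '-':12} seen by {','.join(sorted(f['sources']))}")
    blocking = gate(findings)
    print(f"{len(blocking)} finding(s) block the build")
    raise SystemExit(1 if blocking else 0)
```

With the defaults, the two fixable findings block the build and the unfixed busybox CVE does not; run gate(findings, fixed_only=False) if your policy is to block on anything above the threshold regardless of fix availability, and gate(findings, fail_at="CRITICAL") to relax the bar.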
SBOM
monitoring
BUILD
Do any components have newly identified
vulnerabilities?
• Use OWASP Dependency-Track
• Upload and track SBOMs (CycloneDX) per project and version
• Re-evaluates every stored SBOM as vulnerability data updates, so a component that was clean at build time is flagged later without a rebuild
• Notifications when new vulnerabilities appear
Policy
enforcement
RUNTIME
Are my Kubernetes workloads and resources
following my rules?
• Use Open Policy Agent, via Gatekeeper in Kubernetes
• Validating admission controller: non-compliant resources are rejected before they are created
• Compliance rules written as Rego constraints (the example below requires every image to be pinned by digest)
$ cat allowed.yaml
apiVersion: v1
kind: Pod
metadata:
  name: opa-allowed
spec:
  containers:
  - name: opa
    image: openpolicyagent/opa:0.9.2@sha256:04ff8fce2afd1a3bc26260348e5b290e8d945b1fad4b4c16d22834c2f3a1814a
    args:
    - "run"
    - "--server"
    - "--addr=localhost:8080"
$ kubectl apply -f allowed.yaml
pod/opa-allowed created
$ cat disallowed.yaml
apiVersion: v1
kind: Pod
metadata:
  name: opa-disallowed
spec:
  initContainers:
  - name: opainit
    image: openpolicyagent/opa:0.9.2
    args:
    - "run"
    - "--server"
    - "--addr=localhost:8080"
  containers:
  - name: opa
    image: openpolicyagent/opa:0.9.2
    args:
    - "run"
    - "--server"
    - "--addr=localhost:8080"
$ kubectl apply -f disallowed.yaml
Error from server (Forbidden): error when creating "disallowed.yaml": admission webhook "validation.gatekeeper.sh" denied the request: [container-image-must-have-digest] container <opa> uses an image without a digest <openpolicyagent/opa:0.9.2>
[container-image-must-have-digest] initContainer <opainit> uses an image without a digest <openpolicyagent/opa:0.9.2>
Resource
limits
RUNTIME
Can a few containers hog too much
memory or CPU?
• Set the resource requests and limits
for memory and CPU
• Use Fairwinds Goldilocks
• Watches loads
• Makes request and limit
recommendations
RUNTIME
Network isolation
Can Kubernetes resources reach others they don't
need to?
• Use a CNI plugin that enforces NetworkPolicy (or a service mesh); NetworkPolicy objects have no effect unless the network plugin enforces them
• Build network policies: start from default-deny in each namespace and allow only the traffic a workload needs
• Network Policy editor
• https://networkpolicy.io
Monitor
behavior
RUNTIME
Are any workloads doing something unexpected
on the system?
• Use Falco
• Watches system calls (kernel module or eBPF probe) and tags events with Kubernetes metadata
• Privilege escalation
• Ownership and mode changes
• Unexpected network connections
• Expect to tune the default rules: in the output below, legitimate Gatekeeper components trigger them, so add exceptions for known-good behavior and alert on the rest
$ kubectl logs -n falco falco-zplnz
Sat Oct 22 19:53:03 2022: Falco version: 0.33.0 (x86_64)
Sat Oct 22 19:53:03 2022: Falco initialized with configuration file: /etc/falco/falco.yaml
Sat Oct 22 19:53:03 2022: Loading rules from file /etc/falco/falco_rules.yaml
Sat Oct 22 19:53:03 2022: Loading rules from file /etc/falco/falco_rules.local.yaml
Sat Oct 22 19:53:03 2022: The chosen syscall buffer dimension is: 8388608 bytes (8 MBs)
Sat Oct 22 19:53:03 2022: Starting health webserver with threadiness 2, listening on port 8765
Sat Oct 22 19:53:03 2022: Enabled event sources: syscall
Sat Oct 22 19:53:03 2022: Opening capture with Kernel module
19:53:09.668585724: Warning Docker or kubernetes client executed in container (user=<NA> user_loginuid=-1 k8s.ns=gatekeeper-system k8s.pod=gatekeeper-update-crds-hook-l5zr2 container=006eacc6d95b parent=<NA> cmdline=kubectl apply -f crds/ pid=13671 image=openpolicyagent/gatekeeper-crds:v3.10.0)
19:53:09.739647377: Notice Unexpected connection to K8s API Server from container (command=kubectl apply -f crds/ pid=13671 k8s.ns=gatekeeper-system k8s.pod=gatekeeper-update-crds-hook-l5zr2 container=006eacc6d95b image=openpolicyagent/gatekeeper-crds:v3.10.0 connection=192.168.34.30:45214->10.100.0.1:443)
19:53:21.068878529: Notice Unexpected connection to K8s API Server from container (command=manager --port=8443 --health-addr=:9090 --prometheus-port=8888 --logtostderr --log-denies=false --emit-admission-events=false --log-level=INFO --exempt-namespace=gatekeeper-system --operation=webhook --enable-external-data=false --enable-generator-resource-expansion=false --log-mutations=false --mutation-annotations=false --disable-cert-rotation=false --max-serving-threads=-1 --tls-min-version=1.3 --metrics-backend=prometheus --operation=mutation-webhook --disable-opa-builtin={http.send} pid=14628 k8s.ns=gatekeeper-system k8s.pod=gatekeeper-controller-manager-78b8774b7c-wknwm container=bb34633b4f13 image=openpolicyagent/gatekeeper:v3.10.0 connection=192.168.60.49:34346->10.100.0.1:443)
19:53:21.133021316: Notice Unexpected connection to K8s API Server from container (command=manager --audit-interval=60 --log-level=INFO --constraint-violations-limit=20 --audit-from-cache=false --audit-chunk-size=500 --audit-match-kind-only=false --emit-audit-events=false --operation=audit --operation=status --operation=mutation-status --logtostderr --health-addr=:9090 --prometheus-port=8888 --enable-external-data=false --enable-generator-resource-expansion=false --metrics-backend=prometheus --disable-cert-rotation=true pid=14691 k8s.ns=gatekeeper-system k8s.pod=gatekeeper-audit-9b7795dcf-tff44 container=c603d5981dea image=openpolicyagent/gatekeeper:v3.10.0 connection=192.168.62.41:58520->10.100.0.1:443)
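Every alert in that log came from Gatekeeper doing its job, which is the point of the "expected and unexpected behavior" takeaway: the value of Falco is in what is left after you subtract what you already expect. The script below is an added example (not from the talk or from Falco) that parses Falco's text alerts into fields and partitions them by (namespace, rule) against an allowlist. The first three lines of SAMPLE_LOG are from the output above; the fourth alert is constructed to show an application pod in sock-shop opening a connection to the API server, which nothing in that namespace should do. In production you would encode the same allowlist as exceptions in falco_rules.local.yaml rather than post-filter, but the decision logic is the same.

```python
"""Triage Falco alerts against behaviour you already expect, so only the rest needs a human.
Added example, not code from the talk or from Falco. The first three SAMPLE_LOG lines are
from the talk's Falco output; the final alert is constructed (a sock-shop pod that should
not be talking to the API server). In production, encode the same allowlist as Falco rule
exceptions instead of post-filtering; the logic is identical."""
import re
from typing import Dict, List, Set, Tuple

# "<time>: <Priority> <rule name> (<key=value fields>)"; Falco's startup banner lines do not match.
ALERT = re.compile(r"^(?P<time>\d{2}:\d{2}:\d{2}\.\d+): (?P<priority>\w+) (?P<rule>.*?) \((?P<fields>.*)\)$")
# A field key starts at the beginning or after whitespace, so "--port=8443" inside command= does not split it.
FIELD_KEY = re.compile(r"(?:^|(?<=\s))([A-Za-z_][\w.]*)=")

SAMPLE_LOG = """\
Sat Oct 22 19:53:03 2022: Falco version: 0.33.0 (x86_64)
19:53:09.668585724: Warning Docker or kubernetes client executed in container (user=<NA> user_loginuid=-1 k8s.ns=gatekeeper-system k8s.pod=gatekeeper-update-crds-hook-l5zr2 container=006eacc6d95b parent=<NA> cmdline=kubectl apply -f crds/ pid=13671 image=openpolicyagent/gatekeeper-crds:v3.10.0)
19:53:09.739647377: Notice Unexpected connection to K8s API Server from container (command=kubectl apply -f crds/ pid=13671 k8s.ns=gatekeeper-system k8s.pod=gatekeeper-update-crds-hook-l5zr2 container=006eacc6d95b image=openpolicyagent/gatekeeper-crds:v3.10.0 connection=192.168.34.30:45214->10.100.0.1:443)
19:55:42.000000000: Notice Unexpected connection to K8s API Server from container (command=curl -sk https://10.100.0.1:443/api pid=4242 k8s.ns=sock-shop k8s.pod=carts-7c9d8f6b5-x2k9p container=0123456789ab image=weaveworksdemos/carts:0.4.8 connection=192.168.40.12:51000->10.100.0.1:443)
"""

# (namespace, rule) pairs that are normal for this cluster: Gatekeeper must reach the API server.
EXPECTED: Set[Tuple[str, str]] = {
    ("gatekeeper-system", "Unexpected connection to K8s API Server from container"),
    ("gatekeeper-system", "Docker or kubernetes client executed in container"),
}


def parse_fields(text: str) -> Dict[str, str]:
    """Split 'k=v k2=v v v k3=v' into a dict; values may contain spaces and '='."""
    keys = list(FIELD_KEY.finditer(text))
    fields: Dict[str, str] = {}
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(text)
        fields[m.group(1)] = text[m.end():end].strip()
    return fields


def parse_falco(log: str) -> List[dict]:
    """Return one dict per alert line; non-alert lines (banner, rule loading) are skipped."""
    alerts = []
    for line in log.splitlines():
        m = ALERT.match(line)
        if m:
            alerts.append({"time": m["time"], "priority": m["priority"], "rule": m["rule"].strip(),
                           "fields": parse_fields(m["fields"])})
    return alerts


def triage(alerts: List[dict], expected: Set[Tuple[str, str]]) -> Tuple[List[dict], List[dict]]:
    """Partition alerts into (expected, needs attention) by (namespace, rule)."""
    ok, attention = [], []
    for a in alerts:
        (ok if (a["fields"].get("k8s.ns"), a["rule"]) in expected else attention).append(a)
    return ok, attention


if __name__ == "__main__":
    ok, attention = triage(parse_falco(SAMPLE_LOG), EXPECTED)
    print(f"{len(ok)} expected alert(s) suppressed")
    for a in attention:
        f = a["fields"]
        print(f"{a['priority']}: {a['rule']} ns={f.get('k8s.ns')} pod={f.get('k8s.pod')} "
              f"image={f.get('image')} cmd={f.get('command') or f.get('cmdline')} conn={f.get('connection')}")
```

Keying the allowlist on namespace plus rule is deliberately coarse; for a real cluster, narrow it to the image or the service account as well, otherwise anything an attacker lands in gatekeeper-system inherits the exemption.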
WRAP-UP
Key takeaways
• Enforce the principle of least privilege.
• Keep everything up to date.
• Scan your container images frequently,
before and after deployment.
• Monitor your systems for expected and
unexpected behavior.
• And disk space.
WRAP-UP
Reading list
Kubernetes Hardening Guidance,
National Security Agency (NSA) and
Cybersecurity and Infrastructure Security Agency (CISA).
https://media.defense.gov/2021/Aug/03/2002820425/-1/-1/1/CTR_KUBERNETES%20HARDENING%20GUIDANCE.PDF
A Closer Look at NSA/CISA Kubernetes Hardening Guidance,
Jim Angel, Pushkar Joglekar, and Savitha Raghunathan.
https://kubernetes.io/blog/2021/10/05/nsa-cisa-kubernetes-hardening-guidance/
Kubernetes Security Technical Implementation Guide (STIG),
Defense Information Systems Agency (DISA).
https://public.cyber.mil/stigs/downloads/
CIS Kubernetes Benchmark,
Center for Internet Security (CIS).
https://www.cisecurity.org/benchmark/kubernetes/
WRAP-UP
Tools
Aqua Security kube-bench:
https://github.com/aquasecurity/kube-bench
Checkov by Bridgecrew: https://github.com/bridgecrewio/checkov
Aqua Security Trivy: https://github.com/aquasecurity/trivy
Anchore Grype: https://github.com/anchore/grype
Anchore Syft: https://github.com/anchore/syft
OWASP Dependency-Track: https://dependencytrack.org
Open Policy Agent (used via Gatekeeper in the demo): https://www.openpolicyagent.org
Fairwinds Goldilocks: https://github.com/fairwindsops/goldilocks
Network Policy Editor: https://networkpolicy.io
Falco: https://falco.org
Questions?
Dive into DevOps | March, Building with Terraform, Volodymyr Tsap
 

More from Gene Gotimer

How I Learned to Stop Worrying and Love Legacy Code
How I Learned to Stop Worrying and Love Legacy CodeHow I Learned to Stop Worrying and Love Legacy Code
How I Learned to Stop Worrying and Love Legacy Code
Gene Gotimer
 
Ten Ways To Doom Your DevOps
Ten Ways To Doom Your DevOpsTen Ways To Doom Your DevOps
Ten Ways To Doom Your DevOps
Gene Gotimer
 
Keeping your Kubernetes Cluster Secure
Keeping your Kubernetes Cluster SecureKeeping your Kubernetes Cluster Secure
Keeping your Kubernetes Cluster Secure
Gene Gotimer
 
Explain DevOps To Me Like I’m Five: DevOps for Managers
Explain DevOps To Me Like I’m Five: DevOps for ManagersExplain DevOps To Me Like I’m Five: DevOps for Managers
Explain DevOps To Me Like I’m Five: DevOps for Managers
Gene Gotimer
 
Keeping your Kubernetes Cluster Secure
Keeping your Kubernetes Cluster SecureKeeping your Kubernetes Cluster Secure
Keeping your Kubernetes Cluster Secure
Gene Gotimer
 
Creative Solutions to Already Solved Problems II
Creative Solutions to Already Solved Problems IICreative Solutions to Already Solved Problems II
Creative Solutions to Already Solved Problems II
Gene Gotimer
 
Creative Solutions to Already Solved Problems
Creative Solutions to Already Solved ProblemsCreative Solutions to Already Solved Problems
Creative Solutions to Already Solved Problems
Gene Gotimer
 
Get to Green: How to Safely Refactor Legacy Code
Get to Green: How to Safely Refactor Legacy CodeGet to Green: How to Safely Refactor Legacy Code
Get to Green: How to Safely Refactor Legacy Code
Gene Gotimer
 
DevOps for Leadership
DevOps for LeadershipDevOps for Leadership
DevOps for Leadership
Gene Gotimer
 
Pyramid Discussion: DevOps Adoption in Large, Slow Organizations
Pyramid Discussion: DevOps Adoption in Large, Slow OrganizationsPyramid Discussion: DevOps Adoption in Large, Slow Organizations
Pyramid Discussion: DevOps Adoption in Large, Slow Organizations
Gene Gotimer
 
A better faster pipeline for software delivery, even in the government
A better faster pipeline for software delivery, even in the governmentA better faster pipeline for software delivery, even in the government
A better faster pipeline for software delivery, even in the government
Gene Gotimer
 
Building the Pipeline of My Dreams
Building the Pipeline of My DreamsBuilding the Pipeline of My Dreams
Building the Pipeline of My Dreams
Gene Gotimer
 
Tests Your Pipeline Might Be Missing
Tests Your Pipeline Might Be MissingTests Your Pipeline Might Be Missing
Tests Your Pipeline Might Be Missing
Gene Gotimer
 
A Definition of Done for DevSecOps
A Definition of Done for DevSecOpsA Definition of Done for DevSecOps
A Definition of Done for DevSecOps
Gene Gotimer
 
A Better, Faster Pipeline for Software Delivery
A Better, Faster Pipeline for Software DeliveryA Better, Faster Pipeline for Software Delivery
A Better, Faster Pipeline for Software Delivery
Gene Gotimer
 
Open Source Security Tools for the Pipeline
Open Source Security Tools for the PipelineOpen Source Security Tools for the Pipeline
Open Source Security Tools for the Pipeline
Gene Gotimer
 
Which Development Metrics Should I Watch?
Which Development Metrics Should I Watch?Which Development Metrics Should I Watch?
Which Development Metrics Should I Watch?
Gene Gotimer
 
Add Security Testing Tools to Your Delivery Pipeline
Add Security Testing Tools to Your Delivery PipelineAdd Security Testing Tools to Your Delivery Pipeline
Add Security Testing Tools to Your Delivery Pipeline
Gene Gotimer
 
Testing in a Continuous Delivery Pipeline - Better, Faster, Cheaper
Testing in a Continuous Delivery Pipeline - Better, Faster, CheaperTesting in a Continuous Delivery Pipeline - Better, Faster, Cheaper
Testing in a Continuous Delivery Pipeline - Better, Faster, Cheaper
Gene Gotimer
 
Experiences Bringing CD to a DoD Project
Experiences Bringing CD to a DoD ProjectExperiences Bringing CD to a DoD Project
Experiences Bringing CD to a DoD Project
Gene Gotimer
 

More from Gene Gotimer (20)

How I Learned to Stop Worrying and Love Legacy Code
How I Learned to Stop Worrying and Love Legacy CodeHow I Learned to Stop Worrying and Love Legacy Code
How I Learned to Stop Worrying and Love Legacy Code
 
Ten Ways To Doom Your DevOps
Ten Ways To Doom Your DevOpsTen Ways To Doom Your DevOps
Ten Ways To Doom Your DevOps
 
Keeping your Kubernetes Cluster Secure
Keeping your Kubernetes Cluster SecureKeeping your Kubernetes Cluster Secure
Keeping your Kubernetes Cluster Secure
 
Explain DevOps To Me Like I’m Five: DevOps for Managers
Explain DevOps To Me Like I’m Five: DevOps for ManagersExplain DevOps To Me Like I’m Five: DevOps for Managers
Explain DevOps To Me Like I’m Five: DevOps for Managers
 
Keeping your Kubernetes Cluster Secure
Keeping your Kubernetes Cluster SecureKeeping your Kubernetes Cluster Secure
Keeping your Kubernetes Cluster Secure
 
Creative Solutions to Already Solved Problems II
Creative Solutions to Already Solved Problems IICreative Solutions to Already Solved Problems II
Creative Solutions to Already Solved Problems II
 
Creative Solutions to Already Solved Problems
Creative Solutions to Already Solved ProblemsCreative Solutions to Already Solved Problems
Creative Solutions to Already Solved Problems
 
Get to Green: How to Safely Refactor Legacy Code
Get to Green: How to Safely Refactor Legacy CodeGet to Green: How to Safely Refactor Legacy Code
Get to Green: How to Safely Refactor Legacy Code
 
DevOps for Leadership
DevOps for LeadershipDevOps for Leadership
DevOps for Leadership
 
Pyramid Discussion: DevOps Adoption in Large, Slow Organizations
Pyramid Discussion: DevOps Adoption in Large, Slow OrganizationsPyramid Discussion: DevOps Adoption in Large, Slow Organizations
Pyramid Discussion: DevOps Adoption in Large, Slow Organizations
 
A better faster pipeline for software delivery, even in the government
A better faster pipeline for software delivery, even in the governmentA better faster pipeline for software delivery, even in the government
A better faster pipeline for software delivery, even in the government
 
Building the Pipeline of My Dreams
Building the Pipeline of My DreamsBuilding the Pipeline of My Dreams
Building the Pipeline of My Dreams
 
Tests Your Pipeline Might Be Missing
Tests Your Pipeline Might Be MissingTests Your Pipeline Might Be Missing
Tests Your Pipeline Might Be Missing
 
A Definition of Done for DevSecOps
A Definition of Done for DevSecOpsA Definition of Done for DevSecOps
A Definition of Done for DevSecOps
 
A Better, Faster Pipeline for Software Delivery
A Better, Faster Pipeline for Software DeliveryA Better, Faster Pipeline for Software Delivery
A Better, Faster Pipeline for Software Delivery
 
Open Source Security Tools for the Pipeline
Open Source Security Tools for the PipelineOpen Source Security Tools for the Pipeline
Open Source Security Tools for the Pipeline
 
Which Development Metrics Should I Watch?
Which Development Metrics Should I Watch?Which Development Metrics Should I Watch?
Which Development Metrics Should I Watch?
 
Add Security Testing Tools to Your Delivery Pipeline
Add Security Testing Tools to Your Delivery PipelineAdd Security Testing Tools to Your Delivery Pipeline
Add Security Testing Tools to Your Delivery Pipeline
 
Testing in a Continuous Delivery Pipeline - Better, Faster, Cheaper
Testing in a Continuous Delivery Pipeline - Better, Faster, CheaperTesting in a Continuous Delivery Pipeline - Better, Faster, Cheaper
Testing in a Continuous Delivery Pipeline - Better, Faster, Cheaper
 
Experiences Bringing CD to a DoD Project
Experiences Bringing CD to a DoD ProjectExperiences Bringing CD to a DoD Project
Experiences Bringing CD to a DoD Project
 

Recently uploaded

Climate Science Flows: Enabling Petabyte-Scale Climate Analysis with the Eart...
Climate Science Flows: Enabling Petabyte-Scale Climate Analysis with the Eart...Climate Science Flows: Enabling Petabyte-Scale Climate Analysis with the Eart...
Climate Science Flows: Enabling Petabyte-Scale Climate Analysis with the Eart...
Globus
 
OpenMetadata Community Meeting - 5th June 2024
OpenMetadata Community Meeting - 5th June 2024OpenMetadata Community Meeting - 5th June 2024
OpenMetadata Community Meeting - 5th June 2024
OpenMetadata
 
Text-Summarization-of-Breaking-News-Using-Fine-tuning-BART-Model.pptx
Text-Summarization-of-Breaking-News-Using-Fine-tuning-BART-Model.pptxText-Summarization-of-Breaking-News-Using-Fine-tuning-BART-Model.pptx
Text-Summarization-of-Breaking-News-Using-Fine-tuning-BART-Model.pptx
ShamsuddeenMuhammadA
 
GOING AOT WITH GRAALVM FOR SPRING BOOT (SPRING IO)
GOING AOT WITH GRAALVM FOR  SPRING BOOT (SPRING IO)GOING AOT WITH GRAALVM FOR  SPRING BOOT (SPRING IO)
GOING AOT WITH GRAALVM FOR SPRING BOOT (SPRING IO)
Alina Yurenko
 
Globus Compute Introduction - GlobusWorld 2024
Globus Compute Introduction - GlobusWorld 2024Globus Compute Introduction - GlobusWorld 2024
Globus Compute Introduction - GlobusWorld 2024
Globus
 
Top Features to Include in Your Winzo Clone App for Business Growth (4).pptx
Top Features to Include in Your Winzo Clone App for Business Growth (4).pptxTop Features to Include in Your Winzo Clone App for Business Growth (4).pptx
Top Features to Include in Your Winzo Clone App for Business Growth (4).pptx
rickgrimesss22
 
Vitthal Shirke Java Microservices Resume.pdf
Vitthal Shirke Java Microservices Resume.pdfVitthal Shirke Java Microservices Resume.pdf
Vitthal Shirke Java Microservices Resume.pdf
Vitthal Shirke
 
Cracking the code review at SpringIO 2024
Cracking the code review at SpringIO 2024Cracking the code review at SpringIO 2024
Cracking the code review at SpringIO 2024
Paco van Beckhoven
 
AI Pilot Review: The World’s First Virtual Assistant Marketing Suite
AI Pilot Review: The World’s First Virtual Assistant Marketing SuiteAI Pilot Review: The World’s First Virtual Assistant Marketing Suite
AI Pilot Review: The World’s First Virtual Assistant Marketing Suite
Google
 
AI Fusion Buddy Review: Brand New, Groundbreaking Gemini-Powered AI App
AI Fusion Buddy Review: Brand New, Groundbreaking Gemini-Powered AI AppAI Fusion Buddy Review: Brand New, Groundbreaking Gemini-Powered AI App
AI Fusion Buddy Review: Brand New, Groundbreaking Gemini-Powered AI App
Google
 
Pro Unity Game Development with C-sharp Book
Pro Unity Game Development with C-sharp BookPro Unity Game Development with C-sharp Book
Pro Unity Game Development with C-sharp Book
abdulrafaychaudhry
 
Enterprise Resource Planning System in Telangana
Enterprise Resource Planning System in TelanganaEnterprise Resource Planning System in Telangana
Enterprise Resource Planning System in Telangana
NYGGS Automation Suite
 
In 2015, I used to write extensions for Joomla, WordPress, phpBB3, etc and I ...
In 2015, I used to write extensions for Joomla, WordPress, phpBB3, etc and I ...In 2015, I used to write extensions for Joomla, WordPress, phpBB3, etc and I ...
In 2015, I used to write extensions for Joomla, WordPress, phpBB3, etc and I ...
Juraj Vysvader
 
A Sighting of filterA in Typelevel Rite of Passage
A Sighting of filterA in Typelevel Rite of PassageA Sighting of filterA in Typelevel Rite of Passage
A Sighting of filterA in Typelevel Rite of Passage
Philip Schwarz
 
May Marketo Masterclass, London MUG May 22 2024.pdf
May Marketo Masterclass, London MUG May 22 2024.pdfMay Marketo Masterclass, London MUG May 22 2024.pdf
May Marketo Masterclass, London MUG May 22 2024.pdf
Adele Miller
 
AI Genie Review: World’s First Open AI WordPress Website Creator
AI Genie Review: World’s First Open AI WordPress Website CreatorAI Genie Review: World’s First Open AI WordPress Website Creator
AI Genie Review: World’s First Open AI WordPress Website Creator
Google
 
APIs for Browser Automation (MoT Meetup 2024)
APIs for Browser Automation (MoT Meetup 2024)APIs for Browser Automation (MoT Meetup 2024)
APIs for Browser Automation (MoT Meetup 2024)
Boni García
 
Automated software refactoring with OpenRewrite and Generative AI.pptx.pdf
Automated software refactoring with OpenRewrite and Generative AI.pptx.pdfAutomated software refactoring with OpenRewrite and Generative AI.pptx.pdf
Automated software refactoring with OpenRewrite and Generative AI.pptx.pdf
timtebeek1
 
Quarkus Hidden and Forbidden Extensions
Quarkus Hidden and Forbidden ExtensionsQuarkus Hidden and Forbidden Extensions
Quarkus Hidden and Forbidden Extensions
Max Andersen
 
Introduction to Pygame (Lecture 7 Python Game Development)
Introduction to Pygame (Lecture 7 Python Game Development)Introduction to Pygame (Lecture 7 Python Game Development)
Introduction to Pygame (Lecture 7 Python Game Development)
abdulrafaychaudhry
 

Recently uploaded (20)

Climate Science Flows: Enabling Petabyte-Scale Climate Analysis with the Eart...
Climate Science Flows: Enabling Petabyte-Scale Climate Analysis with the Eart...Climate Science Flows: Enabling Petabyte-Scale Climate Analysis with the Eart...
Climate Science Flows: Enabling Petabyte-Scale Climate Analysis with the Eart...
 
OpenMetadata Community Meeting - 5th June 2024
OpenMetadata Community Meeting - 5th June 2024OpenMetadata Community Meeting - 5th June 2024
OpenMetadata Community Meeting - 5th June 2024
 
Text-Summarization-of-Breaking-News-Using-Fine-tuning-BART-Model.pptx
Text-Summarization-of-Breaking-News-Using-Fine-tuning-BART-Model.pptxText-Summarization-of-Breaking-News-Using-Fine-tuning-BART-Model.pptx
Text-Summarization-of-Breaking-News-Using-Fine-tuning-BART-Model.pptx
 
GOING AOT WITH GRAALVM FOR SPRING BOOT (SPRING IO)
GOING AOT WITH GRAALVM FOR  SPRING BOOT (SPRING IO)GOING AOT WITH GRAALVM FOR  SPRING BOOT (SPRING IO)
GOING AOT WITH GRAALVM FOR SPRING BOOT (SPRING IO)
 
Globus Compute Introduction - GlobusWorld 2024
Globus Compute Introduction - GlobusWorld 2024Globus Compute Introduction - GlobusWorld 2024
Globus Compute Introduction - GlobusWorld 2024
 
Top Features to Include in Your Winzo Clone App for Business Growth (4).pptx
Top Features to Include in Your Winzo Clone App for Business Growth (4).pptxTop Features to Include in Your Winzo Clone App for Business Growth (4).pptx
Top Features to Include in Your Winzo Clone App for Business Growth (4).pptx
 
Vitthal Shirke Java Microservices Resume.pdf
Vitthal Shirke Java Microservices Resume.pdfVitthal Shirke Java Microservices Resume.pdf
Vitthal Shirke Java Microservices Resume.pdf
 
Cracking the code review at SpringIO 2024
Cracking the code review at SpringIO 2024Cracking the code review at SpringIO 2024
Cracking the code review at SpringIO 2024
 
AI Pilot Review: The World’s First Virtual Assistant Marketing Suite
AI Pilot Review: The World’s First Virtual Assistant Marketing SuiteAI Pilot Review: The World’s First Virtual Assistant Marketing Suite
AI Pilot Review: The World’s First Virtual Assistant Marketing Suite
 
AI Fusion Buddy Review: Brand New, Groundbreaking Gemini-Powered AI App
AI Fusion Buddy Review: Brand New, Groundbreaking Gemini-Powered AI AppAI Fusion Buddy Review: Brand New, Groundbreaking Gemini-Powered AI App
AI Fusion Buddy Review: Brand New, Groundbreaking Gemini-Powered AI App
 
Pro Unity Game Development with C-sharp Book
Pro Unity Game Development with C-sharp BookPro Unity Game Development with C-sharp Book
Pro Unity Game Development with C-sharp Book
 
Enterprise Resource Planning System in Telangana
Enterprise Resource Planning System in TelanganaEnterprise Resource Planning System in Telangana
Enterprise Resource Planning System in Telangana
 
In 2015, I used to write extensions for Joomla, WordPress, phpBB3, etc and I ...
In 2015, I used to write extensions for Joomla, WordPress, phpBB3, etc and I ...In 2015, I used to write extensions for Joomla, WordPress, phpBB3, etc and I ...
In 2015, I used to write extensions for Joomla, WordPress, phpBB3, etc and I ...
 
A Sighting of filterA in Typelevel Rite of Passage
A Sighting of filterA in Typelevel Rite of PassageA Sighting of filterA in Typelevel Rite of Passage
A Sighting of filterA in Typelevel Rite of Passage
 
May Marketo Masterclass, London MUG May 22 2024.pdf
May Marketo Masterclass, London MUG May 22 2024.pdfMay Marketo Masterclass, London MUG May 22 2024.pdf
May Marketo Masterclass, London MUG May 22 2024.pdf
 
AI Genie Review: World’s First Open AI WordPress Website Creator
AI Genie Review: World’s First Open AI WordPress Website CreatorAI Genie Review: World’s First Open AI WordPress Website Creator
AI Genie Review: World’s First Open AI WordPress Website Creator
 
APIs for Browser Automation (MoT Meetup 2024)
APIs for Browser Automation (MoT Meetup 2024)APIs for Browser Automation (MoT Meetup 2024)
APIs for Browser Automation (MoT Meetup 2024)
 
Automated software refactoring with OpenRewrite and Generative AI.pptx.pdf
Automated software refactoring with OpenRewrite and Generative AI.pptx.pdfAutomated software refactoring with OpenRewrite and Generative AI.pptx.pdf
Automated software refactoring with OpenRewrite and Generative AI.pptx.pdf
 
Quarkus Hidden and Forbidden Extensions
Quarkus Hidden and Forbidden ExtensionsQuarkus Hidden and Forbidden Extensions
Quarkus Hidden and Forbidden Extensions
 
Introduction to Pygame (Lecture 7 Python Game Development)
Introduction to Pygame (Lecture 7 Python Game Development)Introduction to Pygame (Lecture 7 Python Game Development)
Introduction to Pygame (Lecture 7 Python Game Development)
 

Keeping Your Kubernetes Cluster Secure

  • 1. Keeping your Kubernetes Cluster Secure
    Gene Gotimer, @OtherDevOpsGene
    WEDNESDAY, NOVEMBER 2, 2022
  • 2. KUBERNETES SECURITY: Layers
    • Infrastructure
      • Hosts
      • Cluster
    • Build
      • Application
      • Container images
      • Deployment code
    • Runtime
      • Policies
      • Resources
      • Network
      • System calls and interaction
  • 4. INFRASTRUCTURE: Hardening
    Kubernetes Hardening Guidance, National Security Agency (NSA) and Cybersecurity and Infrastructure Security Agency (CISA).
    • Start with the kubernetes.io article
    Kubernetes Security Technical Implementation Guide, Cybersecurity and Infrastructure Security Agency (CISA).
    • Start with the stigviewer.com client.
    CIS Kubernetes Benchmark, Center for Internet Security (CIS), non-government, non-profit.
    https://www.cisecurity.org/benchmark/kubernetes/
  • 5. INFRASTRUCTURE: Cluster configuration
    Is my Kubernetes cluster installed and configured properly?
    • Use Aqua kube-bench
    • May not apply to master nodes
  • 6. INFRASTRUCTURE: Cluster configuration
    $ kubectl logs kube-bench-kc82n
    [INFO] 3 Worker Node Security Configuration
    [INFO] 3.1 Worker Node Configuration Files
    [PASS] 3.1.1 Ensure that the kubeconfig file permissions are set to 644 or more restrictive (Manual)
    [PASS] 3.1.2 Ensure that the kubelet kubeconfig file ownership is set to root:root (Manual)
    [PASS] 3.1.3 Ensure that the kubelet configuration file has permissions set to 644 or more restrictive (Manual)
    [PASS] 3.1.4 Ensure that the kubelet configuration file ownership is set to root:root (Manual)
    [INFO] 3.2 Kubelet
    [PASS] 3.2.1 Ensure that the --anonymous-auth argument is set to false (Automated)
    [PASS] 3.2.2 Ensure that the --authorization-mode argument is not set to AlwaysAllow (Automated)
    [PASS] 3.2.3 Ensure that the --client-ca-file argument is set as appropriate (Manual)
    [PASS] 3.2.4 Ensure that the --read-only-port argument is set to 0 (Manual)
    [PASS] 3.2.5 Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Manual)
    [PASS] 3.2.6 Ensure that the --protect-kernel-defaults argument is set to true (Automated)
    [PASS] 3.2.7 Ensure that the --make-iptables-util-chains argument is set to true (Automated)
    [PASS] 3.2.8 Ensure that the --hostname-override argument is not set (Manual)
    [WARN] 3.2.9 Ensure that the --eventRecordQPS argument is set to 0 or a level which ensures appropriate event capture (Automated)
    [PASS] 3.2.10 Ensure that the --rotate-certificates argument is not set to false (Manual)
    [PASS] 3.2.11 Ensure that the RotateKubeletServerCertificate argument is set to true (Manual)
    [INFO] 3.3 Container Optimized OS
    [WARN] 3.3.1 Prefer using Container-Optimized OS when possible (Manual)
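The kube-bench output above reports on the kubelet's settings one check at a time; the configuration that makes those checks pass is easier to reason about in one place. The following KubeletConfiguration is an added example, not part of the slides or of kube-bench: each field is annotated with the 3.2.x check it satisfies. The CA file path and the idle timeout value are assumptions to adjust for your distribution.

```yaml
# Added example: kubelet configuration mapped to the kube-bench section 3.2 checks.
# Not from the slides. Paths and timeout values are assumptions.
apiVersion: kubelet.config.k8s.io/v1beta1
kind: KubeletConfiguration
authentication:
  anonymous:
    enabled: false                      # 3.2.1  --anonymous-auth=false
  webhook:
    enabled: true                       # bearer tokens are checked against the API server
  x509:
    clientCAFile: /etc/kubernetes/pki/ca.crt   # 3.2.3  --client-ca-file (path assumed)
authorization:
  mode: Webhook                         # 3.2.2  anything but AlwaysAllow
readOnlyPort: 0                         # 3.2.4  closes the unauthenticated read-only port
streamingConnectionIdleTimeout: 4h      # 3.2.5  must not be 0 (0 disables the timeout)
protectKernelDefaults: true             # 3.2.6  fail if kernel tunables differ from kubelet defaults
makeIPTablesUtilChains: true            # 3.2.7  kubelet keeps its iptables utility chains
# 3.2.8: --hostname-override is a command-line flag, not a config field; leave it unset.
eventRecordQPS: 5                       # 3.2.9  non-zero rate limit; 0 would mean unlimited
rotateCertificates: true                # 3.2.10 rotate the client certificate before expiry
serverTLSBootstrap: true                # 3.2.11 request the serving certificate from the API server
featureGates:
  RotateKubeletServerCertificate: true  # 3.2.11 set explicitly so the check is unambiguous
```

The file is referenced from the kubelet with --config; the 3.1.x checks then apply to this file's permissions (644 or tighter) and ownership (root:root).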
  • 8. BUILD: Static code analysis
    Are resources configured properly?
    • Use Checkov by Bridgecrew
    • Scans source code for
      • Dockerfiles
      • Kubernetes manifests
      • Terraform
  • 9. BUILD: Static code analysis
    $ checkov -d manifests --quiet --compact
    kubernetes scan results:

    Passed checks: 1066, Failed checks: 166, Skipped checks: 0

    Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
        FAILED for resource: Deployment.sock-shop.carts
        File: /manifests/01-carts-dep.yaml:2-51
    Check: CKV_K8S_43: "Image should use digest"
        FAILED for resource: Deployment.sock-shop.carts
        File: /manifests/01-carts-dep.yaml:2-51
    Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
        FAILED for resource: Deployment.sock-shop.carts
        File: /manifests/01-carts-dep.yaml:2-51
    Check: CKV_K8S_29: "Apply security context to your pods and containers"
        FAILED for resource: Deployment.sock-shop.carts
        File: /manifests/01-carts-dep.yaml:2-51
    Check: CKV_K8S_8: "Liveness Probe Should be Configured"
        FAILED for resource: Deployment.sock-shop.carts
        File: /manifests/01-carts-dep.yaml:2-51
    Check: CKV_K8S_9: "Readiness Probe Should be Configured"
        FAILED for resource: Deployment.sock-shop.carts
        File: /manifests/01-carts-dep.yaml:2-51
    Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
        FAILED for resource: Deployment.sock-shop.carts
        File: /manifests/01-carts-dep.yaml:2-51
  • 10. BUILD: Container image scanning
    Are there vulnerabilities or misconfigurations on the container image?
    • Use Aqua Security Trivy
    • Scan images for vulnerable packages
    • Scan infrastructure-as-code for misconfigurations
  • 11. BUILD: Container image scanning
    $ trivy config manifests/01-carts-dep.yaml
    2022-10-22T15:55:21.615Z INFO Misconfiguration scanning is enabled
    2022-10-22T15:55:21.806Z INFO Detected config files: 1

    01-carts-dep.yaml (kubernetes)
    ==============================
    Tests: 79 (SUCCESSES: 74, FAILURES: 5, EXCEPTIONS: 0)
    Failures: 5 (UNKNOWN: 0, LOW: 3, MEDIUM: 2, HIGH: 0, CRITICAL: 0)

    MEDIUM: Container 'carts' of Deployment 'carts' should set 'securityContext.allowPrivilegeEscalation' to false
    ════════════════════════════════════════
    A program inside the container can elevate its own privileges and run as root, which might give the program control over the container and node.

    See https://avd.aquasec.com/misconfig/ksv001
    ────────────────────────────────────────
     01-carts-dep.yaml:20-45
    ────────────────────────────────────────
      20 ┌       - name: carts
      21 │         image: weaveworksdemos/carts:0.4.8
      22 │         env:
      23 │         - name: JAVA_OPTS
      24 │           value: -Xms64m -Xmx128m -XX:+UseG1GC -Djava.security.egd=file:/dev/urandom -Dspring.zipkin.enabled=false
      25 │         resources:
      26 │           limits:
      27 │             cpu: 300m
      28 └             memory: 500Mi
      ..
    ────────────────────────────────────────
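Checkov (slide 9) and Trivy's misconfiguration scan (slide 11) flag the same carts Deployment for the same class of problems: no security context, privilege escalation allowed, no seccomp profile, an unpinned image, a mounted service account token, and no probes. The manifest below is an added example of one hardened form that clears those findings; it is not the sock-shop project's own manifest. The image name, the JAVA_OPTS value and the CPU/memory limits are taken from the scan output above; the digest placeholder, port 80, the user id 10001, the /health probe path and the writable /tmp mount are assumptions to adjust for the real image.

```yaml
# Added example: a hardened version of the carts Deployment addressing the
# Checkov (CKV_K8S_*) and Trivy (KSV001) findings. Not the project's manifest.
# Assumed values: image digest, port 80, uid 10001, /health, writable /tmp.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: carts
  namespace: sock-shop
  labels:
    name: carts
spec:
  replicas: 1
  selector:
    matchLabels:
      name: carts
  template:
    metadata:
      labels:
        name: carts
    spec:
      automountServiceAccountToken: false   # CKV_K8S_38: carts never calls the API server
      securityContext:                      # CKV_K8S_29: pod-level security context
        runAsNonRoot: true
        runAsUser: 10001                    # assumed unprivileged uid present in the image
        seccompProfile:
          type: RuntimeDefault              # CKV_K8S_31: runtime/default seccomp profile
      containers:
        - name: carts
          # CKV_K8S_43: pin by digest so the tag cannot be silently re-pointed.
          # Placeholder: take the digest from your registry.
          image: weaveworksdemos/carts:0.4.8@sha256:<digest-from-your-registry>
          env:
            - name: JAVA_OPTS
              value: -Xms64m -Xmx128m -XX:+UseG1GC -Djava.security.egd=file:/dev/urandom -Dspring.zipkin.enabled=false
          ports:
            - containerPort: 80             # assumed listening port
          resources:
            requests:                       # requests let the scheduler place the pod sensibly
              cpu: 100m
              memory: 200Mi
            limits:                         # limits from the original manifest
              cpu: 300m
              memory: 500Mi
          securityContext:
            allowPrivilegeEscalation: false # CKV_K8S_20 / KSV001
            readOnlyRootFilesystem: true    # assumption: the JVM only needs /tmp writable
            capabilities:
              drop: ["ALL"]
              add: ["NET_BIND_SERVICE"]     # only because the assumed port is below 1024
          livenessProbe:                    # CKV_K8S_8
            httpGet:
              path: /health                 # assumed endpoint
              port: 80
            initialDelaySeconds: 300
            periodSeconds: 3
          readinessProbe:                   # CKV_K8S_9
            httpGet:
              path: /health
              port: 80
            initialDelaySeconds: 180
            periodSeconds: 3
          volumeMounts:
            - name: tmp-volume
              mountPath: /tmp               # writable scratch space with a read-only root fs
      volumes:
        - name: tmp-volume
          emptyDir:
            medium: Memory
```

Re-running checkov -d manifests and trivy config against the edited file is the check that the findings listed above are gone; the hardening does not touch the vulnerable packages inside the image, which is what the image scans on the following slides are for.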
  • 12. BUILD: Container image scanning
    $ trivy image weaveworksdemos/carts:0.4.8 --no-progress
    2022-10-22T15:48:40.726Z WARN This OS version is no longer supported by the distribution: alpine 3.4.6
    2022-10-22T15:48:40.726Z WARN The vulnerability detection may be insufficient because security updates are not provided

    weaveworksdemos/carts:0.4.8 (alpine 3.4.6)
    ==========================================
    Total: 40 (UNKNOWN: 0, LOW: 0, MEDIUM: 23, HIGH: 13, CRITICAL: 4)

    Library   Vulnerability    Severity  Installed Version  Fixed Version  Title
    busybox   CVE-2017-16544   HIGH      1.24.2-r12         1.24.2-r13     busybox: Insufficient sanitization of filenames when autocompleting
                                                                           https://avd.aquasec.com/nvd/cve-2017-16544
              CVE-2017-15873   MEDIUM                                      busybox: Integer overflow in the get_next_block function
                                                                           https://avd.aquasec.com/nvd/cve-2017-15873
    freetype  CVE-2017-8105    CRITICAL  2.6.3-r0           2.6.3-r1       freetype: heap-based buffer overflow related to the t1_decoder_parse_charstrings
                                                                           https://avd.aquasec.com/nvd/cve-2017-8105
              CVE-2017-8287    CRITICAL                                    freetype: heap-based buffer overflow related to the t1_builder_close_contour function
                                                                           https://avd.aquasec.com/nvd/cve-2017-8287
              CVE-2016-10244   HIGH                                        freetype: parse_charstrings function in type1/t1load.c does not ensure that a font contains...
                                                                           https://avd.aquasec.com/nvd/cve-2016-10244
  • 13. BUILD: Container image scanning
    Are there vulnerabilities on the container image?
    • Use Anchore Grype
    • Scan images for vulnerable packages
    • Finds some different vulnerabilities than Aqua Trivy
  • 14. BUILD: Container image scanning
    $ grype weaveworksdemos/carts:0.4.8
    NAME      INSTALLED   FIXED-IN    TYPE  VULNERABILITY     SEVERITY
    busybox   1.24.2-r12              apk   CVE-2021-42386    High
    busybox   1.24.2-r12              apk   CVE-2018-1000500  High
    busybox   1.24.2-r12              apk   CVE-2021-42379    High
    busybox   1.24.2-r12              apk   CVE-2021-42381    High
    busybox   1.24.2-r12              apk   CVE-2021-42384    High
    busybox   1.24.2-r12  1.24.2-r13  apk   CVE-2017-15873    Medium
    busybox   1.24.2-r12              apk   CVE-2018-1000517  Critical
    busybox   1.24.2-r12              apk   CVE-2022-28391    High
    busybox   1.24.2-r12              apk   CVE-2021-42385    High
    busybox   1.24.2-r12              apk   CVE-2018-20679    High
    busybox   1.24.2-r12              apk   CVE-2021-42378    High
    busybox   1.24.2-r12              apk   CVE-2021-42376    Medium
    busybox   1.24.2-r12  1.24.2-r13  apk   CVE-2017-16544    High
    busybox   1.24.2-r12              apk   CVE-2019-5747     High
    busybox   1.24.2-r12              apk   CVE-2015-9261     Medium
    freetype  2.6.3-r0    2.6.3-r1    apk   CVE-2016-10244    High
    freetype  2.6.3-r0                apk   CVE-2022-27404    Critical
    freetype  2.6.3-r0                apk   CVE-2016-10328    Critical
    freetype  2.6.3-r0                apk   CVE-2022-27405    High
    freetype  2.6.3-r0                apk   CVE-2017-7857     Critical
    freetype  2.6.3-r0    2.6.3-r1    apk   CVE-2017-8287     Critical
    freetype  2.6.3-r0                apk   CVE-2017-7858     Critical
    freetype  2.6.3-r0    2.6.3-r1    apk   CVE-2017-8105     Critical
    freetype  2.6.3-r0                apk   CVE-2020-15999    Medium
  • 15. BUILD: Software bill of materials (SBOM)
    What components are in my application and container image?
    • Use Anchore Syft
    • OS packages
    • Libraries
    • Frameworks
  • 16. BUILD: Software bill of materials (SBOM)
    $ syft weaveworksdemos/carts:0.4.8 --output json --file carts-0.4.8.json
    $ grype sbom:carts-0.4.8.json
    NAME      INSTALLED   FIXED-IN    TYPE  VULNERABILITY     SEVERITY
    busybox   1.24.2-r12              apk   CVE-2018-20679    High
    busybox   1.24.2-r12              apk   CVE-2018-1000517  Critical
    busybox   1.24.2-r12              apk   CVE-2021-42381    High
    busybox   1.24.2-r12  1.24.2-r13  apk   CVE-2017-16544    High
    busybox   1.24.2-r12  1.24.2-r13  apk   CVE-2017-15873    Medium
    busybox   1.24.2-r12              apk   CVE-2021-42386    High
    busybox   1.24.2-r12              apk   CVE-2021-42385    High
    busybox   1.24.2-r12              apk   CVE-2019-5747     High
    busybox   1.24.2-r12              apk   CVE-2021-42376    Medium
    busybox   1.24.2-r12              apk   CVE-2018-1000500  High
    busybox   1.24.2-r12              apk   CVE-2022-28391    High
    busybox   1.24.2-r12              apk   CVE-2021-42378    High
    busybox   1.24.2-r12              apk   CVE-2015-9261     Medium
    busybox   1.24.2-r12              apk   CVE-2021-42384    High
    busybox   1.24.2-r12              apk   CVE-2021-42379    High
    freetype  2.6.3-r0    2.6.3-r1    apk   CVE-2016-10244    High
    freetype  2.6.3-r0                apk   CVE-2022-27404    Critical
    freetype  2.6.3-r0                apk   CVE-2016-10328    Critical
    freetype  2.6.3-r0                apk   CVE-2022-27405    High
    freetype  2.6.3-r0                apk   CVE-2017-7857     Critical
    freetype  2.6.3-r0    2.6.3-r1    apk   CVE-2017-8287     Critical
    ...
    $ syft weaveworksdemos/carts:0.4.8 --output cyclonedx-json --file carts-0.4.8-dx.json
  • 17. BUILD: SBOM monitoring
    Do any components have newly identified vulnerabilities?
    • Use OWASP Dependency-Track
    • Track SBOMs
    • Identify vulnerabilities
    • Notifications
  • 20. RUNTIME: Policy enforcement
    Are my Kubernetes workloads and resources following my rules?
    • Use Open Policy Agent
    • Admissions controller
    • Compliance rules
  • 21. RUNTIME: Policy enforcement
    $ cat allowed.yaml
    apiVersion: v1
    kind: Pod
    metadata:
      name: opa-allowed
    spec:
      containers:
        - name: opa
          image: openpolicyagent/opa:0.9.2@sha256:04ff8fce2afd1a3bc26260348e5b290e8d945b1fad4b4c16d22834c2f3a1814a
          args:
            - "run"
            - "--server"
            - "--addr=localhost:8080"

    $ kubectl apply -f allowed.yaml
    pod/opa-allowed created
  • 22. RUNTIME: Policy enforcement
    $ cat disallowed.yaml
    apiVersion: v1
    kind: Pod
    metadata:
      name: opa-disallowed
    spec:
      initContainers:
        - name: opainit
          image: openpolicyagent/opa:0.9.2
          args:
            - "run"
            - "--server"
            - "--addr=localhost:8080"
      containers:
        - name: opa
          image: openpolicyagent/opa:0.9.2
          args:
            - "run"
            - "--server"
            - "--addr=localhost:8080"

    $ kubectl apply -f disallowed.yaml
    Error from server (Forbidden): error when creating "disallowed.yaml": admission webhook "validation.gatekeeper.sh" denied the request:
    [container-image-must-have-digest] container <opa> uses an image without a digest <openpolicyagent/opa:0.9.2>
    [container-image-must-have-digest] initContainer <opainit> uses an image without a digest <openpolicyagent/opa:0.9.2>
  • 23. Resource limits RUNTIME
    Can a few containers hog too much memory or CPU?
    • Set the resource requests and limits for memory and CPU
    • Use Fairwinds Goldilocks
    • Watches loads
    • Makes request and limit recommendations
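The Gatekeeper denial on slide 22 and the Goldilocks recommendations on slide 23 can both be anticipated before a manifest reaches the cluster. The following is an added example, not code from the deck, from OPA Gatekeeper or from Fairwinds: it runs the digest-pinning check and a requests/limits check over a Pod, or over a workload's pod template, given as a dict (what `kubectl get ... -o json` or a YAML parser returns). The digest pattern is modelled on the gatekeeper-library imagedigests template; the limit-to-request ratio of 4 and the carts Deployment (with a placeholder digest) are assumptions made for the example.

```python
"""Pre-admission checks a CI job can run on rendered manifests.

Added example; not code from the deck, from OPA Gatekeeper or from
Goldilocks. It applies two rules the deck enforces or recommends at
runtime (images pinned by digest; CPU and memory requests and limits on
every container) to a Pod, or to the pod template of a workload, so the
violation surfaces in CI instead of at the admission webhook. Input is a
manifest as a dict (json.load of `kubectl ... -o json` or yaml.safe_load).
"""
import json
import re
import sys

# Modelled on the accept pattern of gatekeeper-library's imagedigests
# template: "<repo>[:tag]@<algorithm>:<encoded>". A tag is fine if a digest follows.
DIGEST_RE = re.compile(r"@[a-z0-9]+([+._-][a-z0-9]+)*:[a-zA-Z0-9=_-]+$")
CONTAINER_FIELDS = ("initContainers", "containers", "ephemeralContainers")
# Kubernetes quantity suffixes -> multiplier (decimal and binary SI).
# Exponent forms such as "1e3" are not handled and raise.
SUFFIX = {"m": 1e-3, "k": 1e3, "M": 1e6, "G": 1e9, "T": 1e12,
          "Ki": 2 ** 10, "Mi": 2 ** 20, "Gi": 2 ** 30, "Ti": 2 ** 40}


def parse_quantity(q):
    """'500m' -> 0.5 cores, '256Mi' -> 268435456 bytes, '2' -> 2.0."""
    m = re.fullmatch(r"([0-9]*\.?[0-9]+)([A-Za-z]*)", str(q))
    if not m or (m.group(2) and m.group(2) not in SUFFIX):
        raise ValueError(f"unsupported quantity {q!r}")
    return float(m.group(1)) * SUFFIX.get(m.group(2), 1)


def pod_spec(obj):
    """Pod spec of a Pod or of a workload that wraps a pod template."""
    kind = obj.get("kind")
    if kind == "Pod":
        return obj["spec"]
    if kind in ("Deployment", "StatefulSet", "DaemonSet", "ReplicaSet", "Job"):
        return obj["spec"]["template"]["spec"]
    if kind == "CronJob":
        return obj["spec"]["jobTemplate"]["spec"]["template"]["spec"]
    raise ValueError(f"unsupported kind {kind!r}")


def image_digest_violations(obj):
    """One message per container (init, regular or ephemeral) whose image is
    not pinned by digest; wording mirrors the Gatekeeper denial on slide 22."""
    msgs = []
    for field in CONTAINER_FIELDS:
        for c in pod_spec(obj).get(field, []):
            image = c.get("image", "")
            if not DIGEST_RE.search(image):
                msgs.append(f"{field[:-1]} <{c['name']}> uses an image without a digest <{image}>")
    return msgs


def resource_violations(obj, max_limit_ratio=4.0):
    """Missing requests/limits, or a limit more than max_limit_ratio times
    its request (assumed threshold: such pods look small to the scheduler
    but can burst far beyond what was reserved). Ephemeral containers cannot
    carry resources and are skipped."""
    msgs = []
    for field in ("initContainers", "containers"):
        for c in pod_spec(obj).get(field, []):
            res = c.get("resources") or {}
            req, lim = res.get("requests") or {}, res.get("limits") or {}
            for r in ("cpu", "memory"):
                if r not in req:
                    msgs.append(f"container <{c['name']}> has no {r} request")
                if r not in lim:
                    msgs.append(f"container <{c['name']}> has no {r} limit")
                if r in req and r in lim:
                    ratio = parse_quantity(lim[r]) / parse_quantity(req[r])
                    if ratio > max_limit_ratio:
                        msgs.append(f"container <{c['name']}> {r} limit {lim[r]} is "
                                    f"{ratio:.1f}x its request {req[r]}")
    return msgs


def violations(obj):
    return {"container-image-must-have-digest": image_digest_violations(obj),
            "container-must-have-resources": resource_violations(obj)}


# The two Pods from slides 21 and 22 (args omitted) plus a constructed
# Deployment in the style of the sock-shop carts manifest. The carts digest
# below is a placeholder, not the real image digest.
ALLOWED_POD = {"kind": "Pod", "metadata": {"name": "opa-allowed"}, "spec": {"containers": [
    {"name": "opa", "image": "openpolicyagent/opa:0.9.2@sha256:04ff8fce2afd1a3bc26260348e5b290e8d945b1fad4b4c16d22834c2f3a1814a"}]}}
DISALLOWED_POD = {"kind": "Pod", "metadata": {"name": "opa-disallowed"}, "spec": {
    "initContainers": [{"name": "opainit", "image": "openpolicyagent/opa:0.9.2"}],
    "containers": [{"name": "opa", "image": "openpolicyagent/opa:0.9.2"}]}}
CARTS_DEPLOYMENT = {"kind": "Deployment", "metadata": {"name": "carts"}, "spec": {"template": {"spec": {
    "containers": [{"name": "carts", "image": "weaveworksdemos/carts:0.4.8@sha256:" + "0" * 64,
                    "resources": {"requests": {"cpu": "100m", "memory": "200Mi"},
                                  "limits": {"cpu": "2", "memory": "500Mi"}}}]}}}}

if __name__ == "__main__":
    objs = [json.load(open(p)) for p in sys.argv[1:]] or [ALLOWED_POD, DISALLOWED_POD, CARTS_DEPLOYMENT]
    failed = False
    for obj in objs:
        for rule, msgs in violations(obj).items():
            for msg in msgs:
                failed = True
                print(f"[{rule}] {obj['metadata']['name']}: {msg}")
    sys.exit(1 if failed else 0)
```

`kubectl get deploy carts -n sock-shop -o json > carts.json && python3 preflight.py carts.json` prints the violations in Gatekeeper's wording and exits 1. This shifts the check left; it does not replace the admission controller, because a pod created by a controller never passes through CI, only through the webhook.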
  • 25. Network isolation RUNTIME
    Can Kubernetes resources reach others they don't need to?
    • Use a service mesh, or a CNI that enforces NetworkPolicy (a NetworkPolicy object does nothing on a CNI that ignores it)
    • Build a network policy
    • Network Policy editor: https://networkpolicy.io
  • 26. Network isolation RUNTIME
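Slide 25 points at the Network Policy editor; the following is an added example (not from the deck or from networkpolicy.io) of the three policies a namespace needs once you decide to deny by default, emitted as JSON that `kubectl apply -f -` accepts, plus an audit function for a list of existing policies as returned by `kubectl get netpol -o json`. Assumed for the example: sock-shop pods carry a `name: <service>` label, front-end talks to carts on port 80, and cluster DNS is served by the `k8s-app: kube-dns` pods in kube-system.

```python
"""Build and audit NetworkPolicy objects for a namespace.

Added example; not code from the deck or from networkpolicy.io. It emits
the policies a locked-down namespace needs (deny everything, allow DNS
egress, allow the flows a service actually needs) as the JSON that
`kubectl apply -f -` accepts, and checks an existing policy list for a
default-deny. Assumed labels: sock-shop pods carry `name: <service>`,
kube-dns pods carry `k8s-app: kube-dns` in kube-system.
"""
import json

API = "networking.k8s.io/v1"


def _policy(name, namespace, spec):
    return {"apiVersion": API, "kind": "NetworkPolicy",
            "metadata": {"name": name, "namespace": namespace}, "spec": spec}


def default_deny(namespace):
    """An empty podSelector matches every pod; listing both policyTypes with
    no rules denies all ingress and all egress in the namespace."""
    return _policy("default-deny-all", namespace,
                   {"podSelector": {}, "policyTypes": ["Ingress", "Egress"]})


def allow_dns_egress(namespace):
    """Default-deny egress also blocks DNS; without this carve-out every
    Service name lookup in the namespace fails. namespaceSelector and
    podSelector in ONE `to` element are ANDed: only kube-dns in kube-system."""
    return _policy("allow-dns-egress", namespace, {
        "podSelector": {}, "policyTypes": ["Egress"],
        "egress": [{"to": [{"namespaceSelector": {"matchLabels": {"kubernetes.io/metadata.name": "kube-system"}},
                            "podSelector": {"matchLabels": {"k8s-app": "kube-dns"}}}],
                    "ports": [{"protocol": "UDP", "port": 53}, {"protocol": "TCP", "port": 53}]}]})


def allow_flow(namespace, src, dst, port, protocol="TCP", label="name"):
    """Two policies per flow: dst accepts ingress from src, and src may
    egress to dst. Both are needed once egress is denied by default."""
    ingress = _policy(f"allow-{src}-to-{dst}", namespace, {
        "podSelector": {"matchLabels": {label: dst}}, "policyTypes": ["Ingress"],
        "ingress": [{"from": [{"podSelector": {"matchLabels": {label: src}}}],
                     "ports": [{"protocol": protocol, "port": port}]}]})
    egress = _policy(f"allow-{src}-egress-{dst}", namespace, {
        "podSelector": {"matchLabels": {label: src}}, "policyTypes": ["Egress"],
        "egress": [{"to": [{"podSelector": {"matchLabels": {label: dst}}}],
                    "ports": [{"protocol": protocol, "port": port}]}]})
    return [ingress, egress]


def has_default_deny(policies, namespace):
    """True if some policy in the namespace selects every pod, lists both
    policyTypes and carries no rules, i.e. denies both directions."""
    for p in policies:
        if p.get("kind") != "NetworkPolicy" or p["metadata"].get("namespace") != namespace:
            continue
        spec = p["spec"]
        if spec.get("podSelector", {}) != {}:
            continue
        # Kubernetes defaults policyTypes to ["Ingress"] when it is absent.
        types = set(spec.get("policyTypes", ["Ingress"]))
        if {"Ingress", "Egress"} <= types and not spec.get("ingress") and not spec.get("egress"):
            return True
    return False


def lockdown(namespace, flows):
    """Every policy for the namespace as one kubectl-applicable List."""
    items = [default_deny(namespace), allow_dns_egress(namespace)]
    for src, dst, port in flows:
        items.extend(allow_flow(namespace, src, dst, port))
    return {"apiVersion": "v1", "kind": "List", "items": items}


if __name__ == "__main__":
    # front-end -> carts on 80 is the one sock-shop flow modelled here (assumed).
    print(json.dumps(lockdown("sock-shop", [("front-end", "carts", 80)]), indent=2))
```

`python3 netpol.py | kubectl apply -f -` applies all four objects; `kubectl get netpol -n sock-shop -o json | python3 -c 'import json,sys,netpol; print(netpol.has_default_deny(json.load(sys.stdin)["items"], "sock-shop"))'` audits a live namespace. The DNS policy is the one people forget. Note also the selector semantics in `allow_dns_egress`: a namespaceSelector and a podSelector inside one `to` element are ANDed; as two separate elements they would allow all of kube-system plus every kube-dns pod in any namespace.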
  • 27. Monitor behavior RUNTIME
    Are any workloads doing something unexpected on the system?
    • Use Falco
    • Watches system calls
    • Privilege escalation
    • Ownership and mode changes
    • Unexpected network connections
  • 28. Monitor behavior RUNTIME
    $ kubectl logs -n falco falco-zplnz
    Sat Oct 22 19:53:03 2022: Falco version: 0.33.0 (x86_64)
    Sat Oct 22 19:53:03 2022: Falco initialized with configuration file: /etc/falco/falco.yaml
    Sat Oct 22 19:53:03 2022: Loading rules from file /etc/falco/falco_rules.yaml
    Sat Oct 22 19:53:03 2022: Loading rules from file /etc/falco/falco_rules.local.yaml
    Sat Oct 22 19:53:03 2022: The chosen syscall buffer dimension is: 8388608 bytes (8 MBs)
    Sat Oct 22 19:53:03 2022: Starting health webserver with threadiness 2, listening on port 8765
    Sat Oct 22 19:53:03 2022: Enabled event sources: syscall
    Sat Oct 22 19:53:03 2022: Opening capture with Kernel module
    19:53:09.668585724: Warning Docker or kubernetes client executed in container (user=<NA> user_loginuid=-1 k8s.ns=gatekeeper-system k8s.pod=gatekeeper-update-crds-hook-l5zr2 container=006eacc6d95b parent=<NA> cmdline=kubectl apply -f crds/ pid=13671 image=openpolicyagent/gatekeeper-crds:v3.10.0)
    19:53:09.739647377: Notice Unexpected connection to K8s API Server from container (command=kubectl apply -f crds/ pid=13671 k8s.ns=gatekeeper-system k8s.pod=gatekeeper-update-crds-hook-l5zr2 container=006eacc6d95b image=openpolicyagent/gatekeeper-crds:v3.10.0 connection=192.168.34.30:45214->10.100.0.1:443)
    19:53:21.068878529: Notice Unexpected connection to K8s API Server from container (command=manager --port=8443 --health-addr=:9090 --prometheus-port=8888 --logtostderr --log-denies=false --emit-admission-events=false --log-level=INFO --exempt-namespace=gatekeeper-system --operation=webhook --enable-external-data=false --enable-generator-resource-expansion=false --log-mutations=false --mutation-annotations=false --disable-cert-rotation=false --max-serving-threads=-1 --tls-min-version=1.3 --metrics-backend=prometheus --operation=mutation-webhook --disable-opa-builtin={http.send} pid=14628 k8s.ns=gatekeeper-system k8s.pod=gatekeeper-controller-manager-78b8774b7c-wknwm container=bb34633b4f13 image=openpolicyagent/gatekeeper:v3.10.0 connection=192.168.60.49:34346->10.100.0.1:443)
    19:53:21.133021316: Notice Unexpected connection to K8s API Server from container (command=manager --audit-interval=60 --log-level=INFO --constraint-violations-limit=20 --audit-from-cache=false --audit-chunk-size=500 --audit-match-kind-only=false --emit-audit-events=false --operation=audit --operation=status --operation=mutation-status --logtostderr --health-addr=:9090 --prometheus-port=8888 --enable-external-data=false --enable-generator-resource-expansion=false --metrics-backend=prometheus --disable-cert-rotation=true pid=14691 k8s.ns=gatekeeper-system k8s.pod=gatekeeper-audit-9b7795dcf-tff44 container=c603d5981dea image=openpolicyagent/gatekeeper:v3.10.0 connection=192.168.62.41:58520->10.100.0.1:443)
    Every event here is Gatekeeper's own components (the CRD install hook, the webhook, the audit controller) reaching the API server at 10.100.0.1:443, which is expected. Expected behaviour like this needs a rule exception or an allowlist, otherwise it buries the connection you did not expect.
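The slide 28 output is expected behaviour; what matters is everything else. The following is an added example, not from the deck or from the Falco project, that parses Falco's text output format (one event per line: timestamp, priority, the rule's output text, then a parenthesised block of key=value fields) and applies an allowlist so the expected events are counted but only the unexpected ones are raised. The allowlist entries and the last sample line (an application pod reaching the API server) are constructed for the example; the first four lines are from slide 28 with the long `manager` command line shortened.

```python
"""Triage Falco's text output: parse each event, drop known-good actors,
keep the rest.

Added example; not from the deck or from the Falco project. Falco's text
output is one event per line,
    HH:MM:SS.nanos: <Priority> <rule output text> (key=value key=value ...)
as on slide 28. This turns those lines into records and applies an
allowlist so that expected behaviour (Gatekeeper talking to the API server)
does not bury unexpected behaviour. The allowlist and the last sample line
are constructed for this example.
"""
import re
import sys
from collections import Counter

EVENT_RE = re.compile(r"^(\d{2}:\d{2}:\d{2}\.\d+): (\w+) (.*?) \((.*)\)$")
# Split the field block only on a space that starts a new key=, so values
# with embedded spaces (cmdline=kubectl apply -f crds/) stay whole.
FIELD_SPLIT_RE = re.compile(r" (?=[A-Za-z_][A-Za-z0-9_.]*=)")
PRIORITIES = ["Emergency", "Alert", "Critical", "Error", "Warning",
              "Notice", "Informational", "Debug"]

# (output-text prefix, namespace, image prefix) that are known benign. Assumed.
ALLOWLIST = [
    ("Unexpected connection to K8s API Server from container",
     "gatekeeper-system", "openpolicyagent/gatekeeper"),
    ("Docker or kubernetes client executed in container",
     "gatekeeper-system", "openpolicyagent/gatekeeper-crds"),
]

# Lines 1-4: slide 28 (manager flags shortened). Line 5: constructed.
SAMPLE_LOG = """\
Sat Oct 22 19:53:03 2022: Falco version: 0.33.0 (x86_64)
19:53:09.668585724: Warning Docker or kubernetes client executed in container (user=<NA> user_loginuid=-1 k8s.ns=gatekeeper-system k8s.pod=gatekeeper-update-crds-hook-l5zr2 container=006eacc6d95b parent=<NA> cmdline=kubectl apply -f crds/ pid=13671 image=openpolicyagent/gatekeeper-crds:v3.10.0)
19:53:09.739647377: Notice Unexpected connection to K8s API Server from container (command=kubectl apply -f crds/ pid=13671 k8s.ns=gatekeeper-system k8s.pod=gatekeeper-update-crds-hook-l5zr2 container=006eacc6d95b image=openpolicyagent/gatekeeper-crds:v3.10.0 connection=192.168.34.30:45214->10.100.0.1:443)
19:53:21.068878529: Notice Unexpected connection to K8s API Server from container (command=manager --port=8443 --operation=webhook pid=14628 k8s.ns=gatekeeper-system k8s.pod=gatekeeper-controller-manager-78b8774b7c-wknwm container=bb34633b4f13 image=openpolicyagent/gatekeeper:v3.10.0 connection=192.168.60.49:34346->10.100.0.1:443)
19:55:02.100000000: Notice Unexpected connection to K8s API Server from container (command=curl -sk https://10.100.0.1/api pid=20110 k8s.ns=sock-shop k8s.pod=carts-7c8bb9d7f-x2k9q container=9a1b2c3d4e5f image=weaveworksdemos/carts:0.4.8 connection=192.168.40.12:51000->10.100.0.1:443)
"""


def parse_event(line):
    """Event dict for a Falco alert line, None for startup/status lines."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    time, priority, message, body = m.groups()
    fields = dict(kv.split("=", 1) for kv in FIELD_SPLIT_RE.split(body))
    return {"time": time, "priority": priority, "message": message, "fields": fields}


def is_allowlisted(event):
    ns = event["fields"].get("k8s.ns", "")
    image = event["fields"].get("image", "")
    return any(event["message"].startswith(msg) and ns == allowed_ns and image.startswith(img)
               for msg, allowed_ns, img in ALLOWLIST)


def triage(log_text, min_priority="Notice"):
    """(unexpected_events, counts): events at or above min_priority that no
    allowlist entry covers, plus a tally of every parsed event by output
    text so the expected baseline stays visible."""
    keep = PRIORITIES.index(min_priority)
    unexpected, counts = [], Counter()
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev is None:
            continue
        counts[ev["message"]] += 1
        rank = PRIORITIES.index(ev["priority"]) if ev["priority"] in PRIORITIES else len(PRIORITIES)
        if rank > keep or is_allowlisted(ev):
            continue
        unexpected.append(ev)
    return unexpected, counts


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    unexpected, counts = triage(text)
    for message, n in counts.most_common():
        print(f"{n:4d}  {message}")
    for ev in unexpected:
        f = ev["fields"]
        print(f"UNEXPECTED {ev['time']} {ev['priority']} {ev['message']}: "
              f"ns={f.get('k8s.ns')} pod={f.get('k8s.pod')} image={f.get('image')} "
              f"connection={f.get('connection')}")
    sys.exit(1 if unexpected else 0)
```

`kubectl logs -n falco falco-zplnz > falco.log && python3 falco_triage.py falco.log` prints the tally and the one event that survives the allowlist. For anything beyond a demo, set `json_output: true` in falco.yaml and parse JSON instead of this text format, and move the allowlist into a rule exception in falco_rules.local.yaml so the expected events are never generated in the first place.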
  • 30. WRAP-UP Key takeaways
    • Enforce the principle of least privilege.
    • Keep everything up to date.
    • Scan your container images frequently, before and after deployment.
    • Monitor your systems for expected and unexpected behavior.
    • And disk space.
  • 31. WRAP-UP Reading list
    Kubernetes Hardening Guidance, National Security Agency (NSA) and Cybersecurity and Infrastructure Security Agency (CISA). https://media.defense.gov/2021/Aug/03/2002820425/-1/-1/1/CTR_KUBERNETES%20HARDENING%20GUIDANCE.PDF
    A Closer Look at NSA/CISA Kubernetes Hardening Guidance, Jim Angel, Pushkar Joglekar, and Savitha Raghunathan. https://kubernetes.io/blog/2021/10/05/nsa-cisa-kubernetes-hardening-guidance/
    Kubernetes Security Technical Implementation Guide, Cybersecurity and Infrastructure Security Agency (CISA). https://public.cyber.mil/stigs/downloads/
    CIS Kubernetes Benchmark, Center for Internet Security (CIS). https://www.cisecurity.org/benchmark/kubernetes/
  • 32. WRAP-UP Tools
    Aqua Security kube-bench: https://github.com/aquasecurity/kube-bench
    Checkov by Bridgecrew: https://github.com/bridgecrewio/checkov
    Aqua Security Trivy: https://github.com/aquasecurity/trivy
    Anchore Grype: https://github.com/anchore/grype
    Anchore Syft: https://github.com/anchore/syft
    OWASP Dependency-Track: https://dependencytrack.org
    Open Policy Agent: https://www.openpolicyagent.org
    Fairwinds Goldilocks: https://github.com/fairwindsops/goldilocks
    Network Policy Editor: https://networkpolicy.io
    Falco: https://falco.org

Editor's Notes

  1. We will look at 10 tools across 3 rough layers of the Kubernetes ecosystem. All are open-source and/or freely available. Also, some publicly available guidance. Security is a type of quality: you cannot be insecure and have high quality, and you cannot have low quality but high security.
  2. Kubernetes clusters consist of servers acting as master nodes and worker nodes. The operating system and processes on these servers have to be secured just like any others. These are the tasks traditionally done by Ops and Security. YAGNI. K8s hosts need the same security as other hosts. Keep the systems up-to-date; this is the easiest thing to do, just regularly run apt-get update && apt-get upgrade, dnf upgrade, or yum update. CISA recommends the following remediation timelines: critical vulnerabilities should be remediated within 15 calendar days of initial detection; high vulnerabilities should be remediated within 30 calendar days of initial detection.
  3. Least privilege. Ronald Reagan, 1986: the nine most terrifying words in the English language are "I'm from the Government and I'm here to help." Google both terms. See the kubernetes.io article from Oct 2021. See the stigviewer.com link. Also, not specific to k8s, but federal, state, local, tribal and territorial governments, as well as public and private sector critical infrastructure organizations, can request Cyber Hygiene Services at no cost from CISA. CIS is not a government agency, but it is non-profit. CIS Benchmarks are free checklists, very similar to STIGs, easier to read.
  4. "checks whether Kubernetes is deployed securely by running the checks documented in the CIS Kubernetes Benchmark." If you are running in a managed Kubernetes cluster, such as Amazon EKS or Azure AKS, kube-bench does not have access to the master nodes but can still evaluate the worker nodes. Runs as a Kubernetes Job.
  5. Runs as a Kubernetes Job:
     cd ~/git/ggkube/Book/code
     kubectl apply -f kube-bench-job-eks.yaml
     kubectl get pods
     kubectl logs kube-bench-kc82n
  6. These tasks are typically going to fall to the development teams while they are producing their software for deployment. All of this is a moot point if the application is security Swiss cheese.
  7. Least privilege. Checkov by Bridgecrew. Frequent updates, sometimes daily. I use this extensively on Terraform code.
  8. Python pip install, or use the Docker container:
     pushd ./microservices-demo/deploy/Kubernetes
     checkov -d manifests --quiet --compact
  9. Can't just scan once; vulnerabilities can be found even in existing, previously "safe", containers/code.
  10. Installs as a package, from a script, as a container, etc.
      trivy config manifests/01-carts-dep.yaml
  11. trivy image weaveworksdemos/carts:0.4.8 --no-progress
  12. Other options are Clair by Red Hat. Can't just scan once; vulnerabilities can be found even in existing, previously "safe", containers/code.
  13. grype weaveworksdemos/carts:0.4.8
  14. Can feed that back to Grype
  15. Can feed that back to Grype:
      syft weaveworksdemos/carts:0.4.8 --output json --file carts-0.4.8.json
      grype sbom:carts-0.4.8.json
      syft weaveworksdemos/carts:0.4.8 --output cyclonedx-json --file carts-0.4.8-dx.json
  16. This is the Ops piece of DevSecOps. After you deploy, the job isn’t finished. Keep monitoring. It is embarrassing how often companies that spend millions to staff a 24x7 SOC have apps go down when they run out of disk space
  17. Oh-pah (how OPA is pronounced).
  18. https://open-policy-agent.github.io/gatekeeper-library/website/imagedigests
      kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/library/general/imagedigests/template.yaml
      kubectl describe ConstraintTemplate -A
      kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/library/general/imagedigests/samples/container-image-must-have-digest/constraint.yaml
      cat allowed.yaml
      kubectl apply -f allowed.yaml
  19. cat disallowed.yaml
      kubectl apply -f disallowed.yaml
  20. kubectl apply -f manifests
      kubectl label ns sock-shop goldilocks.fairwinds.com/enabled=true
      kubectl -n goldilocks port-forward svc/goldilocks-dashboard 8444:80&
      kubectl -n sock-shop port-forward svc/front-end 8555:80&
  21. Least privilege. Service mesh (Linkerd, Istio) or container network interface (Calico, Cilium). mTLS.
  22. Least privilege. Service mesh (Linkerd, Istio) or container network interface (Calico, Cilium). mTLS.
  23. Install to the host so it is isolated from Kubernetes. Can also install into the cluster using Helm if you don't control the host, e.g., EKS.
  24. kubectl get pods -n falco -o wide
      kubectl logs -n falco falco-zplnz -f
  25. There are commercial versions that incorporate many of these tools and capabilities, often together in a single package.