Everyone has heard about Kubernetes. Everyone wants to use this tool. However, sometimes we forget about security, which is essential throughout the container lifecycle.
Therefore, our journey with Kubernetes security should begin in the build stage, when the code we write becomes a container image.
Kubernetes provides innate security advantages, and together with solid container protection it will be invincible.
During the sessions, we will review all those features and highlight which ones are mandatory to use. We will discuss the main vulnerabilities that may lead to your system being compromised.
Contacts:
LinkedIn - https://www.linkedin.com/in/vshynkar/
GitHub - https://github.com/sqerison
-------------------------------------------------------------------------------------
Materials from the video:
The policies and docker files examples:
https://gist.github.com/sqerison/43365e30ee62298d9757deeab7643a90
The repo with the helm chart used in a demo:
https://github.com/sqerison/argo-rollouts-demo
Tools shown in the last section:
https://github.com/armosec/kubescape
https://github.com/aquasecurity/kube-bench
https://github.com/controlplaneio/kubectl-kubesec
https://github.com/Shopify/kubeaudit#installation
https://github.com/eldadru/ksniff
Further learning.
A book released by CISA (Cybersecurity and Infrastructure Security Agency):
https://media.defense.gov/2021/Aug/03/2002820425/-1/-1/1/CTR_KUBERNETES%20HARDENING%20GUIDANCE.PDF
O'Reilly Kubernetes Security:
https://kubernetes-security.info/
O'Reilly Container Security:
https://info.aquasec.com/container-security-book
Thanks for watching!
This talk explains what Pod Security Policy is and its importance in Kubernetes security. The talk also takes a look at the current situation of Docker Hub's popular images and the Helm charts repository.
This talk stresses that having PSP enabled the right way is absolutely necessary for the real security of the cluster.
Link to the demos:
What is Pod Security Policy? https://www.youtube.com/watch?v=nrWRMP94vqc
Kubernetes hostPath exploit thwarted with Pod Security Policy https://www.youtube.com/watch?v=APS0CfD6DsE
Unique course notes for the Certified Kubernetes Administrator (CKA) exam, one set for each section. Designed to be engaging and to serve as a future reference for Kubernetes concepts.
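The demo above blocks a hostPath mount with a PodSecurityPolicy. One caveat a practitioner needs today: PSP was deprecated in Kubernetes v1.21 and removed in v1.25, and its role is now played by the built-in Pod Security Admission (PSA) "baseline" and "restricted" profiles, or by a policy engine such as Kyverno or OPA Gatekeeper. The code below is an added example, not the talk's demo and not the upstream admission controller: it re-implements a subset of the PSA baseline and restricted rules over plain pod manifests (as Python dicts) so you can see exactly which fields make the classic node-escape pod fail, and what a manifest for the same workload has to look like to pass "restricted". The two sample pods are constructed for this example; the capability allow-list is the one published in the PSA baseline profile.

```python
"""Added example: simplified checks approximating the Pod Security Admission
'baseline' and 'restricted' profiles that replaced PodSecurityPolicy.
Illustrative code only. It covers host namespaces, hostPath, privileged,
capabilities, privilege escalation, runAsNonRoot and seccomp; host ports,
sysctls, other volume types, AppArmor/SELinux and /proc mounts are omitted."""

from typing import Iterator

# Linux capabilities the baseline profile still permits a container to add.
BASELINE_ALLOWED_CAPS = {
    "AUDIT_WRITE", "CHOWN", "DAC_OVERRIDE", "FOWNER", "FSETID", "KILL", "MKNOD",
    "NET_BIND_SERVICE", "SETFCAP", "SETGID", "SETPCAP", "SETUID", "SYS_CHROOT",
}


def _containers(spec: dict) -> Iterator[dict]:
    """Yield every container, including init and ephemeral ones."""
    for key in ("initContainers", "containers", "ephemeralContainers"):
        yield from spec.get(key, [])


def baseline_violations(pod: dict) -> list[str]:
    """Findings that would make the pod fail the 'baseline' profile."""
    spec = pod.get("spec", {})
    found = []
    for field in ("hostPID", "hostNetwork", "hostIPC"):
        if spec.get(field):
            found.append(f"spec.{field} is true")
    for vol in spec.get("volumes", []):
        if "hostPath" in vol:
            found.append(f"volume {vol['name']!r} mounts hostPath {vol['hostPath'].get('path')!r}")
    for c in _containers(spec):
        sc = c.get("securityContext") or {}
        if sc.get("privileged"):
            found.append(f"container {c['name']!r} is privileged")
        extra = set((sc.get("capabilities") or {}).get("add", [])) - BASELINE_ALLOWED_CAPS
        if extra:
            found.append(f"container {c['name']!r} adds capabilities {sorted(extra)}")
    return found


def restricted_violations(pod: dict) -> list[str]:
    """Baseline findings plus the extra hardening 'restricted' requires."""
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext") or {}
    found = baseline_violations(pod)
    for c in _containers(spec):
        sc = c.get("securityContext") or {}
        name = c["name"]
        if sc.get("allowPrivilegeEscalation") is not False:
            found.append(f"container {name!r} must set allowPrivilegeEscalation: false")
        # A container-level runAsNonRoot overrides the pod-level value.
        if not sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")):
            found.append(f"container {name!r} must run as non-root")
        caps = sc.get("capabilities") or {}
        if "ALL" not in caps.get("drop", []):
            found.append(f"container {name!r} must drop ALL capabilities")
        if set(caps.get("add", [])) - {"NET_BIND_SERVICE"}:
            found.append(f"container {name!r} may only add NET_BIND_SERVICE")
        seccomp = (sc.get("seccompProfile") or pod_sc.get("seccompProfile") or {}).get("type")
        if seccomp not in ("RuntimeDefault", "Localhost"):
            found.append(f"container {name!r} needs a RuntimeDefault or Localhost seccomp profile")
    return found


# Constructed sample: the node-escape shape from the demo, a privileged
# container that mounts the node's root filesystem and shares its PID namespace.
ESCAPE_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "hostpath-escape"},
    "spec": {
        "hostPID": True,
        "containers": [{
            "name": "shell", "image": "busybox", "command": ["sleep", "infinity"],
            "securityContext": {"privileged": True},
            "volumeMounts": [{"name": "host", "mountPath": "/host"}],
        }],
        "volumes": [{"name": "host", "hostPath": {"path": "/"}}],
    },
}

# Constructed sample: the same image written to satisfy 'restricted'.
HARDENED_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "hardened"},
    "spec": {
        "securityContext": {"runAsNonRoot": True, "seccompProfile": {"type": "RuntimeDefault"}},
        "containers": [{
            "name": "app", "image": "busybox", "command": ["sleep", "infinity"],
            "securityContext": {"allowPrivilegeEscalation": False,
                                "capabilities": {"drop": ["ALL"]}},
        }],
    },
}

if __name__ == "__main__":
    for pod in (ESCAPE_POD, HARDENED_POD):
        print(pod["metadata"]["name"], restricted_violations(pod) or "OK")
```

In a real cluster you would not run this by hand: label the namespace with `pod-security.kubernetes.io/enforce=restricted` and the API server rejects the escape pod at admission, which is the same outcome the PSP demo shows. The functions above are useful as a pre-commit check on manifests and Helm output, before they ever reach the cluster.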
My cloud native security talk I gave at Innotech Austin 2018. I cover container and Kubernetes security topics, security features in Kubernetes, including open source projects you will want to consider while building and maintaining cloud native applications.
Kubernetes for Beginners: An Introductory Guide (Bytemark)
An introduction to Kubernetes for beginners. Includes the definition, architecture, benefits and misconceptions of Kubernetes. Written in plain English, ideal for both developers and non-developers who are new to Kubernetes.
Find out more about Kubernetes at Bytemark here: https://www.bytemark.co.uk/managed-kubernetes/
WSO2Con US 2015 Kubernetes: a platform for automating deployment, scaling, an... (Brian Grant)
Kubernetes can run application containers on clusters of physical or virtual machines.
It can also do much more than that.
Kubernetes satisfies a number of common needs of applications running in production, such as co-locating helper processes, mounting storage systems, distributing secrets, application health checking, replicating application instances, horizontal auto-scaling, load balancing, rolling updates, and resource monitoring.
However, even though Kubernetes provides a lot of functionality, there are always new scenarios that would benefit from new features. Ad hoc orchestration that is acceptable initially often requires robust automation at scale. Application-specific workflows can be streamlined to accelerate developer velocity.
This is why Kubernetes was also designed to serve as a platform for building an ecosystem of components and tools to make it easier to deploy, scale, and manage applications. The Kubernetes control plane is built upon the same APIs that are available to developers and users, implementing resilient control loops that continuously drive the current state towards the desired state. This design has enabled Apache Stratos and a number of other Platform as a Service and Continuous Integration and Deployment systems to build atop Kubernetes.
This presentation introduces Kubernetes’s core primitives, shows how some of its better known features are built on them, and introduces some of the new capabilities that are being added.
Author: Oleg Chunikhin, www.eastbanctech.com
Kubernetes is a portable open source system for managing and orchestrating containerized cluster applications. Kubernetes solves a number of DevOps related problems out of the box in a simple and unified way – rolling updates and update rollback, canary deployment and other complicated deployment scenarios, scaling, load balancing, service discovery, logging, monitoring, persistent storage management, and much more. You will learn how in less than 30 minutes a reliable self-healing production-ready Kubernetes cluster may be deployed on AWS and used to host and operate multiple environments and applications.
Join us to learn the concepts and terminology of Kubernetes such as Nodes, Labels, Pods, Replication Controllers, Services. After taking a closer look at the Kubernetes master and the nodes, we will walk you through the process of building, deploying, and scaling microservices applications. Each attendee gets $100 credit to start using Google Container Engine. The source code is available at https://github.com/janakiramm/kubernetes-101
These slides are from my talk at InfoSec2020 (https://2020.infosec.org.tw/) in Taiwan. They describe container security: what the issues are, how to exploit them and how to defend against them.
Kubernetes Webinar - Using ConfigMaps & Secrets (Janakiram MSV)
Many applications require configuration using some combination of configuration files, command line arguments, and environment variables. ConfigMaps in Kubernetes provide mechanisms to inject containers with configuration data while keeping them portable. Secrets decouple sensitive content from the pods using a volume plug-in. This webinar will discuss the use cases and scenarios for using ConfigMaps and Secrets.
** Kubernetes Certification Training: https://www.edureka.co/kubernetes-cer... **
This Edureka tutorial on "Kubernetes Networking" will give you an introduction to the popular DevOps tool Kubernetes and will deep dive into Kubernetes networking concepts. The following topics are covered in this training session:
1. What is Kubernetes?
2. Kubernetes Cluster
3. Pods, Services & Ingress Networks
4. Case Study of Wealth Wizards
5. Hands-On
DevOps Tutorial Blog Series: https://goo.gl/P0zAfF
** Kubernetes Certification Training: https://www.edureka.co/kubernetes-certification **
This Edureka tutorial on "Kubernetes Architecture" will give you an introduction to the popular DevOps tool Kubernetes and will deep dive into Kubernetes architecture and how it works. The following topics are covered in this training session:
1. What is Kubernetes
2. Features of Kubernetes
3. Kubernetes Architecture and Its Components
4. Components of Master Node and Worker Node
5. ETCD
6. Network Setup Requirements
DevOps Tutorial Blog Series: https://goo.gl/P0zAfF
Helm - Application deployment management for Kubernetes (Alexei Ledenev)
Use Helm to package and deploy a composed application to any Kubernetes cluster. Manage your releases easily over time and across multiple K8s clusters.
History and basics of containers, LXC, Docker and Kubernetes. This presentation was given to engineering college students at VIT DevFest 2018. Beginner to intermediate level.
Container Days: Hijack a Kubernetes Cluster - a Walkthrough (Nico Meisenzahl)
Nico will show how to hijack a Kubernetes cluster based on common attack vectors. You'll also learn why it's important to implement zero-trust to prevent data leaks and malicious workloads from being executed on a hijacked cluster.
Furthermore, he will show you how to protect your cluster from being taken over by sharing useful insights, configurations, and toolsets.
This talk is not intended to be an in-depth security talk, but to provide you with best practices and also make you aware of certain attack vectors and how to prevent them.
Aleksei Dremin - Application Security Pipeline - phdays9 (Alexey Dremin)
Presented at PHDays 9, 2019, Moscow. A real-world model of an Application Security Pipeline based on Jenkins. The talk covers the key principles of how to build and scale an AppSec program using automation and orchestration, with samples of useful tools for security scans such as Snyk, DefectDojo, Retire.js, Node audit, OWASP Dependency-Check and Safety.
Presented by Tim Mackey, Senior Technology Evangelist, Black Duck Software on August 17.
To use containers safely, you need to be aware of potential security issues and the tools you need for securing container-based systems. Secure production use of containers requires an understanding of how attackers might seek to compromise the container, and what you should be aware of to minimize that potential risk.
Tim Mackey, Senior Technical Evangelist at Black Duck Software, provides guidance for developing container security policies and procedures around threats such as:
1. Network security
2. Access control
3. Tamper management and trust
4. Denial of service and SLAs
5. Vulnerabilities
Register today to learn about the biggest security challenges you face when deploying containers, and how you can effectively deal with those threats.
Watch the webinar on BrightTalk: http://bit.ly/2bpdswg
A list of action items to keep in mind when doing DevSecOps for your cloud-native environments. Given as part of a talk in the Modern Security series (https://info.signalsciences.com/securing-cloud-native-ten-tips-better-container-security).
Why should developers care about container security? (Eric Smalling)
Slides from my talk at SF Bay Cloud Native Containers Meetup Feb 2022 and SnykLive Stranger Danger on April 27, 2022.
https://www.meetup.com/cloudnativecontainers/events/283721735/
How to Prevent Your Kubernetes Cluster From Being Hacked (Nico Meisenzahl)
Nico and Philip will show how to prevent your Kubernetes cluster from being hijacked by introducing you to best practices as well as useful open source projects based on real-world examples. You'll learn everything you need to know to build and run secure Kubernetes clusters.
Open Source License Compliance with AGL (Paul Barker)
If you distribute a product that runs an open source software stack such as Automotive Grade Linux (AGL) then you have obligations to fulfill under the GPL and other open source licenses. Thankfully, AGL is built upon the Yocto Project which provides tooling to help you achieve this.
Paul will present an overview of the license compliance tools available to users of AGL and show how they can be used. Paul will highlight best practices to follow and potential pitfalls to avoid. Paul will discuss how to handle modern programming languages such as Go, Javascript, and Rust and how to deal with common concerns such as commercially licensed media codecs and GPLv3 licensed software components. He will also bring the audience up to date with the latest developments and ongoing upstream work in Yocto Project which will be available to AGL users in the future. This talk will not give legal advice.
Hacking Samsung's Tizen: The OS of Everything - Hack In the Box 2015 (Ajin Abraham)
Samsung's first Tizen-based devices are set to launch in the middle of 2015. This paper presents the research outcome on the security analysis of Tizen OS and its underlying security architecture. The paper begins with a quick introduction to Tizen architecture and explains the various components of Tizen OS. This will be followed by Tizen's security model, where application sandboxing and resource access control will be explained. Moving on, an overview of Tizen's Content Security Framework, which acts as an in-built malware detection API, will be covered.
Various vulnerabilities in Tizen will be discussed, including issues like Tizen WebKit2 address spoofing and content injection, Tizen WebKit CSP bypass and issues in Tizen's memory protection (ASLR and DEP).
The Future of Security and Productivity in Our Newly Remote World (DevOps.com)
Andy has made mistakes. He's seen even more. And in this talk he details the best and the worst of the container and Kubernetes security problems he's experienced, exploited, and remediated.
This talk details low level exploitable issues with container and Kubernetes deployments. We focus on lessons learned, and show attendees how to ensure that they do not fall victim to avoidable attacks.
See how to bypass security controls and exploit insecure defaults in this technical appraisal of the container and cluster security landscape.
Numerous application packaging and delivery tools are available on the global market, and among them Docker has earned a prominent reputation with countless organizations around the globe.
Why Should Developers Care About Container Security? (All Things Open)
Presenting at All Things Open 2022
Presented by Eric Smalling
Title: Why Should Developers Care About Container Security?
Abstract: Container scanning tools, industry publications, and application security experts are constantly telling us about best practices for how to build our images and run our containers. Often these non-functional requirements seem abstract and are not described well enough for those of us that don’t have an appsec background to fully understand why they are important.
In this session, we will:
- go over several of the most common practices to best containerize applications
- show examples of how your application can be exploited in a container
- and most importantly, how to easily spot issues and fix your Dockerfiles and deployment manifests before you commit your code
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024 (Tobias Schneck)
As AI technology pushes into IT, I wondered, as an "infrastructure container Kubernetes guy", how this fancy AI technology gets managed from an infrastructure operations point of view. Is it possible to apply our beloved cloud native principles as well? What benefits could both technologies bring to each other?
Let me take these questions and provide you with a short journey through existing deployment models and use cases for AI software. Using practical examples, we discuss what cloud/on-premise strategy we may need to apply it to our own infrastructure and make it work from an enterprise perspective. I want to give an overview of infrastructure requirements and technologies, and of what could benefit or limit your AI use cases in an enterprise environment. An interactive demo will give you some insight into the approaches I have already got working for real.
JMeter webinar - integration with InfluxDB and Grafana (RTTS)
Watch this recorded webinar about real-time monitoring of application performance. See how to integrate Apache JMeter, the open-source leader in performance testing, with InfluxDB, the open-source time-series database, and Grafana, the open-source analytics and visualization application.
In this webinar, we will review the benefits of leveraging InfluxDB and Grafana when executing load tests and demonstrate how these tools are used to visualize performance metrics.
Length: 30 minutes
Session Overview
-------------------------------------------
During this webinar, we will cover the following topics while demonstrating the integrations of JMeter, InfluxDB and Grafana:
- What out-of-the-box solutions are available for real-time monitoring JMeter tests?
- What are the benefits of integrating InfluxDB and Grafana into the load testing stack?
- Which features are provided by Grafana?
- Demonstration of InfluxDB and Grafana using a practice web application
To view the webinar recording, go to:
https://www.rttsweb.com/jmeter-integration-webinar
Neuro-symbolic is not enough, we need neuro-*semantic* (Frank van Harmelen)
Neuro-symbolic (NeSy) AI is on the rise. However, simply machine learning on just any symbolic structure is not sufficient to really harvest the gains of NeSy. These will only be gained when the symbolic structures have an actual semantics. I give an operational definition of semantics as “predictable inference”.
All of this illustrated with link prediction over knowledge graphs, but the argument is general.
State of ICS and IoT Cyber Threat Landscape Report 2024 preview (Prayukth K V)
The IoT and OT threat landscape report has been prepared by the Threat Research Team at Sectrio using data from Sectrio's cyber threat intelligence farming facilities spread across over 85 cities around the world. In addition, Sectrio also runs AI-based advanced threat and payload engagement facilities that serve as sinks to attract and engage sophisticated threat actors and newer malware, including new variants and latent threats that are at an earlier stage of development.
The latest edition of the OT/ICS and IoT security Threat Landscape Report 2024 also covers:
State of global ICS asset and network exposure
Sectoral targets and attacks as well as the cost of ransom
Global APT activity, AI usage, actor and tactic profiles, and implications
Rise in volumes of AI-powered cyberattacks
Major cyber events in 2024
Malware and malicious payload trends
Cyberattack types and targets
Vulnerability exploit attempts on CVEs
Attacks on counties – USA
Expansion of bot farms – how, where, and why
In-depth analysis of the cyber threat landscape across North America, South America, Europe, APAC, and the Middle East
Why are attacks on smart factories rising?
Cyber risk predictions
Axis of attacks – Europe
Systemic attacks in the Middle East
Download the full report from here:
https://sectrio.com/resources/ot-threat-landscape-reports/sectrio-releases-ot-ics-and-iot-security-threat-landscape-report-2024/
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -... (DanBrown980551)
Do you want to learn how to model and simulate an electrical network from scratch in under an hour?
Then welcome to this PowSyBl workshop, hosted by Rte, the French Transmission System Operator (TSO)!
During the webinar, you will discover the PowSyBl ecosystem as well as handle and study an electrical network through an interactive Python notebook.
PowSyBl is an open source project hosted by LF Energy, which offers a comprehensive set of features for electrical grid modelling and simulation. Among other advanced features, PowSyBl provides:
- A fully editable and extendable library for grid component modelling;
- Visualization tools to display your network;
- Grid simulation tools, such as power flows, security analyses (with or without remedial actions) and sensitivity analyses;
The framework is mostly written in Java, with a Python binding so that Python developers can access PowSyBl functionalities as well.
What you will learn during the webinar:
- For beginners: discover PowSyBl's functionalities through a quick general presentation and the notebook, without needing any expert coding skills;
- For advanced developers: master the skills to efficiently apply PowSyBl functionalities to your real-world scenarios.
Let's dive deeper into the world of ODC! Ricardo Alves (OutSystems) will join us to tell all about the new Data Fabric. After that, Sezen de Bruijn (OutSystems) will get into the details on how to best design a sturdy architecture within ODC.
The Art of the Pitch: WordPress Relationships and Sales (Laura Byrne)
Clients don't know what they don't know. What web solutions are right for them? How does WordPress come into the picture? How do you make sure you understand scope and timeline? What do you do if something changes?
All these questions and more will be explored as we talk about matching clients’ needs with what your agency offers without pulling teeth or pulling your hair out. Practical tips, and strategies for successful relationship building that leads to closing the deal.
Connector Corner: Automate dynamic content and events by pushing a button (DianaGray10)
Here is something new! In our next Connector Corner webinar, we will demonstrate how you can use a single workflow to:
Create a campaign using Mailchimp with merge tags/fields
Send an interactive Slack channel message (using buttons)
Have the message received by managers and peers along with a test email for review
But there’s more:
In a second workflow supporting the same use case, you’ll see:
Your campaign sent to target colleagues for approval
If the “Approve” button is clicked, a Jira/Zendesk ticket is created for the marketing design team
But—if the “Reject” button is pushed, colleagues will be alerted via Slack message
Join us to learn more about this new, human-in-the-loop capability, brought to you by Integration Service connectors.
And...
Speakers:
Akshay Agnihotri, Product Manager
Charlie Greenberg, Host
"Impact of front-end architecture on development cost", Viktor Turskyi (Fwdays)
I have heard many times that architecture is not important for the front-end. Also, many times I have seen how developers implement features on the front-end just following the standard rules for a framework and think that this is enough to successfully launch the project, and then the project fails. How to prevent this and what approach to choose? I have launched dozens of complex projects and during the talk we will analyze which approaches have worked for me and which have not.
Essentials of Automations: Optimizing FME Workflows with Parameters (Safe Software)
Are you looking to streamline your workflows and boost your projects’ efficiency? Do you find yourself searching for ways to add flexibility and control over your FME workflows? If so, you’re in the right place.
Join us for an insightful dive into the world of FME parameters, a critical element in optimizing workflow efficiency. This webinar marks the beginning of our three-part “Essentials of Automation” series. This first webinar is designed to equip you with the knowledge and skills to utilize parameters effectively: enhancing the flexibility, maintainability, and user control of your FME projects.
Here’s what you’ll gain:
- Essentials of FME Parameters: Understand the pivotal role of parameters, including Reader/Writer, Transformer, User, and FME Flow categories. Discover how they are the key to unlocking automation and optimization within your workflows.
- Practical Applications in FME Form: Delve into key user parameter types including choice, connections, and file URLs. Allow users to control how a workflow runs, making your workflows more reusable. Learn to import values and deliver the best user experience for your workflows while enhancing accuracy.
- Optimization Strategies in FME Flow: Explore the creation and strategic deployment of parameters in FME Flow, including the use of deployment and geometry parameters, to maximize workflow efficiency.
- Pro Tips for Success: Gain insights on parameterizing connections and leveraging new features like Conditional Visibility for clarity and simplicity.
We’ll wrap up with a glimpse into future webinars, followed by a Q&A session to address your specific questions surrounding this topic.
Don’t miss this opportunity to elevate your FME expertise and drive your projects to new heights of efficiency.
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo... (James Anderson)
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Jeffrey Haguewood
Sidekick Solutions uses Bonterra Impact Management (fka Social Solutions Apricot) and automation solutions to integrate data for business workflows.
We believe integration and automation are essential to user experience and the promise of efficient work through technology. Automation is the critical ingredient to realizing that full vision. We develop integration products and services for Bonterra Case Management software to support the deployment of automations for a variety of use cases.
This video focuses on the notifications, alerts, and approval requests using Slack for Bonterra Impact Management. The solutions covered in this webinar can also be deployed for Microsoft Teams.
Interested in deploying notification automations for Bonterra Impact Management? Contact us at sales@sidekicksolutionsllc.com to discuss next steps.
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Kubernetes and container security
1. Kubernetes & Container Security
by Volodymyr Shynkar
Senior Lead DevOps Engineer
2021 | intellias.com
2. [devops@stage ~]$ cat ABOUT_ME.md
• 6+ years of commercial DevOps experience. Overall 8+ years of engineering
• Member of Technology Office
• Member of the Center of Excellence
• Successfully migrated, rolled out, consulted over 15 projects in the healthcare, gambling, automotive, e-commerce industries
• Certified SAFe Agile Software Engineer
• Addicted to IoT and Smart Home
• Cyclist, promoter of a healthy lifestyle
Volodymyr Shynkar
Senior Lead DevOps Engineer at Intellias
[devops@stage ~]$
5. Will talk about:
• Scan containers and Pods for vulnerabilities or misconfigurations.
• Run containers and Pods with the least privileges possible.
• Use network separation to control the amount of damage a compromise can cause.
• Use firewalls to limit unneeded network connectivity and encryption to protect confidentiality.
• Use strong authentication and authorization to limit user and administrator access as well as to limit the attack surface.
• Periodically review all Kubernetes settings and use vulnerability scans to help ensure risks are appropriately accounted for and security patches are applied.
6. Attack Surface
Analysis for:
• Cloud and Host
• Kubernetes Cluster
• Container (images and running)
Goal: Reduce the attack surface
7. Attack Surface – Cloud & Host
There are at least a few things you should do to reach a baseline security level:
• Run instances in a private network
• Expose services only through edge components such as a load balancer or proxy
• Block all external traffic except the exposed ports, e.g. 80 and 443
• Do not expose SSH. Use AWS Systems Manager Session Manager (SSM) instead.
• Minimize the privileges of applications running on the host
• Optional: for HTTP traffic, use a WAF if possible
Goal: follow the "principle of least privilege"
Managed Kubernetes services already ship with most of these features enabled; verify them anyway, because defaults differ between providers and versions.
9. Dockerfile best practices
1. Avoid unnecessary privileges.
   1. Avoid running containers as root.
   2. Don't bind to a specific UID.
   3. Make executables owned by root and not writable.
2. Reduce attack surface.
   1. Leverage multistage builds.
   2. Use distroless images, or build your own from scratch.
   3. Update your images frequently.
   4. Watch out for exposed ports.
3. Prevent confidential data leaks.
   1. Never put secrets or credentials in Dockerfile instructions.
   2. Prefer COPY over ADD.
   3. Be aware of the Docker context, and use .dockerignore.
4. Others.
   1. Reduce the number of layers, and order them intelligently.
   2. Add metadata and labels.
   3. Leverage linters to automate checks.
   4. Scan your images locally during development.
5. Beyond image building.
   1. Protect the docker socket and TCP connections.
   2. Sign your images, and verify them at runtime.
   3. Avoid tag mutability.
   4. Don't run your environment as root.
   5. Include a health check.
   6. Restrict your application capabilities.
Source: https://sysdig.com/blog/dockerfile-best-practices/
10. Let's start from scratch
First steps
Start from your app:
• unprivileged user (rootless)
• read-only filesystem
• no shell, cat, grep, less, tail, echo, etc.
• keep as little as possible inside the container: only the app, no source code and no build dependencies
• no baked-in secrets; mount them through a volume, or keep them encrypted
Seriously :)
More examples:
https://github.com/GoogleContainerTools/distroless
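A Dockerfile linter in Python that encodes several of the rules from the two slides above (pinned tags, a non-root USER, COPY over ADD, no credentials in ENV/ARG, a HEALTHCHECK, a multistage build, no unexpected EXPOSE). This is an added example, not code from the talk or from any of the linked tools; the two sample Dockerfiles, the regex of secret-like names, the sensitive-port set and the image names in the "good" file are constructed for it.

```python
"""Dockerfile linter for the checklist above (added example, not code from the
talk). It parses a Dockerfile into instructions, handling comments and
backslash line continuations, and applies a subset of the listed rules.
The sample Dockerfiles, the secret-name regex and the port set are constructed."""
import re

# Names that should never appear as build-time or image environment variables.
SECRET_HINT = re.compile(r"(password|passwd|secret|token|api[_-]?key|private[_-]?key)", re.I)
# Ports that should not be baked into an application image (assumption for the example).
SENSITIVE_PORTS = {"22", "23", "2375"}


def parse_dockerfile(text):
    """Return a list of (INSTRUCTION, arguments) tuples."""
    instructions, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):            # continuation: join with the next line
            buf += line[:-1] + " "
            continue
        buf += line
        op, _, args = buf.partition(" ")
        instructions.append((op.upper(), args.strip()))
        buf = ""
    return instructions


def image_tag(ref):
    """Tag of an image reference; 'digest' when pinned by @sha256; None when untagged."""
    if "@" in ref:
        return "digest"
    last = ref.rsplit("/", 1)[-1]          # a registry:port must not be mistaken for a tag
    return last.split(":", 1)[1] if ":" in last else None


def lint(text):
    """Return a list of findings (an empty list means every rule passed)."""
    ins = parse_dockerfile(text)
    findings = []
    stages = [a for op, a in ins if op == "FROM"]
    for args in stages:
        ref = next(t for t in args.split() if not t.startswith("--"))  # skip --platform=...
        if ref.lower() != "scratch" and image_tag(ref) in (None, "latest"):
            findings.append(f"FROM {ref}: pin a tag (better: a digest) to avoid tag mutability")
    if len(stages) < 2:
        findings.append("single-stage build: use a multistage build so compilers, package "
                        "managers and source code stay out of the final image")
    users = [a for op, a in ins if op == "USER"]
    if not users or users[-1].split(":")[0] in ("root", "0"):
        findings.append("no non-root USER: the container will run as root")
    for op, args in ins:
        if op == "ADD":
            findings.append(f"ADD {args}: prefer COPY (ADD fetches URLs and unpacks archives)")
        if op in ("ENV", "ARG") and SECRET_HINT.search(args):
            findings.append(f"{op} {args}: credentials in the Dockerfile end up in image history")
        if op == "EXPOSE":
            for port in args.split():
                if port.split("/")[0] in SENSITIVE_PORTS:
                    findings.append(f"EXPOSE {port}: unexpected port in an application image")
    if not any(op == "HEALTHCHECK" for op, _ in ins):
        findings.append("no HEALTHCHECK instruction")
    return findings


# Constructed samples: the first breaks seven rules, the second passes all of them.
BAD_DOCKERFILE = """\
FROM python:latest
ENV DB_PASSWORD=hunter2
ADD . /app
RUN pip install -r /app/requirements.txt
EXPOSE 22 8080
CMD ["python", "/app/main.py"]
"""

GOOD_DOCKERFILE = """\
FROM python:3.12-slim AS builder
WORKDIR /app
COPY requirements.txt .
RUN pip install --no-cache-dir --target=/app/deps \\
        -r requirements.txt
COPY main.py .

FROM gcr.io/distroless/python3-debian12:nonroot
COPY --from=builder /app /app
ENV PYTHONPATH=/app/deps
USER nonroot
EXPOSE 8080
HEALTHCHECK CMD ["python3", "-c", "import urllib.request; urllib.request.urlopen('http://127.0.0.1:8080/healthz')"]
ENTRYPOINT ["python3", "/app/main.py"]
"""

if __name__ == "__main__":
    for name, text in (("bad", BAD_DOCKERFILE), ("good", GOOD_DOCKERFILE)):
        print(f"{name}: {lint(text) or ['clean']}")
```

Run it in CI before `docker build` and fail the job on any finding. Note that Kubernetes ignores Docker's HEALTHCHECK and relies on liveness and readiness probes, so on a cluster it is the probe, not the instruction, that matters.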
16. Scan your image
Docker and Snyk entered into a partnership to provide container vulnerability scanning (`docker scan`).
Source: https://www.docker.com/blog/bringing-docker-scan-to-linux/
Caveat: `docker scan` has since been deprecated in favour of Docker Scout; Trivy and Grype are standalone alternatives. Whichever scanner you use, run it in CI and fail the build on findings above your severity threshold.
18. Next to discuss:
• Deployment to the cluster
• Pod Security Policy
• Open Policy Agent
• Network Policy
• Secrets
• Securing the Cluster
Kubernetes Hardening
Remember: follow the “Principle of least privilege”
19. Deployment to the cluster
kubectl apply -f my_app.yaml
helm install my_app charts/my_app
20. How to automate deployment?
There are two approaches:
• Push-based
• Regular CI (Jenkins, GitLab CI, GitHub Actions, CircleCI) applies the manifests using cluster credentials that the CI system holds
21. How to automate deployment?
There are two approaches:
• Pull-based
• GitOps strategy (Argo CD, Flux): an agent inside the cluster pulls the desired state from Git, so no external CI system needs cluster credentials
22. How to manage access in Argo CD
By only two resources: AppProject and Application. An AppProject restricts which Git repositories, destination clusters and namespaces, and resource kinds its Applications may use, so a team cannot deploy into another team's namespace even if it controls its own repository.
24. How to grant access
Argo CD comes with a powerful UI
• Embedded security features
• SSO support (SAML, OIDC, e.g. Okta)
• Enhanced experience
• Role-based access control (RBAC) via AppProject roles
• Easy to use
25. Pod Security Policy
Pod Security Policies (PSPs) are one way to control the security-related attributes of pods, including container privilege levels.
• Do not run application processes as root
• Do not allow privilege escalation
• Use a read-only root filesystem
• Use the default (masked) /proc filesystem mount
• Do not use the host network or process space
• Drop unused and unnecessary Linux capabilities
• Service Account control
26. Pod Security Policy
When a PSP resource is created, it does nothing by itself. Its use must be authorized through RBAC: the requesting user, or the pod's service account, needs a Role granting the `use` verb on that policy, otherwise the admission controller rejects the pod.
27. Pod Security Policy is deprecated since v1.21 and was removed in v1.25
The replacement is Pod Security Admission (KEP-2579, "PSP Replacement Policy"), which enforces the Pod Security Standards (privileged, baseline, restricted) per namespace through namespace labels instead of RBAC-bound policy objects:
https://github.com/kubernetes/enhancements/tree/master/keps/sig-auth/2579-psp-replacement
PSP Replacement Policy
"The way PSPs are applied to Pods has proven confusing to nearly everyone that has attempted to use them."
28. Open Policy Agent (Gatekeeper)
Need to control other pod fields, or any field in any other resource? How can you achieve that?
The answer is Gatekeeper, a validating (and mutating) admission controller driven by OPA policies. It lets you:
• Require labels
• Require a resources section (requests and limits)
• Mutate container images to always point to the corporate image registry
• Set node and pod affinity and anti-affinity selectors on Deployments
• Enforce anything you want to see, or not to see, in your manifests
29. Open Policy Agent (Gatekeeper)
Example: enforce the use of allowed container registries only (a ConstraintTemplate whose Rego rejects any container whose image does not start with one of the allowed prefixes, plus a Constraint that lists those prefixes).
The other examples can be found here:
https://github.com/open-policy-agent/gatekeeper/tree/master/demo
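The PSP checklist on slide 25 and the Gatekeeper allowed-registry example above are both admission decisions over a pod spec. The following Python is an added example, not code from the talk, from Gatekeeper or from kubeaudit: it applies those checks to a pod manifest already parsed into a dict (`json.load` on `kubectl get pod -o json` output works, as does a YAML library on rendered Helm templates). The registry allowlist, the single permitted added capability and the two sample pods are assumptions constructed for the example.

```python
"""Admission-style pod checks (added example, not code from the talk, Gatekeeper
or kubeaudit). audit_pod() applies the PSP checklist plus an allowed-registry
rule to a pod manifest given as a parsed dict. The registry allowlist, the one
capability a container may add back, and both sample pods are constructed."""

ALLOWED_REGISTRIES = {"registry.corp.example.com"}   # assumption for the example
ALLOWED_ADDED_CAPS = {"NET_BIND_SERVICE"}            # assumption for the example


def image_registry(image):
    """Registry host of an image reference using Docker's normalization rule:
    the first path component is a registry only if it contains '.' or ':' or is
    'localhost'; otherwise the image comes from docker.io (so 'nginx' and
    'bitnami/nginx' both resolve to Docker Hub, which an allowlist must catch)."""
    first, sep, _ = image.partition("/")
    if sep and ("." in first or ":" in first or first == "localhost"):
        return first.lower()
    return "docker.io"


def audit_pod(pod, allowed_registries=ALLOWED_REGISTRIES):
    """Return a list of findings; an empty list means the pod would be admitted."""
    spec = pod["spec"]
    pod_sc = spec.get("securityContext", {})
    findings = []
    for field in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(field):
            findings.append(f"pod: {field} must not be set")
    if spec.get("automountServiceAccountToken") is not False:
        findings.append("pod: automountServiceAccountToken should be false unless the "
                        "workload talks to the API server")
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        where, c_sc = f"container/{c['name']}", c.get("securityContext", {})
        if image_registry(c["image"]) not in allowed_registries:
            findings.append(f"{where}: image {c['image']} is not from an allowed registry")
        if c_sc.get("privileged"):
            findings.append(f"{where}: privileged containers are not allowed")
        # Container-level settings override pod-level ones for these two fields.
        run_as_non_root = c_sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot"))
        run_as_user = c_sc.get("runAsUser", pod_sc.get("runAsUser"))
        if run_as_non_root is not True and not (type(run_as_user) is int and run_as_user > 0):
            findings.append(f"{where}: set runAsNonRoot: true (or a non-zero runAsUser)")
        if c_sc.get("allowPrivilegeEscalation") is not False:
            findings.append(f"{where}: allowPrivilegeEscalation must be false")
        if c_sc.get("readOnlyRootFilesystem") is not True:
            findings.append(f"{where}: readOnlyRootFilesystem must be true")
        caps = c_sc.get("capabilities", {})
        if "ALL" not in caps.get("drop", []):
            findings.append(f"{where}: capabilities.drop must include ALL")
        extra = set(caps.get("add", [])) - ALLOWED_ADDED_CAPS
        if extra:
            findings.append(f"{where}: capabilities.add contains {sorted(extra)}")
        if c_sc.get("procMount", "Default") != "Default":
            findings.append(f"{where}: procMount must be Default (masked /proc)")
    return findings


# Constructed sample pods: one that would be rejected, one that passes.
BAD_POD = {
    "metadata": {"name": "web-bad", "namespace": "shop"},
    "spec": {
        "hostNetwork": True,
        "containers": [{"name": "web", "image": "nginx",
                        "securityContext": {"privileged": True}}],
    },
}

GOOD_POD = {
    "metadata": {"name": "web-good", "namespace": "shop"},
    "spec": {
        "automountServiceAccountToken": False,
        "securityContext": {"runAsNonRoot": True, "runAsUser": 10001,
                            "seccompProfile": {"type": "RuntimeDefault"}},
        "containers": [{
            "name": "web",
            "image": "registry.corp.example.com/shop/web@sha256:" + "0" * 64,
            "securityContext": {
                "allowPrivilegeEscalation": False,
                "readOnlyRootFilesystem": True,
                "capabilities": {"drop": ["ALL"], "add": ["NET_BIND_SERVICE"]},
            },
        }],
    },
}

if __name__ == "__main__":
    for pod in (BAD_POD, GOOD_POD):
        print(pod["metadata"]["name"], audit_pod(pod) or ["admitted"])
```

The container-level rules are the same ones the Pod Security Standards "restricted" profile enforces, so a pod that passes here is also what Pod Security Admission expects once PSP is gone.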
31. Network Policy
By default, namespaces are not network-isolated: any pod can talk to any pod in any namespace.
Isolation comes from NetworkPolicy resources, which only take effect when the cluster's CNI enforces them; RBAC scopes API access per namespace but does nothing for pod-to-pod traffic.
With this simple config (a policy with an empty podSelector and no ingress rules) you isolate the namespace from other namespaces.
32. Network Policy
Network policy is not enforced by the default AWS EKS CNI (as of the talk); you had to install Calico. Newer versions of the Amazon VPC CNI can enforce NetworkPolicy natively, but it is opt-in, so verify enforcement with a test pod rather than assuming it.
With this simple config (an ingress rule whose from entry uses a namespaceSelector) you allow traffic from a specific namespace.
33. Network Policy
With the AWS EKS CNI you can also assign different security groups per pod, which can complement or, for some workloads, replace network policy; it comes with instance-type and ENI limits, so check those constraints before relying on it.
With this simple config (an ingress rule with a ports list) you allow traffic to a specific port only.
You can also specify the protocol (TCP, UDP or SCTP).
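To make the three NetworkPolicy slides concrete, here is an added example (not code from the talk) in Python that evaluates whether ingress from one pod to another is allowed under a set of policies, using the semantics the slides rely on: a pod is isolated only once some policy selects it, rules across policies are ORed, and namespaceSelector and podSelector inside one `from` entry are ANDed. The namespaces, pods and policies are constructed; it assumes the `kubernetes.io/metadata.name` label that Kubernetes sets on namespaces since v1.21, and models only matchLabels, numeric ports and namespace/pod peers (no matchExpressions, named ports or ipBlock).

```python
"""NetworkPolicy ingress evaluator (added example, not code from the talk).
Models matchLabels selectors, numeric ports and namespace/pod peers only;
matchExpressions, named ports and ipBlock are out of scope (assumptions).
Namespaces, pods and policies below are constructed for the example."""


def selects(selector, labels):
    """matchLabels match; an empty selector ({}) matches everything."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())


def policy_types(spec):
    """API default: Ingress always, Egress only when an egress section exists."""
    return spec.get("policyTypes") or ["Ingress"] + (["Egress"] if "egress" in spec else [])


def peer_matches(peer, src, policy_ns, ns_labels):
    """One `from` entry: namespaceSelector AND podSelector when both are present."""
    if "ipBlock" in peer:
        return False                                  # CIDR peers not modelled
    if "namespaceSelector" in peer:
        if not selects(peer["namespaceSelector"], ns_labels.get(src["namespace"], {})):
            return False
    elif src["namespace"] != policy_ns:
        return False                                  # podSelector alone means "this namespace"
    return selects(peer.get("podSelector", {}), src["labels"])


def port_matches(rule_ports, port, protocol):
    if not rule_ports:
        return True                                   # no ports listed: any port
    for p in rule_ports:
        if p.get("protocol", "TCP") != protocol:
            continue
        if "port" not in p:
            return True                               # protocol only: every port of it
        if p["port"] <= port <= p.get("endPort", p["port"]):
            return True
    return False


def ingress_allowed(src, dst, port, policies, ns_labels, protocol="TCP"):
    """Would traffic from pod `src` reach pod `dst` on port/protocol?"""
    applicable = [
        p for p in policies
        if p["metadata"]["namespace"] == dst["namespace"]
        and "Ingress" in policy_types(p["spec"])
        and selects(p["spec"].get("podSelector", {}), dst["labels"])
    ]
    if not applicable:
        return True                                   # nothing selects the pod: not isolated
    for pol in applicable:                            # rules are additive across policies
        for rule in pol["spec"].get("ingress") or []:
            peers = rule.get("from") or []
            from_ok = not peers or any(peer_matches(pe, src, dst["namespace"], ns_labels)
                                       for pe in peers)
            if from_ok and port_matches(rule.get("ports"), port, protocol):
                return True
    return False


# Constructed cluster state. kubernetes.io/metadata.name is set by Kubernetes itself.
NAMESPACE_LABELS = {ns: {"kubernetes.io/metadata.name": ns}
                    for ns in ("shop", "monitoring", "default")}
WEB = {"namespace": "shop", "labels": {"app": "web"}}
DB = {"namespace": "shop", "labels": {"app": "db"}}
PROMETHEUS = {"namespace": "monitoring", "labels": {"app": "prometheus"}}
STRANGER = {"namespace": "default", "labels": {"app": "debug"}}

POLICIES = [
    {   # slide 31: isolate the namespace, i.e. deny all ingress to every pod in it
        "metadata": {"name": "default-deny-ingress", "namespace": "shop"},
        "spec": {"podSelector": {}, "policyTypes": ["Ingress"]},
    },
    {   # slides 32/33: allow the monitoring namespace to reach web on TCP 8080 only
        "metadata": {"name": "allow-monitoring-to-web", "namespace": "shop"},
        "spec": {
            "podSelector": {"matchLabels": {"app": "web"}},
            "ingress": [{
                "from": [{"namespaceSelector": {
                    "matchLabels": {"kubernetes.io/metadata.name": "monitoring"}}}],
                "ports": [{"protocol": "TCP", "port": 8080}],
            }],
        },
    },
    {   # podSelector-only peer: only web pods in the same namespace may reach db
        "metadata": {"name": "allow-web-to-db", "namespace": "shop"},
        "spec": {
            "podSelector": {"matchLabels": {"app": "db"}},
            "ingress": [{"from": [{"podSelector": {"matchLabels": {"app": "web"}}}],
                         "ports": [{"port": 5432}]}],
        },
    },
]

if __name__ == "__main__":
    for src, dst, port in ((PROMETHEUS, WEB, 8080), (PROMETHEUS, WEB, 9090),
                           (STRANGER, WEB, 8080), (WEB, DB, 5432), (PROMETHEUS, DB, 5432)):
        print(src["labels"]["app"], "->", dst["labels"]["app"], port,
              "allowed" if ingress_allowed(src, dst, port, POLICIES, NAMESPACE_LABELS) else "denied")
```

Note what the default-deny policy changes: with it removed, every pod in the namespace is unselected and therefore reachable from anywhere, which is exactly the state slide 31 warns about.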
34. Secrets
Where do I version-control my secrets?
What is the solution?
• Paper/USB/CD-R in two fireproof safes?
• HashiCorp Vault (often with Consul as its storage backend)?
35. Secrets
Where do I version-control my secrets?
What is the solution?
• Sealed Secrets (a Kubernetes controller and a tool for one-way encrypted Secrets): a SealedSecret is encrypted with the in-cluster controller's public key, so it is safe to commit, and only the controller can decrypt it into a Secret
  https://github.com/bitnami-labs/sealed-secrets
• git-crypt, transparent file encryption in git:
  https://www.agwa.name/projects/git-crypt/
Either way, rotate any secret that was ever committed in plain text; rewriting history does not unpublish it.
38. Securing the Cluster
API Server
On older releases the API server also listens on the so-called insecure port, 8080, by default. Any request to this port bypasses authentication and authorization checks.
• Close it by setting the API server's --insecure-port flag to 0
• And make sure --insecure-bind-address is not set
Caveat: these flags are inert since v1.20 and were removed in v1.24, so on current clusters there is no insecure port to close; on older ones, verify the setting instead of trusting the default.
39. Securing the Cluster
etcd
The etcd backend database is a critical component and the most important thing to secure within the cluster: whoever can read it can read every Secret (unless encryption at rest is configured), and whoever can write it owns the cluster.
• Serve clients over TLS (--cert-file, --key-file) and require client certificates (--client-cert-auth=true, --trusted-ca-file)
• Use a dedicated CA for etcd so that it only trusts certificates issued to API servers
• Encrypt peer traffic as well (--peer-cert-file, --peer-key-file, --peer-client-cert-auth=true)
40. Securing the Cluster
Kubelet
The kubelet is the node agent responsible for launching pods. Its API (port 10250) can exec into and read logs from every pod on the node, so it is as sensitive as the API server itself.
Check these parameters:
• Disable anonymous access with --anonymous-auth=false
• Ensure that requests are authorized by setting --authorization-mode to something other than AlwaysAllow (Webhook delegates the decision to the API server)
41. Securing the Cluster
Kubernetes Dashboard
The Dashboard has historically been used by attackers to gain access to Kubernetes clusters.
Check these parameters:
• Allow only authenticated access. Only known users should be able to reach the Dashboard.
• Use RBAC. Limit the privileges users have so they can only do what they need to; never bind the Dashboard's service account to cluster-admin.
• Don't expose your Dashboard to the public internet
• Unless you really know what you're doing.
42. Securing the Cluster
The following table lists the control plane ports and services.
Protocol  Direction  Port Range                       Purpose
TCP       Inbound    6443 (or 8080 if not disabled)   Kubernetes API server
TCP       Inbound    2379-2380                        etcd server client API
TCP       Inbound    10250                            kubelet API
TCP       Inbound    10251                            kube-scheduler
TCP       Inbound    10252                            kube-controller-manager
TCP       Inbound    10258                            cloud-controller-manager (optional)
You can curl each port to check whether it is secured.
Caveat: 10251 and 10252 are the legacy plaintext ports of kube-scheduler and kube-controller-manager; current releases serve only TLS, on 10259 and 10257. 2380 is the etcd peer port and should be reachable from other etcd members only.
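The slide suggests curl-ing each port; the following added Python example (not code from the talk) performs that unauthenticated probe for the ports in the table and interprets the result the way the API server, etcd and kubelet slides describe: a plaintext answer or an anonymous 200 is bad, while 401, a rejected TLS handshake or a closed port is what a hardened control plane looks like. Probe paths, the port table and the default host are assumptions for the example; run it from a network position an attacker might have, not only from the control plane itself.

```python
"""Control-plane port probe (added example, not code from the talk). probe()
makes one unauthenticated request per port, first over TLS without a client
certificate and then over plaintext; classify() turns the outcome into a
verdict. Paths, the port table and the default host are assumptions."""
import http.client
import ssl
import sys

# Port -> (service, a path that must require credentials on a hardened cluster)
CONTROL_PLANE_PORTS = {
    6443: ("kube-apiserver", "/api"),
    8080: ("kube-apiserver insecure port (legacy)", "/api"),
    2379: ("etcd client API", "/version"),
    2380: ("etcd peer API", "/version"),
    10250: ("kubelet API", "/pods"),
    10251: ("kube-scheduler insecure port (legacy)", "/healthz"),
    10252: ("kube-controller-manager insecure port (legacy)", "/healthz"),
    10257: ("kube-controller-manager", "/healthz"),
    10259: ("kube-scheduler", "/healthz"),
}


def http_status(host, port, path, timeout, ctx):
    """Single GET; returns the status code, raises on connect or TLS failure."""
    if ctx is None:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
    else:
        conn = http.client.HTTPSConnection(host, port, timeout=timeout, context=ctx)
    try:
        conn.request("GET", path)
        return conn.getresponse().status
    finally:
        conn.close()


def probe(host, port, timeout=3.0):
    """Return (scheme, status). scheme is None when unreachable; status is
    'tls_rejected' when the server refuses to talk without a client certificate."""
    path = CONTROL_PLANE_PORTS.get(port, ("", "/"))[1]
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE       # we probe authn behaviour, not server identity
    try:
        return "https", http_status(host, port, path, timeout, ctx)
    except ssl.SSLError:
        pass                              # handshake refused, or the port is not TLS at all
    except (OSError, http.client.HTTPException):
        return None, None                 # refused, filtered or timed out
    try:
        return "http", http_status(host, port, path, timeout, None)
    except (OSError, http.client.HTTPException):
        return "https", "tls_rejected"


def classify(port, scheme, status):
    """Map a probe outcome to ('OK' | 'BAD' | 'REVIEW', explanation)."""
    service = CONTROL_PLANE_PORTS.get(port, ("unknown service", "/"))[0]
    if scheme is None:
        return "OK", f"{port} {service}: not reachable"
    if status == "tls_rejected":
        return "OK", (f"{port} {service}: TLS handshake rejected without a client "
                      "certificate (expected for etcd with --client-cert-auth)")
    if scheme == "http":
        return "BAD", f"{port} {service}: answers plaintext HTTP {status}; close the insecure port"
    if status == 200:
        return "BAD", (f"{port} {service}: anonymous HTTPS request succeeded; anonymous "
                       "auth or AlwaysAllow authorization is on")
    if status == 401:
        return "OK", f"{port} {service}: anonymous requests are rejected (401)"
    if status == 403:
        return "OK", (f"{port} {service}: anonymous user is authenticated but denied by "
                      "RBAC (403); set --anonymous-auth=false where no client needs it")
    return "REVIEW", f"{port} {service}: HTTPS {status}, inspect manually"


def scan(host, ports=tuple(CONTROL_PLANE_PORTS)):
    """Probe and classify every port in the table for one host."""
    return [classify(p, *probe(host, p)) for p in ports]


if __name__ == "__main__":
    for verdict, text in scan(sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"):
        print(f"[{verdict}] {text}")
```

A 403 on 6443 is the normal state of an API server with anonymous auth left at its default, because `system:anonymous` is authenticated and then denied by RBAC; the same 403 on 10250 means the kubelet still accepts anonymous users and only the Webhook authorizer is stopping them.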
44. Kubescape
Kubescape tests whether a Kubernetes cluster is deployed securely, checking it against the NSA/CISA Kubernetes hardening guidance.
Source: https://github.com/armosec/kubescape
45. Kube-bench
kube-bench checks a cluster against the CIS Kubernetes Benchmark. It runs on the nodes as a Job or CronJob, so the checks can be executed on a regular basis.
Source: https://github.com/aquasecurity/kube-bench
46. Kubesec
kubectl plugin for scanning Kubernetes pods, deployments, daemonsets and statefulsets. It scores each manifest and suggests what should be improved or changed.
Source: https://github.com/controlplaneio/kubectl-kubesec
47. Kubeaudit
kubeaudit is a command line tool to audit Kubernetes clusters for various security
concerns, such as:
• run as non-root
• use a read-only root filesystem
• drop scary capabilities, don't add new ones
• don't run privileged
Source: https://github.com/Shopify/kubeaudit
48. Ksniff
A kubectl plugin that utilizes tcpdump and Wireshark to start a remote capture on any pod in your Kubernetes cluster. It needs exec access into the pod (or a privileged pod in -p mode), which is itself a permission to guard with RBAC.
Source: https://github.com/eldadru/ksniff