Karthik Gaekwad, profile picture
Uploaded byKarthik Gaekwad
PPTX, PDF1,605 views

Kubernetes Security

The document presents a comprehensive overview of Kubernetes security challenges and best practices, addressing complexities in container management, deployment, and operations in cloud-native environments. It emphasizes the importance of reducing the attack surface through various techniques, including securing cluster components, managing access controls, and utilizing Kubernetes' built-in security features. Additionally, it highlights open-source tools available for enhancing security, such as kube-bench and clair, while encouraging periodic audits and adherence to best practices.

Technology
Related topics:
cloud-native
In this document
Powered by AI

Overview of the speaker and his role in advocating Kubernetes security and building community.

Phases of cloud adoption:Developer, DevOps, Business with emphasis on container usage and the need for security.

Examples of security incidents involving unsecured Kubernetes dashboards and kubelet credentials hacks.

Strategies to reduce attack surface in Kubernetes focusing on host, container images, and security best practices.

Essential Kubernetes features including authentication, authorization, audit logging, network policies and secrets management for enhancing security.

Discussion of various open source tools like Clair, Kube-bench, and Kubesec designed to enhance Kubernetes security and monitor vulnerabilities.

Resources for further reading on Kubernetes security and encouraging ongoing efforts to improve it.

Embed presentation

Downloaded 151 times
Kubernetes Security Karthik Gaekwad INNOTECH Austin 2018
• I’m Karthik Gaekwad • NOT a DBA • https://cloudnative.oracle.com/ • Cloud Native evangelist at OCI • Used to be a developer on the OKE Team. Hello @iteration1
Hello • Been in Industry 15 years. • In general, I like building stuff with friends. • A maintainer for Gauntlt- Open source security scanner. • Love Teaching and building community. • Run Devopsdays Austin, Container Days, Cloud Austin. • Chair All Day Devops Cloud Native track. • LinkedIn Learning Author for Learning Kubernetes (and more).
Need an OCI Trial Account? http://bitly.com/ocicloud
My questions for you..
The Cloud Native Journey 6 Phase I Developer Focus Phase II DevOps Focus Phase III Business Focus (end-to-end) Container Adoption Application Deployment Intelligent Operations SpeedEfficiencyAgility Docker Kubernetes Core to Edge Developer adoption Dev/Test apps Simple orchestration Individual developers DevOps deployment Production apps Advanced orchestration Teams & lines of business End-to-end integration Digital business apps Serverless, DevSecOps, & ML Cloud native enterprises Focus Applications Automation Community
Latest CNCF Survey: August 2018 How Does Your Company Use Containers and Where?
Kubernetes Dominates Container Management Your company/organization manages containers with:
Good News, Bad News… Good: On average, CNCF project usage is up over 200% since the Dec 2017! But...
Complexity, Culture, Training, & Security Issues Remain
• Managing, maintaining, upgrading Kubernetes Control Plane • API Server, etcd, scheduler etc…. • Managing, maintaining, upgrading Kubernetes Data Plane • In place upgrades, deploy parallel cluster etc…. • Figuring out container networking & storage • Overlays, persistent storage etc… - it should just work • Managing Teams • How do I manage & control team access to my clusters? • Security, security, security Kubernetes & Cloud Native Challenges 11 Source: Oracle Customer Survey 2018
How Are Teams Addressing Complexity, Training Issues? App Management Upgrades & Patching Platform Backup & Recovery High Availability Scaling App Deployment Power, HVAC Rack and Stack Server Provisioning Software Installation Customer Managed Fully-Managed App Management Upgrades & Patching Platform Backup & Recovery High Availability Scaling App Deployment Power, HVAC Rack and Stack Server Provisioning Software Installation  Faster Time to Deploy  Lower Risk  Accelerate Innovation Benefits YOU
Which brings us to security…
Where no news, is good news!
Unsecured K8s dashboards • Unsecured Kubernetes Dashboard with account creds. • Used this to mine cryptocurrency. • 2017: Aviva • 2018: Tesla, Weight Watchers • https://redlock.io/blog/cryptoja cking-tesla
Kubelet credentials hack • Shopify: Server Side request Forgery • Get kubelet certs/private key • Root access to any container in part of infrastructure. • https://hackerone.com/reports/ 341876
WAT?
How did we get here?
“Kubernetes is too complicated”
“Kubernetes is too complicated” “We hope it’ll get easier”
What is your strate
Let’s look at: •Attack Surface • More importantly, how to limit damage •Security related features in K8s • The more you know, the better you build •Opensource Tooling to help • Because we all need help
Attack Surface
Attack Surface Goal: Reduce the attack surface •Analysis for: •Host •Container (Images and running) •Kubernetes Cluster
Attack Surface • Work on reducing the attack surface: • Analysis for: • Host • Container (Images and running) • Kubernetes Cluster
Attack Surface: Host • These are the machines you’re running Kubernetes on. • Age old principles of Linux still apply: • Enable SELinux • AppArmor • Seccomp • Goal: Minimize privilege to applications running on the host
Attack Surface: Container Images • Know your base image when building containers • Smaller the better • Don’t rely on :latest tag • Check for vulnerabilities periodically
Attack Surface: Running Containers • Don’t run as root • Limit host mounts
Attack Surface: Kubernetes Cluster • TLS • Audit Logs • Network Policies • Pod Security Policies • Secrets
Kubernetes Cluster: TLS TLS ALL THE THINGS
Attack Surface: Host • These are the machines you’re running Kubernetes on. • Age old principles of Linux still apply: • Enable SELinux • AppArmor • Seccomp • Hardened Images • Goal: Minimize privilege to applications running on the host • Good news: Already a wealth of information on this subject! • http://lmgtfy.com/?q=how+to+reduce+attack+surface+linux
Attack Surface: Container Images GOAL: Know your base image when building containers
Attack Surface: Container Images GOAL: Know your base image when building containers **BTW, this is just a ruby helloworld app
Attack Surface: Container Images GOAL: Know your base image when building containers **BTW, this is just a ruby helloworld app
Attack Surface: Container Images GOAL: Know your base image when building containers Full disclosure: I’m karthequian; I created this as a ruby 101 container for learning purposes only
Attack Surface: Container Images GOAL: Know your base image when building containers • When in doubt, stick to an official images! • Or start from a sane base image (example: alpine linux)
Attack Surface: Container Images GOAL: Smaller the image, the better • Less things for an attacker to exploit. • Quicker to push, quicker to pull.
Attack Surface: Container Images GOAL: Don’t rely on :latest tag • :latest image yesterday might not be :latest image tomorrow • Instead, you’d want to know what specific version you’re operating with. • Side benefit: If there is a new vulnerability announced for OS version x.y.z, you know immediately whether you’re running that version!
Attack Surface: Container Images GOAL: Check for vulnerabilities periodically • Plenty of ways to do this in registries. We’ll cover more in the tooling section
Attack Surface: Running Containers GOAL: Don’t run as root • Containers running as root might be completely unnecessary for the actual application. • If compromised, attacker can do a lot more things.. • Pod security policies can help (we’ll see how later).
Attack Surface: Running Containers GOAL: Limit host mounts • Be wary of images that require broad access to paths on the host • Limit your host mount to a smaller subset of directories • Reduces blast radius on compromise
Attack Surface: Kubernetes Cluster
Kubernetes Cluster- TLS TLS ALL THE THINGS
Kubernetes Cluster- TLS • TLS Checklist: 1. Nodes and Master 2. User and Master 3. Everything etcd 4. Kubelet to API Server
Kubernetes Cluster- TLS
Kubernetes Cluster- TLS • TLS Checklist: 1. User and Master 2. Nodes and Master 3. Everything etcd 4. Kubelet to API Server
We’re a little better off now. But what else to do?
K8s Features How can the platform help me make secure choices?
K8s Features • Authentication • Authorization • Audit Logging • Network Policies • Pod security policies • Kubernetes Secrets
Authentication and Authorization • Do you know how you are authenticating with Kubernetes? • Many ways to Authenticate • Client Certs • Static token file • Service Account tokens • OpenID • Webhook Mode • And more (https://kubernetes.io/docs/reference/access-authn-authz/authentication/)
Whatever you do, DO NOT YOLO! Goal: Pick a strategy that fits your use case
You can pick an authz strategy.. If you DO NOT YOLO…
Authentication and Authorization https://kubernetes.io/docs/reference/access-authn-authz/authorization/
Authentication and Authorization • Pro tip: Nobody uses ABAC anymore. Don’t be that guy…. • RBAC is the defacto standard • Based on roles and role bindings • Good set of defaults: https://github.com/uruddarraju/kubernetes-rbac-policies • Can use multiple authorizers together, but can get confusing. • 1st authorizer to authorize passes authz
Kubernetes Cluster- Audit Logs • Wat? • “Kubernetes auditing provides a security-relevant chronological set of records documenting the sequence of activities that have affected system by individual users, administrators or other components of the system.” • Answers: What/when/who/where information on security events. • Your job: Periodically watch Kubernetes Audit logs • https://kubernetes.io/docs/tasks/debug-application-cluster/audit/
Kubernetes Cluster- Network Policies • Consider adding a network policy to the cluster… • Default Policy: All pods can talk to all other pods. • Consider limiting this with a Network Policy • https://kubernetes.io/docs/concepts/services-networking/network-policies/
Kubernetes Cluster- Pod Security Policies • Consider adding Pod Security policies • PodSecurityPolicy: A Defined set of conditions a pod must run with. • Think of this as authorization for pods.
Kubernetes Cluster: Pod Security Policies https://kubernetes.io/docs/concepts/policy/pod-security-policy/#what-is-a-pod-security-policy Capability for an admin to control specific actions
Kubernetes Secrets • GOAL: Use Kubernetes secrets to store sensitive data instead of config maps. • Also look at: secrets encryption provider. • Controls how etcd encrypts API data • --experimental-encryption-provider-config • https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/
ToolingOpensource Tooling
Keep tabs on the CNCF Security landscape https://landscape.cncf.io/landscape=security-compliance
CNCF Projects • “The Update Framework” • Is a framework or a methodology. • Used for secure software updates. • Based on ideas surrounding trust and integrity. • Is a project. • Based on TUF. • A solution to secure software updates and distribution. • Used in Docker Trusted Registry.
Clair • Open source project for the static analysis of vulnerabilities in containers. • Find vulnerable images in your repo. • Built into quay.io, but you can add to your own repo. • https://github.com/coreos/clair
Kube-bench • Checks whether a Kubernetes cluster is deployed according to security best practices. • Run this after creating your K8s cluster. • https://github.com/aquasecurity/kube-bench • Defined by the CIS Benchmarks Docs: https://www.cisecurity.org/cis- benchmarks/ • Run it against your Kubernetes Master, or Kubernetes node.
Kube-bench example
Kubesec • Helps you quantify risk for Kubernetes resources. • Run against your K8s applications (deployments/pods/daemonsets etc) • https://kubesec.io/ from controlplane • Can be used standalone, or as a kubectl plugin (https://github.com/stefanprodan/kubectl-kubesec)
Kubesec example
Kubeaudit • Opensourced from Shopify. • Auditing your applications in your K8s cluster. • https://github.com/Shopify/kubeaudit • Little more targeted than Kubesec.
Kubeaudit example
“So much time and so little to do.”
Couple more resources to look at: • 11 ways not to get hacked: https://kubernetes.io/blog/2018/07/18/11-ways-not-to-get-hacked • K8s security (from Image Hygiene to Network Policy): https://speakerdeck.com/mhausenblas/kubernetes-security-from- image-hygiene-to-network-policies
KEEP CALM AND KUBE ON @iteration1

More Related Content

PDF
Kubernetes Networking | Kubernetes Services, Pods & Ingress Networks | Kubern...
byEdureka!
 
PDF
Deploy Application on Kubernetes
byOpsta
 
PDF
Kubernetes security
byThomas Fricke
 
PPTX
Kubernetes and container security
byVolodymyr Shynkar
 
PDF
NGINX Ingress Controller for Kubernetes
byNGINX, Inc.
 
PDF
Kubernetes Secrets Management on Production with Demo
byOpsta
 
PDF
Introduction to kubernetes
byRaffaele Di Fazio
 
PDF
Kubernetes extensibility: CRDs & Operators
bySIGHUP
 
Kubernetes Networking | Kubernetes Services, Pods & Ingress Networks | Kubern...
byEdureka!
 
Deploy Application on Kubernetes
byOpsta
 
Kubernetes security
byThomas Fricke
 
Kubernetes and container security
byVolodymyr Shynkar
 
NGINX Ingress Controller for Kubernetes
byNGINX, Inc.
 
Kubernetes Secrets Management on Production with Demo
byOpsta
 
Introduction to kubernetes
byRaffaele Di Fazio
 
Kubernetes extensibility: CRDs & Operators
bySIGHUP
 

What's hot

PDF
Kubernetes Architecture | Understanding Kubernetes Components | Kubernetes Tu...
byEdureka!
 
PDF
Kubernetes Architecture and Introduction
byStefan Schimanski
 
PDF
Kubernetes: A Short Introduction (2019)
byMegan O'Keefe
 
PPTX
Kubernetes Introduction
byEric Gustafson
 
PDF
Kubernetes
byMeng-Ze Lee
 
PDF
Kubernetes
byerialc_w
 
PDF
Kubernetes Security
byinovex GmbH
 
PPTX
Adopting OpenTelemetry
byVincent Behar
 
PPTX
Introduction to kubernetes
byRishabh Indoria
 
PPTX
Interop 2018 - Understanding Kubernetes - Brian Gracely
byBrian Gracely
 
PDF
How to test infrastructure code: automated testing for Terraform, Kubernetes,...
byYevgeniy Brikman
 
PDF
Kubernetes Deployment Strategies
byAbdennour TM
 
PPTX
Securing and Automating Kubernetes with Kyverno
bySaim Safder
 
PDF
Kubernetes 101
byCrevise Technologies
 
PDF
Service Mesh on Kubernetes with Istio
byMichelle Holley
 
PPTX
A brief study on Kubernetes and its components
byRamit Surana
 
PDF
Kubernetes Security Best Practices - With tips for the CKS exam
byAhmed AbouZaid
 
PDF
An Introduction to Kubernetes
byImesh Gunaratne
 
PPSX
Docker Kubernetes Istio
byAraf Karsh Hamid
 
PDF
OpenTelemetry Introduction
byDimitrisFinas1
 
Kubernetes Architecture | Understanding Kubernetes Components | Kubernetes Tu...
byEdureka!
 
Kubernetes Architecture and Introduction
byStefan Schimanski
 
Kubernetes: A Short Introduction (2019)
byMegan O'Keefe
 
Kubernetes Introduction
byEric Gustafson
 
Kubernetes
byMeng-Ze Lee
 
Kubernetes
byerialc_w
 
Kubernetes Security
byinovex GmbH
 
Adopting OpenTelemetry
byVincent Behar
 
Introduction to kubernetes
byRishabh Indoria
 
Interop 2018 - Understanding Kubernetes - Brian Gracely
byBrian Gracely
 
How to test infrastructure code: automated testing for Terraform, Kubernetes,...
byYevgeniy Brikman
 
Kubernetes Deployment Strategies
byAbdennour TM
 
Securing and Automating Kubernetes with Kyverno
bySaim Safder
 
Kubernetes 101
byCrevise Technologies
 
Service Mesh on Kubernetes with Istio
byMichelle Holley
 
A brief study on Kubernetes and its components
byRamit Surana
 
Kubernetes Security Best Practices - With tips for the CKS exam
byAhmed AbouZaid
 
An Introduction to Kubernetes
byImesh Gunaratne
 
Docker Kubernetes Istio
byAraf Karsh Hamid
 
OpenTelemetry Introduction
byDimitrisFinas1
 

Similar to Kubernetes Security

PPTX
DevSecOps in a cloudnative world
byKarthik Gaekwad
 
PPTX
10 tips for Cloud Native Security
byKarthik Gaekwad
 
PPTX
KubeSecOps
byKarthik Gaekwad
 
PPTX
Kubernetes Security Act Now Before It’s Too Late
byMichael Furman
 
PDF
Stanislav Kolenkin & Igor Khoroshchenko - Knock Knock: Security threats with ...
byNoNameCon
 
PPTX
Practical Approaches to Cloud Native Security
byKarthik Gaekwad
 
PDF
Kubernetes - Security Journey
byJerry Jalava
 
PPTX
12 Ways Not to get 'Hacked' your Kubernetes Cluster
bySuman Chakraborty
 
PDF
Kubernetes 101 for_penetration_testers_-_null_mumbai
byn|u - The Open Security Community
 
PDF
Hacking into your containers, and how to stop it!
byEric Smalling
 
PDF
Kubernetes - security you need to know about it
byHaydn Johnson
 
PDF
Hardening Kubernetes Cluster
byKnoldus Inc.
 
PDF
Practical Guide to Securing Kubernetes
byLacework
 
PDF
Container Security Deep Dive & Kubernetes
byAqua Security
 
PPTX
The State of Kubernetes Security
byJimmy Mesta
 
PDF
Why should developers care about container security?
byEric Smalling
 
PDF
Security threats with Kubernetes - Igor Khoroshchenko
byKuberton
 
PDF
Attacking and Defending Kubernetes - Nithin Jois
byOWASP Hacker Thursday
 
PDF
GDG SLK - Why should devs care about container security.pdf
byJames Anderson
 
PDF
The Hacker's Guide to Kubernetes
byPatrycja Wegrzynowicz
 
DevSecOps in a cloudnative world
byKarthik Gaekwad
 
10 tips for Cloud Native Security
byKarthik Gaekwad
 
KubeSecOps
byKarthik Gaekwad
 
Kubernetes Security Act Now Before It’s Too Late
byMichael Furman
 
Stanislav Kolenkin & Igor Khoroshchenko - Knock Knock: Security threats with ...
byNoNameCon
 
Practical Approaches to Cloud Native Security
byKarthik Gaekwad
 
Kubernetes - Security Journey
byJerry Jalava
 
12 Ways Not to get 'Hacked' your Kubernetes Cluster
bySuman Chakraborty
 
Kubernetes 101 for_penetration_testers_-_null_mumbai
byn|u - The Open Security Community
 
Hacking into your containers, and how to stop it!
byEric Smalling
 
Kubernetes - security you need to know about it
byHaydn Johnson
 
Hardening Kubernetes Cluster
byKnoldus Inc.
 
Practical Guide to Securing Kubernetes
byLacework
 
Container Security Deep Dive & Kubernetes
byAqua Security
 
The State of Kubernetes Security
byJimmy Mesta
 
Why should developers care about container security?
byEric Smalling
 
Security threats with Kubernetes - Igor Khoroshchenko
byKuberton
 
Attacking and Defending Kubernetes - Nithin Jois
byOWASP Hacker Thursday
 
GDG SLK - Why should devs care about container security.pdf
byJames Anderson
 
The Hacker's Guide to Kubernetes
byPatrycja Wegrzynowicz
 

More from Karthik Gaekwad

PPTX
Why to Cloud Native
byKarthik Gaekwad
 
PDF
Mental Health studies and devops
byKarthik Gaekwad
 
PPTX
This is your community
byKarthik Gaekwad
 
PPTX
Kube Apps in action
byKarthik Gaekwad
 
PDF
Kubernetes security and you
byKarthik Gaekwad
 
PPTX
Kube applications in action
byKarthik Gaekwad
 
PDF
Devops and Dadops
byKarthik Gaekwad
 
PDF
Containers, microservices and serverless for realists
byKarthik Gaekwad
 
PDF
Containers and microservices for realists
byKarthik Gaekwad
 
PDF
13 practical tips for writing secure golang applications
byKarthik Gaekwad
 
PPTX
Why to docker
byKarthik Gaekwad
 
PDF
Docker management
byKarthik Gaekwad
 
PDF
Agile 2014- Metrics driven development and devops
byKarthik Gaekwad
 
PDF
Devopsdays Austin 2014 Ignite: Keep devops weird
byKarthik Gaekwad
 
PDF
Cloud Austin 2013: Conferenced2013
byKarthik Gaekwad
 
PDF
LASCON 2013 Talk: User Auth for Winners, how to get it right the first time!
byKarthik Gaekwad
 
PDF
Agile 2013 Talk: How DevOps Changes Everything
byKarthik Gaekwad
 
PDF
DevOps at the CIA
byKarthik Gaekwad
 
PDF
Sexy HTML with Twitter Bootstrap
byKarthik Gaekwad
 
PPTX
12 Clouds of Christmas 2012- Stormpath
byKarthik Gaekwad
 
Why to Cloud Native
byKarthik Gaekwad
 
Mental Health studies and devops
byKarthik Gaekwad
 
This is your community
byKarthik Gaekwad
 
Kube Apps in action
byKarthik Gaekwad
 
Kubernetes security and you
byKarthik Gaekwad
 
Kube applications in action
byKarthik Gaekwad
 
Devops and Dadops
byKarthik Gaekwad
 
Containers, microservices and serverless for realists
byKarthik Gaekwad
 
Containers and microservices for realists
byKarthik Gaekwad
 
13 practical tips for writing secure golang applications
byKarthik Gaekwad
 
Why to docker
byKarthik Gaekwad
 
Docker management
byKarthik Gaekwad
 
Agile 2014- Metrics driven development and devops
byKarthik Gaekwad
 
Devopsdays Austin 2014 Ignite: Keep devops weird
byKarthik Gaekwad
 
Cloud Austin 2013: Conferenced2013
byKarthik Gaekwad
 
LASCON 2013 Talk: User Auth for Winners, how to get it right the first time!
byKarthik Gaekwad
 
Agile 2013 Talk: How DevOps Changes Everything
byKarthik Gaekwad
 
DevOps at the CIA
byKarthik Gaekwad
 
Sexy HTML with Twitter Bootstrap
byKarthik Gaekwad
 
12 Clouds of Christmas 2012- Stormpath
byKarthik Gaekwad
 

Recently uploaded

PDF
eResource Scheduler Enterprise Resource Management and Scheduling Software.pdf
byeResource Scheduler
 
PDF
Guided Substation Engineering with CoMPAS: Simplifying IEC 61850
byDanBrown980551
 
PPTX
Combining Induction and Transduction for Abstract Reasoning.pptx
byallen578468
 
PPTX
Basics of Identity Access Management In mordern Infrastructure
byPrinceXavier18
 
PDF
Top 7 Manufacturing Software for Small Businesses Boosting Growth in 2025
byEnvertis Software Solutions
 
PDF
The major tech developments for 2026 by Pluralsight, a research and training ...
byChris Skinner
 
PDF
How Mobile Apps Are Shaping the Future of Digital Innovation
byWilliam Taylor
 
PDF
Unser Jahresrückblick – MarvelClient in 2025
bypanagenda
 
PDF
Safeguarding AI-Based Financial Infrastructure
byYasir Naveed Riaz
 
PDF
Digit Expo 2025 - EICC Edinburgh 27th November
byRay Bugg
 
PDF
Incident Response Planning with a Foundation Model
byKim Hammar
 
PDF
Usage Control for Process Discovery through a Trusted Execution Environment
byValerioGoretti
 
PDF
Agentic Automation for Testers – A Hands-On Deep Dive
byUiPathCommunity
 
DOCX
Introduction to the World of Computers (Hardware & Software)
byALIABBAS ABASOV
 
PDF
Making Sense of Raster: From Bit Depth to Better Workflows
bySafe Software
 
PDF
Generative AI in UiPath: Mastering the Generative Extractor for Intelligent D...
byDianaGray10
 
PDF
Top Cybersecurity Threats 2025 Guide by Sureshdas
byPrintersassist
 
PDF
The Ultimate Guide to Problem Management Dashboards for IT Teams.pdf
byomnex systems
 
PDF
Security Technologys: Access Control, Firewall, VPN
byShielaLasala
 
PDF
TrustArc Webinar - Assessing AI Risk with Confidence
byTrustArc
 
eResource Scheduler Enterprise Resource Management and Scheduling Software.pdf
byeResource Scheduler
 
Guided Substation Engineering with CoMPAS: Simplifying IEC 61850
byDanBrown980551
 
Combining Induction and Transduction for Abstract Reasoning.pptx
byallen578468
 
Basics of Identity Access Management In mordern Infrastructure
byPrinceXavier18
 
Top 7 Manufacturing Software for Small Businesses Boosting Growth in 2025
byEnvertis Software Solutions
 
The major tech developments for 2026 by Pluralsight, a research and training ...
byChris Skinner
 
How Mobile Apps Are Shaping the Future of Digital Innovation
byWilliam Taylor
 
Unser Jahresrückblick – MarvelClient in 2025
bypanagenda
 
Safeguarding AI-Based Financial Infrastructure
byYasir Naveed Riaz
 
Digit Expo 2025 - EICC Edinburgh 27th November
byRay Bugg
 
Incident Response Planning with a Foundation Model
byKim Hammar
 
Usage Control for Process Discovery through a Trusted Execution Environment
byValerioGoretti
 
Agentic Automation for Testers – A Hands-On Deep Dive
byUiPathCommunity
 
Introduction to the World of Computers (Hardware & Software)
byALIABBAS ABASOV
 
Making Sense of Raster: From Bit Depth to Better Workflows
bySafe Software
 
Generative AI in UiPath: Mastering the Generative Extractor for Intelligent D...
byDianaGray10
 
Top Cybersecurity Threats 2025 Guide by Sureshdas
byPrintersassist
 
The Ultimate Guide to Problem Management Dashboards for IT Teams.pdf
byomnex systems
 
Security Technologys: Access Control, Firewall, VPN
byShielaLasala
 
TrustArc Webinar - Assessing AI Risk with Confidence
byTrustArc
 

Kubernetes Security

  • 1.
  • 2.
    • I’m KarthikGaekwad • NOT a DBA • https://cloudnative.oracle.com/ • Cloud Native evangelist at OCI • Used to be a developer on the OKE Team. Hello @iteration1
  • 3.
    Hello • Been inIndustry 15 years. • In general, I like building stuff with friends. • A maintainer for Gauntlt- Open source security scanner. • Love Teaching and building community. • Run Devopsdays Austin, Container Days, Cloud Austin. • Chair All Day Devops Cloud Native track. • LinkedIn Learning Author for Learning Kubernetes (and more).
  • 4.
    Need an OCITrial Account? http://bitly.com/ocicloud
  • 5.
  • 6.
    The Cloud NativeJourney 6 Phase I Developer Focus Phase II DevOps Focus Phase III Business Focus (end-to-end) Container Adoption Application Deployment Intelligent Operations SpeedEfficiencyAgility Docker Kubernetes Core to Edge Developer adoption Dev/Test apps Simple orchestration Individual developers DevOps deployment Production apps Advanced orchestration Teams & lines of business End-to-end integration Digital business apps Serverless, DevSecOps, & ML Cloud native enterprises Focus Applications Automation Community
  • 7.
    Latest CNCF Survey:August 2018 How Does Your Company Use Containers and Where?
  • 8.
    Kubernetes Dominates ContainerManagement Your company/organization manages containers with:
  • 9.
    Good News, BadNews… Good: On average, CNCF project usage is up over 200% since the Dec 2017! But...
  • 10.
    Complexity, Culture, Training,& Security Issues Remain
  • 11.
    • Managing, maintaining,upgrading Kubernetes Control Plane • API Server, etcd, scheduler etc…. • Managing, maintaining, upgrading Kubernetes Data Plane • In place upgrades, deploy parallel cluster etc…. • Figuring out container networking & storage • Overlays, persistent storage etc… - it should just work • Managing Teams • How do I manage & control team access to my clusters? • Security, security, security Kubernetes & Cloud Native Challenges 11 Source: Oracle Customer Survey 2018
  • 12.
    How Are TeamsAddressing Complexity, Training Issues? App Management Upgrades & Patching Platform Backup & Recovery High Availability Scaling App Deployment Power, HVAC Rack and Stack Server Provisioning Software Installation Customer Managed Fully-Managed App Management Upgrades & Patching Platform Backup & Recovery High Availability Scaling App Deployment Power, HVAC Rack and Stack Server Provisioning Software Installation  Faster Time to Deploy  Lower Risk  Accelerate Innovation Benefits YOU
  • 13.
    Which brings usto security…
  • 14.
    Where no news,is good news!
  • 15.
    Unsecured K8s dashboards •Unsecured Kubernetes Dashboard with account creds. • Used this to mine cryptocurrency. • 2017: Aviva • 2018: Tesla, Weight Watchers • https://redlock.io/blog/cryptoja cking-tesla
  • 16.
    Kubelet credentials hack •Shopify: Server Side request Forgery • Get kubelet certs/private key • Root access to any container in part of infrastructure. • https://hackerone.com/reports/ 341876
  • 21.
  • 22.
    How did weget here?
  • 23.
    “Kubernetes is toocomplicated”
  • 24.
    “Kubernetes is toocomplicated” “We hope it’ll get easier”
  • 25.
  • 26.
    Let’s look at: •AttackSurface • More importantly, how to limit damage •Security related features in K8s • The more you know, the better you build •Opensource Tooling to help • Because we all need help
  • 27.
  • 28.
    Attack Surface Goal: Reducethe attack surface •Analysis for: •Host •Container (Images and running) •Kubernetes Cluster
  • 29.
    Attack Surface • Workon reducing the attack surface: • Analysis for: • Host • Container (Images and running) • Kubernetes Cluster
  • 30.
    Attack Surface: Host •These are the machines you’re running Kubernetes on. • Age old principles of Linux still apply: • Enable SELinux • AppArmor • Seccomp • Goal: Minimize privilege to applications running on the host
  • 31.
    Attack Surface: ContainerImages • Know your base image when building containers • Smaller the better • Don’t rely on :latest tag • Check for vulnerabilities periodically
  • 32.
    Attack Surface: RunningContainers • Don’t run as root • Limit host mounts
  • 33.
    Attack Surface: KubernetesCluster • TLS • Audit Logs • Network Policies • Pod Security Policies • Secrets
  • 34.
  • 35.
    Attack Surface: Host •These are the machines you’re running Kubernetes on. • Age old principles of Linux still apply: • Enable SELinux • AppArmor • Seccomp • Hardened Images • Goal: Minimize privilege to applications running on the host • Good news: Already a wealth of information on this subject! • http://lmgtfy.com/?q=how+to+reduce+attack+surface+linux
  • 36.
    Attack Surface: ContainerImages GOAL: Know your base image when building containers
  • 37.
    Attack Surface: ContainerImages GOAL: Know your base image when building containers **BTW, this is just a ruby helloworld app
  • 38.
    Attack Surface: ContainerImages GOAL: Know your base image when building containers **BTW, this is just a ruby helloworld app
  • 39.
    Attack Surface: ContainerImages GOAL: Know your base image when building containers Full disclosure: I’m karthequian; I created this as a ruby 101 container for learning purposes only
  • 40.
    Attack Surface: ContainerImages GOAL: Know your base image when building containers • When in doubt, stick to an official images! • Or start from a sane base image (example: alpine linux)
  • 41.
    Attack Surface: ContainerImages GOAL: Smaller the image, the better • Less things for an attacker to exploit. • Quicker to push, quicker to pull.
  • 42.
    Attack Surface: ContainerImages GOAL: Don’t rely on :latest tag • :latest image yesterday might not be :latest image tomorrow • Instead, you’d want to know what specific version you’re operating with. • Side benefit: If there is a new vulnerability announced for OS version x.y.z, you know immediately whether you’re running that version!
  • 43.
    Attack Surface: ContainerImages GOAL: Check for vulnerabilities periodically • Plenty of ways to do this in registries. We’ll cover more in the tooling section
  • 44.
    Attack Surface: RunningContainers GOAL: Don’t run as root • Containers running as root might be completely unnecessary for the actual application. • If compromised, attacker can do a lot more things.. • Pod security policies can help (we’ll see how later).
  • 45.
    Attack Surface: RunningContainers GOAL: Limit host mounts • Be wary of images that require broad access to paths on the host • Limit your host mount to a smaller subset of directories • Reduces blast radius on compromise
  • 46.
  • 47.
  • 48.
    Kubernetes Cluster- TLS •TLS Checklist: 1. Nodes and Master 2. User and Master 3. Everything etcd 4. Kubelet to API Server
  • 49.
  • 50.
    Kubernetes Cluster- TLS •TLS Checklist: 1. User and Master 2. Nodes and Master 3. Everything etcd 4. Kubelet to API Server
  • 51.
    We’re a little betteroff now. But what else to do?
  • 52.
    K8s Features How canthe platform help me make secure choices?
  • 53.
    K8s Features • Authentication •Authorization • Audit Logging • Network Policies • Pod security policies • Kubernetes Secrets
  • 54.
    Authentication and Authorization •Do you know how you are authenticating with Kubernetes? • Many ways to Authenticate • Client Certs • Static token file • Service Account tokens • OpenID • Webhook Mode • And more (https://kubernetes.io/docs/reference/access-authn-authz/authentication/)
  • 55.
    Whatever you do, DONOT YOLO! Goal: Pick a strategy that fits your use case
  • 56.
    You can pickan authz strategy.. If you DO NOT YOLO…
  • 57.
  • 58.
    Authentication and Authorization •Pro tip: Nobody uses ABAC anymore. Don’t be that guy…. • RBAC is the defacto standard • Based on roles and role bindings • Good set of defaults: https://github.com/uruddarraju/kubernetes-rbac-policies • Can use multiple authorizers together, but can get confusing. • 1st authorizer to authorize passes authz
  • 59.
    Kubernetes Cluster- AuditLogs • Wat? • “Kubernetes auditing provides a security-relevant chronological set of records documenting the sequence of activities that have affected system by individual users, administrators or other components of the system.” • Answers: What/when/who/where information on security events. • Your job: Periodically watch Kubernetes Audit logs • https://kubernetes.io/docs/tasks/debug-application-cluster/audit/
  • 61.
    Kubernetes Cluster- NetworkPolicies • Consider adding a network policy to the cluster… • Default Policy: All pods can talk to all other pods. • Consider limiting this with a Network Policy • https://kubernetes.io/docs/concepts/services-networking/network-policies/
  • 62.
    Kubernetes Cluster- PodSecurity Policies • Consider adding Pod Security policies • PodSecurityPolicy: A Defined set of conditions a pod must run with. • Think of this as authorization for pods.
  • 63.
    Kubernetes Cluster: PodSecurity Policies https://kubernetes.io/docs/concepts/policy/pod-security-policy/#what-is-a-pod-security-policy Capability for an admin to control specific actions
  • 64.
    Kubernetes Secrets • GOAL:Use Kubernetes secrets to store sensitive data instead of config maps. • Also look at: secrets encryption provider. • Controls how etcd encrypts API data • --experimental-encryption-provider-config • https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/
  • 65.
  • 66.
    Keep tabs onthe CNCF Security landscape https://landscape.cncf.io/landscape=security-compliance
  • 67.
    CNCF Projects • “TheUpdate Framework” • Is a framework or a methodology. • Used for secure software updates. • Based on ideas surrounding trust and integrity. • Is a project. • Based on TUF. • A solution to secure software updates and distribution. • Used in Docker Trusted Registry.
  • 68.
    Clair • Open sourceproject for the static analysis of vulnerabilities in containers. • Find vulnerable images in your repo. • Built into quay.io, but you can add to your own repo. • https://github.com/coreos/clair
  • 70.
    Kube-bench • Checks whethera Kubernetes cluster is deployed according to security best practices. • Run this after creating your K8s cluster. • https://github.com/aquasecurity/kube-bench • Defined by the CIS Benchmarks Docs: https://www.cisecurity.org/cis- benchmarks/ • Run it against your Kubernetes Master, or Kubernetes node.
  • 71.
  • 72.
    Kubesec • Helps youquantify risk for Kubernetes resources. • Run against your K8s applications (deployments/pods/daemonsets etc) • https://kubesec.io/ from controlplane • Can be used standalone, or as a kubectl plugin (https://github.com/stefanprodan/kubectl-kubesec)
  • 73.
  • 74.
    Kubeaudit • Opensourced fromShopify. • Auditing your applications in your K8s cluster. • https://github.com/Shopify/kubeaudit • Little more targeted than Kubesec.
  • 76.
  • 77.
    “So much timeand so little to do.”
  • 78.
    Couple more resourcesto look at: • 11 ways not to get hacked: https://kubernetes.io/blog/2018/07/18/11-ways-not-to-get-hacked • K8s security (from Image Hygiene to Network Policy): https://speakerdeck.com/mhausenblas/kubernetes-security-from- image-hygiene-to-network-policies
  • 79.

Editor's Notes

  • #12 However, customers face challenges along the way.  As we have spoken to customers, many have agreed with the challenges presented on this slide.
  • #13 Faster Time to Deploy No need to provision and maintain Operating System and Platforms (Linux, Kubernetes, Docker Registry, Continuous Integration Systems) Lower Risk Oracle is committed to SLAs on Performance and Manageability, in addition to Availability Accelerate Innovation Develop new Container Native apps quickly, and port existing apps faster
  • #24 Photo by Byron Sterk on Unsplash
  • #25 Photo by Byron Sterk on Unsplash
  • #26 Photo by rawpixel on Unsplash
  • #28 Photo by rawpixel on Unsplash
  • #47 Photo by rawpixel on Unsplash
  • #50 Diagram from https://docs.google.com/presentation/d/1Gp-2blk5WExI_QR59EUZdwfO2BWLJqa626mK2ej-huo/edit#slide=id.g1e639c415b_0_56. Thanks @Lucas Käldström
  • #56 Photo by Mikhail Vasilyev on Unsplash
  • #57 Photo by Mikhail Vasilyev on Unsplash
  • #66 Photo by Barn Images on Unsplash