The document outlines security approaches for Kubernetes, including configuration settings, CIS benchmarks for testing, and penetration testing methods. It emphasizes the importance of automating security in the CI/CD pipeline, enforcing immutability, and using tools like kube-bench and kube-hunter for vulnerability assessment. The authors advocate for ongoing security evaluations and adjustments to protect applications across various platforms.

1. © 2018-19 Aqua Security Software Ltd., All Rights Reserved
Preventative Security for
Kubernetes
Liz Rice
@lizrice | @aquasecteam

2. @lizrice
Agenda
■ Kubernetes configuration for security
■ CIS benchmarks – testing the configuration
■ Penetration testing – testing for vulnerabilities

3. 3
Authored by Liz Rice from Aqua Security and Michael Hausenblas from Red
Hat
https://info.aquasec.com/kubernetes-security

4. @lizrice
▪ Secure the CI/CD pipeline
▪ “Shift left” security, fix
issues early and fast
▪ Accelerate app delivery
with security automation
Aqua: our approach
▪ Enforce immutability –
no patching, no drift
▪ Whitelist good behavior,
preventing anomalies
▪ Prevent lateral movement
▪ Secure apps regardless of
platform, cloud, or OS
▪ Enable hybrid cloud and
cloud migration
▪ Avoid cloud lock-in and
security reconfiguration
Automate
DevSecOps
Modernize security
through containers
Secure once,
run anywhere

5. @lizrice
Create
software
Build Deploy
Code
quality
Security
testing
Vulnerability
scanning
Image
policies
Runtime
protection
Artifacts free of security defects Only expected
code & config
Detect anomalous
behaviour
Host
configuration
Automating Security at Every Stage

6. @lizrice
Kubernetes Host Configuration

7. @lizrice
■ Kubernetes components installed on your servers
■ Master & node components
■ Many configuration settings have a security impact
■ Example: open Kubelet port = root access
■ Defaults depend on the installer
Kubernetes configuration
What config settings
should I use?

8. @lizrice
CIS Kubernetes Benchmark

9. @lizrice
■ Open source automated tests for CIS Kubernetes Benchmark
■ Tests for Kubernetes Masters and Nodes
■ Available as a container
kube-bench
github.com/aquasecurity/kube-bench

10. @lizrice

11. @lizrice
■ Job configuration YAML
■ Run regularly to ensure no configuration drift
■ Tests defined in YAML
■ Released code follows the CIS Benchmark
■ Modify for your own purposes
kube-bench
github.com/aquasecurity/kube-bench

12. @lizrice
■ Built into the Aqua CSP
■ Provides a scored
report of the results
■ Can be scheduled to
run daily
Kubernetes & Docker CIS Benchmarks

13. @lizrice
Kubernetes penetration testing

14. @lizrice
■ Open source penetration tests for Kubernetes
■ See what an attacker would see
■ github.com/aquasecurity/kube-hunter
■ Online report viewer
■ kube-hunter.aquasec.com
kube-hunter
How do I know the
config is working to
secure my cluster?

15. @lizrice
kube-hunter.aquasec.com

16. 16

17. 17

18. @lizrice
kube-hunter with kube-bench

19. 19

20. 20

21. 21

22. @lizrice
kube-hunter inside a pod

23. @lizrice
Kubernetes cluster
pod
kube-hunter inside a pod
What if my app gets
compromised?
token
API server

24. @lizrice
■ Results depend on RBAC settings
■ and the service account you use for the pod
kube-hunter inside a pod
What if my app gets
compromised?

25. © 2018-19 Aqua Security Software Ltd., All Rights Reserved
github.com/aquasecurity/kube-bench
github.com/aquasecurity/kube-hunter
@lizrice | @aquasecteam