SBA Research, profile picture
Uploaded bySBA Research
PPTX, PDF182 views

Secure development on Kubernetes by Andreas Falk

The document is a comprehensive overview of secure development practices in Kubernetes, focusing on application, container, and Kubernetes security, as well as the management of Kubernetes secrets. It outlines various security vulnerabilities, offers best practices for securing applications and containers, and emphasizes the importance of encrypting secrets and avoiding hardcoding sensitive information. Resources and links for further reading and practical demonstrations are provided throughout the document.

Embed presentation

Download to read offline
Secure Development On Kubernetes Security Meetup by SBAResearch 10.06.2020 Andreas Falk
andreas.falk@novatec-gmbh.de / @andifalk https://www.novatec-gmbh.de/beratung/agile-security Introduction Andreas Falk Novatec Consulting 2
Agenda 1. What Can Go Wrong? 2. Application Security 3. Container Security 4. Kubernetes Security 5. Kubernetes Secrets 3
Look here: https://github.com/andifalk/secure-development-on-kubernetes 4 Where are the Slides and theCode?
Introduction 5 What can go wrong?
Severe Vulnerability in Kubernetes Source: https://blog.aquasec.com 6
Crypto Mining Via K8sDashboard Source: https://blog.heptio.com 7
Open ETCD Portsin Kubernetes (1) https://shodan.io 8
Open ETCD Portsin Kubernetes (2) 9 $ etcdctl --endpoints=http://xx.xx.xx.xx:2379 cluster-health member b97ee4034db41d17 is healthy: got healthy result from http://xx.xx.xx.xx:2379 cluster is healthy https://github.com/etcd-io/etcd/releases
Vulnerable Docker Images Source: The state of open source security report (snyk.io) 10
All is Root 11
Application- / Docker- /K8s-Security 12 Sowhat can WE do as Developers?
The Path for Secure Development on K8s Application Security Container Security Kubernetes Security Kubernetes Secrets 13
The Path for Secure Development on K8s Security ApplicationContainer Security Kubernetes Security Kubernetes Secrets 14
Application Security 15 WebApplication Authentication Authorization SQLInjection Cross Site Scripting (XSS) Cross Site Request Forgery (CSRF) Data Protection (Crypto) ...
Application Security 16
Iteration 1: Application Security https://github.com/andifalk/secure-development-on-kubernetes Live Demo: Show me thecode 17
▪ Input Validation for ALL types of input ▪ Output Encoding to preventXSS ▪ Use only Parameterized Queries/Prepared Statements ▪ Enforce Authentication &Authorization ▪ Never implement your own Crypto orSession-Management ▪ Check 3rd Party Dependencies for Vulnerabilities ▪ Use Static & Dynamic Application SecurityTesting 18 Application Security 101 https://cheatsheetseries.owasp.org https://owasp.org/www-project-top-ten https://owasp.org/www-project-proactive-controls
The Path for Secure Development on K8s Application Security Container Security Kubernetes Security Kubernetes Secrets 19
OWASP DockerTop 10 20 1. Secure User Mapping 2. Patch Management Strategy 3. Network Segmentation and Firewalling 4. Secure Defaults and Hardening 5. Maintain Security Contexts 6. Protect Secrets 7. Resource Protection 8. Container Image Integrity and Origin 9. Follow Immutable Paradigm 10. Logging https://github.com/OWASP/Docker-Security https://doi.org/10.6028/NIST.SP.800-190 https://github.com/OWASP/Container-Security-Verification-Standard https://www.bsi.bund.de
Virtual Machine (VM) Basics Physical Hardware Hypervisor (VMM) Guest OS Guest OS Guest Apps Guest Apps Physical Hardware Host OS Guest OS Guest OS Guest Apps Guest Apps VMM Type 1 Virtual MachineMonitor Type 2 Virtual MachineMonitor ESXi Workstation 21
Container (Security) Basics Linux Namespaces Control Groups (cgroups) Capabilities Mandatory Access Control Secure Computing Mode Secrets Management Container Linux Namespaces Control Groups (cgroups) Capabilities Mandatory Access Control Secure Computing Mode Secrets Management Container LXD Linux Host (LinuxKernel) 22
▪ Process IDs ▪ Network ▪ Mount Points ▪ Inter-Process Communications (IPC) ▪ User & Group IDs ▪ Unix Timesharing System (UTS): hostname & domainnames ▪ Control groups (cgroups) 23 Linux Kernel Namespaces $ man namespaces $ sudo lsns
Linux Control Groups (cgroups) ▪ Resource Limits − CPU − Memory − Devices − Processes − Network 24 For Java this only works with container aware JDK versions as of OpenJDK 8u192 or above Recommendation: Use Java 11
▪ Break up privileges into smallerunits − CAP_SYS_ADMIN − CAP_NET_ADMIN − CAP_NET_BIND_SERVICE − CAP_CHOWN − ... 25 Linux Capabilities http://man7.org/linux/man-pages/man7/capabilities.7.html $ man capabilities $ docker run --cap-drop=ALL --cap-add=NET_BIND_SERVICE
▪ Restrict System Calls − Secure Computation Mode (seccomp) − Google gVisor 26 ▪ Linux Kernel Security Modules (MAC) − AppArmor − Security-Enhanced Linux (SELinux) Linux Mandatory AccessControl & System Calls https://docs.docker.com/engine/security/seccomp https://apparmor.net https://en.wikipedia.org/wiki/Security-Enhanced_Linux https://gvisor.dev/docs
Docker Images Linux Host ... cgroups namespaces Base Image (Alpine, …) Dockerfile Application Container Image Base Image (Alpine, …) Dockerfile Application Container Image Container Registry docker run 27
USERdirective in Dockerfile Say No To Root (1) FROM openjdk:11-jre-slim COPY hello-spring-kubernetes-1.0.0-SNAPSHOT.jar app.jar EXPOSE 8080 RUN addgroup --system --gid 1002 app && adduser --system --uid 1002 --gid 1002 appuser USER 1002 ENTRYPOINT java -jar /app.jar https://opensource.com/article/18/3/just-say-no-root-containers 28
Use JIB and Distroless Images 29 Say No To Root (2) https://github.com/GoogleContainerTools/jib plugins { id 'com.google.cloud.tools.jib' version '...' } jib { container { user = 1002 } }
Container Image Security Dockerfile Application Container Registry Container Image Base Image (Alpine, …) Image Security Scanner Vulnerable 3rd party dependencies OSvulnerabilities OSvulnerabilities 30 https://anchore.com/opensource/ https://github.com/coreos/clair https://github.com/aquasecurity/trivy https://www.docker.com/blog/announcing-scanning-from-snyk-for-docker
https://www.docker.com/press-release/Docker-Snyk-Announce-Partnership-Container-Vulnerability-Scanning 31
Iteration 2: Container Security https://github.com/andifalk/secure-development-on-kubernetes Live Demo: Show me thecode 32
▪ Learn Linux (Security) Basics ▪ Load Images from Trusted RegistriesOnly ▪ Scan Images for Vulnerabilities (inCI/CD Pipeline) ▪ Say No To Root & Run with --security-opt=no-new-privileges ▪ Do NOT hardcode Secrets into a ContainerImage ▪ Limit resources (memory, CPU,processes, ...) ▪ Use Linux Security Module (seccomp, AppArmor,SELinux) 33 Container Security 101 https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html https://docs.docker.com/engine/security https://blog.aquasec.com/docker-security-best-practices https://blog.aquasec.com/devsecops-with-trivy-github-actions
The Path for Secure Development on K8s Application Security Security Security Container Kubernetes Kubernetes Secrets 34
Kubernetes Basics Ingress Service Deployment Replica Set Pod Pod Pod https://kubernetes.io/docs/concepts https://www.aquasec.com/wiki/display/containers/70+Best+Kube rnetes+Tutorials 35
36 Source: Kubernetes Security, O’Reilly, 2018 Kubernetes attack vectors
Operational / Development Kubernetes Security 37 https://kubernetes.io/docs/concepts/security/overview/#the-4c-s-of-cloud-native-security https://learnk8s.io/production-best-practices/ K8s Development Security TLS Auth Authz Master Node API Server Scheduler Etcd Controller Manager TLS Auth Authz Worker Node Kubelet Container Runtime Kube Proxy K8s Operational Security
Kubernetes Security Kubernetes Auditing Network Policies Role BasedAccess Control (RBAC) Resource Limits Pod Security Context Pod Security Policy Open Policy Agent
Resource Limits 39 https://kubernetes.io/docs/tasks/configure-pod-container/assign-cpu-resource https://kubernetes.io/docs/tasks/configure-pod-container/assign-memory-resource spec: ... containers: resources: limits: cpu: "1" memory: "512Mi" requests: cpu: 500m memory: "256Mi" ...
Pod/Container Security Context spec: securityContext: runAsNonRoot: true containers: securityContext: allowPrivilegeEscalation: false privileged: false runAsNonRoot: true readOnlyRootFilesystem: true capabilities: drop: - ALL https://kubernetes.io/docs/tasks/configure-pod-container/security-context 40
Pod Security Policy (Still In Beta!) apiVersion: policy/v1beta1 kind: PodSecurityPolicy metadata: name: no-root-policy spec: privileged: false allowPrivilegeEscalation: false requiredDropCapabilities: - ALL runAsUser: rule: 'MustRunAsNonRoot' ... https://kubernetes.io/docs/concepts/policy/pod-security-policy 41
Kubernetes Role Based AccessControl (RBAC) ClusterRole ClusterRoleBinding Role RoleBinding SubjectAPI Groups Resources Verbs Cluster-Wide 42 Namespace - User - Group - ServiceAccount https://kubernetes.io/docs/reference/access-authn-authz/rbac/
Kubernetes Role Based AccessControl (RBAC) 43 https://kubernetes.io/docs/reference/access-authn-authz/rbac/ apiGroups extensions, apps, policy, ... resources pods, deployments, configmaps, secrets,nodes, services, endpoints, podsecuritypolicies, ... verbs get, list, watch, create, update, patch, delete, use,...
Open Policy Agent 44 https://www.openpolicyagent.org https://play.openpolicyagent.org
Open Policy Agent -Kubernetes Gatekeeper 45 https://github.com/open-policy-agent/gatekeeper
Helm 3 Is Here! 46 https://v3.helm.sh https://helm.sh/docs/faq/#removal-of-tiller
Iteration 3: Kubernetes Security https://github.com/andifalk/secure-development-on-kubernetes Live Demo: Show me thecode 47
▪ Follow Container Security 101 ▪ Use a Managed Kubernetes Cluster ▪ Enable Audit Logs ▪ Enforce Authentication & Role Based Access Control ▪ Use Pod Security Policies / Open Policy Agent ▪ Upgrade to Helm Version 3.x(Remove Tiller) ▪ Monitor your Kubernetes Cluster 48 Kubernetes Security 101 https://cheatsheetseries.owasp.org https://owasp.org/www-project-top-ten https://owasp.org/www-project-proactive-controls
The Path for Secure Development on K8s Application Security Container Security Security Kubernetes Kubernetes Secrets 49
Kubernetes Secrets Secrets KMS Secrets Secrets Etcd
Kubernetes Secrets 51 https://kubernetes.io/docs/concepts/configuration/secret apiVersion: v1 kind: Secret metadata: name: hello-spring-cloud-kubernetes namespace: default type: Opaque data: user.username: dXNlcg== user.password: azhzX3VzZXI= admin.username: YWRtaW4= admin.password: azhzX2FkbWlu
▪ Encrypt Secret Data at Rest & inTransit − Only Base64 encoded by default inEtcd! ▪ Restrict interactions with secretsAPI (RBAC) ▪ Mount secrets instead of ENV Mapping 52 Kubernetes Secrets - BestPractices https://kubernetes.io/docs/concepts/configuration/secret/#best-practices https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data
Encryption Layers 53
Envelope Encryption On Kubernetes 54 https://cloud.google.com/kms/docs/envelope-encryption https://kubernetes.io/docs/tasks/administer-cluster/kms-provider
Key Management System (KMS)Providers ▪ Azure Key Vault ▪ Google Cloud KMS ▪ AWS KMS ▪ Hashicorp Vault ▪ ... https://github.com/Azure/kubernetes-kms https://github.com/Azure/kubernetes-keyvault-flexvol https://cloud.google.com/kms https://aws.amazon.com/de/kms https://learn.hashicorp.com/vault/kubernetes/external-vault 55
What about Secretsin 56 ▪ Sealed Secrets ▪ Helm Secrets ▪ Kamus ▪ Sops ▪ Hashicorp Vault https://learnk8s.io/kubernetes-secrets-in-git https://github.com/bitnami-labs/sealed-secrets https://github.com/futuresimple/helm-secrets https://github.com/Soluto/kamus https://github.com/mozilla/sops https://www.vaultproject.io
Summary 57
▪ Kubernetes is Complex - CheckAlternatives! ▪ Follow Application Security 101 ▪ Follow Container & Kubernetes Security 101 ▪ Ensure your secrets are encrypted inK8s ▪ Never store secrets in Source Control(Git, …) ▪ Check out the Demos: https://github.com/andifalk/secure-development-on-kubernetes 58 Summary / KeyInsights
Books and OnlineReferences 59
▪ Kubernetes Security, O’Reilly, 2018, ISBN: 978-1-492-04600-4 ▪ Container Security, O’Reilly, 2020, ISBN: 978-1492056706 ▪ https://github.com/andifalk/secure-development-on-kubernetes ▪ Crafty Requests: Deep Dive Into Kubernetes CVE-2018-1002105 - Ian Coldwater(Video) ▪ Ship of Fools: Shoring Up Kubernetes Security - Ian Coldwater(Video) ▪ https://kubernetes.io/docs/concepts/security/overview/#the-4c-s-of-cloud-native-security ▪ https://kubernetes.io/docs/tasks/administer-cluster/securing-a-cluster ▪ https://opensource.com/article/18/3/just-say-no-root-containers ▪ https://github.com/GoogleContainerTools/jib ▪ https://anchore.com/opensource/ ▪ https://github.com/coreos/clair ▪ https://github.com/aquasecurity/trivy ▪ https://www.owasp.org/index.php/OWASP_Docker_Top_10 60 Books and Online References(1)
▪ https://kubernetes.io/docs/tasks/configure-pod-container/assign-cpu-resource ▪ https://kubernetes.io/docs/tasks/configure-pod-container/assign-memory-resource ▪ https://kubernetes.io/docs/tasks/configure-pod-container/security-context ▪ https://kubernetes.io/docs/concepts/policy/pod-security-policy ▪ https://kubernetes.io/docs/reference/access-authn-authz/rbac/ ▪ https://kubernetes.io/docs/concepts/configuration/secret ▪ https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data ▪ https://cloud.google.com/kms/docs/envelope-encryption ▪ https://kubernetes.io/docs/tasks/administer-cluster/kms-provider ▪ https://github.com/Azure/kubernetes-kms ▪ https://cloud.google.com/kms ▪ https://aws.amazon.com/de/kms 61 Books and Online References(2)
Andreas Falk 62 Managing Consultant Mobil: +49 151 46146778 E-Mail: andreas.falk@novatec-gmbh.de Novatec Consulting GmbH Dieselstraße 18/1 D-70771 Leinfelden-Echterdingen T. +49 711 22040-700 info@novatec-gmbh.de www.novatec-gmbh.de

More Related Content

PPT
Container security
byAnthony Chow
 
PDF
KVM_security
byFrank Caviggia
 
PDF
How Secure Is Your Container? ContainerCon Berlin 2016
byPhil Estes
 
PDF
Ten layers of container security for CloudCamp Nov 2017
byGordon Haff
 
PDF
Coscup2018 itri android-in-cloud
byTian-Jian Wu
 
PDF
Veer's Container Security
byJim Barlow
 
PDF
Open network architecture e book
byCOMSATS
 
PDF
Security on a Container Platform
byAll Things Open
 
Container security
byAnthony Chow
 
KVM_security
byFrank Caviggia
 
How Secure Is Your Container? ContainerCon Berlin 2016
byPhil Estes
 
Ten layers of container security for CloudCamp Nov 2017
byGordon Haff
 
Coscup2018 itri android-in-cloud
byTian-Jian Wu
 
Veer's Container Security
byJim Barlow
 
Open network architecture e book
byCOMSATS
 
Security on a Container Platform
byAll Things Open
 

What's hot

PPTX
Understanding container security
byJohn Kinsella
 
PDF
Continuous Security: From tins to containers - now what!
byMichael Man
 
PDF
Rooting Out Root: User namespaces in Docker
byPhil Estes
 
PPTX
Lessons Learned in Automating Compliance for Containers
byAll Things Open
 
PDF
Open Source Tools for Container Security and Compliance @Docker LA Meetup 2/13
byZach Hill
 
PDF
Security of Linux containers in the cloud
byDobrica Pavlinušić
 
PDF
Docker Security: Are Your Containers Tightly Secured to the Ship?
byMichael Boelen
 
PDF
Tokyo OpenStack Summit 2015: Unraveling Docker Security
byPhil Estes
 
PPT
Container security
byAnthony Chow
 
PDF
Podman rootless containers
byGiuseppe Scrivano
 
PDF
DevOpsDaysRiga 2017: Chris Van Tuin - A DevOps State of Mind: Continuous Secu...
byDevOpsDays Riga
 
PDF
Red Hat Enterprise Linux OpenStack Platform 7 - VM Instance HA Architecture
byEtsuji Nakai
 
PDF
2008-07-30 IBM Teach the Teacher (IBM T3), Red Hat Update for System z
byShawn Wells
 
PPTX
Design, Build,and Maintain the Embedded Linux Platform
bySZ Lin
 
PDF
Docker Security Paradigm
byAnis LARGUEM
 
PDF
Hardening Linux and introducing Securix Linux
bySecurity Session
 
PPTX
Open source security tools for Kubernetes.
byMichael Ducy
 
PDF
OpenSCAP Overview(security scanning for docker image and container)
byJooho Lee
 
PDF
SSL/TLS for Mortals (Devoxx FR 2018)
byMaarten Mulders
 
PDF
Rebuild presentation - IoT Israel MeetUp
byYan Vugenfirer
 
Understanding container security
byJohn Kinsella
 
Continuous Security: From tins to containers - now what!
byMichael Man
 
Rooting Out Root: User namespaces in Docker
byPhil Estes
 
Lessons Learned in Automating Compliance for Containers
byAll Things Open
 
Open Source Tools for Container Security and Compliance @Docker LA Meetup 2/13
byZach Hill
 
Security of Linux containers in the cloud
byDobrica Pavlinušić
 
Docker Security: Are Your Containers Tightly Secured to the Ship?
byMichael Boelen
 
Tokyo OpenStack Summit 2015: Unraveling Docker Security
byPhil Estes
 
Container security
byAnthony Chow
 
Podman rootless containers
byGiuseppe Scrivano
 
DevOpsDaysRiga 2017: Chris Van Tuin - A DevOps State of Mind: Continuous Secu...
byDevOpsDays Riga
 
Red Hat Enterprise Linux OpenStack Platform 7 - VM Instance HA Architecture
byEtsuji Nakai
 
2008-07-30 IBM Teach the Teacher (IBM T3), Red Hat Update for System z
byShawn Wells
 
Design, Build,and Maintain the Embedded Linux Platform
bySZ Lin
 
Docker Security Paradigm
byAnis LARGUEM
 
Hardening Linux and introducing Securix Linux
bySecurity Session
 
Open source security tools for Kubernetes.
byMichael Ducy
 
OpenSCAP Overview(security scanning for docker image and container)
byJooho Lee
 
SSL/TLS for Mortals (Devoxx FR 2018)
byMaarten Mulders
 
Rebuild presentation - IoT Israel MeetUp
byYan Vugenfirer
 

Similar to Secure development on Kubernetes by Andreas Falk

PPTX
Kubernetes and container security
byVolodymyr Shynkar
 
PDF
Securing Containerized Applications: A Primer
byPhil Estes
 
PDF
Docker London: Container Security
byPhil Estes
 
PDF
Securing Containerized Applications: A Primer
byPhil Estes
 
PPTX
Kubernetes_Security_In_Depth_Practical r
byCseManit
 
PDF
The Container Security Checklist
byLibbySchulze
 
PDF
The Future of Security and Productivity in Our Newly Remote World
byDevOps.com
 
PPTX
12 Ways Not to get 'Hacked' your Kubernetes Cluster
bySuman Chakraborty
 
PPTX
Container security Familiar problems in new technology
byFrank Victory
 
PDF
Cloud Native TLV Meetup: Securing Containerized Applications Primer
byPhil Estes
 
PDF
Kubernetes 101 for_penetration_testers_-_null_mumbai
byn|u - The Open Security Community
 
PDF
Kubernetes - Security Journey
byJerry Jalava
 
PPTX
Intro to Container & Kubernetes Hardening.pptx
bymalaahmad1
 
PPTX
Security best practices for kubernetes deployment
byAqua Security
 
PPTX
Security best practices for kubernetes deployment
byMichael Cherny
 
PPTX
Docker_Security_Complete_Guide for audit
byCseManit
 
PPTX
Kubernetes Security
byKarthik Gaekwad
 
PPTX
Kubernetes Security Act Now Before It’s Too Late
byMichael Furman
 
PDF
Container Security
byJie Liau
 
PPTX
K8s security best practices
bySharon Vendrov
 
Kubernetes and container security
byVolodymyr Shynkar
 
Securing Containerized Applications: A Primer
byPhil Estes
 
Docker London: Container Security
byPhil Estes
 
Securing Containerized Applications: A Primer
byPhil Estes
 
Kubernetes_Security_In_Depth_Practical r
byCseManit
 
The Container Security Checklist
byLibbySchulze
 
The Future of Security and Productivity in Our Newly Remote World
byDevOps.com
 
12 Ways Not to get 'Hacked' your Kubernetes Cluster
bySuman Chakraborty
 
Container security Familiar problems in new technology
byFrank Victory
 
Cloud Native TLV Meetup: Securing Containerized Applications Primer
byPhil Estes
 
Kubernetes 101 for_penetration_testers_-_null_mumbai
byn|u - The Open Security Community
 
Kubernetes - Security Journey
byJerry Jalava
 
Intro to Container & Kubernetes Hardening.pptx
bymalaahmad1
 
Security best practices for kubernetes deployment
byAqua Security
 
Security best practices for kubernetes deployment
byMichael Cherny
 
Docker_Security_Complete_Guide for audit
byCseManit
 
Kubernetes Security
byKarthik Gaekwad
 
Kubernetes Security Act Now Before It’s Too Late
byMichael Furman
 
Container Security
byJie Liau
 
K8s security best practices
bySharon Vendrov
 

More from SBA Research

PDF
CyberResilienceAct_sec4devDialogues2025pdf
bySBA Research
 
PDF
SBATop10 Vulnerabilities_sec4devDialogues2025
bySBA Research
 
PDF
Passkeys & 2FA/MFA_sec4dev_Dialogues2025
bySBA Research
 
PDF
Gefahren von Prompt-Injection Angriffen_sec4devDialogues.pdf
bySBA Research
 
PDF
SBA Security Meetup - Deploying and managing azure sentinel as code by Bojan ...
bySBA Research
 
PDF
NDSS 2021 RandRunner: Distributed Randomness from Trapdoor VDFs with Strong U...
bySBA Research
 
PDF
SBA Security Meetup – Security Requirements Management 101 by Daniel Schwarz ...
bySBA Research
 
PDF
SBA Security Meetup: Building a Secure Architecture – A Deep-Dive into Securi...
bySBA Research
 
PDF
SBA Security Meetup: I want to break free - The attacker inside a Container
bySBA Research
 
PDF
"Rund um die ISO27001 Zertifizierung – Nähkästchentalk" by Thomas Kopeinig
bySBA Research
 
PDF
SBA Live Academy - "BIG BANG!" Highlights & key takeaways of 24 security talks
bySBA Research
 
PDF
SBA Live Academy, Rechtliche Risiken mit externen Mitarbeitern
bySBA Research
 
PDF
SBA Live Academy, What the heck is secure computing
bySBA Research
 
PDF
Tools & techniques, building a dev secops culture at mozilla sba live a...
bySBA Research
 
PDF
HydRand: Efficient Continuous Distributed Randomness. IEEE S&P 2020 by Philip...
bySBA Research
 
PDF
SBA Live Academy - Secure Containers for Developer by Mathias Tausig
bySBA Research
 
PDF
SBA Live Academy - After the overflow: self-defense techniques (Linux Kernel)...
bySBA Research
 
PDF
SBA Live Academy - Passwords: Policy and Storage with NIST SP800-63b by Jim M...
bySBA Research
 
PDF
SBA Live Academy - Threat Modeling 101 – eine kurze aber praxisnahe Einführun...
bySBA Research
 
PDF
SBA Live Academy - Angriffe gegen das Stromnetz – Wenn der Strom nicht mehr a...
bySBA Research
 
CyberResilienceAct_sec4devDialogues2025pdf
bySBA Research
 
SBATop10 Vulnerabilities_sec4devDialogues2025
bySBA Research
 
Passkeys & 2FA/MFA_sec4dev_Dialogues2025
bySBA Research
 
Gefahren von Prompt-Injection Angriffen_sec4devDialogues.pdf
bySBA Research
 
SBA Security Meetup - Deploying and managing azure sentinel as code by Bojan ...
bySBA Research
 
NDSS 2021 RandRunner: Distributed Randomness from Trapdoor VDFs with Strong U...
bySBA Research
 
SBA Security Meetup – Security Requirements Management 101 by Daniel Schwarz ...
bySBA Research
 
SBA Security Meetup: Building a Secure Architecture – A Deep-Dive into Securi...
bySBA Research
 
SBA Security Meetup: I want to break free - The attacker inside a Container
bySBA Research
 
"Rund um die ISO27001 Zertifizierung – Nähkästchentalk" by Thomas Kopeinig
bySBA Research
 
SBA Live Academy - "BIG BANG!" Highlights & key takeaways of 24 security talks
bySBA Research
 
SBA Live Academy, Rechtliche Risiken mit externen Mitarbeitern
bySBA Research
 
SBA Live Academy, What the heck is secure computing
bySBA Research
 
Tools & techniques, building a dev secops culture at mozilla sba live a...
bySBA Research
 
HydRand: Efficient Continuous Distributed Randomness. IEEE S&P 2020 by Philip...
bySBA Research
 
SBA Live Academy - Secure Containers for Developer by Mathias Tausig
bySBA Research
 
SBA Live Academy - After the overflow: self-defense techniques (Linux Kernel)...
bySBA Research
 
SBA Live Academy - Passwords: Policy and Storage with NIST SP800-63b by Jim M...
bySBA Research
 
SBA Live Academy - Threat Modeling 101 – eine kurze aber praxisnahe Einführun...
bySBA Research
 
SBA Live Academy - Angriffe gegen das Stromnetz – Wenn der Strom nicht mehr a...
bySBA Research
 

Recently uploaded

PPTX
Workflow and decision Automation with Flowable
bychakib ch
 
PDF
final.pdf
byomarbishtawi04
 
PDF
shayk.online - Anonymous chat with Sinatra and WebSockets
byEleanor McHugh
 
PDF
Agent to agent service discovery using HashiCorp Consul and Vault
byBram Vogelaar
 
PPTX
CTO Strategy OS 2026: The Tech, AI & Cloud Playbook Boards Want
byridwansassman
 
PDF
Oracle Cloud Infrastructure 2025 Architect Professional (1Z0-1127-25) Master ...
byExamCert App
 
PDF
AI in the Real World: From University to Industry
byDarvan Shvan
 
PDF
How AI Can Help Platform Engineers Build Better Platforms
byAll Things Open
 
PDF
Preserve workload integrity during cross-architecture migration
byPrincipled Technologies
 
PDF
GenerationAI_Paris_2025_Architecting_Intelligence.pdf
byapidays
 
PDF
Chapter 5 Security Mechanisms iin computer security.pdf
byGetnet Tigabie Askale -(GM)
 
PDF
Logical Optimal Actions – Towards Knowledge-based Reinforcement Learning with...
byMichiaki Tatsubori
 
PDF
GTM-and-Sales-Plan for a cyber security product
byAshish Jangir
 
PDF
Automated Governance for FME Flow: Smarter Admin at Scale
bySafe Software
 
PPTX
Celonis Optimizing your future with process
bydevjeremyappleyard
 
PDF
Founder & Tech Lead | Web Development & Digital Growth Consultant | Helping B...
byShyamal Das
 
PDF
Constraint Collapse and Fidelity Decay in Scaled Language Models
bySemantic Fidelity Lab | A. Jacobs
 
PDF
AI Vector Search Best Practices Multicloud Feb 2026
bySandesh Rao
 
PDF
Effortless Distributed Systems with Aspire.pdf
byParticular Software
 
PDF
UiPath Automation Developer Associate Training Series 2026 - Session 3
byDianaGray10
 
Workflow and decision Automation with Flowable
bychakib ch
 
final.pdf
byomarbishtawi04
 
shayk.online - Anonymous chat with Sinatra and WebSockets
byEleanor McHugh
 
Agent to agent service discovery using HashiCorp Consul and Vault
byBram Vogelaar
 
CTO Strategy OS 2026: The Tech, AI & Cloud Playbook Boards Want
byridwansassman
 
Oracle Cloud Infrastructure 2025 Architect Professional (1Z0-1127-25) Master ...
byExamCert App
 
AI in the Real World: From University to Industry
byDarvan Shvan
 
How AI Can Help Platform Engineers Build Better Platforms
byAll Things Open
 
Preserve workload integrity during cross-architecture migration
byPrincipled Technologies
 
GenerationAI_Paris_2025_Architecting_Intelligence.pdf
byapidays
 
Chapter 5 Security Mechanisms iin computer security.pdf
byGetnet Tigabie Askale -(GM)
 
Logical Optimal Actions – Towards Knowledge-based Reinforcement Learning with...
byMichiaki Tatsubori
 
GTM-and-Sales-Plan for a cyber security product
byAshish Jangir
 
Automated Governance for FME Flow: Smarter Admin at Scale
bySafe Software
 
Celonis Optimizing your future with process
bydevjeremyappleyard
 
Founder & Tech Lead | Web Development & Digital Growth Consultant | Helping B...
byShyamal Das
 
Constraint Collapse and Fidelity Decay in Scaled Language Models
bySemantic Fidelity Lab | A. Jacobs
 
AI Vector Search Best Practices Multicloud Feb 2026
bySandesh Rao
 
Effortless Distributed Systems with Aspire.pdf
byParticular Software
 
UiPath Automation Developer Associate Training Series 2026 - Session 3
byDianaGray10
 

Secure development on Kubernetes by Andreas Falk

  • 1.
    Secure Development On Kubernetes SecurityMeetup by SBAResearch 10.06.2020 Andreas Falk
  • 2.
  • 3.
    Agenda 1. What CanGo Wrong? 2. Application Security 3. Container Security 4. Kubernetes Security 5. Kubernetes Secrets 3
  • 4.
  • 5.
  • 6.
    Severe Vulnerability inKubernetes Source: https://blog.aquasec.com 6
  • 7.
    Crypto Mining ViaK8sDashboard Source: https://blog.heptio.com 7
  • 8.
    Open ETCD PortsinKubernetes (1) https://shodan.io 8
  • 9.
    Open ETCD PortsinKubernetes (2) 9 $ etcdctl --endpoints=http://xx.xx.xx.xx:2379 cluster-health member b97ee4034db41d17 is healthy: got healthy result from http://xx.xx.xx.xx:2379 cluster is healthy https://github.com/etcd-io/etcd/releases
  • 10.
    Vulnerable Docker Images Source:The state of open source security report (snyk.io) 10
  • 11.
  • 12.
    Application- / Docker-/K8s-Security 12 Sowhat can WE do as Developers?
  • 13.
    The Path forSecure Development on K8s Application Security Container Security Kubernetes Security Kubernetes Secrets 13
  • 14.
    The Path forSecure Development on K8s Security ApplicationContainer Security Kubernetes Security Kubernetes Secrets 14
  • 15.
    Application Security 15 WebApplication Authentication Authorization SQLInjection Cross SiteScripting (XSS) Cross Site Request Forgery (CSRF) Data Protection (Crypto) ...
  • 16.
  • 17.
    Iteration 1: ApplicationSecurity https://github.com/andifalk/secure-development-on-kubernetes Live Demo: Show me thecode 17
  • 18.
    ▪ Input Validationfor ALL types of input ▪ Output Encoding to preventXSS ▪ Use only Parameterized Queries/Prepared Statements ▪ Enforce Authentication &Authorization ▪ Never implement your own Crypto orSession-Management ▪ Check 3rd Party Dependencies for Vulnerabilities ▪ Use Static & Dynamic Application SecurityTesting 18 Application Security 101 https://cheatsheetseries.owasp.org https://owasp.org/www-project-top-ten https://owasp.org/www-project-proactive-controls
  • 19.
    The Path forSecure Development on K8s Application Security Container Security Kubernetes Security Kubernetes Secrets 19
  • 20.
    OWASP DockerTop 10 20 1.Secure User Mapping 2. Patch Management Strategy 3. Network Segmentation and Firewalling 4. Secure Defaults and Hardening 5. Maintain Security Contexts 6. Protect Secrets 7. Resource Protection 8. Container Image Integrity and Origin 9. Follow Immutable Paradigm 10. Logging https://github.com/OWASP/Docker-Security https://doi.org/10.6028/NIST.SP.800-190 https://github.com/OWASP/Container-Security-Verification-Standard https://www.bsi.bund.de
  • 21.
    Virtual Machine (VM)Basics Physical Hardware Hypervisor (VMM) Guest OS Guest OS Guest Apps Guest Apps Physical Hardware Host OS Guest OS Guest OS Guest Apps Guest Apps VMM Type 1 Virtual MachineMonitor Type 2 Virtual MachineMonitor ESXi Workstation 21
  • 22.
    Container (Security) Basics LinuxNamespaces Control Groups (cgroups) Capabilities Mandatory Access Control Secure Computing Mode Secrets Management Container Linux Namespaces Control Groups (cgroups) Capabilities Mandatory Access Control Secure Computing Mode Secrets Management Container LXD Linux Host (LinuxKernel) 22
  • 23.
    ▪ Process IDs ▪Network ▪ Mount Points ▪ Inter-Process Communications (IPC) ▪ User & Group IDs ▪ Unix Timesharing System (UTS): hostname & domainnames ▪ Control groups (cgroups) 23 Linux Kernel Namespaces $ man namespaces $ sudo lsns
  • 24.
    Linux Control Groups(cgroups) ▪ Resource Limits − CPU − Memory − Devices − Processes − Network 24 For Java this only works with container aware JDK versions as of OpenJDK 8u192 or above Recommendation: Use Java 11
  • 25.
    ▪ Break upprivileges into smallerunits − CAP_SYS_ADMIN − CAP_NET_ADMIN − CAP_NET_BIND_SERVICE − CAP_CHOWN − ... 25 Linux Capabilities http://man7.org/linux/man-pages/man7/capabilities.7.html $ man capabilities $ docker run --cap-drop=ALL --cap-add=NET_BIND_SERVICE
  • 26.
    ▪ Restrict SystemCalls − Secure Computation Mode (seccomp) − Google gVisor 26 ▪ Linux Kernel Security Modules (MAC) − AppArmor − Security-Enhanced Linux (SELinux) Linux Mandatory AccessControl & System Calls https://docs.docker.com/engine/security/seccomp https://apparmor.net https://en.wikipedia.org/wiki/Security-Enhanced_Linux https://gvisor.dev/docs
  • 27.
    Docker Images Linux Host ... cgroups namespaces BaseImage (Alpine, …) Dockerfile Application Container Image Base Image (Alpine, …) Dockerfile Application Container Image Container Registry docker run 27
  • 28.
    USERdirective in Dockerfile SayNo To Root (1) FROM openjdk:11-jre-slim COPY hello-spring-kubernetes-1.0.0-SNAPSHOT.jar app.jar EXPOSE 8080 RUN addgroup --system --gid 1002 app && adduser --system --uid 1002 --gid 1002 appuser USER 1002 ENTRYPOINT java -jar /app.jar https://opensource.com/article/18/3/just-say-no-root-containers 28
  • 29.
    Use JIB andDistroless Images 29 Say No To Root (2) https://github.com/GoogleContainerTools/jib plugins { id 'com.google.cloud.tools.jib' version '...' } jib { container { user = 1002 } }
  • 30.
    Container Image Security Dockerfile Application ContainerRegistry Container Image Base Image (Alpine, …) Image Security Scanner Vulnerable 3rd party dependencies OSvulnerabilities OSvulnerabilities 30 https://anchore.com/opensource/ https://github.com/coreos/clair https://github.com/aquasecurity/trivy https://www.docker.com/blog/announcing-scanning-from-snyk-for-docker
  • 31.
  • 32.
    Iteration 2: ContainerSecurity https://github.com/andifalk/secure-development-on-kubernetes Live Demo: Show me thecode 32
  • 33.
    ▪ Learn Linux(Security) Basics ▪ Load Images from Trusted RegistriesOnly ▪ Scan Images for Vulnerabilities (inCI/CD Pipeline) ▪ Say No To Root & Run with --security-opt=no-new-privileges ▪ Do NOT hardcode Secrets into a ContainerImage ▪ Limit resources (memory, CPU,processes, ...) ▪ Use Linux Security Module (seccomp, AppArmor,SELinux) 33 Container Security 101 https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html https://docs.docker.com/engine/security https://blog.aquasec.com/docker-security-best-practices https://blog.aquasec.com/devsecops-with-trivy-github-actions
  • 34.
    The Path forSecure Development on K8s Application Security Security Security Container Kubernetes Kubernetes Secrets 34
  • 35.
    Kubernetes Basics Ingress ServiceDeployment Replica Set Pod Pod Pod https://kubernetes.io/docs/concepts https://www.aquasec.com/wiki/display/containers/70+Best+Kube rnetes+Tutorials 35
  • 36.
    36 Source: Kubernetes Security, O’Reilly,2018 Kubernetes attack vectors
  • 37.
    Operational / DevelopmentKubernetes Security 37 https://kubernetes.io/docs/concepts/security/overview/#the-4c-s-of-cloud-native-security https://learnk8s.io/production-best-practices/ K8s Development Security TLS Auth Authz Master Node API Server Scheduler Etcd Controller Manager TLS Auth Authz Worker Node Kubelet Container Runtime Kube Proxy K8s Operational Security
  • 38.
    Kubernetes Security Kubernetes Auditing NetworkPolicies Role BasedAccess Control (RBAC) Resource Limits Pod Security Context Pod Security Policy Open Policy Agent
  • 39.
  • 40.
    Pod/Container Security Context spec: securityContext: runAsNonRoot:true containers: securityContext: allowPrivilegeEscalation: false privileged: false runAsNonRoot: true readOnlyRootFilesystem: true capabilities: drop: - ALL https://kubernetes.io/docs/tasks/configure-pod-container/security-context 40
  • 41.
    Pod Security Policy(Still In Beta!) apiVersion: policy/v1beta1 kind: PodSecurityPolicy metadata: name: no-root-policy spec: privileged: false allowPrivilegeEscalation: false requiredDropCapabilities: - ALL runAsUser: rule: 'MustRunAsNonRoot' ... https://kubernetes.io/docs/concepts/policy/pod-security-policy 41
  • 42.
    Kubernetes Role BasedAccessControl (RBAC) ClusterRole ClusterRoleBinding Role RoleBinding SubjectAPI Groups Resources Verbs Cluster-Wide 42 Namespace - User - Group - ServiceAccount https://kubernetes.io/docs/reference/access-authn-authz/rbac/
  • 43.
    Kubernetes Role BasedAccessControl (RBAC) 43 https://kubernetes.io/docs/reference/access-authn-authz/rbac/ apiGroups extensions, apps, policy, ... resources pods, deployments, configmaps, secrets,nodes, services, endpoints, podsecuritypolicies, ... verbs get, list, watch, create, update, patch, delete, use,...
  • 44.
  • 45.
    Open Policy Agent-Kubernetes Gatekeeper 45 https://github.com/open-policy-agent/gatekeeper
  • 46.
    Helm 3 IsHere! 46 https://v3.helm.sh https://helm.sh/docs/faq/#removal-of-tiller
  • 47.
    Iteration 3: KubernetesSecurity https://github.com/andifalk/secure-development-on-kubernetes Live Demo: Show me thecode 47
  • 48.
    ▪ Follow ContainerSecurity 101 ▪ Use a Managed Kubernetes Cluster ▪ Enable Audit Logs ▪ Enforce Authentication & Role Based Access Control ▪ Use Pod Security Policies / Open Policy Agent ▪ Upgrade to Helm Version 3.x(Remove Tiller) ▪ Monitor your Kubernetes Cluster 48 Kubernetes Security 101 https://cheatsheetseries.owasp.org https://owasp.org/www-project-top-ten https://owasp.org/www-project-proactive-controls
  • 49.
    The Path forSecure Development on K8s Application Security Container Security Security Kubernetes Kubernetes Secrets 49
  • 50.
  • 51.
    Kubernetes Secrets 51 https://kubernetes.io/docs/concepts/configuration/secret apiVersion: v1 kind:Secret metadata: name: hello-spring-cloud-kubernetes namespace: default type: Opaque data: user.username: dXNlcg== user.password: azhzX3VzZXI= admin.username: YWRtaW4= admin.password: azhzX2FkbWlu
  • 52.
    ▪ Encrypt SecretData at Rest & inTransit − Only Base64 encoded by default inEtcd! ▪ Restrict interactions with secretsAPI (RBAC) ▪ Mount secrets instead of ENV Mapping 52 Kubernetes Secrets - BestPractices https://kubernetes.io/docs/concepts/configuration/secret/#best-practices https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data
  • 53.
  • 54.
    Envelope Encryption OnKubernetes 54 https://cloud.google.com/kms/docs/envelope-encryption https://kubernetes.io/docs/tasks/administer-cluster/kms-provider
  • 55.
    Key Management System(KMS)Providers ▪ Azure Key Vault ▪ Google Cloud KMS ▪ AWS KMS ▪ Hashicorp Vault ▪ ... https://github.com/Azure/kubernetes-kms https://github.com/Azure/kubernetes-keyvault-flexvol https://cloud.google.com/kms https://aws.amazon.com/de/kms https://learn.hashicorp.com/vault/kubernetes/external-vault 55
  • 56.
    What about Secretsin 56 ▪Sealed Secrets ▪ Helm Secrets ▪ Kamus ▪ Sops ▪ Hashicorp Vault https://learnk8s.io/kubernetes-secrets-in-git https://github.com/bitnami-labs/sealed-secrets https://github.com/futuresimple/helm-secrets https://github.com/Soluto/kamus https://github.com/mozilla/sops https://www.vaultproject.io
  • 57.
  • 58.
    ▪ Kubernetes isComplex - CheckAlternatives! ▪ Follow Application Security 101 ▪ Follow Container & Kubernetes Security 101 ▪ Ensure your secrets are encrypted inK8s ▪ Never store secrets in Source Control(Git, …) ▪ Check out the Demos: https://github.com/andifalk/secure-development-on-kubernetes 58 Summary / KeyInsights
  • 59.
  • 60.
    ▪ Kubernetes Security,O’Reilly, 2018, ISBN: 978-1-492-04600-4 ▪ Container Security, O’Reilly, 2020, ISBN: 978-1492056706 ▪ https://github.com/andifalk/secure-development-on-kubernetes ▪ Crafty Requests: Deep Dive Into Kubernetes CVE-2018-1002105 - Ian Coldwater(Video) ▪ Ship of Fools: Shoring Up Kubernetes Security - Ian Coldwater(Video) ▪ https://kubernetes.io/docs/concepts/security/overview/#the-4c-s-of-cloud-native-security ▪ https://kubernetes.io/docs/tasks/administer-cluster/securing-a-cluster ▪ https://opensource.com/article/18/3/just-say-no-root-containers ▪ https://github.com/GoogleContainerTools/jib ▪ https://anchore.com/opensource/ ▪ https://github.com/coreos/clair ▪ https://github.com/aquasecurity/trivy ▪ https://www.owasp.org/index.php/OWASP_Docker_Top_10 60 Books and Online References(1)
  • 61.
    ▪ https://kubernetes.io/docs/tasks/configure-pod-container/assign-cpu-resource ▪ https://kubernetes.io/docs/tasks/configure-pod-container/assign-memory-resource ▪https://kubernetes.io/docs/tasks/configure-pod-container/security-context ▪ https://kubernetes.io/docs/concepts/policy/pod-security-policy ▪ https://kubernetes.io/docs/reference/access-authn-authz/rbac/ ▪ https://kubernetes.io/docs/concepts/configuration/secret ▪ https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data ▪ https://cloud.google.com/kms/docs/envelope-encryption ▪ https://kubernetes.io/docs/tasks/administer-cluster/kms-provider ▪ https://github.com/Azure/kubernetes-kms ▪ https://cloud.google.com/kms ▪ https://aws.amazon.com/de/kms 61 Books and Online References(2)
  • 62.
    Andreas Falk 62 Managing Consultant Mobil:+49 151 46146778 E-Mail: andreas.falk@novatec-gmbh.de Novatec Consulting GmbH Dieselstraße 18/1 D-70771 Leinfelden-Echterdingen T. +49 711 22040-700 info@novatec-gmbh.de www.novatec-gmbh.de