"Secure development on Kubernetes"
With the rise of Kubernetes, the Java developer has arrived in the DevOps age as well. By the multitude of complex tasks, the necessary security is often neglected. Even in managed clusters of well-known cloud providers, there are many traps and points of attack lurking.
In this presentation, essential security-critical components of a Kubernetes cluster will be presented. Security problems and corresponding measures to mitigate these will be shown. All steps are described using live demos with an exemplary Spring Boot Java application, that is deployed as a docker container in a Kubernetes cluster, taking into account recommended security patterns.
Speaker:
Andreas Falk, Novatec Consulting
Talk language: English
About the Speaker:
*********************
Andreas Falk has been working in enterprise application development projects for more than twenty years. Currently, he is working as a managing consultant for Novatec Consulting located in Germany.
In various projects, he has since been around as consultant, architect, coach, developer, and tester. His focus is on the agile development of cloud-native enterprise java applications using the complete Spring platform. As a member of the Open Web Application Security Project (OWASP), he likes to have a closer look at all aspects of application security as well. Andreas is also a frequent speaker at conferences like Spring I/O, CloudFoundry Summit, Devoxx, and OWASP AppSec.
9. Open ETCD Portsin Kubernetes (2)
9
$ etcdctl --endpoints=http://xx.xx.xx.xx:2379
cluster-health
member b97ee4034db41d17 is healthy: got healthy
result
from http://xx.xx.xx.xx:2379
cluster is healthy
https://github.com/etcd-io/etcd/releases
17. Iteration 1: Application Security
https://github.com/andifalk/secure-development-on-kubernetes
Live Demo: Show me thecode
17
18. ▪ Input Validation for ALL types of input
▪ Output Encoding to preventXSS
▪ Use only Parameterized Queries/Prepared Statements
▪ Enforce Authentication &Authorization
▪ Never implement your own Crypto orSession-Management
▪ Check 3rd Party Dependencies for Vulnerabilities
▪ Use Static & Dynamic Application SecurityTesting
18
Application Security 101
https://cheatsheetseries.owasp.org
https://owasp.org/www-project-top-ten
https://owasp.org/www-project-proactive-controls
19. The Path for Secure Development on K8s
Application
Security
Container
Security
Kubernetes
Security
Kubernetes
Secrets
19
21. Virtual Machine (VM) Basics
Physical Hardware
Hypervisor (VMM)
Guest OS Guest OS
Guest Apps Guest Apps
Physical Hardware
Host OS
Guest OS Guest OS
Guest Apps Guest Apps
VMM
Type 1 Virtual MachineMonitor Type 2 Virtual MachineMonitor
ESXi
Workstation
21
22. Container (Security) Basics
Linux Namespaces
Control Groups (cgroups)
Capabilities
Mandatory Access Control
Secure Computing Mode
Secrets Management
Container
Linux Namespaces
Control Groups (cgroups)
Capabilities
Mandatory Access Control
Secure Computing Mode
Secrets Management
Container
LXD
Linux Host (LinuxKernel)
22
23. ▪ Process IDs
▪ Network
▪ Mount Points
▪ Inter-Process Communications (IPC)
▪ User & Group IDs
▪ Unix Timesharing System (UTS): hostname & domainnames
▪ Control groups (cgroups)
23
Linux Kernel Namespaces
$ man namespaces
$ sudo lsns
24. Linux Control Groups (cgroups)
▪ Resource Limits
− CPU
− Memory
− Devices
− Processes
− Network
24
For Java this only works with container aware
JDK versions as of OpenJDK 8u192 or above
Recommendation: Use Java 11
25. ▪ Break up privileges into smallerunits
− CAP_SYS_ADMIN
− CAP_NET_ADMIN
− CAP_NET_BIND_SERVICE
− CAP_CHOWN
− ...
25
Linux Capabilities
http://man7.org/linux/man-pages/man7/capabilities.7.html
$ man capabilities
$ docker run --cap-drop=ALL --cap-add=NET_BIND_SERVICE
26. ▪ Restrict System Calls
− Secure Computation Mode (seccomp)
− Google gVisor
26
▪ Linux Kernel Security Modules (MAC)
− AppArmor
− Security-Enhanced Linux (SELinux)
Linux Mandatory AccessControl & System Calls
https://docs.docker.com/engine/security/seccomp
https://apparmor.net
https://en.wikipedia.org/wiki/Security-Enhanced_Linux
https://gvisor.dev/docs
28. USERdirective in Dockerfile
Say No To Root (1)
FROM openjdk:11-jre-slim
COPY hello-spring-kubernetes-1.0.0-SNAPSHOT.jar app.jar
EXPOSE 8080
RUN addgroup --system --gid 1002 app && adduser
--system --uid 1002 --gid 1002 appuser
USER 1002
ENTRYPOINT java -jar /app.jar
https://opensource.com/article/18/3/just-say-no-root-containers
28
29. Use JIB and Distroless Images
29
Say No To Root (2)
https://github.com/GoogleContainerTools/jib
plugins {
id 'com.google.cloud.tools.jib' version '...'
}
jib {
container {
user = 1002
}
}
32. Iteration 2: Container Security
https://github.com/andifalk/secure-development-on-kubernetes
Live Demo: Show me thecode
32
33. ▪ Learn Linux (Security) Basics
▪ Load Images from Trusted RegistriesOnly
▪ Scan Images for Vulnerabilities (inCI/CD Pipeline)
▪ Say No To Root & Run with --security-opt=no-new-privileges
▪ Do NOT hardcode Secrets into a ContainerImage
▪ Limit resources (memory, CPU,processes, ...)
▪ Use Linux Security Module (seccomp, AppArmor,SELinux)
33
Container Security 101
https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html
https://docs.docker.com/engine/security
https://blog.aquasec.com/docker-security-best-practices
https://blog.aquasec.com/devsecops-with-trivy-github-actions
34. The Path for Secure Development on K8s
Application
Security Security
Security
Container Kubernetes Kubernetes
Secrets
34
35. Kubernetes Basics
Ingress Service Deployment Replica Set
Pod
Pod
Pod
https://kubernetes.io/docs/concepts
https://www.aquasec.com/wiki/display/containers/70+Best+Kube
rnetes+Tutorials
35
41. Pod Security Policy (Still In Beta!)
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
name: no-root-policy
spec:
privileged: false
allowPrivilegeEscalation: false
requiredDropCapabilities:
- ALL
runAsUser:
rule: 'MustRunAsNonRoot'
...
https://kubernetes.io/docs/concepts/policy/pod-security-policy
41
42. Kubernetes Role Based AccessControl (RBAC)
ClusterRole ClusterRoleBinding
Role RoleBinding
SubjectAPI Groups
Resources
Verbs
Cluster-Wide
42
Namespace
- User
- Group
- ServiceAccount
https://kubernetes.io/docs/reference/access-authn-authz/rbac/
45. Open Policy Agent -Kubernetes Gatekeeper
45
https://github.com/open-policy-agent/gatekeeper
46. Helm 3 Is Here!
46
https://v3.helm.sh
https://helm.sh/docs/faq/#removal-of-tiller
47. Iteration 3: Kubernetes Security
https://github.com/andifalk/secure-development-on-kubernetes
Live Demo: Show me thecode
47
48. ▪ Follow Container Security 101
▪ Use a Managed Kubernetes Cluster
▪ Enable Audit Logs
▪ Enforce Authentication & Role Based Access Control
▪ Use Pod Security Policies / Open Policy Agent
▪ Upgrade to Helm Version 3.x(Remove Tiller)
▪ Monitor your Kubernetes Cluster
48
Kubernetes Security 101
https://cheatsheetseries.owasp.org
https://owasp.org/www-project-top-ten
https://owasp.org/www-project-proactive-controls
49. The Path for Secure Development on K8s
Application
Security
Container
Security Security
Kubernetes
Kubernetes
Secrets
49