This document summarizes steps for securing an NGINX deployment on Kubernetes. It begins by outlining the challenge of securing a website hosted on NGINX without vulnerabilities. The plan is then described in three steps: 1) Use NGINX and get example code, 2) Wrap the code in a Kubernetes Deployment, and 3) Check for security issues using Checkov. Key aspects of securing the deployment discussed are applying the principle of least privilege through profiles, capabilities, and users, ensuring immutability with read-only filesystems and unmounting service account tokens, and increasing resilience with liveness/readiness probes and resource limits. The importance of using secure defaults, open source scanning tools, and an overall Dev
5. The Challenge
● NEED WEBSITE FOR TWITCH SHOW
● HOST ON RASPBERRY PI
● CREATED WITH HUGO
● USE NGINX
TRY NOT TO LOOK LIKE A TOTAL IDIOT WORKING FOR AN IAC SECURITY COMPANY BY DEPLOYING AN NGINX WEBSITE FOR A TWITCH SHOW ABOUT CLOUD NATIVE SECURITY THAT DOESN'T PASS OUR CHECKOV YAML SCAN
6. ● A01:2021-Broken Access Control
● A02:2021-Cryptographic Failures
● A03:2021-Injection
● A04:2021-Insecure Design
● A05:2021-Security Misconfiguration
● A06:2021-Vulnerable and Outdated Components
● A07:2021-Identification and Authentication Failures
● A08:2021-Software and Data Integrity Failures
● A09:2021-Security Logging and Monitoring Failures
● A10:2021-Server-Side Request Forgery
Coding issues like input sanitization have been replaced by misconfigurations and dependency (supply chain) risks.
7. The Problem
Defaults are bad!
Misconfigurations are bad!
● Unintended behaviour
● Outage
● Data Breach
● Lateral movement
● Supply Chain Compromise
● PII Exposure
Security best practices are important!
8. IF COMPROMISED
● The NGINX default image has…
○ NSENTER
○ CURL
○ APT
○ And much much more!!
● The NGINX image can...
○ Enumerate the network
○ Breakout to the host
■ e.g. CVE-2021-22555
○ Serve malicious content
12. Step 2 - Wrap it in a K8s Deployment
● Get the code (from somebody else)
○ SEARCH GOOGLE/DUCKDUCKGO?
● Go to the source (kubernetes.io)
13. Step 3 - Check it is secure
● Checkov
○ DEPLOYMENT
■ Are my defaults secure and what happens when they are not?
○ IMAGE
■ Can I use the default image or should I make changes?
15. What does secure mean
● CIA
○ Confidentiality
■ Least Privilege
○ Integrity
■ Immutability
○ Availability
■ Resilience
16. What is Checkov?
Open source (Apache 2.0) misconfiguration scanner for IaC, intended to be used in CI/CD pipelines
1. 1000+ built-in checks
2. Supports extensions
3. Built-in best practices and security
17. What is Checkov
● Open source
● Analyze infrastructure as code (IaC)
● Terraform, CloudFormation, Kubernetes, Helm, ARM Templates and Serverless framework
● > 500 rules
● VSCode Plugin
● Optional config file
○ .checkov.yaml
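The slide only names the optional config file. As an added illustration (not from the deck or the Checkov project), here is a minimal .checkov.yaml for scanning the Kubernetes manifests of this kind of site in CI. The keys mirror Checkov's command-line flags (directory, framework, output, compact, quiet, soft-fail); the k8s/ folder name is an assumption about the repository layout.

```yaml
# Added example .checkov.yaml (not from the slides). Keys mirror Checkov CLI flags.
# Place it in the repository root or pass it with --config-file.
directory:
  - k8s/                 # assumption: the folder holding the Deployment manifests
framework:
  - kubernetes           # run only the Kubernetes policies for this scan
output: cli              # human-readable CLI report; CI systems may prefer junitxml
compact: true            # do not echo the resource YAML for passing checks
quiet: true              # print failed checks only
soft-fail: false         # non-zero exit on failures so the pipeline stops
```

With soft-fail left at false, a Deployment that still runs as root or lacks probes fails the pipeline stage rather than just printing a warning; suppressing an individual policy for a justified exception is done with skip-check, which is deliberately left out here so nothing is silenced by default.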
19. Add Seccomp Profile
● Disables > 44 system calls
○ Expelliarmus
● Eg.
○ Mount (host filesystems)
○ Ptrace (watch everything)
○ Reboot (the host!)
○ Setns (change Linux namespace)
○ Quotactl (mess with cpu limits)
● Default defence in depth
○ Many of these overlap with blocking CAP_SYS_ADMIN
20. Set allowPrivilegeEscalation to false
● Prevents setuid binaries from changing the effective user ID
○ Blocks enabling of extra capabilities
○ Even blocks the use of ping.
21. Do not run as root (the default)
● Seems obvious but
● Assign a UID and GID > 10000 to avoid conflict
I am root!
28. Liveness/Readiness Probes
● Let Kubernetes know you're there and it will keep you alive and kicking
Can be difficult to come up with methods to determine a ready and live state. Not the case for NGINX however.
29. CPU / Memory Requests and Limits
● Prevents self induced DoS
● Ensures weighted scheduling of pods
● Limits losses from crypto-mining attacks
Can be difficult to determine up front but defaults can be quickly derived from the K8s metrics server.
MORE POWER!
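Slides 19 to 21 (seccomp, allowPrivilegeEscalation, non-root) and slides 28 and 29 (probes, requests and limits), together with the read-only filesystem and service account token items from the summary, are all settings on one Kubernetes Deployment. The manifest below is an added example written for this page, not the deck's own YAML. It assumes the nginxinc/nginx-unprivileged image (which listens on 8080 and keeps its pid file and temp paths under /tmp, so it runs with a read-only root filesystem and an arbitrary high UID), a cluster on Kubernetes 1.19 or later for the pod-level seccompProfile field, and that the generated Hugo output would be baked into a derived image; the name hugo-site and the request/limit numbers are placeholders to be tuned from the metrics server as the slide suggests.

```yaml
# Added example (not from the slides): NGINX Deployment hardened along the
# lines the deck describes. Assumed values are marked inline.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: hugo-site                     # assumption: placeholder name
  labels:
    app: hugo-site
spec:
  replicas: 2
  selector:
    matchLabels:
      app: hugo-site
  template:
    metadata:
      labels:
        app: hugo-site
    spec:
      # Immutability: a static site never calls the API server, so never mount a token.
      automountServiceAccountToken: false
      securityContext:
        # Slide 19: seccomp. RuntimeDefault applies the container runtime's default
        # profile, which blocks mount, ptrace, reboot, setns, quotactl and others.
        seccompProfile:
          type: RuntimeDefault
        # Slide 21: do not run as root; UID/GID above 10000 avoids host user collisions.
        runAsNonRoot: true
        runAsUser: 10001
        runAsGroup: 10001
      containers:
        - name: nginx
          # Assumption: unprivileged upstream image; pin @sha256:<digest> in production.
          image: nginxinc/nginx-unprivileged:stable-alpine
          ports:
            - containerPort: 8080     # unprivileged port, no CAP_NET_BIND_SERVICE needed
              name: http
          securityContext:
            # Slide 20: no setuid escalation (sets no_new_privs on the process).
            allowPrivilegeEscalation: false
            privileged: false
            # Immutability: root filesystem read-only; only /tmp is writable (emptyDir).
            readOnlyRootFilesystem: true
            capabilities:
              drop: ["ALL"]           # nothing in the image needs any capability
          volumeMounts:
            - name: tmp
              mountPath: /tmp         # pid file and temp paths of the unprivileged image
          # Slide 28: NGINX answers HTTP, so an HTTP GET on / is a good live/ready signal.
          livenessProbe:
            httpGet:
              path: /
              port: http
            initialDelaySeconds: 5
            periodSeconds: 10
          readinessProbe:
            httpGet:
              path: /
              port: http
            periodSeconds: 5
          # Slide 29: requests give weighted scheduling, limits cap self-inflicted DoS
          # and the damage from a crypto-miner. Placeholder values; derive real ones
          # from the metrics server.
          resources:
            requests:
              cpu: 50m
              memory: 32Mi
            limits:
              cpu: 250m
              memory: 128Mi
      volumes:
        - name: tmp
          emptyDir: {}
```

Apply it with kubectl apply -f, then run Checkov over the same file before and after removing any one of these fields to see which check each setting satisfies. The emptyDir on /tmp is what makes readOnlyRootFilesystem workable: without a writable temp path the unprivileged image cannot write its pid file and the probes never succeed, which is the kind of "what happens when the defaults are not secure" question slide 13 raises.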
30. Key Takeaways
● Finding Secure Examples Is Difficult
● Basic Best Practices Can Be Easy
● Tools are Available To Help
● Many Defaults Aren’t Secure
Checkov: https://www.checkov.io/
Our blog: https://bridgecrew.io/blog
Thanks!
[Diagram: Deployments, Services, Jobs, Defaults. Our battered pod comes from a secure supply chain.]
32. Survey Form
We hope you’ve found our session beneficial.
Please help us in answering a short 5 questions survey.
A small INR200,000 Grab thank you token awaits.
https://forms.gle/bGzk2ntgCmuHCuRg7
Please scan the QR code or use the clickable link in the chat box
33. Stay Connected With Us!
t.me/iddevops
DevOps Indonesia
@iddevops