Securing your Kubernetes cluster:
Your step-by-step guide to success!
25/04/2024
Katia HIMEUR
Who am I?
• 🪪 Katia HIMEUR
• 💻 Computer scientist
• ☁ CTO & co-founder of Cockpit io, cloud & DevOps specialist
• SRE/Cloud/DevOps consultant for several years
❤ #Cloud #DevOps #Containers #Serverless #GitOps #IaC #CICD ❤
Securing your Kubernetes cluster: a step-by-step guide to success! 3 25/04/2024
Introduction
Kubernetes, the leading container orchestrator
Source : https://marketsnresearch.com/report/1649/global-kubernetes-market
The new cloud OS
Source : https://www.dynatrace.com/news/blog/kubernetes-in-the-wild-2023/
Attackers on the lookout
Security is not always a priority
Why is it important to secure your cluster?
K8s's popularity increases attacker interest
Flexibility ⥤ Complexity ⥤ Errors
Kubernetes is extremely flexible ⥤ its flexibility leads to complex configurations ⥤ complexity can lead to configuration errors ⥤ configuration errors are a security risk
Extended attack surface
https://kubernetes.io/docs/concepts/overview/components/
Scalability and resilience can be a vector for vulnerability propagation
Company background
Need:
● Compliance with specific standards and regulations
● Protect sensitive and critical applications and infrastructure
● Secure the sensitive data that may pass through
Community and ecosystem support
● Strong focus on security
● Continuous improvement and disclosure of vulnerabilities
● Goals:
○ Share security best practices
○ Encourage corrective action
○ Stay ahead of potential threats
What will we see during this talk?
● Understand the different types of attackers and attack vectors
● A non-exhaustive list of concrete actions you can take to secure your cluster
● Focus on managed Kubernetes clusters
● The tools mentioned are listed for information only, not as recommendations
Attacker types
● External attackers
● Internal attackers
● Compromised users
● Compromised containers
Main attack vectors
● Insecure API server
● Misconfigured access controls
● Compromised containers
● Exposed dashboards
● Incorrect network configuration
● Compromised nodes
● Compromised secrets
● Supply chain (dependencies...)
● …
API server focus
● Critical cluster component
● Gateway for all external and internal communications
● Manages:
○ Authentication and authorization
○ Data validation and storage in etcd
○ Orchestration and resource management
○ Scalability and performance
How do you secure your Kubernetes cluster?
Zero trust architecture
● Approach to designing and implementing IT systems in which implicit trust is eliminated
● Never trust, always verify
Zero trust architecture
Source : https://blog.cockpitio.com/cloud/approche-zero-trust-dans-le-cloud/
Limiting API Server exposure
How to limit API server exposure?
● Restrict access to the API server
● Encrypt all flows to and from the API server
Options on managed clusters:
● Private clusters
● Security groups
● Endpoint access control
● Network ACLs
Authentication
Authentication
● Use a strong authentication mechanism to control access to Kubernetes
● Use an SSO portal to connect to your clusters (OAuth2, OpenID Connect or LDAP)
● Enable multi-factor authentication
Using RBAC
● What is it?
○ RBAC: Role-Based Access Control
○ Resource access control based on user roles and service accounts
○ Defines who can do what
● Good practice
○ Apply the principle of least privilege to users and service accounts
Example of an RBAC role
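The slide's own example was an image; the manifest below is an added example, not taken from the deck, of a least-privilege Role and RoleBinding. The namespace `team-a`, the role name `pod-reader` and the ServiceAccount `log-viewer` are placeholders chosen for the illustration.

```yaml
# Added example (not from the slides): read-only access to Pods and their
# logs in ONE namespace. Namespace, role and subject names are placeholders.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: pod-reader            # placeholder name
  namespace: team-a           # placeholder namespace: a Role never spans namespaces
rules:
  # Only read verbs; no create/delete, no pods/exec, no cluster-wide resources.
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["pods/log"]
    verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: pod-reader-binding
  namespace: team-a
subjects:
  # Bind a dedicated ServiceAccount rather than "default", so the permission
  # set is explicit and easy to audit.
  - kind: ServiceAccount
    name: log-viewer          # placeholder ServiceAccount
    namespace: team-a
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io
```

To check the result without a real client, impersonate the ServiceAccount: `kubectl auth can-i list pods -n team-a --as=system:serviceaccount:team-a:log-viewer` should answer `yes`, while the same command with `delete pods` or `create pods/exec` should answer `no`.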
Pod Security Admission
Pod Security Standards Policies
Privileged
● No restrictions
● Privilege escalation possible
Baseline
● Minimally restrictive policy
● Prevents the most common privilege escalations
Restricted
● Very restrictive policy
● Follows current pod hardening best practices
Pod Security Admission
● Kubernetes-native admission controller that enforces the Pod Security Standards policies
● Pod security restrictions are applied at the namespace level
● Enabled by default in recent versions of Kubernetes
Apply a security policy
Alternatives
Using network policies
Network status report
● Default: pods are not isolated; all traffic flows are allowed (ingress and egress)
● Best practice: restrict pod-to-pod communication to the strict minimum
What are network policies?
● Let you define how pods are allowed to communicate with:
○ Other pods
○ Other namespaces
○ IP blocks
Example of a policy that prohibits all outbound flow
Alternatives
Network policies: security, network, observability, performance
Securing your secrets
Secrets... Not very secret 😱
● A Kubernetes Secret is an object used to store sensitive data (passwords, tokens, SSH keys, etc.)
● By default:
○ No encryption
○ Stored unencrypted in etcd
○ The value is merely Base64-encoded
Securing your secrets
● Use RBAC to restrict access to Secrets
● Rotate secrets
● Audit access to secrets
● Regularly review and update access policies
● Prevent secrets from ending up in logs
● Don't hard-code secrets
● Gitleaks
● Enable encryption at rest
● Mount secrets as volumes 👍
● Exposing them as environment variables 👎
● ServiceAccount secrets can only be mounted on specific resource types.
Use external secret management tools
● AWS Secrets Manager
● Azure Key Vault
● Google Cloud Secret Manager
Securing your secrets
● The Secrets Store CSI Driver enables integration of external secrets
managers with Kubernetes
● Integration is via a CSI (Container Storage Interface) volume.
● This driver allows you to mount several secrets, keys, certificates, etc.
stored in these external secret managers.
● Once the volume has been attached, the data is mounted in the
container's file system.
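As an added example covering both the "mount secrets as volumes, not environment variables" advice and the Secrets Store CSI Driver description above (not a manifest from the deck), here is a SecretProviderClass for the AWS provider and a Pod that mounts it. The namespace, ServiceAccount, image and the secret name `prod/payments/db` are placeholders, and the AWS provider is assumed to be installed next to the driver.

```yaml
# Added example (not from the slides). Names and the cloud secret are
# placeholders; the Secrets Store CSI Driver and its AWS provider are assumed
# to be installed in the cluster.
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: db-credentials
  namespace: payments
spec:
  provider: aws
  parameters:
    objects: |
      - objectName: "prod/payments/db"   # placeholder secret in AWS Secrets Manager
        objectType: "secretsmanager"
        objectAlias: "db-password"       # file name inside the mounted volume
---
apiVersion: v1
kind: Pod
metadata:
  name: api
  namespace: payments
spec:
  # The provider fetches the secret with this ServiceAccount's cloud identity,
  # so access is controlled in the cloud IAM, not by a Kubernetes Secret.
  serviceAccountName: payments-api
  containers:
    - name: api
      image: registry.example.com/payments/api:1.4.2
      volumeMounts:
        - name: secrets
          mountPath: /mnt/secrets
          readOnly: true
      # Deliberately no "env: - valueFrom: secretKeyRef": the application reads
      # /mnt/secrets/db-password from the file system. Environment variables
      # are inherited by every child process and tend to leak into crash
      # dumps and debug endpoints; a file mounted read-only does not.
  volumes:
    - name: secrets
      csi:
        driver: secrets-store.csi.k8s.io
        readOnly: true
        volumeAttributes:
          secretProviderClass: db-credentials
```

Once the Pod is running, `kubectl exec -n payments api -- ls /mnt/secrets` shows the `db-password` file, and no Kubernetes Secret object is created unless you opt in to syncing, so nothing lands unencrypted in etcd.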
Audit logging
Audit logging
● Record every request made to the API server
● Analyze logs to detect suspicious and unusual activity
● Use security tools to analyze and react to logs in real time
● Define audit policies to fine-tune which events are recorded
Example of an audit policy
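The deck showed its audit policy as an image; the policy below is an added example, not the deck's own. Rules are evaluated in order and the first match wins, so the specific rules come before the catch-all. On a managed cluster the provider usually owns this file; on a self-managed control plane it is passed to kube-apiserver with `--audit-policy-file`.

```yaml
# Added example (not from the slides): an audit policy that keeps what an
# investigator needs and drops what only costs storage.
apiVersion: audit.k8s.io/v1
kind: Policy
# Skip the RequestReceived stage for all rules: the ResponseComplete stage
# already carries the outcome, so logging both doubles the volume.
omitStages:
  - RequestReceived
rules:
  # Secrets and tokens: record THAT they were read, never the body.
  - level: Metadata
    resources:
      - group: ""
        resources: ["secrets", "configmaps", "serviceaccounts/token"]
  # RBAC changes are rare and security-critical: keep request and response.
  - level: RequestResponse
    resources:
      - group: "rbac.authorization.k8s.io"
        resources: ["roles", "rolebindings", "clusterroles", "clusterrolebindings"]
  # Writes and interactive access to workloads: keep the request body.
  - level: Request
    verbs: ["create", "update", "patch", "delete"]
    resources:
      - group: ""
        resources: ["pods", "pods/exec", "pods/attach", "pods/portforward"]
  # Noisy, low-value watches by a system component: drop entirely.
  - level: None
    users: ["system:kube-proxy"]
    verbs: ["watch"]
    resources:
      - group: ""
        resources: ["endpoints", "services"]
  # Everything else: who did what to which resource, without bodies.
  - level: Metadata
```

The `pods/exec` rule is the one most worth having: an `exec` into a running container shows up as a `create` on the `pods/exec` subresource, which is a strong signal in the "compromised users" scenario from the attacker types slide.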
Update and patch management
Update and patch management
● Apply updates and security patches quickly, automatically if possible, to:
○ Kubernetes clusters
○ All components deployed on the clusters
○ Nodes
● Use tools that scan all Kubernetes cluster components, including images
● Follow operating system best practices
Securing containers
Securing containers
● Use only trusted images
● Reduce image size to reduce attack surface
● Use immutable containers to avoid runtime changes
● Scan your container images, both before and after deployment
● Sign your container images
● Protect your containers with tools that react to the detection of abnormal events
Admission controllers
Admission controllers
● Controllers that intercept requests to the API server before objects are persisted in the etcd database
● Two types of controller:
○ Validating admission controller: validates or rejects requests
○ Mutating admission controller: modifies the requests it accepts
Configuration example
This admission controller prevents the API server from being overloaded with requests by applying rate limiting.
Service mesh
What is a service mesh?
● Dedicated infrastructure layer added alongside applications
● Designates both the tooling and the network domain it creates
● Allows us to:
○ Understand traffic
○ Make decisions based on traffic type or origin
○ Reduce the complexity of network management in a microservice context
Service mesh functionalities
● Observability
● Traffic management
● Security
● A/B testing
● Canary deployment
● Rate limiting
● Access control
● Encryption (including mTLS)
● End-to-end authentication
● Service discovery
Some service meshes
Container-specific operating systems for Kubernetes
● Operating systems optimized for running containers and Kubernetes
● Minimize the attack surface
● Increase cluster security
● Based on read-only systems
● Examples: Talos Linux, Elemental
Requests & limits
● Best practices
○ Set memory requests lower than or equal to limits
○ Limit CPU on sensitive workloads
● Why?
○ Restrict resources used by pods on nodes
○ Avoid the effects of a denial-of-service attack
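As an added example (not from the deck) of the two practices above and of the "why", here is a namespace-level ResourceQuota and LimitRange, plus a Pod that sets its memory request equal to its limit and caps CPU. The namespace `payments`, the image and all the numbers are placeholders.

```yaml
# Added example (not from the slides). Namespace, image and figures are
# placeholders.
# 1) Namespace ceiling: one team cannot consume the whole node pool, so a
#    runaway or malicious workload cannot starve every other namespace.
apiVersion: v1
kind: ResourceQuota
metadata:
  name: payments-quota
  namespace: payments
spec:
  hard:
    requests.cpu: "4"
    requests.memory: 8Gi
    limits.cpu: "8"
    limits.memory: 16Gi
    pods: "50"
---
# 2) Per-container defaults and bounds. Once a quota constrains requests or
#    limits, Pods that omit them are REJECTED, so the defaults below keep
#    existing manifests deployable while still bounding them.
apiVersion: v1
kind: LimitRange
metadata:
  name: payments-limits
  namespace: payments
spec:
  limits:
    - type: Container
      defaultRequest:     # applied as requests when the Pod sets none
        cpu: 100m
        memory: 128Mi
      default:            # applied as limits when the Pod sets none
        cpu: 500m
        memory: 256Mi
      max:                # nobody in the namespace can ask for more
        cpu: "2"
        memory: 2Gi
---
# 3) A Pod following the slide's advice: memory request equal to the limit,
#    so the scheduler reserves exactly what the container may ever use and
#    memory pressure from it cannot surprise the node; an explicit CPU limit
#    bounds how much a compromised or looping process can burn.
apiVersion: v1
kind: Pod
metadata:
  name: api
  namespace: payments
spec:
  containers:
    - name: api
      image: registry.example.com/payments/api:1.4.2
      resources:
        requests:
          cpu: 250m
          memory: 512Mi
        limits:
          cpu: "1"
          memory: 512Mi
```

`kubectl describe quota payments-quota -n payments` shows used versus hard values, which is also a cheap way to notice a namespace whose consumption suddenly jumps.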
Linux kernel security modules (1/3)
● Defining security profiles
● Mechanisms for controlling access and limiting the functionality of
processes running on the host system
● Damage limitation for compromised accounts
Linux kernel security modules (2/3)
● Increase isolation between containers
● Defense in depth
● Audit and ensure compliance of our environments
Linux kernel security modules (3/3)
● SELinux
● AppArmor
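As an added example (not from the deck) of attaching an AppArmor profile to a container, here is a Pod manifest using the annotation form that every Kubernetes release up to 1.30 understands. The profile name `k8s-deny-write` is a placeholder: the profile must already be loaded on every node that can run the Pod, which is the operational catch with kernel security modules on managed clusters.

```yaml
# Added example (not from the slides). Profile name and image are placeholders;
# the profile must be loaded on the node (for example by a node DaemonSet or
# the cloud provider's node image) before the Pod is scheduled there.
apiVersion: v1
kind: Pod
metadata:
  name: api
  namespace: payments
  annotations:
    # Key: container.apparmor.security.beta.kubernetes.io/<container name>
    # Value: localhost/<profile loaded on the node>, or runtime/default for
    # the container runtime's built-in profile.
    container.apparmor.security.beta.kubernetes.io/api: localhost/k8s-deny-write
spec:
  containers:
    - name: api
      image: registry.example.com/payments/api:1.4.2
      securityContext:
        allowPrivilegeEscalation: false
```

If the profile is not loaded on the chosen node, the kubelet refuses to start the Pod rather than running it unconfined, and `kubectl get pod api -n payments` shows it as `Blocked`, so a missing profile fails closed. Kubernetes 1.30 adds the equivalent field form, `securityContext.appArmorProfile` with `type: Localhost` and `localhostProfile`, which replaces the annotation going forward.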
Seccomp (Linux only)
● Abbreviation for Secure Computing mode
● A Linux kernel security feature
● Limits the system calls (syscalls) containers are allowed to make
● Reduces the attack surface
● Kubernetes applies seccomp profiles loaded on a node to pods and containers
Seccomp - Example
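The deck's seccomp example was an image; what follows is an added example, not the deck's own, of the two halves of a custom profile: the profile file placed on the node (its content is JSON, which YAML accepts as-is) and a Pod that references it through `securityContext.seccompProfile`. The path `profiles/audit.json` is a placeholder relative to the kubelet's seccomp root, which defaults to `/var/lib/kubelet/seccomp/`. An audit profile is the defender's first step: it allows every syscall but logs each one, so you can record what the workload actually needs before tightening to an allow-list or settling on `RuntimeDefault`.

```yaml
# Added example (not from the slides). Paths and names are placeholders.
# 1) Content of <kubelet seccomp root>/profiles/audit.json on every node.
#    SCMP_ACT_LOG = allow the syscall but write it to the kernel audit log.
{"defaultAction": "SCMP_ACT_LOG"}
---
# 2) A Pod that opts in to that profile. Nothing is applied to a Pod that
#    does not set seccompProfile (unless the kubelet's SeccompDefault is on).
apiVersion: v1
kind: Pod
metadata:
  name: audit-pod
  namespace: payments
spec:
  securityContext:
    seccompProfile:
      type: Localhost
      localhostProfile: profiles/audit.json   # relative to the kubelet seccomp root
  containers:
    - name: api
      image: registry.example.com/payments/api:1.4.2
      securityContext:
        allowPrivilegeEscalation: false   # prevents gaining a less restrictive profile
```

While the Pod runs, the node's kernel log (`journalctl -k` or `dmesg`) receives one `audit: type=1326` line per syscall with its number; the distinct set of numbers is the allow-list for a follow-up profile whose `defaultAction` is `SCMP_ACT_ERRNO` and whose `syscalls` list names only those calls. If the referenced file is missing on the node, the container fails to start instead of running unfiltered.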
Real-time protection
● Detect abnormal behavior, security threats and compliance violations
● Be alerted in real time
● Some tools rely on kernel events, enriched with container and Kubernetes metadata, to do this
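As an added example (not from the deck, which does not name a tool) of what "kernel events enriched with container and Kubernetes metadata" looks like in practice, here is a rule file for Falco, which is my choice of such a tool. The two macros are defined inline so the file loads on its own; the output fields (`%k8s.ns.name`, `%k8s.pod.name`, `%container.image.repository`) are where the enrichment shows up.

```yaml
# Added example (not from the slides): a Falco rule that fires when an
# interactive shell starts inside a container. Falco is assumed here as the
# runtime-security tool; the macros mirror Falco's own definitions.
- macro: process_spawned
  condition: evt.type in (execve, execveat) and evt.dir = <
- macro: inside_container
  condition: container.id != host

- rule: Interactive shell started in container
  desc: >
    An interactive shell was started inside a container. Rare in immutable,
    non-interactive workloads, and a common first step after a container
    compromise or an unexpected kubectl exec.
  condition: >
    process_spawned and inside_container
    and proc.name in (bash, sh, zsh, dash, ash)
    and proc.tty != 0
  output: >
    Shell in container (user=%user.name container=%container.name
    image=%container.image.repository ns=%k8s.ns.name pod=%k8s.pod.name
    parent=%proc.pname cmdline=%proc.cmdline)
  priority: WARNING
  tags: [container, shell]
```

The `proc.tty != 0` clause keeps non-interactive `sh -c` wrappers from entrypoint scripts quiet, so alerts correspond to a human (or an attacker's reverse shell) rather than to normal startup. Pair the alert with the `pods/exec` entries from the audit policy: a shell with no matching audit event means it did not arrive through the API server.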
Further information
Follow best practices and recommendations
● Follow recommendations and best practices:
○ Security checklist from the Kubernetes community: https://kubernetes.io/docs/concepts/security/security-checklist/
○ CIS (Center for Internet Security) Kubernetes Benchmark
○ Recommendations from cloud providers
○ Keep up to date
Some resources
● Introduction to Vault (FR)
○ https://blog.cockpitio.com/devops/vault-overview/
● Managing secrets in Kubernetes with Vault Agents (FR)
○ https://blog.cockpitio.com/devops/vault-agent-kubernetes/
● Securing the API server in Kubernetes with Keycloak (FR)
○ https://blog.cockpitio.com/devops/kubernetes-secure-access-using-keycloak-oidc/
● Introduction to the zero trust approach (FR)
○ https://blog.cockpitio.com/cloud/approche-zero-trust-dans-le-cloud/
● Right-sizing your Kubernetes deployments (FR)
○ https://presentations.verchere.fr/Requests_Limits_OSXP_2023/
● Kubernetes security checklist
○ https://kubernetes.io/docs/concepts/security/security-checklist/
Conclusion
● Securing Kubernetes environments is fundamental to protecting your company's interests, ensuring compliance and maintaining trust.
● As Kubernetes continues to evolve, so will security strategies, requiring constant attention and adaptation.
● Today's list is not exhaustive. No list can be, as attackers keep showing their creativity.
● Security is a matter of continuous improvement and constant attention.
Thank you
Keep in touch
@katia_tal
/in/katiahimeur
🔗 blog.cockpitio.com
🔗 www.cockpitio.com
@cockpitio42
/company/cockpit-io/
A team of enthusiasts, guided by DevOps culture, to bring you the best of the Cloud!
(CISOPlatform Summit & SACON 2024) Digital Personal Data Protection Act.pdf(CISOPlatform Summit & SACON 2024) Digital Personal Data Protection Act.pdf
(CISOPlatform Summit & SACON 2024) Digital Personal Data Protection Act.pdf
 
Opencast Summit 2024 — Opencast @ University of Münster
Opencast Summit 2024 — Opencast @ University of MünsterOpencast Summit 2024 — Opencast @ University of Münster
Opencast Summit 2024 — Opencast @ University of Münster
 
Uncharted Together- Navigating AI's New Frontiers in Libraries
Uncharted Together- Navigating AI's New Frontiers in LibrariesUncharted Together- Navigating AI's New Frontiers in Libraries
Uncharted Together- Navigating AI's New Frontiers in Libraries
 
Evolution of iPaaS - simplify IT workloads to provide a unified view of data...
Evolution of iPaaS - simplify IT workloads to provide a unified view of  data...Evolution of iPaaS - simplify IT workloads to provide a unified view of  data...
Evolution of iPaaS - simplify IT workloads to provide a unified view of data...
 
High Profile Girls Call ServiCe Hyderabad 0000000000 Tanisha Best High Class ...
High Profile Girls Call ServiCe Hyderabad 0000000000 Tanisha Best High Class ...High Profile Girls Call ServiCe Hyderabad 0000000000 Tanisha Best High Class ...
High Profile Girls Call ServiCe Hyderabad 0000000000 Tanisha Best High Class ...
 
"Mastering Graphic Design: Essential Tips and Tricks for Beginners and Profes...
"Mastering Graphic Design: Essential Tips and Tricks for Beginners and Profes..."Mastering Graphic Design: Essential Tips and Tricks for Beginners and Profes...
"Mastering Graphic Design: Essential Tips and Tricks for Beginners and Profes...
 
The Rise of AI in Cybersecurity How Machine Learning Will Shape Threat Detect...
The Rise of AI in Cybersecurity How Machine Learning Will Shape Threat Detect...The Rise of AI in Cybersecurity How Machine Learning Will Shape Threat Detect...
The Rise of AI in Cybersecurity How Machine Learning Will Shape Threat Detect...
 
Best Practices for Effectively Running dbt in Airflow.pdf
Best Practices for Effectively Running dbt in Airflow.pdfBest Practices for Effectively Running dbt in Airflow.pdf
Best Practices for Effectively Running dbt in Airflow.pdf
 
The Role of IoT in Australian Mobile App Development - PDF Guide
The Role of IoT in Australian Mobile App Development - PDF GuideThe Role of IoT in Australian Mobile App Development - PDF Guide
The Role of IoT in Australian Mobile App Development - PDF Guide
 

Securing your Kubernetes cluster: a step-by-step guide to success!

• 16. Community and ecosystem support
● Strong focus on security
● Continuous improvement and disclosure of vulnerabilities
● Goals:
○ Share security best practices
○ Encourage corrective action
○ Stay ahead of potential threats
• 17. What will we see during this talk?
• 18. What will we see during this talk?
● Understand the different types of attackers and attack vectors
● A non-exhaustive list of concrete actions you can take to secure your cluster
● Focus on managed Kubernetes clusters
● The tools listed are given for information only
• 22. Main attack vectors
● Insecure API server
● Misconfigured access controls
● Compromised containers
● Exposed dashboards
● Incorrect network configuration
● Compromised nodes
● Compromised secrets
● Supply chain (dependencies, images, ...)
● …
• 24. API server focus
● Critical cluster component
● Gateway for all external and internal communications
● Manages:
○ authentication and authorization
○ validation of objects and their storage in etcd
○ orchestration and resource management
○ scalability and performance
• 25. How do you secure your Kubernetes cluster?
• 26. Zero trust architecture
• 27. Zero trust architecture
● An approach to designing and implementing IT systems in which implicit trust is eliminated: no user, workload or network location is trusted because of where it sits
● Never trust, always verify
• 28. Zero trust architecture
Source: https://blog.cockpitio.com/cloud/approche-zero-trust-dans-le-cloud/
• 29. Limiting API server exposure
• 30. How do you limit API server exposure?
● Restrict access: private clusters, endpoint access control, security groups, network ACLs
● Encrypt all traffic to and from the API server (TLS)
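Added example (not one of the deck's slides): on a managed cluster the API server endpoint is controlled through the provider's cluster configuration. The eksctl fragment below, for EKS, disables the public endpoint and keeps only the private one; cluster name, region and the CIDR are placeholders. GKE private clusters with authorized networks and AKS private clusters with API server authorized IP ranges are the equivalent settings.

```yaml
# Added example: eksctl ClusterConfig restricting API server exposure on EKS.
# Cluster name, region and the CIDR below are placeholders (assumptions).
apiVersion: eksctl.io/v1alpha5
kind: ClusterConfig
metadata:
  name: prod-cluster
  region: eu-west-3
vpc:
  clusterEndpoints:
    # Private endpoint: nodes and in-VPC clients reach the API server
    # without leaving the VPC.
    privateAccess: true
    # No public endpoint: the API server is not reachable from the internet.
    publicAccess: false
  # If a public endpoint cannot be avoided (publicAccess: true), at least
  # replace the default 0.0.0.0/0 with the office / CI egress ranges:
  # publicAccessCIDRs: ["203.0.113.0/24"]
```

With publicAccess set to false, kubectl only works from inside the VPC (bastion, VPN or a CI runner in the network); check the result with the provider's CLI rather than assuming it, since the change is applied asynchronously.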
• 31. Authentication
• 32. Authentication
● Use a strong authentication mechanism to control access to Kubernetes
● Use an SSO portal to connect to your clusters (OAuth2, OpenID Connect or LDAP)
● Enable multi-factor authentication at the identity provider
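Added example (not from the deck): a kubeconfig user entry that obtains its credentials from an OpenID Connect provider through the kubelogin plugin (`kubectl oidc-login`), so no long-lived token or client certificate is stored on the workstation and MFA is enforced by the SSO portal. The issuer URL, client ID, server address and CA path are placeholders; the API server, or the managed cluster's OIDC identity provider configuration, must trust the same issuer.

```yaml
# Added example: kubeconfig authenticating through OIDC with the kubelogin exec plugin.
# Issuer URL, client ID, cluster address and CA path are placeholders (assumptions).
apiVersion: v1
kind: Config
clusters:
- name: prod-cluster
  cluster:
    server: https://10.0.0.10:6443
    certificate-authority: /home/me/.kube/prod-ca.crt
contexts:
- name: prod-oidc
  context:
    cluster: prod-cluster
    user: oidc-user
current-context: prod-oidc
users:
- name: oidc-user
  user:
    # No static credential here: kubectl runs the plugin, which opens the SSO
    # login (with MFA) in the browser and caches the short-lived ID token.
    exec:
      apiVersion: client.authentication.k8s.io/v1beta1
      command: kubectl
      args:
      - oidc-login
      - get-token
      - --oidc-issuer-url=https://sso.example.com/realms/kubernetes
      - --oidc-client-id=kubernetes
      - --oidc-extra-scope=groups   # groups claim is what RBAC bindings will use
      interactiveMode: IfAvailable
```

Group membership carried in the token is what the RBAC section below binds roles to, so revoking a user at the identity provider revokes cluster access without touching the cluster.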
• 33. Authentication
• 34. Using RBAC
• 35. Using RBAC
● What is it?
○ RBAC: Role-Based Access Control
○ Access to resources is granted through roles bound to users, groups and service accounts
○ Defines who can do what, on which resources
• 36. Using RBAC
● Good practice
○ Apply the principle of least privilege to users and service accounts
• 37. Example of an RBAC role
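Added example standing in for the slide's image (not the deck's own manifest): a namespaced, least-privilege Role that lets an on-call group inspect pods and read their logs in one namespace, and a ServiceAccount that receives no API token at all. Namespace and group names are placeholders.

```yaml
# Added example: least-privilege RBAC. Namespace and group name are placeholders (assumptions).
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: pod-reader
  namespace: payments
rules:
- apiGroups: [""]                     # core API group
  resources: ["pods", "pods/log"]
  verbs: ["get", "list", "watch"]
# Deliberately absent: "secrets", write verbs (create/update/patch/delete),
# interactive subresources (pods/exec, pods/portforward) and wildcards ("*").
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: oncall-pod-reader
  namespace: payments
subjects:
- kind: Group
  name: oncall-payments               # group claim delivered by the SSO provider
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role                          # a Role, not a ClusterRole: scope stays in the namespace
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io
---
# Workloads that never call the API should not carry an API token.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: payments-api
  namespace: payments
automountServiceAccountToken: false
```

Check the result from the group's point of view before handing it over: `kubectl auth can-i get secrets -n payments --as=alice --as-group=oncall-payments` must answer no, and `kubectl auth can-i get pods/log -n payments --as=alice --as-group=oncall-payments` must answer yes.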
• 38. Pod Security Admission
• 39. Pod Security Standards policies
Privileged
● No restrictions
● Allows known privilege escalations
Baseline
● Minimally restrictive policy
● Prevents the most common privilege escalations
Restricted
● Very restrictive policy
● Follows current pod hardening best practices
• 40. Pod Security Admission
● Kubernetes-native admission controller that enforces the Pod Security Standards
● Pod security restrictions are applied at the namespace level, through labels
● Enabled by default in recent versions of Kubernetes (stable since 1.25)
• 41. Apply a security policy
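Added example standing in for the slide's image (not the deck's own manifest): the namespace labels that drive Pod Security Admission. Enforcing baseline blocks known escalations immediately, while audit and warn at the restricted level show what would break before enforce is tightened. The namespace name is a placeholder.

```yaml
# Added example: Pod Security Admission labels. Namespace name is a placeholder (assumption).
apiVersion: v1
kind: Namespace
metadata:
  name: payments
  labels:
    # enforce: pods violating this level are rejected
    pod-security.kubernetes.io/enforce: baseline
    pod-security.kubernetes.io/enforce-version: v1.29
    # audit: violations of this level are written to the audit log (no rejection)
    pod-security.kubernetes.io/audit: restricted
    pod-security.kubernetes.io/audit-version: v1.29
    # warn: violations of this level return a warning to the kubectl user (no rejection)
    pod-security.kubernetes.io/warn: restricted
    pod-security.kubernetes.io/warn-version: v1.29
```

The -version labels pin the policy definition to a Kubernetes minor version so a control plane upgrade does not silently change what is rejected. Before moving enforce to restricted, run `kubectl label --dry-run=server --overwrite ns payments pod-security.kubernetes.io/enforce=restricted`: the server evaluates the existing pods and lists the ones that would be refused.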
• 42. Alternatives
• 43. Using network policies
• 44. Network status report
● Default: pods are not isolated; all traffic is allowed (ingress and egress)
● Best practice: restrict pod-to-pod communication to the strict minimum
• 45. What are network policies?
● Let you define which traffic a pod is allowed to exchange with:
○ other pods
○ other namespaces
○ IP blocks
● Enforced by the CNI plugin: with a plugin that does not support them, the objects are accepted by the API server but have no effect
• 46. Example of a policy that denies all outbound traffic
• 48. Securing your secrets
• 49. Secrets... not so secret 😱
● A Kubernetes Secret is an object used to store sensitive data (passwords, tokens, SSH keys, etc.)
● Default:
○ No encryption: stored in plaintext in etcd
○ Values are only base64 encoded, which is an encoding, not encryption
• 50. Securing your secrets
● Use RBAC to restrict access (in particular the get, list and watch verbs on secrets)
● Rotate secrets
● Audit access to secrets
● Regularly review and update access policies
● Prevent secrets from ending up in logs
● Don't hard-code secrets in code or manifests; scan repositories for leaked secrets (Gitleaks)
• 51. Enable encryption at rest
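Added example standing in for the slide's image (not the deck's own manifest): an API server EncryptionConfiguration that encrypts Secrets before they are written to etcd. It applies to control planes you run yourself (passed with `--encryption-provider-config`); on a managed cluster you cannot set this flag and should enable the provider's envelope encryption with a KMS key instead. The key name and material are placeholders.

```yaml
# Added example: encrypt Secrets at rest in etcd. Key name/material are placeholders (assumptions).
# Generate real key material with: head -c 32 /dev/urandom | base64
apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
- resources:
  - secrets
  providers:
  # The first provider is used for writes; every listed provider is tried for reads.
  # secretbox (XSalsa20 + Poly1305) with a 32-byte key; in production prefer a
  # KMS v2 provider so the key never sits on the control plane disk.
  - secretbox:
      keys:
      - name: key-2024-04
        secret: REPLACE_WITH_BASE64_ENCODED_32_BYTE_KEY
  # identity = no encryption. Kept LAST so secrets written before encryption was
  # enabled can still be read; never place it first or new writes stay in plaintext.
  - identity: {}
```

Existing secrets are not re-encrypted by enabling the configuration; rewrite them once with `kubectl get secrets --all-namespaces -o json | kubectl replace -f -`, then remove the identity provider only after confirming that every secret reads back.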
• 52. Mount secrets as volumes 👍 rather than exposing them as environment variables 👎
● Environment variables are inherited by child processes, appear in process listings and crash dumps, and are not refreshed when the Secret changes; files in a volume are updated by the kubelet and can be given restrictive permissions
● ServiceAccount token secrets can only be mounted on specific resource types
• 53. Use external secret management tools
AWS Secrets Manager, Azure Key Vault, Google Cloud Secret Manager
• 54. Securing your secrets
● The Secrets Store CSI Driver integrates external secret managers with Kubernetes
● Integration is done through a CSI (Container Storage Interface) volume
● The driver can mount several secrets, keys, certificates, etc. stored in these external secret managers
● Once the volume is attached, the data is mounted into the container's file system
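Added example for slides 52 to 54 (not the deck's own manifest): a SecretProviderClass for the AWS provider of the Secrets Store CSI Driver and a pod that mounts the secret as a read-only file, never as an environment variable. Secret name, namespace, image and the IAM role attached to the service account are placeholders; the same pattern applies to the Azure Key Vault and Google Secret Manager providers with their own `parameters`.

```yaml
# Added example: Secrets Store CSI Driver with the AWS provider.
# Secret name, namespace, image and IAM setup are placeholders (assumptions).
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: payments-db-creds
  namespace: payments
spec:
  provider: aws
  parameters:
    objects: |
      - objectName: "prod/payments/db-password"   # name in AWS Secrets Manager
        objectType: "secretsmanager"
        objectAlias: "db-password"                 # file name inside the mount
  # No secretObjects block: the value is NOT copied into a Kubernetes Secret,
  # so it never lands in etcd.
---
apiVersion: v1
kind: Pod
metadata:
  name: payments-api
  namespace: payments
spec:
  # The service account is associated with an IAM role that may read only this secret
  # (IRSA or Pod Identity); the driver uses that identity to fetch it.
  serviceAccountName: payments-api
  containers:
  - name: api
    image: registry.example.com/payments/api:1.4.2
    volumeMounts:
    - name: secrets-store
      mountPath: /mnt/secrets
      readOnly: true
    # The application reads /mnt/secrets/db-password from disk.
  volumes:
  - name: secrets-store
    csi:
      driver: secrets-store.csi.k8s.io
      readOnly: true
      volumeAttributes:
        secretProviderClass: payments-db-creds
```

Access is then governed by the secret manager's own policies and audit trail rather than by Kubernetes RBAC alone, and rotating the value in the manager is picked up by the driver's rotation reconciler without redeploying the pod.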
• 55. Audit logging
• 56. Audit logging
● Records every request made to the API server
● Analyze the logs to detect suspicious and unusual activity
● Use security tools to analyze and react to the logs in real time
● Define audit policies to fine-tune which events are recorded and at what level (None, Metadata, Request, RequestResponse)
• 57. Example of an audit policy
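Added example standing in for the slide's image (not the deck's own policy): an audit Policy where rules are evaluated top to bottom and the first match decides the level. Sensitive objects are logged at Metadata only, so secret values never end up in the log; access-control changes and writes keep the request body; the control plane's own chatter is dropped. On a managed cluster the policy itself is fixed by the provider and you enable and ship the audit log stream; the file applies as `--audit-policy-file` on a self-managed control plane.

```yaml
# Added example: API server audit policy. First matching rule wins.
apiVersion: audit.k8s.io/v1
kind: Policy
# Skip the RequestReceived stage: one event per request is enough.
omitStages:
- RequestReceived
rules:
# Secrets, ConfigMaps and token requests: who, what, when, but never the body
# (Request/RequestResponse here would copy secret values into the audit log).
- level: Metadata
  resources:
  - group: ""
    resources: ["secrets", "configmaps", "serviceaccounts/token"]
# Changes to RBAC: keep the full request and response.
- level: RequestResponse
  verbs: ["create", "update", "patch", "delete"]
  resources:
  - group: "rbac.authorization.k8s.io"
    resources: ["roles", "rolebindings", "clusterroles", "clusterrolebindings"]
# Interactive access to containers: the command is in the request URI (Metadata).
- level: Metadata
  resources:
  - group: ""
    resources: ["pods/exec", "pods/attach", "pods/portforward"]
# Read-only watches by the cluster's own components are noise.
- level: None
  users: ["system:kube-proxy"]
  verbs: ["watch"]
  resources:
  - group: ""
    resources: ["endpoints", "services"]
# Health and version probes are noise.
- level: None
  nonResourceURLs: ["/healthz*", "/livez*", "/readyz*", "/version"]
# Every other write: metadata plus request body.
- level: Request
  verbs: ["create", "update", "patch", "delete"]
# Everything else (reads): metadata only.
- level: Metadata
```

Typical detections on this stream are a `create` on `pods/exec` from a human account outside working hours, a `list` on `secrets` across namespaces by a service account that never did so before, and any `create` of a ClusterRoleBinding to `cluster-admin`.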
• 58. Update and patch management
• 59. Update and patch management
● Apply updates and security patches quickly, automatically where possible, to:
○ the Kubernetes cluster (control plane)
○ all components deployed on the cluster
○ the nodes
● Use tools that scan all components of the cluster, including container images
● Follow operating system hardening best practices on the nodes
• 60. Securing containers
• 61. Securing containers
● Use only trusted images
● Reduce image size to reduce the attack surface (fewer packages, fewer vulnerabilities)
● Use immutable containers (read-only root filesystem) to prevent changes at runtime
• 62. Securing containers
● Scan your container images before and after deployment: new CVEs are published after an image is built
● Sign your container images and verify the signatures at admission
● Protect running containers with tools that detect and react to abnormal events
• 63. Securing containers
• 64. Securing containers
• 65. Admission controllers
• 66. Admission controllers
● Controllers that intercept requests to the API server after authentication and authorization, before the object is persisted in etcd
● Two types:
○ Validating admission controllers: accept or reject the request
○ Mutating admission controllers: modify the request before it is persisted (mutating controllers run first, validating controllers last)
• 67. Configuration example
This admission controller protects the API server from being overloaded by applying rate limiting to requests.
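Added example of the validating type described on slide 66 (it is not the rate-limiting configuration shown on slide 67 and not the deck's own manifest): a native ValidatingAdmissionPolicy written in CEL that rejects any pod pulling an image from outside the organisation's registry, including init and ephemeral containers. The API is GA in Kubernetes 1.30; on 1.28 and 1.29 use `admissionregistration.k8s.io/v1beta1` with the same fields. The registry prefix and the exempted namespace are placeholders.

```yaml
# Added example: native validating admission policy (CEL). Registry and namespace are placeholders.
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicy
metadata:
  name: trusted-registry-only
spec:
  failurePolicy: Fail                  # cannot evaluate => reject (fail closed)
  matchConstraints:
    resourceRules:
    - apiGroups: [""]
      apiVersions: ["v1"]
      operations: ["CREATE", "UPDATE"]
      resources: ["pods", "pods/ephemeralcontainers"]   # kubectl debug goes through the subresource
  variables:
  - name: allContainers
    expression: >-
      object.spec.containers
      + (has(object.spec.initContainers) ? object.spec.initContainers : [])
      + (has(object.spec.ephemeralContainers) ? object.spec.ephemeralContainers : [])
  validations:
  - expression: "variables.allContainers.all(c, c.image.startsWith('registry.example.com/'))"
    message: "all container images must be pulled from registry.example.com"
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicyBinding
metadata:
  name: trusted-registry-only
spec:
  policyName: trusted-registry-only
  validationActions: ["Deny"]          # roll out with ["Audit", "Warn"] first to measure impact
  matchResources:
    namespaceSelector:
      matchExpressions:
      - key: kubernetes.io/metadata.name
        operator: NotIn
        values: ["kube-system"]        # platform components are exempted (assumption)
```

A registry allowlist only checks where an image name points; pinning images by digest and verifying Sigstore signatures at admission, as slide 62 recommends, needs a dedicated policy engine (the "Alternatives" of slide 42) or the registry's own signature enforcement.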
• 69. What is a service mesh?
• 70. What is a service mesh?
● A dedicated infrastructure layer added alongside the applications
● The term designates both the tooling and the network domain it creates
● It lets us:
○ understand traffic
○ make decisions based on traffic type or origin
○ reduce the complexity of network management in a microservices context
• 71. Service mesh functionalities
• 72. Service mesh functionalities
● Observability
● Traffic management
● Security
● A/B testing
● Canary deployment
● Rate limiting
● Access control
● Encryption (including mTLS)
● End-to-end authentication
● Service discovery
• 73. Some service meshes
• 74. Using a service mesh
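Added example (not the deck's own manifest) using Istio, one of several service meshes and an assumption since the transcript names none: mTLS is enforced mesh-wide, then the payments workload is allowed to be called only by the frontend's cryptographic identity. Namespaces, labels and service account names are placeholders.

```yaml
# Added example: Istio mTLS + identity-based access control. Names are placeholders (assumptions).
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: istio-system       # root namespace: this policy applies to the whole mesh
spec:
  mtls:
    mode: STRICT                # plaintext connections from workloads outside the mesh are refused
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: payments-allow-frontend
  namespace: payments
spec:
  selector:
    matchLabels:
      app: payments
  action: ALLOW
  rules:
  - from:
    - source:
        # SPIFFE identity taken from the caller's mTLS certificate
        # (namespace + service account), not from an IP address.
        principals: ["cluster.local/ns/frontend/sa/frontend"]
    to:
    - operation:
        methods: ["GET", "POST"]
        paths: ["/api/*"]
```

As soon as one ALLOW policy selects a workload, every request it does not match is denied, which is what gives the zero-trust property; migrate with `mode: PERMISSIVE` first, confirm in the mesh telemetry that no plaintext traffic remains, then switch to STRICT.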
• 76. Container-specific operating systems for Kubernetes
● Operating systems optimized for running containers and Kubernetes
● Minimal attack surface
● Increased cluster security
● Based on read-only (immutable) root filesystems
• 77. Container-specific operating systems for Kubernetes
Talos Linux, Elemental
• 79. Requests & limits
● Best practices
○ Always set memory requests and limits, with requests lower than or equal to limits (equal values avoid memory overcommit on the node)
○ Limit CPU on sensitive workloads
• 80. Requests & limits
● Why?
○ Bound the resources a pod can consume on a node
○ Limit the impact of a denial-of-service attack or a runaway workload on neighbouring pods
• 82. Linux kernel security modules (1/3)
● Define security profiles
● Mechanisms for controlling access and limiting what processes running on the host can do (mandatory access control)
● Limit the damage from a compromised account or container
• 83. Linux kernel security modules (2/3)
● Increase isolation between containers
● Defense in depth
● Audit and ensure compliance of our environments
• 84. Linux kernel security modules (3/3)
SELinux, AppArmor
• 86. Seccomp
● Short for Secure Computing mode
● Linux kernel security feature
● Restricts the system calls (syscalls) a container can make
● Reduces the kernel attack surface
● Not applied by default: a profile must be requested in the pod or container securityContext (or the kubelet configured with seccompDefault: true); RuntimeDefault comes from the container runtime, Localhost profiles must be present on every node under the kubelet's seccomp directory
• 87. Seccomp - Example
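Added example standing in for the slide's image (not the deck's own manifest), and serving slides 61, 79-80, 84 and 86 at once: a pod spec that combines a Restricted-compliant securityContext, a read-only root filesystem (immutable container), the RuntimeDefault seccomp profile, the runtime's default AppArmor profile and requests/limits. Image and namespace are placeholders.

```yaml
# Added example: hardened pod spec. Image and namespace are placeholders (assumptions).
apiVersion: v1
kind: Pod
metadata:
  name: payments-api
  namespace: payments
  annotations:
    # AppArmor: confine the "api" container with the runtime's default profile.
    # Kubernetes 1.30+ also accepts securityContext.appArmorProfile instead of this annotation.
    container.apparmor.security.beta.kubernetes.io/api: runtime/default
spec:
  automountServiceAccountToken: false   # no API token unless the application needs one
  securityContext:
    runAsNonRoot: true
    runAsUser: 10001
    runAsGroup: 10001
    fsGroup: 10001
    seccompProfile:
      type: RuntimeDefault              # runtime's default syscall allowlist
      # For a custom profile installed under the kubelet's seccomp directory on every node:
      # type: Localhost
      # localhostProfile: profiles/payments-api.json
  containers:
  - name: api
    image: registry.example.com/payments/api:1.4.2   # pin by digest in production
    securityContext:
      allowPrivilegeEscalation: false   # setuid binaries cannot gain privileges
      readOnlyRootFilesystem: true      # immutable container: no runtime modification
      capabilities:
        drop: ["ALL"]                   # Restricted profile: start from zero capabilities
    resources:
      requests:
        cpu: "250m"
        memory: "256Mi"
      limits:
        cpu: "500m"
        memory: "256Mi"                 # memory request == limit: no overcommit, predictable OOM behaviour
    volumeMounts:
    - name: tmp
      mountPath: /tmp                   # the only writable path
  volumes:
  - name: tmp
    emptyDir:
      sizeLimit: 64Mi                   # bounded scratch space, cannot fill the node disk
```

This spec passes the restricted Pod Security Standard, so it can be deployed into a namespace labelled `enforce: restricted`; when a process inside the container hits a syscall blocked by seccomp the call fails with EPERM and shows up in the node's audit log, which is a useful signal to forward to the runtime detection tooling of the next section.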
• 89. Real-time protection
● Detect abnormal behavior, security threats and compliance violations
● Be alerted in real time
● Some tools rely on kernel events (syscalls), enriched with container and Kubernetes metadata, to do this
• 90. Real-time protection
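Added example of a runtime detection rule in Falco syntax (Falco is one tool of the kind described on slide 89; naming it is an assumption, the transcript does not): it fires when an interactive shell is started inside a container, which is what `kubectl exec` and most post-exploitation look like, and enriches the alert with Kubernetes metadata. List and macro names carry a `k8s_talk_` prefix so they do not collide with Falco's default ruleset.

```yaml
# Added example: Falco rule, interactive shell inside a container.
# Prefixed list/macro names avoid clashes with the default rules (assumption about your ruleset).
- list: k8s_talk_shell_binaries
  items: [bash, sh, zsh, ash, dash, ksh]

- macro: k8s_talk_spawned_process
  condition: evt.type in (execve, execveat) and evt.dir = <

- macro: k8s_talk_in_container
  condition: container.id != host

- rule: Interactive shell spawned in container
  desc: >
    A shell with a controlling terminal was started inside a container, which is
    typical of kubectl exec or of an attacker who obtained code execution.
  condition: >
    k8s_talk_spawned_process and k8s_talk_in_container
    and proc.name in (k8s_talk_shell_binaries) and proc.tty != 0
  output: >
    Interactive shell in container (user=%user.name shell=%proc.name parent=%proc.pname
    cmdline=%proc.cmdline container=%container.name image=%container.image.repository
    k8s.ns=%k8s.ns.name k8s.pod=%k8s.pod.name)
  priority: WARNING
  tags: [container, shell, mitre_execution]
```

The `proc.tty != 0` test keeps the rule quiet for non-interactive shells such as an entrypoint script, so the remaining alerts correlate directly with the `pods/exec` events in the API server audit log; pair the two to decide whether a shell was an operator or an intruder.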
• 92. Follow best practices and recommendations
• 93. Follow best practices and recommendations
● Follow recommendations and best practices:
○ Security checklist from the Kubernetes community: https://kubernetes.io/docs/concepts/security/security-checklist/
○ CIS (Center for Internet Security) Kubernetes Benchmark
○ Recommendations from your cloud provider
○ Keep up to date
• 95. Some resources
● Introduction to Vault (FR): https://blog.cockpitio.com/devops/vault-overview/
● Managing secrets in Kubernetes with Vault Agent (FR): https://blog.cockpitio.com/devops/vault-agent-kubernetes/
● Securing the API server in Kubernetes with Keycloak (FR): https://blog.cockpitio.com/devops/kubernetes-secure-access-using-keycloak-oidc/
● Introduction to the zero trust approach (FR): https://blog.cockpitio.com/cloud/approche-zero-trust-dans-le-cloud/
● Right-sizing your Kubernetes deployments (FR): https://presentations.verchere.fr/Requests_Limits_OSXP_2023/
● Kubernetes security checklist: https://kubernetes.io/docs/concepts/security/security-checklist/
• 97. Conclusion
● Securing Kubernetes environments is fundamental to protecting your company's interests, ensuring compliance and maintaining trust.
● As Kubernetes continues to evolve, so will security strategies, requiring constant attention and adaptation.
● Today's list is not exhaustive. No list can be, as attackers keep showing their creativity.
● Security is a matter of continuous improvement and constant attention.
• 98. Thank you / Keep in touch
@katia_tal · /in/katiahimeur · blog.cockpitio.com · www.cockpitio.com · @cockpitio42 · /company/cockpit-io/
  • 99. A team of enthusiasts, guided by DevOps culture, to bring you the best of the Cloud!