SlideShare a Scribd company logo

Security best practices for kubernetes deployment

Download as PPTX, PDF
Aqua Security
Aqua Security

This document provides best practices for securing a Kubernetes deployment. It recommends integrating security into the CI/CD pipeline by only using vetted code for builds, scanning images for vulnerabilities, and using private registries to store and push only approved images. It also suggests limiting direct access to Kubernetes nodes, implementing fine-grained role-based access control and quotas, securely managing secrets, implementing network segmentation and "least privilege" controls. Finally, it stresses the importance of logging all activity and integrating logs with monitoring systems for visibility.

Technology
1 of 34
Copyright @ 2017 Aqua Security Software Ltd. All Rights Reserved. Security Best Practices for Kubernetes Deployment Michael Cherny Head of Research, Aqua Security
2 WHO AM I  Head of Security Research at Aqua Security, a leader in container security  20 years of building security products, development and research  Held senior security research positions at Microsoft, Aorato and Imperva.  Presented at security conferences, among them, BlackHat Europe, RSA Europe and Virus Bulleting.
3 BUILD SECURITY ALIGNED WITH DEVOPS Build Ship Cluster Environment Networking and Runtime Monitoring Productio n Dev. / Testing  
BUILD AND SHIP
5 BUILD AND SHIP  Ensure That Only Authorized Images are Used in Your Environment  Ensure That Images Are Free of Vulnerabilities  Integrate Security into your CI/CD pipeline
6 SECURITY INTEGRATED WITH CI/CD Build • Only vetted code (approved for production) is used for building the images ShipTest  
7 SECURITY INTEGRATED WITH CI/CD Build • Implement Continuous Security Vulnerability Scanning • Regularly Apply Security Updates to Your Environment ShipTest  
8 SECURITY INTEGRATED WITH CI/CD Build • Use private registries to store your approved images - make sure you only push approved images to these registries ShipTest  
CLUSTER ENVIRONMENT
10 SSH LIMIT DIRECT ACCESS TO KUBERNETES NODES  Limit SSH access to Kubernetes nodes  Ask users to use “kubectl exec”
11 CONSIDER KUBERNETES AUTHORIZATION PLUGINS  Enables define fine-grained-access control rules  Namespaces  Containers  Operations  ABAC mode  RBAC mode  Webhook mode  Custom mode
12 CREATE ADMINISTRATIVE BOUNDARIES BETWEEN RESOURCES  Limits the damage of mistake or malicious intent  Partition resources into logical groups  Use Kubernetes namespaces to facilitate resource segregation  Kubernetes Authorization plugins to segregate user’s access to namespace resources
13 CREATE ADMINISTRATIVE BOUNDARIES BETWEEN RESOURCES  Example: allow ‘alice’ to read pods from namespace ‘fronto’ { "apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": { "user": "alice", "namespace": "fronto", "resource": "pods", "readonly": true } }
14 DEFINE RESOURCE QUOTA  Resource-unbound containers in shared cluster are bad practice  Create resource quota policies  Pods  CPUs  Memory  Etc.  Assigned to namespace
15 DEFINE RESOURCE QUOTA EXAMPLE  computer-resource.yaml apiVersion: v1 kind: ResourceQuota metadata: name: compute-resources spec: hard: pods: "4“ requests.cpu: "1“ requests.memory: 1Gi limits.cpu: "2“ limits.memory: 2Gi  kubectl create -f ./compute-resources.yaml -- namespace=myspace
16 SAFELY DISTRIBUTE YOUR SECRETS  Storing sensitive data in docker file, POD definition etc. is not safe  Centrally and securely stored secrets  Manage user access  Manage containers/pods access  Store securely  Facilitate secrets expiry and rotation  Etc.
17 KUBERNETES SECRETS  Secret object  As file  As Environment variable  Risks  Secrets stored in plain text  Is at rest  No separation of duties: operator can see secret value  Secrets are available, even if there is no container using it
18 KUBERNETES SECRETS - EXAMPLE  echo -n "admin" > ./username.txt echo -n "1f2d1e2e67df" > ./password.txt  kubectl create secret generic db-user-pass --from- file=./username.txt --from-file=./password.txt secret "db-user-pass" created  kubectl get secrets  Kubectl describe secrets/db-user-pass
19 KUBERNETES SECRETS - EXAMPLE  It call also be done manually  echo -n "admin" | base64 YWRtaW4=  echo -n "1f2d1e2e67df" | base64 MWYyZDFlMmU2N2Rm apiVersion: v1 kind: Secret metadata: name: mysecret type: Opaque data: username: YWRtaW4= password: MWYyZDFlMmU2N2Rm  kubectl create -f ./secret.yaml
NETWORKING
21 IMPLEMENT NETWORK SEGMENTATION  “Good neighbor” compromised application is a door open into cluster  Network segmentation  Ensures that container can communicate only with whom it must
22 IMPLEMENT NETWORK SEGMENTATION  Cross-cluster segmentation can be achieved using firewall rules  “dynamic” nature of container network identities makes container network segmentation a true challenge  Kubernetes Network SIG works on pod-to-pod network policies  Currently only ingress policies can be defined
23 IMPLEMENT NETWORK SEGMENTATION: EXAMPLE  Enable using an annotation on the Namespace kind: Namespace apiVersion: v1 metadata: annotations: net.beta.kubernetes.io/network-policy: | { "ingress": { "isolation": "DefaultDeny" } } kubectl annotate ns <namespace> "net.beta.kubernetes.io/network-policy={"ingress": {"isolation": "DefaultDeny"}}"
24 IMPLEMENT NETWORK SEGMENTATION: EXAMPLE apiVersion: extensions/v1beta1 kind: NetworkPolicy metadata: name: test-network-policy namespace: default spec: podSelector: matchLabels: role: db ingress: - from: - namespaceSelector: matchLabels: project: myproject - podSelector: matchLabels: role: frontend ports: - protocol: tcp port: 6379 kubectl create -f policy.yaml
RUNTIME
26 RUNTIME  Implement “least privileges” principal  Security Context control security parameters to be assigned  Pod  Containers  Pod Security Policy  Consider Kubernetes admission controllers:  “DenyEscalatingExec” – for containers/pods with elevated privileges  “ImagePolicyWebhook” – Kubernetes support to plug external image reviewer  “AlwaysPullImages” – in multitenant cluster
27 SECURITY CONTEXT Security Context Setting Description SecurityContext->runAsNonRoot Indicates that containers should run as non-root user SecurityContext->Capabilities Controls the Linux capabilities assigned to the container. SecurityContext->readOnlyRootFilesystem Controls whether a container will be able to write into the root filesystem. PodSecurityContext->runAsNonRoot Prevents running a container with ‘root’ user as part of the pod
28 SECURITY CONTEXT: EXAMPLE apiVersion: v1 kind: Pod metadata: name: hello-world spec: containers: # specification of the pod’s containers # ... securityContext: readOnlyRootFilesystem: true runAsNonRoot: true
29 IMAGE POLICY WEBHOOK  api.imagepolicy.v1alpha1.ImageReview object describing the action  Fields describing the containers being admitted, as well as any pod annotations that match *.image- policy.k8s.io/*
30 IMAGE POLICY WEBHOOK: EXAMPLE { "apiVersion":"imagepolicy.k8s.io/v1alpha1", "kind":"ImageReview", "spec":{ "containers":[ { "image":"myrepo/myimage:v1“ }, { "image":"myrepo/myimage@sha256:beb6bd6a68f114c1dc2ea4b28db81bdf91de202a9014972bec5e4d9171d 90ed“ } ], "annotations":[ "mycluster.image-policy.k8s.io/ticket-1234": "break-glass“ ], "namespace":"mynamespace“ } }
31 MONITORING AND VISIBILITY  Log everything  Cluster-based logging  Log container activity into a central log hub.  Use Fluentd agent on each node  Ingested logs using  Google Stackdriver Logging  Elasticsearch  Viewed with Kibana.
SUMMARY
33 SECURITY ALIGNED WITH DEVOPS Build Ship Cluster Environment Networking and Runtime Monitoring Productio n Dev. / Testing Only vetted code can be used for build Scan images against known vulnerabilities Use private registries Only approved images are pushed Only use kubectl Fine-grained-access control to resources Create administrative boundaries and assign resource quotas Manage your secrets Implement “least privileges” principal Isolate container networks in logical application groups Log everything Integrates with SIEM and monitoring systems  
THANK YOU Michael Cherny cherny@aquasec.com @chernymi https://www.aquasec.com

Recommended

How abusing the Docker API led to remote code execution same origin bypass an...
How abusing the Docker API led to remote code execution same origin bypass an...How abusing the Docker API led to remote code execution same origin bypass an...
How abusing the Docker API led to remote code execution same origin bypass an...
Aqua Security
 
Kubernetes deployment on bare metal with container linux
Kubernetes deployment on bare metal with container linuxKubernetes deployment on bare metal with container linux
Kubernetes deployment on bare metal with container linux
macchiang
 
Container Security Deep Dive & Kubernetes
Container Security Deep Dive & Kubernetes Container Security Deep Dive & Kubernetes
Container Security Deep Dive & Kubernetes
Aqua Security
 
Container Security
Container SecurityContainer Security
Container Security
Jie Liau
 
K8s security best practices
K8s security best practicesK8s security best practices
K8s security best practices
Sharon Vendrov
 
Security best practices for kubernetes deployment
Security best practices for kubernetes deploymentSecurity best practices for kubernetes deployment
Security best practices for kubernetes deployment
Michael Cherny
 
Docker London: Container Security
Docker London: Container SecurityDocker London: Container Security
Docker London: Container Security
Phil Estes
 
Understanding container security
Understanding container securityUnderstanding container security
Understanding container security
John Kinsella
 

Recommended

How abusing the Docker API led to remote code execution same origin bypass an...
How abusing the Docker API led to remote code execution same origin bypass an...How abusing the Docker API led to remote code execution same origin bypass an...
How abusing the Docker API led to remote code execution same origin bypass an...
Aqua Security
 
Kubernetes deployment on bare metal with container linux
Kubernetes deployment on bare metal with container linuxKubernetes deployment on bare metal with container linux
Kubernetes deployment on bare metal with container linux
macchiang
 
Container Security Deep Dive & Kubernetes
Container Security Deep Dive & Kubernetes Container Security Deep Dive & Kubernetes
Container Security Deep Dive & Kubernetes
Aqua Security
 
Container Security
Container SecurityContainer Security
Container Security
Jie Liau
 
K8s security best practices
K8s security best practicesK8s security best practices
K8s security best practices
Sharon Vendrov
 
Security best practices for kubernetes deployment
Security best practices for kubernetes deploymentSecurity best practices for kubernetes deployment
Security best practices for kubernetes deployment
Michael Cherny
 
Docker London: Container Security
Docker London: Container SecurityDocker London: Container Security
Docker London: Container Security
Phil Estes
 
Understanding container security
Understanding container securityUnderstanding container security
Understanding container security
John Kinsella
 
Docker Security - Continuous Container Security
Docker Security - Continuous Container SecurityDocker Security - Continuous Container Security
Docker Security - Continuous Container Security
Dieter Reuter
 
DevOpsDaysRiga 2018: Andrew Martin - Continuous Kubernetes Security
DevOpsDaysRiga 2018: Andrew Martin - Continuous Kubernetes Security DevOpsDaysRiga 2018: Andrew Martin - Continuous Kubernetes Security
DevOpsDaysRiga 2018: Andrew Martin - Continuous Kubernetes Security
DevOpsDays Riga
 
Docker Container Security - A Network View
Docker Container Security - A Network ViewDocker Container Security - A Network View
Docker Container Security - A Network View
NeuVector
 
Open Source Tools for Container Security and Compliance @Docker LA Meetup 2/13
Open Source Tools for Container Security and Compliance @Docker LA Meetup 2/13Open Source Tools for Container Security and Compliance @Docker LA Meetup 2/13
Open Source Tools for Container Security and Compliance @Docker LA Meetup 2/13
Zach Hill
 
Container Security
Container SecurityContainer Security
Container Security
Salman Baset
 
Container Security Essentials
Container Security EssentialsContainer Security Essentials
Container Security Essentials
DNIF
 
Veer's Container Security
Veer's Container SecurityVeer's Container Security
Veer's Container Security
Jim Barlow
 
Docker Container Security
Docker Container SecurityDocker Container Security
Docker Container Security
Suraj Khetani
 
Container security
Container securityContainer security
Container security
Anthony Chow
 
Csa container-security-in-aws-dw
Csa container-security-in-aws-dwCsa container-security-in-aws-dw
Csa container-security-in-aws-dw
Cloud Security Alliance, UK chapter
 
Cloud-native applications with Java and Kubernetes - Yehor Volkov
Cloud-native applications with Java and Kubernetes - Yehor Volkov Cloud-native applications with Java and Kubernetes - Yehor Volkov
Cloud-native applications with Java and Kubernetes - Yehor Volkov
Kuberton
 
Kubernetes - Security Journey
Kubernetes - Security JourneyKubernetes - Security Journey
Kubernetes - Security Journey
Jerry Jalava
 
Practical Approaches to Container Security
Practical Approaches to Container SecurityPractical Approaches to Container Security
Practical Approaches to Container Security
Shea Stewart
 
K8s security best practices
K8s security best practicesK8s security best practices
K8s security best practices
Sharon Vendrov
 
Container Runtime Security with Falco
Container Runtime Security with FalcoContainer Runtime Security with Falco
Container Runtime Security with Falco
Michael Ducy
 
Docker Security - Secure Container Deployment on Linux
Docker Security - Secure Container Deployment on LinuxDocker Security - Secure Container Deployment on Linux
Docker Security - Secure Container Deployment on Linux
Michael Boelen
 
Container security
Container securityContainer security
Container security
Anthony Chow
 
DockerCon SF 2015: Docker Security
DockerCon SF 2015: Docker SecurityDockerCon SF 2015: Docker Security
DockerCon SF 2015: Docker Security
Docker, Inc.
 
CI / CD / CS - Continuous Security in Kubernetes
CI / CD / CS - Continuous Security in KubernetesCI / CD / CS - Continuous Security in Kubernetes
CI / CD / CS - Continuous Security in Kubernetes
Sysdig
 
Container security
Container securityContainer security
Container security
Anthony Chow
 
Evolution of security strategies in K8s environments.pdf
Evolution of security strategies in K8s environments.pdfEvolution of security strategies in K8s environments.pdf
Evolution of security strategies in K8s environments.pdf
Jose Manuel Ortega Candel
 
2015 DockerCon Using Docker in production at bity.com
2015 DockerCon Using Docker in production at bity.com2015 DockerCon Using Docker in production at bity.com
2015 DockerCon Using Docker in production at bity.com
Mathieu Buffenoir
 

More Related Content

What's hot

Docker Security - Continuous Container Security
Docker Security - Continuous Container SecurityDocker Security - Continuous Container Security
Docker Security - Continuous Container Security
Dieter Reuter
 
DevOpsDaysRiga 2018: Andrew Martin - Continuous Kubernetes Security
DevOpsDaysRiga 2018: Andrew Martin - Continuous Kubernetes Security DevOpsDaysRiga 2018: Andrew Martin - Continuous Kubernetes Security
DevOpsDaysRiga 2018: Andrew Martin - Continuous Kubernetes Security
DevOpsDays Riga
 
Docker Container Security - A Network View
Docker Container Security - A Network ViewDocker Container Security - A Network View
Docker Container Security - A Network View
NeuVector
 
Open Source Tools for Container Security and Compliance @Docker LA Meetup 2/13
Open Source Tools for Container Security and Compliance @Docker LA Meetup 2/13Open Source Tools for Container Security and Compliance @Docker LA Meetup 2/13
Open Source Tools for Container Security and Compliance @Docker LA Meetup 2/13
Zach Hill
 
Container Security
Container SecurityContainer Security
Container Security
Salman Baset
 
Container Security Essentials
Container Security EssentialsContainer Security Essentials
Container Security Essentials
DNIF
 
Veer's Container Security
Veer's Container SecurityVeer's Container Security
Veer's Container Security
Jim Barlow
 
Docker Container Security
Docker Container SecurityDocker Container Security
Docker Container Security
Suraj Khetani
 
Container security
Container securityContainer security
Container security
Anthony Chow
 
Csa container-security-in-aws-dw
Csa container-security-in-aws-dwCsa container-security-in-aws-dw
Csa container-security-in-aws-dw
Cloud Security Alliance, UK chapter
 
Cloud-native applications with Java and Kubernetes - Yehor Volkov
Cloud-native applications with Java and Kubernetes - Yehor Volkov Cloud-native applications with Java and Kubernetes - Yehor Volkov
Cloud-native applications with Java and Kubernetes - Yehor Volkov
Kuberton
 
Kubernetes - Security Journey
Kubernetes - Security JourneyKubernetes - Security Journey
Kubernetes - Security Journey
Jerry Jalava
 
Practical Approaches to Container Security
Practical Approaches to Container SecurityPractical Approaches to Container Security
Practical Approaches to Container Security
Shea Stewart
 
K8s security best practices
K8s security best practicesK8s security best practices
K8s security best practices
Sharon Vendrov
 
Container Runtime Security with Falco
Container Runtime Security with FalcoContainer Runtime Security with Falco
Container Runtime Security with Falco
Michael Ducy
 
Docker Security - Secure Container Deployment on Linux
Docker Security - Secure Container Deployment on LinuxDocker Security - Secure Container Deployment on Linux
Docker Security - Secure Container Deployment on Linux
Michael Boelen
 
Container security
Container securityContainer security
Container security
Anthony Chow
 
DockerCon SF 2015: Docker Security
DockerCon SF 2015: Docker SecurityDockerCon SF 2015: Docker Security
DockerCon SF 2015: Docker Security
Docker, Inc.
 
CI / CD / CS - Continuous Security in Kubernetes
CI / CD / CS - Continuous Security in KubernetesCI / CD / CS - Continuous Security in Kubernetes
CI / CD / CS - Continuous Security in Kubernetes
Sysdig
 
Container security
Container securityContainer security
Container security
Anthony Chow
 

What's hot (20)

Docker Security - Continuous Container Security
Docker Security - Continuous Container SecurityDocker Security - Continuous Container Security
Docker Security - Continuous Container Security
 
DevOpsDaysRiga 2018: Andrew Martin - Continuous Kubernetes Security
DevOpsDaysRiga 2018: Andrew Martin - Continuous Kubernetes Security DevOpsDaysRiga 2018: Andrew Martin - Continuous Kubernetes Security
DevOpsDaysRiga 2018: Andrew Martin - Continuous Kubernetes Security
 
Docker Container Security - A Network View
Docker Container Security - A Network ViewDocker Container Security - A Network View
Docker Container Security - A Network View
 
Open Source Tools for Container Security and Compliance @Docker LA Meetup 2/13
Open Source Tools for Container Security and Compliance @Docker LA Meetup 2/13Open Source Tools for Container Security and Compliance @Docker LA Meetup 2/13
Open Source Tools for Container Security and Compliance @Docker LA Meetup 2/13
 
Container Security
Container SecurityContainer Security
Container Security
 
Container Security Essentials
Container Security EssentialsContainer Security Essentials
Container Security Essentials
 
Veer's Container Security
Veer's Container SecurityVeer's Container Security
Veer's Container Security
 
Docker Container Security
Docker Container SecurityDocker Container Security
Docker Container Security
 
Container security
Container securityContainer security
Container security
 
Csa container-security-in-aws-dw
Csa container-security-in-aws-dwCsa container-security-in-aws-dw
Csa container-security-in-aws-dw
 
Cloud-native applications with Java and Kubernetes - Yehor Volkov
Cloud-native applications with Java and Kubernetes - Yehor Volkov Cloud-native applications with Java and Kubernetes - Yehor Volkov
Cloud-native applications with Java and Kubernetes - Yehor Volkov
 
Kubernetes - Security Journey
Kubernetes - Security JourneyKubernetes - Security Journey
Kubernetes - Security Journey
 
Practical Approaches to Container Security
Practical Approaches to Container SecurityPractical Approaches to Container Security
Practical Approaches to Container Security
 
K8s security best practices
K8s security best practicesK8s security best practices
K8s security best practices
 
Container Runtime Security with Falco
Container Runtime Security with FalcoContainer Runtime Security with Falco
Container Runtime Security with Falco
 
Docker Security - Secure Container Deployment on Linux
Docker Security - Secure Container Deployment on LinuxDocker Security - Secure Container Deployment on Linux
Docker Security - Secure Container Deployment on Linux
 
Container security
Container securityContainer security
Container security
 
DockerCon SF 2015: Docker Security
DockerCon SF 2015: Docker SecurityDockerCon SF 2015: Docker Security
DockerCon SF 2015: Docker Security
 
CI / CD / CS - Continuous Security in Kubernetes
CI / CD / CS - Continuous Security in KubernetesCI / CD / CS - Continuous Security in Kubernetes
CI / CD / CS - Continuous Security in Kubernetes
 
Container security
Container securityContainer security
Container security
 

Similar to Security best practices for kubernetes deployment

Evolution of security strategies in K8s environments.pdf
Evolution of security strategies in K8s environments.pdfEvolution of security strategies in K8s environments.pdf
Evolution of security strategies in K8s environments.pdf
Jose Manuel Ortega Candel
 
2015 DockerCon Using Docker in production at bity.com
2015 DockerCon Using Docker in production at bity.com2015 DockerCon Using Docker in production at bity.com
2015 DockerCon Using Docker in production at bity.com
Mathieu Buffenoir
 
Who is afraid of privileged containers ?
Who is afraid of privileged containers ?Who is afraid of privileged containers ?
Who is afraid of privileged containers ?
Marko Bevc
 
DockerCon EU 2015: Trading Bitcoin with Docker
DockerCon EU 2015: Trading Bitcoin with DockerDockerCon EU 2015: Trading Bitcoin with Docker
DockerCon EU 2015: Trading Bitcoin with Docker
Docker, Inc.
 
Cloud Native TLV Meetup: Securing Containerized Applications Primer
Cloud Native TLV Meetup: Securing Containerized Applications PrimerCloud Native TLV Meetup: Securing Containerized Applications Primer
Cloud Native TLV Meetup: Securing Containerized Applications Primer
Phil Estes
 
Deep Dive into Kubernetes - Part 2
Deep Dive into Kubernetes - Part 2Deep Dive into Kubernetes - Part 2
Deep Dive into Kubernetes - Part 2
Imesh Gunaratne
 
Kubernetes Summit 2019 - Harden Your Kubernetes Cluster
Kubernetes Summit 2019 - Harden Your Kubernetes ClusterKubernetes Summit 2019 - Harden Your Kubernetes Cluster
Kubernetes Summit 2019 - Harden Your Kubernetes Cluster
smalltown
 
Kubernetes security
Kubernetes securityKubernetes security
Kubernetes security
Thomas Fricke
 
K8s best practices from the field!
K8s best practices from the field!K8s best practices from the field!
K8s best practices from the field!
DoiT International
 
Integrating security testing into your container build pipeline - SDD308 - AW...
Integrating security testing into your container build pipeline - SDD308 - AW...Integrating security testing into your container build pipeline - SDD308 - AW...
Integrating security testing into your container build pipeline - SDD308 - AW...
Amazon Web Services
 
A Survey of Container Security in 2016: A Security Update on Container Platforms
A Survey of Container Security in 2016: A Security Update on Container PlatformsA Survey of Container Security in 2016: A Security Update on Container Platforms
A Survey of Container Security in 2016: A Security Update on Container Platforms
Salman Baset
 
Kubernetes 101 for_penetration_testers_-_null_mumbai
Kubernetes 101 for_penetration_testers_-_null_mumbaiKubernetes 101 for_penetration_testers_-_null_mumbai
Kubernetes 101 for_penetration_testers_-_null_mumbai
n|u - The Open Security Community
 
Docker Security: Are Your Containers Tightly Secured to the Ship?
Docker Security: Are Your Containers Tightly Secured to the Ship?Docker Security: Are Your Containers Tightly Secured to the Ship?
Docker Security: Are Your Containers Tightly Secured to the Ship?
Michael Boelen
 
Docker Security Overview
Docker Security OverviewDocker Security Overview
Docker Security Overview
Sreenivas Makam
 
Securing the Infrastructure and the Workloads of Linux Containers
Securing the Infrastructure and the Workloads of Linux ContainersSecuring the Infrastructure and the Workloads of Linux Containers
Securing the Infrastructure and the Workloads of Linux Containers
Massimiliano Mattetti
 
Docker Runtime Security
Docker Runtime SecurityDocker Runtime Security
Docker Runtime Security
Sysdig
 
Breaking and fixing_your_dockerized_environments_owasp_appsec_usa2016
Breaking and fixing_your_dockerized_environments_owasp_appsec_usa2016Breaking and fixing_your_dockerized_environments_owasp_appsec_usa2016
Breaking and fixing_your_dockerized_environments_owasp_appsec_usa2016
Manideep Konakandla
 
It's 2018. Are My Containers Secure Yet!?
It's 2018. Are My Containers Secure Yet!?It's 2018. Are My Containers Secure Yet!?
It's 2018. Are My Containers Secure Yet!?
Phil Estes
 
Evolution of security strategies in K8s environments- All day devops
Evolution of security strategies in K8s environments- All day devops Evolution of security strategies in K8s environments- All day devops
Evolution of security strategies in K8s environments- All day devops
Jose Manuel Ortega Candel
 
ClickHouse on Kubernetes! By Robert Hodges, Altinity CEO
ClickHouse on Kubernetes! By Robert Hodges, Altinity CEOClickHouse on Kubernetes! By Robert Hodges, Altinity CEO
ClickHouse on Kubernetes! By Robert Hodges, Altinity CEO
Altinity Ltd
 

Similar to Security best practices for kubernetes deployment (20)

Evolution of security strategies in K8s environments.pdf
Evolution of security strategies in K8s environments.pdfEvolution of security strategies in K8s environments.pdf
Evolution of security strategies in K8s environments.pdf
 
2015 DockerCon Using Docker in production at bity.com
2015 DockerCon Using Docker in production at bity.com2015 DockerCon Using Docker in production at bity.com
2015 DockerCon Using Docker in production at bity.com
 
Who is afraid of privileged containers ?
Who is afraid of privileged containers ?Who is afraid of privileged containers ?
Who is afraid of privileged containers ?
 
DockerCon EU 2015: Trading Bitcoin with Docker
DockerCon EU 2015: Trading Bitcoin with DockerDockerCon EU 2015: Trading Bitcoin with Docker
DockerCon EU 2015: Trading Bitcoin with Docker
 
Cloud Native TLV Meetup: Securing Containerized Applications Primer
Cloud Native TLV Meetup: Securing Containerized Applications PrimerCloud Native TLV Meetup: Securing Containerized Applications Primer
Cloud Native TLV Meetup: Securing Containerized Applications Primer
 
Deep Dive into Kubernetes - Part 2
Deep Dive into Kubernetes - Part 2Deep Dive into Kubernetes - Part 2
Deep Dive into Kubernetes - Part 2
 
Kubernetes Summit 2019 - Harden Your Kubernetes Cluster
Kubernetes Summit 2019 - Harden Your Kubernetes ClusterKubernetes Summit 2019 - Harden Your Kubernetes Cluster
Kubernetes Summit 2019 - Harden Your Kubernetes Cluster
 
Kubernetes security
Kubernetes securityKubernetes security
Kubernetes security
 
K8s best practices from the field!
K8s best practices from the field!K8s best practices from the field!
K8s best practices from the field!
 
Integrating security testing into your container build pipeline - SDD308 - AW...
Integrating security testing into your container build pipeline - SDD308 - AW...Integrating security testing into your container build pipeline - SDD308 - AW...
Integrating security testing into your container build pipeline - SDD308 - AW...
 
A Survey of Container Security in 2016: A Security Update on Container Platforms
A Survey of Container Security in 2016: A Security Update on Container PlatformsA Survey of Container Security in 2016: A Security Update on Container Platforms
A Survey of Container Security in 2016: A Security Update on Container Platforms
 
Kubernetes 101 for_penetration_testers_-_null_mumbai
Kubernetes 101 for_penetration_testers_-_null_mumbaiKubernetes 101 for_penetration_testers_-_null_mumbai
Kubernetes 101 for_penetration_testers_-_null_mumbai
 
Docker Security: Are Your Containers Tightly Secured to the Ship?
Docker Security: Are Your Containers Tightly Secured to the Ship?Docker Security: Are Your Containers Tightly Secured to the Ship?
Docker Security: Are Your Containers Tightly Secured to the Ship?
 
Docker Security Overview
Docker Security OverviewDocker Security Overview
Docker Security Overview
 
Securing the Infrastructure and the Workloads of Linux Containers
Securing the Infrastructure and the Workloads of Linux ContainersSecuring the Infrastructure and the Workloads of Linux Containers
Securing the Infrastructure and the Workloads of Linux Containers
 
Docker Runtime Security
Docker Runtime SecurityDocker Runtime Security
Docker Runtime Security
 
Breaking and fixing_your_dockerized_environments_owasp_appsec_usa2016
Breaking and fixing_your_dockerized_environments_owasp_appsec_usa2016Breaking and fixing_your_dockerized_environments_owasp_appsec_usa2016
Breaking and fixing_your_dockerized_environments_owasp_appsec_usa2016
 
It's 2018. Are My Containers Secure Yet!?
It's 2018. Are My Containers Secure Yet!?It's 2018. Are My Containers Secure Yet!?
It's 2018. Are My Containers Secure Yet!?
 
Evolution of security strategies in K8s environments- All day devops
Evolution of security strategies in K8s environments- All day devops Evolution of security strategies in K8s environments- All day devops
Evolution of security strategies in K8s environments- All day devops
 
ClickHouse on Kubernetes! By Robert Hodges, Altinity CEO
ClickHouse on Kubernetes! By Robert Hodges, Altinity CEOClickHouse on Kubernetes! By Robert Hodges, Altinity CEO
ClickHouse on Kubernetes! By Robert Hodges, Altinity CEO
 

Recently uploaded

Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualitySoftware Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Inflectra
 
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdfSmart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
91mobiles
 
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdfFIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance
 
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdfFIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance
 
Knowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and backKnowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and back
Elena Simperl
 
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
Product School
 
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
DanBrown980551
 
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Jeffrey Haguewood
 
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
Product School
 
Epistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI supportEpistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI support
Alan Dix
 
Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........
Alison B. Lowndes
 
Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...
Product School
 
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdfFIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance
 
Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...
Product School
 
PCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase TeamPCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase Team
ControlCase
 
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
Product School
 
Connector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a buttonConnector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a button
DianaGray10
 
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
Product School
 
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdfFIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance
 
Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*
Frank van Harmelen
 

Recently uploaded (20)

Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualitySoftware Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
 
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdfSmart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
 
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdfFIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
 
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdfFIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
 
Knowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and backKnowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and back
 
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
 
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
 
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
 
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
 
Epistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI supportEpistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI support
 
Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........
 
Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...
 
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdfFIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdf
 
Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...
 
PCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase TeamPCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase Team
 
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
 
Connector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a buttonConnector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a button
 
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
 
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdfFIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
 
Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*
 

Security best practices for kubernetes deployment

  • 1. Copyright @ 2017 Aqua Security Software Ltd. All Rights Reserved. Security Best Practices for Kubernetes Deployment Michael Cherny Head of Research, Aqua Security
  • 2. 2 WHO AM I  Head of Security Research at Aqua Security, a leader in container security  20 years of building security products, development and research  Held senior security research positions at Microsoft, Aorato and Imperva.  Presented at security conferences, among them, BlackHat Europe, RSA Europe and Virus Bulleting.
  • 3. 3 BUILD SECURITY ALIGNED WITH DEVOPS Build Ship Cluster Environment Networking and Runtime Monitoring Productio n Dev. / Testing  
  • 5. 5 BUILD AND SHIP  Ensure That Only Authorized Images are Used in Your Environment  Ensure That Images Are Free of Vulnerabilities  Integrate Security into your CI/CD pipeline
  • 6. 6 SECURITY INTEGRATED WITH CI/CD Build • Only vetted code (approved for production) is used for building the images ShipTest  
  • 7. 7 SECURITY INTEGRATED WITH CI/CD Build • Implement Continuous Security Vulnerability Scanning • Regularly Apply Security Updates to Your Environment ShipTest  
  • 8. 8 SECURITY INTEGRATED WITH CI/CD Build • Use private registries to store your approved images - make sure you only push approved images to these registries ShipTest  
  • 10. 10 SSH LIMIT DIRECT ACCESS TO KUBERNETES NODES  Limit SSH access to Kubernetes nodes  Ask users to use “kubectl exec”
  • 11. 11 CONSIDER KUBERNETES AUTHORIZATION PLUGINS  Enables define fine-grained-access control rules  Namespaces  Containers  Operations  ABAC mode  RBAC mode  Webhook mode  Custom mode
  • 12. 12 CREATE ADMINISTRATIVE BOUNDARIES BETWEEN RESOURCES  Limits the damage of mistake or malicious intent  Partition resources into logical groups  Use Kubernetes namespaces to facilitate resource segregation  Kubernetes Authorization plugins to segregate user’s access to namespace resources
  • 13. 13 CREATE ADMINISTRATIVE BOUNDARIES BETWEEN RESOURCES  Example: allow ‘alice’ to read pods from namespace ‘fronto’ { "apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": { "user": "alice", "namespace": "fronto", "resource": "pods", "readonly": true } }
  • 14. 14 DEFINE RESOURCE QUOTA  Resource-unbound containers in shared cluster are bad practice  Create resource quota policies  Pods  CPUs  Memory  Etc.  Assigned to namespace
  • 15. 15 DEFINE RESOURCE QUOTA EXAMPLE  computer-resource.yaml apiVersion: v1 kind: ResourceQuota metadata: name: compute-resources spec: hard: pods: "4“ requests.cpu: "1“ requests.memory: 1Gi limits.cpu: "2“ limits.memory: 2Gi  kubectl create -f ./compute-resources.yaml -- namespace=myspace
  • 16. 16 SAFELY DISTRIBUTE YOUR SECRETS  Storing sensitive data in docker file, POD definition etc. is not safe  Centrally and securely stored secrets  Manage user access  Manage containers/pods access  Store securely  Facilitate secrets expiry and rotation  Etc.
  • 17. 17 KUBERNETES SECRETS  Secret object  As file  As Environment variable  Risks  Secrets stored in plain text  Is at rest  No separation of duties: operator can see secret value  Secrets are available, even if there is no container using it
  • 18. 18 KUBERNETES SECRETS - EXAMPLE  echo -n "admin" > ./username.txt echo -n "1f2d1e2e67df" > ./password.txt  kubectl create secret generic db-user-pass --from- file=./username.txt --from-file=./password.txt secret "db-user-pass" created  kubectl get secrets  Kubectl describe secrets/db-user-pass
  • 19. 19 KUBERNETES SECRETS - EXAMPLE  It call also be done manually  echo -n "admin" | base64 YWRtaW4=  echo -n "1f2d1e2e67df" | base64 MWYyZDFlMmU2N2Rm apiVersion: v1 kind: Secret metadata: name: mysecret type: Opaque data: username: YWRtaW4= password: MWYyZDFlMmU2N2Rm  kubectl create -f ./secret.yaml
  • 21. 21 IMPLEMENT NETWORK SEGMENTATION  “Good neighbor” compromised application is a door open into cluster  Network segmentation  Ensures that container can communicate only with whom it must
  • 22. 22 IMPLEMENT NETWORK SEGMENTATION  Cross-cluster segmentation can be achieved using firewall rules  “dynamic” nature of container network identities makes container network segmentation a true challenge  Kubernetes Network SIG works on pod-to-pod network policies  Currently only ingress policies can be defined
  • 23. 23 IMPLEMENT NETWORK SEGMENTATION: EXAMPLE  Enable using an annotation on the Namespace kind: Namespace apiVersion: v1 metadata: annotations: net.beta.kubernetes.io/network-policy: | { "ingress": { "isolation": "DefaultDeny" } } kubectl annotate ns <namespace> "net.beta.kubernetes.io/network-policy={"ingress": {"isolation": "DefaultDeny"}}"
  • 24. 24 IMPLEMENT NETWORK SEGMENTATION: EXAMPLE apiVersion: extensions/v1beta1 kind: NetworkPolicy metadata: name: test-network-policy namespace: default spec: podSelector: matchLabels: role: db ingress: - from: - namespaceSelector: matchLabels: project: myproject - podSelector: matchLabels: role: frontend ports: - protocol: tcp port: 6379 kubectl create -f policy.yaml
  • 26. 26 RUNTIME  Implement “least privileges” principal  Security Context control security parameters to be assigned  Pod  Containers  Pod Security Policy  Consider Kubernetes admission controllers:  “DenyEscalatingExec” – for containers/pods with elevated privileges  “ImagePolicyWebhook” – Kubernetes support to plug external image reviewer  “AlwaysPullImages” – in multitenant cluster
  • 27. 27 SECURITY CONTEXT Security Context Setting Description SecurityContext->runAsNonRoot Indicates that containers should run as non-root user SecurityContext->Capabilities Controls the Linux capabilities assigned to the container. SecurityContext->readOnlyRootFilesystem Controls whether a container will be able to write into the root filesystem. PodSecurityContext->runAsNonRoot Prevents running a container with ‘root’ user as part of the pod
  • 28. 28 SECURITY CONTEXT: EXAMPLE apiVersion: v1 kind: Pod metadata: name: hello-world spec: containers: # specification of the pod’s containers # ... securityContext: readOnlyRootFilesystem: true runAsNonRoot: true
  • 29. 29 IMAGE POLICY WEBHOOK  api.imagepolicy.v1alpha1.ImageReview object describing the action  Fields describing the containers being admitted, as well as any pod annotations that match *.image- policy.k8s.io/*
  • 30. 30 IMAGE POLICY WEBHOOK: EXAMPLE { "apiVersion":"imagepolicy.k8s.io/v1alpha1", "kind":"ImageReview", "spec":{ "containers":[ { "image":"myrepo/myimage:v1“ }, { "image":"myrepo/myimage@sha256:beb6bd6a68f114c1dc2ea4b28db81bdf91de202a9014972bec5e4d9171d 90ed“ } ], "annotations":[ "mycluster.image-policy.k8s.io/ticket-1234": "break-glass“ ], "namespace":"mynamespace“ } }
  • 31. 31 MONITORING AND VISIBILITY  Log everything  Cluster-based logging  Log container activity into a central log hub.  Use Fluentd agent on each node  Ingested logs using  Google Stackdriver Logging  Elasticsearch  Viewed with Kibana.
  • 33. 33 SECURITY ALIGNED WITH DEVOPS Build Ship Cluster Environment Networking and Runtime Monitoring Productio n Dev. / Testing Only vetted code can be used for build Scan images against known vulnerabilities Use private registries Only approved images are pushed Only use kubectl Fine-grained-access control to resources Create administrative boundaries and assign resource quotas Manage your secrets Implement “least privileges” principal Isolate container networks in logical application groups Log everything Integrates with SIEM and monitoring systems  