Security Considerations For Containerized Applications
Neependra Khare, CloudYuga
@neependra
About Me - Neependra Khare
● Founder and Principal Consultant at CloudYuga
● Authored the Introduction to Kubernetes MOOC on edX for the CNCF, which has been taken by more than 63,000 people worldwide
● CNCF Ambassador
● Certified Kubernetes Administrator
● More than 15 years of IT experience
● Authored Docker Cookbook ISBN: 9781783984862 in 2015
● Ran Docker Meetup in Bangalore for more than 5 years
Application Container Image (diagram): Base Container Image, Runtime/Libraries, Application stacked as image layers
Application Container (diagram): the same layers (Base Container Image, Runtime/Libraries, Application) running as a Container on a Container Runtime on a Host
Container Orchestration (diagram): several Hosts, each with a Container Runtime and its Containers, all managed by the Container Orchestrator - K8s
Security Considerations for Application Images
● Image Scanning
● Image Signing
● Audit and Compliance
(diagram: Base Container Image, Runtime/Libraries, Application)
Keep the Image Size Minimal
The same Dockerfile built twice, once from node:10 and once from node:10-alpine:
# second build: FROM node:10-alpine
FROM node:10
EXPOSE 8080
COPY server.js .
CMD node server.js
REPOSITORY   TAG              IMAGE ID       CREATED          SIZE
node-app     node-10          fcd053e2141e   11 minutes ago   673MB
node-app     node-10-alpine   b93e5ada9a6f   11 minutes ago   70.6MB
Run the Program as a Non-root User
FROM python:3.7-alpine
RUN addgroup -S apprunner
RUN adduser -G apprunner -S apprunner
USER apprunner
COPY . /opt/app
WORKDIR /opt/app
RUN pip install -r requirements.txt --user
EXPOSE 8080
ENTRYPOINT ["python", "hello.py"]
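A check for the rule on this slide, written for this page rather than taken from the talk: a small Dockerfile reader that reports whether the image would start its process as root and whether the account named in USER was actually created in an earlier RUN. NONROOT_DOCKERFILE is the slide's Dockerfile; ROOT_DOCKERFILE and TYPO_DOCKERFILE are constructed variants. Only the instruction subset used here is parsed.

```python
import re

# Dockerfile from slide 8: user created and switched to before pip install
NONROOT_DOCKERFILE = """\
FROM python:3.7-alpine
RUN addgroup -S apprunner
RUN adduser -G apprunner -S apprunner
USER apprunner
COPY . /opt/app
WORKDIR /opt/app
RUN pip install -r requirements.txt --user
EXPOSE 8080
ENTRYPOINT ["python", "hello.py"]
"""

# Constructed: the slide 7 shape with no USER at all, so node runs as root
ROOT_DOCKERFILE = """\
FROM node:10-alpine
EXPOSE 8080
COPY server.js .
CMD node server.js
"""

# Constructed: USER names an account that is never created; the container would not start
TYPO_DOCKERFILE = """\
FROM python:3.7-alpine
RUN adduser -S apprunner
USER approunner
CMD ["python", "hello.py"]
"""

ROOT_IDS = {"root", "0"}


def parse_instructions(text):
    """Return (INSTRUCTION, argument) pairs. Comments, blank lines and backslash
    continuations are handled; heredocs and parser directives are not."""
    instructions = []
    pending = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            pending += line[:-1] + " "
            continue
        name, _, arg = (pending + line).partition(" ")
        pending = ""
        instructions.append((name.upper(), arg.strip()))
    return instructions


def effective_user(text):
    """User the container starts as: the last USER instruction wins, and an
    image with no USER at all starts as root."""
    user = "root"
    for name, arg in parse_instructions(text):
        if name == "USER":
            user = arg  # forms: name, uid, name:group, uid:gid
    return user


def check_dockerfile(text):
    """Return findings as strings; an empty list means the image passes."""
    findings = []
    user = effective_user(text).split(":")[0]
    if user in ROOT_IDS:
        findings.append("process starts as root; add a USER instruction")
        return findings
    if not user.isdigit():
        # A named user must exist inside the image (adduser/useradd in a RUN);
        # otherwise the runtime refuses to start the container.
        pattern = re.compile(r"\b(adduser|useradd)\b.*\b" + re.escape(user) + r"\b")
        created = any(name == "RUN" and pattern.search(arg)
                      for name, arg in parse_instructions(text))
        if not created:
            findings.append(f"USER {user} is never created with adduser/useradd")
    return findings


if __name__ == "__main__":
    for label, df in [("slide 8", NONROOT_DOCKERFILE), ("root", ROOT_DOCKERFILE), ("typo", TYPO_DOCKERFILE)]:
        print(label, check_dockerfile(df) or "OK")
```

A numeric USER (for example USER 1000:1000) passes without an adduser line, since the kernel does not need the uid to exist in /etc/passwd; that form is also what the runAsUser settings on the next slides match against.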
Run as Non-root
apiVersion: v1
kind: Pod
metadata:
  name: security-context-uid
spec:
  securityContext:
    runAsUser: 1000
    runAsGroup: 1000
  volumes:
  - name: sec-ctx-vol
    emptyDir: {}
  containers:
  - name: sec-ctx-userid
    image: gcr.io/google-samples/node-hello:1.0
Mount the File System Read-Only
apiVersion: v1
kind: Pod
metadata:
  name: security-context-read-only-fs
spec:
  securityContext:
    runAsUser: 1000
    runAsGroup: 1000
  volumes:
  - name: sec-ctx-vol
    emptyDir: {}
  containers:
  - name: sec-ctx-userid
    image: gcr.io/google-samples/node-hello:1.0
    securityContext:
      readOnlyRootFilesystem: true
Avoid Privilege Escalation
apiVersion: v1
kind: Pod
metadata:
  name: no-privilege-escalation-container
spec:
  securityContext:
    runAsUser: 1000
  containers:
  - name: sec-ctx-privilege-container
    image: busybox:1.29
    command: ['sh', '-c', 'sleep 300']
    securityContext:
      allowPrivilegeEscalation: false
Linux Capabilities
“Linux divides the superuser privileges into distinct units, which we refer to as capabilities.”
CAP_CHOWN     Make arbitrary changes to file UIDs and GIDs
CAP_NET_RAW   * Use RAW and PACKET sockets
              * Bind to any address for transparent proxying
...
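The four pod-level controls on slides 9 to 12 (non-root UID, read-only root filesystem, no privilege escalation, dropped capabilities) are usually enforced together by an admission policy. The following is an added example written for this page, not code from the talk: a checker that takes a Pod manifest already parsed into a Python dict (the structure kubectl sends as JSON) and reports which of the four rules each container violates. SLIDE_POD is the slide 11 manifest; HARDENED_POD and DEFAULT_POD are constructed. Field names are the real PodSpec and Container securityContext names; capability names are written as in manifests, without the CAP_ prefix.

```python
# Pod from slide 11: runAsUser 1000 and allowPrivilegeEscalation: false only
SLIDE_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "no-privilege-escalation-container"},
    "spec": {
        "securityContext": {"runAsUser": 1000},
        "containers": [{
            "name": "sec-ctx-privilege-container",
            "image": "busybox:1.29",
            "command": ["sh", "-c", "sleep 300"],
            "securityContext": {"allowPrivilegeEscalation": False},
        }],
    },
}

# Constructed: every setting from slides 9-12 applied together
HARDENED_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "hardened"},
    "spec": {
        "securityContext": {"runAsUser": 1000, "runAsGroup": 1000, "runAsNonRoot": True},
        "containers": [{
            "name": "app",
            "image": "gcr.io/google-samples/node-hello:1.0",
            "securityContext": {
                "readOnlyRootFilesystem": True,
                "allowPrivilegeEscalation": False,
                # drop everything, then add back only what the process needs
                "capabilities": {"drop": ["ALL"], "add": ["NET_BIND_SERVICE"]},
            },
        }],
    },
}

# Constructed: no securityContext at all, i.e. the Kubernetes defaults
DEFAULT_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "plain"},
    "spec": {"containers": [{"name": "app", "image": "busybox:1.29"}]},
}


def pod_level(pod, field):
    return (pod["spec"].get("securityContext") or {}).get(field)


def container_level(container, field):
    return (container.get("securityContext") or {}).get(field)


def effective(pod, container, field):
    """runAsUser, runAsGroup and runAsNonRoot exist at both levels and the
    container value overrides the pod value; the other fields are container-only."""
    value = container_level(container, field)
    return pod_level(pod, field) if value is None else value


def check_pod(pod):
    """One finding per violated rule per container; [] means compliant."""
    findings = []
    for c in pod["spec"].get("containers", []):
        name = c["name"]
        uid = effective(pod, c, "runAsUser")
        if uid == 0 or (uid is None and effective(pod, c, "runAsNonRoot") is not True):
            findings.append(f"{name}: may run as root (set runAsUser > 0 or runAsNonRoot: true)")
        if container_level(c, "readOnlyRootFilesystem") is not True:
            findings.append(f"{name}: root filesystem is writable (set readOnlyRootFilesystem: true)")
        if container_level(c, "allowPrivilegeEscalation") is not False:
            findings.append(f"{name}: setuid/setcap binaries can gain privileges "
                            "(set allowPrivilegeEscalation: false)")
        caps = container_level(c, "capabilities") or {}
        dropped = {x.upper() for x in caps.get("drop", [])}
        added = sorted(x.upper() for x in caps.get("add", []))
        if "ALL" not in dropped:
            findings.append(f"{name}: capabilities not dropped (set capabilities.drop: [ALL]; "
                            f"currently adds: {added or 'none'})")
    return findings


if __name__ == "__main__":
    for pod in (SLIDE_POD, HARDENED_POD, DEFAULT_POD):
        print(pod["metadata"]["name"], check_pod(pod) or "compliant")
```

Running it on the slide's own pod shows why the slides belong together: it passes the root and privilege-escalation rules but still has a writable root filesystem and the default capability set, including CAP_NET_RAW from the previous slide.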
Partition with Namespaces (diagram): one Kubernetes Cluster split into Namespace QA (Pod A, Pod B, Pod C behind SVC QA) and Namespace PROD (Pod A, Pod B, Pod C behind SVC PROD)
Control Pod-to-Pod Communication via Network Policies (diagram): a Kubernetes Cluster with Namespace default (Pod A app=cache, Pod B app=back) and Namespace prod (Pod X app=front); the network policy allows traffic only when app == back and namespace == default
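The diagram's rule, "allow when app == back and namespace == default", is expressed in a NetworkPolicy whose single `from` entry carries both a podSelector and a namespaceSelector; as one entry the two are ANDed, as two entries they would be ORed. As an added example for this page (not code from the talk), the block below holds that policy as a dict and a small evaluator with the core ingress semantics: a pod selected by no policy accepts everything, a selected pod accepts only what some rule admits, and a podSelector alone means pods in the policy's own namespace. The pod and namespace records are constructed; ports, matchExpressions, ipBlock peers and egress are not modelled.

```python
# NetworkPolicy matching the diagram: app=cache pods in namespace default accept
# ingress only from app=back pods in namespace default.
POLICIES = [{
    "apiVersion": "networking.k8s.io/v1",
    "kind": "NetworkPolicy",
    "metadata": {"name": "cache-allow-back", "namespace": "default"},
    "spec": {
        "podSelector": {"matchLabels": {"app": "cache"}},
        "policyTypes": ["Ingress"],
        "ingress": [{
            "from": [{
                "podSelector": {"matchLabels": {"app": "back"}},
                "namespaceSelector": {"matchLabels": {"kubernetes.io/metadata.name": "default"}},
            }],
            "ports": [{"protocol": "TCP", "port": 6379}],
        }],
    },
}]

# Constructed namespace labels. kubernetes.io/metadata.name is set automatically
# from Kubernetes 1.21 on; older clusters need a label you add yourself.
NAMESPACES = {
    "default": {"kubernetes.io/metadata.name": "default"},
    "prod": {"kubernetes.io/metadata.name": "prod"},
}

# Constructed pods with the labels from the diagram, plus one app=back pod in prod
CACHE = {"name": "pod-a", "namespace": "default", "labels": {"app": "cache"}}
BACK = {"name": "pod-b", "namespace": "default", "labels": {"app": "back"}}
FRONT = {"name": "pod-x", "namespace": "prod", "labels": {"app": "front"}}
PROD_BACK = {"name": "pod-y", "namespace": "prod", "labels": {"app": "back"}}


def selector_matches(selector, labels):
    """matchLabels semantics only; an empty selector {} matches everything."""
    wanted = (selector or {}).get("matchLabels", {})
    return all(labels.get(k) == v for k, v in wanted.items())


def peer_matches(peer, policy_namespace, src, namespaces):
    """One entry of a rule's 'from' list."""
    pod_sel, ns_sel = peer.get("podSelector"), peer.get("namespaceSelector")
    if pod_sel is not None and ns_sel is None:
        # podSelector alone: pods in the policy's own namespace only
        return src["namespace"] == policy_namespace and selector_matches(pod_sel, src["labels"])
    if ns_sel is not None and pod_sel is None:
        return selector_matches(ns_sel, namespaces[src["namespace"]])
    if ns_sel is not None and pod_sel is not None:
        return (selector_matches(ns_sel, namespaces[src["namespace"]])
                and selector_matches(pod_sel, src["labels"]))
    return False  # ipBlock-only peers are not modelled


def ingress_allowed(policies, src, dst, namespaces):
    """May src send to dst? Policies are additive: if none selects dst everything
    is allowed; otherwise any single matching rule allows the connection."""
    selecting = [
        p for p in policies
        if p["metadata"]["namespace"] == dst["namespace"]
        and "Ingress" in p["spec"].get("policyTypes", ["Ingress"])
        and selector_matches(p["spec"]["podSelector"], dst["labels"])
    ]
    if not selecting:
        return True
    for p in selecting:
        for rule in p["spec"].get("ingress", []):
            peers = rule.get("from")
            if not peers:
                return True  # a rule without 'from' admits every source
            if any(peer_matches(peer, dst["namespace"], src, namespaces) for peer in peers):
                return True
    return False


if __name__ == "__main__":
    for src in (BACK, FRONT, PROD_BACK):
        print(src["name"], "->", CACHE["name"], ingress_allowed(POLICIES, src, CACHE, NAMESPACES))
```

The fourth case in the test, an empty-rule policy with `podSelector: {}`, is the usual per-namespace default-deny that makes the allow rules meaningful: without it, Pod B stays reachable from anywhere because no policy selects it.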
Authentication and Authorization (diagram of the request path)
Authentication: Can the user log in to the cluster?
Authorization: Can the user perform the requested action?
Admission Control: Is it a valid request?
Only then does the request reach the K8s objects.
Kubernetes Users (diagram): Normal Users and Service Accounts talk to the Kubernetes API Server, which authorizes them through Roles and RoleBindings
Role Based Access Control (RBAC) - Roles
Role
“Applicable to a given namespace only.”
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: cloudyuga
  name: deployment-manager
rules:
- apiGroups: ["", "apps"]
  resources: ["deployments", "replicasets", "pods"]
  verbs: ["get", "list", "watch", "create", "update"]
ClusterRole
“Applicable Cluster Wide.”
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: deployment-manager-cluster
rules:
- apiGroups: ["", "apps"]
  resources: ["deployments", "replicasets", "pods"]
  verbs: ["get", "list", "watch", "create", "update"]
Role Based Access Control (RBAC) - Role Bindings
RoleBinding
“Applicable to a given namespace only.”
ClusterRoleBinding
“Applicable Cluster Wide.”
(diagram: a RoleBinding ties a Role to Subjects; a ClusterRoleBinding ties a ClusterRole to Subjects; Subjects are Normal Users, Service Accounts or Groups)
Role Based Access Control (RBAC) - Role Bindings
RoleBinding
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: deployment-manager-binding
  namespace: cloudyuga
subjects:
- kind: User
  name: nkhare
  apiGroup: "rbac.authorization.k8s.io"
roleRef:
  kind: Role
  name: deployment-manager
  apiGroup: "rbac.authorization.k8s.io"
ClusterRoleBinding
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: cluster-manager-binding
subjects:
- kind: User
  name: nkhare
  apiGroup: "rbac.authorization.k8s.io"
roleRef:
  kind: ClusterRole
  name: deployment-manager-cluster
  apiGroup: "rbac.authorization.k8s.io"
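What "applicable to a given namespace only" versus "cluster wide" means in practice is easiest to see by evaluating requests against the manifests. The block below is an added example for this page, not code from the talk: it indexes the slides' Role, ClusterRole and RoleBinding and answers can-I questions the way `kubectl auth can-i` would for namespaced resources. The ClusterRoleBinding binds a constructed user `ops` instead of nkhare, so the two scopes can be compared side by side; nonResourceURLs, resourceNames and aggregated ClusterRoles are not modelled.

```python
# Role, ClusterRole and RoleBinding from slides 18 and 20, plus a constructed
# ClusterRoleBinding for the hypothetical user 'ops'.
MANIFESTS = [
    {"kind": "Role", "apiVersion": "rbac.authorization.k8s.io/v1",
     "metadata": {"namespace": "cloudyuga", "name": "deployment-manager"},
     "rules": [{"apiGroups": ["", "apps"],
                "resources": ["deployments", "replicasets", "pods"],
                "verbs": ["get", "list", "watch", "create", "update"]}]},
    {"kind": "ClusterRole", "apiVersion": "rbac.authorization.k8s.io/v1",
     "metadata": {"name": "deployment-manager-cluster"},
     "rules": [{"apiGroups": ["", "apps"],
                "resources": ["deployments", "replicasets", "pods"],
                "verbs": ["get", "list", "watch", "create", "update"]}]},
    {"kind": "RoleBinding", "apiVersion": "rbac.authorization.k8s.io/v1",
     "metadata": {"name": "deployment-manager-binding", "namespace": "cloudyuga"},
     "subjects": [{"kind": "User", "name": "nkhare", "apiGroup": "rbac.authorization.k8s.io"}],
     "roleRef": {"kind": "Role", "name": "deployment-manager", "apiGroup": "rbac.authorization.k8s.io"}},
    {"kind": "ClusterRoleBinding", "apiVersion": "rbac.authorization.k8s.io/v1",
     "metadata": {"name": "cluster-manager-binding"},
     "subjects": [{"kind": "User", "name": "ops", "apiGroup": "rbac.authorization.k8s.io"}],
     "roleRef": {"kind": "ClusterRole", "name": "deployment-manager-cluster",
                 "apiGroup": "rbac.authorization.k8s.io"}},
]


def index(manifests):
    """Roles keyed by (kind, name, namespace or None for ClusterRole), plus the bindings."""
    roles, bindings = {}, []
    for m in manifests:
        if m["kind"] in ("Role", "ClusterRole"):
            ns = m["metadata"].get("namespace") if m["kind"] == "Role" else None
            roles[(m["kind"], m["metadata"]["name"], ns)] = m
        elif m["kind"] in ("RoleBinding", "ClusterRoleBinding"):
            bindings.append(m)
    return roles, bindings


def rule_allows(rule, api_group, resource, verb):
    def hit(values, wanted):
        return "*" in values or wanted in values
    return (hit(rule.get("apiGroups", []), api_group)
            and hit(rule.get("resources", []), resource)
            and hit(rule.get("verbs", []), verb))


def subject_matches(subject, user, groups):
    if subject["kind"] == "User":
        return subject["name"] == user
    if subject["kind"] == "Group":
        return subject["name"] in groups
    if subject["kind"] == "ServiceAccount":
        # service accounts authenticate as system:serviceaccount:<namespace>:<name>
        return user == "system:serviceaccount:%s:%s" % (subject["namespace"], subject["name"])
    return False


def can_i(roles, bindings, user, groups, verb, resource, namespace, api_group=""):
    """True if some binding for the user reaches a rule allowing verb on resource
    in namespace. api_group "" is the core group (pods); deployments live in "apps"."""
    for b in bindings:
        if not any(subject_matches(s, user, groups) for s in b.get("subjects", [])):
            continue
        ref = b["roleRef"]
        if b["kind"] == "RoleBinding":
            if b["metadata"]["namespace"] != namespace:
                continue  # a RoleBinding grants only inside its own namespace
            ns = b["metadata"]["namespace"] if ref["kind"] == "Role" else None
            key = (ref["kind"], ref["name"], ns)
        else:
            key = ("ClusterRole", ref["name"], None)  # ClusterRoleBinding: every namespace
        role = roles.get(key)
        if role and any(rule_allows(r, api_group, resource, verb) for r in role.get("rules", [])):
            return True
    return False


ROLES, BINDINGS = index(MANIFESTS)

if __name__ == "__main__":
    for user, ns in (("nkhare", "cloudyuga"), ("nkhare", "prod"), ("ops", "prod")):
        print(user, ns, can_i(ROLES, BINDINGS, user, [], "create", "deployments", ns, "apps"))
```

A RoleBinding may also reference a ClusterRole; the evaluator handles that case too, and the effect is the common least-privilege pattern of defining permissions once cluster-wide while granting them one namespace at a time.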
Auditing
“The Kubernetes audit.k8s.io API group helps us answer the following questions:”
● what happened?
● when did it happen?
● who initiated it?
● on what did it happen?
● where was it observed?
● from where was it initiated?
● to where was it going?
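Each of the seven questions maps onto a field of the audit Event the API server writes. The block below is an added example for this page, not code from the talk: it parses three constructed events in the audit.k8s.io/v1 JSON-lines format of the log backend, reduces each to the seven answers, and runs one detection over them (reads of Secret objects by anyone other than `system:` identities). The mapping of questions to fields is this example's choice; the field names themselves are the real Event fields.

```python
import json

# Constructed audit events, one JSON object per line, fields trimmed to those used below
SAMPLE_AUDIT_LOG = """\
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"a1","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/default/pods","verb":"create","user":{"username":"nkhare","groups":["system:authenticated"]},"sourceIPs":["10.0.0.5"],"userAgent":"kubectl/v1.13.0","objectRef":{"resource":"pods","namespace":"default","name":"web","apiVersion":"v1"},"responseStatus":{"code":201},"requestReceivedTimestamp":"2019-03-20T10:00:00.000000Z","stageTimestamp":"2019-03-20T10:00:00.120000Z"}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"a2","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/prod/secrets/db-creds","verb":"get","user":{"username":"nkhare","groups":["system:authenticated"]},"sourceIPs":["10.0.0.5"],"userAgent":"kubectl/v1.13.0","objectRef":{"resource":"secrets","namespace":"prod","name":"db-creds","apiVersion":"v1"},"responseStatus":{"code":200},"requestReceivedTimestamp":"2019-03-20T10:01:00.000000Z","stageTimestamp":"2019-03-20T10:01:00.030000Z"}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"a3","stage":"ResponseComplete","requestURI":"/api/v1/secrets?watch=true","verb":"watch","user":{"username":"system:kube-controller-manager","groups":["system:authenticated"]},"sourceIPs":["10.0.0.1"],"userAgent":"kube-controller-manager/v1.13.0","objectRef":{"resource":"secrets","apiVersion":"v1"},"responseStatus":{"code":200},"requestReceivedTimestamp":"2019-03-20T10:02:00.000000Z","stageTimestamp":"2019-03-20T10:02:30.000000Z"}
"""


def parse_audit_log(text):
    """One Event per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def summarize(event):
    """Map one Event onto the slide's seven questions."""
    ref = event.get("objectRef", {})
    return {
        "what": event["verb"],                                   # what happened?
        "when": event["requestReceivedTimestamp"],               # when did it happen?
        "who": event["user"]["username"],                        # who initiated it?
        "on_what": "/".join(v for v in (ref.get("namespace"), ref.get("resource"), ref.get("name")) if v),
        "where_observed": event["stage"],                        # which stage of the request
        "from_where": ",".join(event.get("sourceIPs", [])),      # client address(es)
        "to_where": event["requestURI"],                         # the API endpoint hit
    }


# "system:" covers cluster components and service accounts alike; narrow the
# prefix list if service-account reads of secrets should be reported as well.
SYSTEM_PREFIXES = ("system:",)


def secret_reads_by_people(events):
    """Detection: successful reads of Secret objects by non-system identities,
    a cheap early signal for credential theft or over-broad RBAC."""
    return [
        summarize(e) for e in events
        if e.get("objectRef", {}).get("resource") == "secrets"
        and e["verb"] in ("get", "list", "watch")
        and e["stage"] == "ResponseComplete"
        and e.get("responseStatus", {}).get("code", 0) < 300
        and not e["user"]["username"].startswith(SYSTEM_PREFIXES)
    ]


if __name__ == "__main__":
    events = parse_audit_log(SAMPLE_AUDIT_LOG)
    for e in events:
        print(summarize(e))
    print("secret reads by people:", secret_reads_by_people(events))
```

Events at level Metadata carry no request or response body, which is enough for this rule; the audit policy decides per resource which level is recorded, and Secrets are normally kept at Metadata so the log itself never contains the secret values.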
Secret Management
“Secrets are used for passing credentials such as passwords and TLS certificates.”
Types of Secrets
● Generic
● TLS
● Docker Registry
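The three types on this slide correspond to `kubectl create secret generic|tls|docker-registry`, which differ in the `type` field and the data keys the consumer expects. The block below is an added example for this page, not code from the talk: it builds a manifest for each type with the same keys kubectl would produce, validates a manifest before it is applied, and decodes a value to make the point that `data` is base64-encoded rather than encrypted. All names and values are constructed; the PEM strings are placeholders.

```python
import base64
import binascii
import json

# keys each consumer (kubelet, ingress controllers, image pull) expects per type
REQUIRED_KEYS = {
    "Opaque": set(),                                            # kubectl: generic
    "kubernetes.io/tls": {"tls.crt", "tls.key"},                # kubectl: tls
    "kubernetes.io/dockerconfigjson": {".dockerconfigjson"},    # kubectl: docker-registry
}


def b64(text):
    return base64.b64encode(text.encode()).decode()


def _secret(name, secret_type, values):
    return {"apiVersion": "v1", "kind": "Secret", "metadata": {"name": name},
            "type": secret_type, "data": {k: b64(v) for k, v in values.items()}}


def generic_secret(name, values):
    return _secret(name, "Opaque", values)


def tls_secret(name, cert_pem, key_pem):
    return _secret(name, "kubernetes.io/tls", {"tls.crt": cert_pem, "tls.key": key_pem})


def docker_registry_secret(name, server, username, password):
    # same layout as a ~/.docker/config.json entry, which is what the kubelet reads
    config = {"auths": {server: {"username": username, "password": password,
                                 "auth": b64(f"{username}:{password}")}}}
    return _secret(name, "kubernetes.io/dockerconfigjson",
                   {".dockerconfigjson": json.dumps(config)})


def decode(secret, key):
    """'data' is base64, not ciphertext: anyone allowed to read the object
    (see the RBAC and audit slides) reads the value."""
    return base64.b64decode(secret["data"][key]).decode()


def validate_secret(secret):
    """Problems a CI check would report before 'kubectl apply'."""
    problems = []
    secret_type = secret.get("type", "Opaque")
    data = secret.get("data", {})
    if secret_type not in REQUIRED_KEYS:
        return [f"unknown type {secret_type}"]
    for key in sorted(REQUIRED_KEYS[secret_type] - set(data)):
        problems.append(f"missing key {key} for type {secret_type}")
    for key, value in data.items():
        try:
            base64.b64decode(value, validate=True)
        except (binascii.Error, ValueError):
            problems.append(f"value of {key} is not valid base64 (use stringData for plain text)")
    return problems


if __name__ == "__main__":
    db = generic_secret("db-creds", {"username": "app", "password": "s3cr3t"})
    print(json.dumps(db, indent=2))
    print("decoded password:", decode(db, "password"))
    print("tls ok:", validate_secret(tls_secret("web-tls", "PLACEHOLDER CERT PEM", "PLACEHOLDER KEY PEM")) == [])
```

Because the values come back with one `base64 -d`, the protections that actually matter are the ones elsewhere in this deck: RBAC that keeps `get`/`list` on secrets to the workloads that need them, audit rules that record who read them, and encryption of Secret objects at rest in etcd.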
Benchmarks
Center for Internet Security (CIS) Benchmarks
Thank You!!
@neependra
Security considerations while deploying Containerized Applications by Neependra Khare at #AgileIndia2019