The Art of Cloud Native Defense
PILLARS OF KUBERNETES
SECURITY
Intro
About Me - Jacopo Nardiello
How to get in touch with me: @jnardiello
Reach out if you want to talk about:
- Infrastructure Automation & Cloud Native stuff (not just Kubernetes)
- Practices, TDD, Testing
- How to structure teams and your organization (Thanks! Stockholm Syndrome)
Feedback, feedback, feedback & I love to discuss. Find me around the conference venue and let’s talk!
Founder & CEO SIGHUP
- CNCF Ambassador
- Linux Foundation Europe Founding Advisory Board
- Infra engineer, automation freak, cowboy entrepreneur
- Dad of 2 kiddos
About us
SIGHUP IS AN ENGINEERING FIRM AND ENTERPRISE OPEN SOURCE COMPANY
FOCUSED AND SPECIALIZED IN KUBERNETES AND INFRASTRUCTURE AUTOMATION.
We help enterprises and organizations during their Cloud Native journey towards software-defined
infrastructures and DevOps, leveraging the competitive advantage provided by automation.
We have been crazy enough, since 2017, to create Kubernetes Fury Distribution - a maintained
Kubernetes-based platform providing Enterprise-grade support on upstream CNCF technologies.
In March 2024, we have been fully acquired by ReeVo - Secure Cloud & CyberSecurity
First thing first…
Thank you for surviving the day (and for attending this session)
Please:
- Rate my talk
- Provide constructive feedback
- Don’t be a*hole
- I love human interactions (I’m a devops weirdo!), if you
have questions or there’s anything you want to discuss,
reach out after the talk!
https://community.cncf.io/kcd-italy/
KCD Italy
What you will learn in this session
- Understand exactly what “Security” means in the context of Cloud Native and Kubernetes
- What matters, what doesn’t and where to focus
- Provide you with a high-level, yet actionable framework and learning topics
- We will try to keep it open and simple
- I will not sell you anything
- I will not position any paid enterprise tool
- I will focus on open standards and avoid all confusing or exotic solutions/tools
The state of Cloud Native
- The great orchestration war (2016 a.c.)
- Kubernetes as a new standard and the rise of a new foundation: CNCF (2017 a.c.)
- CNCF landscape and a new ecosystem of emerging standards (2018-2019 a.c.)
- The mighty landscape consolidation (2019-2021 a.c.)
This brings us to today…
The state of Cloud Native
2022/2023, the year of Platforms
- IDPs
- A natural evolution of all the things we called devops for the past 10y
- Fueled by remote work, supposedly leaner processes and digital accelerationism demanded by management
- Kubernetes-as-a-silver-bullet for digital transformation (whatever that means)
The good news: we are in prod!
The bad news: we are in prod.
Kubernetes is reaching maturity.
Question is..
The maturity:
Kubernetes is reaching maturity
But there’s one thing that didn’t change…
WHAT NOW?
Sidenote: 💩 is hitting the fan
- The world is getting into wars 😔
- New regulatory push
We (the infra people) can’t ignore security anymore as a key component of the architectures we deliver and maintain.
2024: Chaos is now expanding to Security teams
Standard security practices:
- Threat modeling
- Red/Blue/Purple/Whatever teams
- Threat analysis and response
Welcome to hell:
- Ephemeral elastic workloads
- API-driven architectures
- New paradigms that didn’t exist before (IaC, PaC, Operators & CRDs)
- Microservice architectures pushed to the extreme
These new challenges drift significantly from the standard skill set of traditional security teams.
What is Cloud Native Security?
A GPT Definition
A Definition
Key Ideas:
- Incorporate security practices into SDLC
- Security as a FOUNDATIONAL component
- Beyond securing cloud infrastructure
Identifying Key Macro Groups
There are 3 macro areas to cover when it comes to Kubernetes Security:
- Artefacts and dependencies management
How to track your dependencies (both application and system) and their vulnerabilities. How to patch them and reduce the probability of shipping compromised software.
- SDLC & pipelines
How to engineer your CI/CD pipelines so that they respect both your business and regulatory requirements, while reducing the probability of shipping compromised software to production.
- Security of Kubernetes workloads at runtime
Secure your production and non-production environments at runtime.
Each macro-area has its own unique set of challenges and solutions.
Supply Chain
Pillars of Cloud Native Security
A description of the Golden Pillars of Cloud Native Security
Follow the value chain
While we won’t deep dive on each pillar, we will focus on the key aspects and provide a checklist of important stuff you need to address.
Artefacts & Dependencies Management
Investigating Pillars 1 and 2
By definition, your Docker images isolate all the dependencies into a single, standardized artefact.
There are three sets of dependencies you must be aware of:
- Your application dependencies (software)
- Your system dependencies
- The dependencies you don’t know you have, embedded into your base images
Key critical facts to handle the security around your artefacts and dependencies:
- Ensure you have your SBOM (Software Bill of Materials)
Correctly track all your application and system container dependencies.
- Use secure base images and invest in your own
Ensure that your standard base image catalog meets your security requirements (community images might not be enough).
https://github.com/wolfi-dev
https://sighup.io/secure-containers/
https://www.chainguard.dev/chainguard-images
- Sign your images
Use technologies like cosign, notary or, more recently, openpubkey to sign your own artefacts and prevent tampering by malicious actors.
Safe builds & pipelines
Pillar 3
Secure pipelines have been for a long time the holy grail of anything devops/devsecops/secdevops/whateverops.
At @SIGHUP we have our own reference architecture (pictured left) and implementation, vendor and technology agnostic. The key universal role of CI/CD pipelines is one of gatekeeping and ensuring quality and regulatory compliance.
Key architectural aspects:
- Vulnerability checks on both your code and dependencies
https://trivy.dev
- Artifacts build and signing (see Pillars 1 & 2)
- Push to safe, certified registries
- Linting, validation and other quality gatekeeping
- Policy enforcement. Our tools of choice for this are OPA and Kyverno; we are also having a look at otterize as a new point of view on policy management in Kubernetes.
https://www.openpolicyagent.org
https://kyverno.io
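As an added example (not from the talk nor from SIGHUP's reference architecture), here is a Kyverno ClusterPolicy that turns the image-signing step of Pillars 1 & 2 and the "push to certified registries" item above into an admission-time gate: pods are rejected unless every image comes from the certified registry and carries a valid cosign signature made with the pipeline key. `registry.example.com` and the public key are placeholders for your own registry and pipeline key.

```yaml
# Added example: Kyverno ClusterPolicy closing the loop between the build
# pipeline (which signs images with cosign) and the cluster (which only admits
# what the pipeline signed). registry.example.com and the public key are
# placeholders.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: pipeline-artefact-gate
spec:
  validationFailureAction: Enforce   # reject non-compliant pods, do not just audit
  background: false                  # verifyImages rules only make sense at admission time
  webhookTimeoutSeconds: 30
  rules:
    # Rule 1: only images pushed to the certified registry are admitted.
    # "=(initContainers)" applies the pattern only when initContainers is present.
    - name: approved-registry-only
      match:
        any:
          - resources:
              kinds:
                - Pod
      validate:
        message: "Only images from registry.example.com are allowed."
        pattern:
          spec:
            =(initContainers):
              - image: "registry.example.com/*"
            containers:
              - image: "registry.example.com/*"
    # Rule 2: every admitted image must carry a cosign signature verifiable
    # with the pipeline's public key. mutateDigest rewrites the image
    # reference to its digest, so a moving tag cannot be swapped underneath
    # the verification after admission.
    - name: verify-pipeline-signature
      match:
        any:
          - resources:
              kinds:
                - Pod
      verifyImages:
        - imageReferences:
            - "registry.example.com/*"
          required: true
          mutateDigest: true
          verifyDigest: true
          attestors:
            - count: 1
              entries:
                - keys:
                    publicKeys: |-
                      -----BEGIN PUBLIC KEY-----
                      <PLACEHOLDER: public half of the cosign key used by the pipeline>
                      -----END PUBLIC KEY-----
```

A pod referencing an unsigned image, or an image from any other registry, is rejected at admission with the rule's message, which is the event you want to see in your audit trail when someone bypasses the pipeline.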
In-cluster Security
Pillars 5-7, Starting from the basics
Basic security in Kubernetes can be achieved using the native components present in any conformant Kubernetes cluster. More specifically, you must put great effort into correctly using the following primitives:
- RBAC
Set of permissions on Kubernetes objects about “who can do what” in which namespace.
- A CNI plugin that introduces support for Network Policies
Regulating in-cluster network interactions and packet flow.
- Namespaces and quotas
Namespaces introduce segmentation in your cluster, providing base configurations, quotas and RBAC access to resources.
- Pod Security Standards & Admission
These define isolation policies, at namespace level, for the pods running in your cluster.
- Ingress tuning and exposure
Ingresses are meant to expose your services to the outside world. Depending on which ingress controller you are working with, you can enforce rules, validation and much more on incoming requests.
- etcd data encryption and backups (self-managed Kubernetes only)
As etcd holds the state of your cluster, it is mandatory to make sure its data is encrypted at rest.
RTFM:
https://kubernetes.io/docs/concepts/security/
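As an added example (not from the talk), here is a namespace baseline that combines four of the primitives above, namely namespaces and quotas, Pod Security Admission, Network Policies and RBAC, in one manifest. The namespace `team-payments`, the ServiceAccount `payments-ci` and the `k8s-app: kube-dns` label on your DNS pods are assumptions; adjust them to your cluster.

```yaml
# Added example: per-team namespace baseline. Names are placeholders.
apiVersion: v1
kind: Namespace
metadata:
  name: team-payments
  labels:
    # Pod Security Admission: reject pods that fail the "restricted" profile
    # (no privileged containers, no hostPath, must run as non-root, ...),
    # and warn/audit with the same profile so violations are visible.
    pod-security.kubernetes.io/enforce: restricted
    pod-security.kubernetes.io/enforce-version: latest
    pod-security.kubernetes.io/warn: restricted
    pod-security.kubernetes.io/audit: restricted
---
# Quotas: a misbehaving tenant cannot starve the rest of the cluster.
apiVersion: v1
kind: ResourceQuota
metadata:
  name: team-payments-quota
  namespace: team-payments
spec:
  hard:
    pods: "50"
    requests.cpu: "8"
    requests.memory: 16Gi
    limits.cpu: "16"
    limits.memory: 32Gi
---
# Network Policy: deny all ingress and egress for every pod in the namespace,
# allowing only DNS egress to kube-system. Every other flow must be declared
# explicitly by an additional NetworkPolicy. Requires a CNI that enforces
# NetworkPolicy (see the CNI item above).
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny
  namespace: team-payments
spec:
  podSelector: {}
  policyTypes:
    - Ingress
    - Egress
  egress:
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns    # assumption: label used by your DNS pods
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
---
# RBAC: the team's CI ServiceAccount can roll out Deployments and read Pods
# and logs in its own namespace only. It deliberately gets no access to
# Secrets and no cluster-wide permissions.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: deployer
  namespace: team-payments
rules:
  - apiGroups: ["apps"]
    resources: ["deployments"]
    verbs: ["get", "list", "watch", "create", "update", "patch"]
  - apiGroups: [""]
    resources: ["pods", "pods/log"]
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: payments-ci-deployer
  namespace: team-payments
subjects:
  - kind: ServiceAccount
    name: payments-ci
    namespace: team-payments
roleRef:
  kind: Role
  name: deployer
  apiGroup: rbac.authorization.k8s.io
```

Apply it with `kubectl apply -f`, then check the effect with `kubectl auth can-i get secrets -n team-payments --as=system:serviceaccount:team-payments:payments-ci` (expected answer: no) and by trying to create a privileged pod in the namespace (expected: rejected by Pod Security Admission).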
Pay attention to your secrets
Not-so-good defaults:
- Stored in base64 (basically plaintext) within Kubernetes etcd
- Lack of automated rotation mechanisms, increasing the risk of credential misuse or compromise over time.
- Insufficient access controls and auditing
- Difficulty in managing secrets at scale, especially in distributed and complex environments.
What you really want: A secret manager!
- Management of all secrets (tokens, certificates, passwords) through a dedicated solution.
- Secrets stored at rest using strong symmetric cryptography.
- Granular access controls, allowing only authorized users or services to access specific secrets.
- Native integration with CI/CD pipelines and deployment workflows to securely provision and manage secrets throughout the application lifecycle.
- Automated rotation, rollback, versioning and expiration policies to regularly update secrets and mitigate the risk of long-term exposure.
- Integration with external identity providers and authentication mechanisms for enhanced security and identity management.
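A secret manager is the real fix, but the "base64 in etcd" default above and the etcd encryption item in the basics slide share one immediate mitigation on self-managed clusters: an API server EncryptionConfiguration. The following is an added example (not from the talk); the file path and the key value are placeholders, and the KMS provider is shown commented out as the stronger option.

```yaml
# Added example: kube-apiserver EncryptionConfiguration for self-managed clusters.
# Pass it to every API server with
#   --encryption-provider-config=/etc/kubernetes/encryption-config.yaml   (path is a placeholder)
# Generate the key with:  head -c 32 /dev/urandom | base64
# and keep this file readable only by the API server process: the aescbc key
# lives on the control-plane disk, so this protects etcd backups and the etcd
# data directory, not a fully compromised control-plane node.
apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
  - resources:
      - secrets
      - configmaps        # ConfigMaps often carry credentials too
    providers:
      # The FIRST provider is used for every write; all providers are tried
      # in order for reads. Weak setting: "identity" first (or no config at
      # all) stores Secrets as plain base64 in etcd.
      - aescbc:
          keys:
            - name: key1
              secret: <PLACEHOLDER: base64-encoded 32-byte key>
      # Stronger alternative: envelope encryption with an external KMS plugin,
      # so the key never sits on the node. Socket path is a placeholder.
      # - kms:
      #     apiVersion: v2
      #     name: my-kms-plugin
      #     endpoint: unix:///var/run/kms-plugin.sock
      #     timeout: 3s
      # "identity" = no encryption. Keeping it LAST lets the API server still
      # read objects written before encryption was enabled. After restarting
      # the API servers, rewrite existing objects once:
      #   kubectl get secrets --all-namespaces -o json | kubectl replace -f -
      # then remove this line so plaintext reads are no longer possible.
      - identity: {}
```

Verify the result by reading a Secret straight from etcd (`etcdctl get /registry/secrets/<ns>/<name>`): the value must start with the `k8s:enc:aescbc:v1:key1:` prefix rather than readable data.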
In-cluster Security: Advanced Topics
Let’s dive into the key aspects of in-cluster security to highlight the main things we should pay attention to when hardening any Kubernetes-based infrastructure:
- Advanced runtime security
  - Secure container runtimes
  - Tools to monitor privilege escalation, storage and file exfiltration
  - Anomaly detection on Kubernetes audit logs, process syscalls, PID monitoring (to mention a few)
https://falco.org
https://katacontainers.io
- Advanced dynamic secrets management
Secrets are a first-class citizen in Kubernetes. Whether you should use Kubernetes Secrets at all is not within the scope of this presentation, but running secured workloads in production requires you to integrate your cluster secrets management with external, ad-hoc, advanced tools.
https://www.conjur.org
https://secrets-store-csi-driver.sigs.k8s.io
- Policy controllers and admission webhooks
Kubernetes policies can become a super powerful tool to enforce security and compliance checks, with several comprehensive ecosystems. Relevant projects for this:
https://github.com/open-policy-agent/gatekeeper
https://github.com/sighupio/gatekeeper-policy-manager
https://kyverno.io
https://otterize.com
- Securing north-south / east-west network traffic
This can be achieved in different ways or with different sets of technologies, ranging from traditional service meshes to newer eBPF-based CNIs.
- IAM and Identities
Both user identities and workload identities are crucial in ensuring correct validation of workloads. SPIFFE and SPIRE to the rescue.
https://spiffe.io
- Workload isolation, multi-tenancy and cluster isolation
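As an added example of the "monitor privilege escalation" and "anomaly detection on process syscalls" items above (not from the talk and not part of Falco's default ruleset), here is a small Falco rule file. The `kcd_` lists and macros are defined locally so the file loads on its own; the `prod-` namespace prefix is an assumption about your naming scheme.

```yaml
# Added example: Falco rules (not Falco's default ruleset). Everything prefixed
# with "kcd_" is defined here so the file loads stand-alone.
- list: kcd_shell_binaries
  items: [bash, sh, dash, zsh, ash, ksh]

- list: kcd_privesc_binaries
  items: [sudo, su, doas]

# A process has finished exec()ing: we look at the exit side of execve/execveat.
- macro: kcd_spawned_process
  condition: evt.type in (execve, execveat) and evt.dir=<

# Falco reports host processes with container.id = "host".
- macro: kcd_in_container
  condition: container.id != host

# Assumption: production namespaces are named prod-<something>.
- macro: kcd_prod_namespace
  condition: k8s.ns.name startswith "prod-"

- rule: Shell spawned in production container
  desc: >
    An interactive shell was started inside a container running in a production
    namespace. Immutable workloads should never need one, so this usually means
    a kubectl exec, a debugging session or an intrusion.
  condition: >
    kcd_spawned_process and kcd_in_container and kcd_prod_namespace
    and proc.name in (kcd_shell_binaries)
  output: >
    Shell in prod container (user=%user.name ns=%k8s.ns.name pod=%k8s.pod.name
    container=%container.name image=%container.image.repository
    parent=%proc.pname cmdline=%proc.cmdline)
  priority: WARNING
  tags: [container, shell, runtime]

- rule: Privilege escalation tool run in container
  desc: >
    sudo, su or doas was executed inside a container in any namespace. With
    Pod Security Standards enforced this should never succeed, so the attempt
    itself is the signal.
  condition: >
    kcd_spawned_process and kcd_in_container
    and proc.name in (kcd_privesc_binaries)
  output: >
    Privilege escalation tool in container (user=%user.name uid=%user.uid
    ns=%k8s.ns.name pod=%k8s.pod.name container=%container.name
    cmdline=%proc.cmdline)
  priority: ERROR
  tags: [container, privilege_escalation, runtime]
```

Load it with `falco -r <this file>` next to your usual rules and trigger it safely by running `kubectl exec -it <pod> -n prod-test -- sh` against a throwaway pod; the alert should name the pod, image and parent process, which is what you want forwarded to your SIEM.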
The case for multi-tenancy, workloads and cluster isolation
- Soft multi-tenancy
- Virtualized control planes
- Dedicated clusters (managed or self-hosted)
- Kubernetes is NOT multi-tenant
- You must/can implement soft multi-tenancy using native k8s primitives
PROS
- Can be a great choice for partitioning clusters on teams and tenants
- Can be leveraged within both self-hosted and managed Kubernetes
- Great for platform engineering
CONS
- You can still (and likely will) be bitten by noisy neighbours in weird ways
- From a security standpoint, there’s no workload isolation beyond the logical isolation implemented with policies, RBAC and namespaces
- Not particularly recommended for mission-critical environments
https://github.com/clastix/capsule
The case for multi-tenancy, workloads and cluster isolation: virtualized control planes
Meta-clusters of control planes, leveraging CAPI or virtual kubelets to automate cluster creation.
PROS
- It’s a really cool concept
- It leverages open standards with profuse efforts from the community
- It ensures workload isolation and a high degree of automation on multi-cluster management
- Stands on the shoulders of giants
CONS
- I feel like adoption is still in its infancy
- Not battle-tested
- Does not guarantee full cluster isolation
Promising technology, under heavy development and hence not recommended if you MUST ensure full cluster isolation in regulated environments.
If you want to play around:
- vcluster by Loft
- Kamaji by Clastix
The case for multi-tenancy, workloads and cluster isolation: dedicated clusters (managed or self-hosted)
Fully dedicated clusters (self-hosted or managed) are the only solution, to date, that I feel like recommending if you need full isolation for workloads and infrastructure.
PROS
- Full isolation
- Full compliance and strong security can be applied
- Full configurability and customization of the solution
CONS
- You need operators knowing what they are doing
- High operational burden
- You can automate, but only to a certain extent
This is where we (SIGHUP) shine, let me promote a bit our own KFD and furyctl:
https://docs.kubernetesfury.com/docs/quickstart/quickstart
Infrastructure Security
Infra hardening & Cloud configurations
Key recommendations:
- Private control planes
- Ensure OS immutability as much as possible
- Verify signatures on Kubernetes executables
- Make sure that your network configurations allow for encryption of both traffic and storage
- If you are on cloud, managed services and integrations might be a good idea
Don’t know where to start? Here is a practical IaC example with sane configurations:
https://github.com/sighupio/fury-eks-installer
The ugly duckling of Cloud Native Security
Pillar 8 - Compliance & Regulation
There are currently no standardised solutions enabling human operators to monitor and validate cluster resource state and violations, and to ensure compliance.
We have therefore been developing over the past few months Permission Monitor, soon available with KFD or standalone on any CNCF-compliant distro. If you are interested, ping me to test it out.
Conclusions
It’s a wrap
What we have learnt:
- We have shared with you our core set of guiding pillars and principles when it comes to securing Kubernetes-based infrastructures.
- You now know what matters and what to focus on as a starting learning point.
- You have an actionable list of items, projects, or sets of technologies to get started with, for each core pillar we have explored.
- I’m aware that this is just scratching the surface, let’s grab a beer (or spritz) & talk 🍻
PS: It’s a 💩ton of work, I know. Imagine, we do all this stuff for a living..
@jnardiello
https://sighup.io
VIP Call Girls Service Kondapur Hyderabad Call +91-8250192130VIP Call Girls Service Kondapur Hyderabad Call +91-8250192130
VIP Call Girls Service Kondapur Hyderabad Call +91-8250192130
 
Structural Analysis and Design of Foundations: A Comprehensive Handbook for S...
Structural Analysis and Design of Foundations: A Comprehensive Handbook for S...Structural Analysis and Design of Foundations: A Comprehensive Handbook for S...
Structural Analysis and Design of Foundations: A Comprehensive Handbook for S...
 
Decoding Kotlin - Your guide to solving the mysterious in Kotlin.pptx
Decoding Kotlin - Your guide to solving the mysterious in Kotlin.pptxDecoding Kotlin - Your guide to solving the mysterious in Kotlin.pptx
Decoding Kotlin - Your guide to solving the mysterious in Kotlin.pptx
 
(RIA) Call Girls Bhosari ( 7001035870 ) HI-Fi Pune Escorts Service
(RIA) Call Girls Bhosari ( 7001035870 ) HI-Fi Pune Escorts Service(RIA) Call Girls Bhosari ( 7001035870 ) HI-Fi Pune Escorts Service
(RIA) Call Girls Bhosari ( 7001035870 ) HI-Fi Pune Escorts Service
 
★ CALL US 9953330565 ( HOT Young Call Girls In Badarpur delhi NCR
★ CALL US 9953330565 ( HOT Young Call Girls In Badarpur delhi NCR★ CALL US 9953330565 ( HOT Young Call Girls In Badarpur delhi NCR
★ CALL US 9953330565 ( HOT Young Call Girls In Badarpur delhi NCR
 
(PRIYA) Rajgurunagar Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(PRIYA) Rajgurunagar Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...(PRIYA) Rajgurunagar Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(PRIYA) Rajgurunagar Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
 
9953056974 Call Girls In South Ex, Escorts (Delhi) NCR.pdf
9953056974 Call Girls In South Ex, Escorts (Delhi) NCR.pdf9953056974 Call Girls In South Ex, Escorts (Delhi) NCR.pdf
9953056974 Call Girls In South Ex, Escorts (Delhi) NCR.pdf
 
VIP Call Girls Service Hitech City Hyderabad Call +91-8250192130
VIP Call Girls Service Hitech City Hyderabad Call +91-8250192130VIP Call Girls Service Hitech City Hyderabad Call +91-8250192130
VIP Call Girls Service Hitech City Hyderabad Call +91-8250192130
 
247267395-1-Symmetric-and-distributed-shared-memory-architectures-ppt (1).ppt
247267395-1-Symmetric-and-distributed-shared-memory-architectures-ppt (1).ppt247267395-1-Symmetric-and-distributed-shared-memory-architectures-ppt (1).ppt
247267395-1-Symmetric-and-distributed-shared-memory-architectures-ppt (1).ppt
 
Model Call Girl in Narela Delhi reach out to us at 🔝8264348440🔝
Model Call Girl in Narela Delhi reach out to us at 🔝8264348440🔝Model Call Girl in Narela Delhi reach out to us at 🔝8264348440🔝
Model Call Girl in Narela Delhi reach out to us at 🔝8264348440🔝
 
DJARUM4D - SLOT GACOR ONLINE | SLOT DEMO ONLINE
DJARUM4D - SLOT GACOR ONLINE | SLOT DEMO ONLINEDJARUM4D - SLOT GACOR ONLINE | SLOT DEMO ONLINE
DJARUM4D - SLOT GACOR ONLINE | SLOT DEMO ONLINE
 
Introduction and different types of Ethernet.pptx
Introduction and different types of Ethernet.pptxIntroduction and different types of Ethernet.pptx
Introduction and different types of Ethernet.pptx
 
Extrusion Processes and Their Limitations
Extrusion Processes and Their LimitationsExtrusion Processes and Their Limitations
Extrusion Processes and Their Limitations
 
High Profile Call Girls Nagpur Isha Call 7001035870 Meet With Nagpur Escorts
High Profile Call Girls Nagpur Isha Call 7001035870 Meet With Nagpur EscortsHigh Profile Call Girls Nagpur Isha Call 7001035870 Meet With Nagpur Escorts
High Profile Call Girls Nagpur Isha Call 7001035870 Meet With Nagpur Escorts
 
Introduction to Multiple Access Protocol.pptx
Introduction to Multiple Access Protocol.pptxIntroduction to Multiple Access Protocol.pptx
Introduction to Multiple Access Protocol.pptx
 
HARMONY IN THE NATURE AND EXISTENCE - Unit-IV
HARMONY IN THE NATURE AND EXISTENCE - Unit-IVHARMONY IN THE NATURE AND EXISTENCE - Unit-IV
HARMONY IN THE NATURE AND EXISTENCE - Unit-IV
 
High Profile Call Girls Dahisar Arpita 9907093804 Independent Escort Service ...
High Profile Call Girls Dahisar Arpita 9907093804 Independent Escort Service ...High Profile Call Girls Dahisar Arpita 9907093804 Independent Escort Service ...
High Profile Call Girls Dahisar Arpita 9907093804 Independent Escort Service ...
 
The Most Attractive Pune Call Girls Budhwar Peth 8250192130 Will You Miss Thi...
The Most Attractive Pune Call Girls Budhwar Peth 8250192130 Will You Miss Thi...The Most Attractive Pune Call Girls Budhwar Peth 8250192130 Will You Miss Thi...
The Most Attractive Pune Call Girls Budhwar Peth 8250192130 Will You Miss Thi...
 
Call Us -/9953056974- Call Girls In Vikaspuri-/- Delhi NCR
Call Us -/9953056974- Call Girls In Vikaspuri-/- Delhi NCRCall Us -/9953056974- Call Girls In Vikaspuri-/- Delhi NCR
Call Us -/9953056974- Call Girls In Vikaspuri-/- Delhi NCR
 
Call Girls in Nagpur Suman Call 7001035870 Meet With Nagpur Escorts
Call Girls in Nagpur Suman Call 7001035870 Meet With Nagpur EscortsCall Girls in Nagpur Suman Call 7001035870 Meet With Nagpur Escorts
Call Girls in Nagpur Suman Call 7001035870 Meet With Nagpur Escorts
 

The Art of Cloud Native Defense on Kubernetes

• 8. The state of Cloud Native
- The great orchestration war (2016 a.c.)
- Kubernetes as the new standard and the rise of a new foundation: CNCF (2017 a.c.)
- The CNCF landscape and a new ecosystem of emerging standards (2018-2019 a.c.)
- The mighty landscape consolidation (2019-2021 a.c.)
This brings us to today…
• 9. The state of Cloud Native
2022/2023, the year of Platforms (IDPs)
- A natural evolution of all the things we have called DevOps for the past 10 years
- Fueled by remote work, supposedly leaner processes and the digital accelerationism demanded by management
- Kubernetes-as-a-silver-bullet for digital transformation (whatever that means)
The good news: we are in prod! The bad news: we are in prod.
Kubernetes is reaching maturity. The question is..
• 11. Kubernetes is reaching maturity. But there's one thing that didn't change… WHAT NOW?
Credits: someone on LinkedIn
• 12. Sidenote: 💩 is hitting the fan
- The world is going to war 😔
- A new regulatory push
We (the infra people) can no longer ignore security as a key component of the architectures we deliver and maintain.
• 13. 2024: Chaos is now expanding to security teams
Standard security practices:
- Threat modeling
- Red/Blue/Purple/Whatever teams
- Threat analysis and response
Welcome to hell:
- Ephemeral, elastic workloads
- API-driven architectures
- New paradigms that didn't exist before (IaC, PaC, Operators & CRDs)
- Microservice architectures pushed to the extreme
These new challenges drift significantly from the standard skill set of traditional security teams.
• 14. What is Cloud Native Security?
• 16. A Definition
Key ideas:
- Incorporate security practices into the SDLC
- Security as a FOUNDATIONAL component
- Beyond securing cloud infrastructure
• 17. Identifying Key Macro Groups
There are 3 macro areas to cover when it comes to Kubernetes security:
- Artefacts and dependencies management (Supply Chain)
How to track your dependencies (both application and system) and their vulnerabilities. How to patch them and reduce the probability of shipping compromised software.
- SDLC & pipelines (Supply Chain)
How to engineer your CI/CD pipelines so that they respect both your business and regulatory requirements, while reducing the probability of shipping compromised software to production.
- Security of Kubernetes workloads at runtime
Secure your production and non-production environments at runtime.
Each macro area has its own unique set of challenges and solutions.
• 18. Pillars of Cloud Native Security
• 19. A description of the Golden Pillars of Cloud Native Security
Follow the value chain. While we won't deep dive on each pillar, we will focus on the key aspects and provide a checklist of important stuff you need to address.
• 20. Artefacts & Dependencies Management (Pillars 1 and 2)
By definition, your Docker images bundle all of your dependencies into a single, standardized artefact. There are three sets of dependencies you must be aware of:
- Your application dependencies (software)
- Your system dependencies
- The dependencies you don't know you have, embedded into your base images
Key facts to handle the security of your artefacts and dependencies:
- Ensure you have your SBOM (Software Bill of Materials)
Correctly track all of your application and system container dependencies.
- Use secure base images and invest in your own
Ensure that your standard base image catalog meets your security requirements (community images might not be enough).
https://github.com/wolfi-dev
https://sighup.io/secure-containers/
https://www.chainguard.dev/chainguard-images
- Sign your images
Use technologies like cosign, Notary or, more recently, OpenPubkey to sign your own artefacts and prevent tampering by malicious actors. A signature only pays off if something verifies it before the image runs, in the pipeline or at admission time.
• 21. Safe builds & pipelines (Pillar 3)
Secure pipelines have long been the holy grail of anything devops/devsecops/secdevops/whateverops. At @SIGHUP we have our own reference architecture (pictured on the slide) and implementation, vendor and technology agnostic.
The key universal role of CI/CD pipelines is gatekeeping: ensuring quality and regulatory compliance.
Key architectural aspects:
- Vulnerability checks on both your code and dependencies
https://trivy.dev
- Artifact build and signing (see Pillars 1 & 2)
- Push to safe, certified registries
- Linting, validation and other quality gatekeeping
- Policy enforcement; our tools of choice for this are OPA and Kyverno, and we are having a look at Otterize as a new point of view on policy management in Kubernetes
https://www.openpolicyagent.org
https://kyverno.io
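Where slides 20 and 21 meet: signing an image (slide 20) only helps if something refuses to run an unsigned one, and admission-time policy enforcement (slide 21) is the natural place for that check. The Kyverno ClusterPolicy below is an added example written for this page; it is not code from the talk, from SIGHUP or from the Kyverno project. The registry prefix `registry.example.com/*` and the public-key placeholder are assumptions: the PEM must be the `cosign.pub` that pairs with the key the pipeline signs with (`cosign sign --key cosign.key registry.example.com/app@<digest>`).

```yaml
# Added example: Kyverno ClusterPolicy that (1) rejects pods whose images do not
# carry a valid cosign signature from the organisation's key and (2) rejects
# images from any other registry, so rule (1) cannot be side-stepped.
# Registry prefix and public key are placeholders.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-signed-images
spec:
  # Enforce = reject the admission request. Start with Audit to measure impact.
  validationFailureAction: Enforce
  # Image verification happens at admission time, not as a background scan.
  background: false
  # Signature lookups go to the registry; give the webhook time to finish.
  webhookTimeoutSeconds: 30
  rules:
    - name: verify-cosign-signature
      match:
        any:
          - resources:
              kinds:
                - Pod
      verifyImages:
        - imageReferences:
            - "registry.example.com/*"
          required: true        # matching image without a verifiable signature -> denied
          mutateDigest: true    # rewrite tag to digest: what was verified is what runs
          verifyDigest: true
          attestors:
            - count: 1
              entries:
                - keys:
                    # Placeholder: paste the PEM from `cosign generate-key-pair` (cosign.pub).
                    publicKeys: |-
                      -----BEGIN PUBLIC KEY-----
                      REPLACE-WITH-YOUR-COSIGN-PUBLIC-KEY
                      -----END PUBLIC KEY-----
    - name: restrict-registries
      match:
        any:
          - resources:
              kinds:
                - Pod
      validate:
        message: "Only images from registry.example.com are allowed."
        pattern:
          spec:
            # =(initContainers) is a Kyverno conditional anchor: checked only if present.
            =(initContainers):
              - image: "registry.example.com/*"
            containers:
              - image: "registry.example.com/*"
```

With Kyverno installed and the policy applied, `kubectl run probe --image=registry.example.com/app:1.0` on an unsigned image is rejected and the error names the `verify-cosign-signature` rule; running it in `Audit` mode first and reading `kubectl get policyreport -A` shows what would break before you flip it to `Enforce`.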
• 22. In-cluster Security (Pillars 5-7): starting from the basics
Basic security in Kubernetes can be achieved using the native components present in any conformant Kubernetes cluster. More specifically, you must put great effort into correctly using the following primitives:
- RBAC
A set of permissions on Kubernetes objects: "who can do what" on which resources, in which namespace (or cluster-wide).
- A CNI plugin that supports Network Policies
Regulating in-cluster network interactions and packet flow. A NetworkPolicy object is accepted by the API server but does nothing unless the CNI enforces it.
- Namespaces and quotas
Namespaces segment your cluster, carrying base configurations, quotas and RBAC access to resources.
- Pod Security Standards & Admission
The privileged, baseline and restricted profiles, enforced per namespace by the Pod Security Admission controller, define how isolated the pods running in your cluster must be.
- Ingress tuning and exposure
Ingresses are meant to expose your services to the outside world. Depending on which ingress controller you are working with, you can enforce rules, validation and much more on incoming requests.
- etcd data encryption and backups (self-managed Kubernetes only)
As etcd holds the state of your cluster, it is mandatory to make sure its data is encrypted at rest, backups included. Kubernetes does not encrypt Secrets in etcd unless you configure encryption at rest on the API server.
RTFM: https://kubernetes.io/docs/concepts/security/
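The primitives listed on this slide are normally applied together per tenant namespace. The manifest below is an added example for this page, not code from the talk or from SIGHUP: the tenant name `team-a`, the ServiceAccount `app`, the quota numbers and the `k8s-app: kube-dns` label used to reach CoreDNS (the default in kubeadm-style clusters) are assumptions.

```yaml
# Added example: a namespace baseline wiring together the native primitives on
# this slide. Tenant name, ServiceAccount name and quota figures are placeholders.
apiVersion: v1
kind: Namespace
metadata:
  name: team-a
  labels:
    # Pod Security Admission: reject pods that violate the "restricted" profile
    # (no privileged, no hostPath, runAsNonRoot, capabilities dropped, ...).
    pod-security.kubernetes.io/enforce: restricted
    pod-security.kubernetes.io/enforce-version: latest
    pod-security.kubernetes.io/warn: restricted
    pod-security.kubernetes.io/audit: restricted
---
# Default deny in both directions: nothing talks in or out of the namespace
# unless a more specific NetworkPolicy allows it. Needs a CNI that enforces
# NetworkPolicy; without one this object is accepted and silently ignored.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: team-a
spec:
  podSelector: {}
  policyTypes: [Ingress, Egress]
---
# Re-open only what every pod needs: DNS towards kube-dns in kube-system.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-dns-egress
  namespace: team-a
spec:
  podSelector: {}
  policyTypes: [Egress]
  egress:
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns   # assumption: CoreDNS pod label
      ports:
        - { protocol: UDP, port: 53 }
        - { protocol: TCP, port: 53 }
---
# RBAC, "who can do what": the app's ServiceAccount may only read pods in its
# own namespace, and pods do not get an API token unless they opt in.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: app
  namespace: team-a
automountServiceAccountToken: false
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: pod-reader
  namespace: team-a
rules:
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: app-pod-reader
  namespace: team-a
subjects:
  - kind: ServiceAccount
    name: app
    namespace: team-a
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: pod-reader
---
# Quota: bounds the blast radius of a noisy or compromised tenant.
apiVersion: v1
kind: ResourceQuota
metadata:
  name: team-a-quota
  namespace: team-a
spec:
  hard:
    pods: "50"
    requests.cpu: "10"
    requests.memory: 20Gi
    limits.cpu: "20"
    limits.memory: 40Gi
```

After `kubectl apply -f` on this file, check the RBAC boundary from the ServiceAccount's point of view: `kubectl auth can-i get pods -n team-a --as=system:serviceaccount:team-a:app` answers `yes`, while `kubectl auth can-i delete pods -n team-a --as=system:serviceaccount:team-a:app` and `kubectl auth can-i get secrets -n team-a --as=system:serviceaccount:team-a:app` answer `no`. A pod that requests `privileged: true` in this namespace is rejected by Pod Security Admission at creation time rather than scheduled.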
• 23. Pay attention to your secrets: not-so-good defaults
- Stored base64-encoded (encoding, not encryption: basically plaintext) in etcd
- Lack of automated rotation mechanisms, increasing the risk of credential misuse or compromise over time
- Insufficient access controls and auditing
- Difficulty in managing secrets at scale, especially in distributed and complex environments
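The first default on this slide has a native fix on self-managed clusters: an API-server EncryptionConfiguration makes Secrets land in etcd encrypted instead of as base64-encoded plaintext. The file below is an added example for this page, not from the talk or from SIGHUP; the key name and key value are placeholders, and the mount path in the usage note is an assumption. It addresses at-rest storage only; it does nothing for rotation, access control or auditing, which is why the next slide still asks for a secret manager.

```yaml
# Added example: EncryptionConfiguration for kube-apiserver so that Secrets are
# written to etcd encrypted. Self-managed control planes only; the key below is
# a placeholder, never commit a real one next to your manifests.
apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
  - resources:
      - secrets
      # add other kinds that carry credentials, e.g. configmaps or specific CRDs
    providers:
      # Order matters: the FIRST provider encrypts new writes, every listed
      # provider is tried when reading. Keep a real cipher first.
      - secretbox:
          keys:
            - name: key-2024-06
              # 32 random bytes, base64-encoded. Generate with:
              #   head -c 32 /dev/urandom | base64
              secret: REPLACE-WITH-BASE64-32-BYTE-KEY
      # identity = no encryption. It stays LAST so objects written before the
      # change can still be read; putting it first would silently disable
      # encryption for all new writes.
      - identity: {}
```

Point kube-apiserver at the file with `--encryption-provider-config=/etc/kubernetes/enc/enc.yaml` (root-only, read-only mount) and restart it. Objects already in etcd stay plaintext until they are rewritten, so follow up with `kubectl get secrets --all-namespaces -o json | kubectl replace -f -`; afterwards an `etcdctl get` on a `/registry/secrets/...` key shows a value starting with `k8s:enc:secretbox:v1:` instead of the raw data. With this provider the key lives on the control-plane disk next to the data it protects; for production the Kubernetes documentation steers you to a `kms` provider backed by an external key service, which is the same threat-model argument the next slide makes for a dedicated secret manager.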
• 24. Pay attention to your secrets
What you really want: a secret manager!
- Management of all secrets (tokens, certificates, passwords) through a dedicated solution.
- Secrets stored at rest using strong symmetric cryptography.
- Granular access controls, allowing only authorized users or services to access specific secrets.
- Native integration with CI/CD pipelines and deployment workflows to securely provision and manage secrets throughout the application lifecycle.
- Automated rotation, rollback, versioning and expiration policies to regularly update secrets and mitigate the risk of long-term exposure.
- Integration with external identity providers and authentication mechanisms for enhanced security and identity management.
• 25. In-cluster Security: Advanced Topics
Let's dive into the key aspects of in-cluster security to highlight the main things we should pay attention to when hardening any Kubernetes-based infrastructure:
- Advanced runtime security
Secure container runtimes; tools to detect privilege escalation and storage/file exfiltration; anomaly detection on Kubernetes audit logs, process syscalls, PID monitoring (to mention a few).
https://falco.org
https://katacontainers.io
- Advanced dynamic secrets management
Secrets are a first-class citizen in Kubernetes and, while it's not within the scope of this presentation whether you should use Kubernetes Secrets or not, running secured workloads in production requires you to integrate your cluster secrets management with external ad-hoc advanced tools.
https://www.conjur.org
https://secrets-store-csi-driver.sigs.k8s.io
- Policy controllers and admission webhooks
Kubernetes policies can become a super powerful tool to enforce security and compliance checks, with several comprehensive ecosystems. Relevant projects:
https://github.com/open-policy-agent/gatekeeper
https://github.com/sighupio/gatekeeper-policy-manager
https://kyverno.io
https://otterize.com
- Securing north-south / east-west network traffic
This can be achieved in different ways with different sets of technologies, ranging from traditional service meshes to newer eBPF-based CNIs.
- IAM and identities
Both user identities and workload identities are crucial in ensuring workloads are correctly authenticated. SPIFFE and SPIRE to the rescue.
https://spiffe.io
- Workload isolation, multi-tenancy and cluster isolation
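For the "advanced runtime security" bullet, this is what syscall-level detection looks like in practice. The rule file below is an added example for this page, not from the talk, from SIGHUP or from Falco's bundled ruleset (Falco ships a similar default rule; this one is written self-contained, without the bundled macros, so it reads on its own). The exempt namespace `debug-sandbox` is an assumption.

```yaml
# Added example: a minimal custom Falco rules file that alerts when a shell is
# exec'd inside a container, the classic post-exploitation / `kubectl exec`
# footprint. The allow-listed namespace is a placeholder.
- list: shell_binaries
  items: [bash, sh, zsh, dash, ash, ksh]

- list: shell_allowed_namespaces
  items: [debug-sandbox]

- rule: Shell Spawned In Container
  desc: >
    A shell binary was executed inside a container. Expected in a dedicated
    debug namespace, suspicious anywhere else in production.
  condition: >
    evt.type in (execve, execveat) and evt.dir = <
    and container.id != host
    and proc.name in (shell_binaries)
    and not k8s.ns.name in (shell_allowed_namespaces)
  output: >
    Shell spawned in container (user=%user.name user_loginuid=%user.loginuid
    ns=%k8s.ns.name pod=%k8s.pod.name container=%container.name
    image=%container.image.repository:%container.image.tag
    cmd=%proc.cmdline parent=%proc.pname terminal=%proc.tty)
  priority: WARNING
  tags: [container, shell, mitre_execution, T1059]
```

Validate the file with `falco -V shell-in-container.yaml` and load it alongside the defaults with `falco -r shell-in-container.yaml` (or drop it into `/etc/falco/rules.d/`). The `evt.dir = <` clause matches the exit of the syscall, i.e. after the exec succeeded, so a denied exec does not fire; the `k8s.*` fields are populated only when Falco runs with Kubernetes metadata enrichment, which is how the namespace exemption is resolved.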
• 26. The case for multi-tenancy, workloads and cluster isolation
- Soft multi-tenancy
- Virtualized control planes
- Dedicated clusters (managed or self-hosted)
Credits to pineapple pizza on Unsplash
• 27. Soft multi-tenancy
- Kubernetes is NOT multi-tenant
- You must/can implement soft multi-tenancy using native k8s primitives
PRO
- Can be a great choice for partitioning clusters across teams and tenants
- Can be leveraged within both self-hosted and managed Kubernetes
- Great for platform engineering
CONS
- You can still (and likely will) be bitten by noisy neighbours in weird ways
- From a security standpoint, there's no workload isolation beyond the logical isolation implemented with policies, RBAC and namespaces
- Not particularly recommended for mission-critical environments
https://github.com/clastix/capsule
• 28. Virtualized control planes
Meta-clusters of control planes, leveraging CAPI or virtual kubelets to automate cluster creation.
PRO
- It's a really cool concept
- It leverages open standards with profuse efforts from the community
- It ensures workload isolation and a high degree of automation on multi-cluster management
- Stands on the shoulders of giants
CONS
- I feel like adoption is still in its infancy
- Not battle-tested
- Does not guarantee full cluster isolation
Promising technology, under heavy development and hence not recommended if you MUST ensure full cluster isolation in regulated environments.
If you want to play around:
- vcluster by Loft
- Kamaji by Clastix
• 29. Dedicated clusters
Fully dedicated clusters (self-hosted or managed) are the only solution, to date, that I feel like recommending if you need full isolation for workloads and infrastructure.
PRO
- Full isolation
- Full compliance and strong security can be applied
- Full configurability and customization of the solution
CONS
- You need operators who know what they are doing
- High operational burden
- You can automate, but only to a certain extent
This is where we (SIGHUP) shine; let me promote our own KFD and furyctl a bit:
https://docs.kubernetesfury.com/docs/quickstart/quickstart
• 30. Infrastructure Security: infra hardening & cloud configurations
Key recommendations:
- Private control planes
- Ensure as much OS immutability as possible
- Verify signatures on Kubernetes executables
- Make sure that your network and storage configurations encrypt data both in transit and at rest
- If you are on cloud, managed services and integrations might be a good idea
Don't know where to start? Here is a practical IaC example with sane configurations:
https://github.com/sighupio/fury-eks-installer
• 31. The ugly duckling of Cloud Native Security (Pillar 8): Compliance & Regulation
There are currently no standardised solutions enabling human operators to monitor and validate the state of cluster resources, detect violations and ensure compliance.
We have therefore been developing, over the past few months, Permission Monitor, soon available with KFD or standalone on any CNCF-conformant distro. If you are interested, ping me to test it out.
• 33. It's a wrap
What we have learnt:
- We have shared with you our core set of guiding pillars and principles when it comes to securing Kubernetes-based infrastructures.
- You now know what matters and what to focus on as a starting learning point.
- You have an actionable list of items, projects, or sets of technologies to get started with, for each core pillar we have explored.
- I'm aware that this is just scratching the surface; let's grab a beer (or spritz) & talk 🍻
• 34. PS: It's a 💩ton of work, I know. Imagine, we do all this stuff for a living…