@OtherDevOpsGene #AllThingsOpen
Keeping your Kubernetes Cluster Secure
Gene Gotimer
@OtherDevOpsGene
WEDNESDAY, NOVEMBER 2, 2022
KUBERNETES SECURITY
Layers
• Infrastructure
  • Hosts
  • Cluster
• Build
  • Application
  • Container images
  • Deployment code
• Runtime
  • Policies
  • Resources
  • Network
  • System calls and interaction
Infrastructure
Build
Runtime
Wrap-up
INFRASTRUCTURE
Hardening
Kubernetes Hardening Guidance, National Security Agency (NSA) and Cybersecurity and Infrastructure Security Agency (CISA).
• Start with the kubernetes.io blog article, A Closer Look at NSA/CISA Kubernetes Hardening Guidance
Kubernetes Security Technical Implementation Guide, Cybersecurity and Infrastructure Security Agency (CISA).
• Start with the stigviewer.com client.
CIS Kubernetes Benchmark, Center for Internet Security (CIS), non-government, non-profit.
https://www.cisecurity.org/benchmark/kubernetes/
INFRASTRUCTURE
Cluster configuration
Is my Kubernetes cluster installed and configured properly?
• Use Aqua kube-bench
• May not apply to master nodes
$ kubectl logs kube-bench-kc82n
[INFO] 3 Worker Node Security Configuration
[INFO] 3.1 Worker Node Configuration Files
[PASS] 3.1.1 Ensure that the kubeconfig file permissions are set to 644 or more restrictive (Manual)
[PASS] 3.1.2 Ensure that the kubelet kubeconfig file ownership is set to root:root (Manual)
[PASS] 3.1.3 Ensure that the kubelet configuration file has permissions set to 644 or more restrictive (Manual)
[PASS] 3.1.4 Ensure that the kubelet configuration file ownership is set to root:root (Manual)
[INFO] 3.2 Kubelet
[PASS] 3.2.1 Ensure that the --anonymous-auth argument is set to false (Automated)
[PASS] 3.2.2 Ensure that the --authorization-mode argument is not set to AlwaysAllow (Automated)
[PASS] 3.2.3 Ensure that the --client-ca-file argument is set as appropriate (Manual)
[PASS] 3.2.4 Ensure that the --read-only-port argument is set to 0 (Manual)
[PASS] 3.2.5 Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Manual)
[PASS] 3.2.6 Ensure that the --protect-kernel-defaults argument is set to true (Automated)
[PASS] 3.2.7 Ensure that the --make-iptables-util-chains argument is set to true (Automated)
[PASS] 3.2.8 Ensure that the --hostname-override argument is not set (Manual)
[WARN] 3.2.9 Ensure that the --eventRecordQPS argument is set to 0 or a level which ensures appropriate event capture (Automated)
[PASS] 3.2.10 Ensure that the --rotate-certificates argument is not set to false (Manual)
[PASS] 3.2.11 Ensure that the RotateKubeletServerCertificate argument is set to true (Manual)
[INFO] 3.3 Container Optimized OS
[WARN] 3.3.1 Prefer using Container-Optimized OS when possible (Manual)
BUILD
Static code analysis
Are resources configured properly?
• Use Checkov by Bridgecrew
• Scans source code for
  • Dockerfiles
  • Kubernetes manifests
  • Terraform
$ checkov -d manifests --quiet --compact
kubernetes scan results:
Passed checks: 1066, Failed checks: 166, Skipped checks: 0
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.sock-shop.carts
File: /manifests/01-carts-dep.yaml:2-51
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.sock-shop.carts
File: /manifests/01-carts-dep.yaml:2-51
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.sock-shop.carts
File: /manifests/01-carts-dep.yaml:2-51
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.sock-shop.carts
File: /manifests/01-carts-dep.yaml:2-51
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.sock-shop.carts
File: /manifests/01-carts-dep.yaml:2-51
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.sock-shop.carts
File: /manifests/01-carts-dep.yaml:2-51
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.sock-shop.carts
File: /manifests/01-carts-dep.yaml:2-51
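The checks Checkov reported above (allowPrivilegeEscalation, service-account token mount, missing securityContext, probes, seccomp) are simple to express as static rules over a manifest. The following is an added example, not Checkov's code: each rule is a simplified re-implementation labelled with the Checkov ID it corresponds to, and both manifests are constructed (the first approximates the sock-shop carts Deployment from the scan, the second is the same workload with each finding addressed).

```python
"""Static checks over a Kubernetes manifest, mirroring the classes of findings
Checkov reported for the carts Deployment. Added illustration, not Checkov's
code; rules are simplified and keyed by the matching Checkov ID."""
import json

# Constructed input with the same gaps the scan reported for the carts Deployment.
VULNERABLE_DEPLOYMENT = json.loads("""
{
  "apiVersion": "apps/v1",
  "kind": "Deployment",
  "metadata": {"name": "carts", "namespace": "sock-shop"},
  "spec": {"template": {"spec": {
    "containers": [{
      "name": "carts",
      "image": "weaveworksdemos/carts:0.4.8",
      "resources": {"limits": {"cpu": "300m", "memory": "500Mi"}}
    }]
  }}}
}""")

# Constructed hardened counterpart: the same workload with each finding addressed.
HARDENED_DEPLOYMENT = json.loads("""
{
  "apiVersion": "apps/v1",
  "kind": "Deployment",
  "metadata": {"name": "carts", "namespace": "sock-shop"},
  "spec": {"template": {"spec": {
    "automountServiceAccountToken": false,
    "securityContext": {"runAsNonRoot": true,
                        "seccompProfile": {"type": "RuntimeDefault"}},
    "containers": [{
      "name": "carts",
      "image": "weaveworksdemos/carts:0.4.8",
      "securityContext": {"allowPrivilegeEscalation": false},
      "livenessProbe": {"httpGet": {"path": "/health", "port": 80}},
      "readinessProbe": {"httpGet": {"path": "/health", "port": 80}},
      "resources": {"limits": {"cpu": "300m", "memory": "500Mi"}}
    }]
  }}}
}""")


def pod_spec(manifest):
    """Return the PodSpec of a bare Pod or of a workload that carries a pod template."""
    if manifest.get("kind") == "Pod":
        return manifest["spec"]
    return manifest["spec"]["template"]["spec"]


def check_manifest(manifest):
    """Return a list of (check_id, message) findings; an empty list means clean."""
    spec = pod_spec(manifest)
    findings = []
    # CKV_K8S_38: the token is mounted unless automountServiceAccountToken is explicitly false.
    if spec.get("automountServiceAccountToken") is not False:
        findings.append(("CKV_K8S_38", "service account token is auto-mounted into the pod"))
    pod_sc = spec.get("securityContext", {})
    pod_seccomp = pod_sc.get("seccompProfile", {}).get("type")
    for container in spec.get("containers", []) + spec.get("initContainers", []):
        name = container["name"]
        sc = container.get("securityContext")
        # CKV_K8S_29: a securityContext must exist at pod or container level.
        if sc is None and not pod_sc:
            findings.append(("CKV_K8S_29", f"{name}: no securityContext on pod or container"))
        sc = sc or {}
        # CKV_K8S_20: unset means escalation is allowed, so require an explicit false.
        if sc.get("allowPrivilegeEscalation") is not False:
            findings.append(("CKV_K8S_20", f"{name}: allowPrivilegeEscalation is not set to false"))
        # CKV_K8S_31: a container-level seccomp profile overrides the pod-level one.
        seccomp = sc.get("seccompProfile", {}).get("type", pod_seccomp)
        if seccomp != "RuntimeDefault":
            findings.append(("CKV_K8S_31", f"{name}: seccomp profile is not RuntimeDefault"))
        # CKV_K8S_8 / CKV_K8S_9: probes let the kubelet restart or stop routing to a bad container.
        if "livenessProbe" not in container:
            findings.append(("CKV_K8S_8", f"{name}: no livenessProbe"))
        if "readinessProbe" not in container:
            findings.append(("CKV_K8S_9", f"{name}: no readinessProbe"))
    return findings


if __name__ == "__main__":
    for label, manifest in (("vulnerable", VULNERABLE_DEPLOYMENT), ("hardened", HARDENED_DEPLOYMENT)):
        results = check_manifest(manifest)
        print(f"{label}: {len(results)} finding(s)")
        for check_id, message in results:
            print(f"  {check_id}: {message}")
```

The manifests are parsed from JSON so the script needs only the standard library; in a pipeline the same dicts come from `kubectl get -o json` or a YAML loader. Note that several rules test for an explicit `false`, because the Kubernetes defaults (token mounted, escalation allowed) are the insecure ones.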
BUILD
Container image scanning
Are there vulnerabilities or misconfigurations on the container image?
• Use Aqua Security Trivy
• Scan images for vulnerable packages
• Scan infrastructure-as-code for misconfigurations
$ trivy config manifests/01-carts-dep.yaml
2022-10-22T15:55:21.615Z INFO Misconfiguration scanning is enabled
2022-10-22T15:55:21.806Z INFO Detected config files: 1
01-carts-dep.yaml (kubernetes)
==============================
Tests: 79 (SUCCESSES: 74, FAILURES: 5, EXCEPTIONS: 0)
Failures: 5 (UNKNOWN: 0, LOW: 3, MEDIUM: 2, HIGH: 0, CRITICAL: 0)
MEDIUM: Container 'carts' of Deployment 'carts' should set 'securityContext.allowPrivilegeEscalation' to false
════════════════════════════════════════
A program inside the container can elevate its own privileges and run as root, which might give the program control over the container and node.
See https://avd.aquasec.com/misconfig/ksv001
────────────────────────────────────────
01-carts-dep.yaml:20-45
────────────────────────────────────────
  20 ┌ - name: carts
  21 │     image: weaveworksdemos/carts:0.4.8
  22 │     env:
  23 │       - name: JAVA_OPTS
  24 │         value: -Xms64m -Xmx128m -XX:+UseG1GC -Djava.security.egd=file:/dev/urandom -Dspring.zipkin.enabled=false
  25 │     resources:
  26 │       limits:
  27 │         cpu: 300m
  28 └         memory: 500Mi
..
────────────────────────────────────────
$ trivy image weaveworksdemos/carts:0.4.8 --no-progress
2022-10-22T15:48:40.726Z WARN This OS version is no longer supported by the distribution: alpine 3.4.6
2022-10-22T15:48:40.726Z WARN The vulnerability detection may be insufficient because security updates are not provided
weaveworksdemos/carts:0.4.8 (alpine 3.4.6)
==========================================
Total: 40 (UNKNOWN: 0, LOW: 0, MEDIUM: 23, HIGH: 13, CRITICAL: 4)
Library   Vulnerability   Severity  Installed Version  Fixed Version  Title
--------  --------------  --------  -----------------  -------------  -----------------------------------------------------------------
busybox   CVE-2017-16544  HIGH      1.24.2-r12         1.24.2-r13     busybox: Insufficient sanitization of filenames when autocompleting
                                                                      https://avd.aquasec.com/nvd/cve-2017-16544
busybox   CVE-2017-15873  MEDIUM    1.24.2-r12         1.24.2-r13     busybox: Integer overflow in the get_next_block function
                                                                      https://avd.aquasec.com/nvd/cve-2017-15873
freetype  CVE-2017-8105   CRITICAL  2.6.3-r0           2.6.3-r1       freetype: heap-based buffer overflow related to the t1_decoder_parse_charstrings
                                                                      https://avd.aquasec.com/nvd/cve-2017-8105
freetype  CVE-2017-8287   CRITICAL  2.6.3-r0           2.6.3-r1       freetype: heap-based buffer overflow related to the t1_builder_close_contour function
                                                                      https://avd.aquasec.com/nvd/cve-2017-8287
freetype  CVE-2016-10244  HIGH      2.6.3-r0           2.6.3-r1       freetype: parse_charstrings function in type1/t1load.c does not ensure that a font contains...
                                                                      https://avd.aquasec.com/nvd/cve-2016-10244
Are there vulnerabilities on the container image?
• Use Anchore Grype
• Scan images for vulnerable packages
• Finds some different vulnerabilities than Aqua Trivy
$ grype weaveworksdemos/carts:0.4.8
NAME      INSTALLED   FIXED-IN    TYPE  VULNERABILITY     SEVERITY
busybox   1.24.2-r12              apk   CVE-2021-42386    High
busybox   1.24.2-r12              apk   CVE-2018-1000500  High
busybox   1.24.2-r12              apk   CVE-2021-42379    High
busybox   1.24.2-r12              apk   CVE-2021-42381    High
busybox   1.24.2-r12              apk   CVE-2021-42384    High
busybox   1.24.2-r12  1.24.2-r13  apk   CVE-2017-15873    Medium
busybox   1.24.2-r12              apk   CVE-2018-1000517  Critical
busybox   1.24.2-r12              apk   CVE-2022-28391    High
busybox   1.24.2-r12              apk   CVE-2021-42385    High
busybox   1.24.2-r12              apk   CVE-2018-20679    High
busybox   1.24.2-r12              apk   CVE-2021-42378    High
busybox   1.24.2-r12              apk   CVE-2021-42376    Medium
busybox   1.24.2-r12  1.24.2-r13  apk   CVE-2017-16544    High
busybox   1.24.2-r12              apk   CVE-2019-5747     High
busybox   1.24.2-r12              apk   CVE-2015-9261     Medium
freetype  2.6.3-r0    2.6.3-r1    apk   CVE-2016-10244    High
freetype  2.6.3-r0                apk   CVE-2022-27404    Critical
freetype  2.6.3-r0                apk   CVE-2016-10328    Critical
freetype  2.6.3-r0                apk   CVE-2022-27405    High
freetype  2.6.3-r0                apk   CVE-2017-7857     Critical
freetype  2.6.3-r0    2.6.3-r1    apk   CVE-2017-8287     Critical
freetype  2.6.3-r0                apk   CVE-2017-7858     Critical
freetype  2.6.3-r0    2.6.3-r1    apk   CVE-2017-8105     Critical
freetype  2.6.3-r0                apk   CVE-2020-15999    Medium
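Because the two scanners disagree, a practical pipeline merges their results rather than picking one. The following is an added example, not Grype's or Trivy's code: GRYPE_OUTPUT is the `grype weaveworksdemos/carts:0.4.8` table from the slide above, TRIVY_FINDINGS is transcribed from the rows of the Trivy table shown earlier (only the excerpt on the slide, not all 40 of Trivy's findings), and the merge and build-gate logic is this example's own.

```python
"""Parse grype's table output, merge it with another scanner's findings by
(package, CVE), and decide which findings should block a build. Added
illustration; the scanner data is copied from the slides."""
from collections import namedtuple

Finding = namedtuple("Finding", "package installed fixed_in cve severity")

SEVERITY_RANK = {"UNKNOWN": 0, "NEGLIGIBLE": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# The grype table from the slide, verbatim.
GRYPE_OUTPUT = """\
NAME      INSTALLED   FIXED-IN    TYPE  VULNERABILITY     SEVERITY
busybox   1.24.2-r12              apk   CVE-2021-42386    High
busybox   1.24.2-r12              apk   CVE-2018-1000500  High
busybox   1.24.2-r12              apk   CVE-2021-42379    High
busybox   1.24.2-r12              apk   CVE-2021-42381    High
busybox   1.24.2-r12              apk   CVE-2021-42384    High
busybox   1.24.2-r12  1.24.2-r13  apk   CVE-2017-15873    Medium
busybox   1.24.2-r12              apk   CVE-2018-1000517  Critical
busybox   1.24.2-r12              apk   CVE-2022-28391    High
busybox   1.24.2-r12              apk   CVE-2021-42385    High
busybox   1.24.2-r12              apk   CVE-2018-20679    High
busybox   1.24.2-r12              apk   CVE-2021-42378    High
busybox   1.24.2-r12              apk   CVE-2021-42376    Medium
busybox   1.24.2-r12  1.24.2-r13  apk   CVE-2017-16544    High
busybox   1.24.2-r12              apk   CVE-2019-5747     High
busybox   1.24.2-r12              apk   CVE-2015-9261     Medium
freetype  2.6.3-r0    2.6.3-r1    apk   CVE-2016-10244    High
freetype  2.6.3-r0                apk   CVE-2022-27404    Critical
freetype  2.6.3-r0                apk   CVE-2016-10328    Critical
freetype  2.6.3-r0                apk   CVE-2022-27405    High
freetype  2.6.3-r0                apk   CVE-2017-7857     Critical
freetype  2.6.3-r0    2.6.3-r1    apk   CVE-2017-8287     Critical
freetype  2.6.3-r0                apk   CVE-2017-7858     Critical
freetype  2.6.3-r0    2.6.3-r1    apk   CVE-2017-8105     Critical
freetype  2.6.3-r0                apk   CVE-2020-15999    Medium
"""

# Transcribed from the Trivy table on the earlier slide (excerpt only).
TRIVY_FINDINGS = [
    Finding("busybox", "1.24.2-r12", "1.24.2-r13", "CVE-2017-16544", "HIGH"),
    Finding("busybox", "1.24.2-r12", "1.24.2-r13", "CVE-2017-15873", "MEDIUM"),
    Finding("freetype", "2.6.3-r0", "2.6.3-r1", "CVE-2017-8105", "CRITICAL"),
    Finding("freetype", "2.6.3-r0", "2.6.3-r1", "CVE-2017-8287", "CRITICAL"),
    Finding("freetype", "2.6.3-r0", "2.6.3-r1", "CVE-2016-10244", "HIGH"),
]


def parse_grype(text):
    """Parse grype's default table. FIXED-IN is blank when no fix is known,
    which leaves that row with five whitespace-separated columns instead of six."""
    findings = []
    for line in text.splitlines()[1:]:
        cols = line.split()
        if not cols:
            continue
        if len(cols) == 5:
            name, installed, _type, cve, severity = cols
            fixed_in = None
        elif len(cols) == 6:
            name, installed, fixed_in, _type, cve, severity = cols
        else:
            raise ValueError(f"unexpected grype row: {line!r}")
        findings.append(Finding(name, installed, fixed_in, cve, severity.upper()))
    return findings


def merge(*scanner_results):
    """Union by (package, CVE); keep the highest severity and any fixed version either scanner knows."""
    merged = {}
    for findings in scanner_results:
        for f in findings:
            key = (f.package, f.cve)
            if key not in merged:
                merged[key] = f
                continue
            old = merged[key]
            severity = max(old.severity, f.severity, key=SEVERITY_RANK.__getitem__)
            merged[key] = old._replace(fixed_in=old.fixed_in or f.fixed_in, severity=severity)
    return list(merged.values())


def only_in(first, second):
    """(package, CVE) pairs that only the first scanner reported."""
    def keys(findings):
        return {(f.package, f.cve) for f in findings}
    return keys(first) - keys(second)


def blocking(findings, min_severity="HIGH", fixable_only=True):
    """Findings that should fail a build: at or above min_severity and, by default,
    only those with a fixed version, since the rest cannot be removed by rebuilding."""
    floor = SEVERITY_RANK[min_severity]
    return [f for f in findings
            if SEVERITY_RANK[f.severity] >= floor and (f.fixed_in or not fixable_only)]


if __name__ == "__main__":
    grype = parse_grype(GRYPE_OUTPUT)
    merged = merge(grype, TRIVY_FINDINGS)
    print(f"grype: {len(grype)}, trivy excerpt: {len(TRIVY_FINDINGS)}, merged: {len(merged)}")
    print(f"only grype found: {len(only_in(grype, TRIVY_FINDINGS))}")
    for f in blocking(merged):
        print(f"BLOCK {f.severity:8} {f.package} {f.cve} (fix: {f.fixed_in})")
```

Gating on fixable findings first keeps the pipeline red only for problems a rebuild can actually fix; the unfixable ones still need tracking, which is what the SBOM monitoring below is for.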
BUILD
Software bill of materials (SBOM)
What components are in my application and container image?
• Use Anchore Syft
  • OS packages
  • Libraries
  • Frameworks
$ syft weaveworksdemos/carts:0.4.8 --output json --file carts-0.4.8.json
$ grype sbom:carts-0.4.8.json
NAME      INSTALLED   FIXED-IN    TYPE  VULNERABILITY     SEVERITY
busybox   1.24.2-r12              apk   CVE-2018-20679    High
busybox   1.24.2-r12              apk   CVE-2018-1000517  Critical
busybox   1.24.2-r12              apk   CVE-2021-42381    High
busybox   1.24.2-r12  1.24.2-r13  apk   CVE-2017-16544    High
busybox   1.24.2-r12  1.24.2-r13  apk   CVE-2017-15873    Medium
busybox   1.24.2-r12              apk   CVE-2021-42386    High
busybox   1.24.2-r12              apk   CVE-2021-42385    High
busybox   1.24.2-r12              apk   CVE-2019-5747     High
busybox   1.24.2-r12              apk   CVE-2021-42376    Medium
busybox   1.24.2-r12              apk   CVE-2018-1000500  High
busybox   1.24.2-r12              apk   CVE-2022-28391    High
busybox   1.24.2-r12              apk   CVE-2021-42378    High
busybox   1.24.2-r12              apk   CVE-2015-9261     Medium
busybox   1.24.2-r12              apk   CVE-2021-42384    High
busybox   1.24.2-r12              apk   CVE-2021-42379    High
freetype  2.6.3-r0    2.6.3-r1    apk   CVE-2016-10244    High
freetype  2.6.3-r0                apk   CVE-2022-27404    Critical
freetype  2.6.3-r0                apk   CVE-2016-10328    Critical
freetype  2.6.3-r0                apk   CVE-2022-27405    High
freetype  2.6.3-r0                apk   CVE-2017-7857     Critical
freetype  2.6.3-r0    2.6.3-r1    apk   CVE-2017-8287     Critical
...
$ syft weaveworksdemos/carts:0.4.8 --output cyclonedx-json --file carts-0.4.8-dx.json
BUILD
SBOM monitoring
Do any components have newly identified vulnerabilities?
• Use OWASP Dependency-Track
  • Track SBOMs
  • Identify vulnerabilities
  • Notifications
RUNTIME
Policy enforcement
Are my Kubernetes workloads and resources following my rules?
• Use Open Policy Agent
  • Admission controller (Gatekeeper)
  • Compliance rules
$ cat allowed.yaml
apiVersion: v1
kind: Pod
metadata:
  name: opa-allowed
spec:
  containers:
    - name: opa
      image: openpolicyagent/opa:0.9.2@sha256:04ff8fce2afd1a3bc26260348e5b290e8d945b1fad4b4c16d22834c2f3a1814a
      args:
        - "run"
        - "--server"
        - "--addr=localhost:8080"
$ kubectl apply -f allowed.yaml
pod/opa-allowed created
$ cat disallowed.yaml
apiVersion: v1
kind: Pod
metadata:
  name: opa-disallowed
spec:
  initContainers:
    - name: opainit
      image: openpolicyagent/opa:0.9.2
      args:
        - "run"
        - "--server"
        - "--addr=localhost:8080"
  containers:
    - name: opa
      image: openpolicyagent/opa:0.9.2
      args:
        - "run"
        - "--server"
        - "--addr=localhost:8080"
$ kubectl apply -f disallowed.yaml
Error from server (Forbidden): error when creating "disallowed.yaml": admission webhook "validation.gatekeeper.sh" denied the request: [container-image-must-have-digest] container <opa> uses an image without a digest <openpolicyagent/opa:0.9.2>
[container-image-must-have-digest] initContainer <opainit> uses an image without a digest <openpolicyagent/opa:0.9.2>
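What the API server actually exchanged with Gatekeeper above is an AdmissionReview request and response. The following is an added example, neither Gatekeeper nor its Rego constraint: it applies the same digest rule to a request the way a validating webhook handler would, checking initContainers as well as containers, which is why the denial on the slide lists both. The AdmissionReview envelope follows the admission.k8s.io/v1 API, the two Pods are the slide's allowed.yaml and disallowed.yaml, and the request UIDs are constructed.

```python
"""Image-digest validation in the shape of a validating admission webhook.
Added illustration; not Gatekeeper code. Pods come from the slides, the
request UIDs are constructed."""
import json
import re

# A pinned reference ends in '@sha256:' followed by a 64-hex-digit digest.
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")

ALLOWED_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "opa-allowed"},
    "spec": {"containers": [{
        "name": "opa",
        "image": "openpolicyagent/opa:0.9.2@sha256:04ff8fce2afd1a3bc26260348e5b290e8d945b1fad4b4c16d22834c2f3a1814a",
        "args": ["run", "--server", "--addr=localhost:8080"]}]}}

DISALLOWED_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "opa-disallowed"},
    "spec": {
        "initContainers": [{"name": "opainit", "image": "openpolicyagent/opa:0.9.2",
                            "args": ["run", "--server", "--addr=localhost:8080"]}],
        "containers": [{"name": "opa", "image": "openpolicyagent/opa:0.9.2",
                        "args": ["run", "--server", "--addr=localhost:8080"]}]}}


def image_violations(pod):
    """One Gatekeeper-style message per container or initContainer whose image is
    not pinned by digest. Containers are checked before initContainers, which
    gives the same message order as the denial on the slide."""
    spec = pod["spec"]
    messages = []
    for field, label in (("containers", "container"), ("initContainers", "initContainer")):
        for c in spec.get(field, []):
            if not DIGEST_RE.search(c["image"]):
                messages.append(f"[container-image-must-have-digest] {label} <{c['name']}> "
                                f"uses an image without a digest <{c['image']}>")
    return messages


def admission_request(uid, pod):
    """Wrap a Pod in the AdmissionReview the API server sends to a webhook (uid is constructed)."""
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
            "request": {"uid": uid, "operation": "CREATE",
                        "kind": {"group": "", "version": "v1", "kind": "Pod"},
                        "object": pod}}


def review(admission_review):
    """Validate the object in the request and build the AdmissionReview response.
    The response must echo the request uid or the API server rejects it."""
    request = admission_review["request"]
    messages = image_violations(request["object"])
    response = {"uid": request["uid"], "allowed": not messages}
    if messages:
        response["status"] = {"code": 403, "message": " ".join(messages)}
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview", "response": response}


if __name__ == "__main__":
    for uid, pod in (("uid-allowed-0001", ALLOWED_POD), ("uid-disallowed-0002", DISALLOWED_POD)):
        print(json.dumps(review(admission_request(uid, pod))["response"], indent=2))
```

The check is purely syntactic: it confirms the reference is pinned, not that the digest is the one the build produced, so it belongs alongside signature verification rather than in place of it.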
RUNTIME
Resource limits
Can a few containers hog too much memory or CPU?
• Set the resource requests and limits for memory and CPU
• Use Fairwinds Goldilocks
  • Watches loads
  • Makes request and limit recommendations
RUNTIME
Network isolation
Can Kubernetes resources reach others they don't need to?
• Use a service mesh or a CNI plugin that enforces NetworkPolicy
• Build a network policy
  • Network Policy editor
    • https://networkpolicy.io
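Answering "can this pod reach that one?" from the manifests, before they are applied, is the same evaluation a NetworkPolicy editor does visually. The following is an added example, not the Network Policy editor's code and not a complete implementation: it models podSelector/matchLabels and ports within a single namespace and ignores namespaceSelector, ipBlock and egress rules. The pods and policies are constructed, loosely following the front-end/carts/carts-db layout of the sock-shop deployment used in the scans above.

```python
"""A small evaluator for NetworkPolicy ingress semantics. Added illustration;
simplified to podSelector/matchLabels and ports in one namespace."""

# Constructed pods, identified by their labels as a NetworkPolicy would see them.
PODS = {
    "front-end": {"labels": {"name": "front-end"}},
    "carts": {"labels": {"name": "carts"}},
    "carts-db": {"labels": {"name": "carts-db"}},
}

# An empty podSelector selects every pod; no ingress rules means nothing is let in.
DEFAULT_DENY_INGRESS = {
    "metadata": {"name": "default-deny-ingress"},
    "spec": {"podSelector": {}, "policyTypes": ["Ingress"]},
}

ALLOW_FRONT_END_TO_CARTS = {
    "metadata": {"name": "carts-allow-front-end"},
    "spec": {"podSelector": {"matchLabels": {"name": "carts"}}, "policyTypes": ["Ingress"],
             "ingress": [{"from": [{"podSelector": {"matchLabels": {"name": "front-end"}}}],
                          "ports": [{"protocol": "TCP", "port": 80}]}]},
}

ALLOW_CARTS_TO_DB = {
    "metadata": {"name": "carts-db-allow-carts"},
    "spec": {"podSelector": {"matchLabels": {"name": "carts-db"}}, "policyTypes": ["Ingress"],
             "ingress": [{"from": [{"podSelector": {"matchLabels": {"name": "carts"}}}],
                          "ports": [{"protocol": "TCP", "port": 27017}]}]},
}

POLICIES = [DEFAULT_DENY_INGRESS, ALLOW_FRONT_END_TO_CARTS, ALLOW_CARTS_TO_DB]


def selects(selector, pod):
    """matchLabels semantics: every listed label must match; an empty selector matches all pods."""
    return all(pod["labels"].get(k) == v for k, v in selector.get("matchLabels", {}).items())


def ingress_allowed(policies, src, dst, port, protocol="TCP"):
    """True if src may open protocol/port to dst under the given policies."""
    applicable = [p for p in policies
                  if "Ingress" in p["spec"].get("policyTypes", ["Ingress"])
                  and selects(p["spec"]["podSelector"], dst)]
    if not applicable:
        return True  # no policy selects the destination: Kubernetes allows all ingress
    # Policies are additive: any matching rule in any applicable policy allows the connection.
    for policy in applicable:
        for rule in policy["spec"].get("ingress", []):
            peers, ports = rule.get("from"), rule.get("ports")
            # A missing/empty 'from' matches every source; a missing/empty 'ports' matches every port.
            peer_ok = not peers or any(selects(peer["podSelector"], src)
                                       for peer in peers if "podSelector" in peer)
            port_ok = not ports or any(p.get("port") == port and p.get("protocol", "TCP") == protocol
                                       for p in ports)
            if peer_ok and port_ok:
                return True
    return False


def reachability(policies, pods, port):
    """All (src, dst) pairs allowed to talk on a port; the pairs that are allowed
    but not needed are the ones a tighter policy should remove."""
    return sorted((s, d) for s in pods for d in pods
                  if s != d and ingress_allowed(policies, pods[s], pods[d], port))


if __name__ == "__main__":
    for port in (80, 27017):
        print(f"no policies, port {port}: {reachability([], PODS, port)}")
        print(f"with policies, port {port}: {reachability(POLICIES, PODS, port)}")
```

The default-deny policy is what turns the question around: without it, a pod that no policy selects accepts traffic from everything, so the two allow policies on their own would restrict nothing.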
RUNTIME
Monitor behavior
Are any workloads doing something unexpected on the system?
• Use Falco
• Watches system calls
  • Privilege escalation
  • Ownership and mode changes
  • Unexpected network connections
$ kubectl logs -n falco falco-zplnz
Sat Oct 22 19:53:03 2022: Falco version: 0.33.0 (x86_64)
Sat Oct 22 19:53:03 2022: Falco initialized with configuration file: /etc/falco/falco.yaml
Sat Oct 22 19:53:03 2022: Loading rules from file /etc/falco/falco_rules.yaml
Sat Oct 22 19:53:03 2022: Loading rules from file /etc/falco/falco_rules.local.yaml
Sat Oct 22 19:53:03 2022: The chosen syscall buffer dimension is: 8388608 bytes (8 MBs)
Sat Oct 22 19:53:03 2022: Starting health webserver with threadiness 2, listening on port 8765
Sat Oct 22 19:53:03 2022: Enabled event sources: syscall
Sat Oct 22 19:53:03 2022: Opening capture with Kernel module
19:53:09.668585724: Warning Docker or kubernetes client executed in container (user=<NA> user_loginuid=-1 k8s.ns=gatekeeper-system k8s.pod=gatekeeper-update-crds-hook-l5zr2 container=006eacc6d95b parent=<NA> cmdline=kubectl apply -f crds/ pid=13671 image=openpolicyagent/gatekeeper-crds:v3.10.0)
19:53:09.739647377: Notice Unexpected connection to K8s API Server from container (command=kubectl apply -f crds/ pid=13671 k8s.ns=gatekeeper-system k8s.pod=gatekeeper-update-crds-hook-l5zr2 container=006eacc6d95b image=openpolicyagent/gatekeeper-crds:v3.10.0 connection=192.168.34.30:45214->10.100.0.1:443)
19:53:21.068878529: Notice Unexpected connection to K8s API Server from container (command=manager --port=8443 --health-addr=:9090 --prometheus-port=8888 --logtostderr --log-denies=false --emit-admission-events=false --log-level=INFO --exempt-namespace=gatekeeper-system --operation=webhook --enable-external-data=false --enable-generator-resource-expansion=false --log-mutations=false --mutation-annotations=false --disable-cert-rotation=false --max-serving-threads=-1 --tls-min-version=1.3 --metrics-backend=prometheus --operation=mutation-webhook --disable-opa-builtin={http.send} pid=14628 k8s.ns=gatekeeper-system k8s.pod=gatekeeper-controller-manager-78b8774b7c-wknwm container=bb34633b4f13 image=openpolicyagent/gatekeeper:v3.10.0 connection=192.168.60.49:34346->10.100.0.1:443)
19:53:21.133021316: Notice Unexpected connection to K8s API Server from container (command=manager --audit-interval=60 --log-level=INFO --constraint-violations-limit=20 --audit-from-cache=false --audit-chunk-size=500 --audit-match-kind-only=false --emit-audit-events=false --operation=audit --operation=status --operation=mutation-status --logtostderr --health-addr=:9090 --prometheus-port=8888 --enable-external-data=false --enable-generator-resource-expansion=false --metrics-backend=prometheus --disable-cert-rotation=true pid=14691 k8s.ns=gatekeeper-system k8s.pod=gatekeeper-audit-9b7795dcf-tff44 container=c603d5981dea image=openpolicyagent/gatekeeper:v3.10.0 connection=192.168.62.41:58520->10.100.0.1:443)
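Every alert above is Gatekeeper's own components talking to the API server, which is expected; the value of Falco comes from separating those from alerts that are not. The following is an added example, not Falco's code: it parses Falco's text alerts into structured events (the `key=value` fields, including values that contain spaces) and applies an allowlist of rule/namespace pairs. The first three sample alerts are the gatekeeper-system lines from the slide, the startup line is also from the slide, and the last alert is constructed to show one from an application namespace that the allowlist does not cover.

```python
"""Parse Falco text alerts into dicts and triage them against an allowlist.
Added illustration, not Falco code. SAMPLE_ALERTS mixes slide output with one
constructed alert (the sock-shop one)."""
import re

# Falco text output: "<time>: <Priority> <rule output> (<key=value ...>)"
ALERT_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2}\.\d+): (?P<priority>\w+) (?P<rule>.+?) \((?P<fields>.*)\)$")
# Split the field list only at a space that starts a new key=value pair, so values with
# spaces (cmdline=kubectl apply -f crds/, command=manager --port=8443 ...) stay whole.
FIELD_SPLIT_RE = re.compile(r" (?=[A-Za-z][\w.]*=)")

SAMPLE_ALERTS = [
    "Sat Oct 22 19:53:03 2022: Enabled event sources: syscall",
    "19:53:09.668585724: Warning Docker or kubernetes client executed in container (user=<NA> "
    "user_loginuid=-1 k8s.ns=gatekeeper-system k8s.pod=gatekeeper-update-crds-hook-l5zr2 "
    "container=006eacc6d95b parent=<NA> cmdline=kubectl apply -f crds/ pid=13671 "
    "image=openpolicyagent/gatekeeper-crds:v3.10.0)",
    "19:53:09.739647377: Notice Unexpected connection to K8s API Server from container "
    "(command=kubectl apply -f crds/ pid=13671 k8s.ns=gatekeeper-system "
    "k8s.pod=gatekeeper-update-crds-hook-l5zr2 container=006eacc6d95b "
    "image=openpolicyagent/gatekeeper-crds:v3.10.0 connection=192.168.34.30:45214->10.100.0.1:443)",
    "19:53:21.068878529: Notice Unexpected connection to K8s API Server from container "
    "(command=manager --port=8443 --health-addr=:9090 --prometheus-port=8888 --logtostderr "
    "--log-denies=false --emit-admission-events=false --log-level=INFO "
    "--exempt-namespace=gatekeeper-system --operation=webhook --enable-external-data=false "
    "--enable-generator-resource-expansion=false --log-mutations=false --mutation-annotations=false "
    "--disable-cert-rotation=false --max-serving-threads=-1 --tls-min-version=1.3 "
    "--metrics-backend=prometheus --operation=mutation-webhook --disable-opa-builtin={http.send} "
    "pid=14628 k8s.ns=gatekeeper-system k8s.pod=gatekeeper-controller-manager-78b8774b7c-wknwm "
    "container=bb34633b4f13 image=openpolicyagent/gatekeeper:v3.10.0 "
    "connection=192.168.60.49:34346->10.100.0.1:443)",
    # Constructed: an application pod reaching the API server, which nothing in sock-shop should do.
    "19:57:44.102938475: Notice Unexpected connection to K8s API Server from container "
    "(command=java -Xms64m -Xmx128m -jar ./app.jar pid=31144 k8s.ns=sock-shop "
    "k8s.pod=carts-7d9b6c5f8d-q2xvn container=4d1e9a0b7c22 image=weaveworksdemos/carts:0.4.8 "
    "connection=192.168.71.12:51022->10.100.0.1:443)",
]

# Constructed allowlist: (rule, namespace) pairs that are legitimate in this cluster.
EXPECTED = {
    ("Unexpected connection to K8s API Server from container", "gatekeeper-system"),
    ("Docker or kubernetes client executed in container", "gatekeeper-system"),
}


def parse_alert(line):
    """Return a dict with time, priority, rule and every key=value field, or None
    when the line is not an alert (Falco's startup messages, for instance)."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    event = {"time": m.group("time"), "priority": m.group("priority"), "rule": m.group("rule")}
    for token in FIELD_SPLIT_RE.split(m.group("fields")):
        key, _, value = token.partition("=")
        event[key] = value
    if "connection" in event:  # "src:port->dst:port"
        event["src"], event["dst"] = event["connection"].split("->")
    return event


def triage(lines, expected=EXPECTED):
    """Parse every line and keep only the alerts the allowlist does not cover."""
    events = filter(None, map(parse_alert, lines))
    return [e for e in events if (e["rule"], e.get("k8s.ns")) not in expected]


if __name__ == "__main__":
    for e in triage(SAMPLE_ALERTS):
        print(f"{e['time']} {e['priority']} {e['rule']}: ns={e.get('k8s.ns')} "
              f"pod={e.get('k8s.pod')} dst={e.get('dst')}")
```

Allowlisting by rule and namespace rather than by rule alone keeps the API-server rule useful: system controllers are expected to call the API, application pods usually are not. In production the same logic is better expressed as Falco rule exceptions, but the parsed form is what you need to ship alerts to a SIEM.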
WRAP-UP
Key takeaways
• Enforce the principle of least privilege.
• Keep everything up to date.
• Scan your container images frequently, before and after deployment.
• Monitor your systems for expected and unexpected behavior.
• And disk space.
WRAP-UP
Reading list
Kubernetes Hardening Guidance, National Security Agency (NSA) and Cybersecurity and Infrastructure Security Agency (CISA). https://media.defense.gov/2021/Aug/03/2002820425/-1/-1/1/CTR_KUBERNETES%20HARDENING%20GUIDANCE.PDF
A Closer Look at NSA/CISA Kubernetes Hardening Guidance, Jim Angel, Pushkar Joglekar, and Savitha Raghunathan. https://kubernetes.io/blog/2021/10/05/nsa-cisa-kubernetes-hardening-guidance/
Kubernetes Security Technical Implementation Guide, Cybersecurity and Infrastructure Security Agency (CISA). https://public.cyber.mil/stigs/downloads/
CIS Kubernetes Benchmark, Center for Internet Security (CIS). https://www.cisecurity.org/benchmark/kubernetes/
WRAP-UP
Tools
Aqua Security kube-bench: https://github.com/aquasecurity/kube-bench
Checkov by Bridgecrew: https://github.com/bridgecrewio/checkov
Aqua Security Trivy: https://github.com/aquasecurity/trivy
Anchore Grype: https://github.com/anchore/grype
Anchore Syft: https://github.com/anchore/syft
OWASP Dependency-Track: https://dependencytrack.org
Open Policy Agent: https://www.openpolicyagent.org
Fairwinds Goldilocks: https://github.com/fairwindsops/goldilocks
Network Policy Editor: https://networkpolicy.io
Falco: https://falco.org
Questions?
Keeping your Kubernetes Cluster Secure
Gene Gotimer
 
Creative Solutions to Already Solved Problems II
Creative Solutions to Already Solved Problems IICreative Solutions to Already Solved Problems II
Creative Solutions to Already Solved Problems II
Gene Gotimer
 
Creative Solutions to Already Solved Problems
Creative Solutions to Already Solved ProblemsCreative Solutions to Already Solved Problems
Creative Solutions to Already Solved Problems
Gene Gotimer
 
Get to Green: How to Safely Refactor Legacy Code
Get to Green: How to Safely Refactor Legacy CodeGet to Green: How to Safely Refactor Legacy Code
Get to Green: How to Safely Refactor Legacy Code
Gene Gotimer
 
DevOps for Leadership
DevOps for LeadershipDevOps for Leadership
DevOps for Leadership
Gene Gotimer
 
Pyramid Discussion: DevOps Adoption in Large, Slow Organizations
Pyramid Discussion: DevOps Adoption in Large, Slow OrganizationsPyramid Discussion: DevOps Adoption in Large, Slow Organizations
Pyramid Discussion: DevOps Adoption in Large, Slow Organizations
Gene Gotimer
 
A better faster pipeline for software delivery, even in the government
A better faster pipeline for software delivery, even in the governmentA better faster pipeline for software delivery, even in the government
A better faster pipeline for software delivery, even in the government
Gene Gotimer
 
Building the Pipeline of My Dreams
Building the Pipeline of My DreamsBuilding the Pipeline of My Dreams
Building the Pipeline of My Dreams
Gene Gotimer
 
Tests Your Pipeline Might Be Missing
Tests Your Pipeline Might Be MissingTests Your Pipeline Might Be Missing
Tests Your Pipeline Might Be Missing
Gene Gotimer
 
A Definition of Done for DevSecOps
A Definition of Done for DevSecOpsA Definition of Done for DevSecOps
A Definition of Done for DevSecOps
Gene Gotimer
 
A Better, Faster Pipeline for Software Delivery
A Better, Faster Pipeline for Software DeliveryA Better, Faster Pipeline for Software Delivery
A Better, Faster Pipeline for Software Delivery
Gene Gotimer
 
Open Source Security Tools for the Pipeline
Open Source Security Tools for the PipelineOpen Source Security Tools for the Pipeline
Open Source Security Tools for the Pipeline
Gene Gotimer
 
Which Development Metrics Should I Watch?
Which Development Metrics Should I Watch?Which Development Metrics Should I Watch?
Which Development Metrics Should I Watch?
Gene Gotimer
 
Add Security Testing Tools to Your Delivery Pipeline
Add Security Testing Tools to Your Delivery PipelineAdd Security Testing Tools to Your Delivery Pipeline
Add Security Testing Tools to Your Delivery Pipeline
Gene Gotimer
 

More from Gene Gotimer (20)

KCDC- Keeping Secrets Out of Your Pipeline
KCDC- Keeping Secrets Out of Your PipelineKCDC- Keeping Secrets Out of Your Pipeline
KCDC- Keeping Secrets Out of Your Pipeline
 
How Fast Is My App? Performance Testing 101
How Fast Is My App? Performance Testing 101How Fast Is My App? Performance Testing 101
How Fast Is My App? Performance Testing 101
 
How I Learned to Stop Worrying and Love Legacy Code
How I Learned to Stop Worrying and Love Legacy CodeHow I Learned to Stop Worrying and Love Legacy Code
How I Learned to Stop Worrying and Love Legacy Code
 
Ten Ways To Doom Your DevOps
Ten Ways To Doom Your DevOpsTen Ways To Doom Your DevOps
Ten Ways To Doom Your DevOps
 
Keeping your Kubernetes Cluster Secure
Keeping your Kubernetes Cluster SecureKeeping your Kubernetes Cluster Secure
Keeping your Kubernetes Cluster Secure
 
Explain DevOps To Me Like I’m Five: DevOps for Managers
Explain DevOps To Me Like I’m Five: DevOps for ManagersExplain DevOps To Me Like I’m Five: DevOps for Managers
Explain DevOps To Me Like I’m Five: DevOps for Managers
 
Keeping your Kubernetes Cluster Secure
Keeping your Kubernetes Cluster SecureKeeping your Kubernetes Cluster Secure
Keeping your Kubernetes Cluster Secure
 
Creative Solutions to Already Solved Problems II
Creative Solutions to Already Solved Problems IICreative Solutions to Already Solved Problems II
Creative Solutions to Already Solved Problems II
 
Creative Solutions to Already Solved Problems
Creative Solutions to Already Solved ProblemsCreative Solutions to Already Solved Problems
Creative Solutions to Already Solved Problems
 
Get to Green: How to Safely Refactor Legacy Code
Get to Green: How to Safely Refactor Legacy CodeGet to Green: How to Safely Refactor Legacy Code
Get to Green: How to Safely Refactor Legacy Code
 
DevOps for Leadership
DevOps for LeadershipDevOps for Leadership
DevOps for Leadership
 
Pyramid Discussion: DevOps Adoption in Large, Slow Organizations
Pyramid Discussion: DevOps Adoption in Large, Slow OrganizationsPyramid Discussion: DevOps Adoption in Large, Slow Organizations
Pyramid Discussion: DevOps Adoption in Large, Slow Organizations
 
A better faster pipeline for software delivery, even in the government
A better faster pipeline for software delivery, even in the governmentA better faster pipeline for software delivery, even in the government
A better faster pipeline for software delivery, even in the government
 
Building the Pipeline of My Dreams
Building the Pipeline of My DreamsBuilding the Pipeline of My Dreams
Building the Pipeline of My Dreams
 
Tests Your Pipeline Might Be Missing
Tests Your Pipeline Might Be MissingTests Your Pipeline Might Be Missing
Tests Your Pipeline Might Be Missing
 
A Definition of Done for DevSecOps
A Definition of Done for DevSecOpsA Definition of Done for DevSecOps
A Definition of Done for DevSecOps
 
A Better, Faster Pipeline for Software Delivery
A Better, Faster Pipeline for Software DeliveryA Better, Faster Pipeline for Software Delivery
A Better, Faster Pipeline for Software Delivery
 
Open Source Security Tools for the Pipeline
Open Source Security Tools for the PipelineOpen Source Security Tools for the Pipeline
Open Source Security Tools for the Pipeline
 
Which Development Metrics Should I Watch?
Which Development Metrics Should I Watch?Which Development Metrics Should I Watch?
Which Development Metrics Should I Watch?
 
Add Security Testing Tools to Your Delivery Pipeline
Add Security Testing Tools to Your Delivery PipelineAdd Security Testing Tools to Your Delivery Pipeline
Add Security Testing Tools to Your Delivery Pipeline
 

Recently uploaded

What is OCR Technology and How to Extract Text from Any Image for Free
What is OCR Technology and How to Extract Text from Any Image for FreeWhat is OCR Technology and How to Extract Text from Any Image for Free
What is OCR Technology and How to Extract Text from Any Image for Free
TwisterTools
 
COMPSAC 2024 D&I Panel: Charting a Course for Equity: Strategies for Overcomi...
COMPSAC 2024 D&I Panel: Charting a Course for Equity: Strategies for Overcomi...COMPSAC 2024 D&I Panel: Charting a Course for Equity: Strategies for Overcomi...
COMPSAC 2024 D&I Panel: Charting a Course for Equity: Strategies for Overcomi...
Hironori Washizaki
 
Attendance Tracking From Paper To Digital
Attendance Tracking From Paper To DigitalAttendance Tracking From Paper To Digital
Attendance Tracking From Paper To Digital
Task Tracker
 
WEBINAR SLIDES: CCX for Cloud Service Providers
WEBINAR SLIDES: CCX for Cloud Service ProvidersWEBINAR SLIDES: CCX for Cloud Service Providers
WEBINAR SLIDES: CCX for Cloud Service Providers
Severalnines
 
一比一原版英国牛津大学毕业证(oxon毕业证书)如何办理
一比一原版英国牛津大学毕业证(oxon毕业证书)如何办理一比一原版英国牛津大学毕业证(oxon毕业证书)如何办理
一比一原版英国牛津大学毕业证(oxon毕业证书)如何办理
avufu
 
Addressing the Top 9 User Pain Points with Visual Design Elements.pptx
Addressing the Top 9 User Pain Points with Visual Design Elements.pptxAddressing the Top 9 User Pain Points with Visual Design Elements.pptx
Addressing the Top 9 User Pain Points with Visual Design Elements.pptx
Sparity1
 
Discover the Power of ONEMONITAR: The Ultimate Mobile Spy App for Android Dev...
Discover the Power of ONEMONITAR: The Ultimate Mobile Spy App for Android Dev...Discover the Power of ONEMONITAR: The Ultimate Mobile Spy App for Android Dev...
Discover the Power of ONEMONITAR: The Ultimate Mobile Spy App for Android Dev...
onemonitarsoftware
 
NYC 26-Jun-2024 Combined Presentations.pdf
NYC 26-Jun-2024 Combined Presentations.pdfNYC 26-Jun-2024 Combined Presentations.pdf
NYC 26-Jun-2024 Combined Presentations.pdf
AUGNYC
 
ThaiPy meetup - Indexes and Django
ThaiPy meetup - Indexes and DjangoThaiPy meetup - Indexes and Django
ThaiPy meetup - Indexes and Django
akshesh doshi
 
Wired_2.0_Create_AmsterdamJUG_09072024.pptx
Wired_2.0_Create_AmsterdamJUG_09072024.pptxWired_2.0_Create_AmsterdamJUG_09072024.pptx
Wired_2.0_Create_AmsterdamJUG_09072024.pptx
SimonedeGijt
 
A Comparative Analysis of Functional and Non-Functional Testing.pdf
A Comparative Analysis of Functional and Non-Functional Testing.pdfA Comparative Analysis of Functional and Non-Functional Testing.pdf
A Comparative Analysis of Functional and Non-Functional Testing.pdf
kalichargn70th171
 
Migrate your Infrastructure to the AWS Cloud
Migrate your Infrastructure to the AWS CloudMigrate your Infrastructure to the AWS Cloud
Migrate your Infrastructure to the AWS Cloud
Ortus Solutions, Corp
 
FAST Channels: Explosive Growth Forecast 2024-2027 (Buckle Up!)
FAST Channels: Explosive Growth Forecast 2024-2027 (Buckle Up!)FAST Channels: Explosive Growth Forecast 2024-2027 (Buckle Up!)
FAST Channels: Explosive Growth Forecast 2024-2027 (Buckle Up!)
Roshan Dwivedi
 
Leading Project Management Tool Taskruop.pptx
Leading Project Management Tool Taskruop.pptxLeading Project Management Tool Taskruop.pptx
Leading Project Management Tool Taskruop.pptx
taskroupseo
 
Top 10 Tips To Get Google AdSense For Your Website
Top 10 Tips To Get Google AdSense For Your WebsiteTop 10 Tips To Get Google AdSense For Your Website
Top 10 Tips To Get Google AdSense For Your Website
e-Definers Technology
 
dachnug51 - Whats new in domino 14 .pdf
dachnug51 - Whats new in domino 14  .pdfdachnug51 - Whats new in domino 14  .pdf
dachnug51 - Whats new in domino 14 .pdf
DNUG e.V.
 
dachnug51 - All you ever wanted to know about domino licensing.pdf
dachnug51 - All you ever wanted to know about domino licensing.pdfdachnug51 - All you ever wanted to know about domino licensing.pdf
dachnug51 - All you ever wanted to know about domino licensing.pdf
DNUG e.V.
 
Ported to Cloud with Wing_ Blue ZnZone app from _Hexagonal Architecture Expla...
Ported to Cloud with Wing_ Blue ZnZone app from _Hexagonal Architecture Expla...Ported to Cloud with Wing_ Blue ZnZone app from _Hexagonal Architecture Expla...
Ported to Cloud with Wing_ Blue ZnZone app from _Hexagonal Architecture Expla...
Asher Sterkin
 
Google ML-Kit - Understanding on-device machine learning
Google ML-Kit - Understanding on-device machine learningGoogle ML-Kit - Understanding on-device machine learning
Google ML-Kit - Understanding on-device machine learning
VishrutGoyani1
 
Development of Chatbot Using AI\ML Technologies
Development of Chatbot Using AI\ML TechnologiesDevelopment of Chatbot Using AI\ML Technologies
Development of Chatbot Using AI\ML Technologies
MaisnamLuwangPibarel
 

Recently uploaded (20)

What is OCR Technology and How to Extract Text from Any Image for Free
What is OCR Technology and How to Extract Text from Any Image for FreeWhat is OCR Technology and How to Extract Text from Any Image for Free
What is OCR Technology and How to Extract Text from Any Image for Free
 
COMPSAC 2024 D&I Panel: Charting a Course for Equity: Strategies for Overcomi...
COMPSAC 2024 D&I Panel: Charting a Course for Equity: Strategies for Overcomi...COMPSAC 2024 D&I Panel: Charting a Course for Equity: Strategies for Overcomi...
COMPSAC 2024 D&I Panel: Charting a Course for Equity: Strategies for Overcomi...
 
Attendance Tracking From Paper To Digital
Attendance Tracking From Paper To DigitalAttendance Tracking From Paper To Digital
Attendance Tracking From Paper To Digital
 
WEBINAR SLIDES: CCX for Cloud Service Providers
WEBINAR SLIDES: CCX for Cloud Service ProvidersWEBINAR SLIDES: CCX for Cloud Service Providers
WEBINAR SLIDES: CCX for Cloud Service Providers
 
一比一原版英国牛津大学毕业证(oxon毕业证书)如何办理
一比一原版英国牛津大学毕业证(oxon毕业证书)如何办理一比一原版英国牛津大学毕业证(oxon毕业证书)如何办理
一比一原版英国牛津大学毕业证(oxon毕业证书)如何办理
 
Addressing the Top 9 User Pain Points with Visual Design Elements.pptx
Addressing the Top 9 User Pain Points with Visual Design Elements.pptxAddressing the Top 9 User Pain Points with Visual Design Elements.pptx
Addressing the Top 9 User Pain Points with Visual Design Elements.pptx
 
Discover the Power of ONEMONITAR: The Ultimate Mobile Spy App for Android Dev...
Discover the Power of ONEMONITAR: The Ultimate Mobile Spy App for Android Dev...Discover the Power of ONEMONITAR: The Ultimate Mobile Spy App for Android Dev...
Discover the Power of ONEMONITAR: The Ultimate Mobile Spy App for Android Dev...
 
NYC 26-Jun-2024 Combined Presentations.pdf
NYC 26-Jun-2024 Combined Presentations.pdfNYC 26-Jun-2024 Combined Presentations.pdf
NYC 26-Jun-2024 Combined Presentations.pdf
 
ThaiPy meetup - Indexes and Django
ThaiPy meetup - Indexes and DjangoThaiPy meetup - Indexes and Django
ThaiPy meetup - Indexes and Django
 
Wired_2.0_Create_AmsterdamJUG_09072024.pptx
Wired_2.0_Create_AmsterdamJUG_09072024.pptxWired_2.0_Create_AmsterdamJUG_09072024.pptx
Wired_2.0_Create_AmsterdamJUG_09072024.pptx
 
A Comparative Analysis of Functional and Non-Functional Testing.pdf
A Comparative Analysis of Functional and Non-Functional Testing.pdfA Comparative Analysis of Functional and Non-Functional Testing.pdf
A Comparative Analysis of Functional and Non-Functional Testing.pdf
 
Migrate your Infrastructure to the AWS Cloud
Migrate your Infrastructure to the AWS CloudMigrate your Infrastructure to the AWS Cloud
Migrate your Infrastructure to the AWS Cloud
 
FAST Channels: Explosive Growth Forecast 2024-2027 (Buckle Up!)
FAST Channels: Explosive Growth Forecast 2024-2027 (Buckle Up!)FAST Channels: Explosive Growth Forecast 2024-2027 (Buckle Up!)
FAST Channels: Explosive Growth Forecast 2024-2027 (Buckle Up!)
 
Leading Project Management Tool Taskruop.pptx
Leading Project Management Tool Taskruop.pptxLeading Project Management Tool Taskruop.pptx
Leading Project Management Tool Taskruop.pptx
 
Top 10 Tips To Get Google AdSense For Your Website
Top 10 Tips To Get Google AdSense For Your WebsiteTop 10 Tips To Get Google AdSense For Your Website
Top 10 Tips To Get Google AdSense For Your Website
 
dachnug51 - Whats new in domino 14 .pdf
dachnug51 - Whats new in domino 14  .pdfdachnug51 - Whats new in domino 14  .pdf
dachnug51 - Whats new in domino 14 .pdf
 
dachnug51 - All you ever wanted to know about domino licensing.pdf
dachnug51 - All you ever wanted to know about domino licensing.pdfdachnug51 - All you ever wanted to know about domino licensing.pdf
dachnug51 - All you ever wanted to know about domino licensing.pdf
 
Ported to Cloud with Wing_ Blue ZnZone app from _Hexagonal Architecture Expla...
Ported to Cloud with Wing_ Blue ZnZone app from _Hexagonal Architecture Expla...Ported to Cloud with Wing_ Blue ZnZone app from _Hexagonal Architecture Expla...
Ported to Cloud with Wing_ Blue ZnZone app from _Hexagonal Architecture Expla...
 
Google ML-Kit - Understanding on-device machine learning
Google ML-Kit - Understanding on-device machine learningGoogle ML-Kit - Understanding on-device machine learning
Google ML-Kit - Understanding on-device machine learning
 
Development of Chatbot Using AI\ML Technologies
Development of Chatbot Using AI\ML TechnologiesDevelopment of Chatbot Using AI\ML Technologies
Development of Chatbot Using AI\ML Technologies
 

Keeping Your Kubernetes Cluster Secure

  • 1. Keeping your Kubernetes Cluster Secure
    Gene Gotimer
    @OtherDevOpsGene
    WEDNESDAY, NOVEMBER 2, 2022
  • 2. KUBERNETES SECURITY: Layers
    • Infrastructure
      • Hosts
      • Cluster
    • Build
      • Application
      • Container images
      • Deployment code
    • Runtime
      • Policies
      • Resources
      • Network
      • System calls and interaction
  • 4. INFRASTRUCTURE: Hardening
    Kubernetes Hardening Guidance, National Security Agency (NSA) and Cybersecurity and Infrastructure Security Agency (CISA).
    • Start with the kubernetes.io article
    Kubernetes Security Technical Implementation Guide, Cybersecurity and Infrastructure Security Agency (CISA).
    • Start with the stigviewer.com client.
    CIS Kubernetes Benchmark, Center for Internet Security (CIS), non-government, non-profit.
    https://www.cisecurity.org/benchmark/kubernetes/
  • 5. INFRASTRUCTURE: Cluster configuration
    Is my Kubernetes cluster installed and configured properly?
    • Use Aqua kube-bench
    • May not apply to master nodes
  • 6. INFRASTRUCTURE: Cluster configuration
    $ kubectl logs kube-bench-kc82n
    [INFO] 3 Worker Node Security Configuration
    [INFO] 3.1 Worker Node Configuration Files
    [PASS] 3.1.1 Ensure that the kubeconfig file permissions are set to 644 or more restrictive (Manual)
    [PASS] 3.1.2 Ensure that the kubelet kubeconfig file ownership is set to root:root (Manual)
    [PASS] 3.1.3 Ensure that the kubelet configuration file has permissions set to 644 or more restrictive (Manual)
    [PASS] 3.1.4 Ensure that the kubelet configuration file ownership is set to root:root (Manual)
    [INFO] 3.2 Kubelet
    [PASS] 3.2.1 Ensure that the --anonymous-auth argument is set to false (Automated)
    [PASS] 3.2.2 Ensure that the --authorization-mode argument is not set to AlwaysAllow (Automated)
    [PASS] 3.2.3 Ensure that the --client-ca-file argument is set as appropriate (Manual)
    [PASS] 3.2.4 Ensure that the --read-only-port argument is set to 0 (Manual)
    [PASS] 3.2.5 Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Manual)
    [PASS] 3.2.6 Ensure that the --protect-kernel-defaults argument is set to true (Automated)
    [PASS] 3.2.7 Ensure that the --make-iptables-util-chains argument is set to true (Automated)
    [PASS] 3.2.8 Ensure that the --hostname-override argument is not set (Manual)
    [WARN] 3.2.9 Ensure that the --eventRecordQPS argument is set to 0 or a level which ensures appropriate event capture (Automated)
    [PASS] 3.2.10 Ensure that the --rotate-certificates argument is not set to false (Manual)
    [PASS] 3.2.11 Ensure that the RotateKubeletServerCertificate argument is set to true (Manual)
    [INFO] 3.3 Container Optimized OS
    [WARN] 3.3.1 Prefer using Container-Optimized OS when possible (Manual)
  • 8. BUILD: Static code analysis
    Are resources configured properly?
    • Use Checkov by Bridgecrew
    • Scans source code for
      • Dockerfiles
      • Kubernetes manifests
      • Terraform
  • 9. BUILD: Static code analysis
    $ checkov -d manifests --quiet --compact
    kubernetes scan results:
    Passed checks: 1066, Failed checks: 166, Skipped checks: 0
    Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
      FAILED for resource: Deployment.sock-shop.carts
      File: /manifests/01-carts-dep.yaml:2-51
    Check: CKV_K8S_43: "Image should use digest"
      FAILED for resource: Deployment.sock-shop.carts
      File: /manifests/01-carts-dep.yaml:2-51
    Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
      FAILED for resource: Deployment.sock-shop.carts
      File: /manifests/01-carts-dep.yaml:2-51
    Check: CKV_K8S_29: "Apply security context to your pods and containers"
      FAILED for resource: Deployment.sock-shop.carts
      File: /manifests/01-carts-dep.yaml:2-51
    Check: CKV_K8S_8: "Liveness Probe Should be Configured"
      FAILED for resource: Deployment.sock-shop.carts
      File: /manifests/01-carts-dep.yaml:2-51
    Check: CKV_K8S_9: "Readiness Probe Should be Configured"
      FAILED for resource: Deployment.sock-shop.carts
      File: /manifests/01-carts-dep.yaml:2-51
    Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
      FAILED for resource: Deployment.sock-shop.carts
      File: /manifests/01-carts-dep.yaml:2-51
  • 10. BUILD: Container image scanning
    Are there vulnerabilities or misconfigurations on the container image?
    • Use Aqua Security Trivy
    • Scan images for vulnerable packages
    • Scan infrastructure-as-code for misconfigurations
  • 11. BUILD: Container image scanning
    $ trivy config manifests/01-carts-dep.yaml
    2022-10-22T15:55:21.615Z INFO Misconfiguration scanning is enabled
    2022-10-22T15:55:21.806Z INFO Detected config files: 1
    01-carts-dep.yaml (kubernetes)
    ==============================
    Tests: 79 (SUCCESSES: 74, FAILURES: 5, EXCEPTIONS: 0)
    Failures: 5 (UNKNOWN: 0, LOW: 3, MEDIUM: 2, HIGH: 0, CRITICAL: 0)
    MEDIUM: Container 'carts' of Deployment 'carts' should set 'securityContext.allowPrivilegeEscalation' to false
    ════════════════════════════════════════
    A program inside the container can elevate its own privileges and run as root, which might give the program control over the container and node.
    See https://avd.aquasec.com/misconfig/ksv001
    ────────────────────────────────────────
    01-carts-dep.yaml:20-45
    ────────────────────────────────────────
    20 ┌ - name: carts
    21 │   image: weaveworksdemos/carts:0.4.8
    22 │   env:
    23 │     - name: JAVA_OPTS
    24 │       value: -Xms64m -Xmx128m -XX:+UseG1GC -Djava.security.egd=file:/dev/urandom -Dspring.zipkin.enabled=false
    25 │   resources:
    26 │     limits:
    27 │       cpu: 300m
    28 └       memory: 500Mi
    ..
    ────────────────────────────────────────
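A hardened carts Deployment that fixes every finding Checkov (slide 9) and Trivy (slide 11) raised against 01-carts-dep.yaml: CKV_K8S_20/KSV001, CKV_K8S_43, CKV_K8S_38, CKV_K8S_29, CKV_K8S_8, CKV_K8S_9 and CKV_K8S_31. This is an added example, not the sock-shop project's own manifest; the image digest is a placeholder, and the container port, /health probe path, uid 10001 and the resource requests are assumptions you must check against the image.

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: carts
  namespace: sock-shop
spec:
  replicas: 1
  selector:
    matchLabels:
      name: carts
  template:
    metadata:
      labels:
        name: carts
    spec:
      # CKV_K8S_38: carts never talks to the API server, so do not hand it a token.
      automountServiceAccountToken: false
      securityContext:
        # CKV_K8S_31: runtime/default seccomp at pod level, inherited by every container.
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: carts
          # CKV_K8S_43: pin the digest so the bytes cannot change underneath the tag.
          # PLACEHOLDER: substitute the digest of the image you scanned and approved.
          image: weaveworksdemos/carts:0.4.8@sha256:PLACEHOLDER_DIGEST_OF_APPROVED_IMAGE
          env:
            - name: JAVA_OPTS
              value: -Xms64m -Xmx128m -XX:+UseG1GC -Djava.security.egd=file:/dev/urandom -Dspring.zipkin.enabled=false
          ports:
            - containerPort: 80        # assumption: carts listens on 80
          resources:
            requests:                  # assumption; tune with Goldilocks recommendations
              cpu: 100m
              memory: 200Mi
            limits:
              cpu: 300m
              memory: 500Mi
          # CKV_K8S_29 + CKV_K8S_20/KSV001: explicit least-privilege security context.
          securityContext:
            allowPrivilegeEscalation: false
            runAsNonRoot: true
            runAsUser: 10001           # assumption: uid that exists in the image
            readOnlyRootFilesystem: true
            capabilities:
              drop: ["ALL"]
          # CKV_K8S_8: restart a wedged JVM; CKV_K8S_9: no traffic until it answers.
          livenessProbe:
            httpGet:
              path: /health            # assumption: Spring Boot style health endpoint
              port: 80
            initialDelaySeconds: 300
            periodSeconds: 10
          readinessProbe:
            httpGet:
              path: /health
              port: 80
            initialDelaySeconds: 30
            periodSeconds: 5
          volumeMounts:
            - name: tmp
              mountPath: /tmp          # the JVM needs a writable /tmp once the root fs is read-only
      volumes:
        - name: tmp
          emptyDir: {}
```

Re-run `checkov -d manifests --quiet --compact` and `trivy config` after the change; both should drop the seven findings above for Deployment.sock-shop.carts.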
  • 12. BUILD: Container image scanning
    $ trivy image weaveworksdemos/carts:0.4.8 --no-progress
    2022-10-22T15:48:40.726Z WARN This OS version is no longer supported by the distribution: alpine 3.4.6
    2022-10-22T15:48:40.726Z WARN The vulnerability detection may be insufficient because security updates are not provided
    weaveworksdemos/carts:0.4.8 (alpine 3.4.6)
    ==========================================
    Total: 40 (UNKNOWN: 0, LOW: 0, MEDIUM: 23, HIGH: 13, CRITICAL: 4)
    Library   Vulnerability    Severity  Installed Version  Fixed Version  Title
    busybox   CVE-2017-16544   HIGH      1.24.2-r12         1.24.2-r13     busybox: Insufficient sanitization of filenames when autocompleting
                                                                           https://avd.aquasec.com/nvd/cve-2017-16544
              CVE-2017-15873   MEDIUM                                      busybox: Integer overflow in the get_next_block function
                                                                           https://avd.aquasec.com/nvd/cve-2017-15873
    freetype  CVE-2017-8105    CRITICAL  2.6.3-r0           2.6.3-r1       freetype: heap-based buffer overflow related to the t1_decoder_parse_charstrings
                                                                           https://avd.aquasec.com/nvd/cve-2017-8105
              CVE-2017-8287    CRITICAL                                    freetype: heap-based buffer overflow related to the t1_builder_close_contour function
                                                                           https://avd.aquasec.com/nvd/cve-2017-8287
              CVE-2016-10244   HIGH                                        freetype: parse_charstrings function in type1/t1load.c does not ensure that a font contains...
                                                                           https://avd.aquasec.com/nvd/cve-2016-10244
  • 13. BUILD: Container image scanning
    Are there vulnerabilities on the container image?
    • Use Anchore Grype
    • Scan images for vulnerable packages
    • Finds some different vulnerabilities than Aqua Trivy
  • 14. BUILD: Container image scanning
    $ grype weaveworksdemos/carts:0.4.8
    NAME      INSTALLED   FIXED-IN    TYPE  VULNERABILITY     SEVERITY
    busybox   1.24.2-r12              apk   CVE-2021-42386    High
    busybox   1.24.2-r12              apk   CVE-2018-1000500  High
    busybox   1.24.2-r12              apk   CVE-2021-42379    High
    busybox   1.24.2-r12              apk   CVE-2021-42381    High
    busybox   1.24.2-r12              apk   CVE-2021-42384    High
    busybox   1.24.2-r12  1.24.2-r13  apk   CVE-2017-15873    Medium
    busybox   1.24.2-r12              apk   CVE-2018-1000517  Critical
    busybox   1.24.2-r12              apk   CVE-2022-28391    High
    busybox   1.24.2-r12              apk   CVE-2021-42385    High
    busybox   1.24.2-r12              apk   CVE-2018-20679    High
    busybox   1.24.2-r12              apk   CVE-2021-42378    High
    busybox   1.24.2-r12              apk   CVE-2021-42376    Medium
    busybox   1.24.2-r12  1.24.2-r13  apk   CVE-2017-16544    High
    busybox   1.24.2-r12              apk   CVE-2019-5747     High
    busybox   1.24.2-r12              apk   CVE-2015-9261     Medium
    freetype  2.6.3-r0    2.6.3-r1    apk   CVE-2016-10244    High
    freetype  2.6.3-r0                apk   CVE-2022-27404    Critical
    freetype  2.6.3-r0                apk   CVE-2016-10328    Critical
    freetype  2.6.3-r0                apk   CVE-2022-27405    High
    freetype  2.6.3-r0                apk   CVE-2017-7857     Critical
    freetype  2.6.3-r0    2.6.3-r1    apk   CVE-2017-8287     Critical
    freetype  2.6.3-r0                apk   CVE-2017-7858     Critical
    freetype  2.6.3-r0    2.6.3-r1    apk   CVE-2017-8105     Critical
    freetype  2.6.3-r0                apk   CVE-2020-15999    Medium
  • 15. BUILD: Software bill of materials (SBOM)
    What components are in my application and container image?
    • Use Anchore Syft
    • OS packages
    • Libraries
    • Frameworks
  • 16. BUILD: Software bill of materials (SBOM)
    $ syft weaveworksdemos/carts:0.4.8 --output json --file carts-0.4.8.json
    $ grype sbom:carts-0.4.8.json
    NAME      INSTALLED   FIXED-IN    TYPE  VULNERABILITY     SEVERITY
    busybox   1.24.2-r12              apk   CVE-2018-20679    High
    busybox   1.24.2-r12              apk   CVE-2018-1000517  Critical
    busybox   1.24.2-r12              apk   CVE-2021-42381    High
    busybox   1.24.2-r12  1.24.2-r13  apk   CVE-2017-16544    High
    busybox   1.24.2-r12  1.24.2-r13  apk   CVE-2017-15873    Medium
    busybox   1.24.2-r12              apk   CVE-2021-42386    High
    busybox   1.24.2-r12              apk   CVE-2021-42385    High
    busybox   1.24.2-r12              apk   CVE-2019-5747     High
    busybox   1.24.2-r12              apk   CVE-2021-42376    Medium
    busybox   1.24.2-r12              apk   CVE-2018-1000500  High
    busybox   1.24.2-r12              apk   CVE-2022-28391    High
    busybox   1.24.2-r12              apk   CVE-2021-42378    High
    busybox   1.24.2-r12              apk   CVE-2015-9261     Medium
    busybox   1.24.2-r12              apk   CVE-2021-42384    High
    busybox   1.24.2-r12              apk   CVE-2021-42379    High
    freetype  2.6.3-r0    2.6.3-r1    apk   CVE-2016-10244    High
    freetype  2.6.3-r0                apk   CVE-2022-27404    Critical
    freetype  2.6.3-r0                apk   CVE-2016-10328    Critical
    freetype  2.6.3-r0                apk   CVE-2022-27405    High
    freetype  2.6.3-r0                apk   CVE-2017-7857     Critical
    freetype  2.6.3-r0    2.6.3-r1    apk   CVE-2017-8287     Critical
    ...
    $ syft weaveworksdemos/carts:0.4.8 --output cyclonedx-json --file carts-0.4.8-dx.json
  • 17. BUILD: SBOM monitoring
    Do any components have newly identified vulnerabilities?
    • Use OWASP Dependency-Track
    • Track SBOMs
    • Identify vulnerabilities
    • Notifications
  • 20. RUNTIME: Policy enforcement
    Are my Kubernetes workloads and resources following my rules?
    • Use Open Policy Agent
    • Admissions controller
    • Compliance rules
  • 21. RUNTIME: Policy enforcement
    $ cat allowed.yaml
    apiVersion: v1
    kind: Pod
    metadata:
      name: opa-allowed
    spec:
      containers:
        - name: opa
          image: openpolicyagent/opa:0.9.2@sha256:04ff8fce2afd1a3bc26260348e5b290e8d945b1fad4b4c16d22834c2f3a1814a
          args:
            - "run"
            - "--server"
            - "--addr=localhost:8080"
    $ kubectl apply -f allowed.yaml
    pod/opa-allowed created
  • 22. RUNTIME: Policy enforcement
    $ cat disallowed.yaml
    apiVersion: v1
    kind: Pod
    metadata:
      name: opa-disallowed
    spec:
      initContainers:
        - name: opainit
          image: openpolicyagent/opa:0.9.2
          args:
            - "run"
            - "--server"
            - "--addr=localhost:8080"
      containers:
        - name: opa
          image: openpolicyagent/opa:0.9.2
          args:
            - "run"
            - "--server"
            - "--addr=localhost:8080"
    $ kubectl apply -f disallowed.yaml
    Error from server (Forbidden): error when creating "disallowed.yaml": admission webhook "validation.gatekeeper.sh" denied the request:
    [container-image-must-have-digest] container <opa> uses an image without a digest <openpolicyagent/opa:0.9.2>
    [container-image-must-have-digest] initContainer <opainit> uses an image without a digest <openpolicyagent/opa:0.9.2>
  • 23. RUNTIME: Resource limits
    Can a few containers hog too much memory or CPU?
    • Set the resource requests and limits for memory and CPU
    • Use Fairwinds Goldilocks
      • Watches loads
      • Makes request and limit recommendations
  • 25. RUNTIME: Network isolation
    Can Kubernetes resources reach others they don’t need to?
    • Use a service mesh or CNI
    • Build a network policy
    • Network Policy editor
      • https://networkpolicy.io
  • 26. RUNTIME: Network isolation
  • 27. RUNTIME: Monitor behavior
    Are any workloads doing something unexpected on the system?
    • Use Falco
    • Watches system calls
      • Privilege escalation
      • Ownership and mode changes
      • Unexpected network connections
  • 28. Monitor behavior
RUNTIME
$ kubectl logs -n falco falco-zplnz
Sat Oct 22 19:53:03 2022: Falco version: 0.33.0 (x86_64)
Sat Oct 22 19:53:03 2022: Falco initialized with configuration file: /etc/falco/falco.yaml
Sat Oct 22 19:53:03 2022: Loading rules from file /etc/falco/falco_rules.yaml
Sat Oct 22 19:53:03 2022: Loading rules from file /etc/falco/falco_rules.local.yaml
Sat Oct 22 19:53:03 2022: The chosen syscall buffer dimension is: 8388608 bytes (8 MBs)
Sat Oct 22 19:53:03 2022: Starting health webserver with threadiness 2, listening on port 8765
Sat Oct 22 19:53:03 2022: Enabled event sources: syscall
Sat Oct 22 19:53:03 2022: Opening capture with Kernel module
19:53:09.668585724: Warning Docker or kubernetes client executed in container (user=<NA> user_loginuid=-1 k8s.ns=gatekeeper-system k8s.pod=gatekeeper-update-crds-hook-l5zr2 container=006eacc6d95b parent=<NA> cmdline=kubectl apply -f crds/ pid=13671 image=openpolicyagent/gatekeeper-crds:v3.10.0)
19:53:09.739647377: Notice Unexpected connection to K8s API Server from container (command=kubectl apply -f crds/ pid=13671 k8s.ns=gatekeeper-system k8s.pod=gatekeeper-update-crds-hook-l5zr2 container=006eacc6d95b image=openpolicyagent/gatekeeper-crds:v3.10.0 connection=192.168.34.30:45214->10.100.0.1:443)
19:53:21.068878529: Notice Unexpected connection to K8s API Server from container (command=manager --port=8443 --health-addr=:9090 --prometheus-port=8888 --logtostderr --log-denies=false --emit-admission-events=false --log-level=INFO --exempt-namespace=gatekeeper-system --operation=webhook --enable-external-data=false --enable-generator-resource-expansion=false --log-mutations=false --mutation-annotations=false --disable-cert-rotation=false --max-serving-threads=-1 --tls-min-version=1.3 --metrics-backend=prometheus --operation=mutation-webhook --disable-opa-builtin={http.send} pid=14628 k8s.ns=gatekeeper-system k8s.pod=gatekeeper-controller-manager-78b8774b7c-wknwm container=bb34633b4f13 image=openpolicyagent/gatekeeper:v3.10.0 connection=192.168.60.49:34346->10.100.0.1:443)
19:53:21.133021316: Notice Unexpected connection to K8s API Server from container (command=manager --audit-interval=60 --log-level=INFO --constraint-violations-limit=20 --audit-from-cache=false --audit-chunk-size=500 --audit-match-kind-only=false --emit-audit-events=false --operation=audit --operation=status --operation=mutation-status --logtostderr --health-addr=:9090 --prometheus-port=8888 --enable-external-data=false --enable-generator-resource-expansion=false --metrics-backend=prometheus --disable-cert-rotation=true pid=14691 k8s.ns=gatekeeper-system k8s.pod=gatekeeper-audit-9b7795dcf-tff44 container=c603d5981dea image=openpolicyagent/gatekeeper:v3.10.0 connection=192.168.62.41:58520->10.100.0.1:443)
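The Warning and the three Notices above all come from Gatekeeper's own pods doing their job, so a cluster running Gatekeeper will emit them constantly. Here is an added example (not from the talk) of a falco_rules.local.yaml fragment that narrows the two default rules involved to exactly that namespace and image family, by redefining the exception macros those rules check; the macro names are taken from the falco_rules.yaml shipped with Falco 0.33 and are an assumption to verify against the installed rules file.

```yaml
# Added example for /etc/falco/falco_rules.local.yaml. The log above shows
# this file loading after falco_rules.yaml, so a macro defined here replaces
# the default definition of the same name. Macro names are assumed from the
# Falco 0.33 default rules; check them against your installed rules file.

# The "Docker or kubernetes client executed in container" Warning comes from
# rule "The docker client is executed in a container", which skips anything
# this macro matches. The default only exempts kube-system. Keep that and
# add the Gatekeeper CRD hook, and nothing broader: kubectl launched inside
# any other pod, or any other image in gatekeeper-system, still alerts.
- macro: user_known_k8s_client_container
  condition: >
    (k8s.ns.name = "kube-system")
    or (k8s.ns.name = "gatekeeper-system"
        and container.image.repository startswith "openpolicyagent/gatekeeper")

# The "Unexpected connection to K8s API Server from container" Notices come
# from rule "Contact K8s API Server From Container", which skips anything
# this macro matches. The default is never_true. Exempt only Gatekeeper's
# own images (gatekeeper and gatekeeper-crds both match the prefix) and only
# when they run in their own namespace, so a copy of the image started
# elsewhere, or an unrelated pod talking to 10.100.0.1:443, is still reported.
- macro: user_known_contact_k8s_api_server_activities
  condition: >
    (k8s.ns.name = "gatekeeper-system"
     and container.image.repository startswith "openpolicyagent/gatekeeper")
```

Restart Falco (or rely on its rules hot reload) and re-run the kubectl logs command above; the Gatekeeper lines should be gone while the rules themselves remain active for every other workload.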
  • 30. WRAP-UP
Key takeaways
• Enforce the principle of least privilege.
• Keep everything up to date.
• Scan your container images frequently, before and after deployment.
• Monitor your systems for expected and unexpected behavior.
• And disk space.
  • 31. WRAP-UP
Reading list
Kubernetes Hardening Guidance, National Security Agency (NSA) and Cybersecurity and Infrastructure Security Agency (CISA).
https://media.defense.gov/2021/Aug/03/2002820425/-1/-1/1/CTR_KUBERNETES%20HARDENING%20GUIDANCE.PDF
A Closer Look at NSA/CISA Kubernetes Hardening Guidance, Jim Angel, Pushkar Joglekar, and Savitha Raghunathan.
https://kubernetes.io/blog/2021/10/05/nsa-cisa-kubernetes-hardening-guidance/
Kubernetes Security Technical Implementation Guide, Cybersecurity and Infrastructure Security Agency (CISA).
https://public.cyber.mil/stigs/downloads/
CIS Kubernetes Benchmark, Center for Internet Security (CIS).
https://www.cisecurity.org/benchmark/kubernetes/
  • 32. WRAP-UP
Tools
Aqua Security kube-bench: https://github.com/aquasecurity/kube-bench
Checkov by Bridgecrew: https://github.com/bridgecrewio/checkov
Aqua Security Trivy: https://github.com/aquasecurity/trivy
Anchore Grype: https://github.com/anchore/grype
Anchore Syft: https://github.com/anchore/syft
OWASP Dependency-Track: https://dependencytrack.org
Open Policy Agent: https://www.openpolicyagent.org
Fairwinds Goldilocks: https://github.com/fairwindsops/goldilocks
Network Policy Editor: https://networkpolicy.io
Falco: https://falco.org

Editor's Notes

  1. We will look at 10 tools across 3 rough layers of the Kubernetes ecosystem. All are open-source and/or freely available. Also, some publicly available guidance.
Security is a type of quality. You cannot be insecure and have high quality. You cannot have low quality but high security.
  2. Kubernetes clusters consist of servers acting as master nodes and worker nodes. The operating system and processes on these servers have to be secured just like any others. These are the tasks traditionally done by Ops and Security.
YAGNI
K8s hosts need the same security as other hosts.
Keep the systems up-to-date. Easiest to do. Just regularly run apt-get update or dnf update or yum update.
CISA recommends the following remediation timelines:
Critical vulnerabilities should be remediated within 15 calendar days of initial detection.
High vulnerabilities should be remediated within 30 calendar days of initial detection.
  3. Least privilege
Ronald Reagan 1986 – The nine most terrifying words in the English language are "I'm from the Government and I'm here to help."
Google both terms. See the Kubernetes.io article from Oct 2021. See the stigviewer.com link.
Also, not specific to k8s, but federal, state, local, tribal and territorial governments, as well as public and private sector critical infrastructure organizations, can request Cyber Hygiene Services at no cost from CISA.
CIS is not a government agency, but it is non-profit. CIS Benchmarks are free checklists, very similar to STIGs, easier to read.
  4. "checks whether Kubernetes is deployed securely by running the checks documented in the CIS Kubernetes Benchmark."
If you are running in a managed Kubernetes cluster, such as Amazon EKS or Azure AKS, kube-bench does not have access to the master nodes but can still evaluate the worker nodes.
Runs as a kubectl job.
  5. Runs as a kubectl job.
cd ~/git/ggkube/Book/code
kubectl apply -f kube-bench-job-eks.yaml
kubectl get pods
kubectl logs kube-bench-kc82n
  6. These tasks are typically going to fall to the development teams while they are producing their software for deployment. All of this is a moot point if the application is security swiss cheese.
  7. Least privilege
Checkov by Bridgecrew. Frequent updates, sometimes daily. I use this extensively on Terraform code.
  8. Python pip install or use Docker container.
pushd ./microservices-demo/deploy/Kubernetes
checkov -d manifests --quiet --compact
  9. Can’t just scan once; vulnerabilities can be found even in existing, previously “safe” containers/code.
  10. Installs as package, from script, container, etc.
trivy config manifests/01-carts-dep.yaml
  11. trivy image weaveworksdemos/carts:0.4.8 --no-progress
  12. Other options are Clair by Red Hat.
Can’t just scan once; vulnerabilities can be found even in existing, previously “safe” containers/code.
  13. grype weaveworksdemos/carts:0.4.8
  14. Can feed that back to Grype
  15. Can feed that back to Grype.
syft weaveworksdemos/carts:0.4.8 --output json --file carts-0.4.8.json
grype sbom:carts-0.4.8.json
syft weaveworksdemos/carts:0.4.8 --output cyclonedx-json --file carts-0.4.8-dx.json
  16. This is the Ops piece of DevSecOps. After you deploy, the job isn’t finished. Keep monitoring.
It is embarrassing how often companies that spend millions to staff a 24x7 SOC have apps go down when they run out of disk space.
  17. Oh-pah
  18. https://open-policy-agent.github.io/gatekeeper-library/website/imagedigests
kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/library/general/imagedigests/template.yaml
kubectl describe ConstraintTemplate -A
kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/library/general/imagedigests/samples/container-image-must-have-digest/constraint.yaml
cat allowed.yaml
kubectl apply -f allowed.yaml
  19. cat disallowed.yaml
kubectl apply -f disallowed.yaml
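The talk's allowed.yaml and disallowed.yaml are not reproduced here. As an added example of what the K8sImageDigests constraint applied in the previous note enforces, these two constructed Pod manifests reference the same image two ways; the constraint rejects the tag-only form and admits the digest-pinned form. It assumes the constraint's spec.match covers the namespace the manifests are applied to, and the digest value is a placeholder.

```yaml
# Added example, not the talk's own files. Both Pods target the same image;
# K8sImageDigests decides only by how the image is referenced. Assumes the
# constraint's spec.match covers the namespace these are applied to.
---
# Rejected at admission: a tag is mutable, so "1.25" can resolve to a
# different image tomorrow than the one that was scanned and reviewed.
apiVersion: v1
kind: Pod
metadata:
  name: tag-only
spec:
  containers:
    - name: web
      image: nginx:1.25
---
# Admitted: a digest names exactly one image manifest, so what runs is what
# was scanned. The digest below is a PLACEHOLDER; substitute the sha256 your
# registry reports for the image you actually scanned.
apiVersion: v1
kind: Pod
metadata:
  name: digest-pinned
spec:
  containers:
    - name: web
      image: nginx:1.25@sha256:<64-hex-digest-from-your-registry>
```

Applying the first manifest should fail with an admission webhook denial naming the constraint; the second is accepted once the placeholder is replaced with a real digest.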
  20. kubectl apply -f manifests
kubectl label ns sock-shop goldilocks.fairwinds.com/enabled=true
kubectl -n goldilocks port-forward svc/goldilocks-dashboard 8444:80&
kubectl -n sock-shop port-forward svc/front-end 8555:80&
  21. Least privilege
Container network interface: Linkerd, Istio, Calico, Cilium
mTLS
  22. Least privilege
Container network interface: Linkerd, Istio, Calico, Cilium
mTLS
  23. Install to host so it is isolated from Kubernetes. Can also install into cluster using Helm if you don’t control the host, e.g., EKS.
  24. kubectl get pods -n falco -o wide
kubectl logs -n falco falco-zplnz -f
  25. There are commercial versions that incorporate many of these tools and capabilities, often together in a single package.