kubernetes und container aber sicher container k8s
play

Kubernetes und Container Aber Sicher! Container / K8s Security - PowerPoint PPT Presentation

Jan 16, 2023 •437 likes •1.1k views

Kubernetes und Container Aber Sicher! Container / K8s Security Andreas Falk Vorstellung Andreas Falk Novatec Consulting andreas.falk@novatec-gmbh.de / @andifalk https://www.novatec-gmbh.de/beratung/agile-security 2

  1. Kubernetes und Container – Aber Sicher! Container / K8s Security Andreas Falk

  2. Vorstellung Andreas Falk Novatec Consulting andreas.falk@novatec-gmbh.de / @andifalk https://www.novatec-gmbh.de/beratung/agile-security 2

  3. https://www.novatec-gmbh.de/schulung/application-security-training-for-developers-by-jim-manico 3

  4. Agenda 1. What can go wrong 2. Application Security 3. Container Security 4. Kubernetes Security 5. Kubernetes Secrets 4

  5. Where are the Slides and the Code? Presentation Slides and Demo Code: https://github.com/andifalk/secure-development-on-kubernetes 5

  6. What can go wrong? Introduction 6

  7. Top Challenges in Kubernetes Source: https://thenewstack.io 7

  8. Severe Vulnerability in Kubernetes Source: https://blog.aquasec.com 8

  9. Crypto Mining Via K8s Dashboard Source: https://blog.heptio.com 9

  10. Open ETCD Ports in Kubernetes (1) https://shodan.io 10

  11. Open ETCD Ports in Kubernetes (2) $ etcdctl --endpoints=http://xx.xx.xx.xx:2379 cluster-health member b97ee4034db41d17 is healthy: got healthy result from http://xx.xx.xx.xx:2379 cluster is healthy https://github.com/etcd-io/etcd/releases 11

  12. Vulnerable Docker Images Source: The state of open source security report (snyk.io) 12

  13. All is Root 13

  14. Kubernetes attack vectors Source: Kubernetes Security, O’Reilly, 2018 14

  15. Operational / Development Kubernetes Security K8s Development Security Master Node Worker Node Container TLS TLS API Server Scheduler Kubelet Runtime Auth Auth Controller Authz Authz Etcd Kube Proxy Manager K8s Operational Security https://kubernetes.io/docs/concepts/security/overview/#the-4c-s-of-cloud-native-security https://learnk8s.io/production-best-practices/ 15

  16. So what can we do as developers? Application- / Docker- / K8s-Security 16

  17. The Path for Secure Development on K8s Application Container Kubernetes Kubernetes Security Security Security Secrets 17

  18. The Path for Secure Development on K8s Application Container Kubernetes Kubernetes Security Security Secrets Security 18

  19. Application Security Authentication Authorization SQL Injection Cross Site Scripting (XSS) Web Application Cross Site Request Forgery (CSRF) Data Protection (Crypto) ... 19

  20. Application Security 20

  21. Live Demo: Show me the code Iteration 1: Application Security https://github.com/andifalk/secure-development-on-kubernetes 21

  22. The Path for Secure Development on K8s Application Container Kubernetes Kubernetes Security Security Secrets Security 22

  23. Docker Security Basics 23

  24. Linux Kernel Namespaces ▪ Process ID (pid) Network (net) ▪ ▪ Filesystem/mount (mnt) Inter-Process Communication (ipc) ▪ ▪ User (user) UTS (hostname) ▪ 24

  25. Linux Control Groups (CGroups) ▪ Resource Limits − CPU − Memory − Devices − Processes − Network For Java this only works with container aware JDK versions as of OpenJDK 8u192 or above 25

  26. Linux Capabilities ▪ Break up root privileges into smaller units − CAP_SYS_ADMIN − CAP_NET_ADMIN − CAP_NET_BIND_SERVICE − CAP_CHOWN − ... $ docker run --cap-drop=ALL --cap-add=NET_BIND_SERVICE http://man7.org/linux/man-pages/man7/capabilities.7.html 26

  27. Mandatory Access Control (MAC) ▪ AppArmor ▪ Security Enhanced Linux (SELinux) https://gitlab.com/apparmor/apparmor/wikis/home https://github.com/SELinuxProject 27

  28. Secure Computing Mode (SecComp) ▪ Deny critical system calls by default − reboot − mount − swapon − ... http://man7.org/linux/man-pages/man2/seccomp.2.html https://docs.docker.com/engine/security/seccomp 28

  29. OWASP Docker Top 10 1. Secure User Mapping 2. Patch Management Strategy 3. Network Segmentation and Firewalling 4. Secure Defaults and Hardening 5. Maintain Security Contexts 6. Protect Secrets 7. Resource Protection 8. Container Image Integrity and Origin 9. Follow Immutable Paradigm 10. Logging https://github.com/OWASP/Docker-Security 29

  30. Docker Images 30

  31. Docker Image Security 31

  32. Say No To Root! USER directive in Dockerfile FROM openjdk:11-jre-slim COPY hello-spring-kubernetes-1.0.0-SNAPSHOT.jar app.jar EXPOSE 8080 RUN addgroup --system --gid 1002 app && adduser --system --uid 1002 --gid 1002 appuser USER 1002 ENTRYPOINT java -jar /app.jar https://opensource.com/article/18/3/just-say-no-root-containers 32

  33. Say No To Root! Use JIB and Distroless Images plugins { id 'com.google.cloud.tools.jib' version '...' } jib { container { user = 1002 } } https://github.com/GoogleContainerTools/jib 33

  34. Keep Being Secure ▪ Perform Image Scanning − Anchore − Clair − Trivy ▪ Regularly Update Base Images https://anchore.com/opensource/ https://github.com/coreos/clair https://github.com/aquasecurity/trivy 34

  35. Live Demo: Show me the code Iteration 2: Container Security https://github.com/andifalk/secure-development-on-kubernetes 35

  36. The Path for Secure Development on K8s Application Security Kubernetes Container Kubernetes Security Secrets Security 36

  37. Kubernetes Basics Ingress Service Deployment Replica Set Pod Pod Pod https://kubernetes.io/docs/concepts https://www.aquasec.com/wiki/display/containers/70+Best+Kube rnetes+Tutorials 37

  38. Kubernetes Security Kubernetes Auditing Network Policies Role Based Access Control (RBAC) Resource Limits Pod Security Context Pod Security Policy

  39. Resource Limits spec: ... containers: resources: limits: cpu: "1" memory: "512Mi" requests: cpu: 500m memory: "256Mi" ... https://kubernetes.io/docs/tasks/configure-pod-container/assign-cpu-resource https://kubernetes.io/docs/tasks/configure-pod-container/assign-memory-resource 39

  40. Pod/Container Security Context spec: securityContext: runAsNonRoot: true containers: securityContext: allowPrivilegeEscalation: false privileged: false runAsNonRoot: true readOnlyRootFilesystem: true capabilities: drop: - ALL https://kubernetes.io/docs/tasks/configure-pod-container/security-context 40

  41. Pod Security Policy (Still In Beta!) apiVersion: policy/v1beta1 kind: PodSecurityPolicy metadata: name: no-root-policy spec: privileged: false allowPrivilegeEscalation: false requiredDropCapabilities: - ALL runAsUser: rule: 'MustRunAsNonRoot' ... https://kubernetes.io/docs/concepts/policy/pod-security-policy 41

  42. Pod Security Policy (Policy Order) Policy order selection criteria: 1. Policies which allow the pod as-is are preferred 2. If pod must be defaulted or mutated, the first policy (ordered by name) to allow the pod is selected. https://kubernetes.io/docs/concepts/policy/pod-security-policy/#policy-order https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers 42

  43. Kubernetes Role Based Access Control (RBAC) Cluster-Wide Subject API Groups ClusterRole ClusterRoleBinding Resources - User - Group - ServiceAccount Role RoleBinding Verbs Namespace https://kubernetes.io/docs/reference/access-authn-authz/rbac/ 43

  44. Kubernetes Role Based Access Control (RBAC) apiGroups extensions, apps, policy, ... resources pods, deployments, configmaps, secrets, nodes, services, endpoints, podsecuritypolicies, ... verbs get, list, watch, create, update, patch, delete, use, ... https://kubernetes.io/docs/reference/access-authn-authz/rbac/ 44

  45. Service Account apiVersion: v1 kind: ServiceAccount metadata: name: deploy-pod-security-policy namespace: default https://kubernetes.io/docs/concepts/policy/pod-security-policy/#authorizing-policies 45

  46. Pod Security Policy Role apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: no-root-policy-role namespace: default rules: - apiGroups: ['policy'] resources: ['podsecuritypolicies'] verbs: ['use'] resourceNames: - no-root-policy https://kubernetes.io/docs/concepts/policy/pod-security-policy/#authorizing-policies 46

  47. Pod Security Policy Role Binding apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: deploy-pod-security-policy namespace: default roleRef: kind: Role name: no-root-policy-role apiGroup: rbac.authorization.k8s.io subjects: - kind: ServiceAccount name: deploy-pod-security-policy namespace: default 47

  48. Helm 3 Is Here! https://v3.helm.sh https://helm.sh/docs/faq/#removal-of-tiller 48

  49. Live Demo: Show me the code Iteration 3: Kubernetes Security https://github.com/andifalk/secure-development-on-kubernetes 49

  50. The Path for Secure Development on K8s Application Container Kubernetes Security Kubernetes Security Security Secrets 50

  51. Kubernetes Secrets KMS Etcd Secrets Secrets Secrets

  52. Kubernetes Secrets apiVersion: v1 kind: Secret metadata: name: hello-spring-cloud-kubernetes namespace: default type: Opaque data: user.username: dXNlcg== user.password: azhzX3VzZXI= admin.username: YWRtaW4= admin.password: azhzX2FkbWlu https://kubernetes.io/docs/concepts/configuration/secret 52

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

OPENSTACK + KUBERNETES + HYPERCONTAINER The Container Platform for NFV ABOUT ME Harry Zhang

OPENSTACK + KUBERNETES + HYPERCONTAINER The Container Platform for NFV ABOUT ME Harry Zhang

OPENSTACK + KUBERNETES + HYPERCONTAINER The Container Platform for NFV ABOUT ME Harry Zhang ID: @resouer Coder, Author, Speaker Member of Hyper Feature Maintainer & Project Manager of Kubernetes sig-scheduling,

3.57k views • 46 slides
DISASTER RELIEF CENTER 2x Accommodation Container 2x Sanitary Container 1x

DISASTER RELIEF CENTER 2x Accommodation Container 2x Sanitary Container 1x

DISASTER RELIEF CENTER 2x Accommodation Container 2x Sanitary Container 1x Galley Container 1x Medical Container 1x Feed Water Container 1x Water Treatment Container 2x Generator Container 1x

569 views • 8 slides
OpenAFS as Persistent Storage inside Kubernetes using Container Storage Interface plugin for

OpenAFS as Persistent Storage inside Kubernetes using Container Storage Interface plugin for

OpenAFS as Persistent Storage inside Kubernetes using Container Storage Interface plugin for OpenAFS Yadavendra Yadav T odd DeSantis OpenAFS WorkShop 2019 Pittsburgh, US Application Modernization Evolution of Container Agenda

542 views • 27 slides
Matthias Sohn Adel Zaalouk SAP From Containers to Kubernetes From Containers to Kubernetes

Matthias Sohn Adel Zaalouk SAP From Containers to Kubernetes From Containers to Kubernetes

Matthias Sohn Adel Zaalouk SAP From Containers to Kubernetes From Containers to Kubernetes Container Container Runtime Host OS VM From Containers to Kubernetes Container Container Runtime Host OS VM From Containers to Kubernetes

1.72k views • 135 slides
CONTAINER ORCHESTRATION WITH SWARM MODE, MESOS/MARATHON AND KUBERNETES ADRIAN MOUAT WHO AM I?

CONTAINER ORCHESTRATION WITH SWARM MODE, MESOS/MARATHON AND KUBERNETES ADRIAN MOUAT WHO AM I?

CONTAINER ORCHESTRATION WITH SWARM MODE, MESOS/MARATHON AND KUBERNETES ADRIAN MOUAT WHO AM I? Chief Scientist at Container Solutions Wrote "Using Docker" for O'Reilly 40% discount with code AUTHD Docker Captain @adrianmouat WHAT

1.4k views • 59 slides
Build Your Serverless Container Cloud with OpenStack and Kubernetes Kevin Zhao Senior Software

Build Your Serverless Container Cloud with OpenStack and Kubernetes Kevin Zhao Senior Software

22.05.2018 Build Your Serverless Container Cloud with OpenStack and Kubernetes Kevin Zhao Senior Software Engineer on Arm. OpenStack Zun Core Reviewer kevin.zhao@arm.com Agenda What is Serverless Container Cloud Demo Zun and Container

750 views • 35 slides
Deployment Strategies on Kubernetes By Etienne Tremel Software engineer at Container Solutions

Deployment Strategies on Kubernetes By Etienne Tremel Software engineer at Container Solutions

Deployment Strategies on Kubernetes By Etienne Tremel Software engineer at Container Solutions @etiennetremel February 13th, 2017 Agenda Kubernetes in brief Look at 6 different strategies Recreate Ramped Blue/Green

822 views • 61 slides
Container Library and FUSE Container File System Softwarepraktikum f ur Fortgeschrittene

Container Library and FUSE Container File System Softwarepraktikum f ur Fortgeschrittene

Introduction Container Library Container Tools FUSE Container File System Evaluation Container Library and FUSE Container File System Softwarepraktikum f ur Fortgeschrittene Michael Kuhn Parallele und Verteilte Systeme Institut f ur

353 views • 22 slides
Kubernetes Crossing the Chasm 05.03.2018 Ian Crosby @IanDCrosby info@container-solutions.com

Kubernetes Crossing the Chasm 05.03.2018 Ian Crosby @IanDCrosby info@container-solutions.com

Kubernetes Crossing the Chasm 05.03.2018 Ian Crosby @IanDCrosby info@container-solutions.com container-solutions.com container-solutions.com info@container-solutions.com Kubernetes: Crossing the Chasm @IanDCrosby container-solutions.com

424 views • 40 slides
K8s Intermediate Kubernetes a clustered container orchestration Software an open-source system

K8s Intermediate Kubernetes a clustered container orchestration Software an open-source system

K8s Intermediate Kubernetes a clustered container orchestration Software an open-source system for automating deployment, scaling, and management of containerized applications. It groups containers that make up an application into logical units

566 views • 45 slides
Deliver Docker Containers Continuously on AWS Philipp Garbe @pgarbe Google Container So many

Deliver Docker Containers Continuously on AWS Philipp Garbe @pgarbe Google Container So many

Deliver Docker Containers Continuously on AWS Philipp Garbe @pgarbe Google Container So many choices... Engine Azure Container Services Cloud Foundrys Amazon ECS Diego Kubernetes Docker Swarm Mesosphere CoreOS Marathon Fleet

465 views • 45 slides
Managing Kubernetes and OpenShift with ManageIQ Alissa Bonas @ Container Con Seattle 2015 The

Managing Kubernetes and OpenShift with ManageIQ Alissa Bonas @ Container Con Seattle 2015 The

Managing Kubernetes and OpenShift with ManageIQ Alissa Bonas @ Container Con Seattle 2015 The stages of containers world Containerizing an app Alissa Bonas @ Container Con Seattle 2015 The stages of containers world Run a container

911 views • 62 slides
K8s or Die! You must do Kubernetes. Or should you? If so when, where, why? How?! Marco Ceppi

K8s or Die! You must do Kubernetes. Or should you? If so when, where, why? How?! Marco Ceppi

K8s or Die! You must do Kubernetes. Or should you? If so when, where, why? How?! Marco Ceppi @marcoceppi Ryan Beisner @ryanbeisner Why Kubernetes Computing in the modern age Virtual Process Machines Containers Traditional Container

516 views • 24 slides
Secure Kubernetes Container Workloads with Production-Grade Networking Cynthia Thomas Irena

Secure Kubernetes Container Workloads with Production-Grade Networking Cynthia Thomas Irena

Secure Kubernetes Container Workloads with Production-Grade Networking Cynthia Thomas Irena Berezovsky Tim Hockin CIA IT operations have top secret apps for their agents, most of which require isolation Antoni is in Ops and wants to help CIA

458 views • 31 slides
Container Deposits The story so far, and why doesn t everyone do this? Container Deposit

Container Deposits The story so far, and why doesn t everyone do this? Container Deposit

Plastic Bags Ban and Container Deposits The story so far, and why doesn t everyone do this? Container Deposit Legislation Remember 1975? Source: Adelaide Now Adelaide Oval Cricket test 1973 Football Grand Final 1973Adelaide Cans

658 views • 18 slides
Kubernetes Security Zooming In, Zooming Out A comprehensive Container Security Strategy Kavya

Kubernetes Security Zooming In, Zooming Out A comprehensive Container Security Strategy Kavya

Kubernetes Security Zooming In, Zooming Out A comprehensive Container Security Strategy Kavya Pearlman Global Cybersecurity Strategist - Wallarm @KavyaPearlman | @Wallarm Rob Richardson Technical Evangelist - MemSQL @Rob_Rich | @MemSQL

279 views • 27 slides
Dealing With I/O Dealing With I/O CS 105 Tour of the Black Holes of Computing Problem:

Dealing With I/O Dealing With I/O CS 105 Tour of the Black Holes of Computing Problem:

Dealing With I/O Dealing With I/O CS 105 Tour of the Black Holes of Computing Problem: I/O devices are slow Solution 1: wait for I/O CPU stops executing instructions

342 views • 9 slides
parents(charles,elizabeth,philip). parents charles elizabeth philip a+b*c + a * b c

parents(charles,elizabeth,philip). parents charles elizabeth philip a+b*c + a * b c

parents(charles,elizabeth,philip). parents charles elizabeth

436 views • 20 slides
ECE 242 Data Structures Lecture 29 Graph Traversal November 23, 2009 ECE242 L29: Graph

ECE 242 Data Structures Lecture 29 Graph Traversal November 23, 2009 ECE242 L29: Graph

ECE 242 Data Structures Lecture 29 Graph Traversal November 23, 2009 ECE242 L29: Graph Traversal Overview Problem: How can we efficiently visit all vertices in the graph? Depth first search Quickly follow paths between vertices

532 views • 19 slides
THermodynamic Formalism and Uncertainty Quantification Luc Rey-Bellet University of

THermodynamic Formalism and Uncertainty Quantification Luc Rey-Bellet University of

THermodynamic Formalism and Uncertainty Quantification Luc Rey-Bellet University of Massachusetts Amherst Quantissima III, Venice, August 2019 Work supported by NSF and AFOSR 1 Collaborators on related projects Paul Dupuis (Brown

827 views • 34 slides
The need for a data improvement plan Clair Alcock LGA, Firefighters Pension Adviser 16 March

The need for a data improvement plan Clair Alcock LGA, Firefighters Pension Adviser 16 March

The need for a data improvement plan Clair Alcock LGA, Firefighters Pension Adviser 16 March 2018 www.local.gov.uk Who am I, and what qualifies me to talk about data? The Temporary NI Number Record Keeping? Inputs Change of CARE

559 views • 18 slides
Time For a New North American Rail Strategy November 28, 2017 Transp sportation a and Logist

Time For a New North American Rail Strategy November 28, 2017 Transp sportation a and Logist

Time For a New North American Rail Strategy November 28, 2017 Transp sportation a and Logist stics s Adviso sors, s, LLC Disclaimer Statement This report has been prepared by Transportation and Logistics Advisors (T&LA) for Stifel

541 views • 29 slides
Alma Integrations Plugin Kevin Clair 2020 April 8 Background Developed at University of Denver

Alma Integrations Plugin Kevin Clair 2020 April 8 Background Developed at University of Denver

Alma Integrations Plugin Kevin Clair 2020 April 8 Background Developed at University of Denver Part of effort to integrate description work across archival systems (collection database, discovery, digital repository)

530 views • 42 slides
2014 CLAIR Forum Alderman James Walker Clarence City Council Tasmania Akkeshi Japan - sister

2014 CLAIR Forum Alderman James Walker Clarence City Council Tasmania Akkeshi Japan - sister

2014 CLAIR Forum Alderman James Walker Clarence City Council Tasmania Akkeshi Japan - sister city of Clarence The 32 year sister city relationship between Clarence and Akkeshi is based on historical and geographical grounds. Clarence

437 views • 15 slides

More recommend