Zoom In, Zoom Out. A Fresh look at Kubernetes Security Rob - - PowerPoint PPT Presentation




SLIDE 1

Zoom In, Zoom Out.

A Fresh look at Kubernetes Security
Rob Richardson, Technical Evangelist - MemSQL, @Rob_Rich | @MemSQL
Kavya Pearlman, Global Cybersecurity Strategist - Wallarm, @KavyaPearlman | @Wallarm
SLIDE 2 Introducing Rob... Rob Richardson
  • Tech Evangelist for MemSQL
  • Microsoft MVP
  • Leads the Southeast Valley .NET User Group
  • AZGiveCamp Organizer
Personal interests: Travel, Coding, and Teaching
SLIDE 3 Introducing Kavya... Kavya Pearlman
  • Well known as the “Cyber Guardian”
  • Cybersecurity Strategist at Wallarm
  • An Award-winning Cybersecurity Professional
  • Founder and CEO of XR Safety Initiative
  • Former Information Security Director, Linden Lab
  • Former Facebook Third Party Security Risk Advisor
Personal interests: Travel, Gaming, Virtual Worlds
SLIDE 4 Agenda: Let's Talk About Kubernetes!
  • Overview of Containers
  • Monolithic vs Microservices
  • What is Kubernetes and its Benefits
  • Securing K8 - Zooming in
    ○ Essentials to build a secure Kubernetes environment
  • Securing K8 - Zooming Out
    ○ Do’s and Don’ts for Containerized Environments
  • How Istio and Service Mesh can affect security
  • Conclusion
SLIDE 5

Kubernetes - Getting started

KUBERNETES NEEDS NEW SECURITY MINDSET
“Cloud-native applications and infrastructure create several new challenges for all of us security professionals. We need to establish new security programs, have a new mindset and adopt advanced new tools that are focused primarily on securing cloud-native technologies.”
  - Kavya Pearlman
SLIDE 6 Monolith vs. Microservices
Diagram: a monolith application (User Interface, Business Logic and Data Layer on top of a single application DB) compared with microservices (a User Interface calling several microservices, each backed by its own data source).
SLIDE 7 Containers vs. VMs
Diagram: virtual machines (Server > Host OS > Hypervisor > a separate Guest OS with its own Bins/Libs for each of App A, App A’ and App B) compared with containers (Server > Host OS > Container Orchestrator > Bins/Libs shared by App A, App A’, App B, App B’ ...). Containers are isolated, but share the OS and, where appropriate, bins/libraries.
SLIDE 8 What is Kubernetes?
Diagram: a Kubernetes Master (API Server, Controller Manager, Scheduler, etcd) that the Developer/Operator talks to, and Kubernetes Nodes (each running Kubelet, cAdvisor, Kube-Proxy and several Pods) that Users reach.
SLIDE 9 Benefits of using Kubernetes
  • Avoid vendor lock-in
  • Bring new products to market faster
  • Enjoy peace of mind that your applications are always on
  • Kubernetes self-heals
  • Kubernetes auto-scales
SLIDE 10 Benefits of using Kubernetes
  • It’s the de facto standard for running cloud-native applications at scale
  • Free community support or paid professional services
SLIDE 11

Kubernetes - Zooming In

The Essentials for Building a Secure Kubernetes Environment
SLIDE 12 Shopify Breach - caused by lack of K8 security essentials
  • Exploited weakness: API configuration flaw
  • Type of attack: SSRF attack whereby metadata was used to steal API keys and credential packets
  • Effect: information on thousands of stores and store clients was exposed
SLIDE 13 Tesla Breach - caused by lack of K8 security essentials
  • Exploited weakness: Kubernetes instance and an insecure administrative console
  • Type of attack: false credentials
  • Effect: the total scope of the breach is yet unknown
SLIDE 14 What is Docker?
Infographic (Docker ecosystem, by Rob Richardson, robrich.org): Dockerfile → Image → docker hypervisor → Container; docker-compose.yml → Images → docker hypervisor; Docker swarm; Docker hub.
SLIDE 15 What is Kubernetes?
Infographic (Docker ecosystem, by Rob Richardson, robrich.org, same elements as slide 14): Dockerfile → Image → docker hypervisor → Container; docker-compose.yml → Images → docker hypervisor; Docker swarm; Docker hub.
SLIDE 16

Namespaces

“K8s does not provide a mechanism to enforce security across Namespaces. You should only use it within trusted domains and not use when you need to be able to provide guarantees that a user of the cluster or pods be unable to access any of the other Namespaces resources”
  - GCP Team
tl;dr: A namespace is not a security boundary for inter-pod communication.
SLIDE 17 Role based access control (RBAC)
Roles and ClusterRoles are a whitelist; essentially a list of the allowed permissions. RoleBindings and ClusterRoleBindings marry users to roles:
  • Subject is the person, place, or thing that has been whitelisted. Ex) a developer, DevOps, a team member, user, or process.
  • Resource is the kind of object. Ex) pod, service, the cluster itself, or another logical instance related to Kubernetes.
  • Operations that are whitelisted are the actions we permit the system to do; each corresponds to a REST method.
  • Namespace is the Kubernetes section that is allowed.
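The four RBAC parts named above (subject, resource, operations, namespace) map one-to-one onto fields of a Role and a RoleBinding. The manifest below is an added example, not from the slides: it whitelists read-only operations on pods in one namespace and binds them to a single user. The namespace `team-a`, the user `alice@example.com` and the object names are assumptions.

```yaml
# Added example: namespaced Role + RoleBinding (names and user are assumed).
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: team-a            # Namespace: the section of the cluster this Role is valid in
  name: pod-reader
rules:
- apiGroups: [""]              # "" is the core API group (pods, services, configmaps, ...)
  resources: ["pods", "pods/log"]   # Resource: the kind of object (plus one subresource)
  verbs: ["get", "list", "watch"]   # Operations: read-only verbs, i.e. REST GET / list / watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  namespace: team-a
  name: read-pods
subjects:                      # Subject: who the whitelist applies to
- kind: User
  name: alice@example.com      # assumed user identity as presented by the authenticator
  apiGroup: rbac.authorization.k8s.io
roleRef:                       # the whitelist being granted; a RoleBinding can only widen, never narrow
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io
```

After applying it, `kubectl auth can-i list pods -n team-a --as=alice@example.com` answers `yes`, while `kubectl auth can-i delete pods -n team-a --as=alice@example.com` answers `no`, which is the quickest check that a binding grants only what was intended. Because bindings are additive, also review any ClusterRoleBindings that already include the same subject; those apply in every namespace regardless of this Role.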
SLIDE 18 Network Policies
“By default, pods are not isolated; they accept traffic from any source.” GCP – https://kubernetes.io/docs/concepts/services-networking/network-policies/
  • Secure traffic between containers using service mesh tools like Istio
  • Disable legacy APIs
  • etcd access from worker nodes (Shopify)
  • Restrict API/Dashboard access (Tesla)
SLIDE 19 Kubernetes: Pod security policies
Note:
  • Don’t run as Root
  • Smallest base container
  • Don’t install unnecessary software
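The "don't run as root" note is enforced at the pod level through the securityContext rather than by trusting the image. The manifest below is an added example, not from the slides, showing the settings a hardened pod spec carries: non-root UID, no privilege escalation, all capabilities dropped, a read-only root filesystem with a writable emptyDir for scratch space, and the runtime default seccomp profile. The image `registry.example.com/app:1.2.3` and the UID 10001 are assumptions.

```yaml
# Added example (image and UID are assumed): pod-level and container-level securityContext.
apiVersion: v1
kind: Pod
metadata:
  name: hardened-app
spec:
  securityContext:
    runAsNonRoot: true         # kubelet refuses to start the container if it would run as UID 0
    runAsUser: 10001           # explicit non-root UID so the image's USER line is not the only guard
    runAsGroup: 10001
    fsGroup: 10001             # mounted volumes are group-owned by this GID
    seccompProfile:
      type: RuntimeDefault     # container runtime's default syscall filter (Kubernetes 1.19+)
  containers:
  - name: app
    image: registry.example.com/app:1.2.3   # assumed: built on the smallest base image that runs the app
    securityContext:
      allowPrivilegeEscalation: false       # blocks setuid binaries from gaining privileges
      privileged: false
      readOnlyRootFilesystem: true          # matches the "immutable container" goal
      capabilities:
        drop: ["ALL"]                       # add back individual capabilities only if proven necessary
    volumeMounts:
    - name: tmp
      mountPath: /tmp                       # the one writable path the app gets
  volumes:
  - name: tmp
    emptyDir: {}
```

PodSecurityPolicy, the cluster-wide enforcement mechanism the slide title refers to, was removed in Kubernetes 1.25; its replacement, Pod Security Admission, enforces the same class of settings when the namespace carries the label `pod-security.kubernetes.io/enforce: restricted`, and the spec above satisfies the `restricted` profile.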
SLIDE 20 Configuration Management
  • Environment Variables: must trust operations
  • External Key Vault: must change application
  • Config File in Container: must trust developers, registry, git repo
Note: RBAC is usually best
SLIDE 21 Istio Service Mesh
SLIDE 22 Istio Service Mesh
SLIDE 23 Kubernetes API request lifecycle
In order:
  • API request
  • API HTTP handler
  • Authentication / authorization
  • Mutating admission controllers
  • Mutating admission webhooks
  • Object schema validation
  • Validating admission controllers
  • Validating admission webhooks
  • Persisted to etcd
SLIDE 24 What’s next?
  • Container Content Vulnerabilities
  • Client-side Vulnerabilities
  • Injection attacks and cross-site scripting
  • Orchestrator vulnerabilities
Note: enumerate and secure all the things
SLIDE 25

Kubernetes - Zooming Out

Do’s and Don’ts for Containerized Environments
SLIDE 26 Build. Deploy. Run.
Diagram of the container lifecycle stages BUILD, DEPLOY and RUN, with the components involved: CI/CD pipeline, Artifact Download, Container Registries, Orchestrator, Container Runtime Environments, Host Runtime, Workload at Runtime.
SLIDE 27 DOs for Containerized Environments
  • Run images only from trusted sources
  • Use container-native monitoring tools
  • Create immutable containers
SLIDE 28 Open Source Tools For Container Security
  • DAGDA
SLIDE 29 NOT To Dos for Containerized Environments
  • Don’t install an operating system in a container
  • Don’t run unnecessary services
  • Don’t store critical data in a container
  • DON’T run a container as root
  • Don’t put hard-coded credentials for accessing the Registry
SLIDE 30 Securing Kubernetes with a Service Mesh like Istio
  • Control: access policies, rate limits, a/b testing, canary channel, inject faults, circuit breaker
  • Secure: mutual TLS between containers
  • Observe: map, log, discover
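The "secure" and "control" rows above correspond to two Istio resources. The manifests below are an added example, not from the slides: a mesh-wide PeerAuthentication that requires mutual TLS between sidecars, and an AuthorizationPolicy that lets only the frontend's service account call the API's `/api/` paths. The namespace `shop`, the service account `frontend` and the label `app: api` are assumptions; `istio-system` is Istio's default root namespace, which is what makes the first resource mesh-wide.

```yaml
# Added example (namespace, service account and labels are assumed).
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: istio-system      # root namespace: this policy applies to the whole mesh
spec:
  mtls:
    mode: STRICT               # plaintext connections between sidecars are refused, not just discouraged
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: api-allow-frontend
  namespace: shop
spec:
  selector:
    matchLabels:
      app: api                 # enforced by the sidecar of the API pods
  action: ALLOW                # once any ALLOW policy matches a workload, everything not listed is denied
  rules:
  - from:
    - source:
        # SPIFFE identity carried in the client's mTLS certificate, so it cannot be spoofed by a header
        principals: ["cluster.local/ns/shop/sa/frontend"]
    to:
    - operation:
        methods: ["GET", "POST"]
        paths: ["/api/*"]
```

`principals` is only meaningful because of the STRICT mTLS policy: the identity comes from the peer certificate Istio issues per service account, which is what turns "a namespace is not a security boundary" (slide 16) into a workload-level boundary that can be verified. Roll STRICT out namespace by namespace with `PERMISSIVE` first if some workloads still lack sidecars, otherwise those connections break.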
SLIDE 31
Kavya Pearlman: @KavyaPearlman, www.wallarm.com
Rob Richardson: @rob_rich, robrich.org