zoom in zoom out
play

Zoom In, Zoom Out. A Fresh look at Kubernetes Security Rob - PowerPoint PPT Presentation

Jun 03, 2023 •284 likes •602 views

Zoom In, Zoom Out. A Fresh look at Kubernetes Security Rob Richardson Technical Evangelist - MemSQL @Rob_Rich | @MemSQL Kavya Pearlman Global Cybersecurity Strategist - Wallarm @KavyaPearlman | @Wallarm Introducing Rob... Rob Richardson

  1. Zoom In, Zoom Out. A Fresh look at Kubernetes Security Rob Richardson Technical Evangelist - MemSQL @Rob_Rich | @MemSQL Kavya Pearlman Global Cybersecurity Strategist - Wallarm @KavyaPearlman | @Wallarm

  2. Introducing Rob... Rob Richardson Tech Evangelist for MemSQL ● Microsoft MVP ● Leads the Southeast Valley .NET User Group ● AZGiveCamp Organizer ● Personal interests Travel, Coding, and Teaching 2

  3. Introducing Kavya... Kavya Pearlman Well known as the “Cyber Guardian” ● Cybersecurity Strategist at Wallarm ● An Award-winning Cybersecurity Professional ● Founder and CEO of XR Safety Initiative ● Former Information Security Director Linden Lab ● Former Facebook Third Party Security Risk Advisor ● Personal interests Travel, Gaming, Virtual Worlds 3

  4. Agenda Let's Talk About Kubernetes! Overview of Containers ● Monolithic vs Microservices ● What is Kubernetes and its Benefits ● Securing K8 - Zooming in ● Essentials to build a secure Kubernetes environment ○ Securing K8 - Zooming Out ● ○ Do’s and Don’ts for Containerized Environments How Istio and Service Mesh can affect security ● Conclusion ● 4

  5. Kubernetes - Getting started KUBERNETES NEEDS NEW SECURITY MINDSET Cloud-native applications and infrastructure create several new challenges for all of us security professionals. We need to establish new security programs, have a new mindset and adopt advanced new tools that are focused primarily on securing cloud-native technologies.” - Kavya Pearlman 5

  6. Monolith vs. Microservices User Interface User Interface Business Logic Data Layer Microservice Microservice Microservice MONOLITH APPLICATION DB DATA SOURCE DATA SOURCE DATA SOURCE 6

  7. Containers vs. VMs App App App Containers are isolated, but share OS and, where A B A’ appropriate, bins/libraries Bins/ Bins/ Bins/ Libs Libs Libs App App App App App App A A’ B B’ B’ B’ Guest OS Guest OS Guest OS Bins/Libs Bins/Libs Hypervisor Container Orchestrator Host OS Host OS SERVER SERVER VIRTUAL MACHINE CONTAINERS 7

  8. What is Kubernetes? Kubernetes Master Controller Manager API Server Scheduler Developer/ Users Operator etcd Kubelet cAdvisor Kube-Proxy Kubelet cAdvisor Kube-Proxy Pod Pod Pod Pod Pod Pod Pod Pod Kubernetes Node Kubernetes Node 8

  9. Benefits of using Kubernetes Bring new products Enjoy peace of mind that Avoid vendor lock-in to market faster your applications are always on Kubernetes self-heals Kubernetes auto-scales 9

  10. Benefits of using Kubernetes It’s the de facto standard Free community support or for running cloud-native paid professional services applications at scale 10

  11. Kubernetes - Zooming In The Essentials for Building a Secure Kubernetes Environment

  12. Shopify Breach Caused by lack of K8 security Essentials Exploited Weakness API configuration flaw Type of attack SSRF Attack whereby metadata used to steal API keys and credential packets Effect Thousands of stores and store-clients information was exposed

  13. Tesla Breach Caused by lack of K8 security Essentials Exploited Weakness: Kubernetes instance and an insecure administrative console Type of attack False credentials Effect The total scope of the breach is yet unknown

  14. What is Docker? Docker hub Container docker hypervisor Dockerfile Image Docker swarm docker hypervisor docker-compose.yml Images 14 Docker ecosystem, infographic by Rob Richardson robrich.org

  15. What is Kubernetes? Docker hub Container docker hypervisor Dockerfile Image Docker swarm docker hypervisor docker-compose.yml Images 15 Docker ecosystem, infographic by Rob Richardson robrich.org

  16. “ “ Namespaces “K8s does not provide a mechanism to enforce security across Namespaces. You should only use it within trusted domains and not use when you need to be able to provide guarantees that a user of the cluster or pods be unable to access any of the other Namespaces resources” --GCP Team tl;dr : A namespace is not a security boundary for inter-pod communication. 16

  17. Role based access control (RBAC) Roles and ClusterRoles are a whitelist ; essentially a list of the allowed permissions. RoleBindings and ClusterRoleBindings marry users to roles: Subject includes the person, place, or thing that has been whitelisted. ● Ex) a developer, DevOps, a team member, user, or process. Resource is the kind of object ● Ex) pod, service, the cluster itself, or another logic instance related to Kubernetes. Operations that are whitelisted are action we permit the system to do. It's an action related ● to REST method. Namespace is the kubernetes section that is allowed. ● 17

  18. Network Policies “By default, pods are not isolated; they accept traffic from any source.” GCP – https://kubernetes.io/docs/concepts/services-networking/network-policies/ Secure traffic Disable legacy APIs Restrict API/ between containers Dashboard access etcd access from worker nodes using service mesh tools like (Shopify) (Tesla) Istio 18

  19. Kubernetes: Pod security policies Smallest base Smallest base Don’t install container container unnecessary software Note: Don’t run as Root 19

  20. Configuration Management Config File in Container Environment External Key Vault Variables must trust developers, Must change application registry, git repo Must trust operations Note: RBAC is usually best 20

  21. Istio Service Mesh 21

  22. Istio Service Mesh 22

  23. Kubernetes API request lifecycle Mutating Object Validating API Authentication Persisted to admission schema admission HTTP handler / authorization ETCD API controllers validation controllers request Mutating Validating admission admission webhooks webhooks 23

  24. What’s next? Client-side Orchestrator Container Content Vulnerabilities vulnerabilities Vulnerabilities Injection attacks and cross-site scripting Note: enumerate and secure all the things 24

  25. Kubernetes - Zooming Out Do’s and Don’ts for Containerized Environments

  26. Build. Deploy. Run. DEPLOY BUILD RUN Orchestrator Container Runtime Artifact Download Environments Host Runtime Container Registries Workload at Runtime CI/CD pipeline 26

  27. DOs for Containerized Environments CREATE IMMUTABLE RUN IMAGES ONLY FROM USE CONTAINER-NATIVE CONTAINERS TRUSTED SOURCES MONITORING TOOLS 27

  28. Open Source Tools For Container Security DAGDA 28

  29. NOT To Dos for Containerized Environments Don’t install an operating system in a container Don’t run unnecessary services Don’t store critical data in a container Don’t put hard-coded credentials for accessing Registry DON’T run a container as root 29

  30. Securing Kubernetes with a Service Mesh like Istio Observe Control Secure map, log, discover access policies, rate limits, mutual tls between containers a/b testing, canary channel, inject faults, circuit breaker 30

  31. Kavya Pearlman Rob Richardson @KavyaPearlman @rob_rich www.wallarm.com robrich.org 31

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Using Zoom at DU https://udenver.zoom.us/ Zoom: 1, 2, 3, 4, 5 1. Sign into Zoom with DU email

Using Zoom at DU https://udenver.zoom.us/ Zoom: 1, 2, 3, 4, 5 1. Sign into Zoom with DU email

Using Zoom at DU https://udenver.zoom.us/ Zoom: 1, 2, 3, 4, 5 1. Sign into Zoom with DU email (first.lastname@du.edu) 2. Download Zoom App 3. Test Microphone and Speakers in Zoom 4. Share your Screen 5. Record and Distribute Video Link 1. Sign

434 views • 11 slides
I. I.c. Zo Zoom Presentat ation Why Zoom? Zoom is commonly used at UTRGV to deliver live

I. I.c. Zo Zoom Presentat ation Why Zoom? Zoom is commonly used at UTRGV to deliver live

I. I.c. Zo Zoom Presentat ation Why Zoom? Zoom is commonly used at UTRGV to deliver live presentations. Who will present via Zoom? From June 1 st through the 4th, an adhoc committee will decide which research projects merit a live

58 views • 5 slides
Zoom zoom zoom zoom Chloe Martindale Joint work with Francois Dupressoir Inspired by DJ

Zoom zoom zoom zoom Chloe Martindale Joint work with Francois Dupressoir Inspired by DJ

Zoom zoom zoom zoom Chloe Martindale Joint work with Francois Dupressoir Inspired by DJ Bernstein and the Vengaboys Woah oh Woah oh Woah oh Woah oh Cryptoband is back in town If you're alone and you need a friend Someone to help you solve

124 views • 9 slides
Event Presentations in Zoom *If you have not claimed your Kenan-Flagler Zoom Pro account or

Event Presentations in Zoom *If you have not claimed your Kenan-Flagler Zoom Pro account or

Event Presentations in Zoom *If you have not claimed your Kenan-Flagler Zoom Pro account or installed zoom, please use the instructions on the Zoom Video Conferencing IT page to do so* Event This guide will walk you through creating and hosting

326 views • 4 slides
Recording a Video Presentation Using Zoom Recording a Video Presentation Using Zoom Before you

Recording a Video Presentation Using Zoom Recording a Video Presentation Using Zoom Before you

Recording a Video Presentation Using Zoom Recording a Video Presentation Using Zoom Before you begin recording, make sure you have a webcam and microphone connected to your computer. 1. Access Zoom by going to https://walsh.zoom.us/ and clicking

135 views • 9 slides
Zoom Record and Share an Asynchronous Video or Presentation Zoom is available to all faculty,

Zoom Record and Share an Asynchronous Video or Presentation Zoom is available to all faculty,

Zoom Record and Share an Asynchronous Video or Presentation Zoom is available to all faculty, staff, and students at ETSU. Activate your ETSU Zoom account by signing in to the web portal at https://etsu.zoom.us/ using your current ETSU email and

504 views • 6 slides
HOW TO CREATE PRESENTATION RECORDINGS ON ZOOM Steps If you do not have zoom, please see the

HOW TO CREATE PRESENTATION RECORDINGS ON ZOOM Steps If you do not have zoom, please see the

HOW TO CREATE PRESENTATION RECORDINGS ON ZOOM Steps If you do not have zoom, please see the https://www.adelaide.edu.au/technology/your- support/self-help-guides for instructions on how to download the application If you require further

75 views • 5 slides
Energy Trust Info Session and Q&A July 16, 2020 Zoom Tips Zoom Tips Zoom Tips Send chats

Energy Trust Info Session and Q&A July 16, 2020 Zoom Tips Zoom Tips Zoom Tips Send chats

Energy Trust Info Session and Q&A July 16, 2020 Zoom Tips Zoom Tips Zoom Tips Send chats to the whole group, or to one of the meeting hosts Hannah Cruz Ryan Cook Our Agenda 12 12:30 p.m. Welcome Message (Reverend E.D.

469 views • 45 slides
Recording a Presentation in Zoom Zoom is a free video communications tool that will allow you to

Recording a Presentation in Zoom Zoom is a free video communications tool that will allow you to

Recording a Presentation in Zoom Zoom is a free video communications tool that will allow you to record your presentations and poster sessions. You will need to download Zoom to your computer in order to record and present. If you already have

245 views • 10 slides
ZOOM Meeting Tips Zoom Meeting ID: 918 6155 6777 # Join the Zoom meeting with video, if you have

ZOOM Meeting Tips Zoom Meeting ID: 918 6155 6777 # Join the Zoom meeting with video, if you have

ZOOM Meeting Tips Zoom Meeting ID: 918 6155 6777 # Join the Zoom meeting with video, if you have a camera Join the Zoom meeting with computer audio If you are having issues on your computer or app, join by call-in number: 1-312-626-6799 Meeting

578 views • 35 slides
Welcome to Zoom lectures: T/Th 10:00 11:20 (recordings on Canvas) Zoom office hours CSE

Welcome to Zoom lectures: T/Th 10:00 11:20 (recordings on Canvas) Zoom office hours CSE

Organization Welcome to Zoom lectures: T/Th 10:00 11:20 (recordings on Canvas) Zoom office hours CSE 571 Robotics Dieter: Fri 9am Chris: Mon 4pm Xiangyun: Wed 2pm Tasks 4 homeworks covering Gaussian processes,

979 views • 8 slides
the right camera mic equipment zoom.us Sign-in to ZOOM getting started JOIN JOIN a MEETING

the right camera mic equipment zoom.us Sign-in to ZOOM getting started JOIN JOIN a MEETING

THREE BASIC GOALS to help your ministry ZOOM! Z M 1. tools for participants TRAINING 2. tools for host ZOOM into Ministry 3. ideas for ministry presented by Carol Lynn Tetzla ff COMPUTER: camera, speakers & mic speakers the right

776 views • 13 slides
SETTING UP FREE ZOOM VIDEO CONFERENCING ACCOUNT STEP-BY-SETP Type zoom.us (not zoom.com) in

SETTING UP FREE ZOOM VIDEO CONFERENCING ACCOUNT STEP-BY-SETP Type zoom.us (not zoom.com) in

SETTING UP FREE ZOOM VIDEO CONFERENCING ACCOUNT STEP-BY-SETP Type zoom.us (not zoom.com) in browsers address bar Click Sign up for Free button Complete date of birth Click Continue button information Enter your work email address Click

777 views • 20 slides
Online Meetings with Zoom For Participants and Hosts 1 Zoom for Participants and Hosts July

Online Meetings with Zoom For Participants and Hosts 1 Zoom for Participants and Hosts July

Zoom for Participants and Hosts July 2018 Online Meetings with Zoom For Participants and Hosts 1 Zoom for Participants and Hosts July 2018 What is Zoom? This Web Conferencing service is offered free of charge to eligible officers of

180 views • 17 slides
Zoom Instructions Please click here to view the recording a zoom meeting video. Further step

Zoom Instructions Please click here to view the recording a zoom meeting video. Further step

Zoom Instructions Please click here to view the recording a zoom meeting video. Further step by step instructions are included below: 1. Open the slides you wish to present, then minimise. 2. Install the Zoom.us software or application on

544 views • 3 slides
Welcome! Welcome! Todays session will begin shortly. Zoom Webinar Reminders Zoom

Welcome! Welcome! Todays session will begin shortly. Zoom Webinar Reminders Zoom

Welcome! Welcome! Todays session will begin shortly. Zoom Webinar Reminders Zoom technical support at 1-888-799-9666, option 2 Audio streamed through your speakers Submit questions at any time in the Q&A box at the bottom of

1.14k views • 93 slides
South Campus Continuous Learning Teacher Information 4/27-5/1 Name: Bruce Callahan Mr.

South Campus Continuous Learning Teacher Information 4/27-5/1 Name: Bruce Callahan Mr.

South Campus Continuous Learning Teacher Information 4/27-5/1 Name: Bruce Callahan Mr. Callahan Email: bcallahan@sw.wednet.edu Announcements: I sure enjoy seeing all of you during our zoom meeting. You all look awesome and so do your

569 views • 20 slides
LISC Houston Opportunity Zone Briefing January 18, 2019 What are Opportunity Zones? The

LISC Houston Opportunity Zone Briefing January 18, 2019 What are Opportunity Zones? The

LISC Houston Opportunity Zone Briefing January 18, 2019 What are Opportunity Zones? The Opportunity Zone tax incentive is a bipartisan initiative to spur long-term private investment in low-income urban and rural communities, established by

731 views • 28 slides
Mesos at Yelp: Building a production ready PaaS Rob Johnson robj@yelp.com/@rob_johnson_ Who Am

Mesos at Yelp: Building a production ready PaaS Rob Johnson robj@yelp.com/@rob_johnson_ Who Am

Mesos at Yelp: Building a production ready PaaS Rob Johnson robj@yelp.com/@rob_johnson_ Who Am I: - Rob Johnson - Operations Team at Yelp - Spend most of my time working on PaaSTA Yelps Mission: Connecting people with great local

927 views • 74 slides
Infrastructure as a Service (IaaS) Google Compute Engine AWS Elastic Compute Cloud (EC2) Azure

Infrastructure as a Service (IaaS) Google Compute Engine AWS Elastic Compute Cloud (EC2) Azure

Infrastructure as a Service (IaaS) Google Compute Engine AWS Elastic Compute Cloud (EC2) Azure Virtual Machines Google Compute Engine (GCE) Infrastructure-as-a-Service Hardware service for you to create and run virtual machine instances

535 views • 34 slides
Support Lubbock Fund OVERVIEW Who is this program for? What can the funds be used for? What are

Support Lubbock Fund OVERVIEW Who is this program for? What can the funds be used for? What are

Support Lubbock Fund OVERVIEW Who is this program for? What can the funds be used for? What are the terms/conditions? Is there loan forgiveness? How does a small business apply? This fund was created for small businesses in Lubbock that have

249 views • 9 slides
Convolutional Networks Instructor: John Thickstun Discussion Board: Available on Ed Zoom Link:

Convolutional Networks Instructor: John Thickstun Discussion Board: Available on Ed Zoom Link:

Convolutional Networks Instructor: John Thickstun Discussion Board: Available on Ed Zoom Link: Available on Canvas Instructor Contact: thickstn@cs.washington.edu Course Webpage: https://courses.cs.washington.edu/courses/cse599i/20au/ CSE 599I:

364 views • 15 slides
MATH 20: PROBABILITY Course Overview Xingru Chen xingru.chen.gr@dartmouth.edu XC 2020 Co

MATH 20: PROBABILITY Course Overview Xingru Chen xingru.chen.gr@dartmouth.edu XC 2020 Co

MATH 20: PROBABILITY Course Overview Xingru Chen xingru.chen.gr@dartmouth.edu XC 2020 Co Course Description Instructor Course time Xingru Chen li live sessions MWF 11:30 am - 12:35 pm Email:

386 views • 11 slides
D3 Tutorial Interactions Edit by Jiayi Xu and Han-Wei Shen, The Ohio State University

D3 Tutorial Interactions Edit by Jiayi Xu and Han-Wei Shen, The Ohio State University

D3 Tutorial Interactions Edit by Jiayi Xu and Han-Wei Shen, The Ohio State University Interactions It is often required to interact with our visualizations, e.g. hovering, zooming, clicking etc., to change the appearance of the visual

585 views • 24 slides

More recommend