1. Policy as code: What Helm Developers Need to Know About Security
Cesar Rodriguez
Head of Developer Advocacy
2.
92% of organizations are using containers in production.
83% of organizations are using Kubernetes in production.
CNCF Survey 2020 / Photo by CHUTTERSNAP on Unsplash
6.
➜ ~ brew install mysql
➜ ~ docker run --name cesar-mysql -e MYSQL_ROOT_PASSWORD=super-secret-password -d mysql:latest
7.
➜ ~ helm install mysql bitnami/mysql
14. Security Risk Categories
Data Protection: enforcing encryption helps protect data traversing network boundaries and data at rest.
Access Management: access to cloud resources should be controlled, enforcing least privilege and avoiding accidental public exposure.
Network Security: security controls should be applied at the network layer to prevent unintended exposure.
Visibility: ensuring logging and monitoring of cloud systems is enabled and accessible by the security team.
17. Example - Wordpress Architecture Policies
1. Secrets in environment vars (CIS k8s benchmark 5.4.1)
2. Containers running as root (CIS k8s benchmark 5.2.6)
3. Privilege escalation setting (CIS k8s benchmark 5.2.5)
24. Rego #1: Avoid Secrets in Env Variables
# Partial set rule: the deployment id is added to the set whenever any
# container env var is sourced from a Secret (valueFrom.secretKeyRef).
containerUsesSecretsInEnvironmentVar[api.id] {
    api = input.kubernetes_deployment[_]
    spec = api.config.spec.template.spec
    containers = spec.containers[_]
    envVars := containers.env[_]
    envVars.valueFrom.secretKeyRef
}
25. Rego #1: Avoid Secrets in Env Variables
# Deployment matched by the rule above. Deployments live in apps/v1 and keep
# their pod spec under spec.template.spec, which is the path the rule walks.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: secret-env-pod
spec:
  selector:
    matchLabels:
      app: secret-env-pod
  template:
    metadata:
      labels:
        app: secret-env-pod
    spec:
      containers:
      - name: mycontainer
        image: redis
        env:
        # both values are read from a Secret: this is what the rule flags
        - name: SECRET_USERNAME
          valueFrom:
            secretKeyRef:
              name: mysecret
              key: username
        - name: SECRET_PASSWORD
          valueFrom:
            secretKeyRef:
              name: mysecret
              key: password
      restartPolicy: Always  # Deployments only permit Always
26. Rego #2: Privilege Escalation
# Flag a deployment whose pod securityContext leaves privilege escalation possible.
privilegeEscalationCheck[pod.id] {
    pod := object.get(input, "kubernetes_deployment", "undefined")[_]
    secContext := pod.config.spec.template.spec.securityContext
    podSecurityCheck(secContext)
}

# Two bodies for the same rule act as OR: either condition is a finding.
podSecurityCheck(secContext) {
    # allowPrivilegeEscalation explicitly enabled
    secContext.allowPrivilegeEscalation == "true"
}

podSecurityCheck(secContext) {
    # allowPrivilegeEscalation not set at all: Kubernetes then defaults it to
    # true, so the check fails closed instead of silently passing
    object.get(secContext, "allowPrivilegeEscalation", "undefined") == "undefined"
}
29. Rego #2: Privilege Escalation
# matched by the first podSecurityCheck body: escalation explicitly allowed
securityContext:
  runAsUser: 1000
  runAsGroup: 3000
  fsGroup: 2000
  allowPrivilegeEscalation: true
30. Rego #3 Running as Root
# Each pair of bodies acts as OR: a finding is raised when the field carries
# the unsafe value, or when it is missing entirely (the check fails closed).
runAsNonRootCheck(secContext) {
    # runAsNonRoot explicitly disabled
    secContext.runAsNonRoot == "false"
}

runAsNonRootCheck(secContext) {
    # runAsNonRoot not set, so the kubelet does not enforce a non-root user
    object.get(secContext, "runAsNonRoot", "undefined") == "undefined"
}

runAsUserCheck(secContext) {
    # uid 0 is root
    secContext.runAsUser == "0"
}

runAsUserCheck(secContext) {
    # runAsUser not set, so the image's USER (root unless the image says otherwise) applies
    object.get(secContext, "runAsUser", "undefined") == "undefined"
}
32. Rego #3 Running as Root
# matched by runAsNonRootCheck: non-root explicitly disabled
securityContext:
  runAsNonRoot: false
  runAsGroup: 3000
  fsGroup: 2000
# matched by runAsUserCheck: uid 0 is root
securityContext:
  runAsUser: 0
  runAsGroup: 3000
  fsGroup: 2000
36.
➜ ~ terrascan scan -p policies -i helm
Violation Details -
Description: Container uses secrets in environment variables
File : wordpress/templates/deployment.yaml
Line : 1
Severity : HIGH
-----------------------------------------------------------------------
Description: Containers Should Not Run with AllowPrivilegeEscalation
File : wordpress/templates/deployment.yaml
Line : 1
Severity : HIGH
-----------------------------------------------------------------------
Description: Minimize Admission of Root Containers
File : wordpress/templates/deployment.yaml
Line : 1
Severity : HIGH
37.
➜ ~ terrascan scan -p policies -i helm -r git -u git@github.com:helm/charts.git//stable//wordpress
Violation Details -
Description: Container uses secrets in environment variables
File : wordpress/templates/deployment.yaml
Line : 1
Severity : HIGH
-----------------------------------------------------------------------
Description: Containers Should Not Run with AllowPrivilegeEscalation
File : wordpress/templates/deployment.yaml
Line : 1
Severity : HIGH
-----------------------------------------------------------------------
38.
➜ ~ alias no_terrascan_highs='terrascan scan -p policies -i helm -o json | (( $(jq ".results.scan_summary.high") == 0 ))'
➜ ~ no_terrascan_highs && helm install wordpress .
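As an added example (not the talk's code and not terrascan's policies), the three slide checks and the no_terrascan_highs gate re-implemented in Python over a rendered Deployment. Unlike the Rego above it reads the raw manifest rather than terrascan's `config` wrapper, compares YAML booleans and integers natively, and resolves container-level over pod-level securityContext as Kubernetes does (the slides' pod-level check does not); the SAMPLE manifest, its image name and Secret name are constructed.

```python
import json
# Constructed sample (not from the talk): a rendered Deployment that trips all
# three checks; the pod-level securityContext deliberately omits most fields.
SAMPLE = json.loads("""{"apiVersion": "apps/v1", "kind": "Deployment",
 "metadata": {"name": "wordpress"}, "spec": {"template": {"spec": {
   "securityContext": {"runAsGroup": 3000},
   "containers": [{"name": "wordpress", "image": "example/wordpress",
     "env": [{"name": "WORDPRESS_PASSWORD",
              "valueFrom": {"secretKeyRef": {"name": "wp", "key": "password"}}}],
     "securityContext": {"runAsUser": 0}}]}}}}""")

def _pod_spec(dep):
    return dep["spec"]["template"]["spec"]

def _effective(container, pod_spec, field):
    # Container securityContext overrides the pod one (Kubernetes precedence); None if set at neither
    for ctx in (container.get("securityContext", {}), pod_spec.get("securityContext", {})):
        if field in ctx:
            return ctx[field]
    return None

def uses_secret_env(dep):
    # CIS 5.4.1: any env var sourced from a Secret via valueFrom.secretKeyRef
    return any("secretKeyRef" in e.get("valueFrom", {})
               for c in _pod_spec(dep).get("containers", []) for e in c.get("env", []))

def allows_privilege_escalation(dep):
    # CIS 5.2.5: absent means Kubernetes defaults it to true, so unset counts as a finding (fail closed)
    return any(c.get("securityContext", {}).get("allowPrivilegeEscalation", True) is True
               for c in _pod_spec(dep).get("containers", []))

def runs_as_root(dep):
    # CIS 5.2.6: uid 0, or no uid pinned while runAsNonRoot is not enforced
    spec = _pod_spec(dep)
    return any(_effective(c, spec, "runAsUser") == 0
               or (_effective(c, spec, "runAsUser") is None
                   and _effective(c, spec, "runAsNonRoot") is not True)
               for c in spec.get("containers", []))

CHECKS = [("Container uses secrets in environment variables", uses_secret_env),
          ("Containers Should Not Run with AllowPrivilegeEscalation", allows_privilege_escalation),
          ("Minimize Admission of Root Containers", runs_as_root)]

def evaluate(dep):
    # terrascan-style violation list; every check is HIGH, as on the slides
    return [{"description": d, "severity": "HIGH"} for d, check in CHECKS if check(dep)]

def allow_install(dep):
    # Same gate as the no_terrascan_highs alias: proceed only with zero HIGHs
    return sum(v["severity"] == "HIGH" for v in evaluate(dep)) == 0
```

Running `evaluate(SAMPLE)` yields all three HIGH findings and `allow_install(SAMPLE)` is False; setting allowPrivilegeEscalation to false, pinning a non-zero runAsUser and moving the password out of env makes the gate pass.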