SlideShare a Scribd company logo

Kubernetes Security Best Practices

Download as PPTX, PDF
M
Michael Cherny

This document provides best practices for securing a Kubernetes deployment. It recommends integrating security into the CI/CD pipeline by only using vetted code for builds, scanning images for vulnerabilities, and using private registries to store and push only approved images. It also suggests limiting direct access to Kubernetes nodes, implementing fine-grained role-based access control and quotas, securely managing secrets, implementing network segmentation and "least privilege" controls. Finally, it stresses the importance of logging all activity and integrating logs with monitoring systems for visibility.

Software
1 of 34
Copyright @ 2017 Aqua Security Software Ltd. All Rights Reserved. Security Best Practices for Kubernetes Deployment Michael Cherny Head of Research, Aqua Security
2 WHO AM I  Head of Security Research at Aqua Security, a leader in container security  20 years of building security products, development and research  Held senior security research positions at Microsoft, Aorato and Imperva.  Presented at security conferences, among them, BlackHat Europe, RSA Europe and Virus Bulleting.
3 BUILD SECURITY ALIGNED WITH DEVOPS Build Ship Cluster Environment Networking and Runtime Monitoring Productio n Dev. / Testing  
BUILD AND SHIP
5 BUILD AND SHIP  Ensure That Only Authorized Images are Used in Your Environment  Ensure That Images Are Free of Vulnerabilities  Integrate Security into your CI/CD pipeline
6 SECURITY INTEGRATED WITH CI/CD Build • Only vetted code (approved for production) is used for building the images ShipTest  
7 SECURITY INTEGRATED WITH CI/CD Build • Implement Continuous Security Vulnerability Scanning • Regularly Apply Security Updates to Your Environment ShipTest  
8 SECURITY INTEGRATED WITH CI/CD Build • Use private registries to store your approved images - make sure you only push approved images to these registries ShipTest  
CLUSTER ENVIRONMENT
10 SSH LIMIT DIRECT ACCESS TO KUBERNETES NODES  Limit SSH access to Kubernetes nodes  Ask users to use “kubectl exec”
11 CONSIDER KUBERNETES AUTHORIZATION PLUGINS  Enables define fine-grained-access control rules  Namespaces  Containers  Operations  ABAC mode  RBAC mode  Webhook mode  Custom mode
12 CREATE ADMINISTRATIVE BOUNDARIES BETWEEN RESOURCES  Limits the damage of mistake or malicious intent  Partition resources into logical groups  Use Kubernetes namespaces to facilitate resource segregation  Kubernetes Authorization plugins to segregate user’s access to namespace resources
13 CREATE ADMINISTRATIVE BOUNDARIES BETWEEN RESOURCES  Example: allow ‘alice’ to read pods from namespace ‘fronto’ { "apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": { "user": "alice", "namespace": "fronto", "resource": "pods", "readonly": true } }
14 DEFINE RESOURCE QUOTA  Resource-unbound containers in shared cluster are bad practice  Create resource quota policies  Pods  CPUs  Memory  Etc.  Assigned to namespace
15 DEFINE RESOURCE QUOTA EXAMPLE  computer-resource.yaml apiVersion: v1 kind: ResourceQuota metadata: name: compute-resources spec: hard: pods: "4“ requests.cpu: "1“ requests.memory: 1Gi limits.cpu: "2“ limits.memory: 2Gi  kubectl create -f ./compute-resources.yaml -- namespace=myspace
16 SAFELY DISTRIBUTE YOUR SECRETS  Storing sensitive data in docker file, POD definition etc. is not safe  Centrally and securely stored secrets  Manage user access  Manage containers/pods access  Store securely  Facilitate secrets expiry and rotation  Etc.
17 KUBERNETES SECRETS  Secret object  As file  As Environment variable  Risks  Secrets stored in plain text  Is at rest  No separation of duties: operator can see secret value  Secrets are available, even if there is no container using it
18 KUBERNETES SECRETS - EXAMPLE  echo -n "admin" > ./username.txt echo -n "1f2d1e2e67df" > ./password.txt  kubectl create secret generic db-user-pass --from- file=./username.txt --from-file=./password.txt secret "db-user-pass" created  kubectl get secrets  Kubectl describe secrets/db-user-pass
19 KUBERNETES SECRETS - EXAMPLE  It call also be done manually  echo -n "admin" | base64 YWRtaW4=  echo -n "1f2d1e2e67df" | base64 MWYyZDFlMmU2N2Rm apiVersion: v1 kind: Secret metadata: name: mysecret type: Opaque data: username: YWRtaW4= password: MWYyZDFlMmU2N2Rm  kubectl create -f ./secret.yaml
NETWORKING
21 IMPLEMENT NETWORK SEGMENTATION  “Good neighbor” compromised application is a door open into cluster  Network segmentation  Ensures that container can communicate only with whom it must
22 IMPLEMENT NETWORK SEGMENTATION  Cross-cluster segmentation can be achieved using firewall rules  “dynamic” nature of container network identities makes container network segmentation a true challenge  Kubernetes Network SIG works on pod-to-pod network policies  Currently only ingress policies can be defined
23 IMPLEMENT NETWORK SEGMENTATION: EXAMPLE  Enable using an annotation on the Namespace kind: Namespace apiVersion: v1 metadata: annotations: net.beta.kubernetes.io/network-policy: | { "ingress": { "isolation": "DefaultDeny" } } kubectl annotate ns <namespace> "net.beta.kubernetes.io/network-policy={"ingress": {"isolation": "DefaultDeny"}}"
24 IMPLEMENT NETWORK SEGMENTATION: EXAMPLE apiVersion: extensions/v1beta1 kind: NetworkPolicy metadata: name: test-network-policy namespace: default spec: podSelector: matchLabels: role: db ingress: - from: - namespaceSelector: matchLabels: project: myproject - podSelector: matchLabels: role: frontend ports: - protocol: tcp port: 6379 kubectl create -f policy.yaml
RUNTIME
26 RUNTIME  Implement “least privileges” principal  Security Context control security parameters to be assigned  Pod  Containers  Pod Security Policy  Consider Kubernetes admission controllers:  “DenyEscalatingExec” – for containers/pods with elevated privileges  “ImagePolicyWebhook” – Kubernetes support to plug external image reviewer  “AlwaysPullImages” – in multitenant cluster
27 SECURITY CONTEXT Security Context Setting Description SecurityContext->runAsNonRoot Indicates that containers should run as non-root user SecurityContext->Capabilities Controls the Linux capabilities assigned to the container. SecurityContext->readOnlyRootFilesystem Controls whether a container will be able to write into the root filesystem. PodSecurityContext->runAsNonRoot Prevents running a container with ‘root’ user as part of the pod
28 SECURITY CONTEXT: EXAMPLE apiVersion: v1 kind: Pod metadata: name: hello-world spec: containers: # specification of the pod’s containers # ... securityContext: readOnlyRootFilesystem: true runAsNonRoot: true
29 IMAGE POLICY WEBHOOK  api.imagepolicy.v1alpha1.ImageReview object describing the action  Fields describing the containers being admitted, as well as any pod annotations that match *.image- policy.k8s.io/*
30 IMAGE POLICY WEBHOOK: EXAMPLE { "apiVersion":"imagepolicy.k8s.io/v1alpha1", "kind":"ImageReview", "spec":{ "containers":[ { "image":"myrepo/myimage:v1“ }, { "image":"myrepo/myimage@sha256:beb6bd6a68f114c1dc2ea4b28db81bdf91de202a9014972bec5e4d9171d 90ed“ } ], "annotations":[ "mycluster.image-policy.k8s.io/ticket-1234": "break-glass“ ], "namespace":"mynamespace“ } }
31 MONITORING AND VISIBILITY  Log everything  Cluster-based logging  Log container activity into a central log hub.  Use Fluentd agent on each node  Ingested logs using  Google Stackdriver Logging  Elasticsearch  Viewed with Kibana.
SUMMARY
33 SECURITY ALIGNED WITH DEVOPS Build Ship Cluster Environment Networking and Runtime Monitoring Productio n Dev. / Testing Only vetted code can be used for build Scan images against known vulnerabilities Use private registries Only approved images are pushed Only use kubectl Fine-grained-access control to resources Create administrative boundaries and assign resource quotas Manage your secrets Implement “least privileges” principal Isolate container networks in logical application groups Log everything Integrates with SIEM and monitoring systems  
THANK YOU Michael Cherny cherny@aquasec.com @chernymi https://www.aquasec.com

Recommended

Kubernetes deployment on bare metal with container linux
Kubernetes deployment on bare metal with container linuxKubernetes deployment on bare metal with container linux
Kubernetes deployment on bare metal with container linuxmacchiang
 
K8s security best practices
K8s security best practicesK8s security best practices
K8s security best practicesSharon Vendrov
 
Container Security Deep Dive & Kubernetes
Container Security Deep Dive & Kubernetes Container Security Deep Dive & Kubernetes
Container Security Deep Dive & Kubernetes Aqua Security
 
Kubernetes - Security Journey
Kubernetes - Security JourneyKubernetes - Security Journey
Kubernetes - Security JourneyJerry Jalava
 
How abusing the Docker API led to remote code execution same origin bypass an...
How abusing the Docker API led to remote code execution same origin bypass an...How abusing the Docker API led to remote code execution same origin bypass an...
How abusing the Docker API led to remote code execution same origin bypass an...Aqua Security
 
Multi-Container Apps spanning Docker, Mesos and OpenStack
Multi-Container Apps spanning Docker, Mesos and OpenStackMulti-Container Apps spanning Docker, Mesos and OpenStack
Multi-Container Apps spanning Docker, Mesos and OpenStackDocker, Inc.
 
Containers, Clusters and Kubernetes - Brendan Burns - Defrag 2014
Containers, Clusters and Kubernetes - Brendan Burns - Defrag 2014Containers, Clusters and Kubernetes - Brendan Burns - Defrag 2014
Containers, Clusters and Kubernetes - Brendan Burns - Defrag 2014brendandburns
 
Introducing LinuxKit
Introducing LinuxKitIntroducing LinuxKit
Introducing LinuxKitDocker, Inc.
 

Recommended

Kubernetes deployment on bare metal with container linux
Kubernetes deployment on bare metal with container linuxKubernetes deployment on bare metal with container linux
Kubernetes deployment on bare metal with container linuxmacchiang
 
K8s security best practices
K8s security best practicesK8s security best practices
K8s security best practicesSharon Vendrov
 
Container Security Deep Dive & Kubernetes
Container Security Deep Dive & Kubernetes Container Security Deep Dive & Kubernetes
Container Security Deep Dive & Kubernetes Aqua Security
 
Kubernetes - Security Journey
Kubernetes - Security JourneyKubernetes - Security Journey
Kubernetes - Security JourneyJerry Jalava
 
How abusing the Docker API led to remote code execution same origin bypass an...
How abusing the Docker API led to remote code execution same origin bypass an...How abusing the Docker API led to remote code execution same origin bypass an...
How abusing the Docker API led to remote code execution same origin bypass an...Aqua Security
 
Multi-Container Apps spanning Docker, Mesos and OpenStack
Multi-Container Apps spanning Docker, Mesos and OpenStackMulti-Container Apps spanning Docker, Mesos and OpenStack
Multi-Container Apps spanning Docker, Mesos and OpenStackDocker, Inc.
 
Containers, Clusters and Kubernetes - Brendan Burns - Defrag 2014
Containers, Clusters and Kubernetes - Brendan Burns - Defrag 2014Containers, Clusters and Kubernetes - Brendan Burns - Defrag 2014
Containers, Clusters and Kubernetes - Brendan Burns - Defrag 2014brendandburns
 
Introducing LinuxKit
Introducing LinuxKitIntroducing LinuxKit
Introducing LinuxKitDocker, Inc.
 
K8s security best practices
K8s security best practicesK8s security best practices
K8s security best practicesSharon Vendrov
 
Building Clustered Applications with Kubernetes and Docker
Building Clustered Applications with Kubernetes and DockerBuilding Clustered Applications with Kubernetes and Docker
Building Clustered Applications with Kubernetes and DockerSteve Watt
 
Container Security
Container SecurityContainer Security
Container SecurityJie Liau
 
Effective Data Pipelines with Docker & Jenkins - Brian Donaldson
Effective Data Pipelines with Docker & Jenkins - Brian DonaldsonEffective Data Pipelines with Docker & Jenkins - Brian Donaldson
Effective Data Pipelines with Docker & Jenkins - Brian DonaldsonDocker, Inc.
 
A brief study on Kubernetes and its components
A brief study on Kubernetes and its componentsA brief study on Kubernetes and its components
A brief study on Kubernetes and its componentsRamit Surana
 
Kubernetes Security
Kubernetes SecurityKubernetes Security
Kubernetes Securityinovex GmbH
 
Kubernetes Summit 2019 - Harden Your Kubernetes Cluster
Kubernetes Summit 2019 - Harden Your Kubernetes ClusterKubernetes Summit 2019 - Harden Your Kubernetes Cluster
Kubernetes Summit 2019 - Harden Your Kubernetes Clustersmalltown
 
Kubernetes - how to orchestrate containers
Kubernetes - how to orchestrate containersKubernetes - how to orchestrate containers
Kubernetes - how to orchestrate containersinovex GmbH
 
Achieving CI/CD with Kubernetes
Achieving CI/CD with KubernetesAchieving CI/CD with Kubernetes
Achieving CI/CD with KubernetesRamit Surana
 
Scaling Microservices with Kubernetes
Scaling Microservices with KubernetesScaling Microservices with Kubernetes
Scaling Microservices with KubernetesDeivid Hahn Fração
 
Cloud networking deep dive
Cloud networking deep diveCloud networking deep dive
Cloud networking deep diveamylynn11
 
CI / CD / CS - Continuous Security in Kubernetes
CI / CD / CS - Continuous Security in KubernetesCI / CD / CS - Continuous Security in Kubernetes
CI / CD / CS - Continuous Security in KubernetesSysdig
 
Platform as a Service with Kubernetes and Mesos
Platform as a Service with Kubernetes and Mesos Platform as a Service with Kubernetes and Mesos
Platform as a Service with Kubernetes and Mesos Miguel Zuniga
 
Docker London: Container Security
Docker London: Container SecurityDocker London: Container Security
Docker London: Container SecurityPhil Estes
 
Moving to Kubernetes - Tales from SoundCloud
Moving to Kubernetes - Tales from SoundCloudMoving to Kubernetes - Tales from SoundCloud
Moving to Kubernetes - Tales from SoundCloudTobias Schmidt
 
Docker Online Meetup: Infrakit update and Q&A
Docker Online Meetup: Infrakit update and Q&ADocker Online Meetup: Infrakit update and Q&A
Docker Online Meetup: Infrakit update and Q&ADocker, Inc.
 
Kubernetes - Starting with 1.2
Kubernetes - Starting with 1.2Kubernetes - Starting with 1.2
Kubernetes - Starting with 1.2William Stewart
 
Continuous delivery of microservices with kubernetes - Quintor 27-2-2017
Continuous delivery of microservices with kubernetes - Quintor 27-2-2017Continuous delivery of microservices with kubernetes - Quintor 27-2-2017
Continuous delivery of microservices with kubernetes - Quintor 27-2-2017Arjen Wassink
 
Kubernetes - Sailing a Sea of Containers
Kubernetes - Sailing a Sea of ContainersKubernetes - Sailing a Sea of Containers
Kubernetes - Sailing a Sea of ContainersKel Cecil
 
Deploying Kubernetes without scaring off your security team - KubeCon 2017
Deploying Kubernetes without scaring off your security team - KubeCon 2017Deploying Kubernetes without scaring off your security team - KubeCon 2017
Deploying Kubernetes without scaring off your security team - KubeCon 2017Major Hayden
 
Extend and build on Kubernetes
Extend and build on KubernetesExtend and build on Kubernetes
Extend and build on KubernetesStefan Schimanski
 
Docker Security: Are Your Containers Tightly Secured to the Ship?
Docker Security: Are Your Containers Tightly Secured to the Ship?Docker Security: Are Your Containers Tightly Secured to the Ship?
Docker Security: Are Your Containers Tightly Secured to the Ship?Michael Boelen
 

More Related Content

What's hot

K8s security best practices
K8s security best practicesK8s security best practices
K8s security best practicesSharon Vendrov
 
Building Clustered Applications with Kubernetes and Docker
Building Clustered Applications with Kubernetes and DockerBuilding Clustered Applications with Kubernetes and Docker
Building Clustered Applications with Kubernetes and DockerSteve Watt
 
Container Security
Container SecurityContainer Security
Container SecurityJie Liau
 
Effective Data Pipelines with Docker & Jenkins - Brian Donaldson
Effective Data Pipelines with Docker & Jenkins - Brian DonaldsonEffective Data Pipelines with Docker & Jenkins - Brian Donaldson
Effective Data Pipelines with Docker & Jenkins - Brian DonaldsonDocker, Inc.
 
A brief study on Kubernetes and its components
A brief study on Kubernetes and its componentsA brief study on Kubernetes and its components
A brief study on Kubernetes and its componentsRamit Surana
 
Kubernetes Security
Kubernetes SecurityKubernetes Security
Kubernetes Securityinovex GmbH
 
Kubernetes Summit 2019 - Harden Your Kubernetes Cluster
Kubernetes Summit 2019 - Harden Your Kubernetes ClusterKubernetes Summit 2019 - Harden Your Kubernetes Cluster
Kubernetes Summit 2019 - Harden Your Kubernetes Clustersmalltown
 
Kubernetes - how to orchestrate containers
Kubernetes - how to orchestrate containersKubernetes - how to orchestrate containers
Kubernetes - how to orchestrate containersinovex GmbH
 
Achieving CI/CD with Kubernetes
Achieving CI/CD with KubernetesAchieving CI/CD with Kubernetes
Achieving CI/CD with KubernetesRamit Surana
 
Scaling Microservices with Kubernetes
Scaling Microservices with KubernetesScaling Microservices with Kubernetes
Scaling Microservices with KubernetesDeivid Hahn Fração
 
Cloud networking deep dive
Cloud networking deep diveCloud networking deep dive
Cloud networking deep diveamylynn11
 
CI / CD / CS - Continuous Security in Kubernetes
CI / CD / CS - Continuous Security in KubernetesCI / CD / CS - Continuous Security in Kubernetes
CI / CD / CS - Continuous Security in KubernetesSysdig
 
Platform as a Service with Kubernetes and Mesos
Platform as a Service with Kubernetes and Mesos Platform as a Service with Kubernetes and Mesos
Platform as a Service with Kubernetes and Mesos Miguel Zuniga
 
Docker London: Container Security
Docker London: Container SecurityDocker London: Container Security
Docker London: Container SecurityPhil Estes
 
Moving to Kubernetes - Tales from SoundCloud
Moving to Kubernetes - Tales from SoundCloudMoving to Kubernetes - Tales from SoundCloud
Moving to Kubernetes - Tales from SoundCloudTobias Schmidt
 
Docker Online Meetup: Infrakit update and Q&A
Docker Online Meetup: Infrakit update and Q&ADocker Online Meetup: Infrakit update and Q&A
Docker Online Meetup: Infrakit update and Q&ADocker, Inc.
 
Kubernetes - Starting with 1.2
Kubernetes - Starting with 1.2Kubernetes - Starting with 1.2
Kubernetes - Starting with 1.2William Stewart
 
Continuous delivery of microservices with kubernetes - Quintor 27-2-2017
Continuous delivery of microservices with kubernetes - Quintor 27-2-2017Continuous delivery of microservices with kubernetes - Quintor 27-2-2017
Continuous delivery of microservices with kubernetes - Quintor 27-2-2017Arjen Wassink
 
Kubernetes - Sailing a Sea of Containers
Kubernetes - Sailing a Sea of ContainersKubernetes - Sailing a Sea of Containers
Kubernetes - Sailing a Sea of ContainersKel Cecil
 
Deploying Kubernetes without scaring off your security team - KubeCon 2017
Deploying Kubernetes without scaring off your security team - KubeCon 2017Deploying Kubernetes without scaring off your security team - KubeCon 2017
Deploying Kubernetes without scaring off your security team - KubeCon 2017Major Hayden
 

What's hot (20)

K8s security best practices
K8s security best practicesK8s security best practices
K8s security best practices
 
Building Clustered Applications with Kubernetes and Docker
Building Clustered Applications with Kubernetes and DockerBuilding Clustered Applications with Kubernetes and Docker
Building Clustered Applications with Kubernetes and Docker
 
Container Security
Container SecurityContainer Security
Container Security
 
Effective Data Pipelines with Docker & Jenkins - Brian Donaldson
Effective Data Pipelines with Docker & Jenkins - Brian DonaldsonEffective Data Pipelines with Docker & Jenkins - Brian Donaldson
Effective Data Pipelines with Docker & Jenkins - Brian Donaldson
 
A brief study on Kubernetes and its components
A brief study on Kubernetes and its componentsA brief study on Kubernetes and its components
A brief study on Kubernetes and its components
 
Kubernetes Security
Kubernetes SecurityKubernetes Security
Kubernetes Security
 
Kubernetes Summit 2019 - Harden Your Kubernetes Cluster
Kubernetes Summit 2019 - Harden Your Kubernetes ClusterKubernetes Summit 2019 - Harden Your Kubernetes Cluster
Kubernetes Summit 2019 - Harden Your Kubernetes Cluster
 
Kubernetes - how to orchestrate containers
Kubernetes - how to orchestrate containersKubernetes - how to orchestrate containers
Kubernetes - how to orchestrate containers
 
Achieving CI/CD with Kubernetes
Achieving CI/CD with KubernetesAchieving CI/CD with Kubernetes
Achieving CI/CD with Kubernetes
 
Scaling Microservices with Kubernetes
Scaling Microservices with KubernetesScaling Microservices with Kubernetes
Scaling Microservices with Kubernetes
 
Cloud networking deep dive
Cloud networking deep diveCloud networking deep dive
Cloud networking deep dive
 
CI / CD / CS - Continuous Security in Kubernetes
CI / CD / CS - Continuous Security in KubernetesCI / CD / CS - Continuous Security in Kubernetes
CI / CD / CS - Continuous Security in Kubernetes
 
Platform as a Service with Kubernetes and Mesos
Platform as a Service with Kubernetes and Mesos Platform as a Service with Kubernetes and Mesos
Platform as a Service with Kubernetes and Mesos
 
Docker London: Container Security
Docker London: Container SecurityDocker London: Container Security
Docker London: Container Security
 
Moving to Kubernetes - Tales from SoundCloud
Moving to Kubernetes - Tales from SoundCloudMoving to Kubernetes - Tales from SoundCloud
Moving to Kubernetes - Tales from SoundCloud
 
Docker Online Meetup: Infrakit update and Q&A
Docker Online Meetup: Infrakit update and Q&ADocker Online Meetup: Infrakit update and Q&A
Docker Online Meetup: Infrakit update and Q&A
 
Kubernetes - Starting with 1.2
Kubernetes - Starting with 1.2Kubernetes - Starting with 1.2
Kubernetes - Starting with 1.2
 
Continuous delivery of microservices with kubernetes - Quintor 27-2-2017
Continuous delivery of microservices with kubernetes - Quintor 27-2-2017Continuous delivery of microservices with kubernetes - Quintor 27-2-2017
Continuous delivery of microservices with kubernetes - Quintor 27-2-2017
 
Kubernetes - Sailing a Sea of Containers
Kubernetes - Sailing a Sea of ContainersKubernetes - Sailing a Sea of Containers
Kubernetes - Sailing a Sea of Containers
 
Deploying Kubernetes without scaring off your security team - KubeCon 2017
Deploying Kubernetes without scaring off your security team - KubeCon 2017Deploying Kubernetes without scaring off your security team - KubeCon 2017
Deploying Kubernetes without scaring off your security team - KubeCon 2017
 

Viewers also liked

Extend and build on Kubernetes
Extend and build on KubernetesExtend and build on Kubernetes
Extend and build on KubernetesStefan Schimanski
 
Docker Security: Are Your Containers Tightly Secured to the Ship?
Docker Security: Are Your Containers Tightly Secured to the Ship?Docker Security: Are Your Containers Tightly Secured to the Ship?
Docker Security: Are Your Containers Tightly Secured to the Ship?Michael Boelen
 
Open Source Tools for Container Security and Compliance @Docker LA Meetup 2/13
Open Source Tools for Container Security and Compliance @Docker LA Meetup 2/13Open Source Tools for Container Security and Compliance @Docker LA Meetup 2/13
Open Source Tools for Container Security and Compliance @Docker LA Meetup 2/13Zach Hill
 
Practical Approaches to Container Security
Practical Approaches to Container SecurityPractical Approaches to Container Security
Practical Approaches to Container SecurityShea Stewart
 
Understanding container security
Understanding container securityUnderstanding container security
Understanding container securityJohn Kinsella
 
Why You Need to Rethink Container Security
Why You Need to Rethink Container SecurityWhy You Need to Rethink Container Security
Why You Need to Rethink Container SecurityFlawCheck
 
How GitLab and HackerOne help organizations innovate faster without compromis...
How GitLab and HackerOne help organizations innovate faster without compromis...How GitLab and HackerOne help organizations innovate faster without compromis...
How GitLab and HackerOne help organizations innovate faster without compromis...HackerOne
 
ContainerDays NYC 2016: "The Secure Introduction Problem: Getting Secrets Int...
ContainerDays NYC 2016: "The Secure Introduction Problem: Getting Secrets Int...ContainerDays NYC 2016: "The Secure Introduction Problem: Getting Secrets Int...
ContainerDays NYC 2016: "The Secure Introduction Problem: Getting Secrets Int...DynamicInfraDays
 
Monetising Your Skill
Monetising Your SkillMonetising Your Skill
Monetising Your Skill'Detola Amure
 
Veer's Container Security
Veer's Container SecurityVeer's Container Security
Veer's Container SecurityJim Barlow
 
Docker Security workshop slides
Docker Security workshop slidesDocker Security workshop slides
Docker Security workshop slidesDocker, Inc.
 
Introduction to Infrastructure as Code & Automation / Introduction to Chef
Introduction to Infrastructure as Code & Automation / Introduction to ChefIntroduction to Infrastructure as Code & Automation / Introduction to Chef
Introduction to Infrastructure as Code & Automation / Introduction to ChefNathen Harvey
 
AWS Security Architecture - Overview
AWS Security Architecture - OverviewAWS Security Architecture - Overview
AWS Security Architecture - OverviewSai Kesavamatham
 
AWS Security Best Practices and Design Patterns
AWS Security Best Practices and Design PatternsAWS Security Best Practices and Design Patterns
AWS Security Best Practices and Design PatternsAmazon Web Services
 
Monitoring, Logging and Tracing on Kubernetes
Monitoring, Logging and Tracing on KubernetesMonitoring, Logging and Tracing on Kubernetes
Monitoring, Logging and Tracing on KubernetesMartin Etmajer
 
Docker Security - Secure Container Deployment on Linux
Docker Security - Secure Container Deployment on LinuxDocker Security - Secure Container Deployment on Linux
Docker Security - Secure Container Deployment on LinuxMichael Boelen
 
Container Orchestration Wars
Container Orchestration WarsContainer Orchestration Wars
Container Orchestration WarsKarl Isenberg
 
Docker Security Overview
Docker Security OverviewDocker Security Overview
Docker Security OverviewSreenivas Makam
 

Viewers also liked (20)

Extend and build on Kubernetes
Extend and build on KubernetesExtend and build on Kubernetes
Extend and build on Kubernetes
 
Docker Security: Are Your Containers Tightly Secured to the Ship?
Docker Security: Are Your Containers Tightly Secured to the Ship?Docker Security: Are Your Containers Tightly Secured to the Ship?
Docker Security: Are Your Containers Tightly Secured to the Ship?
 
Atomic CLI scan
Atomic CLI scanAtomic CLI scan
Atomic CLI scan
 
Open Source Tools for Container Security and Compliance @Docker LA Meetup 2/13
Open Source Tools for Container Security and Compliance @Docker LA Meetup 2/13Open Source Tools for Container Security and Compliance @Docker LA Meetup 2/13
Open Source Tools for Container Security and Compliance @Docker LA Meetup 2/13
 
Practical Approaches to Container Security
Practical Approaches to Container SecurityPractical Approaches to Container Security
Practical Approaches to Container Security
 
Understanding container security
Understanding container securityUnderstanding container security
Understanding container security
 
Why You Need to Rethink Container Security
Why You Need to Rethink Container SecurityWhy You Need to Rethink Container Security
Why You Need to Rethink Container Security
 
How GitLab and HackerOne help organizations innovate faster without compromis...
How GitLab and HackerOne help organizations innovate faster without compromis...How GitLab and HackerOne help organizations innovate faster without compromis...
How GitLab and HackerOne help organizations innovate faster without compromis...
 
ContainerDays NYC 2016: "The Secure Introduction Problem: Getting Secrets Int...
ContainerDays NYC 2016: "The Secure Introduction Problem: Getting Secrets Int...ContainerDays NYC 2016: "The Secure Introduction Problem: Getting Secrets Int...
ContainerDays NYC 2016: "The Secure Introduction Problem: Getting Secrets Int...
 
Monetising Your Skill
Monetising Your SkillMonetising Your Skill
Monetising Your Skill
 
Veer's Container Security
Veer's Container SecurityVeer's Container Security
Veer's Container Security
 
Docker Security workshop slides
Docker Security workshop slidesDocker Security workshop slides
Docker Security workshop slides
 
Introduction to Infrastructure as Code & Automation / Introduction to Chef
Introduction to Infrastructure as Code & Automation / Introduction to ChefIntroduction to Infrastructure as Code & Automation / Introduction to Chef
Introduction to Infrastructure as Code & Automation / Introduction to Chef
 
AWS Security Architecture - Overview
AWS Security Architecture - OverviewAWS Security Architecture - Overview
AWS Security Architecture - Overview
 
AWS Security Best Practices and Design Patterns
AWS Security Best Practices and Design PatternsAWS Security Best Practices and Design Patterns
AWS Security Best Practices and Design Patterns
 
Monitoring, Logging and Tracing on Kubernetes
Monitoring, Logging and Tracing on KubernetesMonitoring, Logging and Tracing on Kubernetes
Monitoring, Logging and Tracing on Kubernetes
 
Docker Security - Secure Container Deployment on Linux
Docker Security - Secure Container Deployment on LinuxDocker Security - Secure Container Deployment on Linux
Docker Security - Secure Container Deployment on Linux
 
London HUG 19/5 - Kubernetes and vault
London HUG 19/5 - Kubernetes and vaultLondon HUG 19/5 - Kubernetes and vault
London HUG 19/5 - Kubernetes and vault
 
Container Orchestration Wars
Container Orchestration WarsContainer Orchestration Wars
Container Orchestration Wars
 
Docker Security Overview
Docker Security OverviewDocker Security Overview
Docker Security Overview
 

Similar to Kubernetes Security Best Practices

Evolution of security strategies in K8s environments.pdf
Evolution of security strategies in K8s environments.pdfEvolution of security strategies in K8s environments.pdf
Evolution of security strategies in K8s environments.pdfJose Manuel Ortega Candel
 
2015 DockerCon Using Docker in production at bity.com
2015 DockerCon Using Docker in production at bity.com2015 DockerCon Using Docker in production at bity.com
2015 DockerCon Using Docker in production at bity.comMathieu Buffenoir
 
Who is afraid of privileged containers ?
Who is afraid of privileged containers ?Who is afraid of privileged containers ?
Who is afraid of privileged containers ?Marko Bevc
 
DockerCon EU 2015: Trading Bitcoin with Docker
DockerCon EU 2015: Trading Bitcoin with DockerDockerCon EU 2015: Trading Bitcoin with Docker
DockerCon EU 2015: Trading Bitcoin with DockerDocker, Inc.
 
Cloud Native TLV Meetup: Securing Containerized Applications Primer
Cloud Native TLV Meetup: Securing Containerized Applications PrimerCloud Native TLV Meetup: Securing Containerized Applications Primer
Cloud Native TLV Meetup: Securing Containerized Applications PrimerPhil Estes
 
Deep Dive into Kubernetes - Part 2
Deep Dive into Kubernetes - Part 2Deep Dive into Kubernetes - Part 2
Deep Dive into Kubernetes - Part 2Imesh Gunaratne
 
K8s best practices from the field!
K8s best practices from the field!K8s best practices from the field!
K8s best practices from the field!DoiT International
 
Integrating security testing into your container build pipeline - SDD308 - AW...
Integrating security testing into your container build pipeline - SDD308 - AW...Integrating security testing into your container build pipeline - SDD308 - AW...
Integrating security testing into your container build pipeline - SDD308 - AW...Amazon Web Services
 
A Survey of Container Security in 2016: A Security Update on Container Platforms
A Survey of Container Security in 2016: A Security Update on Container PlatformsA Survey of Container Security in 2016: A Security Update on Container Platforms
A Survey of Container Security in 2016: A Security Update on Container PlatformsSalman Baset
 
Securing the Infrastructure and the Workloads of Linux Containers
Securing the Infrastructure and the Workloads of Linux ContainersSecuring the Infrastructure and the Workloads of Linux Containers
Securing the Infrastructure and the Workloads of Linux ContainersMassimiliano Mattetti
 
Cloud-native applications with Java and Kubernetes - Yehor Volkov
Cloud-native applications with Java and Kubernetes - Yehor Volkov Cloud-native applications with Java and Kubernetes - Yehor Volkov
Cloud-native applications with Java and Kubernetes - Yehor VolkovKuberton
 
Docker Runtime Security
Docker Runtime SecurityDocker Runtime Security
Docker Runtime SecuritySysdig
 
Breaking and fixing_your_dockerized_environments_owasp_appsec_usa2016
Breaking and fixing_your_dockerized_environments_owasp_appsec_usa2016Breaking and fixing_your_dockerized_environments_owasp_appsec_usa2016
Breaking and fixing_your_dockerized_environments_owasp_appsec_usa2016Manideep Konakandla
 
It's 2018. Are My Containers Secure Yet!?
It's 2018. Are My Containers Secure Yet!?It's 2018. Are My Containers Secure Yet!?
It's 2018. Are My Containers Secure Yet!?Phil Estes
 
Evolution of security strategies in K8s environments- All day devops
Evolution of security strategies in K8s environments- All day devops Evolution of security strategies in K8s environments- All day devops
Evolution of security strategies in K8s environments- All day devops Jose Manuel Ortega Candel
 
ClickHouse on Kubernetes! By Robert Hodges, Altinity CEO
ClickHouse on Kubernetes! By Robert Hodges, Altinity CEOClickHouse on Kubernetes! By Robert Hodges, Altinity CEO
ClickHouse on Kubernetes! By Robert Hodges, Altinity CEOAltinity Ltd
 
Security Tips to run Docker in Production
Security Tips to run Docker in ProductionSecurity Tips to run Docker in Production
Security Tips to run Docker in ProductionGianluca Arbezzano
 
AWS re:Invent 2016: Securing Container-Based Applications (CON402)
AWS re:Invent 2016: Securing Container-Based Applications (CON402)AWS re:Invent 2016: Securing Container-Based Applications (CON402)
AWS re:Invent 2016: Securing Container-Based Applications (CON402)Amazon Web Services
 

Similar to Kubernetes Security Best Practices (20)

Evolution of security strategies in K8s environments.pdf
Evolution of security strategies in K8s environments.pdfEvolution of security strategies in K8s environments.pdf
Evolution of security strategies in K8s environments.pdf
 
2015 DockerCon Using Docker in production at bity.com
2015 DockerCon Using Docker in production at bity.com2015 DockerCon Using Docker in production at bity.com
2015 DockerCon Using Docker in production at bity.com
 
Who is afraid of privileged containers ?
Who is afraid of privileged containers ?Who is afraid of privileged containers ?
Who is afraid of privileged containers ?
 
DockerCon EU 2015: Trading Bitcoin with Docker
DockerCon EU 2015: Trading Bitcoin with DockerDockerCon EU 2015: Trading Bitcoin with Docker
DockerCon EU 2015: Trading Bitcoin with Docker
 
Cloud Native TLV Meetup: Securing Containerized Applications Primer
Cloud Native TLV Meetup: Securing Containerized Applications PrimerCloud Native TLV Meetup: Securing Containerized Applications Primer
Cloud Native TLV Meetup: Securing Containerized Applications Primer
 
Deep Dive into Kubernetes - Part 2
Deep Dive into Kubernetes - Part 2Deep Dive into Kubernetes - Part 2
Deep Dive into Kubernetes - Part 2
 
Kubernetes security
Kubernetes securityKubernetes security
Kubernetes security
 
K8s best practices from the field!
K8s best practices from the field!K8s best practices from the field!
K8s best practices from the field!
 
Integrating security testing into your container build pipeline - SDD308 - AW...
Integrating security testing into your container build pipeline - SDD308 - AW...Integrating security testing into your container build pipeline - SDD308 - AW...
Integrating security testing into your container build pipeline - SDD308 - AW...
 
A Survey of Container Security in 2016: A Security Update on Container Platforms
A Survey of Container Security in 2016: A Security Update on Container PlatformsA Survey of Container Security in 2016: A Security Update on Container Platforms
A Survey of Container Security in 2016: A Security Update on Container Platforms
 
Kubernetes 101 for_penetration_testers_-_null_mumbai
Kubernetes 101 for_penetration_testers_-_null_mumbaiKubernetes 101 for_penetration_testers_-_null_mumbai
Kubernetes 101 for_penetration_testers_-_null_mumbai
 
Securing the Infrastructure and the Workloads of Linux Containers
Securing the Infrastructure and the Workloads of Linux ContainersSecuring the Infrastructure and the Workloads of Linux Containers
Securing the Infrastructure and the Workloads of Linux Containers
 
Cloud-native applications with Java and Kubernetes - Yehor Volkov
Cloud-native applications with Java and Kubernetes - Yehor Volkov Cloud-native applications with Java and Kubernetes - Yehor Volkov
Cloud-native applications with Java and Kubernetes - Yehor Volkov
 
Docker Runtime Security
Docker Runtime SecurityDocker Runtime Security
Docker Runtime Security
 
Breaking and fixing_your_dockerized_environments_owasp_appsec_usa2016
Breaking and fixing_your_dockerized_environments_owasp_appsec_usa2016Breaking and fixing_your_dockerized_environments_owasp_appsec_usa2016
Breaking and fixing_your_dockerized_environments_owasp_appsec_usa2016
 
It's 2018. Are My Containers Secure Yet!?
It's 2018. Are My Containers Secure Yet!?It's 2018. Are My Containers Secure Yet!?
It's 2018. Are My Containers Secure Yet!?
 
Evolution of security strategies in K8s environments- All day devops
Evolution of security strategies in K8s environments- All day devops Evolution of security strategies in K8s environments- All day devops
Evolution of security strategies in K8s environments- All day devops
 
ClickHouse on Kubernetes! By Robert Hodges, Altinity CEO
ClickHouse on Kubernetes! By Robert Hodges, Altinity CEOClickHouse on Kubernetes! By Robert Hodges, Altinity CEO
ClickHouse on Kubernetes! By Robert Hodges, Altinity CEO
 
Security Tips to run Docker in Production
Security Tips to run Docker in ProductionSecurity Tips to run Docker in Production
Security Tips to run Docker in Production
 
AWS re:Invent 2016: Securing Container-Based Applications (CON402)
AWS re:Invent 2016: Securing Container-Based Applications (CON402)AWS re:Invent 2016: Securing Container-Based Applications (CON402)
AWS re:Invent 2016: Securing Container-Based Applications (CON402)
 

Recently uploaded

Asset Management Software - Infographic
Asset Management Software - InfographicAsset Management Software - Infographic
Asset Management Software - InfographicHr365.us smith
 
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...soniya singh
 
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...ICS
 
Cloud Management Software Platforms: OpenStack
Cloud Management Software Platforms: OpenStackCloud Management Software Platforms: OpenStack
Cloud Management Software Platforms: OpenStackVICTOR MAESTRE RAMIREZ
 
Professional Resume Template for Software Developers
Professional Resume Template for Software DevelopersProfessional Resume Template for Software Developers
Professional Resume Template for Software DevelopersVinodh Ram
 
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...stazi3110
 
What is Binary Language? Computer Number Systems
What is Binary Language? Computer Number SystemsWhat is Binary Language? Computer Number Systems
What is Binary Language? Computer Number SystemsJheuzeDellosa
 
Der Spagat zwischen BIAS und FAIRNESS (2024)
Der Spagat zwischen BIAS und FAIRNESS (2024)Der Spagat zwischen BIAS und FAIRNESS (2024)
Der Spagat zwischen BIAS und FAIRNESS (2024)OPEN KNOWLEDGE GmbH
 
A Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docxA Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docxComplianceQuest1
 
Project Based Learning (A.I).pptx detail explanation
Project Based Learning (A.I).pptx detail explanationProject Based Learning (A.I).pptx detail explanation
Project Based Learning (A.I).pptx detail explanationkaushalgiri8080
 
Salesforce Certified Field Service Consultant
Salesforce Certified Field Service ConsultantSalesforce Certified Field Service Consultant
Salesforce Certified Field Service ConsultantAxelRicardoTrocheRiq
 
Hand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptxHand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptxbodapatigopi8531
 
EY_Graph Database Powered Sustainability
EY_Graph Database Powered SustainabilityEY_Graph Database Powered Sustainability
EY_Graph Database Powered SustainabilityNeo4j
 
Optimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVOptimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVshikhaohhpro
 
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...MyIntelliSource, Inc.
 
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...harshavardhanraghave
 
Unit 1.1 Excite Part 1, class 9, cbse...
Unit 1.1 Excite Part 1, class 9, cbse...Unit 1.1 Excite Part 1, class 9, cbse...
Unit 1.1 Excite Part 1, class 9, cbse...aditisharan08
 
Introduction to Decentralized Applications (dApps)
Introduction to Decentralized Applications (dApps)Introduction to Decentralized Applications (dApps)
Introduction to Decentralized Applications (dApps)Intelisync
 

Recently uploaded (20)

Call Girls In Mukherjee Nagar 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SE...
Call Girls In Mukherjee Nagar 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SE...Call Girls In Mukherjee Nagar 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SE...
Call Girls In Mukherjee Nagar 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SE...
 
Asset Management Software - Infographic
Asset Management Software - InfographicAsset Management Software - Infographic
Asset Management Software - Infographic
 
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...
 
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
 
Cloud Management Software Platforms: OpenStack
Cloud Management Software Platforms: OpenStackCloud Management Software Platforms: OpenStack
Cloud Management Software Platforms: OpenStack
 
Professional Resume Template for Software Developers
Professional Resume Template for Software DevelopersProfessional Resume Template for Software Developers
Professional Resume Template for Software Developers
 
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
 
What is Binary Language? Computer Number Systems
What is Binary Language? Computer Number SystemsWhat is Binary Language? Computer Number Systems
What is Binary Language? Computer Number Systems
 
Der Spagat zwischen BIAS und FAIRNESS (2024)
Der Spagat zwischen BIAS und FAIRNESS (2024)Der Spagat zwischen BIAS und FAIRNESS (2024)
Der Spagat zwischen BIAS und FAIRNESS (2024)
 
A Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docxA Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docx
 
Project Based Learning (A.I).pptx detail explanation
Project Based Learning (A.I).pptx detail explanationProject Based Learning (A.I).pptx detail explanation
Project Based Learning (A.I).pptx detail explanation
 
Salesforce Certified Field Service Consultant
Salesforce Certified Field Service ConsultantSalesforce Certified Field Service Consultant
Salesforce Certified Field Service Consultant
 
Hand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptxHand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptx
 
EY_Graph Database Powered Sustainability
EY_Graph Database Powered SustainabilityEY_Graph Database Powered Sustainability
EY_Graph Database Powered Sustainability
 
Optimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVOptimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTV
 
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
 
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
 
Exploring iOS App Development: Simplifying the Process
Exploring iOS App Development: Simplifying the ProcessExploring iOS App Development: Simplifying the Process
Exploring iOS App Development: Simplifying the Process
 
Unit 1.1 Excite Part 1, class 9, cbse...
Unit 1.1 Excite Part 1, class 9, cbse...Unit 1.1 Excite Part 1, class 9, cbse...
Unit 1.1 Excite Part 1, class 9, cbse...
 
Introduction to Decentralized Applications (dApps)
Introduction to Decentralized Applications (dApps)Introduction to Decentralized Applications (dApps)
Introduction to Decentralized Applications (dApps)
 

Kubernetes Security Best Practices

  • 1. Copyright @ 2017 Aqua Security Software Ltd. All Rights Reserved. Security Best Practices for Kubernetes Deployment Michael Cherny Head of Research, Aqua Security
  • 2. 2 WHO AM I  Head of Security Research at Aqua Security, a leader in container security  20 years of building security products, development and research  Held senior security research positions at Microsoft, Aorato and Imperva.  Presented at security conferences, among them, BlackHat Europe, RSA Europe and Virus Bulleting.
  • 3. 3 BUILD SECURITY ALIGNED WITH DEVOPS Build Ship Cluster Environment Networking and Runtime Monitoring Productio n Dev. / Testing  
  • 5. 5 BUILD AND SHIP  Ensure That Only Authorized Images are Used in Your Environment  Ensure That Images Are Free of Vulnerabilities  Integrate Security into your CI/CD pipeline
  • 6. 6 SECURITY INTEGRATED WITH CI/CD Build • Only vetted code (approved for production) is used for building the images ShipTest  
  • 7. 7 SECURITY INTEGRATED WITH CI/CD Build • Implement Continuous Security Vulnerability Scanning • Regularly Apply Security Updates to Your Environment ShipTest  
  • 8. 8 SECURITY INTEGRATED WITH CI/CD Build • Use private registries to store your approved images - make sure you only push approved images to these registries ShipTest  
  • 10. 10 SSH LIMIT DIRECT ACCESS TO KUBERNETES NODES  Limit SSH access to Kubernetes nodes  Ask users to use “kubectl exec”
  • 11. 11 CONSIDER KUBERNETES AUTHORIZATION PLUGINS  Enables define fine-grained-access control rules  Namespaces  Containers  Operations  ABAC mode  RBAC mode  Webhook mode  Custom mode
  • 12. 12 CREATE ADMINISTRATIVE BOUNDARIES BETWEEN RESOURCES  Limits the damage of mistake or malicious intent  Partition resources into logical groups  Use Kubernetes namespaces to facilitate resource segregation  Kubernetes Authorization plugins to segregate user’s access to namespace resources
  • 13. 13 CREATE ADMINISTRATIVE BOUNDARIES BETWEEN RESOURCES  Example: allow ‘alice’ to read pods from namespace ‘fronto’ { "apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": { "user": "alice", "namespace": "fronto", "resource": "pods", "readonly": true } }
  • 14. 14 DEFINE RESOURCE QUOTA  Resource-unbound containers in shared cluster are bad practice  Create resource quota policies  Pods  CPUs  Memory  Etc.  Assigned to namespace
  • 15. 15 DEFINE RESOURCE QUOTA EXAMPLE  computer-resource.yaml apiVersion: v1 kind: ResourceQuota metadata: name: compute-resources spec: hard: pods: "4“ requests.cpu: "1“ requests.memory: 1Gi limits.cpu: "2“ limits.memory: 2Gi  kubectl create -f ./compute-resources.yaml -- namespace=myspace
  • 16. 16 SAFELY DISTRIBUTE YOUR SECRETS  Storing sensitive data in docker file, POD definition etc. is not safe  Centrally and securely stored secrets  Manage user access  Manage containers/pods access  Store securely  Facilitate secrets expiry and rotation  Etc.
  • 17. 17 KUBERNETES SECRETS  Secret object  As file  As Environment variable  Risks  Secrets stored in plain text  Is at rest  No separation of duties: operator can see secret value  Secrets are available, even if there is no container using it
  • 18. 18 KUBERNETES SECRETS - EXAMPLE  echo -n "admin" > ./username.txt echo -n "1f2d1e2e67df" > ./password.txt  kubectl create secret generic db-user-pass --from- file=./username.txt --from-file=./password.txt secret "db-user-pass" created  kubectl get secrets  Kubectl describe secrets/db-user-pass
  • 19. 19 KUBERNETES SECRETS - EXAMPLE  It call also be done manually  echo -n "admin" | base64 YWRtaW4=  echo -n "1f2d1e2e67df" | base64 MWYyZDFlMmU2N2Rm apiVersion: v1 kind: Secret metadata: name: mysecret type: Opaque data: username: YWRtaW4= password: MWYyZDFlMmU2N2Rm  kubectl create -f ./secret.yaml
  • 21. 21 IMPLEMENT NETWORK SEGMENTATION  “Good neighbor” compromised application is a door open into cluster  Network segmentation  Ensures that container can communicate only with whom it must
  • 22. 22 IMPLEMENT NETWORK SEGMENTATION  Cross-cluster segmentation can be achieved using firewall rules  “dynamic” nature of container network identities makes container network segmentation a true challenge  Kubernetes Network SIG works on pod-to-pod network policies  Currently only ingress policies can be defined
  • 23. 23 IMPLEMENT NETWORK SEGMENTATION: EXAMPLE  Enable using an annotation on the Namespace kind: Namespace apiVersion: v1 metadata: annotations: net.beta.kubernetes.io/network-policy: | { "ingress": { "isolation": "DefaultDeny" } } kubectl annotate ns <namespace> "net.beta.kubernetes.io/network-policy={"ingress": {"isolation": "DefaultDeny"}}"
  • 24. 24 IMPLEMENT NETWORK SEGMENTATION: EXAMPLE apiVersion: extensions/v1beta1 kind: NetworkPolicy metadata: name: test-network-policy namespace: default spec: podSelector: matchLabels: role: db ingress: - from: - namespaceSelector: matchLabels: project: myproject - podSelector: matchLabels: role: frontend ports: - protocol: tcp port: 6379 kubectl create -f policy.yaml
  • 26. 26 RUNTIME  Implement “least privileges” principal  Security Context control security parameters to be assigned  Pod  Containers  Pod Security Policy  Consider Kubernetes admission controllers:  “DenyEscalatingExec” – for containers/pods with elevated privileges  “ImagePolicyWebhook” – Kubernetes support to plug external image reviewer  “AlwaysPullImages” – in multitenant cluster
  • 27. 27 SECURITY CONTEXT Security Context Setting Description SecurityContext->runAsNonRoot Indicates that containers should run as non-root user SecurityContext->Capabilities Controls the Linux capabilities assigned to the container. SecurityContext->readOnlyRootFilesystem Controls whether a container will be able to write into the root filesystem. PodSecurityContext->runAsNonRoot Prevents running a container with ‘root’ user as part of the pod
  • 28. 28 SECURITY CONTEXT: EXAMPLE apiVersion: v1 kind: Pod metadata: name: hello-world spec: containers: # specification of the pod’s containers # ... securityContext: readOnlyRootFilesystem: true runAsNonRoot: true
  • 29. 29 IMAGE POLICY WEBHOOK  api.imagepolicy.v1alpha1.ImageReview object describing the action  Fields describing the containers being admitted, as well as any pod annotations that match *.image- policy.k8s.io/*
  • 30. 30 IMAGE POLICY WEBHOOK: EXAMPLE { "apiVersion":"imagepolicy.k8s.io/v1alpha1", "kind":"ImageReview", "spec":{ "containers":[ { "image":"myrepo/myimage:v1“ }, { "image":"myrepo/myimage@sha256:beb6bd6a68f114c1dc2ea4b28db81bdf91de202a9014972bec5e4d9171d 90ed“ } ], "annotations":[ "mycluster.image-policy.k8s.io/ticket-1234": "break-glass“ ], "namespace":"mynamespace“ } }
  • 31. 31 MONITORING AND VISIBILITY  Log everything  Cluster-based logging  Log container activity into a central log hub.  Use Fluentd agent on each node  Ingested logs using  Google Stackdriver Logging  Elasticsearch  Viewed with Kibana.
  • 33. 33 SECURITY ALIGNED WITH DEVOPS Build Ship Cluster Environment Networking and Runtime Monitoring Productio n Dev. / Testing Only vetted code can be used for build Scan images against known vulnerabilities Use private registries Only approved images are pushed Only use kubectl Fine-grained-access control to resources Create administrative boundaries and assign resource quotas Manage your secrets Implement “least privileges” principal Isolate container networks in logical application groups Log everything Integrates with SIEM and monitoring systems  