Bangalore CNCF Meetup 5min Lightning Talk. Introduction to Google cloud container Security for beginners. GKE (Google Kubernetes Engine) Security Hardening.

1. Google Cloud Container Security QuickView
Lightning talk of 5-10 minutes....
Krishna Kumar – CNCF Ambassador

2. Google Cloud Security – Console View – First Look
https://console.cloud.google.com/

3. Google Compute Engine Security

Google cloud Identity service - IAM

IAM Policies & Organization level
policies

Effectively design the hierarchy

Apply Leave privileaged access policy
mode

Create security groups with conceptual
roles instead randiomly creating users
and groups

Like One top account create/set
polciies & service acconts only and the
other accounts apply it.

Unmanaged credentials night mare!
Key Management Services (KMS)

VPC network can be managed/deleted
as needed

Rootkits & Bootkits for VM hardening

Tools – AuditLogs, CSCC, KMS
Resource Hierarchy in general

4. Google Container Security
Infrastructure Security Software Supply Chain
Security
Run time Security
Cloud IAM, RBAC Google container Registry Stackdriver – monitoring,
Attack profiles
Compliance Certifications Security Vulnerability
Scanning
Anomolous detection by
third party products like
Twistlocks, acqua, sysdig
Cloud Audit Logging Secure base images Cloud SCC
Container Optimized
minimal OS, Node auto
upgrade
Regular builds Isolation
gVisor sandbox
Network policy, Private
clusters, Shared VPC
Deployment policies,
Binary authorization
Runtime detection – host,
network, workload, Boot

5. Google Kubernetes Engine Security
Managed Security by Google
●
Control plane security
– Google does the control plane management (Mater VM, Scheduler,
Cntroll manager, API server, etcd, CA, IAM, logging to stackdriver,) &
Patching the contol plane.
●
Node security
– Google handles K8s comoponents, COS (Chromium OS), logging &
monitoring. Autoupgarde & security patches automatically rolled out.
Manage base images.
– Live migration: Node auto upgrade is like adding new node and drain the
work from old.
● Workloads: User need to secure workloads. Protect the secret with
Cloud KMS or KMS plugin (Vault).

6. Hardening GKE
● Disable the Kubernetes web UI (Dashboard)
● Restrict Cluster discovery RBAC permission & binary authentication
● Restrict Traffic Among Pods with a Network Policy & Pod security policy
● Use Least Privilege Service Accounts for your Nodes
● Restrict your Node Service Account Scopes & Client Authentication Methods
● Protect node metadata & Automatically upgrade nodes
● Authorized networks & meta data concealment
● Google Container Registry (GCR) Vulnerability Scanning
● Third party container security.
● Read secuity bulletins – Vulnerabilties and solutiond

7. GKE Istio Security
Istio, a service mesh implementation, on GKE is an add-on.
●
The version of Istio installed is tied to the GKE version, and you will not be able to
update them independently.
●
Pilot:
●
Istio Auth ensures that services with sensitive data can only be accessed
●
Istio RBAC provides namespace-level, service-level, and method-level access control
●
Mixer:
●
Istio config policy on server side not client side.
●
Citadel:
●
MutualTLS authentication - both service-to-service and end-user-to-service
●
Automates key and certificate generation, distribution, rotation, and revocation.

8. Anthos Security
●
Single pane of glass
visibility across all clusters
●
Service-centric view of
your infrastructure
●
Configuration management
& Compliance centralized
●
Istio providing in-cluster
mTLS and certificate
management.
●
3rd
party marketplace
Hybrid cloud solutions: Anthos relies on Google
Kubernetes Engine (GKE) and GKE On-Prem to
manage Kubernetes installations in the environments

9. Google Cloud Partner Security
●
Splunk
●
Palo alto Networks
●
Checkpoint
●
F5
●
Brocade
●
Nginx
●
Symantec
●
Cisco
●
Hashicorp
●
Acqua
●
Blackduck
●
Twistlock
●
Stackrox
●
& more......
With 3rd
party providers, GCP Protects a wide
variety of hybrid cloud solutions and data.

10. References
●
https://cloud.google.com/containers/security/
●
https://cloud.google.com/kubernetes-engine/docs/security-bulletins
●
https://cloud.google.com/kubernetes-engine/docs/how-to/hardening-your-cluster
●
https://cloud.google.com/kubernetes-engine/docs/concepts/security-overview
●
https://cloud.withgoogle.com/next/19/sf/sessions?session=SEC110
●
https://console.cloud.google.com/security/command-center/welcome
●
https://cloud.google.com/security/partners/
●
https://cloud.google.com/anthos/docs/concepts/overview
●
https://cloud.google.com/istio/#security
●
https://youtu.be/PfXZovlblJc