Kubernetes Summit 2019 - Harden Your Kubernetes Cluster

Sharing the experience about how to harden the Kubernetes cluster


Slide 1: Harden Your Kubernetes Cluster

Slide 2: Hello!
I am smalltown
Maicoin Site Reliability Engineer
Taipei HashiCorp UG Organizer
AWS UG Taiwan Staff
Slides 5-6 (agenda): Network, Runtime, Image, Credential, PaC

Section: Image
Slide 7: Image Build Practice (1/2)
◎ Minimal Base Images
◎ Least Privileged User
◎ Use Fixed Tags
◎ Sign/Verify Images (Docker Notary)
◎ Don't Contain Sensitive Information

Slide 8: Image Build Practice (2/2)
◎ Use COPY Instead of ADD
◎ Use Metadata Labels
◎ Multi-Stage Build Small/Secure Images
◎ Use a Linter (hadolint)
◎ Find/Fix/Monitor Vulnerabilities

Slide 9: How to Find Vulnerabilities?
◎ Of Course! Scanning!
◎ Commercial vs. Open Source
◎ Open Source: Anchore, Clair, Trivy...

Slide 10: Scan Coverage
◎ OS Packages
○ Alpine, Red Hat Universal Base Image, Red Hat Enterprise Linux, CentOS, Debian and Ubuntu
◎ Application Dependencies
○ Bundler, Composer, Pipenv, Poetry, npm, yarn and Cargo

Slide 11: Try to Use It! (1/2)
~$ docker run --rm -v $HOME/Library/Caches:/root/.cache/ aquasec/trivy python:alpine3.10

Slide 12: Try to Use It! (2/2)
~$ docker run --rm -v $HOME/Library/Caches:/root/.cache/ aquasec/trivy golang:1.12.9-buster

Slide 13: DevSecOps
◎ Integrate with the CI/CD Framework, e.g. if a Critical Vulnerability is Found then Fail the Pipeline
◎ Don't Forget to Store the Vulnerability Database/Data
◎ Use JSON Format Output to Generate Reports
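Slide 13 describes the pipeline integration but the talk shows no CI config. The job below is an added example, not the speaker's code: it assumes GitLab CI syntax, the image under test in $IMAGE, and a Trivy release that has the "image" subcommand; the pinned Trivy tag is just a constructed placeholder for a fixed version.

```yaml
# Added example, not from the talk: a GitLab CI job that applies the three
# points of slide 13. Assumed: GitLab CI syntax, the image under test in
# $IMAGE, and a Trivy release that has the "image" subcommand.
image-scan:
  stage: test
  image:
    name: aquasec/trivy:0.18.3   # constructed pin; use a fixed tag (slide 7)
    entrypoint: [""]
  variables:
    TRIVY_CACHE_DIR: .trivycache/
  cache:
    # "Don't forget to store the vulnerability database": persisting the
    # cache dir between runs avoids re-downloading the DB on every job.
    key: trivy-db
    paths:
      - .trivycache/
  script:
    # 1. JSON report for downstream reporting; --exit-code 0 so this
    #    step never decides pass/fail on its own.
    - trivy image --cache-dir "$TRIVY_CACHE_DIR" --no-progress
        --exit-code 0 --format json --output trivy-report.json "$IMAGE"
    # 2. The gate: exit 1 (fail the pipeline) if any CRITICAL finding
    #    remains. --ignore-unfixed skips CVEs that have no vendor fix yet.
    - trivy image --cache-dir "$TRIVY_CACHE_DIR" --no-progress
        --exit-code 1 --severity CRITICAL --ignore-unfixed "$IMAGE"
  artifacts:
    when: always            # keep the report even when the gate fails
    paths:
      - trivy-report.json
```

The same two invocations work in any other CI system; only the cache and artifact sections are GitLab-specific.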
Slide 14: Competitive Analysis (table)

Slide 15: Regular Vulnerability Assessment
◎ Process of Defining, Identifying, Classifying and Prioritizing Vulnerabilities
◎ Information on the Security Weaknesses in its Environment
◎ Assess the Risks Associated with those Weaknesses and Evolving Threats
Section: Credential

Slide 17: Kubernetes Secret

Slide 18: HashiCorp Vault
◎ Secures, Stores, and Tightly Controls Access to Tokens, Passwords, Certificates, API Keys
◎ Handles Leasing, Key Revocation, Key Rolling, and Auditing

Slide 19: Ideal Credential Lifecycle (diagram)
Application -> Service is Accessed
1. Request Access Credential (Running)
2. Use the Credential to Access the Service
3. Revoke the Credential
Credentials Only Exist in Memory

Slide 20: Authentication
◎ Vault Provides Various Auth Methods
○ Tokens, AppRole
○ AWS, Azure, Google Cloud
○ LDAP, GitHub ...etc

Slide 21: Authorization
◎ Vault Stores Credentials like a Key/Value DB, e.g.
○ /secret/stag/database/admin
○ /secret/prod/database/admin
◎ Hence, a Predefined Policy Grants the Appropriate Permission, e.g.
path "secret/stag/database/admin" {
  capabilities = ["read"]
}

Slide 22: Dynamic Credentials
◎ Vault Supports Many Secret Backends
○ AWS, Azure, GCP, Database...etc
◎ Take the Database Backend for Example: You Could Generate Dynamic Database Credentials
$ vault read database/creds/my-role
Key               Value
---               -----
lease_duration    1h
password          8cab931c-d62e-a73d-60d3-5ee85139cd66
username          v-root-e2978cd0-

Slide 23: HashiCorp Vault Workshop: Find a Home for Your Credentials (幫 Credentials 找個窩)
◎ Slide: Here
◎ GitHub: Here
Section: Network

Slide 25: Connection Between Pods/Endpoints (diagram)
Out / In / Internet
- Port
- IP, FQDN
- Protocol

Slide 26: What is The Problem?
◎ By Default, Pods are Non-Isolated; They Accept Traffic from any Source.

Slide 27: Kubernetes Network Policy
podSelector
Ingress (From): podSelector, namespaceSelector, ipBlock
Egress (To):    podSelector, namespaceSelector, ipBlock
Protocol, Port

Slide 28: How to Enable Network Policy
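Slides 26-28 state the problem and the NetworkPolicy building blocks but show no manifest. The two policies below are an added example, not from the talk: they assume a namespace "shop" with pods labelled app=api and app=db, namespaces labelled name=<namespace>, and a constructed external address range.

```yaml
# Added example, not from the talk. Assumed: namespace "shop" with pods
# labelled app=api and app=db, and namespaces labelled name=<namespace>.
---
# 1. Isolate everything: as soon as a policy selects a pod, the pod only
#    accepts what some policy allows. An empty podSelector selects all pods.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: shop
spec:
  podSelector: {}
  policyTypes: ["Ingress", "Egress"]
---
# 2. Re-open only what the api pods need, using all three "from/to"
#    selector kinds of slide 27 (podSelector, namespaceSelector, ipBlock).
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: api
  namespace: shop
spec:
  podSelector:
    matchLabels: {app: api}
  policyTypes: ["Ingress", "Egress"]
  ingress:
    - from:
        - namespaceSelector:
            matchLabels: {name: ingress-nginx}
      ports:
        - {protocol: TCP, port: 8080}
  egress:
    - to:
        - podSelector:            # same namespace only
            matchLabels: {app: db}
      ports:
        - {protocol: TCP, port: 5432}
    - to:                         # DNS: default-deny egress also blocks
        - namespaceSelector:      # name resolution, so allow it explicitly
            matchLabels: {name: kube-system}
      ports:
        - {protocol: UDP, port: 53}
    - to:
        - ipBlock:                # an external API, constructed range
            cidr: 203.0.113.0/24
            except: ["203.0.113.128/25"]
      ports:
        - {protocol: TCP, port: 443}
```

Policies are only enforced when the CNI plugin supports them (slide 28); on a plugin without support they are accepted by the API server and silently do nothing.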
Slide 29: Connection Between Pods/Endpoints (same diagram as slide 25)
Out / In / Internet
- Port
- IP, FQDN
- Protocol

Slide 30: What is The Problem?
◎ MITM (Man-In-The-Middle Attack)

Slide 31: Istio

Slide 32: Istio with Mutual TLS

Slide 33: Policy & DestinationRule

Slide 34: Istio with Kiali
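Slide 33 names the two objects that turn on mutual TLS but shows neither. The pair below is an added example, not from the talk, written against the Istio 1.x API of 2019 (authentication.istio.io/v1alpha1 Policy plus a DestinationRule) for an assumed namespace "shop"; later Istio releases replace Policy with PeerAuthentication.

```yaml
# Added example, not from the talk. Istio 1.x API; assumed namespace "shop".
---
# 1. Server side: sidecars in "shop" accept only mTLS connections.
#    Use "mode: PERMISSIVE" first while clients without a sidecar still
#    need to connect, then switch to STRICT once every caller is in the mesh.
apiVersion: authentication.istio.io/v1alpha1
kind: Policy
metadata:
  name: default        # the name "default" makes it the namespace-wide policy
  namespace: shop
spec:
  peers:
    - mtls:
        mode: STRICT
---
# 2. Client side: sidecars originate mTLS to every service in "shop".
#    Without this DestinationRule callers keep sending plaintext and are
#    rejected by the STRICT policy above.
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: default
  namespace: shop
spec:
  host: "*.shop.svc.cluster.local"
  trafficPolicy:
    tls:
      mode: ISTIO_MUTUAL
```

Kiali (slide 34) shows a lock icon on edges that are actually using mTLS, which is the quick way to confirm both halves are in place.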
Section: Runtime

Slide 36: Runtime Security Tools
- Enforcement
- Auditing

Slide 37: Enforcement Runtime Security Tools
◎ Using the Policy to Change the Behavior of a Process by Preventing System Calls from Succeeding
○ Pod Security Policy
○ AppArmor
○ Seccomp

Slide 38: Pod Security Policies
◎ Define a Set of Conditions that a Pod Must Run With in Order to be Accepted Into the System
○ Usage of Volume Types
○ Usage of Host Networking and Ports
○ The User and Group IDs of the Container
○ ...

Slide 39: How to Use PSP (diagram)
Create: the PodSecurityPolicy
Use: a (Cluster)Role that may "use" it
With: a (Cluster)RoleBinding, for the Pod / for the Deployment, ...

Slide 40: When a Pod is Created...
◎ The PSP is Enabled, the Pod Doesn't Use the PSP -> Fail
◎ The PSP is Enabled, the Pod Can Use the PSP, the Pod Doesn't Follow the PSP -> Fail
◎ The PSP is Enabled, the Pod Can Use the PSP, the Pod Follows the PSP -> Success
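Slides 38-40 describe the Create / Use / With flow without a manifest. The three objects below are an added example, not from the talk; they assume a namespace "shop" whose pods run as service account "api". PodSecurityPolicy was removed in Kubernetes 1.25 in favour of Pod Security Admission, so this is the API the talk was given against.

```yaml
# Added example, not from the talk: the Create -> Use -> With flow of slide 39.
# Assumed namespace "shop" and service account "api".
---
# 1. Create: a restrictive PodSecurityPolicy.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: restricted
spec:
  privileged: false
  allowPrivilegeEscalation: false
  requiredDropCapabilities: ["ALL"]
  hostNetwork: false                     # "usage of host networking and ports"
  hostPorts: []
  volumes: ["configMap", "emptyDir", "projected", "secret", "persistentVolumeClaim"]
  runAsUser: {rule: MustRunAsNonRoot}    # "the user and group IDs of the container"
  seLinux: {rule: RunAsAny}
  supplementalGroups: {rule: MustRunAs, ranges: [{min: 1, max: 65535}]}
  fsGroup: {rule: MustRunAs, ranges: [{min: 1, max: 65535}]}
  readOnlyRootFilesystem: true
---
# 2. Use: a Role whose only permission is the "use" verb on that PSP.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: psp-restricted
  namespace: shop
rules:
  - apiGroups: ["policy"]
    resources: ["podsecuritypolicies"]
    resourceNames: ["restricted"]
    verbs: ["use"]
---
# 3. With: bind the Role to the pods' service account. Bind the service
#    account rather than a user: for a Deployment the pods are created by
#    the controller manager, so the user's own RBAC never applies to them.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: api-psp-restricted
  namespace: shop
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: psp-restricted
subjects:
  - kind: ServiceAccount
    name: api
    namespace: shop
```

With the PodSecurityPolicy admission plugin enabled, a pod from service account "api" that sets runAsUser: 0 or privileged: true is the "can use, doesn't follow" case of slide 40 and is rejected at admission.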
Slide 41: Auditing Runtime Security Tools
◎ Using the Policy to Monitor the Behavior of a Process and Notify when its Behavior Steps Outside the Policy
○ Falco
○ Auditd

Slide 42: Falco
◎ A Behavioral Activity Monitor Designed to Detect Anomalous Activity in Your Applications

Slide 43: How Falco Takes Effect (diagram)

Slide 44: Falco Rules
- macro: access_file
  condition: evt.type=open

- rule: program_accesses_file
  desc: track whenever a set of programs opens a file
  condition: proc.name in (cat, ls) and (access_file)
  output: a tracked program opened a file (user=%user.name command=%proc.cmdline file=%fd.name)
  priority: INFO

Slide 45: Falco vs. Others
Falco                                                | Others
User Space                                           | Kernel Level
Kill/Suspend/Starve the Falco Process                | Replacing a loaded set of policies or BPF program in the kernel is probably more difficult
Much Richer Set of Information Powering Its Policies | Those Types of Policies are More Difficult to Implement at the Kernel Level
Section: PaC (Policy as Code)

Slide 47: Policy as Code
YAML Engineer 4NI ?! (Taiwanese slang for "is that you?!")

Slide 48: Open Policy Agent
◎ A General-Purpose Policy Engine that Helps Solve Use Cases Ranging From Authorization and Admission Control to Resource Placement.
○ Kubernetes Admission Control
○ HTTP API Authorization
○ Remote Access
○ Data Filtering with Partial Evaluation

Slide 49: OPA Flow (diagram): Context, Policy, API Authorization, API, Retrieve Data from Target Service

Slide 50: Finally Not YAML
◎ Rego was Inspired by Datalog, Which is a Well-Understood, Decades-Old Query Language
◎ Rego Queries are Assertions on Data Stored in OPA

Slide 51: Rego Sample Code
package kubernetes.admission
import data.kubernetes.namespaces

deny[msg] {
  input.request.kind.kind == "Ingress"
  input.request.operation == "CREATE"
  host := input.request.object.spec.rules[_].host
  not fqdn_matches_any(host, valid_ingress_hosts)
  msg := sprintf("invalid ingress host %q", [host])
}
(fqdn_matches_any and valid_ingress_hosts are defined elsewhere in the policy and are not shown on the slide.)
Slide 52: Thanks! Any questions?
You can find me at:
facebook.com/smalltown0110
smalltown@awsug.tw

Slide 53: We're Hiring!!
Software Engineer in Test
Software Engineer
