cto, alcide gadi naor webinar...copyright ©2019 alcide.io, all rights reserved → → example:...
TRANSCRIPT
Copyright ©2019 Alcide.io, All Rights Reserved
Webinar
Kubernetes Audit Log
Gadi Naor CTO, Alcide
Copyright ©2019 Alcide.io, All Rights Reserved
about# gadi.naor --from tel_aviv--enjoy sk8boarding--kernel-dev @check_point --kernel-dev @altor_networks --kernel-dev @juniper_networks --cloud-native @alcideio validate k8s cluster
@alcideio@gadinaor
Copyright ©2019 Alcide.io, All Rights Reserved
Kubernetes Security Framework
Runtime Detection & Protection
HygieneScan
Source Scan
ArtifactScan
MicroserviceDeploymentAdmission Controller
Compliance &
Behavior AnomalyDetection
Multi-Cluster
Copyright ©2019 Alcide.io, All Rights Reserved
→
→
→ authentication
→ authorization
→→ admission control
→ validation
Kubernetes API Server
Istio Control Plane
Copyright ©2019 Alcide.io, All Rights Reserved
→
→
→
→
→
→
→
Who/What Access Kubernetes API Server
Copyright ©2019 Alcide.io, All Rights Reserved6
Raw Audit logs Critical threats in the Audit logs
Copyright ©2019 Alcide.io, All Rights Reserved
Collect→
→
Filter & Transform → Audit Features→ →→
Feature Analysis→
→
→
→
Report→
7
Copyright ©2019 Alcide.io, All Rights Reserved
Kubernetes API Server Audit Log - Stream Analysis
Copyright ©2019 Alcide.io, All Rights Reserved
{
"kind": "Event",
"apiVersion": "audit.k8s.io/v1",
...
"requestURI": "/api/v1/namespaces/ default/configmaps",
"verb": "create",
"user": {
"username": "someuser",
"groups": ["system:authenticated"]
},
"userAgent": "GoogleContainerEngine",
...
"sourceIPs": ["192.168.99.1"],
...
"annotations": {
"authorization.k8s.io/decision": "allow",
"authorization.k8s.io/reason": ""
}
...
Kubernetes API Server Audit Log
namespace
resource kind
principal
client
location
decision
api operation
Copyright ©2019 Alcide.io, All Rights Reserved10
Cluster Troubleshooting → What:
→
→
When:→
→
Copyright ©2019 Alcide.io, All Rights Reserved11
Alert On Pod Access → What:
→
→
→
→ When:→
→
→
Copyright ©2019 Alcide.io, All Rights Reserved12
Detect Unauthorized Access → What:
→
→
→ How:
→
→
Copyright ©2019 Alcide.io, All Rights Reserved13
Detect Credential Theft → What:
→
→ How:
→
Copyright ©2019 Alcide.io, All Rights Reserved14
Resource Checks
Workload Level Protection
Performance Monitoring
Copyright ©2019 Alcide.io, All Rights Reserved15
Copyright ©2019 Alcide.io, All Rights Reserved16
Stolen Token & Credentials
Misconfigured RBAC
Exploited Vulnerabilities in Kubernetes API Server
Compliance best practices
→
→
→
→
Copyright ©2019 Alcide.io, All Rights Reserved
❏ Early Access Alcide kAudit alcide.io/kaudit-K8s-forensics
❏ Free Cloud Account www.alcide.io/advisor-free-trial/
❏ CD Integrations github.com/alcideio/pipeline
❏ Tutorials: codelab.alcide.io
Copyright ©2019 Alcide.io, All Rights Reserved
Copyright ©2019 Alcide.io, All Rights Reserved19
→
Copyright ©2019 Alcide.io, All Rights Reserved
→
→ Example: Taking and restoring backups of that application’s state→ Example: Handling upgrades of application code
→ ClusterRole→ Example: Prometheus Operator - cluster-wide Pod list & delete, secret create, read, Secret get, create,..→ Example: Strimzi Kafka Operator - cluster-wide Pod create, list, delete, update , Secret get, create,..
→
→
? Jobs vs. Controllers ?
Pick Your Poison - https://operatorhub.io