preventing kubernetes misconfiguration: static matt johnson · 2020. 12. 9. · matt johnson...
TRANSCRIPT
M att J o h n s o nD e v e l o p e r A d v o c a t e L e a d
Preventing Kubernetes Misconfiguration: Static Analysis and Beyond
2
Misconfiguration challenges
Write policy as code
AGENDAAutomate in our CI Pipeline
Runtime analysis of k8 cluster
Helm chart analysis
3
Matt Johnson
@Metahertzmetahertz
4
As an engineerI want to move fast
5
I DO NOTwant to break things
6
The thing I have love/hate relationship with is…
7
8
9
10
11
And this is where our story begins…
12
13
So let’s open our eyes and look at some…
14
…data
15
0 10 20 30 40 50 60 70
Ensure Kubernetes Clusters are configured with Labels
Ensure a client certificate is used by clients to authenticate to Kubernetes…
Ensure PodSecurityPolicy controller is enabled on the Kubernetes Engine Clusters
Ensure Network Policy is enabled on Kubernetes Engine Clusters
Ensure Container-Optimized OS (cos) is used for Kubernetes Engine Clusters…
Ensure 'Automatic node upgrade' is enabled for Kubernetes Clusters
Ensure 'Automatic node repair' is enabled for Kubernetes Clusters
Ensure Amazon EKS public endpoint disabled
Ensure Amazon EKS control plane logging enabled for all log types
Ensure EKS Cluster has Secrets Encryption Enabled
Ensure Amazon EKS public endpoint not accessible to 0.0.0.0/0
Top Failing Kubernetes checks
16
Infrastructure as code (IaC) presents a new risk and a new opportunity
17
18
https://github.com/bridgecrewio/checkov
19
• Released publicly in December 2019
• Apache 2.0 license• 50+ contributors• >800K downloads • >1400 stars• Written in Python
20
Checkov statically analyzes for known best practices
implemented in IaCmanifests like k8s YAML
21
• Version controlled• Peer reviewed• Can utilize inheritance and
have code reuse (python)• Part of SDLC• Continuous integration
Policy as code
22
Policy as code
23
Brace for live demo
24
Destination Account
ChangeRequest
Infrastructure security tests
Deployment Trigger
Deploy/ Apply changes
1
2
3
4
25
Brace for live demo
26
27
Another one!
28
Keep your manifests secure
Monitor both Build-time and Runtime
Have a fast feedback loop on configuration changes
Runtime analysis of K8s cluster
Version control your policies
29
Destination Account
ChangeRequest
Infrastructure security tests
Deployment Trigger
Deploy/ Apply changes1
2
3
Runtime Config Analysis
Notify
5
6
4
30
Pre-commit Continuous Integration
RunningCluster
Misconfig Analysis
31
Infrastructure is developed and secured in the same place
Issues are automatically prevented from being deployed
Security is a business enabler rather than a hindrance
A WORLD WHERE:
32
Keep your Kubernetes manifests and Helm charts secure
Monitor both build-time and runtime
Have a fast feedback loop on configuration changesTAKEAWAYS
Version control your policies
33
Tr y C h e c k o v a n d j o i n o u r S l a c k s l a c k . b r i d g e c r ew. i o
C O N TA C T M E ma t t@b r i d g e c r ew. i o