security best practices for kubernetes deployment
TRANSCRIPT
![Page 1: Security best practices for kubernetes deployment](https://reader034.vdocuments.us/reader034/viewer/2022042707/58d1044a1a28ab823e8b4931/html5/thumbnails/1.jpg)
Copyright @ 2017 Aqua Security Software Ltd. All Rights Reserved.
Security Best Practices for Kubernetes DeploymentMichael ChernyHead of Research, Aqua Security
![Page 2: Security best practices for kubernetes deployment](https://reader034.vdocuments.us/reader034/viewer/2022042707/58d1044a1a28ab823e8b4931/html5/thumbnails/2.jpg)
2
WHO AM I Head of Security Research at Aqua Security, a leader
in container security 20 years of building security products, development
and research Held senior security research positions at Microsoft,
Aoratoand Imperva.
Presented at security conferences, among them, BlackHat Europe, RSA Europe and Virus Bulleting.
![Page 3: Security best practices for kubernetes deployment](https://reader034.vdocuments.us/reader034/viewer/2022042707/58d1044a1a28ab823e8b4931/html5/thumbnails/3.jpg)
3
BUILD SECURITY ALIGNED WITH DEVOPS
Build Ship Cluster Environmen
t
Networking and
Runtime
Monitoring
Production
Dev. / Testing
![Page 4: Security best practices for kubernetes deployment](https://reader034.vdocuments.us/reader034/viewer/2022042707/58d1044a1a28ab823e8b4931/html5/thumbnails/4.jpg)
BUILD AND SHIP
![Page 5: Security best practices for kubernetes deployment](https://reader034.vdocuments.us/reader034/viewer/2022042707/58d1044a1a28ab823e8b4931/html5/thumbnails/5.jpg)
5
BUILD AND SHIP Ensure That Only Authorized Images are Used in Your
Environment Ensure That Images Are Free of Vulnerabilities Integrate Security into your CI/CD pipeline
![Page 6: Security best practices for kubernetes deployment](https://reader034.vdocuments.us/reader034/viewer/2022042707/58d1044a1a28ab823e8b4931/html5/thumbnails/6.jpg)
6
SECURITY INTEGRATED WITH CI/CDBuild
• Only vetted code (approved for production) is used for building the images
ShipTest
![Page 7: Security best practices for kubernetes deployment](https://reader034.vdocuments.us/reader034/viewer/2022042707/58d1044a1a28ab823e8b4931/html5/thumbnails/7.jpg)
7
SECURITY INTEGRATED WITH CI/CDBuild
• Implement Continuous Security Vulnerability Scanning
• Regularly Apply Security Updates to Your Environment
ShipTest
![Page 8: Security best practices for kubernetes deployment](https://reader034.vdocuments.us/reader034/viewer/2022042707/58d1044a1a28ab823e8b4931/html5/thumbnails/8.jpg)
8
SECURITY INTEGRATED WITH CI/CDBuild
• Use private registries to store your approved images - make sure you only push approved images to these registries
ShipTest
![Page 9: Security best practices for kubernetes deployment](https://reader034.vdocuments.us/reader034/viewer/2022042707/58d1044a1a28ab823e8b4931/html5/thumbnails/9.jpg)
CLUSTER ENVIRONMENT
![Page 10: Security best practices for kubernetes deployment](https://reader034.vdocuments.us/reader034/viewer/2022042707/58d1044a1a28ab823e8b4931/html5/thumbnails/10.jpg)
10
SSH
LIMIT DIRECT ACCESS TO KUBERNETES NODES Limit SSH access to Kubernetes nodes Ask users to use “kubectl exec”
![Page 11: Security best practices for kubernetes deployment](https://reader034.vdocuments.us/reader034/viewer/2022042707/58d1044a1a28ab823e8b4931/html5/thumbnails/11.jpg)
11
CONSIDER KUBERNETES AUTHORIZATION PLUGINS Enables define fine-grained-access control rules
Namespaces Containers Operations
ABAC mode RBAC mode Webhook mode Custom mode
![Page 12: Security best practices for kubernetes deployment](https://reader034.vdocuments.us/reader034/viewer/2022042707/58d1044a1a28ab823e8b4931/html5/thumbnails/12.jpg)
12
CREATE ADMINISTRATIVE BOUNDARIES BETWEEN RESOURCES Limits the damage of mistake or malicious intent Partition resources into logical groups Use Kubernetes namespaces to facilitate resource
segregation Kubernetes Authorization plugins to segregate user’s
access to namespace resources
![Page 13: Security best practices for kubernetes deployment](https://reader034.vdocuments.us/reader034/viewer/2022042707/58d1044a1a28ab823e8b4931/html5/thumbnails/13.jpg)
13
CREATE ADMINISTRATIVE BOUNDARIES BETWEEN RESOURCES Example: allow ‘alice’ to read pods from namespace
‘fronto’{
"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": { "user": "alice", "namespace": "fronto", "resource": "pods", "readonly": true }}
![Page 14: Security best practices for kubernetes deployment](https://reader034.vdocuments.us/reader034/viewer/2022042707/58d1044a1a28ab823e8b4931/html5/thumbnails/14.jpg)
14
DEFINE RESOURCE QUOTA Resource-unbound containers in shared cluster are
bad practice Create resource quota policies
Pods CPUs Memory Etc.
Assigned to namespace
![Page 15: Security best practices for kubernetes deployment](https://reader034.vdocuments.us/reader034/viewer/2022042707/58d1044a1a28ab823e8b4931/html5/thumbnails/15.jpg)
15
DEFINE RESOURCE QUOTA EXAMPLE computer-resource.yaml
apiVersion: v1kind: ResourceQuotametadata:
name: compute-resourcesspec:
hard:pods: "4“requests.cpu: "1“requests.memory: 1Gilimits.cpu: "2“limits.memory: 2Gi
kubectl create -f ./compute-resources.yaml --namespace=myspace
![Page 16: Security best practices for kubernetes deployment](https://reader034.vdocuments.us/reader034/viewer/2022042707/58d1044a1a28ab823e8b4931/html5/thumbnails/16.jpg)
16
SAFELY DISTRIBUTE YOUR SECRETS Storing sensitive data in docker file, POD definition
etc. is not safe Centrally and securely stored secrets
Manage user access Manage containers/pods access Store securely Facilitate secrets expiry and rotation Etc.
![Page 17: Security best practices for kubernetes deployment](https://reader034.vdocuments.us/reader034/viewer/2022042707/58d1044a1a28ab823e8b4931/html5/thumbnails/17.jpg)
17
KUBERNETES SECRETS Secret object
As file As Environment variable
Risks Secrets stored in plain text Is at rest No separation of duties: operator can see secret value Secrets are available, even if there is no container using it
![Page 18: Security best practices for kubernetes deployment](https://reader034.vdocuments.us/reader034/viewer/2022042707/58d1044a1a28ab823e8b4931/html5/thumbnails/18.jpg)
18
KUBERNETES SECRETS - EXAMPLE echo -n "admin" > ./username.txt
echo -n "1f2d1e2e67df" > ./password.txt kubectl create secret generic db-user-pass --from-
file=./username.txt --from-file=./password.txtsecret "db-user-pass" created
kubectl get secrets Kubectl describe secrets/db-user-pass
![Page 19: Security best practices for kubernetes deployment](https://reader034.vdocuments.us/reader034/viewer/2022042707/58d1044a1a28ab823e8b4931/html5/thumbnails/19.jpg)
19
KUBERNETES SECRETS - EXAMPLE It call also be done manually echo -n "admin" | base64
YWRtaW4=
echo -n "1f2d1e2e67df" | base64MWYyZDFlMmU2N2Rm
apiVersion: v1kind: Secretmetadata:
name: mysecrettype: Opaquedata:
username: YWRtaW4=password: MWYyZDFlMmU2N2Rm
kubectl create -f ./secret.yaml
![Page 20: Security best practices for kubernetes deployment](https://reader034.vdocuments.us/reader034/viewer/2022042707/58d1044a1a28ab823e8b4931/html5/thumbnails/20.jpg)
NETWORKING
![Page 21: Security best practices for kubernetes deployment](https://reader034.vdocuments.us/reader034/viewer/2022042707/58d1044a1a28ab823e8b4931/html5/thumbnails/21.jpg)
21
IMPLEMENT NETWORK SEGMENTATION “Good neighbor” compromised application is a door
open into cluster Network segmentation Ensures that container can communicate only with
whom it must
![Page 22: Security best practices for kubernetes deployment](https://reader034.vdocuments.us/reader034/viewer/2022042707/58d1044a1a28ab823e8b4931/html5/thumbnails/22.jpg)
22
IMPLEMENT NETWORK SEGMENTATION Cross-cluster segmentation can be achieved using
firewall rules “dynamic” nature of container network identities
makes container network segmentation a true challenge
Kubernetes Network SIG works on pod-to-pod network policies Currently only ingress policies can be defined
![Page 23: Security best practices for kubernetes deployment](https://reader034.vdocuments.us/reader034/viewer/2022042707/58d1044a1a28ab823e8b4931/html5/thumbnails/23.jpg)
23
IMPLEMENT NETWORK SEGMENTATION: EXAMPLE Enable using an annotation on the Namespacekind: NamespaceapiVersion: v1metadata: annotations: net.beta.kubernetes.io/network-policy: | { "ingress": {
"isolation": "DefaultDeny" } }
kubectl annotate ns <namespace> "net.beta.kubernetes.io/network-policy={\"ingress\": {\"isolation\": \"DefaultDeny\"}}"
![Page 24: Security best practices for kubernetes deployment](https://reader034.vdocuments.us/reader034/viewer/2022042707/58d1044a1a28ab823e8b4931/html5/thumbnails/24.jpg)
24
IMPLEMENT NETWORK SEGMENTATION: EXAMPLEapiVersion: extensions/v1beta1kind: NetworkPolicymetadata:
name: test-network-policy namespace: default
spec:podSelector:matchLabels:role: db
ingress:- from:- namespaceSelector:matchLabels:project: myproject- podSelector:matchLabels:role: frontendports: - protocol: tcpport: 6379
kubectl create -f policy.yaml
![Page 25: Security best practices for kubernetes deployment](https://reader034.vdocuments.us/reader034/viewer/2022042707/58d1044a1a28ab823e8b4931/html5/thumbnails/25.jpg)
RUNTIME
![Page 26: Security best practices for kubernetes deployment](https://reader034.vdocuments.us/reader034/viewer/2022042707/58d1044a1a28ab823e8b4931/html5/thumbnails/26.jpg)
26
RUNTIME Implement “least privileges” principal Security Context control security parameters to be assigned
Pod Containers
Pod Security Policy Consider Kubernetes admission controllers:
“DenyEscalatingExec” – for containers/pods with elevated privileges “ImagePolicyWebhook” – Kubernetes support to plug external image
reviewer “AlwaysPullImages” – in multitenant cluster
![Page 27: Security best practices for kubernetes deployment](https://reader034.vdocuments.us/reader034/viewer/2022042707/58d1044a1a28ab823e8b4931/html5/thumbnails/27.jpg)
27
SECURITY CONTEXTSecurity Context Setting Description
SecurityContext->runAsNonRoot Indicates that containers should run as non-root user
SecurityContext->Capabilities Controls the Linux capabilities assigned to the container.
SecurityContext->readOnlyRootFilesystem Controls whether a container will be able to write into the root filesystem.
PodSecurityContext->runAsNonRoot Prevents running a container with ‘root’ user as part of the pod
![Page 28: Security best practices for kubernetes deployment](https://reader034.vdocuments.us/reader034/viewer/2022042707/58d1044a1a28ab823e8b4931/html5/thumbnails/28.jpg)
28
SECURITY CONTEXT: EXAMPLEapiVersion: v1kind: Podmetadata: name: hello-worldspec: containers:# specification of the pod’s containers# ...securityContext:
readOnlyRootFilesystem: truerunAsNonRoot: true
![Page 29: Security best practices for kubernetes deployment](https://reader034.vdocuments.us/reader034/viewer/2022042707/58d1044a1a28ab823e8b4931/html5/thumbnails/29.jpg)
29
IMAGE POLICY WEBHOOK api.imagepolicy.v1alpha1.ImageReview object
describing the action Fields describing the containers being admitted, as
well as any pod annotations that match *.image-policy.k8s.io/*
![Page 30: Security best practices for kubernetes deployment](https://reader034.vdocuments.us/reader034/viewer/2022042707/58d1044a1a28ab823e8b4931/html5/thumbnails/30.jpg)
30
IMAGE POLICY WEBHOOK: EXAMPLE{ "apiVersion":"imagepolicy.k8s.io/v1alpha1", "kind":"ImageReview", "spec":{ "containers":[ { "image":"myrepo/myimage:v1“ }, { "image":"myrepo/myimage@sha256:beb6bd6a68f114c1dc2ea4b28db81bdf91de202a9014972bec5e4d9171d90ed“ } ], "annotations":[ "mycluster.image-policy.k8s.io/ticket-1234": "break-glass“ ], "namespace":"mynamespace“ }}
![Page 31: Security best practices for kubernetes deployment](https://reader034.vdocuments.us/reader034/viewer/2022042707/58d1044a1a28ab823e8b4931/html5/thumbnails/31.jpg)
31
MONITORING AND VISIBILITY Log everything Cluster-based logging
Log container activity into a central log hub. Use Fluentd agent on each node Ingested logs using
Google Stackdriver Logging Elasticsearch
Viewed with Kibana.
![Page 32: Security best practices for kubernetes deployment](https://reader034.vdocuments.us/reader034/viewer/2022042707/58d1044a1a28ab823e8b4931/html5/thumbnails/32.jpg)
SUMMARY
![Page 33: Security best practices for kubernetes deployment](https://reader034.vdocuments.us/reader034/viewer/2022042707/58d1044a1a28ab823e8b4931/html5/thumbnails/33.jpg)
33
SECURITY ALIGNED WITH DEVOPS
Build Ship Cluster Environmen
t
Networking and
Runtime
Monitoring
Production
Dev. / Testing
Only vetted code can be used for buildScan images against known vulnerabilities
Use private registriesOnly approved images are pushed
Only use kubectlFine-grained-access control to resourcesCreate administrative boundaries and assign resource quotasManage your secrets
Implement “least privileges” principalIsolate container networks in logical application groups
Log everythingIntegrates with SIEM and monitoring systems
![Page 34: Security best practices for kubernetes deployment](https://reader034.vdocuments.us/reader034/viewer/2022042707/58d1044a1a28ab823e8b4931/html5/thumbnails/34.jpg)
THANK YOUMichael [email protected]@chernymihttps://www.aquasec.com