CNCF Webinar:
Operationalizing Kubernetes Security Best Practices
Connor Gilbert
26 March 2019
What we’ll cover
● How does Kubernetes change security?
● How does cooperation work in a Kubernetes stack?
● What can I do to improve the security of:
  ○ My infrastructure?
  ○ My applications?
● What are some Kubernetes controls I could consider adopting?
How does Kubernetes change security?
“Move fast,” they said
http://www.newseum.org/exhibits/current/conus-1-satellite-truck/
Most people use defaults — but you don’t have to.
apiVersion: apps/v1 kind: Deployment spec: replicas: 1 template: spec: containers: - name: server image: my-app:1.0.0-1-g123456+ securityContext:+ capabilities:+ drop: ["NET_RAW"]+ readOnlyRootFilesystem: true+---+apiVersion: networking.k8s.io/v1+kind: NetworkPolicy+metadata:+ name: allow-server-https+spec:+ ingress:+ - ports:+ - port: 443+ protocol: TCP
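Review bot: In the added NetworkPolicy (allow-server-https), spec carries only ingress and no podSelector; that field is required in networking.k8s.io/v1 and is what ties the policy to the server pods, so add one that matches the Deployment's pod labels (the template shown carries no labels yet either). In the securityContext lines only NET_RAW is dropped; if the container needs no other capabilities, consider dropping all of them and adding back only what is required.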
apiVersion: apps/v1
kind: Deployment
spec:
  replicas: 1
  template:
    spec:
      containers:
      - name: server
        image: my-app:1.0.0-1-g123456
Test your security like your app
How does cooperation work in a Kubernetes stack?
“Things move too fast for my security team to keep up! I’m afraid we’ll miss something.”
“I don’t want this security feature deployed in my cluster! I’m afraid it will stop me from recovering from an outage.”
What can I do to improve the security of my infrastructure?
Good infrastructure habits
● Be ready to upgrade
  ○ You may need to do this on short notice!
● Automate, automate, automate
● Keep the abstractions tight — no leaks
● Think carefully about API access control
What can I do to improve the security of my applications?
Workload data
Who runs this?
What is it?
What code is it?
What can it access?
How is it exposed?
Workload data, zooming in
What will run?
Any guardrails?
With which privileges?
With a writable FS?
What’s the env like?
Any disk or secrets?
“Not pictured”
A complete spec may also include:
● Network Policies
● Storage
● Configuration Maps
● Health Check Procedures
● Custom Resources
● More?
Kubernetes context
Good application habits
● Have a “style guide”
● Apply metadata consistently
● Know your images
● Plan for replicas to be killed in case of compromise
● Establish secure practices early
  ○ Workload configurations
  ○ Network policies
...and how to enforce them
Options include:
● Pod Security Policies
● Custom admission controllers
● Ongoing monitoring and analysis
But, remember the user experience when choosing what to enforce, and where.
What are some specific security controls I might consider?
Configurations to explore
● Read-only root file system
● Linux capabilities
● Network policies
● Host mounts
● Disable service account auto-mount
● Environment
● Resource requirements
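One way to check a workload against the list above before it reaches the cluster, written as an added example (not code from the webinar or from any Kubernetes project): it inspects a Deployment, already parsed into a dict, for five of the listed settings and leaves network policies out because they live in a separate object. The function names, finding strings, sample manifests and the secret-name heuristic are assumptions made for illustration.

```python
SECRET_HINTS = ("PASSWORD", "SECRET", "TOKEN", "KEY")  # heuristic, an assumption

def audit_deployment(deploy):
    """Return sorted findings for controls the pod spec leaves at defaults."""
    pod = deploy["spec"]["template"]["spec"]
    findings = []
    # The service account token is mounted unless explicitly disabled.
    if pod.get("automountServiceAccountToken", True):
        findings.append("pod: service account token auto-mounted")
    # hostPath volumes expose the node's file system to the workload.
    for vol in pod.get("volumes", []):
        if "hostPath" in vol:
            findings.append(f"pod: host mount {vol['hostPath'].get('path')}")
    for c in pod.get("containers", []):
        name, sc = c["name"], c.get("securityContext", {})
        if not sc.get("readOnlyRootFilesystem", False):
            findings.append(f"{name}: root file system is writable")
        dropped = {d.upper() for d in sc.get("capabilities", {}).get("drop", [])}
        if "ALL" not in dropped:
            findings.append(f"{name}: capabilities not all dropped")
        limits = c.get("resources", {}).get("limits", {})
        if not {"cpu", "memory"} <= set(limits):
            findings.append(f"{name}: no cpu/memory limits")
        # Literal values for secret-looking variables live in the manifest.
        for env in c.get("env", []):
            if "value" in env and any(h in env["name"].upper() for h in SECRET_HINTS):
                findings.append(f"{name}: literal secret in env {env['name']}")
    return sorted(findings)

def deployment(pod_spec):
    """Wrap a pod spec in the abbreviated Deployment shape used on the slide."""
    return {"apiVersion": "apps/v1", "kind": "Deployment",
            "spec": {"replicas": 1, "template": {"spec": pod_spec}}}

# Constructed sample input: the slide's default container, then a hardened one.
DEFAULT = deployment({"containers": [
    {"name": "server", "image": "my-app:1.0.0-1-g123456"}]})
HARDENED = deployment({
    "automountServiceAccountToken": False,
    "containers": [{
        "name": "server", "image": "my-app:1.0.0-1-g123456",
        "securityContext": {"readOnlyRootFilesystem": True,
                            "capabilities": {"drop": ["all"]}},
        "resources": {"limits": {"cpu": "500m", "memory": "256Mi"}},
    }]})

if __name__ == "__main__":
    for label, manifest in (("default", DEFAULT), ("hardened", HARDENED)):
        print(label, audit_deployment(manifest) or "no findings")
```

The same function can run in a CI step over rendered manifests, which keeps the feedback in front of the developer rather than at admission time.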
Demo: Stopping a Struts exploit
Deploying a vulnerable container (with R/W root FS)
Demo: Stopping a Struts exploit
The exploit works — we can download and run minerd.
Can my app be read-only?
Demo: Stopping a Struts exploit
After declaring a VOLUME for /usr/local/tomcat, and opting in for a read-only root FS:
Linux capabilities
securityContext:
  capabilities:
    drop:
    - all
minerd
tar: minerd: Cannot change ownership to uid 1000, gid 1000: Operation not permitted
tar: Exiting with failure status due to previous errors
Demo: Capabilities dropped
Network policies
What next?
Have a question now?
Ask in Zoom!
Think of one [email protected]
@connorgilbert
Want to learn more?
https://stackrox.com/cncf/