Kubernetes Runtime Security - Jfokus (@MimmingCodes -- mimming.com)

Post on 29-Jan-2021

TRANSCRIPT

  • @MimmingCodes -- mimming.com

    Kubernetes Runtime Security

  • About me

    Jen Tong, Security Advocate, Google Cloud Platform

    @MimmingCodes -- mimming.com

    https://twitter.com/MimmingCodes
    https://mimming.com

  • How many of you

    ● use Kubernetes in production?
    ● use containers?
    ● are security engineers?
    ● have gotten a shell on a system?
    ● have ever discovered a long ago compromised system?

  • @MimmingCodes -- mimming.com

    Agenda

    Security overview

    Containers & Kubernetes

    Impact on security

    Demo of a sad day

    Fix low hanging fruit

    Discuss higher up fruit

  • Security overview: offense vs defense

  • @MimmingCodes -- mimming.com

    Offensive Security

    Goal

    Integrity / Availability / Confidentiality

    Defensive measure

    Intermediate resources

    Kill chain

  • @MimmingCodes -- mimming.com

    It feels like development on a terrible API

  • @MimmingCodes -- mimming.com

    Defensive security

    Goal

    Lessons

  • Containers & Kubernetes… or as much as I can cover in 5 min

  • @MimmingCodes -- mimming.com

    The promises of virtualization, but it actually works

  • @MimmingCodes -- mimming.com

    Virtualization

    Hardware → Host OS → Guest OS → Libraries → Application

    (a second Guest OS → Libraries → Application stack sits beside the first; every VM carries its own guest OS)

  • @MimmingCodes -- mimming.com

    Containers

    Hardware → Host OS → Libraries → Application

    (a second Libraries → Application stack sits beside the first; all containers share the host kernel)

  • @MimmingCodes -- mimming.com

    Lots of containers

  • @MimmingCodes -- mimming.com

    Nodes

  • @MimmingCodes -- mimming.com

    Pods

  • @MimmingCodes -- mimming.com

    Management infrastructure

    Master: etcd, scheduler, controllers, apiserver

    Nodes: kubelet

  • @MimmingCodes -- mimming.com

    All together

    Users → UI / CLI / API → apiserver

    Master (etcd, scheduler, controllers, apiserver) → Nodes

  • Impact on security: Containerization changes some stuff

  • @MimmingCodes -- mimming.com

    Dynamic

  • @MimmingCodes -- mimming.com

    Some things are harder for both sides

    ● Offense
      ○ Kill chains have less time to execute
      ○ More layers to break out of

    ● Defence
      ○ Old tricks don't work as well
      ○ More complexity -- bigger attack surface

  • @MimmingCodes -- mimming.com

    Development

    Deployment

    Runtime

  • @MimmingCodes -- mimming.com

    During development

    Tools for securely building containerized services

    ● Identity, RBAC (role based access control)
    ● Secure inter-service communication
    ● Secret access control & rotation

  • @MimmingCodes -- mimming.com

    During deployment

    Secure supply chain to prevent threats from entering

    ● Detect known vulnerabilities in dependencies
    ● Add metadata to images
    ● Verify the build pipeline

  • @MimmingCodes -- mimming.com

    During runtime

    Detect and respond to threats in running containers

    ● Proper configuration
    ● Security context
    ● Security centric monitoring

  • Demo: of a really bad day :(

  • Low hanging fruit

  • @MimmingCodes -- mimming.com

    Never do this

    $ kubectl create -f https://foo.com/bar.yml
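    The safe alternative to the command above, as an added example that is not from the talk: fetch the manifest once, read it, pin its SHA-256 beside it in version control, and let automation apply only a copy whose digest still matches. It assumes `sha256sum` (or `shasum`) is installed and, for `safe_apply` only, `kubectl`; the URL and file names are placeholders.

```shell
#!/bin/sh
# Added example (not from the talk): pin-then-apply instead of applying a URL.
# Assumes sha256sum or shasum; kubectl is only needed by safe_apply.

# Print the SHA-256 hex digest of a file, using whichever tool is installed.
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Return 0 when the file's digest equals the pinned digest, 1 otherwise.
verify_manifest() {
    actual=$(file_sha256 "$1")
    [ "$actual" = "$2" ]
}

# Apply a local, already reviewed manifest only if it still matches the digest
# recorded at review time. Any change to the file, upstream or local, blocks
# the apply until someone re-reads and re-pins it.
safe_apply() {
    if verify_manifest "$1" "$2"; then
        kubectl apply -f "$1"
    else
        echo "refusing to apply $1: SHA-256 does not match pinned value" >&2
        return 1
    fi
}

# One-time review step, done by a person rather than a pipeline (placeholder URL):
#   curl -fsSLo bar.yml https://foo.com/bar.yml
#   less bar.yml                       # read every resource it would create
#   file_sha256 bar.yml > bar.yml.sha256
#   git add bar.yml bar.yml.sha256
# Later, in CI or on a workstation:
#   ./safe_apply.sh apply bar.yml "$(cat bar.yml.sha256)"
case "${1:-}" in
    apply) safe_apply "$2" "$3" ;;
esac
```

    The digest check is deliberately separate from `kubectl` so it can run in a pre-apply CI step and be exercised without a cluster.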

  • @MimmingCodes -- mimming.com

    Disable the Kubernetes Dashboard

  • @MimmingCodes -- mimming.com

    Restrict the GCP service account

    ● Currently has project editor permission
    ● Only need a few narrow permissions
      ○ monitoring.viewer
      ○ monitoring.metricWriter
      ○ logging.logWriter
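    The three roles above, turned into a least-privilege node service account as an added example that is not part of the talk: the script creates a dedicated account, binds exactly those roles, and attaches it to a new node pool so workloads can be moved off the pool that runs with the default (project editor) account. `gcloud` is assumed to be installed and authenticated; the project, cluster, zone and account names are placeholders, and `DRY_RUN=1` prints the commands instead of running them.

```shell
#!/bin/sh
# Added example (not from the talk): a GKE node service account with only the
# roles the slide lists. PROJECT_ID, CLUSTER, ZONE and SA_NAME are placeholders.

PROJECT_ID=${PROJECT_ID:-my-project-placeholder}
CLUSTER=${CLUSTER:-my-cluster-placeholder}
ZONE=${ZONE:-europe-north1-a}
SA_NAME=${SA_NAME:-gke-node-minimal}
SA_EMAIL="$SA_NAME@$PROJECT_ID.iam.gserviceaccount.com"

# The only roles node VMs need to ship logs and metrics (from the slide).
minimal_roles() {
    printf '%s\n' roles/monitoring.viewer roles/monitoring.metricWriter roles/logging.logWriter
}

# Execute a command, or only print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Create the account and grant exactly the minimal roles, nothing broader.
create_minimal_sa() {
    run gcloud iam service-accounts create "$SA_NAME" \
        --project "$PROJECT_ID" --display-name "GKE node SA (least privilege)"
    for role in $(minimal_roles); do
        run gcloud projects add-iam-policy-binding "$PROJECT_ID" \
            --member "serviceAccount:$SA_EMAIL" --role "$role"
    done
}

# New node pool that boots with the restricted account. Drain and delete the
# old pool once workloads have moved; the editor-level account goes with it.
create_restricted_node_pool() {
    run gcloud container node-pools create restricted-pool \
        --cluster "$CLUSTER" --zone "$ZONE" --project "$PROJECT_ID" \
        --service-account "$SA_EMAIL"
}

case "${1:-}" in
    sa) create_minimal_sa ;;
    pool) create_restricted_node_pool ;;
esac
```

    Keeping the role list in one function makes the intended permission set reviewable in a diff; anything that later needs more than these three roles should be a separate workload identity, not an addition to the node account.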

  • @MimmingCodes -- mimming.com

    Network policies

    So an attacker can't hop between pods

    Great list of examples: https://github.com/ahmetb/kubernetes-network-policy-recipes
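    A concrete starting point, added here and not taken from the talk or from the recipes repository: deny all traffic in a namespace, re-allow DNS, then open exactly one path between two labelled apps. The namespace, app labels and port are placeholders; the `kubernetes.io/metadata.name` namespace label is assumed (Kubernetes sets it automatically from 1.21, older clusters need it applied by hand), and `DRY_RUN=1` prints the manifests instead of applying them.

```shell
#!/bin/sh
# Added example (not from the talk): namespace lockdown with NetworkPolicy.
# Namespace, labels and port are placeholders supplied as arguments.

# Apply stdin with kubectl, or just print it when DRY_RUN=1.
kubectl_apply() {
    if [ "${DRY_RUN:-0}" = "1" ]; then cat; else kubectl apply -f -; fi
}

# Deny all ingress and egress for every pod in the namespace. An empty
# podSelector matches all pods; listing both policyTypes makes the deny
# apply in both directions even though no rules are given.
default_deny() {
    ns=$1
    kubectl_apply <<EOF
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: $ns
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  - Egress
EOF
}

# Almost everything needs name resolution, so allow egress to kube-dns only.
# Assumes the kubernetes.io/metadata.name label on the kube-system namespace.
allow_dns_egress() {
    ns=$1
    kubectl_apply <<EOF
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-dns-egress
  namespace: $ns
spec:
  podSelector: {}
  policyTypes:
  - Egress
  egress:
  - to:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: kube-system
      podSelector:
        matchLabels:
          k8s-app: kube-dns
    ports:
    - protocol: UDP
      port: 53
    - protocol: TCP
      port: 53
EOF
}

# Let pods labelled app=<client> reach pods labelled app=<server> on one port.
# Nothing else in the namespace can, so a compromised pod cannot hop to it.
allow_client_to_server() {
    ns=$1; client=$2; server=$3; port=$4
    kubectl_apply <<EOF
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-$client-to-$server
  namespace: $ns
spec:
  podSelector:
    matchLabels:
      app: $server
  policyTypes:
  - Ingress
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: $client
    ports:
    - protocol: TCP
      port: $port
EOF
}

# Usage: ./netpol.sh lockdown <namespace>
#        ./netpol.sh allow <namespace> <client-app> <server-app> <port>
case "${1:-}" in
    lockdown) default_deny "$2"; allow_dns_egress "$2" ;;
    allow) allow_client_to_server "$2" "$3" "$4" "$5" ;;
esac
```

    Policies only take effect when the cluster's network plugin enforces them; after applying a default-deny, confirm with a test pod that a connection which should now fail actually does.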

  • Demo 2.0

  • Higher up fruit: if you have more time

  • @MimmingCodes -- mimming.com

    Security context

    Further restrict permissions with

    ● AppArmor
    ● SELinux
    ● Seccomp

    https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
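    An added example, not from the talk or the Kubernetes docs page, of what those restrictions look like in a pod manifest: non-root user, all capabilities dropped, no privilege escalation, read-only root filesystem, the runtime's default seccomp profile and the runtime's default AppArmor profile (set here through the annotation form that predates the 1.30 `appArmorProfile` field). A small `check_manifest` function shows the kind of gate a CI step can apply. The pod name and image are placeholders, and `DRY_RUN=1` prints the manifest instead of applying it.

```shell
#!/bin/sh
# Added example (not from the talk): a pod with a restrictive security context.
# Pod name and image are placeholders supplied as arguments.

# Apply stdin with kubectl, or just print it when DRY_RUN=1.
kubectl_apply() {
    if [ "${DRY_RUN:-0}" = "1" ]; then cat; else kubectl apply -f -; fi
}

# The AppArmor annotation names the container after the slash and must match
# the container name below; the profile must already be loaded on the node
# (runtime/default is the container runtime's own profile).
hardened_pod() {
    name=$1; image=$2
    kubectl_apply <<EOF
apiVersion: v1
kind: Pod
metadata:
  name: $name
  annotations:
    container.apparmor.security.beta.kubernetes.io/app: runtime/default
spec:
  securityContext:
    runAsNonRoot: true
    runAsUser: 10001
    runAsGroup: 10001
    fsGroup: 10001
    seccompProfile:
      type: RuntimeDefault
  containers:
  - name: app
    image: $image
    securityContext:
      privileged: false
      allowPrivilegeEscalation: false
      readOnlyRootFilesystem: true
      capabilities:
        drop: ["ALL"]
    volumeMounts:
    - name: tmp
      mountPath: /tmp
  volumes:
  - name: tmp
    emptyDir: {}
EOF
}

# Reject manifests (read from stdin) that still run as root, allow privilege
# escalation, or request privileged / host PID. Returns 0 on pass, 1 on fail.
# A plain-text check like this is a first gate; an admission controller is
# the place to enforce it cluster-wide.
check_manifest() {
    m=$(cat)
    echo "$m" | grep -q 'runAsNonRoot: true' || return 1
    echo "$m" | grep -q 'allowPrivilegeEscalation: false' || return 1
    if echo "$m" | grep -q 'privileged: true'; then return 1; fi
    if echo "$m" | grep -q 'hostPID: true'; then return 1; fi
    return 0
}

# Usage: ./hardened.sh apply <pod-name> <image>
case "${1:-}" in
    apply) hardened_pod "$2" "$3" ;;
esac
```

    A read-only root filesystem breaks images that write into their own tree at start-up, which is why the example mounts an `emptyDir` on `/tmp`; run the image once under these settings in a test namespace before rolling them out.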

  • @MimmingCodes -- mimming.com

    Security monitoring

    ● Hook into your cluster
    ● Log a bunch of stuff
    ● More policies
      ○ alerts
      ○ automatic remediation
      ○ forensics
    ● Mostly commercial products… for now

  • @MimmingCodes -- mimming.com

    Deployment models

    Node: kernel + user space, running pods made of containers

    Where the monitoring agent runs:
    ● Management container in its own pod (user space)
    ● Privileged container
    ● Kernel module

    What it collects:
    ● Network events
    ● System calls

    Where the events go:
    ● Ring buffer
    ● Local database
    ● Persistent disk
    ● Hosted database

  • @MimmingCodes -- mimming.com

    Open source options

    ● Sysdig
      ○ sysdig
      ○ Inspect
      ○ Falco
    ● Cilium
    ● Capsule8

    https://github.com/draios
    https://github.com/cilium/cilium
    https://github.com/capsule8

  • @MimmingCodes -- mimming.com

    What we discussed

    Security overview

    Containers & Kubernetes

    Impact on security

    Low hanging fruit

    Higher up fruit

  • @MimmingCodes -- mimming.com

    Thank you!
