![Page 1: Kubernetes Security Best Practices CNCF Webinar Series · CNCF Webinar Series Kubernetes Security Best Practices Connor Gorman, Principal Engineer, StackRox 11 March 2020](https://reader036.vdocuments.site/reader036/viewer/2022062603/5f0d11f47e708231d43887bb/html5/thumbnails/1.jpg)
CNCF Webinar Series
Kubernetes Security Best Practices
Connor Gorman, Principal Engineer, StackRox
11 March 2020
2©2020 StackRox. All rights reserved.
What we’ll cover
• General Kubernetes hygiene
• Workload best practices
• Demo
• Questions?
What are we doing here?
Scratch that … Kubernetes is here!
Kubernetes Hygiene
Upgrade to a current version!
Kubernetes-Announce Google Group
Keep up to date with security and major API announcements: https://groups.google.com/forum/#!forum/kubernetes-announce
Harden Node Security
Control network access to sensitive ports.
Make sure that your network restricts access to ports used by kubelet, including 10250 and 10255. Consider limiting access to the Kubernetes API server except from trusted networks.
Harden Node Security
Minimize administrative access to Kubernetes nodes.
Access to the nodes in your cluster should generally be restricted — debugging and other tasks can usually be handled without direct access to the node.
Enable Role-Based Access Control
Control who can access the Kubernetes API and what permissions they have.
Workload Best Practices
Contextualizing Risk
How can we think about Risk?
Leverage Namespaces
• Great for resource usage tracking
• Allows RBAC to be finely-tuned
• Allows for generic network policies and network segmentation
• Makes kubectl results more sane
Leverage Network Policies
• Pod-centric firewalling - Pod A can/can’t talk to Pod B
• Generic policies on Ingress/Egress can help ensure fine-grained connections
• Namespace isolation helps ensure compliance especially in multi-tenant environments
Challenges
• What if my environment already exists?
• How can I scale network policies at my organization?
• How do I make sure that developers are enabled to build their own network policies?
Visualize Network Traffic and Policies
Slim down your images
• Go distroless or use lightweight base images
• Remove package managers and network utilities
• Remove filesystem modification utilities (chmod, chown)
• Scan and enforce to prevent them from entering your environment again
...how do I debug now?
Looking ahead to Ephemeral Containers!
• Alpha as of 1.16! So use with caution
• Allows binding of a new container to an existing Pod to facilitate the execution of debugging commands, network utilities, etc.
• Images no longer have to include: curl, apt, bash, or other utilities
Demo
Configurations to explore
• Read-only root file system
• Linux capabilities
• Network policies
• Host mounts
• Disable service account auto-mount
• Environment
• Resource requirements
Read-only filesystem
```yaml
securityContext:
  readOnlyRootFilesystem: true
volumes:
- emptyDir: {}
  name: varlog
```
readOnlyRootFilesystem: true specifies a read-only FS.
The emptyDir volume creates a RAM based empty-dir.
Example: Stopping a Struts exploit
Deploying a vulnerable container (with R/W root FS)
Example: Stopping a Struts exploit
The exploit works — we can download and run minerd.
Can my app be read-only?
```text
$ docker diff k8s_nginx_nginx-7db9fccd9b-xyz
C /run
A /run/nginx.pid
A /run/secrets
A /run/secrets/kubernetes.io
A /run/secrets/kubernetes.io/serviceaccount
C /var
C /var/cache
C /var/cache/nginx
A /var/cache/nginx/client_temp
A /var/cache/nginx/fastcgi_temp
A /var/cache/nginx/proxy_temp
A /var/cache/nginx/scgi_temp
A /var/cache/nginx/uwsgi_temp
```
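The listing above answers "where does the app write?"; the next step is turning it into the emptyDir mounts a read-only root filesystem needs. The following is an added example (not from the deck or StackRox) that parses `docker diff` output, keeps only the directories the application itself writes into, and renders the matching volume spec. It assumes that everything under /run/secrets was created by the kubelet's service-account mount, and the sample diff is constructed from the slide.

```python
import posixpath

# Constructed sample in the format `docker diff <container>` prints (A added,
# C changed, D deleted), mirroring the nginx listing above.
DOCKER_DIFF = """\
C /run
A /run/nginx.pid
A /run/secrets
A /run/secrets/kubernetes.io
A /run/secrets/kubernetes.io/serviceaccount
C /var
C /var/cache
C /var/cache/nginx
A /var/cache/nginx/client_temp
A /var/cache/nginx/fastcgi_temp
"""

# Assumption: /run/secrets is written by the kubelet's token mount, not by the app.
RUNTIME_PATHS = ("/run/secrets",)

def parse_diff(text):
    entries = {}
    for line in text.splitlines():
        if line.strip():
            kind, path = line.split(None, 1)
            entries[path] = kind
    return entries

def writable_mounts(text):
    """Directories the app actually writes into, i.e. where emptyDirs must go."""
    entries = parse_diff(text)
    mounts = set()
    for path, kind in entries.items():
        if path.startswith(RUNTIME_PATHS):
            continue
        # A 'C' directory with changed descendants is only marked because of them.
        if kind == "C" and any(p.startswith(path + "/") for p in entries):
            continue
        parent = posixpath.dirname(path)
        if parent != "/":
            mounts.add(parent)
    # One emptyDir covers everything under it, so drop nested mount points.
    return sorted(m for m in mounts if not any(m.startswith(o + "/") for o in mounts))

def render_volume_spec(mounts):
    """YAML fragment with one emptyDir per writable directory."""
    names = [f"writable-{i}" for i in range(len(mounts))]
    out = ["volumeMounts:"] + [f"- name: {n}\n  mountPath: {m}" for n, m in zip(names, mounts)]
    out += ["volumes:"] + [f"- name: {n}\n  emptyDir: {{}}" for n in names]
    return "\n".join(out)
```

Paste the rendered fragment into the container and Pod spec alongside readOnlyRootFilesystem: true, then re-run the diff to confirm nothing else needs to be writable.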
Example: Stopping a Struts exploit
After declaring a VOLUME for /usr/local/tomcat, and opting in to a read-only root FS:
Linux Capabilities
Split root superpowers into a series of capabilities such as
- CAP_FOWNER (used by chmod)
- CAP_CHOWN (used by chown)
- CAP_NET_RAW (used by ping)
Linux Capabilities
Example: Capabilities dropped
```yaml
securityContext:
  capabilities:
    drop:
    - all
```
```text
minerd
tar: minerd: Cannot change ownership to uid 1000, gid 1000: Operation not permitted
tar: Exiting with failure status due to previous errors
```
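The settings from the "Configurations to explore" list, the read-only root FS snippet and the dropped-capabilities snippet above are easy to check mechanically. The following is an added example (not the deck's or StackRox's code) that audits the JSON `kubectl get pod <name> -o json` returns for those settings; both Pod documents are constructed samples, one weak and one with the recommendations applied.

```python
import json

# Constructed sample, in the shape `kubectl get pod <name> -o json` returns, trimmed
# to the fields the audit reads. It deliberately violates most of the settings.
WEAK_POD = json.loads("""
{"spec": {
  "automountServiceAccountToken": true,
  "volumes": [{"name": "dockersock", "hostPath": {"path": "/var/run/docker.sock"}}],
  "containers": [{
    "name": "web",
    "securityContext": {"readOnlyRootFilesystem": false,
                        "capabilities": {"add": ["NET_RAW"]}},
    "resources": {"limits": {"cpu": "500m"}}}]}}
""")

# The same Pod with the deck's recommendations applied.
HARDENED_POD = json.loads("""
{"spec": {
  "automountServiceAccountToken": false,
  "volumes": [{"name": "varlog", "emptyDir": {}}],
  "containers": [{
    "name": "web",
    "securityContext": {"readOnlyRootFilesystem": true,
                        "capabilities": {"drop": ["ALL"]}},
    "resources": {"limits": {"cpu": "500m", "memory": "128Mi"}}}]}}
""")

def audit_pod(pod):
    """Return one finding per violated setting; an empty list means the Pod passes."""
    spec = pod.get("spec", {})
    findings = []
    if spec.get("automountServiceAccountToken", True):   # unset means true
        findings.append("pod: service account token is auto-mounted")
    for vol in spec.get("volumes", []):
        if "hostPath" in vol:
            findings.append(f"pod: hostPath volume {vol['name']} -> {vol['hostPath'].get('path')}")
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        name, sc = c["name"], c.get("securityContext") or {}
        if not sc.get("readOnlyRootFilesystem", False):
            findings.append(f"{name}: root filesystem is writable")
        caps = sc.get("capabilities") or {}
        if "ALL" not in {x.upper() for x in caps.get("drop", [])}:
            findings.append(f"{name}: capabilities not dropped (drop: [ALL] missing)")
        if caps.get("add"):
            findings.append(f"{name}: capabilities added back: {caps['add']}")
        limits = (c.get("resources") or {}).get("limits") or {}
        for res in ("cpu", "memory"):
            if res not in limits:
                findings.append(f"{name}: no {res} limit")
    return findings
```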
Network Policies
```yaml
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: web-allow-all-ns-monitoring
spec:
  podSelector:
    matchLabels:
      app: web
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          team: operations
      podSelector:
        matchLabels:
          type: monitoring
```
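The policy above puts namespaceSelector and podSelector in one `from` item, so both must match (monitoring pods in operations namespaces). Splitting them into two items turns that into an OR, which is the mistake behind many over-permissive policies and bears on the "Leverage Network Policies" challenges earlier. The following is an added example (not the deck's or StackRox's code) that evaluates both shapes against sample sources; the policy dict is the slide's YAML as a parser would return it, the namespace "default" and the sample pods are assumptions, and only matchLabels (not matchExpressions or ipBlock) is modelled.

```python
import copy

# The slide's NetworkPolicy as the dict a YAML parser would hand back (constructed
# inline so this runs without PyYAML); namespace "default" is an assumption.
POLICY_AND = {
    "metadata": {"name": "web-allow-all-ns-monitoring", "namespace": "default"},
    "spec": {"podSelector": {"matchLabels": {"app": "web"}},
             "ingress": [{"from": [
                 {"namespaceSelector": {"matchLabels": {"team": "operations"}},
                  "podSelector": {"matchLabels": {"type": "monitoring"}}}]}]}}

# The common mistake: the same two selectors as two list items (OR, not AND).
POLICY_OR = copy.deepcopy(POLICY_AND)
_peer = POLICY_OR["spec"]["ingress"][0]["from"][0]
POLICY_OR["spec"]["ingress"][0]["from"] = [
    {"namespaceSelector": _peer["namespaceSelector"]},
    {"podSelector": _peer["podSelector"]}]

def _matches(selector, labels):
    """matchLabels only; an empty or absent selector matches everything."""
    wanted = (selector or {}).get("matchLabels", {})
    return all(labels.get(k) == v for k, v in wanted.items())

def ingress_allowed(policy, src):
    """Would a pod described by src (namespace, ns_labels, labels) be admitted?
    Assumes the destination is selected by spec.podSelector and no other policy applies."""
    policy_ns = policy["metadata"]["namespace"]
    for rule in policy["spec"].get("ingress", []):
        if "from" not in rule:          # a rule without 'from' admits any source
            return True
        for peer in rule["from"]:
            ns_sel, pod_sel = peer.get("namespaceSelector"), peer.get("podSelector")
            if ns_sel is None and pod_sel is None:   # ipBlock peers are not modelled
                continue
            # podSelector on its own is scoped to the policy's own namespace.
            ns_ok = (_matches(ns_sel, src["ns_labels"]) if ns_sel is not None
                     else src["namespace"] == policy_ns)
            if ns_ok and _matches(pod_sel, src["labels"]):
                return True
    return False

# Constructed sources: a monitoring pod in the ops namespace, a batch job there,
# and a monitoring pod in the policy's own namespace.
OPS_MON = {"namespace": "ops", "ns_labels": {"team": "operations"}, "labels": {"type": "monitoring"}}
OPS_BATCH = {"namespace": "ops", "ns_labels": {"team": "operations"}, "labels": {"type": "batch"}}
LOCAL_MON = {"namespace": "default", "ns_labels": {}, "labels": {"type": "monitoring"}}
```

Under POLICY_AND only OPS_MON is admitted; under POLICY_OR the batch job and the local monitoring pod get in as well, which is why reviewing the indentation of `from` entries belongs in any network policy review.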
Security is Hard!
Let’s chat
Think of a question [email protected]
Want to learn more? https://www.stackrox.com/
We’re hiring!