Kubernetes Security 101
http://tremolo.io
https://openunison.github.io / @mlbiam / @mlbiam@fosstodon.org
Who Am I?
● CTO Tremolo Security
● Identity Management expert for 20+ years
● Experience in commercial and federal agencies
● Kubernetes since 2015
● Co-Author Kubernetes an Enterprise Guide: 2nd Ed
Agenda
● Part I - Cluster Security
○ What is Kubernetes?
○ How users access the cluster
○ How pipelines access the cluster
○ Dashboards
○ NetworkPolicies
○ Secrets
○ Node Security
○ Defense-in-Depth
○ Multi-tenancy
Agenda
● Part II - Container Security
○ How your application can be a security risk
○ Basics of a secure image
○ SBOMs
○ Farm-to-Table Supply Chain Security
What is Kubernetes?
● Scheduler - Decides which node each Pod should run on
● Kubelet - Node agent that starts and manages the containers the scheduler assigned to its node
● API Server - The front door of the cluster: users, pipelines, the scheduler and every kubelet talk to it; it authenticates and authorizes each request and stores state in etcd
How users access the cluster
● Kubernetes supports multiple authentication mechanisms:
○ Certificates
○ OpenID Connect
○ Impersonating proxy
○ TokenRequest API
○ Custom Webhooks
How users access the cluster - Certificates
● “Break Glass” authentication
● Can’t be revoked (the API server checks no CRL or OCSP, so a leaked certificate is valid until it expires)
● Hardware certificates aren’t supported
● External CAs not supported
● Groups only supported through static subject mapping
● Requires point-to-point connectivity between the client and server
How users access the cluster - OpenID Connect
● Use of a JSON Web Token (JWT)
● Bearer token
● Easily maps groups
● Should be short lived (1-2 minutes with clock skew)
● Allows for network segmentation
● Cannot be revoked, which is why the lifetime must be short
● JWT Demo
How users access the cluster - Impersonating Proxy
● Reverse proxy authenticates users
● Reverse proxy sends headers with the user’s request to tell the API server who the user is
● Impersonation proxy is responsible for authorizing inbound impersonation
● ServiceAccount for the impersonating proxy is a privileged account
● Important to tie API access back to the original request
● Impersonation Demo
How users access the cluster - TokenRequest API
● JWT issued by API Server
● Intended for identifying workloads to the API Server
● Intended for identifying workloads to external services
● Not meant for use from outside of the cluster
● Demo of a container talking to the API server
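As an added example (not the deck’s demo), a Pod manifest that uses the TokenRequest API through a projected volume instead of a mounted Secret: one token for the API server and one that is audience-bound to an external service and expires in ten minutes, the minimum the API accepts. The namespace `shop`, the ServiceAccount, the image and the `vault` audience are assumptions for illustration.

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: inventory-api
  namespace: shop                       # assumed namespace
spec:
  serviceAccountName: inventory-api     # assumed ServiceAccount
  # Don't mount the default API-server token; request only the tokens the app needs below
  automountServiceAccountToken: false
  containers:
  - name: app
    image: registry.example.com/shop/inventory-api:1.4.2   # assumed image
    volumeMounts:
    - name: tokens
      mountPath: /var/run/secrets/tokens
      readOnly: true
  volumes:
  - name: tokens
    projected:
      sources:
      # Token for the API server: with no audience set it gets the API server's own audience
      - serviceAccountToken:
          path: kube-api
          expirationSeconds: 3600
      # Token for an external service: the aud claim is "vault", so the API server
      # (and any other service) rejects it; 600s is the minimum the API allows
      - serviceAccountToken:
          path: vault
          audience: vault
          expirationSeconds: 600
```

The kubelet rewrites each file when the token is near expiry (at 80% of its TTL, or after 24 hours), so the application should re-read the file on every call rather than cache it. The tokens are bound to the Pod: once the Pod is deleted they stop validating even if they have not expired. To see what such a token looks like without a Pod, `kubectl create token inventory-api -n shop --audience vault --duration 10m` issues one through the same API.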
How users access the cluster - Custom Webhooks
● If you’re not a cloud provider, don’t do it
How users access the cluster - RBAC
● How the API server authorizes access
● Two Scopes
○ Cluster - Objects that impact everyone
○ Namespaced - Objects that are contained inside of a Namespace
■ Namespaces are Cluster scoped
● Roles/ClusterRoles → Define permissions
● RoleBindings/ClusterRoleBindings → Assign permissions
● Rights are enumerated: RBAC is allow-only
● No “negative” rights, so there is no deny rule to fall back on
● Don’t use “*” for verbs, resources or API groups
● Bindings - Groups, not Users
How users access the cluster - RBAC Aggregate Roles
● Create large Roles & ClusterRoles without maintaining large objects
● Uses labels to assemble a Role/ClusterRole from smaller Roles/ClusterRoles
● The built-in admin, edit and view ClusterRoles are assembled this way
● How to let an admin create a new instance of a CRD
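As an added example (not part of the deck) covering both RBAC slides: a namespaced Role with enumerated verbs, its RoleBinding to a group rather than a user, and an aggregated ClusterRole that lets the built-in admin and edit roles manage a custom resource. The namespace `shop`, the group `k8s-shop-operators` and the `widgets.example.com` CRD are assumptions.

```yaml
# Namespaced Role: enumerated verbs on enumerated resources, no wildcards
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: deployment-operator
  namespace: shop                     # assumed namespace
rules:
- apiGroups: ["apps"]
  resources: ["deployments"]
  verbs: ["get", "list", "watch", "update", "patch"]
- apiGroups: [""]
  resources: ["pods", "pods/log"]
  verbs: ["get", "list", "watch"]
---
# Bind to a group supplied by the identity provider (OIDC claim or impersonation header),
# never to individual users
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: shop-operators
  namespace: shop
subjects:
- kind: Group
  name: k8s-shop-operators            # assumed group name
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: deployment-operator
  apiGroup: rbac.authorization.k8s.io
---
# Aggregated ClusterRole: the labels tell the controller manager to fold these rules
# into the built-in admin and edit ClusterRoles, so those roles never need editing
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: aggregate-widgets-edit
  labels:
    rbac.authorization.k8s.io/aggregate-to-admin: "true"
    rbac.authorization.k8s.io/aggregate-to-edit: "true"
rules:
- apiGroups: ["example.com"]         # assumed CRD group
  resources: ["widgets"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
```

Verify the result from the binding’s point of view rather than your own: `kubectl auth can-i --list -n shop --as=alice --as-group=k8s-shop-operators` (impersonation needs `impersonate` rights, which cluster-admin has). After the aggregated role is created, `kubectl get clusterrole edit -o yaml` shows the widgets rule merged into the built-in role.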
How pipelines access the cluster
● Don’t use long-lived tokens
● Use a local identity to get a short-lived token
● SPIRE (project) & SPIFFE (standard)
Dashboards
● Centralized
○ Can be secured via reverse proxy and impersonation
○ Should never have a privileged identity
○ Rely on the user’s identity
● Local
○ Uses the user’s own kubectl configuration
○ Opens a local port on loopback with no TLS or authentication (kubectl proxy), so anything running as that user can reach the cluster
NetworkPolicies
● “Firewalls” of the cluster
● Control both inbound and outbound traffic
● Dependent on the CNI implementation: a CNI without policy support accepts the objects and enforces nothing
● None exist by default, so every Pod can reach every other Pod
● Important to add, starting with a default deny per namespace
● Demo of network policy
Secrets
● Stored in etcd as a base64 encoded string
○ Encoded to preserve binary data; base64 is not encryption, so anyone who can read etcd or its backups can read the Secret unless encryption at rest is enabled
● Threat model your Secrets
○ Plain Kubernetes Secrets are Fine - https://bit.ly/3K1nEcU
● Externalize Secrets
○ Mount directly to Pods
○ Synchronize Secrets
● DON’T EVER STORE SECRETS IN GIT OR HELM, EVEN WHEN ENCRYPTED
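As an added example (not from the deck) of the control-plane side of that threat model: a kube-apiserver EncryptionConfiguration that encrypts Secrets before they reach etcd, so reading the etcd data files or a backup no longer yields plaintext. The key name, the file path and the `<...>` key value are placeholders; the key material itself sits on the control-plane node and has to be protected in turn.

```yaml
# Passed to kube-apiserver as --encryption-provider-config=/etc/kubernetes/encryption.yaml (assumed path)
apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
- resources:
  - secrets
  providers:
  # The first provider is used for writes; every listed provider is tried, in order, for reads
  - aescbc:
      keys:
      - name: key-2024-03                      # assumed key name; rotate by adding a new key at the top
        secret: <base64 of 32 random bytes>    # placeholder, e.g. the output of: head -c 32 /dev/urandom | base64
  # identity is plaintext. Keeping it last lets Secrets written before encryption was
  # enabled still be read; remove it once every Secret has been rewritten
  - identity: {}
```

Enabling the config only affects new writes, so rewrite what is already stored: `kubectl get secrets --all-namespaces -o json | kubectl replace -f -`. Where a cloud or hardware KMS is available, the `kms` provider (apiVersion v2) keeps the key out of the node’s filesystem entirely.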
Node Security
● Don’t run containers as root
○ Unless you need to run a container as root
○ Init containers
● Limit, or drop all, capabilities
● You don’t need a port under 1024: listen on an unprivileged port and let the Service map 80/443 to it
● Admission Controller Webhooks - Enforce rules
● Mutating Webhooks - Enable sane defaults
● Common Tools
○ Pod Security Standards
○ OPA/GateKeeper
○ Kyverno
○ JSPolicy
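As an added example (not from the deck), the built-in route to enforcing those defaults: a Namespace labelled for Pod Security Admission at the restricted level, and a Pod that the restricted profile admits. The namespace, image and UID are assumptions; the read-only root filesystem and emptyDir scratch volume go beyond what restricted requires but match the “write only to volumes” advice in Part II.

```yaml
# Namespace opts into Pod Security Admission: reject anything outside "restricted",
# and warn/audit at the same level so violations are visible in responses and audit logs
apiVersion: v1
kind: Namespace
metadata:
  name: shop                          # assumed namespace
  labels:
    pod-security.kubernetes.io/enforce: restricted
    pod-security.kubernetes.io/enforce-version: latest
    pod-security.kubernetes.io/warn: restricted
    pod-security.kubernetes.io/audit: restricted
---
# A Pod that the restricted profile admits
apiVersion: v1
kind: Pod
metadata:
  name: inventory-api
  namespace: shop
spec:
  automountServiceAccountToken: false # no API token unless the app actually calls the API
  securityContext:
    runAsNonRoot: true                # rejected at start if the image would run as UID 0
    runAsUser: 10001                  # assumed numeric UID; no /etc/passwd entry is needed in the image
    runAsGroup: 10001
    fsGroup: 10001
    seccompProfile:
      type: RuntimeDefault            # required by restricted
  containers:
  - name: app
    image: registry.example.com/shop/inventory-api:1.4.2   # assumed image
    ports:
    - containerPort: 8080             # unprivileged port; a Service maps 80/443 to it
    securityContext:
      allowPrivilegeEscalation: false # no setuid binaries gaining privileges
      readOnlyRootFilesystem: true    # the image is immutable at runtime
      capabilities:
        drop: ["ALL"]                 # restricted allows adding back only NET_BIND_SERVICE
    volumeMounts:
    - name: scratch
      mountPath: /tmp                 # the only writable path
  volumes:
  - name: scratch
    emptyDir: {}
```

Before switching an existing namespace to enforce, `kubectl label --dry-run=server --overwrite ns shop pod-security.kubernetes.io/enforce=restricted` reports every running Pod that would be rejected, without changing anything. Pod Security Admission only covers the Pod spec; rules about images, registries or labels still need Gatekeeper, Kyverno or a custom admission webhook.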
Defense-in-depth
● Don’t rely on a single layer
● Strong Identity+RBAC+Policy Enforcement
● Multi-factor Authentication
● Short lived tokens
● Self Service
Multitenancy
● Better utilization of resources
● Manage sprawl
● “Something” needs to be multitenant
● Self Service
● Combination of all of the above
● Virtual clusters
Part II
How Your Application Can Be A Security Risk
● ServiceAccount token mounted to your Pod
● RCE from an app can lead to access to your Pod’s tokens
● Lack of sane defaults and policies leads to a container breakout
● Leaking bearer tokens
● Debug tools
○ “Distroless” containers
○ Ephemeral Containers
Basics of a Secure Image
● Switch from root
● Assume no Linux user ID: run as a numeric UID, since the image may have no /etc/passwd entry for it
● Write only to volumes
○ emptyDir for “scratch space”
● Rebuild often
● Be mindful of where you get base images from
● Take contracts and policies into consideration
Software Bill of Materials
● Multiple standards
● Stored with containers
● Signed?
Farm-to-table Supply Chain Security
(diagram: container registry, proof)
Farm-to-table Supply Chain Security
(diagram: test lab, build infrastructure)
Connect with us
● Web - https://openunison.github.io / http://tremolo.io
● Twitter - @tremolosecurity / @mlbiam
● Mastodon - @mlbiam@fosstodon.org / @tremolo@hachyderm.io
● GitHub - http://github.com/tremolosecurity/ / http://github.com/openunison/

Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfRankYa
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteDianaGray10
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 

Último (20)

Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piece
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering Tips
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clash
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdf
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 

Introduction to Kubernetes Security

2. Who Am I?
https://openunison.github.io / @mlbiam / @mlbiam@fosstodon.org
● CTO, Tremolo Security
● Identity management expert for 20+ years
● Experience in commercial and federal agencies
● Kubernetes since 2015
● Co-author, Kubernetes: An Enterprise Guide, 2nd Ed.

3. Agenda
● Part I - Cluster Security
○ What is Kubernetes?
○ How users access the cluster
○ How pipelines access the cluster
○ Dashboards
○ NetworkPolicies
○ Secrets
○ Node Security
○ Defense-in-Depth
○ Multi-tenancy

4. Agenda
● Part II - Container Security
○ How your application can be a security risk
○ Basics of a secure image
○ SBOMs
○ Farm-to-Table Supply Chain Security

5. What is Kubernetes?
● Scheduler - Determines what containers should run and where
● Kubelet - Works with the scheduler to run and manage containers
● API Server - API for interacting with the Kubelet and Scheduler

6. How users access the cluster

7. How users access the cluster
● Kubernetes supports multiple authentication mechanisms:
○ Certificates
○ OpenID Connect
○ Impersonating proxy
○ TokenRequest API
○ Custom Webhooks

8. How users access the cluster - Certificates
● “Break Glass” authentication
● Can’t be revoked
● Hardware certificates aren’t supported
● External CAs not supported
● Groups only supported through static subject mapping
● Requires point-to-point connectivity between the client and server

9. How users access the cluster - OpenID Connect
● Use of a JSON Web Token (JWT)
● Bearer token
● Easily maps groups
● Should be short lived (1-2 minutes with clock skew)
● Allows for network segmentation
● Cannot be revoked
● JWT Demo
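The OpenID Connect points above (short-lived bearer JWT, clock skew, group mapping, no revocation), as an added example that is not part of the deck: a real API server verifies the token signature against the issuer's JWKS (RS256/ES256); this block mints a constructed HS256 token so it runs offline, and the issuer, audience, key and claim names are assumptions.

```python
# Added example (not from the deck): the claim checks the API server's OIDC
# authenticator applies to a bearer JWT, with a clock-skew window, plus the
# groups-claim mapping the slide calls out. A real cluster verifies signatures
# against the issuer's JWKS (RS256/ES256); this block mints a constructed HS256
# token so it runs offline. Issuer, audience, key and claim names are assumed.
import base64, hashlib, hmac, json

ISSUER = "https://idp.example.com"      # assumed --oidc-issuer-url
AUDIENCE = "kubernetes"                  # assumed --oidc-client-id
SKEW = 30                                # seconds of tolerated clock skew
DEMO_KEY = b"demo-only-shared-secret"    # constructed HS256 stand-in for JWKS

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint_token(sub, groups, lifetime, now):
    """Constructed issuer: mint a token valid for `lifetime` seconds from `now`."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = _b64url(json.dumps({"iss": ISSUER, "aud": AUDIENCE, "sub": sub,
                                 "groups": groups, "iat": now, "exp": now + lifetime}).encode())
    sig = hmac.new(DEMO_KEY, f"{header}.{claims}".encode(), hashlib.sha256).digest()
    return f"{header}.{claims}.{_b64url(sig)}"

def authenticate(token, now):
    """Return (username, groups) or raise ValueError, as the authenticator would."""
    header, body, sig = token.split(".")
    expected = hmac.new(DEMO_KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body))
    if claims.get("iss") != ISSUER or claims.get("aud") != AUDIENCE:
        raise ValueError("wrong issuer or audience")
    # A bearer token cannot be revoked, so expiry (plus skew) is the only thing
    # bounding a leaked one: check both ends of the validity window.
    if now > claims["exp"] + SKEW:
        raise ValueError("token expired")
    if claims["iat"] > now + SKEW:
        raise ValueError("token issued in the future")
    # Group mapping: the groups claim becomes RBAC Group subjects directly.
    return claims["sub"], list(claims.get("groups", []))

def is_valid(token, now):
    """Boolean wrapper around authenticate() for callers that only need yes/no."""
    try:
        authenticate(token, now)
        return True
    except ValueError:
        return False

def lifetime_ok(token, max_seconds=120):
    """Deck guidance: tokens should live 1-2 minutes; report longer lifetimes."""
    claims = json.loads(_b64url_decode(token.split(".")[1]))
    return claims["exp"] - claims["iat"] <= max_seconds
```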
10. How users access the cluster - Impersonating Proxy
● Reverse proxy authenticates users
● Reverse proxy sends headers with the user’s request to tell the API server who the user is
● Impersonation proxy is responsible for authorizing inbound impersonation
● ServiceAccount for the impersonating proxy is a privileged account
● Important to tie API access back to the original request
● Impersonation Demo

11. How users access the cluster - TokenRequest API
● JWT issued by the API Server
● Intended for identifying workloads to the API Server
● Intended for identifying workloads to external services
● Not meant for use from outside of the cluster
● Demo of a container talking to the API server

12. How users access the cluster - Custom Webhooks
● If you’re not a cloud provider, don’t do it

13. How users access the cluster - RBAC
● How the API server authorizes access
● Two scopes
○ Cluster - Objects that impact everyone
○ Namespaced - Objects that are contained inside of a Namespace
■ Namespaces are Cluster scoped
● Roles/ClusterRoles → Define permissions
● RoleBindings/ClusterRoleBindings → Assign permissions
● Rights are enumerated
● No “negative” rights
● Don’t use “*”
● Bindings - Groups, not Users

14. How users access the cluster - RBAC Aggregate Roles
● Create large Roles & ClusterRoles without maintaining large objects
● Uses labels to assemble a Role/ClusterRole from smaller Roles/ClusterRoles
● Examples are admin, editor
● How to let an admin create a new instance of a CRD
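The two RBAC slides above, as an added example that is not part of the deck: how an aggregated ClusterRole is assembled from labelled pieces (the way to let admins manage a new CRD without editing the large object), plus linters for the two hygiene rules the deck gives, no "*" rights and bindings to Groups rather than Users. All manifests are constructed; "widgets.example.com" is a placeholder API group, while the aggregate-to-admin label is a real Kubernetes label.

```python
# Added example (not from the deck): how a ClusterRole with an aggregationRule
# is assembled from labelled pieces, plus the two RBAC hygiene checks from the
# slides: no "*" rules, and bindings to Groups rather than Users. All manifests
# are constructed for the demo; "widgets.example.com" is a placeholder API group.
AGGREGATE_TO_ADMIN = "rbac.authorization.k8s.io/aggregate-to-admin"  # real K8s label

# The built-in "admin" ClusterRole is label-selected like this; the
# controller-manager fills in "rules" from every matching ClusterRole.
ADMIN_AGGREGATE = {
    "kind": "ClusterRole", "metadata": {"name": "admin"}, "rules": [],
    "aggregationRule": {"clusterRoleSelectors": [{"matchLabels": {AGGREGATE_TO_ADMIN: "true"}}]},
}
# To let namespace admins create instances of a CRD, ship a small labelled
# ClusterRole instead of editing the large aggregate object.
WIDGET_PIECE = {
    "kind": "ClusterRole",
    "metadata": {"name": "widget-editor", "labels": {AGGREGATE_TO_ADMIN: "true"}},
    "rules": [{"apiGroups": ["widgets.example.com"], "resources": ["widgets"],
               "verbs": ["get", "list", "watch", "create", "update", "delete"]}],
}
# Not labelled for aggregation, and an example of what the linter rejects.
WILDCARD_ROLE = {
    "kind": "ClusterRole", "metadata": {"name": "everything", "labels": {"team": "platform"}},
    "rules": [{"apiGroups": [""], "resources": ["*"], "verbs": ["*"]}],
}
USER_BINDING = {
    "kind": "RoleBinding", "metadata": {"name": "dev-admins", "namespace": "dev"},
    "subjects": [{"kind": "User", "name": "alice"}, {"kind": "Group", "name": "k8s-dev-admins"}],
    "roleRef": {"kind": "ClusterRole", "name": "admin"},
}

def aggregate(aggregate_role, cluster_roles):
    """Union the rules of every ClusterRole whose labels satisfy one of the
    aggregationRule's matchLabels selectors (matchExpressions not handled)."""
    selectors = aggregate_role.get("aggregationRule", {}).get("clusterRoleSelectors", [])
    rules = []
    for role in cluster_roles:
        labels = role["metadata"].get("labels", {})
        if any("matchLabels" in sel
               and all(labels.get(k) == v for k, v in sel["matchLabels"].items())
               for sel in selectors):
            rules.extend(role["rules"])
    return rules

def lint_role(role):
    """Rights should be enumerated: flag every rule field that grants '*'."""
    name = role["metadata"]["name"]
    return [f"{name}: rule {i} uses '*' in {field}"
            for i, rule in enumerate(role["rules"])
            for field in ("apiGroups", "resources", "verbs") if "*" in rule.get(field, [])]

def lint_binding(binding):
    """Bind Groups, not Users: flag each User subject."""
    name = binding["metadata"]["name"]
    return [f"{name}: subject {s['name']} is a User; bind a Group instead"
            for s in binding.get("subjects", []) if s.get("kind") == "User"]
```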
15. How pipelines access the cluster
● Don’t use long lived tokens
● Use a local identity to get a short lived token
● SPIRE (project) & SPIFFE (standard)

16. Dashboards
● Centralized
○ Can be secured via reverse proxy and impersonation
○ Should never have a privileged identity
○ Rely on the user’s identity
● Local
○ Uses the user’s kubectl configuration
○ Opens a local port on loop-back with no TLS or authentication

17. NetworkPolicies
● “Firewalls” of the cluster
● Control both inbound and outbound traffic
● Dependent on CNI implementation
● Not on by default
● Important to add
● Demo of network policy

18. Secrets
● Stored in etcd as a base64 encoded string
○ Encoded to preserve binary data
● Threat model your Secrets
○ Plain Kubernetes Secrets are Fine - https://bit.ly/3K1nEcU
● Externalize Secrets
○ Mount directly to Pods
○ Synchronize Secrets
● DON’T EVER STORE SECRETS IN GIT OR HELM, EVEN WHEN ENCRYPTED

19. Node Security
● Don’t run containers as root
○ Unless you need to run a container as root
○ Init containers
● Limit, or drop all, capabilities
● You don’t need a port under 1024
● Admission Controller Webhooks - Enforce rules
● Mutating Webhooks - Enable sane defaults
● Common Tools
○ Pod Security Standards
○ OPA/Gatekeeper
○ Kyverno
○ jsPolicy

20. Defense-in-depth
● Don’t rely on a single layer
● Strong Identity + RBAC + Policy Enforcement
● Multi-factor Authentication
● Short lived tokens
● Self Service

21. Multitenancy
● Better utilization of resources
● Manage sprawl
● “Something” needs to be multitenant
● Self Service
● Combination of all of the above
● Virtual clusters

22. Part II

23. How Your Application Can Be A Security Risk
● ServiceAccount token mounted to your Pod
● RCE from an app can lead to access to your Pod’s tokens
● Lack of sane defaults and policies leads to a container breakout
● Leaking bearer tokens
● Debug tools
○ “Distroless” containers
○ Ephemeral Containers

24. Basics of a Secure Image
● Switch from root
● Assume no Linux userid
● Write only to volumes
○ emptyDir for “scratch space”
● Rebuild often
● Be mindful of where you get base images from
● Take contracts and policies into consideration
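The Node Security, application-risk and Secure Image slides above, as an added example that is not part of the deck: the checks an admission webhook would apply to a Pod spec for the points they list (non-root, dropped capabilities, no low ports, read-only root with emptyDir scratch space, no ServiceAccount token mounted), run against a constructed default Pod and a constructed hardened one.

```python
# Added example (not from the deck): the checks an admission webhook would
# apply to a Pod for the points on the Node Security, application-risk and
# Secure Image slides. Both Pod manifests are constructed for the demo.

def check_pod(pod):
    """Return a list of findings for one Pod manifest in dict form."""
    findings = []
    spec = pod["spec"]
    pod_sc = spec.get("securityContext", {})
    # Slide 23: the ServiceAccount token is mounted by default, so an RCE in
    # the app hands the attacker API credentials. Opt out unless it is needed.
    if spec.get("automountServiceAccountToken", True):
        findings.append("pod: automountServiceAccountToken is not false")
    containers = ([(c, False) for c in spec.get("containers", [])]
                  + [(c, True) for c in spec.get("initContainers", [])])
    for c, is_init in containers:
        name, sc = c["name"], c.get("securityContext", {})
        # Slides 19/24: don't run as root and don't assume the image has a
        # Linux userid. Init containers are the deck's allowed exception.
        non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot", False))
        uid = sc.get("runAsUser", pod_sc.get("runAsUser"))
        if not is_init and not non_root and uid in (None, 0):
            findings.append(f"{name}: may run as root (set runAsNonRoot or runAsUser)")
        # Slide 19: limit, or drop all, capabilities.
        if "ALL" not in sc.get("capabilities", {}).get("drop", []):
            findings.append(f"{name}: capabilities not dropped (drop: [ALL])")
        # Slide 19: you don't need a port under 1024.
        for p in c.get("ports", []):
            if p.get("containerPort", 65535) < 1024:
                findings.append(f"{name}: containerPort {p['containerPort']} is below 1024")
        # Slide 24: write only to volumes; the root filesystem stays read-only.
        if not sc.get("readOnlyRootFilesystem", False):
            findings.append(f"{name}: root filesystem is writable")
    return findings

# Defaults only: everything the slides warn about.
WEAK_POD = {"kind": "Pod", "metadata": {"name": "web"}, "spec": {"containers": [
    {"name": "web", "image": "example/web:1.0", "ports": [{"containerPort": 80}]}]}}

# Hardened: non-root UID, no capabilities, read-only root with an emptyDir
# for scratch space, high port, no API token mounted.
HARDENED_POD = {"kind": "Pod", "metadata": {"name": "web"}, "spec": {
    "automountServiceAccountToken": False,
    "securityContext": {"runAsNonRoot": True, "runAsUser": 10001},
    "volumes": [{"name": "scratch", "emptyDir": {}}],
    "containers": [{
        "name": "web", "image": "example/web:1.0", "ports": [{"containerPort": 8080}],
        "securityContext": {"readOnlyRootFilesystem": True, "allowPrivilegeEscalation": False,
                            "capabilities": {"drop": ["ALL"]}},
        "volumeMounts": [{"name": "scratch", "mountPath": "/tmp"}]}]}}
```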
25. Software Bill of Materials
● Multiple standards
● Stored with containers
● Signed?

26. Farm-to-table Supply Chain Security
(diagram: Container registry, Proof)

27. Farm-to-table Supply Chain Security
(diagram: Test Lab, Build Infrastructure)

28. Connect with us
● Web - https://openunison.github.io / http://tremolo.io
● Twitter - @tremolosecurity / @mlbiam
● Mastodon - @mlbiam@fosstodon.org / @tremolo@hachyderm.io
● GitHub - http://github.com/tremolosecurity/ / http://github.com/openunison/