Liz Rice The latest Kubernetes version provides many security-related enhancements and controls, but it is far from being secure by default. Kubernetes is a complex orchestration platform with many different implementations, across multi-cloud/hybrid environments. Configuring it to comply with security best practices and specific security requires time and expertise that most organizations don’t possess. Aqua’s open source tools arm Kubernetes administrators and developers with an easy way to identify weaknesses in their deployments so that they can address those issues before they are exploited by attackers. During this presentation, we’ll review how these open source tools offer preventive security for Kubernetes: Kube-Bench: checks a Kubernetes cluster against 100+ checks documented in the CIS Kubernetes Benchmark. Kube-Hunter: conducts penetration tests against Kubernetes clusters that hunt for exploitable vulnerabilities and misconfiguration - both from outside the cluster as well as inside it (running as a pod)

1. © 2018-19 Aqua Security Software Ltd., All Rights Reserved
Preventative Security for
Kubernetes
Liz Rice
@lizrice | @aquasecteam

2. @lizrice
Agenda
■ Kubernetes configuration for security
■ CIS benchmarks – testing the configuration
■ Penetration testing – testing for vulnerabilities

3. 3
Authored by Liz Rice from Aqua Security and Michael Hausenblas from Red
Hat
https://info.aquasec.com/kubernetes-security

4. @lizrice
▪ Secure the CI/CD pipeline
▪ “Shift left” security, fix
issues early and fast
▪ Accelerate app delivery
with security automation
Aqua: our approach
▪ Enforce immutability –
no patching, no drift
▪ Whitelist good behavior,
preventing anomalies
▪ Prevent lateral movement
▪ Secure apps regardless of
platform, cloud, or OS
▪ Enable hybrid cloud and
cloud migration
▪ Avoid cloud lock-in and
security reconfiguration
Automate
DevSecOps
Modernize security
through containers
Secure once,
run anywhere

5. @lizrice
Create
software
Build Deploy
Code
quality
Security
testing
Vulnerability
scanning
Image
policies
Runtime
protection
Artifacts free of security defects Only expected
code & config
Detect anomalous
behaviour
Host
configuration
Automating Security at Every Stage

6. @lizrice
Kubernetes Host Configuration

7. @lizrice
■ Kubernetes components installed on your servers
■ Master & node components
■ Many configuration settings have a security impact
■ Example: open Kubelet port = root access
■ Defaults depend on the installer
Kubernetes configuration
What config settings
should I use?

8. @lizrice
CIS Kubernetes Benchmark

9. @lizrice
■ Open source automated tests for CIS Kubernetes Benchmark
■ Tests for Kubernetes Masters and Nodes
■ Available as a container
kube-bench
github.com/aquasecurity/kube-bench

10. @lizrice

11. @lizrice
■ Job configuration YAML
■ Run regularly to ensure no configuration drift
■ Tests defined in YAML
■ Released code follows the CIS Benchmark
■ Modify for your own purposes
kube-bench
github.com/aquasecurity/kube-bench

12. @lizrice
■ Built into the Aqua CSP
■ Provides a scored
report of the results
■ Can be scheduled to
run daily
Kubernetes & Docker CIS Benchmarks

13. @lizrice
Kubernetes penetration testing

14. @lizrice
■ Open source penetration tests for Kubernetes
■ See what an attacker would see
■ github.com/aquasecurity/kube-hunter
■ Online report viewer
■ kube-hunter.aquasec.com
kube-hunter
How do I know the
config is working to
secure my cluster?

15. @lizrice
kube-hunter.aquasec.com

16. 16

17. 17

18. @lizrice
kube-hunter with kube-bench

19. 19

20. 20

21. 21

22. @lizrice
kube-hunter inside a pod

23. @lizrice
Kubernetes cluster
pod
kube-hunter inside a pod
What if my app gets
compromised?
token
API server

24. @lizrice
■ Results depend on RBAC settings
■ and the service account you use for the pod
kube-hunter inside a pod
What if my app gets
compromised?

25. © 2018-19 Aqua Security Software Ltd., All Rights Reserved
github.com/aquasecurity/kube-bench
github.com/aquasecurity/kube-hunter
@lizrice | @aquasecteam