SlideShare a Scribd company logo

Control Plane: Continuous Kubernetes Security (DevSecOps - London Gathering, January 2019)

M
Michael Man

A look at historical Kubernetes breaches, the high level security primitives, and an overview of multi-tenancy models in Kubernetes.

Technology
1 of 79
Download to read offline
Continuous Kubernetes Security @sublimino and @controlplaneio
I’m: - Andy - Dev-like - Sec-ish - Ops-y
Common Pwns
https://github.com/kayrus/kubelet-exploit
Security vs Features
No RBAC Attacking Kubernetes - Dino Dai Zovi, Capsule8
No Workload Security Building for Trust: How to Secure Your Kubernetes Cluster [I] - Alexander Mohr & Jess Frazelle
No Security - Cluster Edition Hacking and Hardening Kubernetes Clusters by Example - Brad Geesaman, Symantec
Helm Exploring The Security Of Helm / Using SSL Between Helm and Tiller
Unsecured Dashboard - Tesla Lessons from the Cryptojacking Attack at Tesla - RedLock CSI Team
CVE-2017-1002101 - subpath volume mount handling allows arbitrary file access in host filesystem #60813
CVE-2018-1002105: proxy request handling in kube-apiserver can leave vulnerable TCP connections #71411
Is this Kubernetes cluster secure?
The Kubernetes Control Plane
Nodes Master Node 3 OS Container Runtime Kubelet Networking Node 2 OS Container Runtime Kubelet Networking Node 1 OS Container Runtime Kubelet Networking API Server (REST API) Controller Manager (Controller Loops) Scheduler (Bind Pod to Node) etcd (key-value DB, SSOT) User Legend: CNI CRI OCI Protobuf gRPC JSON By Lucas Käldström
Minimum Viable Security TLS Everywhere Note that some components and installation methods may enable local ports over HTTP and administrators should familiarize themselves with the settings of each component to identify potentially unsecured traffic. https://kubernetes.io/docs/tasks/administer-cluster/securing-a-cluster/#use-transpo rt-level-security-tls-for-all-api-traffic
Bootstrapping TLS https://medium.com/@toddrosner/kubernetes-tls-bootstrapping-cf203776abc7
Enable RBAC RBAC Support in Kubernetes (stable v1.8)
External Auth to API Server (e.g. via kubectl) ● https://github.com/coreos/dex - OpenID Connect Identity (OIDC) and OAuth 2.0 provider with pluggable connectors ● https://github.com/pusher/k8s-auth-example - OIDC connector ● https://thenewstack.io/kubernetes-single-sign-one-less-identity/ ● https://github.com/negz/kuberos - OIDC authentication helper for kubectl (also https://cloud.google.com/community/tutorials/kubernetes-auth-openid-rbac) ● https://github.com/micahhausler/k8s-oidc-helper - helper tool for authenticating to Kubernetes using Google's OpenID Connect
Disable API server read only port (default: 8080) --insecure-port=0
Disable API server read only port (default: 8080) andy@kube-master:~ [0]# curl localhost:8080/api/v1/secrets?limit=1 { "kind": "SecretList", "apiVersion": "v1", "metadata": {...}, "items": [ { "metadata": { "name": "default-token-dhj8b", "namespace": "default", ... "annotations": { "kubernetes.io/service-account.name": "default", "kubernetes.io/service-account.uid": "a7e874b7-6186-11e8-92ba-4af3186f8390" } }, "data": { "ca.crt": "LS0tLS1CRUdJTiBD...", "namespace": "ZGVmYXVsdA==", "token": "ZXlKaGJHY..." }, "type": "kubernetes.io/service-account-token" } ] }
No system:anonymous role for anonymous user (API server flag) --anonymous-auth=false
No system:anonymous role for anonymous user (API server flag) andy@localhost:~ [0]# curl https://kube-master:6443/version { "major": "1", "minor": "10", "gitVersion": "v1.10.3", "gitCommit": "2bba0127d85d5a46ab4b778548be28623b32d0b0", "gitTreeState": "clean", "buildDate": "2018-05-21T09:05:37Z", "goVersion": "go1.9.3", "compiler": "gc", "platform": "linux/amd64" }
Separate, Firewalled etcd Cluster Implementation details
Rotate keys
Securing Workloads
Containers
Containers ● Namespaces ● cgroups ● seccomp-bpf ● AppArmor / SELinux ● Users ● Capabilities
Pods
Pods apiVersion: v1 kind: Pod metadata: name: nfs-server labels: role: nfs-server spec: containers: - name: nfs-server image: jsafrane/nfs-data securityContext: privileged: true
kubesec.io - risk score for K8S YAML
kubesec.io - example insecure pod { "score": -30, "scoring": { "critical": [{ "selector": "containers[] .securityContext .privileged == true", "reason": "Privileged containers can allow almost completely unrestricted host access" }], "advise": [{ "selector": "containers[] .securityContext .runAsNonRoot == true", "reason": "Force the running image to run as a non-root user to ensure least privilege" }, { "selector": "containers[] .securityContext .capabilities .drop", "reason": "Reducing kernel capabilities available to a container limits its attack surface", "href": "https://kubernetes.io/docs/tasks/configure-pod-container/security-context/" }, ...
PodSecurityPolicies apiVersion: extensions/v1beta1 kind: PodSecurityPolicy metadata: name: restricted annotations: seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default' apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default' seccomp.security.alpha.kubernetes.io/defaultProfileName: 'docker/default' apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default' spec: privileged: false allowPrivilegeEscalation: false # Required to prevent escalations to root. # This is redundant with non-root + disallow privilege escalation, # but we can provide it for defense in depth. requiredDropCapabilities: - ALL # Allow core volume types. volumes: - 'configMap' - 'emptyDir' ... hostNetwork: false hostIPC: false hostPID: false runAsUser: rule: 'MustRunAsNonRoot' # Require the container to run without root privileges. ... https://gist.github.com/tallclair/11981031b6bfa829bb1fb9dcb7e026b0
Resource Linting ● https://kubesec.io/ - calculate “risk” of Kubernetes resource YAML by use of security features ● https://github.com/garethr/kubetest - unit tests for your Kubernetes configurations
Deployments
https://twitter.com/jbeda/status/969351665240305664
Services
Services kind: Service apiVersion: v1 metadata: name: my-service spec: selector: app: MyApp ports: - protocol: TCP port: 443 targetPort: 8443
ServiceAccounts “We recommend you create and use a minimally privileged service account to run your Kubernetes Engine Cluster” https://cloudplatform.googleblog.com/2017/11/precious-cargo-securing-containers- with-Kubernetes-Engine-18.html
API Admission Controllers
Extensible Admission Controllers http://blog.kubernetes.io/2018/01/extensible-admission-is-beta.html
Docs: Recommended Admission Controllers # For versions >= v1.13.0 ● AlwaysPullImages ● DenyEscalatingExec ● DefaultStorageClass (enabled by default) ● DefaultTolerationSeconds (enabled by default) ● EventRateLimit ● LimitRanger (enabled by default) ● MutatingAdmissionWebhook (enabled by default, potentially used to inject sidecar containers or change resource parameters) ● NamespaceExists ● NamespaceLifecycle (enabled by default) https://kubernetes.io/docs/ admin/admission-controllers/ ● NodeRestriction ● OwnerReferencesPermissionEnforcement ● PersistentVolumeClaimResize (enabled by default) ● PodNodeSelector ● PodSecurityPolicy ● PodTolerationRestriction ● Priority (enabled by default) ● Resource Quota (enabled by default) ● Service Account (enabled by default) ● ValidatingAdmissionWebhook (enabled by default, to enforce CI/CD Pipeline security controls) --admission-control=${CONTROLLERS}
Admission Controllers: NodeRestriction limits the Node and Pod objects a kubelet can modify kubelets must use credentials in the system:nodes group, with a username in the form system:node:<nodeName> n.b. Node Authorizer authorization mode required https://kubernetes.io/docs/admin/authorization/node/
NodeRestriction authz plugin: Node Authorizer --authorization-mode=Node A kubelet can not: ● alter the state of resources of any Pod it does not manage ● access Secrets, ConfigMaps or Persistent Volumes / PVCs, unless they are bound to a Pod managed by itself ● alter the state of any Node but the one it is running on https://kubernetes.io/docs/admin/authorization/node/
Admission Controllers: PodSecurityPolicy determines if it should be admitted based on the requested security context and available Pod Security Policies https://github.com/kubernetes/examples/tree/master/staging/podsecuritypolicy/rbac
Admission Controllers: ServiceAccount automation for serviceAccounts if not exist, set: ServiceAccount, ImagePullSecrets, /var/run/secrets/kubernetes.io/serviceaccount volume
Admission Controllers: ValidatingAdmissionWebhook (v1.9 beta) calls validating webhooks in parallel, rejects pod if any fail
Compliance Scanning ● https://github.com/nccgroup/kube-auto-analyzer - review Kubernetes installations against the CIS Kubernetes 1.8 Benchmark ● https://github.com/aquasecurity/kube-bench - test versions of Kubernetes (1.6, 1.7 and 1.8) against CIS Kubernetes 1.0.0, 1.1.0 and 1.2.0 ● https://github.com/heptio/sonobuoy - running a set of Kubernetes conformance tests in an accessible and non-destructive manner ● https://github.com/bgeesaman/sonobuoy-plugin-bulkhead - kube-bench for sonobouy ● https://github.com/bgeesaman/kubeatf - spin up, test, and destroy Kubernetes clusters in a human and CI/CD friendly way
Image Scanning ● https://github.com/coreos/clair ● https://github.com/arminc/clair-local-scan ● https://github.com/optiopay/klar - integration of Clair and Docker Registry ● https://github.com/banyanops/collector ● https://github.com/anchore/anchore-engine
Securing Kubernetes Networking
Kubernetes networking https://medium.com/google-cloud/ understanding-kubernetes-networ king-services-f0cb48e4cc82
NetworkPolicy ● Calico ● Cilium (Learn more about eBPF) ● Kube-router ● Romana ● Weave Net
Kubernetes NetworkPolicy: default deny apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: default-deny spec: podSelector: https://github.com/ahmetb/kube rnetes-network-policy-recipes
Kubernetes NetworkPolicy: default deny apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: default-deny spec: podSelector: - “*” https://github.com/ahmetb/kube rnetes-network-policy-recipes Illegal syntax, but represents what it actually does (effectively a wildcard)
Kubernetes NetworkPolicy https://github.com/ahmetb/kube rnetes-network-policy-recipes apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: foo-deny-external-egress spec: podSelector: matchLabels: app: foo policyTypes: - Egress egress: - ports: - port: 53 protocol: UDP - port: 53 protocol: TCP - to: - namespaceSelector: {}
Kubernetes NetworkPolicy - NO DNS NAMES https://github.com/kubernetes/kubernetes/issues/56901
Kubernetes NetworkPolicy - ILLEGAL! https://github.com/ahmetb/kube rnetes-network-policy-recipes apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: foo-deny-external-egress spec: podSelector: dnsName: control-plane.io policyTypes: - Egress egress: - ports: - port: 53 protocol: UDP - port: 53 protocol: TCP - to: - namespaceSelector: {} ILLEGAL! NOT ALLOWED!
http://blog.christianposta.com/istio-workshop/
netassert - cloud native network testing ● netassert - network security testing for DevSecOps workflows https://github.com/controlplaneio/netassert host: localhost: bitbucket.com: - 22 control-plane.io: github.com: - 22
netassert - cloud native network testing k8s: # used for Kubernetes pods deployment: # only deployments currently supported test-frontend: # pod name, defaults to `default` namespace test-microservice: 80 # `test-microservice` is the DNS name of the target service test-database: -80 # should not be able to access port 80 of `test-database` new-namespace:test-microservice: # `new-namespace` is the namespace name test-database.new-namespace: 80 # longer DNS names can be used for other namespaces test-frontend.default: 80 default:test-database: test-frontend.default.svc.cluster.local: 80 # full DNS names can be used test-microservice.default.svc.cluster.local: -80 control-plane.io: 443 # we can check remote services too https://github.com/controlplaneio/netassert
Multi Tenancy Principles
Secure Hosts ● Minimal attack surface ○ CoreOS (RIP), forked as FlatCar Linux- https://coreos.com/ and https://kinvolk.io/ ○ Red Hat Atomic - https://www.redhat.com/en/resources/enterprise-linux-atomic-host-datasheet ○ Ubuntu Core - https://www.ubuntu.com/core ○ Container-Optimized OS from Google - https://cloud.google.com/container-optimized-os/docs/ ● Security extensions enabled, configured, and monitored ● Immutable infrastructure ● Group nodes by type, usage, and/or security level
Proxy to Metadata APIs ● https://github.com/uswitch/kiam - allows cluster users to associate IAM roles to Pods ● https://github.com/jtblin/kube2iam - provides different AWS IAM roles for pods running on Kubernetes ● https://github.com/heptio/authenticator - allow AWS IAM credentials to authenticate to a Kubernetes cluster ● https://github.com/GoogleCloudPlatform/k8s-metadata-proxy - a simple proxy for serving concealed metadata to container workloads
MULTI TENANCY: Soft
MULTI TENANCY: Soft ● Isolate by namespace ○ Don't forget the default NetworkPolicy and PodSecurityPolicy ○ Assign limits to the namespace with LimitRanges https://kubernetes.io/docs/tasks/administer-cluster/memory-default-namespace/ ● Separate dev/test from production ● Image scanning ○ Private registry and build artefacts/supply chain
MULTI TENANCY: Soft ● Policed, scanned, compliant base images, stored within organisation ○ Minimal attack surface ○ FROM scratch if possible ● Deploy Admission Controllers, PodSecurityPolicy, etc ● Everything as code ○ https://www.weave.works/blog/gitops-operations-by-pull-request
MULTI TENANCY: Hard
MULTI TENANCY: Hard ● All users untrusted, potentially malicious ○ Comfortable running code from multiple third parties, with the potential for malice that implies, in the same cluster ● Only co-tenant along your existing security boundaries ● Segregate logically by application type, security level, and/or physically by project/account ● Separate node pools for different tenants
MULTI TENANCY: Hard ● This may not look a lot like hard multitenancy? ○ It's still running a centralised control plane ● Run kubedns in a sidecar to restrict DNS leakage ● Mixed vm and container workload ○ Dan Walsh nailed it ○ "glasshouse VMs" ● Defence in depth ● Remote logging
MULTI TENANCY: Hard https://www.weave.works/blog/container-security-with-dan-walsh-redhat
Persisting Configuration: Continuous Security
Continuous Security
Continuous Infra Security ● The system can continually self-validate ● Test pipelines are more robust ● Highly skilled penetration testers are free to focus on the “high-hanging fruit”
Conclusion ● The brave new world of Kubernetes increases attack surface and potential for misconfiguration ● Lots of new security primitives are landing ● The only way to iterate quickly is: supported by a test suite ● Security testing keeps you young

Recommended

Chris Rutter: Avoiding The Security Brick
Chris Rutter: Avoiding The Security BrickChris Rutter: Avoiding The Security Brick
Chris Rutter: Avoiding The Security BrickMichael Man
 
Control Plane: Security Rationale for Istio (DevSecOps - London Gathering, Ja...
Control Plane: Security Rationale for Istio (DevSecOps - London Gathering, Ja...Control Plane: Security Rationale for Istio (DevSecOps - London Gathering, Ja...
Control Plane: Security Rationale for Istio (DevSecOps - London Gathering, Ja...Michael Man
 
DevOpsDaysRiga 2018: Andrew Martin - Continuous Kubernetes Security
DevOpsDaysRiga 2018: Andrew Martin - Continuous Kubernetes Security DevOpsDaysRiga 2018: Andrew Martin - Continuous Kubernetes Security
DevOpsDaysRiga 2018: Andrew Martin - Continuous Kubernetes Security DevOpsDays Riga
 
Kubernetes Security
Kubernetes SecurityKubernetes Security
Kubernetes Securityinovex GmbH
 
Kubernetes - Security Journey
Kubernetes - Security JourneyKubernetes - Security Journey
Kubernetes - Security JourneyJerry Jalava
 
Kubernetes - security you need to know about it
Kubernetes - security you need to know about itKubernetes - security you need to know about it
Kubernetes - security you need to know about itHaydn Johnson
 
KVM_security
KVM_securityKVM_security
KVM_securityFrank Caviggia
 
User authentication and authorizarion in Kubernetes
User authentication and authorizarion in KubernetesUser authentication and authorizarion in Kubernetes
User authentication and authorizarion in KubernetesNeependra Khare
 

Recommended

Chris Rutter: Avoiding The Security Brick
Chris Rutter: Avoiding The Security BrickChris Rutter: Avoiding The Security Brick
Chris Rutter: Avoiding The Security BrickMichael Man
 
Control Plane: Security Rationale for Istio (DevSecOps - London Gathering, Ja...
Control Plane: Security Rationale for Istio (DevSecOps - London Gathering, Ja...Control Plane: Security Rationale for Istio (DevSecOps - London Gathering, Ja...
Control Plane: Security Rationale for Istio (DevSecOps - London Gathering, Ja...Michael Man
 
DevOpsDaysRiga 2018: Andrew Martin - Continuous Kubernetes Security
DevOpsDaysRiga 2018: Andrew Martin - Continuous Kubernetes Security DevOpsDaysRiga 2018: Andrew Martin - Continuous Kubernetes Security
DevOpsDaysRiga 2018: Andrew Martin - Continuous Kubernetes Security DevOpsDays Riga
 
Kubernetes Security
Kubernetes SecurityKubernetes Security
Kubernetes Securityinovex GmbH
 
Kubernetes - Security Journey
Kubernetes - Security JourneyKubernetes - Security Journey
Kubernetes - Security JourneyJerry Jalava
 
Kubernetes - security you need to know about it
Kubernetes - security you need to know about itKubernetes - security you need to know about it
Kubernetes - security you need to know about itHaydn Johnson
 
KVM_security
KVM_securityKVM_security
KVM_securityFrank Caviggia
 
User authentication and authorizarion in Kubernetes
User authentication and authorizarion in KubernetesUser authentication and authorizarion in Kubernetes
User authentication and authorizarion in KubernetesNeependra Khare
 
OpenShift & SELinux with Dan Walsh @rhatdan
OpenShift & SELinux with Dan Walsh @rhatdanOpenShift & SELinux with Dan Walsh @rhatdan
OpenShift & SELinux with Dan Walsh @rhatdanOpenShift Origin
 
Istio Cloud Native Online Series - Intro to Istio Security
Istio Cloud Native Online Series - Intro to Istio SecurityIstio Cloud Native Online Series - Intro to Istio Security
Istio Cloud Native Online Series - Intro to Istio SecurityMatt Baldwin
 
Hug #9 who's keeping your secrets
Hug #9 who's keeping your secretsHug #9 who's keeping your secrets
Hug #9 who's keeping your secretsCameron More
 
Securing Network Access with Open Source solutions
Securing Network Access with Open Source solutionsSecuring Network Access with Open Source solutions
Securing Network Access with Open Source solutionsNick Owen
 
Kubernetes 101 for_penetration_testers_-_null_mumbai
Kubernetes 101 for_penetration_testers_-_null_mumbaiKubernetes 101 for_penetration_testers_-_null_mumbai
Kubernetes 101 for_penetration_testers_-_null_mumbain|u - The Open Security Community
 
Cloud networking deep dive
Cloud networking deep diveCloud networking deep dive
Cloud networking deep diveamylynn11
 
London HUG 19/5 - Kubernetes and vault
London HUG 19/5 - Kubernetes and vaultLondon HUG 19/5 - Kubernetes and vault
London HUG 19/5 - Kubernetes and vaultLondon HashiCorp User Group
 
From pets to cattle - powered by CoreOS, docker, Mesos & nginx
From pets to cattle - powered by CoreOS, docker, Mesos & nginxFrom pets to cattle - powered by CoreOS, docker, Mesos & nginx
From pets to cattle - powered by CoreOS, docker, Mesos & nginxQAware GmbH
 
Istio Playground
Istio PlaygroundIstio Playground
Istio PlaygroundQAware GmbH
 
JEE on DC/OS
JEE on DC/OSJEE on DC/OS
JEE on DC/OSJosef Adersberger
 
Container secrets talk from DevSecCon
Container secrets talk from DevSecConContainer secrets talk from DevSecCon
Container secrets talk from DevSecConLiz Rice
 
[2019.1] 하이퍼레저 패브릭 v1.3, v1.4 새로운 기능
[2019.1] 하이퍼레저 패브릭 v1.3, v1.4 새로운 기능[2019.1] 하이퍼레저 패브릭 v1.3, v1.4 새로운 기능
[2019.1] 하이퍼레저 패브릭 v1.3, v1.4 새로운 기능Hyperledger Korea User Group
 
HashiTLS Demystifying Security Certs
HashiTLS Demystifying Security CertsHashiTLS Demystifying Security Certs
HashiTLS Demystifying Security CertsMitchell Pronschinske
 
Your (container) secret's safe with me
Your (container) secret's safe with me Your (container) secret's safe with me
Your (container) secret's safe with me Liz Rice
 
Project kuryr returns: Docker delivered, Kubernetes Next
Project kuryr returns: Docker delivered, Kubernetes NextProject kuryr returns: Docker delivered, Kubernetes Next
Project kuryr returns: Docker delivered, Kubernetes NextAntoni Segura Puimedon
 
Microservices with Micronaut
Microservices with MicronautMicroservices with Micronaut
Microservices with MicronautQAware GmbH
 
Your secret's safe with me
Your secret's safe with meYour secret's safe with me
Your secret's safe with meLiz Rice
 
MongoDB.local Austin 2018: MongoDB Ops Manager + Kubernetes
MongoDB.local Austin 2018: MongoDB Ops Manager + KubernetesMongoDB.local Austin 2018: MongoDB Ops Manager + Kubernetes
MongoDB.local Austin 2018: MongoDB Ops Manager + KubernetesMongoDB
 
Container Runtime Security with Falco
Container Runtime Security with FalcoContainer Runtime Security with Falco
Container Runtime Security with FalcoMichael Ducy
 
ModSecurity 3.0 and NGINX: Getting Started
ModSecurity 3.0 and NGINX: Getting StartedModSecurity 3.0 and NGINX: Getting Started
ModSecurity 3.0 and NGINX: Getting StartedNGINX, Inc.
 
DCEU 18: Docker Container Networking
DCEU 18: Docker Container NetworkingDCEU 18: Docker Container Networking
DCEU 18: Docker Container NetworkingDocker, Inc.
 
Evolution of security strategies in K8s environments.pdf
Evolution of security strategies in K8s environments.pdfEvolution of security strategies in K8s environments.pdf
Evolution of security strategies in K8s environments.pdfJose Manuel Ortega Candel
 

More Related Content

What's hot

OpenShift & SELinux with Dan Walsh @rhatdan
OpenShift & SELinux with Dan Walsh @rhatdanOpenShift & SELinux with Dan Walsh @rhatdan
OpenShift & SELinux with Dan Walsh @rhatdanOpenShift Origin
 
Istio Cloud Native Online Series - Intro to Istio Security
Istio Cloud Native Online Series - Intro to Istio SecurityIstio Cloud Native Online Series - Intro to Istio Security
Istio Cloud Native Online Series - Intro to Istio SecurityMatt Baldwin
 
Hug #9 who's keeping your secrets
Hug #9 who's keeping your secretsHug #9 who's keeping your secrets
Hug #9 who's keeping your secretsCameron More
 
Securing Network Access with Open Source solutions
Securing Network Access with Open Source solutionsSecuring Network Access with Open Source solutions
Securing Network Access with Open Source solutionsNick Owen
 
Cloud networking deep dive
Cloud networking deep diveCloud networking deep dive
Cloud networking deep diveamylynn11
 
From pets to cattle - powered by CoreOS, docker, Mesos & nginx
From pets to cattle - powered by CoreOS, docker, Mesos & nginxFrom pets to cattle - powered by CoreOS, docker, Mesos & nginx
From pets to cattle - powered by CoreOS, docker, Mesos & nginxQAware GmbH
 
Istio Playground
Istio PlaygroundIstio Playground
Istio PlaygroundQAware GmbH
 
Container secrets talk from DevSecCon
Container secrets talk from DevSecConContainer secrets talk from DevSecCon
Container secrets talk from DevSecConLiz Rice
 
[2019.1] 하이퍼레저 패브릭 v1.3, v1.4 새로운 기능
[2019.1] 하이퍼레저 패브릭 v1.3, v1.4 새로운 기능[2019.1] 하이퍼레저 패브릭 v1.3, v1.4 새로운 기능
[2019.1] 하이퍼레저 패브릭 v1.3, v1.4 새로운 기능Hyperledger Korea User Group
 
HashiTLS Demystifying Security Certs
HashiTLS Demystifying Security CertsHashiTLS Demystifying Security Certs
HashiTLS Demystifying Security CertsMitchell Pronschinske
 
Your (container) secret's safe with me
Your (container) secret's safe with me Your (container) secret's safe with me
Your (container) secret's safe with me Liz Rice
 
Project kuryr returns: Docker delivered, Kubernetes Next
Project kuryr returns: Docker delivered, Kubernetes NextProject kuryr returns: Docker delivered, Kubernetes Next
Project kuryr returns: Docker delivered, Kubernetes NextAntoni Segura Puimedon
 
Microservices with Micronaut
Microservices with MicronautMicroservices with Micronaut
Microservices with MicronautQAware GmbH
 
Your secret's safe with me
Your secret's safe with meYour secret's safe with me
Your secret's safe with meLiz Rice
 
MongoDB.local Austin 2018: MongoDB Ops Manager + Kubernetes
MongoDB.local Austin 2018: MongoDB Ops Manager + KubernetesMongoDB.local Austin 2018: MongoDB Ops Manager + Kubernetes
MongoDB.local Austin 2018: MongoDB Ops Manager + KubernetesMongoDB
 
Container Runtime Security with Falco
Container Runtime Security with FalcoContainer Runtime Security with Falco
Container Runtime Security with FalcoMichael Ducy
 
ModSecurity 3.0 and NGINX: Getting Started
ModSecurity 3.0 and NGINX: Getting StartedModSecurity 3.0 and NGINX: Getting Started
ModSecurity 3.0 and NGINX: Getting StartedNGINX, Inc.
 

What's hot (20)

OpenShift & SELinux with Dan Walsh @rhatdan
OpenShift & SELinux with Dan Walsh @rhatdanOpenShift & SELinux with Dan Walsh @rhatdan
OpenShift & SELinux with Dan Walsh @rhatdan
 
Istio Cloud Native Online Series - Intro to Istio Security
Istio Cloud Native Online Series - Intro to Istio SecurityIstio Cloud Native Online Series - Intro to Istio Security
Istio Cloud Native Online Series - Intro to Istio Security
 
Hug #9 who's keeping your secrets
Hug #9 who's keeping your secretsHug #9 who's keeping your secrets
Hug #9 who's keeping your secrets
 
Securing Network Access with Open Source solutions
Securing Network Access with Open Source solutionsSecuring Network Access with Open Source solutions
Securing Network Access with Open Source solutions
 
Kubernetes 101 for_penetration_testers_-_null_mumbai
Kubernetes 101 for_penetration_testers_-_null_mumbaiKubernetes 101 for_penetration_testers_-_null_mumbai
Kubernetes 101 for_penetration_testers_-_null_mumbai
 
Cloud networking deep dive
Cloud networking deep diveCloud networking deep dive
Cloud networking deep dive
 
London HUG 19/5 - Kubernetes and vault
London HUG 19/5 - Kubernetes and vaultLondon HUG 19/5 - Kubernetes and vault
London HUG 19/5 - Kubernetes and vault
 
From pets to cattle - powered by CoreOS, docker, Mesos & nginx
From pets to cattle - powered by CoreOS, docker, Mesos & nginxFrom pets to cattle - powered by CoreOS, docker, Mesos & nginx
From pets to cattle - powered by CoreOS, docker, Mesos & nginx
 
Istio Playground
Istio PlaygroundIstio Playground
Istio Playground
 
JEE on DC/OS
JEE on DC/OSJEE on DC/OS
JEE on DC/OS
 
Container secrets talk from DevSecCon
Container secrets talk from DevSecConContainer secrets talk from DevSecCon
Container secrets talk from DevSecCon
 
[2019.1] 하이퍼레저 패브릭 v1.3, v1.4 새로운 기능
[2019.1] 하이퍼레저 패브릭 v1.3, v1.4 새로운 기능[2019.1] 하이퍼레저 패브릭 v1.3, v1.4 새로운 기능
[2019.1] 하이퍼레저 패브릭 v1.3, v1.4 새로운 기능
 
HashiTLS Demystifying Security Certs
HashiTLS Demystifying Security CertsHashiTLS Demystifying Security Certs
HashiTLS Demystifying Security Certs
 
Your (container) secret's safe with me
Your (container) secret's safe with me Your (container) secret's safe with me
Your (container) secret's safe with me
 
Project kuryr returns: Docker delivered, Kubernetes Next
Project kuryr returns: Docker delivered, Kubernetes NextProject kuryr returns: Docker delivered, Kubernetes Next
Project kuryr returns: Docker delivered, Kubernetes Next
 
Microservices with Micronaut
Microservices with MicronautMicroservices with Micronaut
Microservices with Micronaut
 
Your secret's safe with me
Your secret's safe with meYour secret's safe with me
Your secret's safe with me
 
MongoDB.local Austin 2018: MongoDB Ops Manager + Kubernetes
MongoDB.local Austin 2018: MongoDB Ops Manager + KubernetesMongoDB.local Austin 2018: MongoDB Ops Manager + Kubernetes
MongoDB.local Austin 2018: MongoDB Ops Manager + Kubernetes
 
Container Runtime Security with Falco
Container Runtime Security with FalcoContainer Runtime Security with Falco
Container Runtime Security with Falco
 
ModSecurity 3.0 and NGINX: Getting Started
ModSecurity 3.0 and NGINX: Getting StartedModSecurity 3.0 and NGINX: Getting Started
ModSecurity 3.0 and NGINX: Getting Started
 

Similar to Control Plane: Continuous Kubernetes Security (DevSecOps - London Gathering, January 2019)

DCEU 18: Docker Container Networking
DCEU 18: Docker Container NetworkingDCEU 18: Docker Container Networking
DCEU 18: Docker Container NetworkingDocker, Inc.
 
Evolution of security strategies in K8s environments.pdf
Evolution of security strategies in K8s environments.pdfEvolution of security strategies in K8s environments.pdf
Evolution of security strategies in K8s environments.pdfJose Manuel Ortega Candel
 
Build Your Own CaaS (Container as a Service)
Build Your Own CaaS (Container as a Service)Build Your Own CaaS (Container as a Service)
Build Your Own CaaS (Container as a Service)HungWei Chiu
 
网易云K8S应用实践 | practices for kubernetes cluster provisioning, management and ap...
网易云K8S应用实践 | practices for kubernetes cluster provisioning, management and ap...网易云K8S应用实践 | practices for kubernetes cluster provisioning, management and ap...
网易云K8S应用实践 | practices for kubernetes cluster provisioning, management and ap...Xiaohui Chen
 
Security on a Container Platform
Security on a Container PlatformSecurity on a Container Platform
Security on a Container PlatformAll Things Open
 
Kubernetes - Why It's Cool & Why It Maaters
Kubernetes - Why It's Cool & Why It MaatersKubernetes - Why It's Cool & Why It Maaters
Kubernetes - Why It's Cool & Why It MaatersBob Reselman
 
Top 3 reasons why you should run your Enterprise workloads on GKE
Top 3 reasons why you should run your Enterprise workloads on GKETop 3 reasons why you should run your Enterprise workloads on GKE
Top 3 reasons why you should run your Enterprise workloads on GKESreenivas Makam
 
Continuous Security: From tins to containers - now what!
Continuous Security: From tins to containers - now what!Continuous Security: From tins to containers - now what!
Continuous Security: From tins to containers - now what!Michael Man
 
Cloud orchestration risks
Cloud orchestration risksCloud orchestration risks
Cloud orchestration risksGlib Pakharenko
 
Kubered -Recipes for C2 Operations on Kubernetes
Kubered -Recipes for C2 Operations on KubernetesKubered -Recipes for C2 Operations on Kubernetes
Kubered -Recipes for C2 Operations on KubernetesJeffrey Holden
 
Lines of Defense - Securing your Kubernetes Clusters by Koray Oksay
Lines of Defense - Securing your Kubernetes Clusters by Koray OksayLines of Defense - Securing your Kubernetes Clusters by Koray Oksay
Lines of Defense - Securing your Kubernetes Clusters by Koray OksayContainerDay Security 2023
 
Kubernetes - Sailing a Sea of Containers
Kubernetes - Sailing a Sea of ContainersKubernetes - Sailing a Sea of Containers
Kubernetes - Sailing a Sea of ContainersKel Cecil
 
Container & kubernetes
Container & kubernetesContainer & kubernetes
Container & kubernetesTed Jung
 
Digital Forensics and Incident Response in The Cloud Part 3
Digital Forensics and Incident Response in The Cloud Part 3Digital Forensics and Incident Response in The Cloud Part 3
Digital Forensics and Incident Response in The Cloud Part 3Velocidex Enterprises
 
Introduction to kubernetes
Introduction to kubernetesIntroduction to kubernetes
Introduction to kubernetesRishabh Indoria
 
Container security
Container securityContainer security
Container securityAnthony Chow
 
Assisted-Installer-DevConf-US-2021
Assisted-Installer-DevConf-US-2021Assisted-Installer-DevConf-US-2021
Assisted-Installer-DevConf-US-2021Nir Magnezi
 

Similar to Control Plane: Continuous Kubernetes Security (DevSecOps - London Gathering, January 2019) (20)

DCEU 18: Docker Container Networking
DCEU 18: Docker Container NetworkingDCEU 18: Docker Container Networking
DCEU 18: Docker Container Networking
 
Evolution of security strategies in K8s environments.pdf
Evolution of security strategies in K8s environments.pdfEvolution of security strategies in K8s environments.pdf
Evolution of security strategies in K8s environments.pdf
 
Build Your Own CaaS (Container as a Service)
Build Your Own CaaS (Container as a Service)Build Your Own CaaS (Container as a Service)
Build Your Own CaaS (Container as a Service)
 
网易云K8S应用实践 | practices for kubernetes cluster provisioning, management and ap...
网易云K8S应用实践 | practices for kubernetes cluster provisioning, management and ap...网易云K8S应用实践 | practices for kubernetes cluster provisioning, management and ap...
网易云K8S应用实践 | practices for kubernetes cluster provisioning, management and ap...
 
Kubernetes security
Kubernetes securityKubernetes security
Kubernetes security
 
Security on a Container Platform
Security on a Container PlatformSecurity on a Container Platform
Security on a Container Platform
 
Kubernetes - Why It's Cool & Why It Maaters
Kubernetes - Why It's Cool & Why It MaatersKubernetes - Why It's Cool & Why It Maaters
Kubernetes - Why It's Cool & Why It Maaters
 
Top 3 reasons why you should run your Enterprise workloads on GKE
Top 3 reasons why you should run your Enterprise workloads on GKETop 3 reasons why you should run your Enterprise workloads on GKE
Top 3 reasons why you should run your Enterprise workloads on GKE
 
Continuous Security: From tins to containers - now what!
Continuous Security: From tins to containers - now what!Continuous Security: From tins to containers - now what!
Continuous Security: From tins to containers - now what!
 
Cloud orchestration risks
Cloud orchestration risksCloud orchestration risks
Cloud orchestration risks
 
Dockers zero to hero
Dockers zero to heroDockers zero to hero
Dockers zero to hero
 
Kubered -Recipes for C2 Operations on Kubernetes
Kubered -Recipes for C2 Operations on KubernetesKubered -Recipes for C2 Operations on Kubernetes
Kubered -Recipes for C2 Operations on Kubernetes
 
Lines of Defense - Securing your Kubernetes Clusters by Koray Oksay
Lines of Defense - Securing your Kubernetes Clusters by Koray OksayLines of Defense - Securing your Kubernetes Clusters by Koray Oksay
Lines of Defense - Securing your Kubernetes Clusters by Koray Oksay
 
Kubernetes - Sailing a Sea of Containers
Kubernetes - Sailing a Sea of ContainersKubernetes - Sailing a Sea of Containers
Kubernetes - Sailing a Sea of Containers
 
Container & kubernetes
Container & kubernetesContainer & kubernetes
Container & kubernetes
 
Digital Forensics and Incident Response in The Cloud Part 3
Digital Forensics and Incident Response in The Cloud Part 3Digital Forensics and Incident Response in The Cloud Part 3
Digital Forensics and Incident Response in The Cloud Part 3
 
Introduction to kubernetes
Introduction to kubernetesIntroduction to kubernetes
Introduction to kubernetes
 
Kubernetes
KubernetesKubernetes
Kubernetes
 
Container security
Container securityContainer security
Container security
 
Assisted-Installer-DevConf-US-2021
Assisted-Installer-DevConf-US-2021Assisted-Installer-DevConf-US-2021
Assisted-Installer-DevConf-US-2021
 

More from Michael Man

5 things i wish i knew about sast (DSO-LG July 2021)
5 things i wish i knew about sast (DSO-LG July 2021)5 things i wish i knew about sast (DSO-LG July 2021)
5 things i wish i knew about sast (DSO-LG July 2021)Michael Man
 
K8S Certifications - Exam Cram
K8S Certifications - Exam CramK8S Certifications - Exam Cram
K8S Certifications - Exam CramMichael Man
 
DSO-LG 2021 Reboot: Policy As Code (Anders Eknert)
DSO-LG 2021 Reboot: Policy As Code (Anders Eknert)DSO-LG 2021 Reboot: Policy As Code (Anders Eknert)
DSO-LG 2021 Reboot: Policy As Code (Anders Eknert)Michael Man
 
DSO-LG March 2018: The mechanics behind how attackers exploit simple programm...
DSO-LG March 2018: The mechanics behind how attackers exploit simple programm...DSO-LG March 2018: The mechanics behind how attackers exploit simple programm...
DSO-LG March 2018: The mechanics behind how attackers exploit simple programm...Michael Man
 
DSO-LG Oct 2019: Modern Software Delivery: Supply Chain Security Critical (Ch...
DSO-LG Oct 2019: Modern Software Delivery: Supply Chain Security Critical (Ch...DSO-LG Oct 2019: Modern Software Delivery: Supply Chain Security Critical (Ch...
DSO-LG Oct 2019: Modern Software Delivery: Supply Chain Security Critical (Ch...Michael Man
 
Extract Oct 2019: DSO-LG Rolling Slides
Extract Oct 2019: DSO-LG Rolling SlidesExtract Oct 2019: DSO-LG Rolling Slides
Extract Oct 2019: DSO-LG Rolling SlidesMichael Man
 
Sept 2019 - DSO-LG Tooling Examples
Sept 2019 - DSO-LG Tooling ExamplesSept 2019 - DSO-LG Tooling Examples
Sept 2019 - DSO-LG Tooling ExamplesMichael Man
 
DevSecOps Manchester - May 2019
DevSecOps Manchester - May 2019DevSecOps Manchester - May 2019
DevSecOps Manchester - May 2019Michael Man
 
Extract: DevSecOps - London Gathering (March 2019)
Extract: DevSecOps - London Gathering (March 2019)Extract: DevSecOps - London Gathering (March 2019)
Extract: DevSecOps - London Gathering (March 2019)Michael Man
 
Matt Turner: Istio, The Packet's-Eye View (DevSecOps - London Gathering, Janu...
Matt Turner: Istio, The Packet's-Eye View (DevSecOps - London Gathering, Janu...Matt Turner: Istio, The Packet's-Eye View (DevSecOps - London Gathering, Janu...
Matt Turner: Istio, The Packet's-Eye View (DevSecOps - London Gathering, Janu...Michael Man
 
August 2018: DevSecOps - London Gathering
August 2018: DevSecOps - London GatheringAugust 2018: DevSecOps - London Gathering
August 2018: DevSecOps - London GatheringMichael Man
 
DevSecOps - London Gathering : June 2018
DevSecOps - London Gathering : June 2018DevSecOps - London Gathering : June 2018
DevSecOps - London Gathering : June 2018Michael Man
 
The mechanics behind how attackers exploit simple programming mistakes ...
The mechanics behind how attackers exploit simple programming mistakes ...The mechanics behind how attackers exploit simple programming mistakes ...
The mechanics behind how attackers exploit simple programming mistakes ...Michael Man
 
Secret Management Journey - Here Be Dragons aka Secret Dragons
Secret Management Journey - Here Be Dragons aka Secret DragonsSecret Management Journey - Here Be Dragons aka Secret Dragons
Secret Management Journey - Here Be Dragons aka Secret DragonsMichael Man
 
DevSecOps March 2018 - Extract
DevSecOps March 2018 - ExtractDevSecOps March 2018 - Extract
DevSecOps March 2018 - ExtractMichael Man
 
DevSecOps The Evolution of DevOps
DevSecOps The Evolution of DevOpsDevSecOps The Evolution of DevOps
DevSecOps The Evolution of DevOpsMichael Man
 
Dynaminet -DevSecOps
Dynaminet -DevSecOpsDynaminet -DevSecOps
Dynaminet -DevSecOpsMichael Man
 
DevSecOps: Test Automation
DevSecOps: Test AutomationDevSecOps: Test Automation
DevSecOps: Test AutomationMichael Man
 
Project management experience security in agile 1309
Project management experience security in agile 1309Project management experience security in agile 1309
Project management experience security in agile 1309Michael Man
 

More from Michael Man (19)

5 things i wish i knew about sast (DSO-LG July 2021)
5 things i wish i knew about sast (DSO-LG July 2021)5 things i wish i knew about sast (DSO-LG July 2021)
5 things i wish i knew about sast (DSO-LG July 2021)
 
K8S Certifications - Exam Cram
K8S Certifications - Exam CramK8S Certifications - Exam Cram
K8S Certifications - Exam Cram
 
DSO-LG 2021 Reboot: Policy As Code (Anders Eknert)
DSO-LG 2021 Reboot: Policy As Code (Anders Eknert)DSO-LG 2021 Reboot: Policy As Code (Anders Eknert)
DSO-LG 2021 Reboot: Policy As Code (Anders Eknert)
 
DSO-LG March 2018: The mechanics behind how attackers exploit simple programm...
DSO-LG March 2018: The mechanics behind how attackers exploit simple programm...DSO-LG March 2018: The mechanics behind how attackers exploit simple programm...
DSO-LG March 2018: The mechanics behind how attackers exploit simple programm...
 
DSO-LG Oct 2019: Modern Software Delivery: Supply Chain Security Critical (Ch...
DSO-LG Oct 2019: Modern Software Delivery: Supply Chain Security Critical (Ch...DSO-LG Oct 2019: Modern Software Delivery: Supply Chain Security Critical (Ch...
DSO-LG Oct 2019: Modern Software Delivery: Supply Chain Security Critical (Ch...
 
Extract Oct 2019: DSO-LG Rolling Slides
Extract Oct 2019: DSO-LG Rolling SlidesExtract Oct 2019: DSO-LG Rolling Slides
Extract Oct 2019: DSO-LG Rolling Slides
 
Sept 2019 - DSO-LG Tooling Examples
Sept 2019 - DSO-LG Tooling ExamplesSept 2019 - DSO-LG Tooling Examples
Sept 2019 - DSO-LG Tooling Examples
 
DevSecOps Manchester - May 2019
DevSecOps Manchester - May 2019DevSecOps Manchester - May 2019
DevSecOps Manchester - May 2019
 
Extract: DevSecOps - London Gathering (March 2019)
Extract: DevSecOps - London Gathering (March 2019)Extract: DevSecOps - London Gathering (March 2019)
Extract: DevSecOps - London Gathering (March 2019)
 
Matt Turner: Istio, The Packet's-Eye View (DevSecOps - London Gathering, Janu...
Matt Turner: Istio, The Packet's-Eye View (DevSecOps - London Gathering, Janu...Matt Turner: Istio, The Packet's-Eye View (DevSecOps - London Gathering, Janu...
Matt Turner: Istio, The Packet's-Eye View (DevSecOps - London Gathering, Janu...
 
August 2018: DevSecOps - London Gathering
August 2018: DevSecOps - London GatheringAugust 2018: DevSecOps - London Gathering
August 2018: DevSecOps - London Gathering
 
DevSecOps - London Gathering : June 2018
DevSecOps - London Gathering : June 2018DevSecOps - London Gathering : June 2018
DevSecOps - London Gathering : June 2018
 
The mechanics behind how attackers exploit simple programming mistakes ...
The mechanics behind how attackers exploit simple programming mistakes ...The mechanics behind how attackers exploit simple programming mistakes ...
The mechanics behind how attackers exploit simple programming mistakes ...
 
Secret Management Journey - Here Be Dragons aka Secret Dragons
Secret Management Journey - Here Be Dragons aka Secret DragonsSecret Management Journey - Here Be Dragons aka Secret Dragons
Secret Management Journey - Here Be Dragons aka Secret Dragons
 
DevSecOps March 2018 - Extract
DevSecOps March 2018 - ExtractDevSecOps March 2018 - Extract
DevSecOps March 2018 - Extract
 
DevSecOps The Evolution of DevOps
DevSecOps The Evolution of DevOpsDevSecOps The Evolution of DevOps
DevSecOps The Evolution of DevOps
 
Dynaminet -DevSecOps
Dynaminet -DevSecOpsDynaminet -DevSecOps
Dynaminet -DevSecOps
 
DevSecOps: Test Automation
DevSecOps: Test AutomationDevSecOps: Test Automation
DevSecOps: Test Automation
 
Project management experience security in agile 1309
Project management experience security in agile 1309Project management experience security in agile 1309
Project management experience security in agile 1309
 

Recently uploaded

A Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source MilvusA Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source MilvusZilliz
 
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu SubbuApidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbuapidays
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century educationjfdjdjcjdnsjd
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesrafiqahmad00786416
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsNanddeep Nachan
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...apidays
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businesspanagenda
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native ApplicationsWSO2
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoffsammart93
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDropbox
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdflior mazor
 
Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024The Digital Insurer
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...Zilliz
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 

Recently uploaded (20)

A Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source MilvusA Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source Milvus
 
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu SubbuApidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challenges
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectors
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 

Control Plane: Continuous Kubernetes Security (DevSecOps - London Gathering, January 2019)

  • 2. I’m: - Andy - Dev-like - Sec-ish - Ops-y
  • 3.
  • 7. No RBAC Attacking Kubernetes - Dino Dai Zovi, Capsule8
  • 8. No Workload Security Building for Trust: How to Secure Your Kubernetes Cluster [I] - Alexander Mohr & Jess Frazelle
  • 9. No Security - Cluster Edition Hacking and Hardening Kubernetes Clusters by Example - Brad Geesaman, Symantec
  • 10. Helm Exploring The Security Of Helm / Using SSL Between Helm and Tiller
  • 11. Unsecured Dashboard - Tesla Lessons from the Cryptojacking Attack at Tesla - RedLock CSI Team
  • 12. CVE-2017-1002101 - subpath volume mount handling allows arbitrary file access in host filesystem #60813
  • 13. CVE-2018-1002105: proxy request handling in kube-apiserver can leave vulnerable TCP connections #71411
  • 14. Is this Kubernetes cluster secure?
  • 15.
  • 17. Nodes Master Node 3 OS Container Runtime Kubelet Networking Node 2 OS Container Runtime Kubelet Networking Node 1 OS Container Runtime Kubelet Networking API Server (REST API) Controller Manager (Controller Loops) Scheduler (Bind Pod to Node) etcd (key-value DB, SSOT) User Legend: CNI CRI OCI Protobuf gRPC JSON By Lucas Käldström
  • 18. Minimum Viable Security TLS Everywhere Note that some components and installation methods may enable local ports over HTTP and administrators should familiarize themselves with the settings of each component to identify potentially unsecured traffic. https://kubernetes.io/docs/tasks/administer-cluster/securing-a-cluster/#use-transpo rt-level-security-tls-for-all-api-traffic
  • 20. Enable RBAC RBAC Support in Kubernetes (stable v1.8)
  • 21. External Auth to API Server (e.g. via kubectl) ● https://github.com/coreos/dex - OpenID Connect Identity (OIDC) and OAuth 2.0 provider with pluggable connectors ● https://github.com/pusher/k8s-auth-example - OIDC connector ● https://thenewstack.io/kubernetes-single-sign-one-less-identity/ ● https://github.com/negz/kuberos - OIDC authentication helper for kubectl (also https://cloud.google.com/community/tutorials/kubernetes-auth-openid-rbac) ● https://github.com/micahhausler/k8s-oidc-helper - helper tool for authenticating to Kubernetes using Google's OpenID Connect
  • 22. Disable API server read only port (default: 8080) --insecure-port=0
  • 23. Disable API server read only port (default: 8080) andy@kube-master:~ [0]# curl localhost:8080/api/v1/secrets?limit=1 { "kind": "SecretList", "apiVersion": "v1", "metadata": {...}, "items": [ { "metadata": { "name": "default-token-dhj8b", "namespace": "default", ... "annotations": { "kubernetes.io/service-account.name": "default", "kubernetes.io/service-account.uid": "a7e874b7-6186-11e8-92ba-4af3186f8390" } }, "data": { "ca.crt": "LS0tLS1CRUdJTiBD...", "namespace": "ZGVmYXVsdA==", "token": "ZXlKaGJHY..." }, "type": "kubernetes.io/service-account-token" } ] }
  • 24. No system:anonymous role for anonymous user (API server flag) --anonymous-auth=false
  • 25. No system:anonymous role for anonymous user (API server flag) andy@localhost:~ [0]# curl https://kube-master:6443/version { "major": "1", "minor": "10", "gitVersion": "v1.10.3", "gitCommit": "2bba0127d85d5a46ab4b778548be28623b32d0b0", "gitTreeState": "clean", "buildDate": "2018-05-21T09:05:37Z", "goVersion": "go1.9.3", "compiler": "gc", "platform": "linux/amd64" }
  • 26. Separate, Firewalled etcd Cluster Implementation details
  • 30. Containers ● Namespaces ● cgroups ● seccomp-bpf ● AppArmor / SELinux ● Users ● Capabilities
  • 31. Pods
  • 32. Pods apiVersion: v1 kind: Pod metadata: name: nfs-server labels: role: nfs-server spec: containers: - name: nfs-server image: jsafrane/nfs-data securityContext: privileged: true
  • 33. kubesec.io - risk score for K8S YAML
  • 34. kubesec.io - example insecure pod { "score": -30, "scoring": { "critical": [{ "selector": "containers[] .securityContext .privileged == true", "reason": "Privileged containers can allow almost completely unrestricted host access" }], "advise": [{ "selector": "containers[] .securityContext .runAsNonRoot == true", "reason": "Force the running image to run as a non-root user to ensure least privilege" }, { "selector": "containers[] .securityContext .capabilities .drop", "reason": "Reducing kernel capabilities available to a container limits its attack surface", "href": "https://kubernetes.io/docs/tasks/configure-pod-container/security-context/" }, ...
  • 35. PodSecurityPolicies apiVersion: extensions/v1beta1 kind: PodSecurityPolicy metadata: name: restricted annotations: seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default' apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default' seccomp.security.alpha.kubernetes.io/defaultProfileName: 'docker/default' apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default' spec: privileged: false allowPrivilegeEscalation: false # Required to prevent escalations to root. # This is redundant with non-root + disallow privilege escalation, # but we can provide it for defense in depth. requiredDropCapabilities: - ALL # Allow core volume types. volumes: - 'configMap' - 'emptyDir' ... hostNetwork: false hostIPC: false hostPID: false runAsUser: rule: 'MustRunAsNonRoot' # Require the container to run without root privileges. ... https://gist.github.com/tallclair/11981031b6bfa829bb1fb9dcb7e026b0
  • 36. Resource Linting ● https://kubesec.io/ - calculate “risk” of Kubernetes resource YAML by use of security features ● https://github.com/garethr/kubetest - unit tests for your Kubernetes configurations
  • 40. Services kind: Service apiVersion: v1 metadata: name: my-service spec: selector: app: MyApp ports: - protocol: TCP port: 443 targetPort: 8443
  • 41. ServiceAccounts “We recommend you create and use a minimally privileged service account to run your Kubernetes Engine Cluster” https://cloudplatform.googleblog.com/2017/11/precious-cargo-securing-containers- with-Kubernetes-Engine-18.html
  • 44. Docs: Recommended Admission Controllers # For versions >= v1.13.0 ● AlwaysPullImages ● DenyEscalatingExec ● DefaultStorageClass (enabled by default) ● DefaultTolerationSeconds (enabled by default) ● EventRateLimit ● LimitRanger (enabled by default) ● MutatingAdmissionWebhook (enabled by default, potentially used to inject sidecar containers or change resource parameters) ● NamespaceExists ● NamespaceLifecycle (enabled by default) https://kubernetes.io/docs/ admin/admission-controllers/ ● NodeRestriction ● OwnerReferencesPermissionEnforcement ● PersistentVolumeClaimResize (enabled by default) ● PodNodeSelector ● PodSecurityPolicy ● PodTolerationRestriction ● Priority (enabled by default) ● Resource Quota (enabled by default) ● Service Account (enabled by default) ● ValidatingAdmissionWebhook (enabled by default, to enforce CI/CD Pipeline security controls) --admission-control=${CONTROLLERS}
  • 45. Admission Controllers: NodeRestriction limits the Node and Pod objects a kubelet can modify kubelets must use credentials in the system:nodes group, with a username in the form system:node:<nodeName> n.b. Node Authorizer authorization mode required https://kubernetes.io/docs/admin/authorization/node/
  • 46. NodeRestriction authz plugin: Node Authorizer --authorization-mode=Node A kubelet can not: ● alter the state of resources of any Pod it does not manage ● access Secrets, ConfigMaps or Persistent Volumes / PVCs, unless they are bound to a Pod managed by itself ● alter the state of any Node but the one it is running on https://kubernetes.io/docs/admin/authorization/node/
  • 47. Admission Controllers: PodSecurityPolicy determines if it should be admitted based on the requested security context and available Pod Security Policies https://github.com/kubernetes/examples/tree/master/staging/podsecuritypolicy/rbac
  • 48. Admission Controllers: ServiceAccount automation for serviceAccounts if not exist, set: ServiceAccount, ImagePullSecrets, /var/run/secrets/kubernetes.io/serviceaccount volume
  • 49. Admission Controllers: ValidatingAdmissionWebhook (v1.9 beta) calls validating webhooks in parallel, rejects pod if any fail
  • 50. Compliance Scanning ● https://github.com/nccgroup/kube-auto-analyzer - review Kubernetes installations against the CIS Kubernetes 1.8 Benchmark ● https://github.com/aquasecurity/kube-bench - test versions of Kubernetes (1.6, 1.7 and 1.8) against CIS Kubernetes 1.0.0, 1.1.0 and 1.2.0 ● https://github.com/heptio/sonobuoy - running a set of Kubernetes conformance tests in an accessible and non-destructive manner ● https://github.com/bgeesaman/sonobuoy-plugin-bulkhead - kube-bench for sonobouy ● https://github.com/bgeesaman/kubeatf - spin up, test, and destroy Kubernetes clusters in a human and CI/CD friendly way
  • 51. Image Scanning ● https://github.com/coreos/clair ● https://github.com/arminc/clair-local-scan ● https://github.com/optiopay/klar - integration of Clair and Docker Registry ● https://github.com/banyanops/collector ● https://github.com/anchore/anchore-engine
  • 54. NetworkPolicy ● Calico ● Cilium (Learn more about eBPF) ● Kube-router ● Romana ● Weave Net
  • 55. Kubernetes NetworkPolicy: default deny apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: default-deny spec: podSelector: https://github.com/ahmetb/kube rnetes-network-policy-recipes
  • 56. Kubernetes NetworkPolicy: default deny apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: default-deny spec: podSelector: - “*” https://github.com/ahmetb/kube rnetes-network-policy-recipes Illegal syntax, but represents what it actually does (effectively a wildcard)
  • 57. Kubernetes NetworkPolicy https://github.com/ahmetb/kube rnetes-network-policy-recipes apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: foo-deny-external-egress spec: podSelector: matchLabels: app: foo policyTypes: - Egress egress: - ports: - port: 53 protocol: UDP - port: 53 protocol: TCP - to: - namespaceSelector: {}
  • 58. Kubernetes NetworkPolicy - NO DNS NAMES https://github.com/kubernetes/kubernetes/issues/56901
  • 59. Kubernetes NetworkPolicy - ILLEGAL! https://github.com/ahmetb/kube rnetes-network-policy-recipes apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: foo-deny-external-egress spec: podSelector: dnsName: control-plane.io policyTypes: - Egress egress: - ports: - port: 53 protocol: UDP - port: 53 protocol: TCP - to: - namespaceSelector: {} ILLEGAL! NOT ALLOWED!
  • 60.
  • 62. netassert - cloud native network testing ● netassert - network security testing for DevSecOps workflows https://github.com/controlplaneio/netassert host: localhost: bitbucket.com: - 22 control-plane.io: github.com: - 22
  • 63. netassert - cloud native network testing k8s: # used for Kubernetes pods deployment: # only deployments currently supported test-frontend: # pod name, defaults to `default` namespace test-microservice: 80 # `test-microservice` is the DNS name of the target service test-database: -80 # should not be able to access port 80 of `test-database` new-namespace:test-microservice: # `new-namespace` is the namespace name test-database.new-namespace: 80 # longer DNS names can be used for other namespaces test-frontend.default: 80 default:test-database: test-frontend.default.svc.cluster.local: 80 # full DNS names can be used test-microservice.default.svc.cluster.local: -80 control-plane.io: 443 # we can check remote services too https://github.com/controlplaneio/netassert
  • 64.
  • 66. Secure Hosts ● Minimal attack surface ○ CoreOS (RIP), forked as FlatCar Linux- https://coreos.com/ and https://kinvolk.io/ ○ Red Hat Atomic - https://www.redhat.com/en/resources/enterprise-linux-atomic-host-datasheet ○ Ubuntu Core - https://www.ubuntu.com/core ○ Container-Optimized OS from Google - https://cloud.google.com/container-optimized-os/docs/ ● Security extensions enabled, configured, and monitored ● Immutable infrastructure ● Group nodes by type, usage, and/or security level
  • 67. Proxy to Metadata APIs ● https://github.com/uswitch/kiam - allows cluster users to associate IAM roles to Pods ● https://github.com/jtblin/kube2iam - provides different AWS IAM roles for pods running on Kubernetes ● https://github.com/heptio/authenticator - allow AWS IAM credentials to authenticate to a Kubernetes cluster ● https://github.com/GoogleCloudPlatform/k8s-metadata-proxy - a simple proxy for serving concealed metadata to container workloads
  • 69. MULTI TENANCY: Soft ● Isolate by namespace ○ Don't forget the default NetworkPolicy and PodSecurityPolicy ○ Assign limits to the namespace with LimitRanges https://kubernetes.io/docs/tasks/administer-cluster/memory-default-namespace/ ● Separate dev/test from production ● Image scanning ○ Private registry and build artefacts/supply chain
  • 70. MULTI TENANCY: Soft ● Policed, scanned, compliant base images, stored within organisation ○ Minimal attack surface ○ FROM scratch if possible ● Deploy Admission Controllers, PodSecurityPolicy, etc ● Everything as code ○ https://www.weave.works/blog/gitops-operations-by-pull-request
  • 72. MULTI TENANCY: Hard ● All users untrusted, potentially malicious ○ Comfortable running code from multiple third parties, with the potential for malice that implies, in the same cluster ● Only co-tenant along your existing security boundaries ● Segregate logically by application type, security level, and/or physically by project/account ● Separate node pools for different tenants
  • 73. MULTI TENANCY: Hard ● This may not look a lot like hard multitenancy? ○ It's still running a centralised control plane ● Run kubedns in a sidecar to restrict DNS leakage ● Mixed vm and container workload ○ Dan Walsh nailed it ○ "glasshouse VMs" ● Defence in depth ● Remote logging
  • 77. Continuous Infra Security ● The system can continually self-validate ● Test pipelines are more robust ● Highly skilled penetration testers are free to focus on the “high-hanging fruit”
  • 78.
  • 79. Conclusion ● The brave new world of Kubernetes increases attack surface and potential for misconfiguration ● Lots of new security primitives are landing ● The only way to iterate quickly is: supported by a test suite ● Security testing keeps you young