This document provides an overview of 10 tips for cloud native security when using Kubernetes. It discusses reducing the attack surface by securing hosts, container images, and the Kubernetes cluster. It also covers security features in Kubernetes like secrets, authentication and authorization, audit logging, network policies, and pod security policies. Finally, it recommends several open source tools for assessing security like Clair, Kube-bench, Kubesec, and Kubeaudit. The overall message is that security needs to be an ongoing process of evaluating risks and hardening the environment over time.
10 Tips for Cloud Native Security
1. 10 Tips for Cloud Native Security
Karthik Gaekwad, @iteration1
Austin Developer Week 2018

DevSecOps in a Cloud Native World
Karthik Gaekwad, @iteration1
Devnet Create 2019
2. Hello
• I'm Karthik Gaekwad
• NOT a DBA
• Cloud Native Evangelist at Oracle Cloud
• https://cloudnative.oracle.com/
• Past: Developer on the Oracle Managed Kubernetes Team
3. Hello
• Been in the industry 15 years.
• In general, I like building stuff with friends.
• Maintainer for Gauntlt, an open source security scanner.
• Love teaching and building community.
• Run Devopsdays Austin, Container Days, Cloud Austin.
• Chair of the All Day DevOps Cloud Native track.
• LinkedIn Learning author for Learning Kubernetes (and more).
4. The Cloud Native Journey
Phase I: Developer Focus (Container Adoption; Speed)
• Docker
• Developer adoption
• Dev/Test apps
• Simple orchestration
• Individual developers
Phase II: DevOps Focus (Application Deployment; Efficiency)
• Kubernetes
• DevOps deployment
• Production apps
• Advanced orchestration
• Teams & lines of business
Phase III: Business Focus, end-to-end (Intelligent Operations; Agility)
• Core to Edge
• End-to-end integration
• Digital business apps
• Serverless, DevSecOps, & ML
• Cloud native enterprises
Focus: Applications, Automation, Community
5. CNCF Survey: August 2018
How Does Your Company Use Containers and Where?
• Lots of adoption on dev/staging
• Continued production increase
6. CNCF Survey: August 2018
How Does Your Company Use Containers and Where?
• Adoption over public cloud and on-prem
8. Top 5 challenges to cloud native adoption (bar chart, percentage of respondents):
• Complexity
• Cultural Challenges
• Lack of Training
• Security
• Monitoring
9. Kubernetes & Cloud Native Challenges
• Managing, maintaining, upgrading the Kubernetes control plane
• API server, etcd, scheduler etc.
• Managing, maintaining, upgrading the Kubernetes data plane
• In-place upgrades, deploying a parallel cluster etc.
• Figuring out container networking & storage
• Overlays, persistent storage etc.; it should just work
• Managing teams
• How do I manage & control team access to my clusters?
• Security, security, security
Source: Oracle Customer Survey 2018
10. How Are Teams Addressing Complexity, Training Issues?
Stack layers, top to bottom: App Management; Upgrades & Patching; Platform Backup & Recovery; High Availability; Scaling; App Deployment; Power, HVAC; Rack and Stack; Server Provisioning; Software Installation.
• Customer Managed: YOU own every layer of the stack.
• Fully-Managed: the provider runs the platform layers and you keep App Management.
Fully managed benefits: Faster Time to Deploy, Lower Risk, Accelerate Innovation.
13. Unsecured K8s dashboards
• Unsecured Kubernetes Dashboard (reachable without authentication) that exposed cloud account creds.
• Attackers used this to mine cryptocurrency.
• 2017: Aviva
• 2018: Tesla, Weight Watchers
• https://redlock.io/blog/cryptojacking-tesla
14. Kubelet credentials hack
• Shopify: Server Side Request Forgery
• Used it to get the kubelet certs/private key
• Root access to any container in that part of the infrastructure.
• https://hackerone.com/reports/341876
24. Let's look at:
• Attack Surface
• More importantly, how to limit damage
• Security related features in K8s
• The more you know, the better you build
• Open source tooling to help
• Because we all need help
26. Attack Surface
Goal: Reduce the attack surface
• Analysis for:
• Host(s)
• Container (images and running)
• Kubernetes cluster
27. Attack Surface: Host
• These are the machines you're running Kubernetes on.
• Age old principles of Linux still apply:
• Enable SELinux
• AppArmor
• Seccomp
• Hardened images
• Goal: Minimize privilege for the applications running on the host. A container is a process on the node; SELinux/AppArmor/seccomp are what stands between that process and the kernel if the container is compromised.
• Good news: there is already a wealth of information on this subject!
• http://lmgtfy.com/?q=how+to+reduce+attack+surface+linux
29. Attack Surface: Container Images
GOAL: Know your base image when building containers
(BTW, this is just a ruby helloworld app)
30. Attack Surface: Container Images
GOAL: Know your base image when building containers
Full disclosure: I'm karthequian; I created this as a ruby 101 container for learning purposes only
31. Attack Surface: Container Images
GOAL: Know your base image when building containers
• When in doubt, stick to official images!
• Or start from a sane base image (example: Alpine Linux)
32. Attack Surface: Container Images
GOAL: The smaller the image, the better
• Fewer things for an attacker to exploit (no shell, package manager or compiler in a production image means less to live off once inside).
• Quicker to push, quicker to pull.
33. Attack Surface: Container Images
GOAL: Don't rely on the :latest tag
• The :latest image yesterday might not be the :latest image tomorrow.
• Instead, you want to know exactly which version you're running: pin a specific tag, or better, the image digest (image@sha256:...), which cannot be re-pointed the way a tag can.
• Side benefit: if a new vulnerability is announced for OS version x.y.z, you know immediately whether you're running that version!
34. Attack Surface: Container Images
GOAL: Check for vulnerabilities periodically
• Plenty of ways to do this in registries. We'll cover more in the tooling section.
• Scan on every build and re-scan stored images on a schedule: an image that was clean when built picks up new CVEs without a single byte changing.
35. Attack Surface: Running Containers
GOAL: Don't run as root
• Containers running as root might be completely unnecessary for the actual application.
• If compromised, the attacker can do a lot more: root inside the container plus a kernel bug or a sloppy host mount is root on the node.
• Set a non-root USER in the Dockerfile and runAsNonRoot in the pod securityContext; Pod Security Policies can enforce it cluster-wide (we'll see how later).
36. Attack Surface: Running Containers
GOAL: Limit host mounts
• Be wary of images that require broad access to paths on the host.
• Limit your host mount to a smaller subset of directories.
• Reduces blast radius on compromise.
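Putting the running-container goals together (no root, narrow read-only host mounts, seccomp and AppArmor from the host slide, and a pinned image tag instead of :latest), here is a pod manifest as an added example; it is not from the original deck. The image name, UID and host path are placeholders.

```yaml
# Added example: a pod that applies the hardening advice above.
# registry.example.com/hello-ruby:1.4.2, UID 10001 and /opt/hello-ruby/config
# are placeholders, not values from the deck.
apiVersion: v1
kind: Pod
metadata:
  name: hello-ruby
  annotations:
    # Before Kubernetes 1.30 the AppArmor profile is selected per container
    # via this annotation; "runtime/default" is the container runtime's default profile.
    container.apparmor.security.beta.kubernetes.io/app: runtime/default
spec:
  automountServiceAccountToken: false     # the app never calls the API server, so give it no token
  securityContext:
    runAsNonRoot: true                    # kubelet refuses to start a container whose image runs as UID 0
    runAsUser: 10001                      # placeholder unprivileged UID
    runAsGroup: 10001
    fsGroup: 10001
    seccompProfile:
      type: RuntimeDefault                # K8s >= 1.19; older clusters use the
                                          # seccomp.security.alpha.kubernetes.io/pod annotation
  containers:
    - name: app
      image: registry.example.com/hello-ruby:1.4.2   # placeholder; pinned tag, never :latest
      securityContext:
        allowPrivilegeEscalation: false   # no setuid binary can regain privilege
        privileged: false
        readOnlyRootFilesystem: true      # a dropped webshell has nowhere to land
        capabilities:
          drop: ["ALL"]                   # add back single capabilities only if the app needs them
      volumeMounts:
        - name: tmp
          mountPath: /tmp                 # writable scratch space because the root fs is read-only
        - name: app-config
          mountPath: /etc/hello-ruby
          readOnly: true
  volumes:
    - name: tmp
      emptyDir: {}
    # If a host mount is unavoidable, mount the narrowest directory, read-only,
    # rather than / or /var/lib/docker. (A ConfigMap would normally be used
    # for config; hostPath is shown only to illustrate narrowing the mount.)
    - name: app-config
      hostPath:
        path: /opt/hello-ruby/config      # placeholder path
        type: Directory
```

With runAsNonRoot set, a base image that still has USER root fails at start with "container has runAsNonRoot and image will run as root", which is the check doing its job: fix the image, not the manifest.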
40. Kubernetes Cluster: TLS
• TLS checklist, i.e. which connections must be mutually authenticated:
1. User and Master (kubectl and other clients to the API server)
2. Nodes and Master (kubelet to the API server, and the API server back to the kubelet: --kubelet-client-certificate, --kubelet-client-key, --kubelet-certificate-authority)
3. Everything etcd (API server to etcd: --etcd-certfile, --etcd-keyfile, --etcd-cafile; on etcd itself --client-cert-auth and --peer-client-cert-auth, so nothing reads the cluster state without a certificate)
41. CVEs
GOAL: Have an upgrade strategy
• Because CVEs are fixed in new releases: patches land only in the currently supported minor versions, so a cluster on an unsupported minor gets no fix.
• Don't treat K8s as "install once, run all the time".
• Make your K8s install repeatable for different versions.
• ...or use a managed provider.
• They either patch automatically for you, or tell you what to do.
44. K8s Features
• Kubernetes Secrets
• Authentication
• Authorization
• Audit Logging
• Network Policies
• Pod security policies
• Open Policy Agent
45. Kubernetes Secrets
• GOAL: Use Kubernetes Secrets to store sensitive data instead of ConfigMaps.
• Caveat: a Secret is base64-encoded, not encrypted; anyone who can read Secrets through the API, or read etcd, gets the value. Restrict that with RBAC.
• Also look at: the encryption provider configuration.
• Controls how the API server encrypts Secret data before writing it to etcd (etcd stores whatever it is handed).
• --experimental-encryption-provider-config (renamed --encryption-provider-config since Kubernetes 1.13)
• https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/
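The encryption provider configuration referenced above, as an added example (not from the deck or the Kubernetes docs verbatim): it encrypts Secrets at rest with AES-CBC and keeps the identity provider last so that Secrets written before encryption was enabled remain readable. The key value is a placeholder you generate yourself.

```yaml
# Added example. Pass it to the API server with
#   --encryption-provider-config=/etc/kubernetes/enc/enc.yaml
# (path is a placeholder). The file holds the key, so it needs the same
# protection as etcd's own TLS keys.
apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
  - resources:
      - secrets
    providers:
      # The FIRST provider is used for every write; ALL providers are tried, in
      # order, when reading. So new secrets go to etcd as aescbc ciphertext.
      - aescbc:
          keys:
            - name: key1
              secret: <base64 of 32 random bytes>   # placeholder, e.g. head -c 32 /dev/urandom | base64
      # identity = plaintext. It must stay LAST: it only exists so that secrets
      # stored before encryption was switched on can still be read. Listing it
      # first would silently turn encryption off for new writes.
      - identity: {}
```

Existing Secrets are not rewritten by enabling this; force a re-write so they get encrypted: kubectl get secrets --all-namespaces -o json | kubectl replace -f -. To verify, read one Secret straight out of etcd with etcdctl; the stored value should start with k8s:enc:aescbc:v1:key1: rather than the base64 of the secret. Key rotation is the same trick in reverse: add the new key first, restart the API servers, re-write all Secrets, then drop the old key.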
46. Authentication and Authorization
• Do you know how you are authenticating with Kubernetes?
• Many ways to authenticate:
• Client certs
• Static token file
• Service Account tokens
• OpenID Connect tokens
• Webhook token authentication
• And more (https://kubernetes.io/docs/reference/access-authn-authz/authentication/)
50. Authentication and Authorization
• Pro tip: Nobody uses ABAC anymore. Don't be that guy....
• RBAC is the de facto standard
• Based on Roles/ClusterRoles and RoleBindings/ClusterRoleBindings
• Good set of defaults: https://github.com/uruddarraju/kubernetes-rbac-policies
• Can use multiple authorizers together (--authorization-mode=Node,RBAC), but it can get confusing.
• Authorizers are consulted in order; the first one to allow or deny decides, and a request that no authorizer allows is denied.
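As an added example of the RBAC model (not from the deck or the linked policy repo), a namespaced Role for a team that may roll out deployments but may not read Secrets or exec into pods, bound to a group name supplied by the authenticator. Namespace, role and group names are placeholders.

```yaml
# Added example. Assumes --authorization-mode=Node,RBAC on the API server and
# an authenticator (e.g. OIDC) that puts users in the group "team-a-operators".
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: team-a                # placeholder namespace
  name: deployment-operator
rules:
  - apiGroups: ["apps"]
    resources: ["deployments"]
    verbs: ["get", "list", "watch", "update", "patch"]
  - apiGroups: [""]
    resources: ["pods", "pods/log"]
    verbs: ["get", "list", "watch"]
  # Deliberately absent: secrets, pods/exec, pods/portforward, and create/delete
  # on anything. RBAC is allow-only; whatever is not listed is denied.
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  namespace: team-a
  name: team-a-operators
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: deployment-operator
subjects:
  - kind: Group
    apiGroup: rbac.authorization.k8s.io
    name: team-a-operators         # placeholder group claim from the identity provider
```

Check the binding from the cluster's point of view rather than by reading YAML: kubectl auth can-i update deployments -n team-a --as=alice --as-group=team-a-operators should answer yes, and kubectl auth can-i get secrets -n team-a --as=alice --as-group=team-a-operators should answer no. A RoleBinding can reference a ClusterRole too, which is how you reuse one role definition per namespace without granting it cluster-wide.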
51. Kubernetes Cluster: Audit Logs
• Wat?
• "Kubernetes auditing provides a security-relevant chronological set of records documenting the sequence of activities that have affected the system by individual users, administrators or other components of the system."
• Answers: what/when/who/where for security events.
• Your job: periodically watch the Kubernetes audit logs, and ship them somewhere a cluster admin cannot quietly edit them.
• https://kubernetes.io/docs/tasks/debug-application-cluster/audit/
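Audit logging is off until the API server is given a policy, and a policy that logs everything at RequestResponse level writes Secret values into the log. The policy below is an added example (not the deck's and not the docs' sample) that keeps the who/what/when for everything while recording bodies only where they matter. File paths in the flags are placeholders.

```yaml
# Added example. Enable with API server flags such as
#   --audit-policy-file=/etc/kubernetes/audit-policy.yaml
#   --audit-log-path=/var/log/kubernetes/audit.log
#   --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100
# Rules are matched top to bottom; the first match wins.
apiVersion: audit.k8s.io/v1
kind: Policy
omitStages:
  - RequestReceived          # the ResponseComplete entry already carries the outcome
rules:
  # Never log the request/response body for Secrets, ConfigMaps or token
  # reviews: the body would put the secret value into the audit log.
  - level: Metadata
    resources:
      - group: ""
        resources: ["secrets", "configmaps"]
      - group: "authentication.k8s.io"
        resources: ["tokenreviews"]
  # Interactive access to containers is exactly the "who did what" question.
  - level: RequestResponse
    resources:
      - group: ""
        resources: ["pods/exec", "pods/attach", "pods/portforward"]
  # RBAC changes: keep the full object so a privilege grant is reviewable later.
  - level: RequestResponse
    resources:
      - group: "rbac.authorization.k8s.io"
  # Noise: kube-proxy watching endpoints, and health probes.
  - level: None
    users: ["system:kube-proxy"]
    verbs: ["watch"]
    resources:
      - group: ""
        resources: ["endpoints", "services"]
  - level: None
    nonResourceURLs: ["/healthz*", "/readyz*", "/livez*", "/version"]
  # Everything else: user, verb, resource, source IP and timestamp, no body.
  - level: Metadata
```

Each entry is a JSON line with user.username, verb, objectRef, sourceIPs and responseStatus; the first thing to search for after enabling it is any "system:anonymous" user or any create/delete on clusterrolebindings, which is the direct signal for the dashboard and kubelet incidents earlier in the deck.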
53. Kubernetes Cluster: Network Policies
• Consider adding a network policy to the cluster...
• Default (no policy selects a pod): all pods can talk to all other pods, across all namespaces.
• Consider limiting this with a NetworkPolicy: start from default-deny per namespace, then allow only what the app actually needs.
• Caveat: NetworkPolicy objects are only enforced if the CNI plugin implements them; otherwise the API accepts them and they silently do nothing.
• https://kubernetes.io/docs/concepts/services-networking/network-policies/
54. Kubernetes Cluster: Pod Security Policies
• Consider adding Pod Security Policies
• PodSecurityPolicy: a defined set of conditions a pod must run with (no root, no privileged containers, no host namespaces, which volume types are allowed, ...).
• Think of this as authorization for pods: the admission controller rejects a pod unless whoever creates it is allowed to "use" a policy the pod satisfies.
• Caveat: PodSecurityPolicy was deprecated in Kubernetes 1.21 and removed in 1.25; its replacement, Pod Security Admission (namespace labels such as pod-security.kubernetes.io/enforce=restricted), enforces the same conditions.
55. Kubernetes Cluster: Pod Security Policies
https://kubernetes.io/docs/concepts/policy/pod-security-policy/#what-is-a-pod-security-policy
• Capability for an admin to control specific actions (the full list of controllable aspects is on that page).
56. Open Policy Agent
• Policy-based control for your whole environment.
• Full-featured policy engine to offload policy decisions from each application/service.
• Deploy OPA alongside your service
• Add policy data to OPA's store
• Query OPA for decisions.
• Great idea, still early, watch this space...
• Standardize policies for all clusters
• https://www.openpolicyagent.org/
58. Keep tabs on the CNCF Security landscape
https://landscape.cncf.io/landscape=security-complia
59. CNCF Projects
• TUF, "The Update Framework"
• Is a framework or a methodology.
• Used for secure software updates.
• Based on ideas surrounding trust and integrity.
• Notary
• Is a project.
• Based on TUF.
• A solution to secure software updates and distribution.
• Used in Docker Trusted Registry.
60. Clair
• Open source project for the static analysis of vulnerabilities in container images.
• Find vulnerable images in your registry.
• Built into quay.io, but you can run it against your own registry.
• Caveat: a scanner only knows the packages it can index (OS packages matched against distro security feeds); zero findings is not proof the image is clean, especially for application dependencies installed outside the package manager.
• https://github.com/coreos/clair
64. Kube-bench
• Checks whether a Kubernetes cluster is deployed according to security best practices.
• Run this after creating your K8s cluster, and again after every upgrade.
• https://github.com/aquasecurity/kube-bench
• The checks are defined by the CIS Kubernetes Benchmark: https://www.cisecurity.org/cis-benchmarks/
• Run it on your Kubernetes master (control plane) nodes and on your worker nodes; the two have different check sets.
66. Kubesec
• Helps you quantify risk for Kubernetes resources.
• Run against your K8s applications (deployments/pods/daemonsets
etc)
• https://kubesec.io/ from controlplane
• Can be used standalone, or as a kubectl plugin
(https://github.com/stefanprodan/kubectl-kubesec)
68. Kubeaudit
• Open-sourced from Shopify.
• Audits the applications running in your K8s cluster.
• https://github.com/Shopify/kubeaudit
• A little more targeted than Kubesec.
72. Apply It!
• Day 1:
• Know what version of Docker and Kubernetes you use.
• Understand if your control and data plane nodes are hardened.
• Understand how your Docker containers are built.
• Find out how you authenticate and authorize for your clusters.
73. Apply It!
• Week 1:
• Build an automation pipeline:
• To build Docker images on code pushes
• Versioning strategy for code
• To build your Kubernetes clusters
74. Apply It!
• 1st Month
• Sanitize your code:
• Know your base images
• Implement versioning for your containers
• Invest in a registry (or tooling) that does vulnerability scanning
• Kubernetes:
• Have an upgrade strategy in place
• Analyze secrets/sensitive cluster data
• Turn on audit logging
75. Apply It!
• 3 Months:
• Continuously monitor
• Tooling like Kubesec/kubeaudit
• Plan how to address vulnerabilities/CVEs
• K8s:
• Strategy for Pod Security Policies
• Strategy for Network Policies
• Run scans (like kube-bench) on cluster creation
76. Apply It!
• 6 Months:
• Re-ask the day 1 questions.
• Review strategies: is it working? What needs tweaking?
• Review tooling: are there new tools that help? Are existing tools working?
• Review CVEs
77. A couple more resources to look at:
• 11 ways not to get hacked: https://kubernetes.io/blog/2018/07/18/11-ways-not-to-get-hacked
• K8s security (from Image Hygiene to Network Policy): https://speakerdeck.com/mhausenblas/kubernetes-security-from-image-hygiene-to-network-policies
Speaker notes:
However, customers face challenges along the way. As we have spoken to customers, many have agreed with the challenges presented on this slide.
• Faster Time to Deploy: no need to provision and maintain operating systems and platforms (Linux, Kubernetes, Docker Registry, Continuous Integration systems).
• Lower Risk: Oracle is committed to SLAs on performance and manageability, in addition to availability.
• Accelerate Innovation: develop new container native apps quickly, and port existing apps faster.
Photo by rawpixel on Unsplash
Photo by Byron Sterk on Unsplash
Diagram from https://docs.google.com/presentation/d/1Gp-2blk5WExI_QR59EUZdwfO2BWLJqa626mK2ej-huo/edit#slide=id.g1e639c415b_0_56. Thanks @Lucas Käldström