Introduction to Kubernetes Security (Aqua & Weaveworks)
2 likes549 views
The document is a GitOps security primer focusing on securing Kubernetes clusters and GitOps pipelines. It discusses the importance of defining system states declaratively, the management of credentials across security boundaries, and best practices for securing repositories and the control plane. Key recommendations include enforcing strong identities, preventing history rewrites, managing secrets carefully, and ensuring up-to-date configurations.
![28
Signing each commit is [a bad idea]. It just
means that you automate it, and you make the
signature worth less. It also doesn't add any real
value, since the way the git DAG-chain of SHA1's
work, you only ever need one signature to make
all the commits reachable from that one be
effectively covered by that one. So signing each
commit is simply missing the point.
* A word from above](https://image.slidesharecdn.com/introductiontokubernetes-190605164733/85/Introduction-to-Kubernetes-Security-Aqua-Weaveworks-28-320.jpg)
Introduction to Kubernetes Security (Aqua & Weaveworks)
- 1. 1
- 2. GitOps Security primer Aqua / Weaveworks Webinar June 2019 2
- 5. 5 GitOps ON Kubernetes Kubectl / Direct access
- 9. 9 Deployment Agent * GitOps ON Kubernetes
- 14. 14 1 The entire system is described declaratively. 2 The desired system state is versioned 3 Approved changes to the desired state are automatically applied to the system 4 Software agents ensure correctness and alert on divergence
- 15. 15 GitOps ON Kubernetes Image Repository 1 The entire system is described declaratively.
- 16. 16 GitOps ON Kubernetes Image Repository 2 The desired system state is versioned
- 17. 17 GitOps ON Kubernetes Image Repository 3 Approved changes to the desired state are automatically applied to the system
- 18. 18 GitOps ON Kubernetes Image Repository 4 Software agents ensure correctness and alert on divergence
- 19. Why do we care 19
- 20. Typical CICD pipeline Continuous Integration Cluster API Continuous Delivery/Deployment Container Registry CI Code Repo Dev RW CI credsGit creds RW CR creds3 RO RW API creds CR creds1 Shares credentials cross several logical security boundaries. Boundary RO RW Container Registry (CR) creds2
- 21. Cluster API GitOps pipeline Container Registry CI Code Repo Dev RO CR creds2CI credsGit creds RO Deploy CR creds3 RO RW Config repo creds CR creds1 Credentials are never shared across a logical security boundary. RW RW RW Cluster API creds Canonical desired state store Config Repo
- 22. Cluster API GitOps pipeline Container Registry CI Code Repo Dev RO CR creds2CI credsGit creds RO Deploy CR creds3 RO RW Config repo creds CR creds1 Credentials are never shared across a logical security boundary. RW RW RW Cluster API creds Operator RW Config Repo
- 23. Cluster API GitOps pipeline Container Registry CI Code Repo Dev RO CR creds2CI credsGit creds RO Deploy CR creds3 RO RW Config repo creds CR creds1 Credentials are never shared across a logical security boundary. RW RW RW Cluster API creds Operator RW Config Repo Process & constraints enforcement
- 24. Cluster API GitOps pipeline Container Registry CI Code Repo Dev RO CR creds2CI credsGit creds RO Deploy CR creds3 RO RW Config repo creds CR creds1 Credentials are never shared across a logical security boundary. RW RW RW Cluster API creds Operator RW Config Repo Exceptional auditing and attribution*
- 25. Secure your GitOps pipeline 25
- 26. Move from access to cluster to access to repository. ...So how to secure your repository? Moving the burden of security 26
- 27. Mitigating user impersonation 27 1. Enforce Strong Identity in VCS (GitHub/GitLab) with GPG Signed Commits * 1. Use Physical GPG Keys to increase security 1. Run GPG-Validating Code in CI
- 28. 28 Signing each commit is [a bad idea]. It just means that you automate it, and you make the signature worth less. It also doesn't add any real value, since the way the git DAG-chain of SHA1's work, you only ever need one signature to make all the commits reachable from that one be effectively covered by that one. So signing each commit is simply missing the point. * A word from above
- 29. Prevent History Rewrites 29 1. Prevent Force Pushes to Master Branch 1. Backup Git Repositories
- 30. Prevent Removal of Security Features 30 1. Configure Git Provider with Infrastructure as Code (Meta-GitOps FTW!) 1. Monitor Git Provider’s Audit Logs 1. Verify Commits to Master
- 31. Don’t use deprecated software 31
- 34. 34 Thank you Over to you Liz [email protected] @fractallambda
- 35. © 2019 Aqua Security Software Ltd., All Rights Reserved The State of Kubernetes Security Liz Rice, Aqua Security @lizrice | @aquasecteam
- 36. 36 Attack vectors 36 @lizrice Photo by Henry Hustava on Unsplash
- 37. 37
- 38. Control plane Securing access to the APIs • API server • Kubelets • etcd Photo by James Sutton on Unsplash39 @lizrice
- 39. Control plane checks CIS Benchmarks kube-bench Photo by James Sutton on Unsplash40 @lizrice
- 40. Keep up to date with Kubernetes releases
- 41. Section Title Keep up to date with Kubernetes releases
- 42. 43 Don’t allow privileged containers „ Except that it’s needed for some components like kube-dns Don’t allow anonymous API access „ Health checks „ Current thinking is to rely on RBAC @lizrice Photo by Nik Shuliahin on Unsplash43 Control plane conundrums
- 43. Authentication & Authorization @lizrice Photo by Annie Spratt on Unsplash44
- 44. Authentication @lizrice Photo by Annie Spratt on Unsplash45 Static password/token file X509 client certs Proxy + header OpenID Connect Custom Webhook
- 45. 46 Node (kubelet) ABAC - outdated! RBAC Webhook l Open Policy Agent @lizrice Photo by Belinda Fewings on Unsplash46 Authorization
- 46. 47 @lizrice Photo by Belinda Fewings on Unsplash47 Authorization - RBAC Entity l Service account, User, Group Scope l Namespace / Cluster Roles and bindings
- 47. Container Images @lizrice Photo by Glenn Carstens-Peters on Unsplash48
- 48. 49 Trusted base images Define USER Automate vulnerability scans Private registries Pin dependencies (for reproducible builds) @lizrice Container Images 49
- 49. Running containers Running containers @lizrice Photo by Josh Hild on Unsplash50 Don’t run as root § RunAsUser PodSecurityPolicy § Limit volume mounts NetworkPolicy Seccomp / AppArmor / SELinux
- 50. Section Title Keep up to date with Kubernetes releases
- 52. @lizrice Photo by Sai De Silva on Unsplash53 Secrets
- 53. Secrets @lizrice Photo by Sai De Silva on Unsplash54 Namespaced objects Access via volume or env var Data in tmpfs volumes Per-secret size limit of 1MB Default: base64 encoded § Enable encryption at rest, or § Use third-party tool
- 54. Additional considerations Stay safe! @lizrice Photo by Piotr Chrobot on Unsplash55 Stay up to date Check configuration Image scanning Don’t run as root Use RBAC Manage secrets carefully
- 55. Stay safe! info.aquasec.com/kubernetes-security @lizrice | @aquasecteam