Securing an NGINX deployment for K8s
0 likes160 views
This document summarizes steps for securing an NGINX deployment on Kubernetes. It begins by outlining the challenge of securing a website hosted on NGINX without vulnerabilities. The plan is then described in three steps: 1) Use NGINX and get example code, 2) Wrap the code in a Kubernetes Deployment, and 3) Check for security issues using Checkov. Key aspects of securing the deployment discussed are applying the principle of least privilege through profiles, capabilities, and users, ensuring immutability with read-only filesystems and unmounting service account tokens, and increasing resilience with liveness/readiness probes and resource limits. The importance of using secure defaults, open source scanning tools, and an overall Dev
Securing an NGINX deployment for K8s
- 1. PAGE 1 DEVOPS INDONESIA PAGE 1 DEVOPS INDONESIA Steve Giguere Palo ALto Jakarta, 8 Maret 2022 Securing an NGINX deployment for Kubernetes
- 2. Securing an Deployment for Kubernetes Featuring: ● Checkov: Open Source IaC Scanning Your guide: Steve Giguere @_SteveGiguere_
- 3. ● Developer Advocate - Bridgecrew ● DevSecOp s Enthusiast ● DevSecOps London - Organiser ● Raspberry Pi Geek ● Formerly: Aqua Security, StackRox, Synopsys Software Integrity Group ● Twitch show: https://Clust3rF8ck (.com) ● Podcaster: BeerSecOps, CoSeCast (.com) ● Beer Taster: BeerNative (.tv) ● More Steve: https://stevegiguere.com W h o is… Steve Giguere (shig-air)
- 4. T H E C H A L L E N G E
- 5. T H E C H A L L E N G E ● NEED WEBSITE FOR TWITCH SHOW ● HOST ON RASPBERRY PI ● CREATED WITH HUGO ● USE NGINX TRY NOT TO L O O K L I KE TOTAL IDIOT WO R KI N G F O R A N IAC SECURITY COMPAN Y BY DEPLOYI NG A N NGINX W E B S I T E F O R A TWITCH S H O W A B O U T C L O U D NATIVE SECURITY THAT DOESN’ T PA S S O U R C H E C KO V YAML S C A N
- 6. ● A01:2021-Broken A cce ss Control ● A02:2021-Cryptographic Failures ● A03:2021-Injection ● A04:2021-Insecure De sig n ● A05:2021-Security Misconfiguration ● A06:2021-Vulnerable a n d Outdated C omponents ● A07:2021-Identification and Authentication Failures ● A08:2021-Software and Data Integrity Failures ● A09:2021-Security L o g g i n g and Monitoring Failures ● A10:2021-Server-Side Request Forgery Coding issues like input sanitization have been replaced by misconfigurations and dependency (supply chain) risks
- 7. The Problem Defaults are bad! Misconfigurations are bad! ● Unintended behaviour ● Outage ● Data Breach ● Lateral movement ● Supply Chain Compromise ● PII Exposure Security best practices are important!
- 8. IF COMPROMISED ● T HE NGINX DEFAULT IMAGE HAS… ○ NSENTER ○ CURL ○ APT ○ And much much more!! ● T HE NGINX IMAGE CAN... ○ Enumerate the network ○ Breakout to the host ■ EG. CVE-2021-22555 ○ Serve malicious content
- 9. T H E P L A N
- 10. ST E P 1 - U S E NGINX ● B T W NGINX RECENTLY HIT #1
- 11. ST E P 1 ● GET CODE FROM SOMEBODY ELSE
- 12. S T E P 2 - W R A P IT IN A K8s D E P L O Y M E N T ● Get the code (from somebody else) ○ SEARCH GOOGLE/DUCKDUCKGO? ● Go to the source (kubernetes.io)
- 13. S T E P 3 - C H E C K IT IS S E C U R E ● Checkov ○ DEPLOYMENT ■ Are my defaults secure and what happens when they are not? ○ IMAGE ■ Can I use the default image or should I make changes?
- 14. W H A T D O E S S E C U R E MEAN?
- 15. W H A T D O E S S E C U R E MEAN ● CIA ○ Confidentiality ■ Least Privilege ○ Integrity ■ Immutability ○ Availability ■ Resilience
- 16. What is ? Open source (Apache 2.0) misconfiguration scanner for IaC, intended to be used in CI/CD pipelines 1.1000+ built in checks 2. Supports extensions 3. Built in best practices and security
- 17. W h a t is Checkov ● Open source ● Analyze infrastructure as code (IaC) ● Terraform, CloudFormation, Kubernetes, Helm, ARM Templates and Serverless framework ● > 500 rules ● VSCode Plugin ● Optional config file ○ .checkov.yaml *
- 18. L E A S T PRIVILEGE
- 19. Add S e c c o m p Profile ● Disables > 44 system calls ○ Expelliarmus ● Eg. ○ Mount (host filesystems) ○ Ptrace (watch everything) ○ Reboot (the host!) ○ Setns (change linux namespace) ○ Quotactl (mess with cpu limits) ● Default defence in depth ○ Many of these overlap with blocking CAP_SYS_ADMIN
- 20. Set allowPrivilegeEscalation to false setuid ● Prevents binaries from changing the effective user ID ○ Blocks enabling of extra capabilities, ○ Even blocks the use of ping.
- 21. D o not run as root (the default) ● Seems obvious but ● Assign a UID and GID > 10000 to avoid conflict I a m root!
- 22. Drop all capabilities ● Add them back as required
- 23. IMMUTABILITY
- 24. Read-only filesystem ● Prevents the creation, installation or downloading of malicious code ● Containers should be immutable CAN’T TOUCH THIS
- 25. Unmount Service Account Token ● Uses the default service account ● Can impersonate the service account ● Abuse the K8s RESTAPIs.
- 26. Avoid Supply Chain Attacks ● Use the digest for your image NOT tags
- 27. RE S I LI E N CE
- 28. Liveness/Readiness Probes ● Let kubernetes know you’re there and it will keep you alive and kicking Can be difficult to come up with methods to determine a ready and live state. Not the case for NGINX however.
- 29. C P U / Memory Requests and Limits ● Prevents self induced DoS ● Ensures weighted scheduling of pods ● Limits losses from crypto-mining attacks Can be difficult to determine up front but defaults can be quickly derived from the K8s metrics server. MO RE P OWE R!
- 30. Key Takeaways ● Finding Secure Examples Is Difficult ● Basic Best Practices Can Be Easy ● Tools are Available To Help ● Many Defaults Aren’t Secure Checkov: https://www.checkov.io/ Our blog: https://bridgecrew.io/blog T H A N KS ! DEPLOYMENTS SERVICES JOBS DEFAULTS OUR BATTERED POD COMES FROM A SECURE SUPPLY CHAIN
- 31. 30 | ©2020 Palo Alto Networks, Inc. All rights reserved. Sca n to register >> When: 24 March 2022 (Thu) Time: 7.00am Indonesia Time Spea kers: W h a t topics will be covered? Code to Cloud is dedicated to covering security best practices W h o should join: Relevant job titles include but are not Code to Cloud Virtual Su mmi t Block your calendar now! limited to DevOps engineers and team leads, infrastructure and platform engineers, security engineers, SREs, CTOs, engineering and InfoSec managers. across cloud native tech stacks and the development lifecycle — from IaC and open source packages to containers and workloads.
- 32. Survey Form We hope you’ve found our session beneficial. Please help us in answering a short 5 questions survey. A small INR200,000 Grab thank you token awaits. https://forms.gle/bGzk2ntgCmuHCuRg7 Please scan the Q R code or use clickable link in Chatbox
- 33. Stay Connected With Us! t.me/iddevops DevOps Indonesia DevOps Indonesia DevOps Indonesia @iddevops @iddevops DevOps Indonesia Scan here
- 34. PAGE 34 DEVOPS INDONESIA Alone Wearesmart,togetherWearebrilliant THANKYOU! Quote by Steve Anderson