Securing Kubernetes Workloads
Best Practices for Securing Kubernetes Workload Configurations Across Clouds
Jim Bugwadia
Founder and CEO
Agenda
• Kubernetes Security Framework
• Kubernetes Constructs for Workload Security
• Q & A
About me
• @JimBugwadia
• Founder and CEO at Nirmata
• Working on large-scale distributed systems (C++, Java, JS, Go) since 1994
CKA-1700-0169-0100
Kubernetes Security Framework (columns: Build, Operate)
Container Hosts:
  ❑ Minimal OS
  ❑ OS Hardening
  ❑ CIS Benchmarks
Clusters:
  ❑ RBAC
  ❑ Audit Policies and Logging
  ❑ Certificate Management
  ❑ Identity and Access
  ❑ Kubernetes upgrades
  ❑ CIS Benchmarks
Applications:
  ❑ Image scanning
  ❑ Image Provenance
  ❑ Secrets Management
  ❑ Namespaces
  ❑ Access Controls
  ❑ Network Policies
  ❑ Resource Quotas
  ❑ Pod Security Policy
Image Provenance
Image Provenance
• Image scanning checks images for vulnerabilities
  o Ideally done when the image is built and before it is accepted into the image registry
• Image provenance
  1. Confirms that an image being deployed is from a trusted source
  2. Confirms that the image has not been tampered with
Image Provenance - Solutions
• Kubernetes ImagePolicyWebhook
o Configured as an admission controller
o Sends an ImageReview request
o Expects an ImageReview response of accept or deny
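The accept/deny decision such a webhook backend makes, as an added Python example (not code from the slides or from Kubernetes): it reads the ImageReview request, allows only images from an assumed trusted-registry list that are pinned by digest, and returns the ImageReview response shape.

```python
"""Decision logic for a Kubernetes ImagePolicyWebhook backend.

Added example, not from the slides or any project: the API server sends an
ImageReview listing the container images of the Pod being admitted, and the
backend replies with an ImageReview whose status.allowed is true or false.
The trust rules (an allow-list of registries, and images pinned by digest)
are assumptions made for this illustration.
"""
import re

# Assumed allow-list: only this registry counts as a "trusted source".
TRUSTED_REGISTRIES = {"registry.example.internal"}

# An image pinned by digest cannot change content after review (a tag can).
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")


def registry_of(image: str) -> str:
    """Return the registry of an image reference using Docker's rule: the part
    before the first "/" is a registry only if it contains "." or ":" or is
    "localhost"; anything else ("nginx:1.25", "library/nginx") is docker.io."""
    head, sep, _ = image.partition("/")
    if not sep or (head != "localhost" and "." not in head and ":" not in head):
        return "docker.io"
    return head


def check_image(image: str, trusted=TRUSTED_REGISTRIES, require_digest=True):
    """Return None if the image is acceptable, otherwise the denial reason."""
    registry = registry_of(image)
    if registry not in trusted:
        return f"{image}: registry {registry!r} is not in the trusted list"
    if require_digest and not DIGEST_RE.search(image):
        return f"{image}: not pinned by digest, so its content could change after review"
    return None


def review(image_review: dict, trusted=TRUSTED_REGISTRIES, require_digest=True) -> dict:
    """Build the ImageReview response for an ImageReview request.

    Every container image must pass; one bad image denies the whole Pod.
    """
    spec = image_review.get("spec", {})
    reasons = []
    for container in spec.get("containers", []):
        reason = check_image(container.get("image", ""), trusted, require_digest)
        if reason:
            reasons.append(reason)
    status = {"allowed": not reasons}
    if reasons:
        status["reason"] = "; ".join(reasons)
    return {
        "apiVersion": image_review.get("apiVersion", "imagepolicy.k8s.io/v1alpha1"),
        "kind": "ImageReview",
        "status": status,
    }


# Constructed sample request, shaped like what the API server sends.
PINNED_IMAGE = "registry.example.internal/payments/api@sha256:" + "0123456789abcdef" * 4
SAMPLE_REQUEST = {
    "apiVersion": "imagepolicy.k8s.io/v1alpha1",
    "kind": "ImageReview",
    "spec": {
        "containers": [{"image": PINNED_IMAGE}, {"image": "nginx:1.25"}],
        "annotations": {},
        "namespace": "payments",
    },
}

if __name__ == "__main__":
    import json
    print(json.dumps(review(SAMPLE_REQUEST), indent=2))
```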
Image Provenance - Solutions
• Portieris
  o Also an admission controller
  o Integrates with Notary (a content trust store), part of The Update Framework (TUF)
  o Provides a way to specify image security policies at a namespace and cluster level
https://github.com/IBM/portieris
https://theupdateframework.github.io/
https://github.com/theupdateframework/notary
Image Provenance – Partial Solutions
• Kyverno
o Also an admission controller
o Kubernetes Native Policy Engine
o Policies are written as overlay rules
https://kyverno.io/
https://thenewstack.io/kyverno-kubernetes-configuration-via-policy/
Image Provenance – Partial Solutions
• OPA / Gatekeeper
o Also an admission controller
o General Purpose Policy Engine
o Policies are written in Rego
https://www.openpolicyagent.org/
https://github.com/open-policy-agent/gatekeeper
https://medium.com/capital-one-tech/policy-enabled-kubernetes-with-open-policy-agent-3b612b3f0203
Secrets Management
Secrets
• Any sensitive data that an application needs
o Passwords
o Certificates
o Keys
o …
Secrets Management Anti-Patterns
(please try not to do this)
x Hard-coded
x Packaged with code
x Inserted via build tools
x Environment Variables
What Kubernetes Provides
• API object to define secrets
• Values are base64-encoded by default (encoding, not encryption)
• Secrets are namespaced
• Secrets can be mounted as volumes
• Secrets can be used as environment variables
• Encryption at rest can be configured at the API server
apiVersion: v1
kind: Secret
metadata:
  name: mysecret
type: Opaque
data:
  username: YWRtaW4=
So, what’s missing?
Kubernetes secrets are a step forward, but have a few limitations:
• Encryption requires configuring static keys or a KMS
• Shared (static) approach
• No leases, rotation, etc.
Secrets Management with HashiCorp Vault
• Helps automate security best practices for
  o Secrets Management
  o Auditing
  o Certificate Management
  o Encryption
• Dynamic Secrets
  o Credentials (keys, passwords, certificates) are generated when a client requests them
  o Credentials are per client
  o Credentials are automatically deleted when a lease expires
An init container to fetch secrets
[Diagram: a Kubernetes Pod with an init container and an application container; the init container uses the Pod's Service Account & Role to fetch Secrets from Vault into a (secret) Volume shared with the application container]
https://github.com/nirmata/kube-vault-client
https://www.nirmata.com/2018/12/19/managing-kubernetes-secrets-with-hashicorp-vault-and-nirmata/
Namespaces
Namespaces
• Kubernetes Data Plane Virtualization
• Namespaces partition the Kubernetes object model so multiple objects with the same name can exist in the same cluster
• Namespaces are the foundation for applying other security constructs
"Kubernetes supports multiple virtual clusters backed by the same physical cluster. These virtual clusters are called namespaces."
https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/
Access Controls
Role-based access control (RBAC)
• Users are authenticated via OIDC, X.509 certificates, tokens, etc.
• The authentication result can provide user and group information.
• However, users and user groups are managed externally (e.g. in an LDAP / AD server).
• Kubernetes has a fine-grained permission model
  o Role (namespace) / ClusterRole
• Roles are mapped to users or groups via role bindings
  o RoleBinding (namespace) / ClusterRoleBinding
Service Accounts
• Service Accounts are meant for authenticating and authorizing processes
• Each namespace has a default service account
• Each Pod has a service account (default, if not specified)
• A best practice is to use a service account per app
• To prevent a service account token from being mounted in a Pod, use "automountServiceAccountToken: false". This can be enforced via a policy.
Network Policies
Network Segmentation via Network Policies
• By default, Kubernetes pods are "non-isolated"
• They accept network connections from any source and can initiate connection requests to any destination
• Network Policies define traffic rules for Kubernetes pods
  o ingress (inbound traffic)
  o egress (outbound traffic)
[Diagram: a Network Policy consists of a Pod Selector, an Ingress section made of Ingress Rules, and an Egress section made of Egress Rules]
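To see what "non-isolated by default" means in practice, an added Python example (not from the slides) that applies the NetworkPolicy selection rules to constructed sample policies and Pods and reports which Pods are isolated for ingress and egress.

```python
"""Which Pods does a set of NetworkPolicies actually isolate?

Added example, not from the slides: a Pod stays "non-isolated" until a
NetworkPolicy in its namespace selects it for a direction. Rules applied:
an empty podSelector selects every Pod in the namespace; policyTypes
defaults to Ingress, plus Egress when an egress section is present; and a
policy never reaches across namespaces. Policies and Pods are constructed.
"""

def selector_matches(selector: dict, labels: dict) -> bool:
    """Evaluate a label selector (matchLabels and matchExpressions)."""
    for key, value in selector.get("matchLabels", {}).items():
        if labels.get(key) != value:
            return False
    for expr in selector.get("matchExpressions", []):
        key, op, values = expr["key"], expr["operator"], expr.get("values", [])
        present = key in labels
        if op == "In" and not (present and labels[key] in values):
            return False
        if op == "NotIn" and present and labels[key] in values:
            return False
        if op == "Exists" and not present:
            return False
        if op == "DoesNotExist" and present:
            return False
    return True  # an empty selector matches every Pod

def policy_types(policy: dict) -> set:
    """policyTypes as the API server defaults it when the field is omitted."""
    spec = policy["spec"]
    if "policyTypes" in spec:
        return set(spec["policyTypes"])
    return {"Ingress", "Egress"} if "egress" in spec else {"Ingress"}

def isolation(pod: dict, policies: list) -> dict:
    """Return {"Ingress": bool, "Egress": bool}; True means restricted."""
    ns = pod["metadata"]["namespace"]
    labels = pod["metadata"].get("labels", {})
    result = {"Ingress": False, "Egress": False}
    for policy in policies:
        if policy["metadata"]["namespace"] != ns:
            continue
        if not selector_matches(policy["spec"].get("podSelector", {}), labels):
            continue
        for direction in policy_types(policy):
            result[direction] = True
    return result

def non_isolated(pods: list, policies: list) -> list:
    """Names of Pods no policy touches in either direction (the default state)."""
    return [p["metadata"]["name"] for p in pods
            if not any(isolation(p, policies).values())]

def _np(name, ns, spec):
    return {"apiVersion": "networking.k8s.io/v1", "kind": "NetworkPolicy",
            "metadata": {"name": name, "namespace": ns}, "spec": spec}

def _pod(name, ns, labels):
    return {"metadata": {"name": name, "namespace": ns, "labels": labels}}

POLICIES = [
    # Empty podSelector: every Pod in "payments" becomes ingress-isolated.
    _np("default-deny-ingress", "payments", {"podSelector": {}, "policyTypes": ["Ingress"]}),
    # Lets api Pods reach db; no policyTypes and no egress section -> Ingress only.
    _np("allow-api-to-db", "payments", {
        "podSelector": {"matchLabels": {"app": "db"}},
        "ingress": [{"from": [{"podSelector": {"matchLabels": {"app": "api"}}}]}]}),
    # An egress section without policyTypes implies both Ingress and Egress.
    _np("api-egress", "payments", {
        "podSelector": {"matchLabels": {"app": "api"}},
        "egress": [{"to": [{"podSelector": {"matchLabels": {"app": "db"}}}]}]}),
]
PODS = [_pod("api", "payments", {"app": "api"}),
        _pod("db", "payments", {"app": "db"}),
        _pod("web", "frontend", {"app": "web"})]
```

The "web" Pod in the frontend namespace is untouched by every policy and so keeps the default, fully open, behaviour.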
Resource Quotas
Resource Management
• Pods can have resource requests and limits
• This allows three quality of service (QoS) classes: Guaranteed, Burstable, BestEffort
• A namespace can have limits and default allocations
• Quotas and limits ensure fairness and stability
https://opensource.com/article/18/12/optimizing-kubernetes-resource-allocation-production
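The QoS class follows mechanically from requests and limits; an added Python example (not from the slides or the linked article) that classifies constructed Pod specs the way the kubelet does, with a small quantity parser so that "500m" and "0.5" compare equal.

```python
"""Compute a Pod's quality-of-service class from its requests and limits.

Added example, not from the slides: Guaranteed = every container has cpu and
memory limits and requests equal to them (an unset request defaults to the
limit); BestEffort = no container sets any cpu or memory request or limit;
everything else is Burstable. The quantity parser covers the common
suffixes only (m, k, M, G, Ki, Mi, Gi); the Pod specs are constructed.
"""
import re
from fractions import Fraction

_SUFFIX = {"": Fraction(1), "m": Fraction(1, 1000), "k": Fraction(10 ** 3),
           "M": Fraction(10 ** 6), "G": Fraction(10 ** 9),
           "Ki": Fraction(2 ** 10), "Mi": Fraction(2 ** 20), "Gi": Fraction(2 ** 30)}
_QTY = re.compile(r"^(\d+(?:\.\d+)?)(m|k|M|G|Ki|Mi|Gi)?$")


def parse_quantity(q) -> Fraction:
    """"500m" -> 1/2 cpu, "128Mi" -> 134217728 bytes, "1" -> 1 (exact)."""
    m = _QTY.match(str(q))
    if not m:
        raise ValueError(f"unsupported quantity {q!r}")
    return Fraction(m.group(1)) * _SUFFIX[m.group(2) or ""]


def qos_class(pod_spec: dict) -> str:
    """Return "Guaranteed", "Burstable" or "BestEffort" for a Pod spec."""
    # The kubelet considers init containers as well as regular containers.
    containers = pod_spec.get("initContainers", []) + pod_spec.get("containers", [])
    anything_set = False
    guaranteed = True
    for c in containers:
        res = c.get("resources", {})
        requests, limits = res.get("requests", {}), res.get("limits", {})
        for resource in ("cpu", "memory"):
            limit = limits.get(resource)
            request = requests.get(resource, limit)  # request defaults to the limit
            if limit is not None or request is not None:
                anything_set = True
            if limit is None or request is None or parse_quantity(limit) != parse_quantity(request):
                guaranteed = False
    if not anything_set:
        return "BestEffort"
    return "Guaranteed" if guaranteed else "Burstable"


# Constructed sample specs: same values written in different units still match.
GUARANTEED = {"containers": [{"name": "api", "resources": {
    "requests": {"cpu": "500m", "memory": "128Mi"},
    "limits": {"cpu": "0.5", "memory": "134217728"}}}]}
LIMITS_ONLY = {"containers": [{"name": "api", "resources": {
    "limits": {"cpu": "1", "memory": "256Mi"}}}]}        # requests default to limits
BURSTABLE = {"containers": [{"name": "api", "resources": {"requests": {"cpu": "100m"}}},
                            {"name": "sidecar"}]}        # one container sets nothing
BEST_EFFORT = {"containers": [{"name": "api"}]}
```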
Pod Security Policies
Pod Security Policies
• Controls runtime security settings for pods
• Enabled at the API Controller
• Requires a role binding between the pod Service Account and the PSP
Use a policy engine to audit and enforce
• Pod Security Policies are tricky to manage
  o Require a role binding to the SA
  o Applied in alphabetical order
• Kyverno supports enforcement of the important PSP checks
https://github.com/nirmata/kyverno/tree/master/examples/best_practices
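An added Python example (not from the slides or from Kyverno) of the pod-level checks a policy engine runs at admission, covering the automountServiceAccountToken setting from the Service Accounts slide together with a selection of PSP-controlled settings; which checks count as the important ones is an assumption made here.

```python
"""Audit Pod specs for the runtime-security settings Pod Security Policies
control, plus the service-account token mount from the Service Accounts slide.

Added example, not from the slides or from Kyverno: a small validator of the
kind a policy engine runs at admission. The chosen checks are an assumption;
each maps to a PSP field (privileged, hostNetwork, hostPID, hostIPC,
allowPrivilegeEscalation, runAsNonRoot, hostPath volumes) or to the pod-level
automountServiceAccountToken field. The sample Pods are constructed.
"""


def all_containers(spec: dict) -> list:
    return spec.get("initContainers", []) + spec.get("containers", [])


def audit_pod(pod: dict) -> list:
    """Return a list of findings; an empty list means the Pod passes."""
    findings = []
    spec = pod["spec"]
    name = pod["metadata"]["name"]
    pod_ctx = spec.get("securityContext", {})

    # Pod-level field only; the ServiceAccount object can also set it, which
    # this audit does not look at.
    if spec.get("automountServiceAccountToken", True):
        findings.append(f"{name}: automountServiceAccountToken is not false")

    for field in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(field):
            findings.append(f"{name}: {field} is true")

    for vol in spec.get("volumes", []):
        if "hostPath" in vol:
            path = vol["hostPath"].get("path")
            findings.append(f"{name}: volume {vol['name']!r} mounts hostPath {path}")

    for c in all_containers(spec):
        ctx = c.get("securityContext", {})
        cname = f"{name}/{c['name']}"
        if ctx.get("privileged"):
            findings.append(f"{cname}: privileged")
        # Kubernetes defaults allowPrivilegeEscalation to true, so require an explicit false.
        if ctx.get("allowPrivilegeEscalation", True):
            findings.append(f"{cname}: allowPrivilegeEscalation is not false")
        # runAsNonRoot can be set at Pod or container level; the container setting wins.
        if not ctx.get("runAsNonRoot", pod_ctx.get("runAsNonRoot", False)):
            findings.append(f"{cname}: runAsNonRoot is not true")
    return findings


# Constructed samples: a node-debugging style Pod and a locked-down one.
BAD_POD = {
    "metadata": {"name": "debug-shell", "namespace": "payments"},
    "spec": {
        "hostPID": True,
        "volumes": [{"name": "root", "hostPath": {"path": "/"}}],
        "containers": [{"name": "shell", "image": "busybox",
                        "securityContext": {"privileged": True}}],
    },
}
GOOD_POD = {
    "metadata": {"name": "api", "namespace": "payments"},
    "spec": {
        "automountServiceAccountToken": False,
        "securityContext": {"runAsNonRoot": True},
        "containers": [{"name": "api", "image": "registry.example.internal/api:1.0",
                        "securityContext": {"allowPrivilegeEscalation": False}}],
    },
}

if __name__ == "__main__":
    for pod in (BAD_POD, GOOD_POD):
        print(pod["metadata"]["name"], audit_pod(pod) or "OK")
```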
Summary
Summary
1. Kubernetes provides several constructs for workload security
2. Use a Policy Engine like Kyverno to simplify management of configurations
3. Use a management plane like Nirmata to configure Kubernetes correctly
https://kyverno.io/
https://nirmata.com/
Nirmata – The Kubernetes Management Plane
[Diagram: The Nirmata Platform sits between "Any App" and "Any Infrastructure" (K8s in the Data Center, Clouds, and Edge), is offered as Nirmata Cloud or Private Edition, and covers Service Mgmt, Visibility, Governance, Compliance and Optimization (Change Mgmt., Audit Logs, Health, Capacity, Isolation, Policies, Tuning, Discovery) for Kubernetes Components, Services, and Workloads]
Thank-You!
https://try.nirmata.io
