Slides from my talk at MS Ignite Tour in Paris

3. $whoami

4. What to Expect?

5. Why Shifting to the Left?

6. “DevOps is those set of cultural
norms and technology practices that
enable the fast flow of planned work
from, among others, development,
through tests into operations while
preserving world-class reliability,
operation and security. DevOps is
not about what you do, but what
your outcomes are.” (Gene Kim)

7. Products

8. The Three Ways of DevOps

9. So … DevSecOps? Guardrails!
Leaning in over Always Saying “No”
Data & Security Science
Open Contribution & Collaboration
Consumable Security Services with APIs over Mandated Security Controls & Paperwork
Business Driven Security Scores over Rubber Stamp Security
Red & Blue Team Exploit Testing
24x7 Proactive Security Monitoring over Reacting after being Informed of an Incident
Shared Threat Intelligence over Keeping Info to Ourselves
Compliance Operations over Clipboards & Checklists

10. Security is not an afterthought!

11. Approach: Red, Green, Refactor
Red: reproduce vulnerability
Green: fix vulnerability
Refactor: improve

13. Kubernetes Security

14. Kubernetes is Great!
Self-healing

16. “Kubernetes is insecure by design”

17. Kubernetes Security Practices
https://blog.sqreen.com/kubernetes-security-best-practices/

19. Practices for Containers

20. Mission: Limiting the Attack Surface

21. Public Image Repositories?

22. Yes, But … Only From Official Repositories

23. And … Build Your Own Images
mcr.microsoft.com
With Your Private Registry

24. Use Multi-Stage Builds
Your application doesn’t need most of the compiling tooling … SSH?

25. Non-Root Users
RUN adduser -D myuser
USER myuser

26. Sign Your Container Images
Content Trust
Only release candidates
export DOCKER_CONTENT_TRUST=1
docker build --disable-content-trust=false -t myacr.azurecr.io/myimage:v1 .

27. Run Scanners
https://github.com/quay/clair
Azure Security Centerhttps://github.com/docker/docker-bench-security
And many more: https://techbeacon.com/security/10-top-open-source-tools-docker-security
https://github.com/cilium/cilium

28. Practices for Kubernetes

29. Mission: Limiting the Attack Surface

30. Working with Namespaces

31. Secure Pod Access

32. Secrets
Kubernetes default:
Hashicorp
https://www.hashicorp.com/resources/ephemeral-database-
credentials-with-vault-and-terraform-at-bench-accounting

33. Managed Pod Identities

34. Managing Secrets with Azure Vault + FlexVol
https://thorsten-hans.com/azure-key-vault-flexvolume-for-kubernetes

35. Demo: Working with Secrets
Thorsten Hans post J

36. Security in Distributed Systems

37. Security in Distributed Systems

38. Service Mesh
A Sidecar Proxy within Pods

39. Service Mesh Traffic Overview

40. Service Mesh Options

41. Istio
Network of Services
Few / No Code Changes
Traffic Management
Encryption In-Transit
Metrics, Logs, Traces
Secure service-to-service

42. Istio Archirecture

43. Istio Security Overview

44. Istio Installation on AKS
istioctl
Helm
Istio Helm

45. Networking Policies
Services
Pods
Why? Tell Me More!
DenyAll traffic within the mesh
Block access to Instance Metadata service
https://ahmet.im/blog/kubernetes-network-policy/

46. Circuit Breaker

47. Circuit Breaker
maxConnections: 100

48. Demo: Security using Istio

49. What’s Next for Security
in Kubernetes?

50. You Can Only Go Deeper!

51. Homework
https://kubernetespodcast.com/episode/065-attacking-and-defending-kubernetes/

52. Takeaways!
Be mindful about Docker / Kubernetes defaults
least-privileged principle
Networking plays a big role in security

53. Thanks!!
https://github.com/christianhxc/security-kubernetes