Kubernetes (K8s) is an open-source system for automating deployment, scaling, and management of containerized applications. K8s groups containers that make up an application into logical units for easy management and discovery. It was originally designed by Google and is now maintained by the Cloud Native Computing Foundation. As organizations accelerate their adoption of containers and container orchestrators, they will need to take necessary steps to protect such a critical part of their compute infrastructure. How this topic is relevant 1 out of 5 organization going for container installation Container security attack vectors are rising Recently major vulnerability discovered in containers and got good media attention Duration (Mentioned on sacon.io, if not as per program committee call).

1. SACON
SACON International 2020
India | Bangalore | February 21 - 22 | Taj Yeshwantpur
Attack Vectors of Kubernetes
infra
Are we on right path of securing
it? Anand Tapikar
GE Healthcare
Product Security Leader
@AnandTapikar

2. SACON 2020
All Information mentioned in the presentation is based on my
personal research, understanding and experience. No Inference
can be drawn with my organization IT systems and policies.
Allmentioned views, recommendations and statements are
made from my personal capacity.

3. SACON 2020
Kubernetes : A Brief Background
The Need
• Rise in containerization of Micro
services
• Need Management system to Manage
the containers
• Automation
• Deploying and updating software at
scale
What is kubernetes?
Kubernetes is a portable, extensible, open-
source platform for managing containerized
applications and services that facilitates
both declarative configuration and
automation. Kubernetes provides a platform
to configure, automate, and manage
• Intelligent and balanced scheduling of
containers
• Creation, deletion, and movement of
containers
• Easy scaling of containers
• Monitoring and self-healing abilities

4. SACON 2020
Kubernetes Adoption
http://blog.shippable.com/why-the-adoption-of-kubernetes-will-explode-in-2018
• Strong Organization behind
development of software
•Cloud Native technology
•Ecosystem developed
• All major cloud vendor supports
k8s

5. SACON 2020
Lets understand containers from security perspective
• Self Contained
• Small Foot print than VM
• Faster provisioning
• Effective solution for micro-
services
• Kernel shared
• Less Isolation
• Management issues
• Low visibility on processes
running containers processes
• OS vulnerability, mis-
configuration
• Accountability

6. SACON 2020
Managing the containers
• Managing containers for production is challenging.
• Monitoring running containers
• Moving containers so utilization improves
• Auto-scaling container instances to handle load
• Making the container services easily accessible
• Connecting containers to a variety of external data sources

7. SACON 2020
Kubernetes in container management
The Kubernetes architecture enables:
• A single administrator to manage thousands of containers
running simultaneously
• Workload portability and orchestration of containers across on-
site deployments to public or private clouds

8. SACON 2020
Kubernetes Architecture
• Kubernetes Master: manage the scheduling
and deployment
• Ectd: Store the state and configuration data
for the entire cluster
• API server: Help communicate with rest of
the cluster
• Kube-Controller-manager: registering the
node and monitoing its health
• Kube-Sheduler: Keeps track of capacity and
resources of nodes and assigns work to nodes
based on their availibility
• Node : Application runs within node
• Kubelet: each Kubernetes node runs an
agent process that is responsible for
managing the state of the node
• Pod: the basic scheduling unit, which
consists of one or more containers.

9. SACON 2020
Evolution of application Infrastructure
• Service focused
• Ease of use deployment
• Power of containers with kubernetes
orchestration

10. SACON 2020
Kubernetes Deployment Pattern

11. SACON 2020
Kubernetes Network Diagram
• By default containers in Pod can
see each other as they share a
network interface and namespace,
but not exposed outside
• Exposure outside is established
using Load balancer
• Communication within the cluster
can be implemented
• TLS termination generally done at
API gateway
• Communication between two
micro services containers are
controlled through service mesh

12. SACON 2020
Kubernetes Deployment Pattern

13. SACON 2020
Kubernetes Deployment : CI/CD pipeline

14. SACON 2020
Security Epics
• Safe Images from trusted sources
• Network segmentation
• Safeguard sensitive data
• accountability and audit data of container
usage
• Data for demonstrating compliance

15. SACON 2020
DevSecOps

16. SACON 2020
Security Threats with K8s
Complexity and visibility challenges
Network security issues
Container security issues
Configuration security issues
Host security issues
Data security issues
Vulnerability management
challenges
Operational security issues
Multi tenant and credential
management
•Explosion of East-West Traffic. Containers can be
dynamically deployed across hosts or even clouds,
dramatically increasing the east-west, or internal, traffic
that must be monitored for attacks.
•Increased Attack Surface. Each container may have a
different attack surface and vulnerabilities which can be
exploited. In addition, the additional attack surface
introduced by container orchestration tools such as
Kubernetes and Docker must be considered.
•Privilege escalations to root.
•Stealing of secrets used for secure application or
infrastructure access.
•Changing of cluster admin privileges.
•Host resource damage or hijacking (e.g. crypto mining
software)

17. SACON 2020
Security Architecture
Node Node
POD POD PODPOD
Load Balancer Master
API Gateway
Web UI
CI/CD
Build
Pipeline
and
registry
Container
Notary
Vulnerability
Management
Resource
Monitoring
Identity
Management
Security
Monitoring
Threat
Intelligence
APP Device
• Container signing
• Vulnerability
scanning
• Benchmarks
• Network
segmentation
•Host security
•SElinux
• Namespaces
•Logs
• User authentication
and authorization
• Web security
protection
• Pre registered user/
app/device
• DOS, DDOS
protection
• API security

18. SACON 2020
Handling K8s Security : Best Practices
• Used signed containers
• Use namespaces per app with Wallets to store secrets
• Restrict Linux capabilities with SElinux
• Utilize eco systems
• Update systems, patches
• Run Benchmarks

19. SACON 2020
Common Security Tools
• Istio : Istio creates a service mesh and provide default Mutual TLS between
Micro services
• Grafeas : Grafeas provides a uniform way for auditing and governance
• Clair: Vulnerability scanning
• Harbour: secure Image distribution

20. SACON 2020
Thank you

21. SACON 2020
1. A container integration bridge is created initially on the container host system. This bridge lives in the
host network namespace and is shared across all containers and PODs on the given host for providing
network connectivity.
2. When a POD is created, the container runtime creates a network namespace for the POD. All the
containers of the POD will live in this namespace and each POD will have its own namespace.
3. The container network plugin creates a logical ‘cable’ between the POD namespace and the container
integration bridge.
4. Traffic between PODs on the same host traverses the local container integration bridge and does not
leave the host.
5. Traffic destined for PODs on other hosts are forwarded to the container overlay network. The
container network logically spans all hosts in the cluster, i.e. it provides a common layer 3 network for
connecting all PODs in the cluster.
6.The container overlay network encapsulates POD traffic and forwards it to the host network. The host
network ensures the traffic ends up on the host containing the target POD and the reverse of the steps
above are applied.
7. Whether the cluster hosts are VMs or bare-metal systems there will inevitably be an infrastructure
below these hosts. It is not always possible to gain access to this infrastructure. However, this
infrastructure can be a considerable source of network issues so it is important to remember that it exists.
8. Traffic between PODs on different hosts always traverse the container overlay network, the host
network, and the infrastructure network