
Kubernetes security


Kubernetes security, including attack vectors, RBAC, kube-bench and the CNCF security landscape.

Published in: Engineering

  1. Introduction to Kubernetes Security. Saiyam Pathak. Twitter: @saiyampathak. Blog: https://medium.com/@saiyampathak. 21st September 2019
  2. Agenda
     • Kubernetes Attack Surface
     • TLS Certificates
     • Secure Kubelet
     • Secure etcd
     • 3 A's of Kubernetes
     • Secrets
     • Kube-Bench
     • CNCF Tooling Landscape
     • Pod Security Policies
     • Network Policies
  3. Security Threats
  4. Kubernetes Challenges
  5. Kubernetes attack surface
  6. Kubernetes Cluster TLS
     • TLS checklist:
       1. Nodes and master
       2. User and master
       3. Everything etcd
       4. Kubelet to API server
     (Image by Karthik Gaekwad)
  7. Secure Kubelet
     • --allow-privileged: Set to false
     • --anonymous-auth: Set to false
     • --authorization-mode: Avoid the AlwaysAllow setting
     • --client-ca-file: Should be set to valid certificates
     • --read-only-port: Set to 0, and readOnlyPort specified in the kubelet config
     • --tls-cert-file: Set as appropriate
  8. Secure etcd: CIS Benchmark recommendations on etcd
     • --etcd-certfile and --etcd-keyfile: Should be set
     • --enable-admission-plugins: Set to include a value for ServiceAccount
     • --tls-cert-file and --tls-private-key-file: Should be set
     • --auto-tls: Should be set to false
     • --etcd-ca-file: Should be set to valid certificate
     • --etcd-cafile on the API server should be set to the CA that signed etcd
     • ps -aef | grep etcd
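Slides 7 and 8 give a flag checklist and the `ps -aef | grep etcd` command for finding the running process; the following script turns the checklist into a repeatable audit that reads a process command line and prints PASS/FAIL per flag. It is an added example, not code from the talk or from kube-bench, and the command lines at the bottom are constructed with placeholder paths rather than captured from a real node. The etcd checks for `--cert-file`/`--key-file` go slightly beyond the slide, which only names `--auto-tls`.

```shell
#!/bin/sh
# Audit the command lines of kubelet, kube-apiserver and etcd against the
# flag settings listed on slides 7 and 8. Feed a function the process command
# line as printed by `ps -aef`; it prints one PASS/FAIL line per check and
# returns non-zero when any check fails. The command lines at the bottom are
# constructed for this demo, not captured from a real cluster.

# flag_value CMDLINE FLAG: print the value given as --flag=value or --flag value
flag_value() {
  printf '%s\n' "$1" | tr ' ' '\n' | awk -v f="$2" '
    $0 == f               { if (getline > 0) print; exit }
    index($0, f "=") == 1 { print substr($0, length(f) + 2); exit }'
}

# expect_eq CMDLINE FLAG WANT: PASS only when the flag is explicitly set to WANT
expect_eq() {
  v=$(flag_value "$1" "$2")
  if [ "$v" = "$3" ]; then printf 'PASS %s=%s\n' "$2" "$v"
  else printf 'FAIL %s should be %s (got %s)\n' "$2" "$3" "${v:-unset}"; return 1; fi
}

# expect_set CMDLINE FLAG: PASS when the flag is present with a non-empty value
expect_set() {
  v=$(flag_value "$1" "$2")
  if [ -n "$v" ]; then printf 'PASS %s=%s\n' "$2" "$v"
  else printf 'FAIL %s should be set\n' "$2"; return 1; fi
}

# expect_not CMDLINE FLAG BAD: PASS when the flag is set to anything but BAD
# (an unset flag fails too, because BAD is the default for e.g. --authorization-mode)
expect_not() {
  v=$(flag_value "$1" "$2")
  if [ -n "$v" ] && [ "$v" != "$3" ]; then printf 'PASS %s=%s\n' "$2" "$v"
  else printf 'FAIL %s must not be %s (got %s)\n' "$2" "$3" "${v:-unset}"; return 1; fi
}

# expect_contains CMDLINE FLAG ITEM: PASS when the comma-separated value lists ITEM
expect_contains() {
  v=$(flag_value "$1" "$2")
  case ",$v," in
    *",$3,"*) printf 'PASS %s lists %s\n' "$2" "$3" ;;
    *) printf 'FAIL %s should include %s (got %s)\n' "$2" "$3" "${v:-unset}"; return 1 ;;
  esac
}

# audit_kubelet CMDLINE: the kubelet checklist from slide 7
audit_kubelet() {
  f=0
  expect_eq  "$1" --allow-privileged false         || f=1
  expect_eq  "$1" --anonymous-auth false           || f=1
  expect_not "$1" --authorization-mode AlwaysAllow || f=1
  expect_set "$1" --client-ca-file                 || f=1
  expect_eq  "$1" --read-only-port 0               || f=1
  expect_set "$1" --tls-cert-file                  || f=1
  return $f
}

# audit_apiserver CMDLINE: the API-server side of the etcd checklist from slide 8
audit_apiserver() {
  f=0
  expect_set      "$1" --etcd-certfile                           || f=1
  expect_set      "$1" --etcd-keyfile                            || f=1
  expect_set      "$1" --etcd-cafile                             || f=1
  expect_contains "$1" --enable-admission-plugins ServiceAccount || f=1
  expect_set      "$1" --tls-cert-file                           || f=1
  expect_set      "$1" --tls-private-key-file                    || f=1
  return $f
}

# audit_etcd CMDLINE: etcd must use explicit certificates, never self-generated ones
audit_etcd() {
  f=0
  expect_eq  "$1" --auto-tls false || f=1
  expect_set "$1" --cert-file      || f=1
  expect_set "$1" --key-file       || f=1
  return $f
}

# Constructed sample command lines (placeholder paths, not from a real node)
KUBELET_WEAK='/usr/bin/kubelet --anonymous-auth=true --read-only-port=10255 --allow-privileged=true'
KUBELET_HARDENED='/usr/bin/kubelet --allow-privileged=false --anonymous-auth=false --authorization-mode=Webhook --client-ca-file=/etc/kubernetes/pki/ca.crt --read-only-port=0 --tls-cert-file=/var/lib/kubelet/pki/kubelet.crt --tls-private-key-file=/var/lib/kubelet/pki/kubelet.key'
APISERVER_HARDENED='kube-apiserver --etcd-certfile=/etc/kubernetes/pki/apiserver-etcd-client.crt --etcd-keyfile=/etc/kubernetes/pki/apiserver-etcd-client.key --etcd-cafile=/etc/kubernetes/pki/etcd/ca.crt --enable-admission-plugins=NodeRestriction,ServiceAccount --tls-cert-file=/etc/kubernetes/pki/apiserver.crt --tls-private-key-file=/etc/kubernetes/pki/apiserver.key'
ETCD_WEAK='etcd --auto-tls=true --listen-client-urls=https://127.0.0.1:2379'

# Demo run. On a real node use e.g.: audit_kubelet "$(ps -aef | grep '[k]ubelet')"
for c in "$KUBELET_WEAK" "$KUBELET_HARDENED"; do
  echo "== $c"
  audit_kubelet "$c" && echo "-- all kubelet checks passed" || echo "-- findings need fixing"
done
```

The checks deliberately treat an unset flag as a failure even where the default happens to be safe, so that the hardened value is written down explicitly and survives a later change of defaults. Flags that kubeadm or a managed distribution moves into the kubelet config file (readOnlyPort, as the slide notes) will not appear on the command line, so a FAIL there is a prompt to inspect the config file rather than a confirmed weakness.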
  10. Authentication
     • Do you know how you are authenticating with Kubernetes?
     • Many ways to authenticate:
       • Client certs
       • Static token file
       • ServiceAccount tokens
       • OpenID
       • Webhook mode
       • And more (https://kubernetes.io/docs/reference/access-authn-authz/authentication/)
  11. Authentication
  12. Authorization (https://kubernetes.io/docs/reference/access-authn-authz/authorization/)
  13. Tooling: rbac-manager, audit2rbac
  14. Admission
     • Do you know how many admission controllers there are in Kubernetes?
     • A few of the admission controllers:
       • AlwaysPullImages
       • PodSecurityPolicy
       • ResourceQuota
       • NodeRestriction
  15. Kube-Bench
  16. CNCF Tooling Landscape
  17. Pod Security Policy, Network Policy & Secrets
     A Pod Security Policy is a cluster-level resource that controls security-sensitive aspects of the pod specification. PodSecurityPolicy objects define a set of conditions that a pod must run with in order to be accepted into the system, as well as defaults for the related fields.
     A network policy is a specification of how groups of pods are allowed to communicate with each other and with other network endpoints. NetworkPolicy resources use labels to select pods and define rules which specify what traffic is allowed to the selected pods.
     Kubernetes Secret objects let you store and manage sensitive information, such as passwords, OAuth tokens, and SSH keys. Putting this information in a Secret is safer and more flexible than putting it verbatim in a Pod definition or in a container image.
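Slide 17 defines the three object kinds in prose only. The script below, added here and not taken from the talk, emits a concrete instance of each: a default-deny NetworkPolicy plus the allow rule that makes it usable, a restrictive PodSecurityPolicy, and an Opaque Secret together with the decode step that shows why base64 gives no confidentiality on its own. The namespace `demo`, the labels `app=db`/`app=api`, the port and the secret value are placeholders invented for the example.

```shell
#!/bin/sh
# Emit the three object kinds discussed on slide 17 (NetworkPolicy,
# PodSecurityPolicy, Secret) as YAML on stdout, so each function can be piped
# into `kubectl apply -f -` (use `kubectl apply --dry-run=client -f -` to
# validate first). Names, namespaces and values are placeholders for this demo.

# default_deny_policy NAMESPACE: an empty podSelector matches every pod in the
# namespace, and listing both policyTypes with no rules allows nothing; later
# policies are additive, so each workload gets its own explicit allow rule
default_deny_policy() {
  cat <<EOF
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: $1
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  - Egress
EOF
}

# allow_ingress NAMESPACE TARGET SOURCE PORT: allow TCP/PORT into pods labelled
# app=TARGET only from pods labelled app=SOURCE in the same namespace
allow_ingress() {
  cat <<EOF
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-$3-to-$2
  namespace: $1
spec:
  podSelector:
    matchLabels:
      app: $2
  policyTypes:
  - Ingress
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: $3
    ports:
    - protocol: TCP
      port: $4
EOF
}

# restricted_psp: forbid privileged containers, host namespaces and root users
# (PodSecurityPolicy was removed in Kubernetes 1.25; the talk predates that)
restricted_psp() {
  cat <<'EOF'
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: restricted
spec:
  privileged: false
  allowPrivilegeEscalation: false
  hostNetwork: false
  hostPID: false
  hostIPC: false
  runAsUser:
    rule: MustRunAsNonRoot
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny
  volumes: [configMap, secret, emptyDir, persistentVolumeClaim]
EOF
}

# secret_manifest NAMESPACE NAME KEY VALUE: Opaque Secret with VALUE base64-encoded.
# base64 is encoding, not encryption: anyone allowed to read the object recovers
# VALUE, so restrict `get secrets` with RBAC and enable encryption at rest in etcd
secret_manifest() {
  enc=$(printf '%s' "$4" | base64 | tr -d '\n')
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $2
  namespace: $1
type: Opaque
data:
  $3: $enc
EOF
}

# secret_value MANIFEST KEY: recover KEY's plaintext from a Secret manifest,
# exactly what any reader of the object can do
secret_value() {
  printf '%s\n' "$1" | awk -v k="$2:" '$1 == k { print $2; exit }' | base64 -d
}

# Demo: print a hardened set for the constructed "demo" namespace
{ default_deny_policy demo; echo '---'; allow_ingress demo db api 5432; echo '---'
  restricted_psp; echo '---'; secret_manifest demo db-creds db-password 'S3cr3t!'; }
```

Apply the default-deny policy first and then add one allow policy per required flow; because NetworkPolicy is allow-only, the order of the two manifests does not matter but a namespace with only the deny policy will break every service in it. The `secret_value` round trip is the practical meaning of the slide's "safer": a Secret keeps credentials out of images and pod specs, but its protection comes from RBAC on the Secret object and from encryption at rest, not from the base64 encoding.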
  18. Thank You. @saiyampathak