Security Rationale for Istio
Rowan Baker
@controlplaneio
Talk Structure
● Secure Kubernetes multi-tenancy and Istio
● Istio security
○ Secure installation and configuration
○ Threats and issues
Securing Multi-tenanted Kubernetes Clusters
● Secure administration
○ Cloud IaaS & PaaS services
○ Kubernetes Platform
● CI/CD pipeline security
● Runtime security
○ This is where Istio fits in
A slice of the Kubernetes runtime threat model
What can go wrong?
Compromised microservice attempts to:
● Eavesdrop
● Impersonate
● Escalate privilege
● Pivot & access other services
● Initiate an outbound connection
[Diagram: two sets of API, db and webadmin services, one of them marked as the compromised service]
A slice of the Kubernetes runtime threat model
What are we going to do about that?
● Authn & Authz
● Encryption in transit
● L3/4 Firewalling (Kubernetes v1.7+ Network Policy)
[Diagram, built up over four slides: the API, db and webadmin services with the mitigated threat, then the L3/4 boundary added by Kubernetes Network Policy]
Satisfying requirements at scale
Security requirements for every application team:
● Authentication
● Authorisation
● Encryption
Against a backdrop of:
● Different developer teams working with different languages
● Security vs Speed dichotomy
● Migration of legacy applications
Satisfying requirements at scale
● Option 1: In-house or 3rd party libraries
○ In all the languages your company uses
○ And maintain them for all your services and teams
● Option 2: Sidecars
○ Repeatable
○ Abstracted from Devs
○ Could end up maintaining a large number of sidecars over time
Istio
Security controls provided by Istio
● Mutual TLS - Encryption & Authentication
● L7 Authorisation
● Rate limiting
● Whitelisting/Denials
● Egress control
Compromised services have a blast radius defined by Istio policy
[Diagram: the API, db and webadmin services, with the compromised service's reach bounded by Istio policy]
Threats not mitigated by Istio
Amongst others:
● Injection Attacks
● Container breakout
[Diagram: the API, db and webadmin services on a worker node; a container breakout leaves the mesh's controls entirely]
Istio Threats & Issues
Threat: Insecure Control Plane Configuration
● Secure the control plane:
○ Enable control plane mutual TLS
○ Protect Citadel
○ Don’t write authorization policies for Istio control plane components
Threat: User Misconfiguration
YAML, lots of YAML:
● Ingress Gateway (Gateways, Virtual Services)
● Authentication (Mesh Policy, Destination Rules)
● Authorisation (ServiceRole, ServiceRoleBinding)
● Rate Limits (QuotaSpec, QuotaSpecBinding etc)
● Denials (Denier)
● Egress (Gateway, Service Entry, Virtual Service)
Threat: User Misconfiguration
● Avoid manual configuration
● Regularly apply config defined in git
○ Regular CI server job
○ GitOps
Threat: Compromised workload attacks Istio sidecar
● Access to in-mesh services subject to Istio RBAC & Auth
● Attack other services
● Circumvent Istio egress control
● Can mitigate with a Kubernetes Network Policy
● Defence in depth: use dedicated Egress Gateway, K8S Network Policy & IaaS FW rules
[Diagram, built up over three slides: API, db, admin and web service pods on a worker node, each bounded by a K8s Network Policy; outbound traffic leaves only through a dedicated Egress Gateway on a separate worker node, covered by K8s Network Policy + IaaS FW rules]
Threat: Init Containers Run Off-mesh
● Init container for application runs before the Istio init container
○ Unconstrained by Istio security
○ Use K8s network policy
[Diagram: pod timeline; while the pod is initialising, App Init runs, then Istio init; once the pod is ready, App Init has completed and the Application runs behind the sidecar]
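As an added example (not from the slides), a Kubernetes NetworkPolicy of the kind the "Compromised workload attacks Istio sidecar" and "Init Containers Run Off-mesh" slides recommend: it bounds every pod in a namespace at L3/4 whether or not the sidecar is in the traffic path, so it also covers an application init container that starts before istio-init and a workload that has subverted its proxy. Assumed: the CNI plugin enforces egress policy, an egress gateway runs in istio-system, and the kube-system and istio-system namespaces carry a constructed `name` label.

```yaml
# Added example, not part of the original deck. Namespace-wide egress policy
# for the (constructed) application namespace "team-a". NetworkPolicy is
# enforced by the CNI for the whole pod, so it applies during pod
# initialisation (before istio-init has set up redirection) and it still
# holds if a compromised container bypasses or attacks the istio-proxy sidecar.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: restrict-egress
  namespace: team-a
spec:
  podSelector: {}          # every pod in the namespace, sidecar or not
  policyTypes:
  - Egress
  egress:
  # 1. Cluster DNS only (label k8s-app=kube-dns is the usual CoreDNS/kube-dns
  #    label; the namespace label name=kube-system is an assumption).
  - to:
    - namespaceSelector:
        matchLabels:
          name: kube-system
      podSelector:
        matchLabels:
          k8s-app: kube-dns
    ports:
    - protocol: UDP
      port: 53
    - protocol: TCP
      port: 53
  # 2. The Istio control plane (pilot, citadel, mixer) and the dedicated
  #    egress gateway, all of which live in istio-system (assumed label).
  - to:
    - namespaceSelector:
        matchLabels:
          name: istio-system
  # 3. Other pods in this namespace. Which HTTP verbs and paths they may call
  #    is left to Istio L7 RBAC; this rule only draws the L3/4 boundary.
  - to:
    - podSelector: {}
```

Nothing outside the cluster appears in the allow list, so an outbound connection from a compromised pod can only leave through the egress gateway in istio-system, which is where the IaaS firewall rules from the defence-in-depth slide take over.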
Issue: PodSecurityPolicy blocks Istio init & sidecar
● I want my Pods to comply to a restrictive Pod Security Policy
○ Non-privileged
○ Drop linux capabilities
[Diagram: a Deployment passes through the Kubernetes API (Authentication & Authorisation), then the Admission Controllers (Mutating, then Validating); the Pod Security Policy is checked at admission, after the istio-sidecar-injector mutating webhook has added its containers]

Deployment as written by the application team:
    apiVersion: apps/v1
    kind: Deployment
    ...
        securityContext:
          privileged: false
          allowPrivilegeEscalation: false
          capabilities:
            drop:
            - ALL

Pod Security Policy:
    ...
    kind: PodSecurityPolicy
    ...
    spec:
      privileged: false
      allowPrivilegeEscalation: false
      requiredDropCapabilities:
      - ALL

istio-sidecar-injector template (what the mutating webhook adds to the pod):
    template: |-
      initContainers:
      ...
        securityContext:
          capabilities:
            add:
            - NET_ADMIN
          privileged: true
      containers:
      - name: istio-proxy
        ...
        securityContext:
          readOnlyRootFilesystem: true
          capabilities:
            add:
            - NET_ADMIN
Issue: PodSecurityPolicy blocks Istio init & sidecar
● Must relax Pod Security Policy to run Istio
● Might be fixed by:
○ CNI Plugin
○ Sub-pod isolation proposals
Threat: Misconfigured app container could run as privileged or use NET_ADMIN to exit the mesh
● Due to relaxed PodSecurityPolicy
● Workarounds (weak!)
○ Templating YAML
○ Reviews & process (e.g. Kubesec.io review)
○ IDS
● Istio CNI Plugin intended to mitigate this long term
Issue: Some security features are in Alpha
Pending Improvements
● TLS health-checking: coming in v1.1
● CNI Plugin: optional in v1.1
● Hardening, robustification, v2 workload attestation, pluggable CA adapters: all on the way
In Conclusion
● Istio is exciting
● Security functionality at scale for microservices
○ Authentication & Authorisation
○ Encryption in transit
● Still maturing
○ Some improvements required
○ Some features still in alpha
Thank you!
Rowan Baker
@controlplaneio
Appendix
Security controls provided by Istio
● Compromised services only have the blast radius of their Istio policy
○ RBAC L7 policy is granular: HTTP verb and path
○ Tight configuration increases cluster compromise resilience
[Diagram: the API, db and webadmin services, with the compromised service's reach bounded by Istio policy]
Security controls provided by Istio
● Mutual TLS - Encryption & Authentication
● L7 Authorisation
● Rate limiting
● Whitelisting/Blacklisting
● Egress control
+
● Kubernetes Network Policy
[Diagram: the API, db and webadmin services, bounded by Istio policy and by Kubernetes Network Policy]
Bugs and Issues
● Improper namespace labelling
○
A slice of the Kubernetes runtime threat model
What are we going to do about that?
● Authn & Authz
● Encryption in transit
● L3/4 Firewalling (Kubernetes v1.7+ Network Policy)
[Diagram: the API, db and webadmin services with the L3/4 boundary added by Kubernetes Network Policy]
Threat Modelling Runtime Security
Threat Modelling
1. What are we building?
2. What can go wrong?
3. What are we going to do about that?
4. Did we do a good enough job?
[Diagram: the API, db and webadmin services used as the system under consideration]
Threat: PodSecurityPolicy blocks Istio init & sidecar
● I want my Pods to comply to a restrictive Pod Security Policy
○ Non-privileged
○ Drop linux capabilities
● Istio init & sidecar runs as root and requires NET_ADMIN
● Threat: Misconfigured app container could run as root or use NET_ADMIN to exit the mesh
● Workaround - by templating YAML, using Kubesec or IDS
● Istio CNI Plugin intended to mitigate this long term
Threat: Compromised workload attacks Istio sidecar
● Compromised services could attack Istio sidecar proxy to exit the mesh
○ access to in-mesh services subject to Istio RBAC & Auth
○ circumvent egress control
○ Mitigate using a combination of egress gateway, K8s network policy and infrastructure firewall rules
Limiting Compromised Workloads
● Compromised services only have the blast radius of their Istio RBAC policy
○ RBAC L7 policy is granular: HTTP verb and path
○ Tight configuration increases cluster compromise resilience
Reassess the Threat Model
Risk: Accidental deployments outside of the mesh
● Improper namespace labelling
○ failure to trigger automatic sidecar injection
A slice of the Kubernetes runtime threat model
[Diagram, two panels: Worker node 1 and Worker node 2 each run App1 Service A, App1 Service B, App2 Service A and App2 Service B; the second panel adds an L3/L4 Network Policy (Kubernetes v1.7) boundary separating App1's services from App2's]
Control Plane: Security Rationale for Istio (DevSecOps - London Gathering, January 2019)
