SlideShare a Scribd company logo

Securing Kubernetes Workloads

Jim Bugwadia
Jim Bugwadia

Kubernetes is the new cloud OS, and enterprises are rapidly migrating existing applications to Kubernetes as well as creating new Kubernetes-native applications. However, Kubernetes configuration management remains complex, and due to this complexity, most implementations do not leverage Kubernetes constructs for security. In this session you will learn: - Key Kubernetes constructs to use for properly securing application workloads in any cloud - How to manage Kubernetes configurations across multiple clusters and cloud providers - How to audit and enforce enterprise-wide Kubernetes best practices

Technology
1 of 35
Download to read offline
Securing Kubernetes Workloads Best Practices for Securing Kubernetes Workload Configurations Across Clouds Jim Bugwadia Founder and CEO
Agenda • Kubernetes Security Framework • Kubernetes Constructs for Workload Security • Q & A 2
3 About me • @JimBugwadia • Founder and CEO at Nirmata • Working on large-scale distributed systems (C++, Java, JS, Go) since 1994 CKA-1700-0169-0100
4 Kubernetes Security Framework Build Operate Container Hosts: ❑ Minimal OS ❑ OS Hardening ❑ CIS Benchmarks Clusters: ❑ RBAC ❑ Audit Policies and Logging ❑ Certificate Management ❑ Identity and Access ❑ Kubernetes upgrades ❑ CIS Benchmarks Applications: ❑ Image scanning ❑ Image Provenance ❑ Secrets Management ❑ Namespaces ❑ Access Controls ❑ Network Policies ❑ Resource Quotas ❑ Pod Security Policy
5 Kubernetes Security Framework Build Operate Container Hosts: ❑ Minimal OS ❑ OS Hardening ❑ CIS Benchmarks Clusters: ❑ RBAC ❑ Audit Policies and Logging ❑ Certificate Management ❑ Identity and Access ❑ Kubernetes upgrades ❑ CIS Benchmarks Applications: ❑ Image scanning ❑ Image Provenance ❑ Secrets Management ❑ Namespaces ❑ Access Controls ❑ Network Policies ❑ Resource Quotas ❑ Pod Security Policy
Image Provenance 6
7 Image Provenance • Image scanning checks images for vulnerabilities o Ideally done when the image is built and before it is accepted into the image registry • Image provenance 1. Confirms that an image being deployed is from a trusted source 2. Confirms that image has not been not tampered with
8 Image Provenance - Solutions • Kubernetes ImagePolicyWebhook o Configured as an admission controller o Sends an ImageReview request o Expects an ImageReview response of accept or deny
9 Image Provenance - Solutions • Portieris o Also an admission controller o Integrates with Notary (a content trust store) – part of the The Update Framework (TUF) o Provides way to specify image security policies at a namespace and cluster level https://github.com/IBM/portieris https://theupdateframework.github.io/ https://github.com/theupdateframework/notary
10 Image Provenance – Partial Solutions • Kyverno o Also an admission controller o Kubernetes Native Policy Engine o Policies are written as overlay rules https://kyverno.io/ https://thenewstack.io/kyverno-kubernetes-configuration-via-policy/
11 Image Provenance – Partial Solutions • OPA / Gatekeeper o Also an admission controller o General Purpose Policy Engine o Policies are written in Rego https://www.openpolicyagent.org/ https://github.com/open-policy-agent/gatekeeper https://medium.com/capital-one-tech/policy-enabled-kubernetes-with-open-policy-agent-3b612b3f0203
Secrets Management 12
13 Secrets • Any sensitive data that an application needs o Passwords o Certificates o Keys o …
14 Secrets Management Anti-Patterns (please try not to do this) x Hard-coded x Packaged with code x Inserted via build tools x Environment Variables
15 What Kubernetes Provides • API Object to define secrets • Values are base 64 encoded (default) • Secrets are namespaced • Secrets can be mounted as volumes • Secrets can be used as environment variables • Encryption can be configured at the API Server apiVersion: v1 kind: Secret metadata: name: mysecret type: Opaque data: username: YWRtaW4=
16 So, what’s missing? Kubernetes secrets are a step forward, but have a few limitations: • Encryption requires configuring static keys or a KMS • Shared (static) approach • No leases, rotation, etc.
17 Secrets Management with Hashicorp Vault • Helps automates security best practices for o Secrets Management o Auditing o Certificate Management o Encryption • Dynamic Secrets o Credentials (keys, passwords, certificates) are generated when a client requests them o Credentials are per client o Credentials are automatically deleted if a lease expires
18 An init container to fetch secrets init container Vault Kubernetes Pod application container Service Account & Role Secrets … Volume (secret) https://github.com/nirmata/kube-vault-client https://www.nirmata.com/2018/12/19/managing-kubernetes-secrets-with-hashicorp-vault-and-nirmata/
Namespaces 19
20 Namespaces • Kubernetes Data Plane Virtualization • Namespaces partition the Kubernetes object model so multiple objects with the same name can exist in the same cluster • Namespaces are the foundation for applying other security constructs Kubernetes supports multiple virtual clusters backed by the same physical cluster. These virtual clusters are called namespaces. https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/
Access Controls 21
22 Role-based access control (RBAC) • Users are authenticated via OIDC, X.509 certificates, tokens, etc. • The authentication result can provide user and group information. • However, Users and User Groups are managed externally (e.g. in an LDAP / AD server). • Kubernetes has a fine-grained permission model • Role (namespace) / ClusterRole • Roles are mapped to users or groups via role bindings • RoleBinding (namespace) / ClusterRoleBinding
23 Service Accounts • Service Accounts are meant for authenticating and authorizing processes • Each namespace has a default service account • Each Pod has a service account (default – if not specified) • A best practice is to use a service account per app • To prevent a service account token from being mounted in a Pod use “automountServiceAccountToken: false”. This can be enforced via a policy.
Network Policies 24
25 Network Segmentation via Network Policies • By default, Kubernetes pods are “non-isolated” • They accept network connections from any source and can initiate connection requests to any destination • Network Policies define traffic rules for Kubernetes pods • ingress (inbound traffic) • egress (outbound traffic) Network Policy Pod Selector Ingress Ingress Rule Ingress Rule Ingress Rule Egress Ingress Rule Ingress Rule Egress Rule
Resource Quotas 26
27 Resource Management • Pods can have resource requests and limits • This allows three quality of service models GuaranteedBurstable • A namespace can have limits and default allocations • Quotas and limits ensure fairness and stability https://opensource.com/article/18/12/optimizing- kubernetes-resource-allocation-production
Pod Security Policies 28
29 Pod Security Policies • Controls runtime security settings for pods • Enabled at the API Controller • Requires a role binding between pod Service Account and the PSP
30 Use a policy engine to audit and enforce • Pod Security Policies are tricky to manage o Require a role binding to SA o Applied in alphabetical order • Kyverno supports enforcement of the important PSP checks https://github.com/nirmata/kyverno/tree/master/ examples/best_practices
Summary 31
32
33 Summary 1. Kubernetes provides several constructs for workload security 2. Use a Policy Engine like Kyverno to simplify management of configurations 3. Use a management plane like Nirmata to configure Kubernetes correctly https://kyverno.io/ https://nirmata.com/
34 Nirmata – The Kubernetes Management Plane Kubernetes Components, Services, and Workloads K8s Data Center K8s Clouds K8s Edge Service Mgmt VisibilityGovernance Compliance Optimization The Nirmata Platform Change Mgmt. Audit Logs Health Capacity Isolation Policies TuningDiscovery Any Infrastructure Nirmata Cloud or Private Edition Any App
Thank-You! https://try.nirmata.io

Recommended

Virtual Kubernetes Clusters on Amazon EKS
Virtual Kubernetes Clusters on Amazon EKSVirtual Kubernetes Clusters on Amazon EKS
Virtual Kubernetes Clusters on Amazon EKSJim Bugwadia
 
Kubernetes Policy As Code usando WebAssembly | Flavio Castelli
Kubernetes Policy As Code usando WebAssembly | Flavio CastelliKubernetes Policy As Code usando WebAssembly | Flavio Castelli
Kubernetes Policy As Code usando WebAssembly | Flavio CastelliKCDItaly
 
Kubernetes - Security Journey
Kubernetes - Security JourneyKubernetes - Security Journey
Kubernetes - Security JourneyJerry Jalava
 
Kubernetes Security
Kubernetes SecurityKubernetes Security
Kubernetes SecurityKarthik Gaekwad
 
Kubernetes security and you
Kubernetes security and youKubernetes security and you
Kubernetes security and youKarthik Gaekwad
 
Security threats with Kubernetes - Igor Khoroshchenko
Security threats with Kubernetes - Igor Khoroshchenko Security threats with Kubernetes - Igor Khoroshchenko
Security threats with Kubernetes - Igor KhoroshchenkoKuberton
 
ISACA SV Chapter: Securing Software Supply Chains
ISACA SV Chapter: Securing Software Supply ChainsISACA SV Chapter: Securing Software Supply Chains
ISACA SV Chapter: Securing Software Supply ChainsJim Bugwadia
 
Production ready tooling for microservices on kubernetes
Production ready tooling for microservices on kubernetesProduction ready tooling for microservices on kubernetes
Production ready tooling for microservices on kubernetesChandresh Pancholi
 

Recommended

Virtual Kubernetes Clusters on Amazon EKS
Virtual Kubernetes Clusters on Amazon EKSVirtual Kubernetes Clusters on Amazon EKS
Virtual Kubernetes Clusters on Amazon EKSJim Bugwadia
 
Kubernetes Policy As Code usando WebAssembly | Flavio Castelli
Kubernetes Policy As Code usando WebAssembly | Flavio CastelliKubernetes Policy As Code usando WebAssembly | Flavio Castelli
Kubernetes Policy As Code usando WebAssembly | Flavio CastelliKCDItaly
 
Kubernetes - Security Journey
Kubernetes - Security JourneyKubernetes - Security Journey
Kubernetes - Security JourneyJerry Jalava
 
Kubernetes Security
Kubernetes SecurityKubernetes Security
Kubernetes SecurityKarthik Gaekwad
 
Kubernetes security and you
Kubernetes security and youKubernetes security and you
Kubernetes security and youKarthik Gaekwad
 
Security threats with Kubernetes - Igor Khoroshchenko
Security threats with Kubernetes - Igor Khoroshchenko Security threats with Kubernetes - Igor Khoroshchenko
Security threats with Kubernetes - Igor KhoroshchenkoKuberton
 
ISACA SV Chapter: Securing Software Supply Chains
ISACA SV Chapter: Securing Software Supply ChainsISACA SV Chapter: Securing Software Supply Chains
ISACA SV Chapter: Securing Software Supply ChainsJim Bugwadia
 
Production ready tooling for microservices on kubernetes
Production ready tooling for microservices on kubernetesProduction ready tooling for microservices on kubernetes
Production ready tooling for microservices on kubernetesChandresh Pancholi
 
Kubernetes Security
Kubernetes SecurityKubernetes Security
Kubernetes Securityinovex GmbH
 
Data protection in a kubernetes-native world
Data protection in a kubernetes-native worldData protection in a kubernetes-native world
Data protection in a kubernetes-native worldLibbySchulze
 
PKS - Solving Complexity for Modern Data Workloads
PKS - Solving Complexity for Modern Data Workloads PKS - Solving Complexity for Modern Data Workloads
PKS - Solving Complexity for Modern Data Workloads Carlos Andrés García
 
Kubescape single pane of glass
Kubescape single pane of glassKubescape single pane of glass
Kubescape single pane of glassLibbySchulze1
 
10 tips for Cloud Native Security
10 tips for Cloud Native Security10 tips for Cloud Native Security
10 tips for Cloud Native SecurityKarthik Gaekwad
 
Orchestrating stateful applications with PKS and Portworx
Orchestrating stateful applications with PKS and PortworxOrchestrating stateful applications with PKS and Portworx
Orchestrating stateful applications with PKS and PortworxVMware Tanzu
 
Introduction to Kubernetes Security (Aqua & Weaveworks)
Introduction to Kubernetes Security (Aqua & Weaveworks)Introduction to Kubernetes Security (Aqua & Weaveworks)
Introduction to Kubernetes Security (Aqua & Weaveworks)Weaveworks
 
Keeping your Kubernetes Cluster Secure
Keeping your Kubernetes Cluster SecureKeeping your Kubernetes Cluster Secure
Keeping your Kubernetes Cluster SecureGene Gotimer
 
Building Cloud Native Applications Using Azure Kubernetes Service
Building Cloud Native Applications Using Azure Kubernetes ServiceBuilding Cloud Native Applications Using Azure Kubernetes Service
Building Cloud Native Applications Using Azure Kubernetes ServiceDennis Moon
 
Whats new in brigade 2
Whats new in brigade 2Whats new in brigade 2
Whats new in brigade 2LibbySchulze
 
Operationalizing Amazon EKS
Operationalizing Amazon EKSOperationalizing Amazon EKS
Operationalizing Amazon EKSJim Bugwadia
 
Building Cloud Native Applications Using Spring Boot and Spring Cloud
Building Cloud Native Applications Using Spring Boot and Spring CloudBuilding Cloud Native Applications Using Spring Boot and Spring Cloud
Building Cloud Native Applications Using Spring Boot and Spring CloudGeekNightHyderabad
 
Kubernetes And Istio and Azure AKS DevOps
Kubernetes And Istio and Azure AKS DevOpsKubernetes And Istio and Azure AKS DevOps
Kubernetes And Istio and Azure AKS DevOpsOfir Makmal
 
Make Java Microservices Resilient with Istio - Mangesh - IBM - CC18
Make Java Microservices Resilient with Istio - Mangesh - IBM - CC18Make Java Microservices Resilient with Istio - Mangesh - IBM - CC18
Make Java Microservices Resilient with Istio - Mangesh - IBM - CC18CodeOps Technologies LLP
 
Keeping your Kubernetes Cluster Secure
Keeping your Kubernetes Cluster SecureKeeping your Kubernetes Cluster Secure
Keeping your Kubernetes Cluster SecureGene Gotimer
 
DCSF19 Kubernetes Security with OPA
DCSF19 Kubernetes Security with OPA DCSF19 Kubernetes Security with OPA
DCSF19 Kubernetes Security with OPA Docker, Inc.
 
Stateless and Stateful Services in Kubernetes - Mohit Saxena - Citrix - CC18
Stateless and Stateful Services in Kubernetes - Mohit Saxena - Citrix - CC18Stateless and Stateful Services in Kubernetes - Mohit Saxena - Citrix - CC18
Stateless and Stateful Services in Kubernetes - Mohit Saxena - Citrix - CC18CodeOps Technologies LLP
 
Vietnam Global Azure Bootcamp 2019 - Security on Azure Kubernetes Services wi...
Vietnam Global Azure Bootcamp 2019 - Security on Azure Kubernetes Services wi...Vietnam Global Azure Bootcamp 2019 - Security on Azure Kubernetes Services wi...
Vietnam Global Azure Bootcamp 2019 - Security on Azure Kubernetes Services wi...Duc Lai Trung Minh
 
DCEU 18: From Monolith to Microservices
DCEU 18: From Monolith to MicroservicesDCEU 18: From Monolith to Microservices
DCEU 18: From Monolith to MicroservicesDocker, Inc.
 
Synnefo @ LinuxCon/CloudOpen North America 2014
Synnefo @ LinuxCon/CloudOpen North America 2014Synnefo @ LinuxCon/CloudOpen North America 2014
Synnefo @ LinuxCon/CloudOpen North America 2014Vangelis Koukis
 
Kubernetes Security with Calico and Open Policy Agent
Kubernetes Security with Calico and Open Policy AgentKubernetes Security with Calico and Open Policy Agent
Kubernetes Security with Calico and Open Policy AgentCloudOps2005
 
Kubernetes on the Edge / 在邊緣的K8S
Kubernetes on the Edge / 在邊緣的K8SKubernetes on the Edge / 在邊緣的K8S
Kubernetes on the Edge / 在邊緣的K8SYi-Fu Ciou
 

More Related Content

What's hot

Kubernetes Security
Kubernetes SecurityKubernetes Security
Kubernetes Securityinovex GmbH
 
Data protection in a kubernetes-native world
Data protection in a kubernetes-native worldData protection in a kubernetes-native world
Data protection in a kubernetes-native worldLibbySchulze
 
PKS - Solving Complexity for Modern Data Workloads
PKS - Solving Complexity for Modern Data Workloads PKS - Solving Complexity for Modern Data Workloads
PKS - Solving Complexity for Modern Data Workloads Carlos Andrés García
 
Kubescape single pane of glass
Kubescape single pane of glassKubescape single pane of glass
Kubescape single pane of glassLibbySchulze1
 
10 tips for Cloud Native Security
10 tips for Cloud Native Security10 tips for Cloud Native Security
10 tips for Cloud Native SecurityKarthik Gaekwad
 
Orchestrating stateful applications with PKS and Portworx
Orchestrating stateful applications with PKS and PortworxOrchestrating stateful applications with PKS and Portworx
Orchestrating stateful applications with PKS and PortworxVMware Tanzu
 
Introduction to Kubernetes Security (Aqua & Weaveworks)
Introduction to Kubernetes Security (Aqua & Weaveworks)Introduction to Kubernetes Security (Aqua & Weaveworks)
Introduction to Kubernetes Security (Aqua & Weaveworks)Weaveworks
 
Keeping your Kubernetes Cluster Secure
Keeping your Kubernetes Cluster SecureKeeping your Kubernetes Cluster Secure
Keeping your Kubernetes Cluster SecureGene Gotimer
 
Building Cloud Native Applications Using Azure Kubernetes Service
Building Cloud Native Applications Using Azure Kubernetes ServiceBuilding Cloud Native Applications Using Azure Kubernetes Service
Building Cloud Native Applications Using Azure Kubernetes ServiceDennis Moon
 
Whats new in brigade 2
Whats new in brigade 2Whats new in brigade 2
Whats new in brigade 2LibbySchulze
 
Operationalizing Amazon EKS
Operationalizing Amazon EKSOperationalizing Amazon EKS
Operationalizing Amazon EKSJim Bugwadia
 
Building Cloud Native Applications Using Spring Boot and Spring Cloud
Building Cloud Native Applications Using Spring Boot and Spring CloudBuilding Cloud Native Applications Using Spring Boot and Spring Cloud
Building Cloud Native Applications Using Spring Boot and Spring CloudGeekNightHyderabad
 
Kubernetes And Istio and Azure AKS DevOps
Kubernetes And Istio and Azure AKS DevOpsKubernetes And Istio and Azure AKS DevOps
Kubernetes And Istio and Azure AKS DevOpsOfir Makmal
 
Make Java Microservices Resilient with Istio - Mangesh - IBM - CC18
Make Java Microservices Resilient with Istio - Mangesh - IBM - CC18Make Java Microservices Resilient with Istio - Mangesh - IBM - CC18
Make Java Microservices Resilient with Istio - Mangesh - IBM - CC18CodeOps Technologies LLP
 
Keeping your Kubernetes Cluster Secure
Keeping your Kubernetes Cluster SecureKeeping your Kubernetes Cluster Secure
Keeping your Kubernetes Cluster SecureGene Gotimer
 
DCSF19 Kubernetes Security with OPA
DCSF19 Kubernetes Security with OPA DCSF19 Kubernetes Security with OPA
DCSF19 Kubernetes Security with OPA Docker, Inc.
 
Stateless and Stateful Services in Kubernetes - Mohit Saxena - Citrix - CC18
Stateless and Stateful Services in Kubernetes - Mohit Saxena - Citrix - CC18Stateless and Stateful Services in Kubernetes - Mohit Saxena - Citrix - CC18
Stateless and Stateful Services in Kubernetes - Mohit Saxena - Citrix - CC18CodeOps Technologies LLP
 
Vietnam Global Azure Bootcamp 2019 - Security on Azure Kubernetes Services wi...
Vietnam Global Azure Bootcamp 2019 - Security on Azure Kubernetes Services wi...Vietnam Global Azure Bootcamp 2019 - Security on Azure Kubernetes Services wi...
Vietnam Global Azure Bootcamp 2019 - Security on Azure Kubernetes Services wi...Duc Lai Trung Minh
 
DCEU 18: From Monolith to Microservices
DCEU 18: From Monolith to MicroservicesDCEU 18: From Monolith to Microservices
DCEU 18: From Monolith to MicroservicesDocker, Inc.
 
Synnefo @ LinuxCon/CloudOpen North America 2014
Synnefo @ LinuxCon/CloudOpen North America 2014Synnefo @ LinuxCon/CloudOpen North America 2014
Synnefo @ LinuxCon/CloudOpen North America 2014Vangelis Koukis
 

What's hot (20)

Kubernetes Security
Kubernetes SecurityKubernetes Security
Kubernetes Security
 
Data protection in a kubernetes-native world
Data protection in a kubernetes-native worldData protection in a kubernetes-native world
Data protection in a kubernetes-native world
 
PKS - Solving Complexity for Modern Data Workloads
PKS - Solving Complexity for Modern Data Workloads PKS - Solving Complexity for Modern Data Workloads
PKS - Solving Complexity for Modern Data Workloads
 
Kubescape single pane of glass
Kubescape single pane of glassKubescape single pane of glass
Kubescape single pane of glass
 
10 tips for Cloud Native Security
10 tips for Cloud Native Security10 tips for Cloud Native Security
10 tips for Cloud Native Security
 
Orchestrating stateful applications with PKS and Portworx
Orchestrating stateful applications with PKS and PortworxOrchestrating stateful applications with PKS and Portworx
Orchestrating stateful applications with PKS and Portworx
 
Introduction to Kubernetes Security (Aqua & Weaveworks)
Introduction to Kubernetes Security (Aqua & Weaveworks)Introduction to Kubernetes Security (Aqua & Weaveworks)
Introduction to Kubernetes Security (Aqua & Weaveworks)
 
Keeping your Kubernetes Cluster Secure
Keeping your Kubernetes Cluster SecureKeeping your Kubernetes Cluster Secure
Keeping your Kubernetes Cluster Secure
 
Building Cloud Native Applications Using Azure Kubernetes Service
Building Cloud Native Applications Using Azure Kubernetes ServiceBuilding Cloud Native Applications Using Azure Kubernetes Service
Building Cloud Native Applications Using Azure Kubernetes Service
 
Whats new in brigade 2
Whats new in brigade 2Whats new in brigade 2
Whats new in brigade 2
 
Operationalizing Amazon EKS
Operationalizing Amazon EKSOperationalizing Amazon EKS
Operationalizing Amazon EKS
 
Building Cloud Native Applications Using Spring Boot and Spring Cloud
Building Cloud Native Applications Using Spring Boot and Spring CloudBuilding Cloud Native Applications Using Spring Boot and Spring Cloud
Building Cloud Native Applications Using Spring Boot and Spring Cloud
 
Kubernetes And Istio and Azure AKS DevOps
Kubernetes And Istio and Azure AKS DevOpsKubernetes And Istio and Azure AKS DevOps
Kubernetes And Istio and Azure AKS DevOps
 
Make Java Microservices Resilient with Istio - Mangesh - IBM - CC18
Make Java Microservices Resilient with Istio - Mangesh - IBM - CC18Make Java Microservices Resilient with Istio - Mangesh - IBM - CC18
Make Java Microservices Resilient with Istio - Mangesh - IBM - CC18
 
Keeping your Kubernetes Cluster Secure
Keeping your Kubernetes Cluster SecureKeeping your Kubernetes Cluster Secure
Keeping your Kubernetes Cluster Secure
 
DCSF19 Kubernetes Security with OPA
DCSF19 Kubernetes Security with OPA DCSF19 Kubernetes Security with OPA
DCSF19 Kubernetes Security with OPA
 
Stateless and Stateful Services in Kubernetes - Mohit Saxena - Citrix - CC18
Stateless and Stateful Services in Kubernetes - Mohit Saxena - Citrix - CC18Stateless and Stateful Services in Kubernetes - Mohit Saxena - Citrix - CC18
Stateless and Stateful Services in Kubernetes - Mohit Saxena - Citrix - CC18
 
Vietnam Global Azure Bootcamp 2019 - Security on Azure Kubernetes Services wi...
Vietnam Global Azure Bootcamp 2019 - Security on Azure Kubernetes Services wi...Vietnam Global Azure Bootcamp 2019 - Security on Azure Kubernetes Services wi...
Vietnam Global Azure Bootcamp 2019 - Security on Azure Kubernetes Services wi...
 
DCEU 18: From Monolith to Microservices
DCEU 18: From Monolith to MicroservicesDCEU 18: From Monolith to Microservices
DCEU 18: From Monolith to Microservices
 
Synnefo @ LinuxCon/CloudOpen North America 2014
Synnefo @ LinuxCon/CloudOpen North America 2014Synnefo @ LinuxCon/CloudOpen North America 2014
Synnefo @ LinuxCon/CloudOpen North America 2014
 

Similar to Securing Kubernetes Workloads

Kubernetes Security with Calico and Open Policy Agent
Kubernetes Security with Calico and Open Policy AgentKubernetes Security with Calico and Open Policy Agent
Kubernetes Security with Calico and Open Policy AgentCloudOps2005
 
Kubernetes on the Edge / 在邊緣的K8S
Kubernetes on the Edge / 在邊緣的K8SKubernetes on the Edge / 在邊緣的K8S
Kubernetes on the Edge / 在邊緣的K8SYi-Fu Ciou
 
From Containerized Application to Secure and Scaling With Kubernetes
From Containerized Application to Secure and Scaling With KubernetesFrom Containerized Application to Secure and Scaling With Kubernetes
From Containerized Application to Secure and Scaling With KubernetesShikha Srivastava
 
Securing and Automating Kubernetes with Kyverno
Securing and Automating Kubernetes with KyvernoSecuring and Automating Kubernetes with Kyverno
Securing and Automating Kubernetes with KyvernoSaim Safder
 
12 Ways Not to get 'Hacked' your Kubernetes Cluster
12 Ways Not to get 'Hacked' your Kubernetes Cluster12 Ways Not to get 'Hacked' your Kubernetes Cluster
12 Ways Not to get 'Hacked' your Kubernetes ClusterSuman Chakraborty
 
Kubernetes policies 101 - apolicy.io
Kubernetes policies 101 - apolicy.ioKubernetes policies 101 - apolicy.io
Kubernetes policies 101 - apolicy.iojoanwlevin
 
Secure your K8s cluster from multi-layers
Secure your K8s cluster from multi-layersSecure your K8s cluster from multi-layers
Secure your K8s cluster from multi-layersJiantang Hao
 
GitOps 101 Presentation.pdf
GitOps 101 Presentation.pdfGitOps 101 Presentation.pdf
GitOps 101 Presentation.pdfssuser31375f
 
Cloud-native Data: Every Microservice Needs a Cache
Cloud-native Data: Every Microservice Needs a CacheCloud-native Data: Every Microservice Needs a Cache
Cloud-native Data: Every Microservice Needs a Cachecornelia davis
 
Security for cloud native workloads
Security for cloud native workloadsSecurity for cloud native workloads
Security for cloud native workloadsRuncy Oommen
 
Hybrid - Seguridad en Contenedores v3.pptx
Hybrid - Seguridad en Contenedores v3.pptxHybrid - Seguridad en Contenedores v3.pptx
Hybrid - Seguridad en Contenedores v3.pptxHansFarroCastillo1
 
Enhancing Data Protection Workflows with Kanister And Argo Workflows
Enhancing Data Protection Workflows with Kanister And Argo WorkflowsEnhancing Data Protection Workflows with Kanister And Argo Workflows
Enhancing Data Protection Workflows with Kanister And Argo WorkflowsLibbySchulze
 
How To Build Kubernetes Policies To Ensure Compliance for Databases.pptx
How To Build Kubernetes Policies To Ensure Compliance for Databases.pptxHow To Build Kubernetes Policies To Ensure Compliance for Databases.pptx
How To Build Kubernetes Policies To Ensure Compliance for Databases.pptxLibbySchulze
 
Kubernetes for Enterprise DevOps
Kubernetes for Enterprise DevOpsKubernetes for Enterprise DevOps
Kubernetes for Enterprise DevOpsJim Bugwadia
 
AWS Well-Architected Framework
AWS Well-Architected FrameworkAWS Well-Architected Framework
AWS Well-Architected FrameworkHenrique Mecking
 
Cloud-Native-Data with Cornelia Davis
Cloud-Native-Data with Cornelia DavisCloud-Native-Data with Cornelia Davis
Cloud-Native-Data with Cornelia DavisVMware Tanzu
 
AWS Community Day - Vitaliy Shtym - Pragmatic Container Security
AWS Community Day - Vitaliy Shtym - Pragmatic Container SecurityAWS Community Day - Vitaliy Shtym - Pragmatic Container Security
AWS Community Day - Vitaliy Shtym - Pragmatic Container SecurityAWS Chicago
 
Implementing-SaaS-on-Kubernetes-Michael-Knapp-Andrew-Gao-Capital-One.pdf
Implementing-SaaS-on-Kubernetes-Michael-Knapp-Andrew-Gao-Capital-One.pdfImplementing-SaaS-on-Kubernetes-Michael-Knapp-Andrew-Gao-Capital-One.pdf
Implementing-SaaS-on-Kubernetes-Michael-Knapp-Andrew-Gao-Capital-One.pdfssuserf4844f
 
Attacking and Defending Kubernetes - Nithin Jois
Attacking and Defending Kubernetes - Nithin JoisAttacking and Defending Kubernetes - Nithin Jois
Attacking and Defending Kubernetes - Nithin JoisOWASP Hacker Thursday
 

Similar to Securing Kubernetes Workloads (20)

Kubernetes Security with Calico and Open Policy Agent
Kubernetes Security with Calico and Open Policy AgentKubernetes Security with Calico and Open Policy Agent
Kubernetes Security with Calico and Open Policy Agent
 
Kubernetes on the Edge / 在邊緣的K8S
Kubernetes on the Edge / 在邊緣的K8SKubernetes on the Edge / 在邊緣的K8S
Kubernetes on the Edge / 在邊緣的K8S
 
From Containerized Application to Secure and Scaling With Kubernetes
From Containerized Application to Secure and Scaling With KubernetesFrom Containerized Application to Secure and Scaling With Kubernetes
From Containerized Application to Secure and Scaling With Kubernetes
 
Securing and Automating Kubernetes with Kyverno
Securing and Automating Kubernetes with KyvernoSecuring and Automating Kubernetes with Kyverno
Securing and Automating Kubernetes with Kyverno
 
12 Ways Not to get 'Hacked' your Kubernetes Cluster
12 Ways Not to get 'Hacked' your Kubernetes Cluster12 Ways Not to get 'Hacked' your Kubernetes Cluster
12 Ways Not to get 'Hacked' your Kubernetes Cluster
 
Kubernetes policies 101 - apolicy.io
Kubernetes policies 101 - apolicy.ioKubernetes policies 101 - apolicy.io
Kubernetes policies 101 - apolicy.io
 
Secure your K8s cluster from multi-layers
Secure your K8s cluster from multi-layersSecure your K8s cluster from multi-layers
Secure your K8s cluster from multi-layers
 
GitOps 101 Presentation.pdf
GitOps 101 Presentation.pdfGitOps 101 Presentation.pdf
GitOps 101 Presentation.pdf
 
Cloud-native Data: Every Microservice Needs a Cache
Cloud-native Data: Every Microservice Needs a CacheCloud-native Data: Every Microservice Needs a Cache
Cloud-native Data: Every Microservice Needs a Cache
 
Security for cloud native workloads
Security for cloud native workloadsSecurity for cloud native workloads
Security for cloud native workloads
 
Hybrid - Seguridad en Contenedores v3.pptx
Hybrid - Seguridad en Contenedores v3.pptxHybrid - Seguridad en Contenedores v3.pptx
Hybrid - Seguridad en Contenedores v3.pptx
 
Enhancing Data Protection Workflows with Kanister And Argo Workflows
Enhancing Data Protection Workflows with Kanister And Argo WorkflowsEnhancing Data Protection Workflows with Kanister And Argo Workflows
Enhancing Data Protection Workflows with Kanister And Argo Workflows
 
How To Build Kubernetes Policies To Ensure Compliance for Databases.pptx
How To Build Kubernetes Policies To Ensure Compliance for Databases.pptxHow To Build Kubernetes Policies To Ensure Compliance for Databases.pptx
How To Build Kubernetes Policies To Ensure Compliance for Databases.pptx
 
Kubernetes for Enterprise DevOps
Kubernetes for Enterprise DevOpsKubernetes for Enterprise DevOps
Kubernetes for Enterprise DevOps
 
AWS Well-Architected Framework
AWS Well-Architected FrameworkAWS Well-Architected Framework
AWS Well-Architected Framework
 
Cloud-native Data
Cloud-native DataCloud-native Data
Cloud-native Data
 
Cloud-Native-Data with Cornelia Davis
Cloud-Native-Data with Cornelia DavisCloud-Native-Data with Cornelia Davis
Cloud-Native-Data with Cornelia Davis
 
AWS Community Day - Vitaliy Shtym - Pragmatic Container Security
AWS Community Day - Vitaliy Shtym - Pragmatic Container SecurityAWS Community Day - Vitaliy Shtym - Pragmatic Container Security
AWS Community Day - Vitaliy Shtym - Pragmatic Container Security
 
Implementing-SaaS-on-Kubernetes-Michael-Knapp-Andrew-Gao-Capital-One.pdf
Implementing-SaaS-on-Kubernetes-Michael-Knapp-Andrew-Gao-Capital-One.pdfImplementing-SaaS-on-Kubernetes-Michael-Knapp-Andrew-Gao-Capital-One.pdf
Implementing-SaaS-on-Kubernetes-Michael-Knapp-Andrew-Gao-Capital-One.pdf
 
Attacking and Defending Kubernetes - Nithin Jois
Attacking and Defending Kubernetes - Nithin JoisAttacking and Defending Kubernetes - Nithin Jois
Attacking and Defending Kubernetes - Nithin Jois
 

More from Jim Bugwadia

Cloud Native DevOps
Cloud Native DevOpsCloud Native DevOps
Cloud Native DevOpsJim Bugwadia
 
Azure meetup cloud native concepts - may 28th 2018
Azure meetup cloud native concepts - may 28th 2018Azure meetup cloud native concepts - may 28th 2018
Azure meetup cloud native concepts - may 28th 2018Jim Bugwadia
 
Demystifying Kubernetes for Enterprise DevOps
Demystifying Kubernetes for Enterprise DevOpsDemystifying Kubernetes for Enterprise DevOps
Demystifying Kubernetes for Enterprise DevOpsJim Bugwadia
 
Multi-cloud Container Management for vRealize Automation
Multi-cloud Container Management for vRealize AutomationMulti-cloud Container Management for vRealize Automation
Multi-cloud Container Management for vRealize AutomationJim Bugwadia
 
Cloud Native Applications Maturity Model
Cloud Native Applications Maturity ModelCloud Native Applications Maturity Model
Cloud Native Applications Maturity ModelJim Bugwadia
 
Containerizing Traditional Applications
Containerizing Traditional ApplicationsContainerizing Traditional Applications
Containerizing Traditional ApplicationsJim Bugwadia
 
Accelerating DevOps
Accelerating DevOpsAccelerating DevOps
Accelerating DevOpsJim Bugwadia
 
Microservices on AWS Spot instances
Microservices on AWS Spot instancesMicroservices on AWS Spot instances
Microservices on AWS Spot instancesJim Bugwadia
 
Multi-Cloud Microservices - DevOps Summit Silicon Valley 2015
Multi-Cloud Microservices - DevOps Summit Silicon Valley 2015Multi-Cloud Microservices - DevOps Summit Silicon Valley 2015
Multi-Cloud Microservices - DevOps Summit Silicon Valley 2015Jim Bugwadia
 

More from Jim Bugwadia (9)

Cloud Native DevOps
Cloud Native DevOpsCloud Native DevOps
Cloud Native DevOps
 
Azure meetup cloud native concepts - may 28th 2018
Azure meetup cloud native concepts - may 28th 2018Azure meetup cloud native concepts - may 28th 2018
Azure meetup cloud native concepts - may 28th 2018
 
Demystifying Kubernetes for Enterprise DevOps
Demystifying Kubernetes for Enterprise DevOpsDemystifying Kubernetes for Enterprise DevOps
Demystifying Kubernetes for Enterprise DevOps
 
Multi-cloud Container Management for vRealize Automation
Multi-cloud Container Management for vRealize AutomationMulti-cloud Container Management for vRealize Automation
Multi-cloud Container Management for vRealize Automation
 
Cloud Native Applications Maturity Model
Cloud Native Applications Maturity ModelCloud Native Applications Maturity Model
Cloud Native Applications Maturity Model
 
Containerizing Traditional Applications
Containerizing Traditional ApplicationsContainerizing Traditional Applications
Containerizing Traditional Applications
 
Accelerating DevOps
Accelerating DevOpsAccelerating DevOps
Accelerating DevOps
 
Microservices on AWS Spot instances
Microservices on AWS Spot instancesMicroservices on AWS Spot instances
Microservices on AWS Spot instances
 
Multi-Cloud Microservices - DevOps Summit Silicon Valley 2015
Multi-Cloud Microservices - DevOps Summit Silicon Valley 2015Multi-Cloud Microservices - DevOps Summit Silicon Valley 2015
Multi-Cloud Microservices - DevOps Summit Silicon Valley 2015
 

Recently uploaded

04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
Google AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAGGoogle AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAGSujit Pal
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure servicePooja Nehwal
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxOnBoard
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhisoniya singh
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 

Recently uploaded (20)

04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Google AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAGGoogle AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAG
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptx
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 

Securing Kubernetes Workloads

  • 1. Securing Kubernetes Workloads Best Practices for Securing Kubernetes Workload Configurations Across Clouds Jim Bugwadia Founder and CEO
  • 2. Agenda • Kubernetes Security Framework • Kubernetes Constructs for Workload Security • Q & A 2
  • 3. 3 About me • @JimBugwadia • Founder and CEO at Nirmata • Working on large-scale distributed systems (C++, Java, JS, Go) since 1994 CKA-1700-0169-0100
  • 4. 4 Kubernetes Security Framework Build Operate Container Hosts: ❑ Minimal OS ❑ OS Hardening ❑ CIS Benchmarks Clusters: ❑ RBAC ❑ Audit Policies and Logging ❑ Certificate Management ❑ Identity and Access ❑ Kubernetes upgrades ❑ CIS Benchmarks Applications: ❑ Image scanning ❑ Image Provenance ❑ Secrets Management ❑ Namespaces ❑ Access Controls ❑ Network Policies ❑ Resource Quotas ❑ Pod Security Policy
  • 5. 5 Kubernetes Security Framework Build Operate Container Hosts: ❑ Minimal OS ❑ OS Hardening ❑ CIS Benchmarks Clusters: ❑ RBAC ❑ Audit Policies and Logging ❑ Certificate Management ❑ Identity and Access ❑ Kubernetes upgrades ❑ CIS Benchmarks Applications: ❑ Image scanning ❑ Image Provenance ❑ Secrets Management ❑ Namespaces ❑ Access Controls ❑ Network Policies ❑ Resource Quotas ❑ Pod Security Policy
  • 7. 7 Image Provenance • Image scanning checks images for vulnerabilities o Ideally done when the image is built and before it is accepted into the image registry • Image provenance 1. Confirms that an image being deployed is from a trusted source 2. Confirms that image has not been not tampered with
  • 8. 8 Image Provenance - Solutions • Kubernetes ImagePolicyWebhook o Configured as an admission controller o Sends an ImageReview request o Expects an ImageReview response of accept or deny
  • 9. 9 Image Provenance - Solutions • Portieris o Also an admission controller o Integrates with Notary (a content trust store) – part of the The Update Framework (TUF) o Provides way to specify image security policies at a namespace and cluster level https://github.com/IBM/portieris https://theupdateframework.github.io/ https://github.com/theupdateframework/notary
  • 10. 10 Image Provenance – Partial Solutions • Kyverno o Also an admission controller o Kubernetes Native Policy Engine o Policies are written as overlay rules https://kyverno.io/ https://thenewstack.io/kyverno-kubernetes-configuration-via-policy/
  • 11. 11 Image Provenance – Partial Solutions • OPA / Gatekeeper o Also an admission controller o General Purpose Policy Engine o Policies are written in Rego https://www.openpolicyagent.org/ https://github.com/open-policy-agent/gatekeeper https://medium.com/capital-one-tech/policy-enabled-kubernetes-with-open-policy-agent-3b612b3f0203
  • 13. 13 Secrets • Any sensitive data that an application needs o Passwords o Certificates o Keys o …
  • 14. 14 Secrets Management Anti-Patterns (please try not to do this) x Hard-coded x Packaged with code x Inserted via build tools x Environment Variables
  • 15. 15 What Kubernetes Provides • API Object to define secrets • Values are base 64 encoded (default) • Secrets are namespaced • Secrets can be mounted as volumes • Secrets can be used as environment variables • Encryption can be configured at the API Server apiVersion: v1 kind: Secret metadata: name: mysecret type: Opaque data: username: YWRtaW4=
  • 16. 16 So, what’s missing? Kubernetes secrets are a step forward, but have a few limitations: • Encryption requires configuring static keys or a KMS • Shared (static) approach • No leases, rotation, etc.
  • 17. 17 Secrets Management with Hashicorp Vault • Helps automates security best practices for o Secrets Management o Auditing o Certificate Management o Encryption • Dynamic Secrets o Credentials (keys, passwords, certificates) are generated when a client requests them o Credentials are per client o Credentials are automatically deleted if a lease expires
  • 18. 18 An init container to fetch secrets init container Vault Kubernetes Pod application container Service Account & Role Secrets … Volume (secret) https://github.com/nirmata/kube-vault-client https://www.nirmata.com/2018/12/19/managing-kubernetes-secrets-with-hashicorp-vault-and-nirmata/
  • 20. 20 Namespaces • Kubernetes Data Plane Virtualization • Namespaces partition the Kubernetes object model so multiple objects with the same name can exist in the same cluster • Namespaces are the foundation for applying other security constructs Kubernetes supports multiple virtual clusters backed by the same physical cluster. These virtual clusters are called namespaces. https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/
  • 22. 22 Role-based access control (RBAC) • Users are authenticated via OIDC, X.509 certificates, tokens, etc. • The authentication result can provide user and group information. • However, Users and User Groups are managed externally (e.g. in an LDAP / AD server). • Kubernetes has a fine-grained permission model • Role (namespace) / ClusterRole • Roles are mapped to users or groups via role bindings • RoleBinding (namespace) / ClusterRoleBinding
  • 23. 23 Service Accounts • Service Accounts are meant for authenticating and authorizing processes • Each namespace has a default service account • Each Pod has a service account (default – if not specified) • A best practice is to use a service account per app • To prevent a service account token from being mounted in a Pod use “automountServiceAccountToken: false”. This can be enforced via a policy.
  • 25. 25 Network Segmentation via Network Policies • By default, Kubernetes pods are “non-isolated” • They accept network connections from any source and can initiate connection requests to any destination • Network Policies define traffic rules for Kubernetes pods • ingress (inbound traffic) • egress (outbound traffic) Network Policy Pod Selector Ingress Ingress Rule Ingress Rule Ingress Rule Egress Ingress Rule Ingress Rule Egress Rule
  • 27. 27 Resource Management • Pods can have resource requests and limits • This allows three quality of service models GuaranteedBurstable • A namespace can have limits and default allocations • Quotas and limits ensure fairness and stability https://opensource.com/article/18/12/optimizing- kubernetes-resource-allocation-production
  • 29. 29 Pod Security Policies • Controls runtime security settings for pods • Enabled at the API Controller • Requires a role binding between pod Service Account and the PSP
  • 30. 30 Use a policy engine to audit and enforce • Pod Security Policies are tricky to manage o Require a role binding to SA o Applied in alphabetical order • Kyverno supports enforcement of the important PSP checks https://github.com/nirmata/kyverno/tree/master/ examples/best_practices
  • 32. 32
  • 33. 33 Summary 1. Kubernetes provides several constructs for workload security 2. Use a Policy Engine like Kyverno to simplify management of configurations 3. Use a management plane like Nirmata to configure Kubernetes correctly https://kyverno.io/ https://nirmata.com/
  • 34. 34 Nirmata – The Kubernetes Management Plane Kubernetes Components, Services, and Workloads K8s Data Center K8s Clouds K8s Edge Service Mgmt VisibilityGovernance Compliance Optimization The Nirmata Platform Change Mgmt. Audit Logs Health Capacity Isolation Policies TuningDiscovery Any Infrastructure Nirmata Cloud or Private Edition Any App