Kubernetes is fundamentally a complex system with lots of different potential attack vectors aimed at data theft, currency mining and other threats. During this webinar, Aqua Security and Weaveworks will provide an overview of the current state of security-related features in Kubernetes, demonstrate how you can build a secure and reliable Kubernetes deployment pipeline with GitOps best practices, and explore how to best prevent common Git attacks. In addition we will show image scanning and briefly explore how to best prevent common Git attacks.
14. 14
1 The entire system is described declaratively.
2 The desired system state is versioned
3 Approved changes to the desired state are
automatically applied to the system
4 Software agents ensure correctness
and alert on divergence
20. Typical CICD pipeline
Continuous Integration
Cluster API
Continuous Delivery/Deployment
Container
Registry
CI
Code
Repo
Dev RW
CI credsGit creds
RW
CR creds3
RO
RW
API creds
CR creds1
Shares credentials cross several logical security boundaries.
Boundary
RO RW
Container
Registry (CR)
creds2
21. Cluster API
GitOps pipeline
Container
Registry
CI
Code
Repo
Dev RO
CR creds2CI credsGit creds
RO
Deploy
CR creds3
RO
RW
Config repo
creds
CR creds1
Credentials are never shared across a logical security boundary.
RW RW
RW
Cluster API
creds
Canonical desired
state store
Config Repo
22. Cluster API
GitOps pipeline
Container
Registry
CI
Code
Repo
Dev RO
CR creds2CI credsGit creds
RO
Deploy
CR creds3
RO
RW
Config repo
creds
CR creds1
Credentials are never shared across a logical security boundary.
RW RW
RW
Cluster API
creds
Operator RW Config Repo
23. Cluster API
GitOps pipeline
Container
Registry
CI
Code
Repo
Dev RO
CR creds2CI credsGit creds
RO
Deploy
CR creds3
RO
RW
Config repo
creds
CR creds1
Credentials are never shared across a logical security boundary.
RW RW
RW
Cluster API
creds
Operator RW Config Repo
Process & constraints
enforcement
24. Cluster API
GitOps pipeline
Container
Registry
CI
Code
Repo
Dev RO
CR creds2CI credsGit creds
RO
Deploy
CR creds3
RO
RW
Config repo
creds
CR creds1
Credentials are never shared across a logical security boundary.
RW RW
RW
Cluster API
creds
Operator RW Config Repo
Exceptional auditing
and attribution*
26. Move from access to cluster to access to
repository.
...So how to secure your repository?
Moving the burden of security
26
27. Mitigating user impersonation
27
1. Enforce Strong Identity in VCS (GitHub/GitLab)
with GPG Signed Commits *
1. Use Physical GPG Keys to increase security
1. Run GPG-Validating Code in CI
28. 28
Signing each commit is [a bad idea]. It just
means that you automate it, and you make the
signature worth less. It also doesn't add any real
value, since the way the git DAG-chain of SHA1's
work, you only ever need one signature to make
all the commits reachable from that one be
effectively covered by that one. So signing each
commit is simply missing the point.
* A word from above
42. 43
Don’t allow privileged containers
„ Except that it’s needed for some components like kube-dns
Don’t allow anonymous API access
„ Health checks
„ Current thinking is to rely on RBAC
@lizrice Photo by Nik Shuliahin on Unsplash43
Control plane conundrums
45. 46
Node (kubelet)
ABAC - outdated!
RBAC
Webhook
l Open Policy Agent
@lizrice Photo by Belinda Fewings on Unsplash46
Authorization
46. 47 @lizrice Photo by Belinda Fewings on Unsplash47
Authorization - RBAC
Entity
l Service account, User,
Group
Scope
l Namespace / Cluster
Roles and bindings
53. Secrets
@lizrice Photo by Sai De Silva on Unsplash54
Namespaced objects
Access via volume or env var
Data in tmpfs volumes
Per-secret size limit of 1MB
Default: base64 encoded
§ Enable encryption at rest, or
§ Use third-party tool
54. Additional considerations
Stay safe!
@lizrice Photo by Piotr Chrobot on Unsplash55
Stay up to date
Check configuration
Image scanning
Don’t run as root
Use RBAC
Manage secrets carefully