Professional Documents
Culture Documents
Operationalizing Kubernetes Security Best Practices: CNCF Webinar
Operationalizing Kubernetes Security Best Practices: CNCF Webinar
Operationalizing Kubernetes Security Best Practices: CNCF Webinar
Operationalizing Kubernetes
Security Best Practices
Connor Gilbert
26 March 2019
What we’ll cover
● How does Kubernetes change security?
● How does cooperation work in a Kubernetes
stack?
● What can I do to improve the security of:
○ My infrastructure?
○ My applications?
● What are some Kubernetes controls I could
consider adopting?
How does Kubernetes
change security?
“Move fast,” they said
http://www.newseum.org/exhibits/current/conus-1-satellite-truck/
“Move fast,” they said
Personal photo
“Move fast,” they said
Personal photo
Most people use defaults —
but you don’t have to.
Test your security like your app
apiVersion: apps/v1 apiVersion: apps/v1
kind: Deployment kind: Deployment
spec: spec:
replicas: 1 replicas: 1
template: template:
spec: spec:
containers: containers:
- name: server - name: server
image: my-app:1.0.0-1-g123456 image: my-app:1.0.0-1-g123456
+ securityContext:
+ capabilities:
+ drop: ["NET_RAW"]
+ readOnlyRootFilesystem: true
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: allow-server-https
+spec:
+ ingress:
+ - ports:
+ - port: 443
+ protocol: TCP
How does cooperation work
in a Kubernetes stack?
“Things move too fast for my
security team to keep up!”
“Things move too fast for my
security team to keep up!
I’m afraid we’ll miss something.”
“I don’t want this security feature
deployed in my cluster!”
“I don’t want this security feature
deployed in my cluster!
I’m afraid it will stop me from
recovering from an outage.”
What can I do to improve the
security of my infrastructure?
Caveat: There’s a lot out there
https://landscape.cncf.io
Good infrastructure habits
● Be ready to upgrade
○ You may need to do this on short notice!
● Automate, automate, automate
● Keep the abstractions tight — no leaks
● Think carefully about API access control
What can I do to improve the
security of my applications?
Workload data
Who runs this?
What is it?
How is it exposed?
Workload data, zooming in
What will run?
Any guardrails?
● Network Policies
● Storage
● Configuration Maps
● Health Check Procedures
● Custom Resources
● More?
Kubernetes context
Good application habits
● Have a “style guide”
● Apply metadata consistently
● Know your images
● Plan for replicas to be killed in case of
compromise
● Establish secure practices early
○ Workload configurations
○ Network policies
...and how to enforce them
Options include:
minerd
tar: minerd: Cannot change ownership to uid 1000, gid 1000: Operation not permitted
tar: Exiting with failure status due to previous errors
Network policies
Configurations to explore
● Read-only root file system
● Linux capabilities
● Network policies
● Host mounts
● Disable service account auto-mount
● Environment
● Resource requirements
What next?
Have a question now?
Ask in Zoom!
Think of one later?
c@stackrox.com
@connorgilbert
Want to learn more?
https://stackrox.com/cncf/