owned this note owned this note

Kubernetes Security

Policy Enforcement

a kubernetes videobírója

Junius - Papp Lajos

lalyos

mar az ovodaban in balna volt a jelem (1998)
Cofounder of SequenceIQ (docker + bigdata + felho)
long time dev (java/golang)
trainer/consultant (hire me!)
docker meetup bp organizer
k8s meetup frequent speaker

Topics

Cloud Native Security Overview: 4 layers
Pick a couple
Policy Enforcement

Cloud Native ???

mit adtak nekunk a romaiak ( Docker )?

solving: "it was running on my machine" ™
packaging format (tar.gz of layers)
containerd + runc
microservices 12factor.net
k8s: run containers on a lot of servers

Cloud Native Security - 4C

Cloud Layer (1) - Infrastructure

API Server network access
Node network access
Access to etcd (relational DB)
etcd encryption

Cluster Layer (2)

Authentication (integration: OIDC,LDAP, SAML,Kerberos)
RBAC Authorization, use toos: audit-2-rbac -
more RBAC: http://rbac.dev/
App Secret management
Pod Security Policy
Network policies
TLS for ingress

Container Layer (3)

Container Vulnerability Scanning - during build
Image signing
Unprivileged users - avoid root
Alternative Runtimes - cncf landscape

Code Layer (4)

use TLS/HTTP - service mesh can help
limit port ranges
static code analysis OWASP Source Analysis
dynamic probing - automated CSRF, XSS, SQL inject (Zed Attack Proxy - ZAP)[https://owasp.org/www-project-zap/]

Cluster Layer - Secrets

bitnami sealed secrets - private key in cluster
SOPS - private key in AWS/GCP/Azure
Hashicorp Vault - use an operator: bank-vaults by BanzaCloud

Container Layer - Runtimes

Docker = dockerd + containerd + runc

k8s = CRI (containerd/crio) + runc/kata/firecracker/gvisor/wasm …

Firecracker - Amazon microVM (lambda/fargate)
gVisor - Linux system calls implemented (go) in userspace - opensourced by Google (cloudRun/cloudFn/appe)
KataContainers - lightweight VM

Policy Enforcement - best practices

There are industry wide best practices:

dont use ":latest" images
restrict image registries
use probes (readiness/liveness)
readonly root FS
drop all capabilities
require labels (owner,appname)
disallow NodePort

Policies - how to enforce them

email word doc to all devs
"please sign it on paper"
Instead: use a policy/rule engine

Policies - CNCF landscape

OPA
Kyverno
…
Full list: cncf landscape: Security and Complience

Policy Enforcement - OPA

OPA: https://www.openpolicyagent.org/
- generic (non k8s specific)
- own Domain Specific Lang (rego)
- steep learning curve
- complex

Policy Enforcement - Kyverno

Kyverno: https://kyverno.io/
- k8s specific policy engine
- no DSL: plain yaml
- easy to read (DN-RTFM)
- easy to learn
- predefined policies for best practices

Admission Controller

Builtin: DefaultIng, DefaultStorageCl, LimitRanger, NamespaceLifeCyc, ResourceQuota, ServiceAcc, …

Policies - Kyverno

require Limits and Requests
add network policy (deny all ing/egr)
add quota to each NS
add labels (mesh)
replace image registry: docker.io -> registry.mycorp.com
require probes (readiness/liveness)
readonly root FS
disallow default NS

Keep in touch

http://hwsw.lalyo.sh/

Cheatsheet

Syntax	Example	Reference
# Header	Header	基本排版
- Unordered List	Unordered List
1. Ordered List	Ordered List
- [ ] Todo List	Todo List
> Blockquote	Blockquote
Bold font	Bold font
Italics font	Italics font
~~Strikethrough~~	~~Strikethrough~~
19^th^	19^th
H~2~O	H₂O
++Inserted text++	Inserted text
==Marked text==	Marked text
[link text](https:// "title")	Link
![image alt](https:// "title")	Image
`Code`	`Code`	在筆記中貼入程式碼
```javascript var i = 0; ```	`var i = 0;`	在筆記中貼入程式碼
:smile:		Emoji list
{%youtube youtube_id %}	Externals
$L^aT_eX$	L^aT_eX
:::info This is a alert area. :::	This is a alert area.

Select a repo