|
| 1 | +# Hardening Your First Cluster |
| 2 | + |
| 3 | +This talk is by some SecOps guy from Palo Alto and some Kubernetes guy from Nutanix, seems interesting. |
| 4 | + |
| 5 | +## Step 1: It works |
| 6 | + |
| 7 | +Junior developer, Dave, builds some internal support tool by Friday. Lil' Dave has a problem, because he has |
| 8 | +no clue on how to deploy on Kubernetes and even less of an idea on how to make it secure. `kubectl expose deployment/poc` |
| 9 | +is happy and the application is running. |
| 10 | + |
| 11 | +## Step 2: Next Monday Morning |
| 12 | + |
| 13 | +Lil' Dave is happy to go into work and get back to Kubernetes. Except he finds an email from finance on exploding |
| 14 | +bills and some security colleague. So what happened over the weekend? |
| 15 | + |
| 16 | +- First rule of network security: don't open ports that you don't need |
| 17 | + |
| 18 | +Note to Dave: Don't expose applications with a service of type `LoadBalancer`. |
| 19 | + |
| 20 | +But how will an attacker move from a single compromised container to taking over the cluster? |
| 21 | + |
| 22 | +- Frist rule of credentials: use least privilege credentials |
| 23 | + |
| 24 | +Secrets in Kubernetes are not encrypted, they're just encoded. Any attacker that can retrieve a service |
| 25 | +token to list secret, can read your secrets. |
| 26 | + |
| 27 | +The "make it work" often wins the race against "make it secure" in Kubernetes, because most defaults |
| 28 | +aren't very secure. |
| 29 | + |
| 30 | +### Security Fundamentals |
| 31 | + |
| 32 | +Security is a spectrum. You're never going to be 100% secure, you can only make it harder for attackers so they |
| 33 | +move on to the next target. |
| 34 | + |
| 35 | +Don't rely on a single strategy, do defense in depth. Layer your defenses so you can stop an attacker once they're in. |
| 36 | + |
| 37 | +1. Limit your attack surface |
| 38 | +2. Use least privilege and RBAC |
| 39 | +3. Contain workloads and limit impact |
| 40 | + |
| 41 | +## Security Tricks |
| 42 | + |
| 43 | +Set `--anonymous-auth=false` on your api server, otherwise anyone can talk to your control plane. Build your cluster |
| 44 | +as private as you can. Use IP allow lists, use a VPN. Patrol the perimeter and scan for vulnerabilities before |
| 45 | +components get into your environments. |
| 46 | + |
| 47 | +Set `automountServiceAccountToken: false` to avoid the auto-mounting of service account tokens into Pods. |
| 48 | + |
| 49 | +Don't ever ever ever bind Service Accounts to the ClusterAdmin Role, it just doesn't make sense. Create specific |
| 50 | +Service Accounts and Roles for your use case. In the Role, limit the scope to only what the application needs. |
| 51 | + |
| 52 | +Role number 1, never run as `root`: |
| 53 | + |
| 54 | +```yaml |
| 55 | +securityContext: |
| 56 | + runAsNonRoot: true |
| 57 | + runAsUser: 1000 |
| 58 | + readOnlyRootFilesystem: true |
| 59 | + allowPrivilegeEscalation: false |
| 60 | + capabilities: |
| 61 | + drop: ['ALL'] |
| 62 | +``` |
| 63 | +
|
| 64 | +### Daves Security Toolkit |
| 65 | +
|
| 66 | +- Build before you ship: <https://trivy.dev/> |
| 67 | +- Gate what gets deployed: <https://kyverno.io/> and <https://www.openpolicyagent.org/ecosystem/entry/gatekeeper> |
| 68 | +- Watch what happens: <https://falco.org/> and <https://grafana.com/docs/loki/latest/> |
| 69 | +- Check the rules: <https://github.com/aquasecurity/kube-bench> and <https://github.com/aquasecurity/kubectl-who-can> |
| 70 | +
|
| 71 | +## Takeaways |
| 72 | +
|
| 73 | +- Wall 1: defend the perimeter |
| 74 | +- Wall 2: defend the endpoint |
| 75 | +- Wall 3: defend outbound traffic |
| 76 | +- Wall-E |
0 commit comments