Deploying Kubernetes without scaring away your security team (KubeCon 2017)
Paul Czarkowski, Pivotal Software (@pczarkowski)
Major Hayden, Rackspace (@majorhayden)
Paul Czarkowski: Principal Technologist @ Pivotal. Always doing things and promoting agile synergistic principles that resonate down the value chain.
Major Hayden: Principal Architect @ Rackspace. Secures OpenStack/Kubernetes clouds and owns far too many domain names (including icanhazip.com).
Your first day back at the office talking about Kubernetes feels like this
Photo credit: Pixabay
Talking to your corporate security team about Kubernetes feels more like this
Photo credit: Breaking Bad Wikia
Enterprise security teams demand security layers that are:
• Valuable
• Non-disruptive
• Documented
• Auditable
• Easily understood
(Diagram: the overlap of DevOps, Security and Automated Infrastructure, captioned "Find a way to get here".)
Security requirements and restrictions should be guardrails, not roadblocks
Photo credit: Wikipedia
PUBLIC SERVICE ANNOUNCEMENT: Always enable Linux Security Modules (like SELinux or AppArmor) in your container deployments.
SERIOUSLY. STOP DISABLING SELINUX.
Luckily, there are tools that help with many of these challenges.
Ansible (https://www.ansible.com/)
• Orchestration
• Configuration management
• Software deployment
• Stackable building blocks
• Everything as code
(Diagram: tasks grouped into roles, and roles collected into a playbook.)
Ansible explained in three bullets:
• Each task does one thing
• Tasks are grouped into roles
• Playbooks apply one or more roles to one or more servers
Ansible is simple
• Tasks are read one at a time, top-down
• Tasks are written in YAML
• No need for dependency chaining or complex ordering
• Simple inventory system
Ansible is versatile
• Automates containers, virtual machines, servers, network devices, clouds, laptops
• No daemons or complex dependencies
• Got Python installed on your nodes? You’re ready.
Ansible is repeatable
• A playbook can be run repeatedly with the same results
• Ansible can audit a system and show potential changes before making them
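As an added example (not from the talk's slides or from any project it mentions), here is a short playbook that puts the deck's two points together: the one-thing-per-task, top-down structure just described, applied to the earlier advice to keep SELinux enabled. It assumes an inventory group named k8s_nodes, CentOS/RHEL 7 nodes, and the ansible.posix collection installed on the control machine.

```yaml
# Added example, not from the talk. Assumes: inventory group "k8s_nodes",
# CentOS/RHEL 7 targets, and the ansible.posix collection available.
---
- name: Keep SELinux enforcing on Kubernetes nodes
  hosts: k8s_nodes
  become: true
  tasks:
    # Each task does one thing and they run top-down, so the policy
    # packages are guaranteed to be present before the state is set.
    - name: Ensure the SELinux targeted policy and tooling are installed
      ansible.builtin.package:
        name:
          - selinux-policy-targeted
          - policycoreutils
        state: present

    # Idempotent: a second run reports "ok" instead of "changed".
    - name: Ensure SELinux is enforcing with the targeted policy
      ansible.posix.selinux:
        policy: targeted
        state: enforcing
      register: selinux_result

    # Switching from disabled to enforcing needs a relabel and reboot;
    # surface that instead of silently leaving the node half-configured.
    - name: Report when a reboot is needed for the change to take effect
      ansible.builtin.debug:
        msg: "SELinux state changed on {{ inventory_hostname }}; reboot required"
      when: selinux_result.reboot_required | default(false)
```

Running it as `ansible-playbook --check --diff selinux.yml` first is the "audit a system and show potential changes before making them" step: it reports which nodes would change without touching them.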
Ansible playbook
Networking as code
Infrastructure as code
Infrastructure as Code
Ansible Tower
● Adds reporting/accountability
● Dashboards
● Scheduled jobs
● Multi-playbook workflows
• Applies and audits over 180 controls from the STIG* in a few minutes.
• Supports CentOS/RHEL 7, Debian, Fedora, OpenSUSE, and Ubuntu 16.04.
• Fully open source and looking for new contributors/testers
https://github.com/openstack/ansible-hardening
* The Security Technical Implementation Guide (STIG) is a set of hardening configurations for various systems published by the US Department of Defense.
InSpec (https://www.inspec.io)
• Compliance as code
• Ruby DSL for testing desired state
• Ansible to install InSpec
• Ansible to deploy InSpec rules
• Sensu check / PagerDuty alert
• InSpec logs to ELK for audit
Example InSpec rule: https://github.com/inspec-stigs/inspec-stig-rhel7
Compliance as Code
Cuttle (pronounced Cuddle): Ops Platform [as code]
• 2FA SSH bastion
• OAuth web portal
• Centralized logging (ELK)
• Centralized monitoring (Sensu)
• Builds / tests / jobs (Jenkins)
• Mirrors (ubuntu, pypi, rubygems)
• and a LOT MORE!
https://github.com/sitectl/cuttle
Cuttle - Bastion
● SSH (obviously!)
● 2FA (Google Authenticator or Yubikey)
  ○ https://github.com/blueboxgroup/yubiauthd
  ○ Each user has their own user + pubkey + second factor.
● SSH agent auth proxy
  ○ https://github.com/blueboxgroup/sshagentmux
  ○ Adds keys to the user’s agent based on group membership
● ttyspy
  ○ https://github.com/ibm/ttyspy
  ○ Emulates `script | curl -XPOST https://log-server`
Kubespray
• Ansible playbooks to deploy Kubernetes
• Official(ish)
• Install K8s on any infrastructure
  • Bare metal
  • Private cloud
  • Public cloud
  • VMware
https://github.com/kubernetes-incubator/kubespray
Kubespray is production ready!
• Continuous integration• High availability• Upgrades!
https://github.com/kubernetes-incubator/kubespray
Other considerations:
• Build pipeline - ConcourseCI, Jenkins, etc.
• Registry - Quay.io or vmware/harbor
• Extra secure containers - Clear Linux and Kata Containers
• Secret management - Vault
• k8s auth/ACLs - openpolicyagent
Thank you!
Paul Czarkowski @pczarkowski
Major Hayden @majorhayden