kubernetes security best practices cncf webinar series · cncf webinar series kubernetes security...

CNCF Webinar Series Kubernetes Security Best Practices Connor Gorman, Principal Engineer, StackRox 11 March 2020

Upload: others

Post on 25-Jun-2020




0 download


Page 1: Kubernetes Security Best Practices CNCF Webinar Series · CNCF Webinar Series Kubernetes Security Best Practices Connor Gorman, Principal Engineer, StackRox 11 March 2020

CNCF Webinar Series

Kubernetes Security Best PracticesConnor Gorman, Principal Engineer, StackRox11 March 2020

Page 2: Kubernetes Security Best Practices CNCF Webinar Series · CNCF Webinar Series Kubernetes Security Best Practices Connor Gorman, Principal Engineer, StackRox 11 March 2020

2©2020 StackRox. All rights reserved.

What we’ll cover

• General Kubernetes hygiene

• Workload best practices

• Demo

• Questions?

Page 3: Kubernetes Security Best Practices CNCF Webinar Series · CNCF Webinar Series Kubernetes Security Best Practices Connor Gorman, Principal Engineer, StackRox 11 March 2020

3©2020 StackRox. All rights reserved.

What are we doing here?

Page 4: Kubernetes Security Best Practices CNCF Webinar Series · CNCF Webinar Series Kubernetes Security Best Practices Connor Gorman, Principal Engineer, StackRox 11 March 2020

4©2020 StackRox. All rights reserved.

Scratch that … Kubernetes is here!

Page 5: Kubernetes Security Best Practices CNCF Webinar Series · CNCF Webinar Series Kubernetes Security Best Practices Connor Gorman, Principal Engineer, StackRox 11 March 2020

5©2019 StackRox. All rights reserved.

Kubernetes Hygiene

Page 6: Kubernetes Security Best Practices CNCF Webinar Series · CNCF Webinar Series Kubernetes Security Best Practices Connor Gorman, Principal Engineer, StackRox 11 March 2020

6©2020 StackRox. All rights reserved.

Upgrade to a current version!

Page 7: Kubernetes Security Best Practices CNCF Webinar Series · CNCF Webinar Series Kubernetes Security Best Practices Connor Gorman, Principal Engineer, StackRox 11 March 2020

7©2020 StackRox. All rights reserved.

Keep up to date with Security and major API announcements https://groups.google.com/forum/#!forum/kubernetes-announce

Kubernetes-Announce Google Group

Page 8: Kubernetes Security Best Practices CNCF Webinar Series · CNCF Webinar Series Kubernetes Security Best Practices Connor Gorman, Principal Engineer, StackRox 11 March 2020

8©2020 StackRox. All rights reserved.

Harden Node Security

Control network access to sensitive ports.

Make sure that your network restricts access to ports used by kubelet, including 10250 and 10255. Consider limiting access to the Kubernetes API server except from trusted networks.

Page 9: Kubernetes Security Best Practices CNCF Webinar Series · CNCF Webinar Series Kubernetes Security Best Practices Connor Gorman, Principal Engineer, StackRox 11 March 2020

9©2020 StackRox. All rights reserved.

Harden Node Security

Minimize administrative access to Kubernetes nodes.

Access to the nodes in your cluster should generally be restricted — debugging and other tasks can usually be handled without direct access to the node.

Page 10: Kubernetes Security Best Practices CNCF Webinar Series · CNCF Webinar Series Kubernetes Security Best Practices Connor Gorman, Principal Engineer, StackRox 11 March 2020

10©2020 StackRox. All rights reserved.

Enable Role-Based Access Control

Control who can access the Kubernetes API and what permissions they have.

Page 11: Kubernetes Security Best Practices CNCF Webinar Series · CNCF Webinar Series Kubernetes Security Best Practices Connor Gorman, Principal Engineer, StackRox 11 March 2020

11©2019 StackRox. All rights reserved.

Workload Best Practices

Page 12: Kubernetes Security Best Practices CNCF Webinar Series · CNCF Webinar Series Kubernetes Security Best Practices Connor Gorman, Principal Engineer, StackRox 11 March 2020

12©2020 StackRox. All rights reserved.

Contextualizing Risk

Page 13: Kubernetes Security Best Practices CNCF Webinar Series · CNCF Webinar Series Kubernetes Security Best Practices Connor Gorman, Principal Engineer, StackRox 11 March 2020

13©2020 StackRox. All rights reserved.

How can we think about Risk?

Page 14: Kubernetes Security Best Practices CNCF Webinar Series · CNCF Webinar Series Kubernetes Security Best Practices Connor Gorman, Principal Engineer, StackRox 11 March 2020

14©2020 StackRox. All rights reserved.

Leverage Namespaces

• Great for resource usage tracking

• Allows RBAC to be finely-tuned

• Allows for generic network policies and network segmentation

• Makes kubectl results more sane

Page 15: Kubernetes Security Best Practices CNCF Webinar Series · CNCF Webinar Series Kubernetes Security Best Practices Connor Gorman, Principal Engineer, StackRox 11 March 2020

15©2020 StackRox. All rights reserved.

Leverage Network Policies

• Pod-centric firewalling - Pod A can/can’t talk to Pod B

• Generic policies on Ingress/Egress can help ensure fine-grained connections

• Namespace isolation helps ensure compliance especially in multi-tenant environments


• What if my environment already exists?

• How can I scale network policies at my organization?

• How do I make sure that developers are enabled to build their own network policies?

Page 16: Kubernetes Security Best Practices CNCF Webinar Series · CNCF Webinar Series Kubernetes Security Best Practices Connor Gorman, Principal Engineer, StackRox 11 March 2020

16©2020 StackRox. All rights reserved.

Visualize Network Traffic and Policies

Page 17: Kubernetes Security Best Practices CNCF Webinar Series · CNCF Webinar Series Kubernetes Security Best Practices Connor Gorman, Principal Engineer, StackRox 11 March 2020

17©2020 StackRox. All rights reserved.

Slim down your images

• Go distroless or use lightweight base images

• Remove package managers and network utilities

• Remove filesystem modification utilities (chmod, chown)

• Scan and enforce to prevent them from entering your environment again

...how do I debug now?

Page 18: Kubernetes Security Best Practices CNCF Webinar Series · CNCF Webinar Series Kubernetes Security Best Practices Connor Gorman, Principal Engineer, StackRox 11 March 2020

18©2020 StackRox. All rights reserved.

• Alpha as of 1.16! So use with caution

• Allows binding of a new container to an existing Pod to facilitate the execution of debugging commands, network utilities, etc

• Images no longer have to include: curl, apt, bash, or other utilities

Looking ahead to Ephemeral Containers!

Page 19: Kubernetes Security Best Practices CNCF Webinar Series · CNCF Webinar Series Kubernetes Security Best Practices Connor Gorman, Principal Engineer, StackRox 11 March 2020

19©2019 StackRox. All rights reserved.


Page 20: Kubernetes Security Best Practices CNCF Webinar Series · CNCF Webinar Series Kubernetes Security Best Practices Connor Gorman, Principal Engineer, StackRox 11 March 2020

20©2020 StackRox. All rights reserved.

Configurations to explore

• Read-only root file system

• Linux capabilities

• Network policies

• Host mounts

• Disable service account auto-mount

• Environment

• Resource requirements

Page 21: Kubernetes Security Best Practices CNCF Webinar Series · CNCF Webinar Series Kubernetes Security Best Practices Connor Gorman, Principal Engineer, StackRox 11 March 2020

21©2020 StackRox. All rights reserved.

Read-only filesystem

securityContext: readOnlyRootFilesystem: true

volumes: - emptyDir: {} name: varlog

Specifies read-only FS

Creates RAM based empty-dir

Page 22: Kubernetes Security Best Practices CNCF Webinar Series · CNCF Webinar Series Kubernetes Security Best Practices Connor Gorman, Principal Engineer, StackRox 11 March 2020

22©2020 StackRox. All rights reserved.

Example: Stopping a Struts exploit

Deploying a vulnerable container (with R/W root FS)

Page 23: Kubernetes Security Best Practices CNCF Webinar Series · CNCF Webinar Series Kubernetes Security Best Practices Connor Gorman, Principal Engineer, StackRox 11 March 2020

23©2020 StackRox. All rights reserved.

Example: Stopping a Struts exploit

The exploit works — we can download and run minerd.

Page 24: Kubernetes Security Best Practices CNCF Webinar Series · CNCF Webinar Series Kubernetes Security Best Practices Connor Gorman, Principal Engineer, StackRox 11 March 2020

24©2020 StackRox. All rights reserved.

Can my app be read-only?

$ docker diff k8s_nginx_nginx-7db9fccd9b-xyzC /runA /run/nginx.pidA /run/secretsA /run/secrets/kubernetes.ioA /run/secrets/kubernetes.io/serviceaccountC /varC /var/cacheC /var/cache/nginxA /var/cache/nginx/client_tempA /var/cache/nginx/fastcgi_tempA /var/cache/nginx/proxy_tempA /var/cache/nginx/scgi_tempA /var/cache/nginx/uwsgi_temp

Page 25: Kubernetes Security Best Practices CNCF Webinar Series · CNCF Webinar Series Kubernetes Security Best Practices Connor Gorman, Principal Engineer, StackRox 11 March 2020

25©2020 StackRox. All rights reserved.

Example: Stopping a Struts exploit

After declaring a VOLUME for /usr/local/tomcat,and opting-in for a read-only root FS:

Page 26: Kubernetes Security Best Practices CNCF Webinar Series · CNCF Webinar Series Kubernetes Security Best Practices Connor Gorman, Principal Engineer, StackRox 11 March 2020

26©2020 StackRox. All rights reserved.

Linux Capabilities

Split root superpowers into a series of capabilities such as

- CAP_FOWNER (used by chmod)

- CAP_CHOWN (used by chown)

- CAP_NET_RAW (used by ping)

Page 27: Kubernetes Security Best Practices CNCF Webinar Series · CNCF Webinar Series Kubernetes Security Best Practices Connor Gorman, Principal Engineer, StackRox 11 March 2020

27©2020 StackRox. All rights reserved.

Linux Capabilities

Page 28: Kubernetes Security Best Practices CNCF Webinar Series · CNCF Webinar Series Kubernetes Security Best Practices Connor Gorman, Principal Engineer, StackRox 11 March 2020

28©2020 StackRox. All rights reserved.

securityContext: capabilities: drop: - all

minerdtar: minerd: Cannot change ownership to uid 1000, gid 1000: Operation not permittedtar: Exiting with failure status due to previous errors

Example: Capabilities dropped

Page 29: Kubernetes Security Best Practices CNCF Webinar Series · CNCF Webinar Series Kubernetes Security Best Practices Connor Gorman, Principal Engineer, StackRox 11 March 2020

29©2020 StackRox. All rights reserved.

Network Policies

kind: NetworkPolicyapiVersion: networking.k8s.io/v1metadata: name: web-allow-all-ns-monitoringspec: podSelector: matchLabels: app: web ingress: - from: - namespaceSelector: matchLabels: team: operations podSelector: matchLabels: type: monitoring

Page 30: Kubernetes Security Best Practices CNCF Webinar Series · CNCF Webinar Series Kubernetes Security Best Practices Connor Gorman, Principal Engineer, StackRox 11 March 2020

30©2019 StackRox. All rights reserved.

Security is Hard!

Page 31: Kubernetes Security Best Practices CNCF Webinar Series · CNCF Webinar Series Kubernetes Security Best Practices Connor Gorman, Principal Engineer, StackRox 11 March 2020

31©2019 StackRox. All rights reserved.

Let’s chat

Think of a question [email protected]

Want to learn more?https://www.stackrox.com/

We’re hiring!