Deploying Kubernetes Without Scaring Away Your Security Team
Paul Czarkowski, Pivotal Software
Major Hayden, Rackspace
Enterprise security teams demand security layers that are:
• Valuable
• Non-disruptive
• Documented
• Auditable
• Easily understood
Ansible can do all of these!
• Orchestration
• Configuration Management
• Easy yet Powerful
• **** as Code
https://www.ansible.com/
What is Ansible?
• Why Ansible is a perfect fit for an enterprise with silos (system, network, security)
• Ansible is fairly easy to read and understand (YAML)
• Ansible runs "tasks" in a declarative and predictable way.
• Tasks -> Plays -> Playbooks | Inventory
• Ansible is not just for systems, but for networks and containers as well.
• Ansible becomes the common language between your silos and even helps remove the walls.
Why Ansible* ?
In modern DevOps / SRE practices we need to treat everything as Code.
• infrastructure as code
• security as code
• compliance as code
• ….. as code
* Or Chef, Puppet, BOSH, etc, etc.
Why Ansible* ?
• Winning the Configuration Management [war].
• De facto for OpenStack installations
• Lots of prior art
• All the tooling already exists in the Ansible ecosystem to deploy and maintain a secure/compliant Kubernetes infrastructure.
Ansible Inventory
• Hosts and Variables
• Store in git!
• Use Ansible-Vault for secrets!
Ansible Tower
● Adds reporting/accountability
● Dashboards
● Scheduled Jobs
● Multi-Playbook Workflows
• Applies and audits over 180 controls from the STIG* in a few minutes.
• Supports CentOS/RHEL 7, Debian, Fedora, OpenSUSE, and Ubuntu 16.04.
https://github.com/openstack/ansible-hardening
* The Security Technical Implementation Guide (STIG) is a set of hardening configurations for various systems published by the US Department of Defense.
• Compliance as Code
• Ruby DSL for testing desired state
• Ansible to install InSpec
• Ansible to deploy InSpec rules
• Sensu Check / PagerDuty Alert
• InSpec logs to ELK for audit
https://www.inspec.io
Example InSpec rule
https://github.com/inspec-stigs/inspec-stig-rhel7
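The glue between the last three bullets of the compliance slide (InSpec run -> Sensu check -> ELK audit log), as an added example that is not code from the deck, Cuttle or InSpec. It assumes the shape of `inspec exec --reporter json` output (profiles -> controls -> results, each result with a status of passed/failed/skipped, each control with an impact from 0.0 to 1.0) and Sensu's check exit codes; the sample report and the 0.7 paging threshold are constructed for the example.

```python
import json
import sys

# Sensu check plugin exit codes: 0 OK, 1 WARNING, 2 CRITICAL.
OK, WARNING, CRITICAL = 0, 1, 2
CRITICAL_IMPACT = 0.7  # failing controls at or above this impact page someone (assumed threshold)

# Constructed sample of `inspec exec --reporter json` output, trimmed to the fields read below.
SAMPLE_REPORT = json.dumps({"profiles": [{"name": "bastion-ssh", "controls": [
    {"id": "ssh-01", "title": "Disable root login", "impact": 0.9,
     "results": [{"status": "passed", "code_desc": "SSHD Configuration PermitRootLogin should eq \"no\""}]},
    {"id": "ssh-02", "title": "Disable password auth", "impact": 0.7,
     "results": [{"status": "failed", "code_desc": "SSHD Configuration PasswordAuthentication should eq \"no\"",
                  "message": "expected: \"no\" got: \"yes\""}]},
    {"id": "ssh-03", "title": "Login banner", "impact": 0.3,
     "results": [{"status": "skipped", "code_desc": "Banner check skipped on this platform"}]}]}]})


def control_status(control):
    """A control is failed if any describe block failed, passed if any passed, otherwise skipped."""
    statuses = {r.get("status") for r in control.get("results", [])}
    if "failed" in statuses:
        return "failed"
    return "passed" if "passed" in statuses else "skipped"


def evaluate(report_json, hostname):
    """Return (sensu_exit_code, summary_line, audit_events) for one InSpec JSON report."""
    report = json.loads(report_json)
    counts = {"passed": 0, "failed": 0, "skipped": 0}
    events, exit_code = [], OK
    for profile in report.get("profiles", []):
        for control in profile.get("controls", []):
            status, impact = control_status(control), float(control.get("impact", 0.0))
            counts[status] += 1
            if status == "failed":
                exit_code = max(exit_code, CRITICAL if impact >= CRITICAL_IMPACT else WARNING)
            # One JSON line per control: shipped to ELK (e.g. by Filebeat) as the audit trail.
            events.append(json.dumps({"host": hostname, "profile": profile.get("name"),
                                      "control": control.get("id"), "title": control.get("title"),
                                      "impact": impact, "status": status,
                                      "messages": [r["message"] for r in control.get("results", []) if r.get("message")]}))
    label = {OK: "OK", WARNING: "WARNING", CRITICAL: "CRITICAL"}[exit_code]
    summary = "InSpec %s on %s: %d failed, %d passed, %d skipped" % (
        label, hostname, counts["failed"], counts["passed"], counts["skipped"])
    return exit_code, summary, events


if __name__ == "__main__":
    # Real use: pipe `inspec exec <profile> --reporter json` into this script from the Sensu check.
    raw = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_REPORT
    code, summary, events = evaluate(raw, "bastion01")
    with open("inspec-audit.jsonl", "a") as fh:  # the log file the ELK shipper tails
        fh.write("\n".join(events) + "\n")
    print(summary)  # Sensu records the check output alongside the exit code
    sys.exit(code)
```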
Cuttle (pronounced Cuddle)
Ops Platform [as code]
• 2FA SSH Bastion
• OAuth Web Portal
• Centralized Logging (ELK)
• Centralized Monitoring (Sensu)
• Builds / Tests / Jobs (Jenkins)
• Mirrors (ubuntu, pypi, rubygems)
• and a LOT MORE!
https://github.com/sitectl/cuttle
Cuttle - Bastion
● SSH (obviously!)
● 2FA (Google Authenticator or Yubikey)
  ○ https://github.com/blueboxgroup/yubiauthd
  ○ Each user has own user + pubkey + second factor.
● SSH Agent Auth Proxy
  ○ https://github.com/blueboxgroup/sshagentmux
  ○ Adds keys to user's Agent based on group membership
● ttyspy
  ○ https://github.com/ibm/ttyspy
  ○ emulates `script | curl -XPOST https://log-server`
• Ansible Playbooks to deploy Kubernetes
• Official(ish)
• Install K8s on any Infrastructure
  • Bare Metal
  • private cloud
  • public cloud
  • VMWare
https://github.com/kubernetes-incubator/kubespray
Kubespray Networking
• flannel
• calico
• canal
• weave
• cloud provider
https://github.com/kubernetes-incubator/kubespray
Kubespray is Production Ready
• Continuous Integration
• High Availability
• Upgrades!
https://github.com/kubernetes-incubator/kubespray
Getting started with Kubespray
$ vagrant up
$ kubespray deploy --aws -u centos -n calico
$ contrib/inventory_builder/inventory.py help
$ ansible-playbook -i my_inventory/inventory.cfg cluster.yml
Other Considerations:
• Build Pipeline - ConcourseCI, Jenkins, etc.
• Extra secure containers - Clear Linux
• k8s auth/ACLs - Open Policy Agent
• Registry - Quay.io or vmware/harbor
• Secret Management - Vault