running at light speed: cloud native security patterns · 1/17/2019 · isolating containerized...
![Page 1: Running at Light Speed: Cloud Native Security Patterns · 1/17/2019 · Isolating Containerized Workloads](https://reader033.vdocuments.mx/reader033/viewer/2022042806/5f756bc93f4ac25a0a177cfb/html5/thumbnails/1.jpg)
Running at Light Speed: Cloud Native Security Patterns
Hi, How is Everybody? Good. Great.
Cloud Native Characteristics
Cloud Native Secure Architecture
Whose Job is it Anyway?
Isolating Containerized Workloads
https://kubernetes.io/blog/2018/07/18/11-ways-not-to-get-hacked/
Control Plane & Core Components
Reconciler Pattern
https://freecontent.manning.com/wp-content/uploads/Luksa_IRC_02.png
Spoiler: Containers Aren’t Sandboxes
https://www.docker.com/sites/default/files/Container%402x.png
Container Privilege Escalation
The Gateway Drug
https://coreos.com/rkt/docs/latest/rkt-vs-docker-process-model.png
Container Isolation Models
How They Stack Up
https://blog.jessfraz.com/post/containers-security-and-echo-chambers/
Just Use the Defaults != Turn It Off
Control Groups & Namespaces
https://kubernetes.io/blog/2017/11/securing-software-supply-chain-grafeas/
What Am I Shipping?
```shell
# Is seccomp compiled into the running kernel?
$ grep CONFIG_SECCOMP= /boot/config-$(uname -r)
# Is the AppArmor LSM enabled on this host?
$ cat /sys/module/apparmor/parameters/enabled
```
Base Image Management
Build Integrity & Attestation
Seccomp
AppArmor
Restricting Capabilities
```shell
# Drop every capability, then add back only the one the workload needs
docker run -d --cap-drop=all --cap-add=net_raw my-image
```
Limiting Privileges
User Namespaces
```shell
# Map container root to an unprivileged host user via user namespaces
dockerd --userns-remap="someuser:someuser"
```
Rootless Containers
Upstream Orchestration Support
No New Privileges
Authentication
Implementation Flaw - Account Reuse
Run Commands via K8s API
Fixing the Problem
```shell
# Give the workload its own service account instead of reusing a shared one
kubectl create serviceaccount s1 --namespace="prod"
```
Don’t Share Anything From the Host
Authorization
Role-Based Access Control
Create Roles & Bindings
Controller Pattern
Admission Controllers
Designing a PodSecurityPolicy
Designing a PodSecurityPolicy
Apply a PodSecurityPolicy
Sidecar Pattern
https://docs.microsoft.com/en-us/azure/architecture/patterns/_images/sidecar.png
Ambassador Pattern
https://docs.microsoft.com/en-us/azure/architecture/patterns/_images/ambassador.png
Service Mesh Pattern
```shell
# Anti-pattern: credentials passed as environment variables are visible in
# the image metadata, `docker inspect`, and the process environment
docker run -it -e "DBUSER=dbuser" -e "DBPASSWD=dbpasswd" mydbimage

# Docker secrets: read the secret from stdin ("-") instead of a file on disk
echo <secret> | docker secret create some-secret -

# Kubernetes: create a Secret from files, or declaratively from a manifest
kubectl create secret generic db-user-pw --from-file=./username.txt --from-file=./password.txt
kubectl create -f ./secret.yaml
```
Secrets Management
Nothing is Perfect
Beware of Plain Text Storage
https://blog.openshift.com/vault-integration-using-kubernetes-authentication-method/
Dynamic Secrets
Example – Retrieve & Mount a Secret
Conclusion
Keep in Touch