Cloud conf keynote - Orchestrating Least Privilege
1 like657 views
The document discusses the concept of least privilege orchestration, emphasizing the need for orchestrators to manage tasks and resources while adhering to the principle of least privilege. It outlines the roles and responsibilities involved in managing cluster operations and mitigating potential security threats from internal and external attackers. Additionally, it highlights the implementation of mutual TLS for secure communications and the management of permissions within a system.
![Mitigating Internal Network Attacker
[ { "permission":
{ "method": "GET", "resource": "/user" },
"allow": ["web", "fulfillment", "payments"] },
{ "permission":
{ "method": "POST", "resource": "/user" },
"allow": ["signup", "web"] },
{ "permission":
{ "method": "DELETE", "resource": "/user/.*" },
"allow": ["web"]
}]](https://image.slidesharecdn.com/cloudconfkeynote-170316175522/85/Cloud-conf-keynote-Orchestrating-Least-Privilege-33-320.jpg)
Cloud conf keynote - Orchestrating Least Privilege
- 2. ~2000 Today
- 3. What is an Orchestrator?
- 4. What is an Orchestra?
- 10. SWARM
- 11. Job of a Conductor - Casting - Assign sheet music - Unify performers - Set the tempo
- 12. Job of an Orchestrator - Node management - Task assignment - Cluster state reconciliation - Resource Management
- 13. What is a Least Privilege Orchestrator?
- 14. What is Least Privilege?
- 16. A process must be able to access only the information and resources that are necessary for its legitimate purpose. Principle of Least Privilege
- 17. An Orchestrator that follows the principle of least privilege in the strictest manner possible. Least Privilege Orchestrator
- 20. Cluster Internet
- 24. M M M AA A
- 26. M M M WW W
- 28. M M M WW W
- 29. How far away are we right now?
- 31. How do we achieve Least Privilege Orchestration?
- 32. Mitigating External Attacker web: image: web-app expose: 443 links: - redis redis: image: redis
- 33. Mitigating Internal Network Attacker [ { "permission": { "method": "GET", "resource": "/user" }, "allow": ["web", "fulfillment", "payments"] }, { "permission": { "method": "POST", "resource": "/user" }, "allow": ["signup", "web"] }, { "permission": { "method": "DELETE", "resource": "/user/.*" }, "allow": ["web"] }]
- 34. Mitigating MiTM Attacker rails-app: image: rails-app links: - mysql mysql: image: mysql MTLS
- 36. Mitigating Malicious Manager Worker Manager WorkerWorker web: image: web-app expose: 443 links: - redis tls-auth: - OU: api-client redis: image: redis web: image: web-app expose: 443 links: web: image: web-app expose: 443 links: web: image: web-app expose: 443 links:
- 37. SWARM
- 39. Mutual TLS by default • First node generates a new self-signed CA.
- 40. Mutual TLS by default • New nodes can get a certificate issued w/ a token.
- 41. Mutual TLS by default • Workers and managers identified by their certificate.
- 42. Mutual TLS by default • Communications secured with Mutual TLS.
- 44. Secrets
- 45. Secrets
- 49. Thank you