KubeHuddle NA 2023 - Why should devs care about container security - Eric Smalling.pdf
- 2. Eric Smalling ● Senior Developer Advocate @ Snyk ● Based in Dallas/Fort Worth, Texas ● 20+ years enterprise software development ● 10+ years build/test/deploy automation (CI/CD) ● Docker user since 2013 (v0.6) ● Docker Captain ● CKA, CKAD & CKS Certified @ericsmalling
- 3. Container Challenges Historically, developers have owned the security posture of their own code and the libraries used. Containers add security concerns at the operating-system level such as base-image selection, package installation, user and file permissions, and more. Increased Scope of Responsibility These additional technologies used to be owned by other teams such as system engineers or middleware teams. Many developers have never had to deal with securing these layers of the stack. Lack of Expertise While shifting security left adds responsibilities to developer teams, the business owners have expectations that pipeline velocity will not be negatively impacted. Maintaining Velocity
- 4. Ownership of developers What does my service contain? ● Source code of my app ● 3rd party dependencies ● Dockerfile ● IaC files (eg. Terraform) ● K8s files
- 6. Defence in Depth Further practices and tech to consider. Images Runtime Kubernetes
- 7. Defence in Depth Further practices and tech to consider. Images Runtime Kubernetes Minimize Footprint Don’t give hackers more tools to expand their exploits Layer Housekeeping Understand how layers work at build and run-time Build strategies Multi-Stage, repeatable builds, standardized labeling, alternative tools Secure Supply Chain Know where images come from. Only CI should push to registries.
- 8. Defence in Depth Further practices and tech to consider. Images Runtime Kubernetes Don’t run as root You probably don’t need it. Privileged Containers You almost definitely don’t need it. Drop capabilities Most apps don’t need even Linux capabilities; dropping all and allow only what’s needed. Read Only Root Filesystem Immutability makes exploiting your container harder. Deploy from known sources Pull from known registries only.
- 9. Defence in Depth Further practices and tech to consider. Images Runtime Kubernetes Secrets Use them but make sure they’re encrypted and have RBAC applied RBAC Hopefully everybody is using this. SecurityContext Much of the Runtime practices mentioned can be enforced via SC Network Policy Start with zero-trust and add allow rules only as necessary. Enforcement Use OPA (Gatekeeper), Kyverno, etc
- 10. Key Takeaways Just like unit tests, fast, actionable security feedback is critical. Working security into a developer’s workflow without slowing them down drives adoption. Feedback Loop Giving developers tools that provide actionable information can allow them to deal with security issues as they are introduced. Empower developers to be proactive Implementing known secure practices for building and running your container images and IaC configurations can mitigate vulnerabilities that slip into deployments as well as zero-day vulnerabilities that may exist. Defence in depth
- 11. References: ● Kubernetes SecurityContext Cheatsheet: https://snyk.co/udW5K ● Dockerfile Best Practices: https://docs.docker.com/develop/develop-images/dockerfile_best-practices ● Using multi-stage builds: https://docs.docker.com/develop/develop-images/multistage-build ● OPA Gatekeeper: https://open-policy-agent.github.io/gatekeeper/website/docs ● Kyverno: https://kyverno.io ● PodSecurityPolicy Deprecation: Past, Present, and Future: https://kubernetes.io/blog/2021/04/06/podsecuritypolicy-deprecation-past-present-and-future ● CNCF Certification Curriculum: https://github.com/cncf/curriculum ● Snyk Kubernetes “Quick hit” videos: https://youtube.com/playlist?list=PLQ6IC7glz4-UA4uKQOhmAxh6Mhvr3m4g- Thank you! @ericsmalling