SlideShare a Scribd company logo

Securing your Kubernetes cluster_ a step-by-step guide to success !

K
Katia Himeur Talhi

The document provides a comprehensive, step-by-step guide to securing Kubernetes clusters, focusing on various attack vectors and security best practices. It emphasizes the importance of implementing strategies like zero trust architecture, role-based access control, and securing secrets to mitigate risks. The guide also covers essential tools and methodologies to enhance security posture within managed and unmanaged Kubernetes environments.

Technology
Related topics:
Cloud Computing Insights
1 of 99
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
Securing your Kubernetes cluster: Your step-by-step guide to success! 25/04/2024 Katia HIMEUR
2 Who am I?
Who am I? • 🪪 Katia HIMEUR • 💻 Computer scientist • ☁ CTO & co-founder of Cockpit io, cloud & DevOps specialist • 󰟲 SRE/Cloud/DevOps consultant for several years ❤ #Cloud #DevOps #Containers #Serverless #GitOps #IaC #CICD ❤ Securing your Kubernetes cluster: a step-by-step guide to success! 3 25/04/2024
4 Introduction
Kubernetes, the leading container orchestrator 25/04/2024 Source : https://marketsnresearch.com/report/1649/global-kubernetes-market 5 Securing your Kubernetes cluster: a step-by-step guide to success!
The new cloud OS 25/04/2024 Source : https://www.dynatrace.com/news/blog/kubernetes-in-the-wild-2023/ 6 Securing your Kubernetes cluster: a step-by-step guide to success!
25/04/2024 Attackers on the lookout 7 Securing your Kubernetes cluster: a step-by-step guide to success!
Safety not always a priority 25/04/2024 8 Securing your Kubernetes cluster: a step-by-step guide to success!
9 Why is it important to secure your cluster?
K8s's popularity increases attacker interest 25/04/2024 10 Securing your Kubernetes cluster: a step-by-step guide to success!
Flexibility ⥤ Complexity ⥤ Errors 25/04/2024 Configuration errors are a security risk Complexity can lead to configuration errors Its flexibility leads to complex configurations Kubernetes is extremely flexible 11 Securing your Kubernetes cluster: a step-by-step guide to success!
Extended attack surface 25/04/2024 https://kubernetes.io/docs/concepts/overview/components/ 12 Securing your Kubernetes cluster: a step-by-step guide to success!
Scalability and resilience can be a vector for vulnerability propagation 25/04/2024 13 Securing your Kubernetes cluster: a step-by-step guide to success!
Company background Need : ● Compliance with specific standards and regulations ● Protect sensitive and critical applications and infrastructure ● Secure the sensitive data that may pass through 25/04/2024 14 Securing your Kubernetes cluster: a step-by-step guide to success!
15 Community and ecosystem support
Community and ecosystem support ● Strong focus on safety ● Continuous improvement and disclosure of vulnerabilities ● Goals : ○ Share security best practices ○ Encouraging corrective action ○ Stay ahead of potential threats 25/04/2024 16 Securing your Kubernetes cluster: a step-by-step guide to success!
17 What will we see during this talk?
What will we see during this talk? ● Understand the different types of attackers and attack vectors ● A non-exhaustive list of concrete actions you can take to secure your cluster ● Focus on managed Kubernetes clusters ● The list of tools provided is for information only. 25/04/2024 18 Securing your Kubernetes cluster: a step-by-step guide to success!
19 Attacker types
Attacker types External attackers Compromised users Internal attackers Compromised containers 25/04/2024 20 Securing your Kubernetes cluster: a step-by-step guide to success!
21 Main attack vectors
Main attack vectors 25/04/2024 Insecure Server API Misconfigured access controls Compromised containers Exposed dashboards Incorrect network configuration Compromised nodes Compromised secrets Supply chain (dependencies...) … 22 Securing your Kubernetes cluster: a step-by-step guide to success!
23 API server focus
API server focus ● Critical cluster component ● External and internal communications gateway ● Manage ○ authentication and authorization ○ Data validation and storage in etcd ○ Orchestration and resource management ○ Scalability and performance 25/04/2024 24 Securing your Kubernetes cluster: a step-by-step guide to success!
25 How do you secure your Kubernetes cluster?
Zero trust architecture 26 25/04/2024 Securing your Kubernetes cluster: a step-by-step guide to success!
Zero trust architecture ● Approach to designing and implementing IT systems where trust is totally eliminated ● Never trust, always verify 25/04/2024 27 Securing your Kubernetes cluster: a step-by-step guide to success!
Zero trust architecture Source : https://blog.cockpitio.com/cloud/approche-zero-trust-dans-le-cloud/ 25/04/2024 28 Securing your Kubernetes cluster: a step-by-step guide to success!
Limiting API Server exposure 25/04/2024 29 Securing your Kubernetes cluster: a step-by-step guide to success!
Limit API Server exposure? ● Restrict access ● Encrypt all flows with API Server 25/04/2024 30 Private clusters Security groups Endpoint access control Network ACLs Securing your Kubernetes cluster: a step-by-step guide to success!
Authentication 25/04/2024 31 Securing your Kubernetes cluster: a step-by-step guide to success!
Authentication ● Use a strong authentication mechanism to control access to Kubernetes ● Use an SSO portal to connect to your clusters (oAuth2, OpenID Connect or LDAP). ● Enable multifactor authentication 25/04/2024 32 Securing your Kubernetes cluster: a step-by-step guide to success!
Authentication 25/04/2024 33 Securing your Kubernetes cluster: a step-by-step guide to success!
Using RBAC 34 25/04/2024 Securing your Kubernetes cluster: a step-by-step guide to success!
Using RBAC ● What is it? ○ RBAC: Role-Based Access Control ○ Resource access control based on user roles and service accounts ○ Defines who can do what 35 25/04/2024 Securing your Kubernetes cluster: a step-by-step guide to success!
Using RBAC ● Good practice ○ Apply the principle of least privilege to users and service accounts 36 25/04/2024 Securing your Kubernetes cluster: a step-by-step guide to success!
Example of an RBAC role 37 25/04/2024 Securing your Kubernetes cluster: a step-by-step guide to success!
Pod Security Admission 25/04/2024 38 Securing your Kubernetes cluster: a step-by-step guide to success!
Pod Security Standards Policies 39 Restricted ● Very restrictive policy ● Follows good curing practices Privileged ● No restrictions ● Climbing possibilities Baseline ● Minimum restriction policy ● Prevents the most common climbs 25/04/2024 Securing your Kubernetes cluster: a step-by-step guide to success!
Pod Security Admission ● Kubernetes native admission controller to enforce Pod Security standards policies ● Pod security restrictions are applied at the namespace level ● Enabled by default in the latest versions of Kubernetes 40 25/04/2024 Securing your Kubernetes cluster: a step-by-step guide to success!
Apply a safety policy 41 25/04/2024 Securing your Kubernetes cluster: a step-by-step guide to success!
Alternatives 42 25/04/2024 Securing your Kubernetes cluster: a step-by-step guide to success!
Using network policies 43 25/04/2024 Securing your Kubernetes cluster: a step-by-step guide to success!
Network status report ● Default : pods are not isolated, all traffic flows are allowed (ingress and egress). ● Best practice: Restrict pod-to-pod communication to the strict minimum 44 25/04/2024 Securing your Kubernetes cluster: a step-by-step guide to success!
What are network policies? ● Allows you to define how pods are authorized to communicate with : ○ Other pods ○ Other namespaces ○ IP blocks 45 25/04/2024 Securing your Kubernetes cluster: a step-by-step guide to success!
Example of a policy that prohibits all outbound flow 46 25/04/2024 Securing your Kubernetes cluster: a step-by-step guide to success!
Alternatives 47 25/04/2024 Network policies Security Network Observability Performance Securing your Kubernetes cluster: a step-by-step guide to success!
Securing your secrets 48 25/04/2024 Securing your Kubernetes cluster: a step-by-step guide to success!
Secrets... Not very secret 😱 ● A Kubernetes secret is an object used to store sensitive data (passwords, tokens, SSH keys, etc.). ● Default : ○ No encryption ○ Stored unencrypted ○ Base64 encoded value 49 25/04/2024 Securing your Kubernetes cluster: a step-by-step guide to success!
Securing your secrets ● Use RBAC to secure access ● Rotate secret ● Audit access to secrets ● Regularly review and update access policies ● Prevent secrets from ending up in logs ● Don't hard code secrets 50 25/04/2024 Securing your Kubernetes cluster: a step-by-step guide to success! Gitleaks
Enable encryption at REST 51 25/04/2024 Securing your Kubernetes cluster: a step-by-step guide to success!
Turn secrets into volume 👍 Exposing them as environment variables👎 52 25/04/2024 ServiceAccount secrets can only be mounted on specific resource types. Securing your Kubernetes cluster: a step-by-step guide to success!
Use external secret management tools 53 AWS Secrets Manager Azure Key Vault Google Cloud Secret Manager 25/04/2024 Securing your Kubernetes cluster: a step-by-step guide to success!
Securing your secrets ● The Secrets Store CSI Driver enables integration of external secrets managers with Kubernetes ● Integration is via a CSI (Container Storage Interface) volume. ● This driver allows you to mount several secrets, keys, certificates, etc. stored in these external secret managers. ● Once the volume has been attached, the data is mounted in the container's file system. 54 25/04/2024 Securing your Kubernetes cluster: a step-by-step guide to success!
Audit logging 55 25/04/2024 Securing your Kubernetes cluster: a step-by-step guide to success!
Audit logging ● Record every request made to the API server ● Analyze logs to detect suspicious and unusual activity ● Use security tools to analyze and react to logs in real time ● Define audit policies to fine-tune the configuration of events to be recorded 25/04/2024 56 Securing your Kubernetes cluster: a step-by-step guide to success!
Example of an audit policy 25/04/2024 57 Securing your Kubernetes cluster: a step-by-step guide to success!
Update and patch management 25/04/2024 58 Securing your Kubernetes cluster: a step-by-step guide to success!
Update and patch management ● Apply update and security patches, automatically if possible, and quickly : ○ Kubernetes clusters ○ all components deployed on clusters ○ nodes ● Use tools that scan all Kubernetes cluster components, including images ● Respect best operating system practices 25/04/2024 59 Securing your Kubernetes cluster: a step-by-step guide to success!
Securing containers 25/04/2024 60 Securing your Kubernetes cluster: a step-by-step guide to success!
Securing containers ● Use only trusted images ● Reduce image size to reduce attack surface ● Use immutable containers to avoid runtime changes 25/04/2024 61 Securing your Kubernetes cluster: a step-by-step guide to success!
Securing containers ● Scanning your container images: before and after deployment ● Sign your container images ● Secure and protect your containers using tools that react to the detection of abnormal events 25/04/2024 62 Securing your Kubernetes cluster: a step-by-step guide to success!
Securing containers 25/04/2024 63 Securing your Kubernetes cluster: a step-by-step guide to success!
Securing containers 25/04/2024 64 Securing your Kubernetes cluster: a step-by-step guide to success!
Admission controllers 25/04/2024 65 Securing your Kubernetes cluster: a step-by-step guide to success!
Admission controllers ● Controllers that intercept requests to the API server before objects are persisted in the etcd database ● Two types of controller : ○ Validating admission controller : Validates or rejects requests ○ Mutating admission controller : Modifies the requests it accepts 25/04/2024 66 Securing your Kubernetes cluster: a step-by-step guide to success!
Configuration example 25/04/2024 67 This admission controller prevents the API server from being overloaded by requests applying rate limiting. Securing your Kubernetes cluster: a step-by-step guide to success!
68 Service mesh
What is a service mesh? 25/04/2024 69 Securing your Kubernetes cluster: a step-by-step guide to success!
● Dedicated infrastructure layer added to applications ● Designates both the tools and the network domain created ● Allow us to : ○ understand traffic ○ make decisions based on traffic type or origin ○ reduce the complexity of network management in a microservice context What is a service mesh? 25/04/2024 70 Securing your Kubernetes cluster: a step-by-step guide to success!
Service Mesh functionalities 25/04/2024 71 Securing your Kubernetes cluster: a step-by-step guide to success!
Service mesh functionalities 25/04/2024 72 Securing your Kubernetes cluster: a step-by-step guide to success! ● Observability ● Traffic management ● Security ● A/B testing ● Canary deployment ● Rate limiting ● Access control ● Encryption (including mTLS) ● End-to-end authentication ● Service discovery
25/04/2024 73 Securing your Kubernetes cluster: a step-by-step guide to success! Some services mesh
Using services mesh 25/04/2024 74 Securing your Kubernetes cluster: a step-by-step guide to success!
75 Container-specific operating systems for Kubernetes
Container-specific operating systems for Kubernetes 25/04/2024 76 Securing your Kubernetes cluster: a step-by-step guide to success! ● Operating systems optimized for running containers and Kubernetes ● Minimize attack surfaces ● Increase cluster security ● Based on READ-ONLY systems
Container-specific operating systems for Kubernetes Talos Linux Elemental 25/04/2024 77 Securing your Kubernetes cluster: a step-by-step guide to success!
78 Requests & limits
Requests & limits 25/04/2024 79 Securing your Kubernetes cluster: a step-by-step guide to success! ● Best practices ○ Set memory requests lower than or equal to limits ○ Limit CPU on sensitive workloads
Requests & limits 25/04/2024 80 Securing your Kubernetes cluster: a step-by-step guide to success! ● Why? ○ Restrict resources used by pods on nodes ○ Avoid the effects of a denial-of-service attack
81 Linux kernel security modules
Linux kernel security modules (1/3) 25/04/2024 82 ● Defining security profiles ● Mechanisms for controlling access and limiting the functionality of processes running on the host system ● Damage limitation for compromised accounts Securing your Kubernetes cluster: a step-by-step guide to success!
Linux kernel security modules (2/3) 25/04/2024 83 Securing your Kubernetes cluster: a step-by-step guide to success! ● Increase insulation between containers ● Defense in depth ● Audit and ensure compliance of our environments
Linux kernel security modules (3/3) SELinux AppArmor 25/04/2024 84 Securing your Kubernetes cluster: a step-by-step guide to success!
85 Seccomp (Linux only)
Seccomp 25/04/2024 86 Securing your Kubernetes cluster: a step-by-step guide to success! ● Abbreviation for Secure computing mode ● Linux kernel security features ● Limits the number of system calls (Syscalls) containers can make ● Reduces attack surface ● Kubernetes automatically applies seccomp profiles loaded on a node to pods and containers
Seccomp - Example 25/04/2024 87 Securing your Kubernetes cluster: a step-by-step guide to success!
88 Real-time protection
Real-time protection 25/04/2024 89 Securing your Kubernetes cluster: a step-by-step guide to success! ● Detect abnormal behavior, security threats and compliance violations ● Be alerted in real time. ● Some tools rely on kernel events, enriched with container and Kubernetes metadata, to succeed in their protection missions.
Real-time protection 25/04/2024 90 Securing your Kubernetes cluster: a step-by-step guide to success!
91 Further information
Follow best practices and recommendations 25/04/2024 92 Securing your Kubernetes cluster: a step-by-step guide to success!
Follow best practices and recommendations 25/04/2024 93 Securing your Kubernetes cluster: a step-by-step guide to success! ● Follow recommendations and best practices ○ Security Checklist from the Kubernetes community: https://kubernetes.io/docs/concepts/security/security-checklist/ ○ CIS (Center for Internet Security (CIS) ) Kubernetes Benchmark ○ Recommendations from cloud providers ○ Keeping up to date
94 Some resources
● Introduction to Vault (FR) ○ https://blog.cockpitio.com/devops/vault-overview/ ● Managing secrets in Kubernetes with Vault Agents (FR) ○ https://blog.cockpitio.com/devops/vault-agent-kubernetes/ ● Securing the API server in Kubernetes with Keycloak(FR) ○ https://blog.cockpitio.com/devops/kubernetes-secure-access-using-keycloak-oidc/ ● Introduction to the zero trust approach (FR) ○ https://blog.cockpitio.com/cloud/approche-zero-trust-dans-le-cloud/ ● Right-sizing your Kubernetes deployments (FR) ○ https://presentations.verchere.fr/Requests_Limits_OSXP_2023/ ● Kubernetes security checklist ○ https://kubernetes.io/docs/concepts/security/security-checklist/ 25/04/2024 95 Some resources Securing your Kubernetes cluster: a step-by-step guide to success!
96 Conclusion
Conclusion ● Securing Kubernetes environments is fundamental to protecting your company's interests, ensuring compliance and maintaining trust. ● As Kubernetes continues to evolve, so will security strategies, requiring constant attention and adaptation. ● Today's list is not exhaustive. No list can be, as attackers show their creativity. ● Safety is a matter of continuous improvement and constant attention 25/04/2024 97 Securing your Kubernetes cluster: a step-by-step guide to success!
Thank you @katia_tal /in/katiahimeur / 🔗 blog.cockpitio.com 🔗 www.cockpitio.com @cockpitio42 /company/cockpit-io/ Keep in touch 17/04/2024 98 Securing your Kubernetes cluster: a step-by-step guide to success!
A team of enthusiasts, guided by DevOps culture, to bring you the best of the Cloud!

More Related Content

PDF
Securing your Kubernetes cluster : a step-by-step guide to success! (v2)
Katia Himeur Talhi
 
PPTX
meetup devops aix-marseille - 2025-01 --
Frederic Leger
 
PDF
Attacking and Defending Kubernetes - Nithin Jois
OWASP Hacker Thursday
 
PDF
Kubernetes Administration Certification Cost-Register Now(7262008866)
Novel Vista
 
PDF
Virtual Kubernetes Clusters on Amazon EKS
Jim Bugwadia
 
PDF
Operationalizing Amazon EKS
Jim Bugwadia
 
PDF
5 Kubernetes Security Tools You Should Use
DevOps.com
 
PPTX
Building an Enterprise CaaS with Kubernetes and Rancher 2.0
Shannon Williams
 
Securing your Kubernetes cluster : a step-by-step guide to success! (v2)
Katia Himeur Talhi
 
meetup devops aix-marseille - 2025-01 --
Frederic Leger
 
Attacking and Defending Kubernetes - Nithin Jois
OWASP Hacker Thursday
 
Kubernetes Administration Certification Cost-Register Now(7262008866)
Novel Vista
 
Virtual Kubernetes Clusters on Amazon EKS
Jim Bugwadia
 
Operationalizing Amazon EKS
Jim Bugwadia
 
5 Kubernetes Security Tools You Should Use
DevOps.com
 
Building an Enterprise CaaS with Kubernetes and Rancher 2.0
Shannon Williams
 

Similar to Securing your Kubernetes cluster_ a step-by-step guide to success ! (20)

PPTX
Supply chain security - Develop quickly without inviting The Nefarious.pptx
IvanMilchev1
 
PDF
Integration in the Cloud, by Rob Davies
Judy Breedlove
 
PDF
ultimate guide to kubernetes deployment.pdf
Anshulkichara3
 
PDF
Cloud Native Engineering with SRE and GitOps
Weaveworks
 
PPTX
Kubernetes security with AWS
Kasun Madura Rathnayaka
 
PDF
Moving a Monolith to Kubernetes
M. Scott Ford
 
PDF
Securing Kubernetes Workloads
Jim Bugwadia
 
PDF
How to Accelerate Your Application Delivery Process on Top of Kubernetes Usin...
Mirantis
 
PDF
Managing Kubernetes operating Kubernetes clusters in the real world First Edi...
jayedmonotbp
 
PPTX
Kubernetes Security
Karthik Gaekwad
 
PDF
Container Days: Hijack a Kubernetes Cluster - a Walkthrough
Nico Meisenzahl
 
PPTX
ThousandEyes New Product Features and Release Highlights: June 2024
ThousandEyes
 
PPTX
Kubernetes Security Act Now Before It’s Too Late
Michael Furman
 
PPTX
Kubernetes and container security
Volodymyr Shynkar
 
PDF
KCD Indonesia 2024 - Letting Hacker Into Your Kubernetes Cluster
Muhammad Yuga Nugraha
 
PDF
Best online kubernetes course in H2KInfosys.pdf
abhayah2k
 
PPTX
10 tips for Cloud Native Security
Karthik Gaekwad
 
PDF
Dynatrace - Red Hat workshop : Monolith to Microservices
Steve Caron
 
PPTX
Supply chain security with Kubeclarity.pptx
Knoldus Inc.
 
PDF
Introduction of Kubernetes - Trang Nguyen
Trang Nguyen
 
Supply chain security - Develop quickly without inviting The Nefarious.pptx
IvanMilchev1
 
Integration in the Cloud, by Rob Davies
Judy Breedlove
 
ultimate guide to kubernetes deployment.pdf
Anshulkichara3
 
Cloud Native Engineering with SRE and GitOps
Weaveworks
 
Kubernetes security with AWS
Kasun Madura Rathnayaka
 
Moving a Monolith to Kubernetes
M. Scott Ford
 
Securing Kubernetes Workloads
Jim Bugwadia
 
How to Accelerate Your Application Delivery Process on Top of Kubernetes Usin...
Mirantis
 
Managing Kubernetes operating Kubernetes clusters in the real world First Edi...
jayedmonotbp
 
Kubernetes Security
Karthik Gaekwad
 
Container Days: Hijack a Kubernetes Cluster - a Walkthrough
Nico Meisenzahl
 
ThousandEyes New Product Features and Release Highlights: June 2024
ThousandEyes
 
Kubernetes Security Act Now Before It’s Too Late
Michael Furman
 
Kubernetes and container security
Volodymyr Shynkar
 
KCD Indonesia 2024 - Letting Hacker Into Your Kubernetes Cluster
Muhammad Yuga Nugraha
 
Best online kubernetes course in H2KInfosys.pdf
abhayah2k
 
10 tips for Cloud Native Security
Karthik Gaekwad
 
Dynatrace - Red Hat workshop : Monolith to Microservices
Steve Caron
 
Supply chain security with Kubeclarity.pptx
Knoldus Inc.
 
Introduction of Kubernetes - Trang Nguyen
Trang Nguyen
 
Ad

Recently uploaded (20)

PPTX
Cloud computing and distributed systems.
kkkkkhan
 
PDF
Optimiser vos workloads AI/ML sur Amazon EC2 et AWS Graviton
Julien SIMON
 
PDF
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 
PPTX
Spectroscopy.pptx food analysis technology
nawahassan45
 
PDF
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
PPT
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
PDF
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
PDF
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
PDF
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 
PPTX
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
blackmambaettijean
 
PDF
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
PPTX
ACSFv1EN-58255 AWS Academy Cloud Security Foundations.pptx
23bcla24
 
PDF
Network Security Unit 5.pdf for BCA BBA.
Serpent6
 
PPTX
Detection-First SIEM: Rule Types, Dashboards, and Threat-Informed Strategy
ReZa AdineH
 
PDF
KodekX | Application Modernization Development
KodekX
 
PDF
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
PDF
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
PPTX
sap open course for s4hana steps from ECC to s4
sreeni2106invites
 
PDF
How UI/UX Design Impacts User Retention in Mobile Apps.pdf
SynapseIndia
 
PDF
Per capita expenditure prediction using model stacking based on satellite ima...
IAESIJAI
 
Cloud computing and distributed systems.
kkkkkhan
 
Optimiser vos workloads AI/ML sur Amazon EC2 et AWS Graviton
Julien SIMON
 
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 
Spectroscopy.pptx food analysis technology
nawahassan45
 
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
blackmambaettijean
 
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
ACSFv1EN-58255 AWS Academy Cloud Security Foundations.pptx
23bcla24
 
Network Security Unit 5.pdf for BCA BBA.
Serpent6
 
Detection-First SIEM: Rule Types, Dashboards, and Threat-Informed Strategy
ReZa AdineH
 
KodekX | Application Modernization Development
KodekX
 
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
sap open course for s4hana steps from ECC to s4
sreeni2106invites
 
How UI/UX Design Impacts User Retention in Mobile Apps.pdf
SynapseIndia
 
Per capita expenditure prediction using model stacking based on satellite ima...
IAESIJAI
 
Ad

Securing your Kubernetes cluster_ a step-by-step guide to success !

  • 1. Securing your Kubernetes cluster: Your step-by-step guide to success! 25/04/2024 Katia HIMEUR
  • 3. Who am I? • 🪪 Katia HIMEUR • 💻 Computer scientist • ☁ CTO & co-founder of Cockpit io, cloud & DevOps specialist • 󰟲 SRE/Cloud/DevOps consultant for several years ❤ #Cloud #DevOps #Containers #Serverless #GitOps #IaC #CICD ❤ Securing your Kubernetes cluster: a step-by-step guide to success! 3 25/04/2024
  • 5. Kubernetes, the leading container orchestrator 25/04/2024 Source : https://marketsnresearch.com/report/1649/global-kubernetes-market 5 Securing your Kubernetes cluster: a step-by-step guide to success!
  • 6. The new cloud OS 25/04/2024 Source : https://www.dynatrace.com/news/blog/kubernetes-in-the-wild-2023/ 6 Securing your Kubernetes cluster: a step-by-step guide to success!
  • 7. 25/04/2024 Attackers on the lookout 7 Securing your Kubernetes cluster: a step-by-step guide to success!
  • 8. Safety not always a priority 25/04/2024 8 Securing your Kubernetes cluster: a step-by-step guide to success!
  • 9. 9 Why is it important to secure your cluster?
  • 10. K8s's popularity increases attacker interest 25/04/2024 10 Securing your Kubernetes cluster: a step-by-step guide to success!
  • 11. Flexibility ⥤ Complexity ⥤ Errors 25/04/2024 Configuration errors are a security risk Complexity can lead to configuration errors Its flexibility leads to complex configurations Kubernetes is extremely flexible 11 Securing your Kubernetes cluster: a step-by-step guide to success!
  • 13. Scalability and resilience can be a vector for vulnerability propagation 25/04/2024 13 Securing your Kubernetes cluster: a step-by-step guide to success!
  • 14. Company background Need : ● Compliance with specific standards and regulations ● Protect sensitive and critical applications and infrastructure ● Secure the sensitive data that may pass through 25/04/2024 14 Securing your Kubernetes cluster: a step-by-step guide to success!
  • 16. Community and ecosystem support ● Strong focus on safety ● Continuous improvement and disclosure of vulnerabilities ● Goals : ○ Share security best practices ○ Encouraging corrective action ○ Stay ahead of potential threats 25/04/2024 16 Securing your Kubernetes cluster: a step-by-step guide to success!
  • 17. 17 What will we see during this talk?
  • 18. What will we see during this talk? ● Understand the different types of attackers and attack vectors ● A non-exhaustive list of concrete actions you can take to secure your cluster ● Focus on managed Kubernetes clusters ● The list of tools provided is for information only. 25/04/2024 18 Securing your Kubernetes cluster: a step-by-step guide to success!
  • 22. Main attack vectors 25/04/2024 Insecure Server API Misconfigured access controls Compromised containers Exposed dashboards Incorrect network configuration Compromised nodes Compromised secrets Supply chain (dependencies...) … 22 Securing your Kubernetes cluster: a step-by-step guide to success!
  • 24. API server focus ● Critical cluster component ● External and internal communications gateway ● Manage ○ authentication and authorization ○ Data validation and storage in etcd ○ Orchestration and resource management ○ Scalability and performance 25/04/2024 24 Securing your Kubernetes cluster: a step-by-step guide to success!
  • 25. 25 How do you secure your Kubernetes cluster?
  • 26. Zero trust architecture 26 25/04/2024 Securing your Kubernetes cluster: a step-by-step guide to success!
  • 27. Zero trust architecture ● Approach to designing and implementing IT systems where trust is totally eliminated ● Never trust, always verify 25/04/2024 27 Securing your Kubernetes cluster: a step-by-step guide to success!
  • 28. Zero trust architecture Source : https://blog.cockpitio.com/cloud/approche-zero-trust-dans-le-cloud/ 25/04/2024 28 Securing your Kubernetes cluster: a step-by-step guide to success!
  • 29. Limiting API Server exposure 25/04/2024 29 Securing your Kubernetes cluster: a step-by-step guide to success!
  • 30. Limit API Server exposure? ● Restrict access ● Encrypt all flows with API Server 25/04/2024 30 Private clusters Security groups Endpoint access control Network ACLs Securing your Kubernetes cluster: a step-by-step guide to success!
  • 31. Authentication 25/04/2024 31 Securing your Kubernetes cluster: a step-by-step guide to success!
  • 32. Authentication ● Use a strong authentication mechanism to control access to Kubernetes ● Use an SSO portal to connect to your clusters (oAuth2, OpenID Connect or LDAP). ● Enable multifactor authentication 25/04/2024 32 Securing your Kubernetes cluster: a step-by-step guide to success!
  • 33. Authentication 25/04/2024 33 Securing your Kubernetes cluster: a step-by-step guide to success!
  • 34. Using RBAC 34 25/04/2024 Securing your Kubernetes cluster: a step-by-step guide to success!
  • 35. Using RBAC ● What is it? ○ RBAC: Role-Based Access Control ○ Resource access control based on user roles and service accounts ○ Defines who can do what 35 25/04/2024 Securing your Kubernetes cluster: a step-by-step guide to success!
  • 36. Using RBAC ● Good practice ○ Apply the principle of least privilege to users and service accounts 36 25/04/2024 Securing your Kubernetes cluster: a step-by-step guide to success!
  • 37. Example of an RBAC role 37 25/04/2024 Securing your Kubernetes cluster: a step-by-step guide to success!
  • 38. Pod Security Admission 25/04/2024 38 Securing your Kubernetes cluster: a step-by-step guide to success!
  • 39. Pod Security Standards Policies 39 Restricted ● Very restrictive policy ● Follows good curing practices Privileged ● No restrictions ● Climbing possibilities Baseline ● Minimum restriction policy ● Prevents the most common climbs 25/04/2024 Securing your Kubernetes cluster: a step-by-step guide to success!
  • 40. Pod Security Admission ● Kubernetes native admission controller to enforce Pod Security standards policies ● Pod security restrictions are applied at the namespace level ● Enabled by default in the latest versions of Kubernetes 40 25/04/2024 Securing your Kubernetes cluster: a step-by-step guide to success!
  • 41. Apply a safety policy 41 25/04/2024 Securing your Kubernetes cluster: a step-by-step guide to success!
  • 42. Alternatives 42 25/04/2024 Securing your Kubernetes cluster: a step-by-step guide to success!
  • 43. Using network policies 43 25/04/2024 Securing your Kubernetes cluster: a step-by-step guide to success!
  • 44. Network status report ● Default : pods are not isolated, all traffic flows are allowed (ingress and egress). ● Best practice: Restrict pod-to-pod communication to the strict minimum 44 25/04/2024 Securing your Kubernetes cluster: a step-by-step guide to success!
  • 45. What are network policies? ● Allows you to define how pods are authorized to communicate with : ○ Other pods ○ Other namespaces ○ IP blocks 45 25/04/2024 Securing your Kubernetes cluster: a step-by-step guide to success!
  • 46. Example of a policy that prohibits all outbound flow 46 25/04/2024 Securing your Kubernetes cluster: a step-by-step guide to success!
  • 48. Securing your secrets 48 25/04/2024 Securing your Kubernetes cluster: a step-by-step guide to success!
  • 49. Secrets... Not very secret 😱 ● A Kubernetes secret is an object used to store sensitive data (passwords, tokens, SSH keys, etc.). ● Default : ○ No encryption ○ Stored unencrypted ○ Base64 encoded value 49 25/04/2024 Securing your Kubernetes cluster: a step-by-step guide to success!
  • 50. Securing your secrets ● Use RBAC to secure access ● Rotate secret ● Audit access to secrets ● Regularly review and update access policies ● Prevent secrets from ending up in logs ● Don't hard code secrets 50 25/04/2024 Securing your Kubernetes cluster: a step-by-step guide to success! Gitleaks
  • 51. Enable encryption at REST 51 25/04/2024 Securing your Kubernetes cluster: a step-by-step guide to success!
  • 52. Turn secrets into volume 👍 Exposing them as environment variables👎 52 25/04/2024 ServiceAccount secrets can only be mounted on specific resource types. Securing your Kubernetes cluster: a step-by-step guide to success!
  • 53. Use external secret management tools 53 AWS Secrets Manager Azure Key Vault Google Cloud Secret Manager 25/04/2024 Securing your Kubernetes cluster: a step-by-step guide to success!
  • 54. Securing your secrets ● The Secrets Store CSI Driver enables integration of external secrets managers with Kubernetes ● Integration is via a CSI (Container Storage Interface) volume. ● This driver allows you to mount several secrets, keys, certificates, etc. stored in these external secret managers. ● Once the volume has been attached, the data is mounted in the container's file system. 54 25/04/2024 Securing your Kubernetes cluster: a step-by-step guide to success!
  • 55. Audit logging 55 25/04/2024 Securing your Kubernetes cluster: a step-by-step guide to success!
  • 56. Audit logging ● Record every request made to the API server ● Analyze logs to detect suspicious and unusual activity ● Use security tools to analyze and react to logs in real time ● Define audit policies to fine-tune the configuration of events to be recorded 25/04/2024 56 Securing your Kubernetes cluster: a step-by-step guide to success!
  • 57. Example of an audit policy 25/04/2024 57 Securing your Kubernetes cluster: a step-by-step guide to success!
  • 58. Update and patch management 25/04/2024 58 Securing your Kubernetes cluster: a step-by-step guide to success!
  • 59. Update and patch management ● Apply update and security patches, automatically if possible, and quickly : ○ Kubernetes clusters ○ all components deployed on clusters ○ nodes ● Use tools that scan all Kubernetes cluster components, including images ● Respect best operating system practices 25/04/2024 59 Securing your Kubernetes cluster: a step-by-step guide to success!
  • 60. Securing containers 25/04/2024 60 Securing your Kubernetes cluster: a step-by-step guide to success!
  • 61. Securing containers ● Use only trusted images ● Reduce image size to reduce attack surface ● Use immutable containers to avoid runtime changes 25/04/2024 61 Securing your Kubernetes cluster: a step-by-step guide to success!
  • 62. Securing containers ● Scanning your container images: before and after deployment ● Sign your container images ● Secure and protect your containers using tools that react to the detection of abnormal events 25/04/2024 62 Securing your Kubernetes cluster: a step-by-step guide to success!
  • 63. Securing containers 25/04/2024 63 Securing your Kubernetes cluster: a step-by-step guide to success!
  • 64. Securing containers 25/04/2024 64 Securing your Kubernetes cluster: a step-by-step guide to success!
  • 65. Admission controllers 25/04/2024 65 Securing your Kubernetes cluster: a step-by-step guide to success!
  • 66. Admission controllers ● Controllers that intercept requests to the API server before objects are persisted in the etcd database ● Two types of controller : ○ Validating admission controller : Validates or rejects requests ○ Mutating admission controller : Modifies the requests it accepts 25/04/2024 66 Securing your Kubernetes cluster: a step-by-step guide to success!
  • 67. Configuration example 25/04/2024 67 This admission controller prevents the API server from being overloaded by requests applying rate limiting. Securing your Kubernetes cluster: a step-by-step guide to success!
  • 69. What is a service mesh? 25/04/2024 69 Securing your Kubernetes cluster: a step-by-step guide to success!
  • 70. ● Dedicated infrastructure layer added to applications ● Designates both the tools and the network domain created ● Allow us to : ○ understand traffic ○ make decisions based on traffic type or origin ○ reduce the complexity of network management in a microservice context What is a service mesh? 25/04/2024 70 Securing your Kubernetes cluster: a step-by-step guide to success!
  • 71. Service Mesh functionalities 25/04/2024 71 Securing your Kubernetes cluster: a step-by-step guide to success!
  • 72. Service mesh functionalities 25/04/2024 72 Securing your Kubernetes cluster: a step-by-step guide to success! ● Observability ● Traffic management ● Security ● A/B testing ● Canary deployment ● Rate limiting ● Access control ● Encryption (including mTLS) ● End-to-end authentication ● Service discovery
  • 73. 25/04/2024 73 Securing your Kubernetes cluster: a step-by-step guide to success! Some services mesh
  • 74. Using services mesh 25/04/2024 74 Securing your Kubernetes cluster: a step-by-step guide to success!
  • 76. Container-specific operating systems for Kubernetes 25/04/2024 76 Securing your Kubernetes cluster: a step-by-step guide to success! ● Operating systems optimized for running containers and Kubernetes ● Minimize attack surfaces ● Increase cluster security ● Based on READ-ONLY systems
  • 77. Container-specific operating systems for Kubernetes Talos Linux Elemental 25/04/2024 77 Securing your Kubernetes cluster: a step-by-step guide to success!
  • 79. Requests & limits 25/04/2024 79 Securing your Kubernetes cluster: a step-by-step guide to success! ● Best practices ○ Set memory requests lower than or equal to limits ○ Limit CPU on sensitive workloads
  • 80. Requests & limits 25/04/2024 80 Securing your Kubernetes cluster: a step-by-step guide to success! ● Why? ○ Restrict resources used by pods on nodes ○ Avoid the effects of a denial-of-service attack
  • 82. Linux kernel security modules (1/3) 25/04/2024 82 ● Defining security profiles ● Mechanisms for controlling access and limiting the functionality of processes running on the host system ● Damage limitation for compromised accounts Securing your Kubernetes cluster: a step-by-step guide to success!
  • 83. Linux kernel security modules (2/3) 25/04/2024 83 Securing your Kubernetes cluster: a step-by-step guide to success! ● Increase insulation between containers ● Defense in depth ● Audit and ensure compliance of our environments
  • 84. Linux kernel security modules (3/3) SELinux AppArmor 25/04/2024 84 Securing your Kubernetes cluster: a step-by-step guide to success!
  • 86. Seccomp 25/04/2024 86 Securing your Kubernetes cluster: a step-by-step guide to success! ● Abbreviation for Secure computing mode ● Linux kernel security features ● Limits the number of system calls (Syscalls) containers can make ● Reduces attack surface ● Kubernetes automatically applies seccomp profiles loaded on a node to pods and containers
  • 87. Seccomp - Example 25/04/2024 87 Securing your Kubernetes cluster: a step-by-step guide to success!
  • 89. Real-time protection 25/04/2024 89 Securing your Kubernetes cluster: a step-by-step guide to success! ● Detect abnormal behavior, security threats and compliance violations ● Be alerted in real time. ● Some tools rely on kernel events, enriched with container and Kubernetes metadata, to succeed in their protection missions.
  • 90. Real-time protection 25/04/2024 90 Securing your Kubernetes cluster: a step-by-step guide to success!
  • 92. Follow best practices and recommendations 25/04/2024 92 Securing your Kubernetes cluster: a step-by-step guide to success!
  • 93. Follow best practices and recommendations 25/04/2024 93 Securing your Kubernetes cluster: a step-by-step guide to success! ● Follow recommendations and best practices ○ Security Checklist from the Kubernetes community: https://kubernetes.io/docs/concepts/security/security-checklist/ ○ CIS (Center for Internet Security (CIS) ) Kubernetes Benchmark ○ Recommendations from cloud providers ○ Keeping up to date
  • 95. ● Introduction to Vault (FR) ○ https://blog.cockpitio.com/devops/vault-overview/ ● Managing secrets in Kubernetes with Vault Agents (FR) ○ https://blog.cockpitio.com/devops/vault-agent-kubernetes/ ● Securing the API server in Kubernetes with Keycloak(FR) ○ https://blog.cockpitio.com/devops/kubernetes-secure-access-using-keycloak-oidc/ ● Introduction to the zero trust approach (FR) ○ https://blog.cockpitio.com/cloud/approche-zero-trust-dans-le-cloud/ ● Right-sizing your Kubernetes deployments (FR) ○ https://presentations.verchere.fr/Requests_Limits_OSXP_2023/ ● Kubernetes security checklist ○ https://kubernetes.io/docs/concepts/security/security-checklist/ 25/04/2024 95 Some resources Securing your Kubernetes cluster: a step-by-step guide to success!
  • 97. Conclusion ● Securing Kubernetes environments is fundamental to protecting your company's interests, ensuring compliance and maintaining trust. ● As Kubernetes continues to evolve, so will security strategies, requiring constant attention and adaptation. ● Today's list is not exhaustive. No list can be, as attackers show their creativity. ● Safety is a matter of continuous improvement and constant attention 25/04/2024 97 Securing your Kubernetes cluster: a step-by-step guide to success!
  • 98. Thank you @katia_tal /in/katiahimeur / 🔗 blog.cockpitio.com 🔗 www.cockpitio.com @cockpitio42 /company/cockpit-io/ Keep in touch 17/04/2024 98 Securing your Kubernetes cluster: a step-by-step guide to success!
  • 99. A team of enthusiasts, guided by DevOps culture, to bring you the best of the Cloud!