Security as Code in Docker Ecosystem for Cloud Native Apps
0 likes538 views
The document is a presentation from a meetup focused on cloud-native security, particularly using Docker. It outlines various vulnerabilities and best practices for securing applications in a cloud-native ecosystem, emphasizing actionable security measures. Key topics include authentication, vulnerability management, role-based access control, and the importance of a declarative and immutable approach to infrastructure security.
![CILIUM SOFTWARE DEFINED NETWORK POLICY
[{
"labels": [{"key": "name", "value": "l7-rule"}],
"endpointSelector": {"matchLabels":{"id":"app1"}},
"ingress": [{
"fromEndpoints": [
{"matchLabels":{"id":"app2"}}
],
"toPorts": [{
"ports": [{"port": "80", "protocol": "TCP"}],
"rules": {
"HTTP": [{
"method": "GET",
"path": "/public"
}]
}
}]
}]
}]
$ cilium policy import L7_aware_policy.json
Revision: 3](https://image.slidesharecdn.com/docker-meetup-casablanca-2018-02-21-180226115102/85/Security-as-Code-in-Docker-Ecosystem-for-Cloud-Native-Apps-28-320.jpg)
![TWITTER.COM/ENLAMP
GITHUB.COM/DJALAL
HI [AT] DJAL.AL
THANKS](https://image.slidesharecdn.com/docker-meetup-casablanca-2018-02-21-180226115102/85/Security-as-Code-in-Docker-Ecosystem-for-Cloud-Native-Apps-55-320.jpg)
Security as Code in Docker Ecosystem for Cloud Native Apps
- 1. CLOUD NATIVE SECURITY CASABLANCA DOCKER MEETUP, 21/02/18
- 2. WHO AM I? ▸ “dev with ops skills” and “sysop with dev skills” ▸ ex founder, manager, project leader ▸ continuous learner by nature ▸ helping developers help companies since 1999 CLOUD NATIVE SECURITY - CASABLANCA DOCKER MEETUP, 21/02/18
- 3. THIS TALK IS ABOUT… ▸ docker ecosystem ▸ actionable security ▸ a one-team experience …AND NOT ABOUT ▸ cloud specifics ▸ language specifics ▸ vendor products CLOUD NATIVE SECURITY - CASABLANCA DOCKER MEETUP, 21/02/18 THIS TALK IS REALLY ABOUT YOU AND INTRUDERS
- 4. CLOUD NATIVE SECURITY - CASABLANCA DOCKER MEETUP, 21/02/18 your team(s) INTRUDER(s) hundreds a day LET’S TURN YOUR APP PLAYGROUND INTO INTRUDER HELL
- 5. TOI QUI ENTRE ICI, ABANDONNE TOUT ESPOIR dante alieghieri, la divine comédie CLOUD NATIVE SECURITY - CASABLANCA DOCKER MEETUP, 21/02/18
- 7. CERCLE #1 LIMBES ceux se trouvant privés de la foi, ne peuvent jouir de la vision de Dieu
- 8. CLOUD NATIVE SECURITY - CASABLANCA DOCKER MEETUP, 21/02/18
- 9. SECURITY HELL - FIRST CIRCLE - VISION-IMPAIRED ▸ vulnerability ▸ find an entry(point), sniffing, MITM ▸ security best practice ▸ authentication and identification, HTTPS only ▸ implementation ▸ Traefik w/ Let’s Encrypt Certs, auto-renewed (and free!) ▸ encrypted internal network (more next slides) CLOUD NATIVE SECURITY - CASABLANCA DOCKER MEETUP, 21/02/18
- 10. CLOUD NATIVE SECURITY - CASABLANCA DOCKER MEETUP, 21/02/18
- 11. CLOUD NATIVE SECURITY - CASABLANCA DOCKER MEETUP, 21/02/18
- 12. CLOUD NATIVE SECURITY - CASABLANCA DOCKER MEETUP, 21/02/18 ONE LINER ENABLER
- 13. CERCLE #2 âmes balayées par des vents sans relâche
- 14. CLOUD NATIVE SECURITY - CASABLANCA DOCKER MEETUP, 21/02/18
- 15. SECURITY HELL - CIRCLE #2 - STAYING OUT OF WINDS ▸ vulnerability ▸ flood servers with too many requests a.k.a (D)DOS ▸ security best practice ▸ know your platform, what’s really yours? what’s not? ▸ isolate static content on separate infra (assets, client side js) ▸ keep dynamic content scalable ▸ easiest path ▸ choose a CDN, the fewer the better (b/c HTTP/2) ▸ deploy assets on Netlify (like official docker documentation) CLOUD NATIVE SECURITY - CASABLANCA DOCKER MEETUP, 21/02/18
- 16. CLOUD NATIVE SECURITY - CASABLANCA DOCKER MEETUP, 21/02/18
- 17. CERCLE #3 immergés dans une fange puante
- 18. CLOUD NATIVE SECURITY - CASABLANCA DOCKER MEETUP, 21/02/18
- 19. SECURITY HELL - CIRCLE #3 - STICKING IN ▸ vulnerability ▸ credentials hijacking, phishing ▸ security best practice ▸ short life tokens ▸ rate-limit, ip ban, intrusion detection ▸ implementation ▸ JWT ▸ traefik rate-limit, circuit breaking CLOUD NATIVE SECURITY - CASABLANCA DOCKER MEETUP, 21/02/18
- 20. CERCLE #4 les eaux boueuses du Styx où sont punis les coléreux et les indifférents qui rêvent de n'être jamais nés
- 21. CLOUD NATIVE SECURITY - CASABLANCA DOCKER MEETUP, 21/02/18
- 22. SECURITY HELL - CIRCLE #4 - STUCK IN A SMALL CIRCLE ▸ vulnerability ▸ any leaked token has full access ▸ security best practice ▸ define roles and scopes ▸ easiest path ▸ Identity Access Management ▸ RBAC / Namespaces / Micro segmentation (one service==one net) CLOUD NATIVE SECURITY - CASABLANCA DOCKER MEETUP, 21/02/18
- 23. CERCLE #5 avares et les prodigues, divisés en deux groupes destinés à s'affronter éternellement en roulant des tas de pierres tout autour du cercle
- 24. CLOUD NATIVE SECURITY - CASABLANCA DOCKER MEETUP, 21/02/18
- 25. SECURITY HELL - CIRCLE #5 - BOUNCED OFF ▸ vulnerability ▸ fortress metaphor (clever cloud), reads data/secrets ▸ security best practice ▸ deny everything, unless white-listed ▸ implementation ▸ public cloud : vpc, network policies, cilium ▸ private cloud : iptables, cilium, software defined layer7 CLOUD NATIVE SECURITY - CASABLANCA DOCKER MEETUP, 21/02/18
- 26. DOCKER SWARM STRONGEST SECURITY DEFAULTS
- 28. CILIUM SOFTWARE DEFINED NETWORK POLICY [{ "labels": [{"key": "name", "value": "l7-rule"}], "endpointSelector": {"matchLabels":{"id":"app1"}}, "ingress": [{ "fromEndpoints": [ {"matchLabels":{"id":"app2"}} ], "toPorts": [{ "ports": [{"port": "80", "protocol": "TCP"}], "rules": { "HTTP": [{ "method": "GET", "path": "/public" }] } }] }] }] $ cilium policy import L7_aware_policy.json Revision: 3
- 29. CERCLE #6 hérétiques enterrés et brûlés sans fin dans des cercueils de pierre
- 30. CLOUD NATIVE SECURITY - CASABLANCA DOCKER MEETUP, 21/02/18
- 31. SECURITY HELL - CIRCLE #6 - BURIED IN STONE CLOUD NATIVE SECURITY - CASABLANCA DOCKER MEETUP, 21/02/18 ▸ vulnerability ▸ shell access to the container ▸ security best practice ▸ minimal image / dropped capabilities ▸ non-privileged user / read-only FS ▸ implementation ▸ build time : Dockerfile USER keyword ▸ run time : docker service create —read-only ▸ bonus : docker run has sane security profiles for 99% apps (thx @jessfraz)
- 32. CERCLE #7 les suicidés transformés en arbustes secs, éternellement déchirés par les Harpies
- 33. CLOUD NATIVE SECURITY - CASABLANCA DOCKER MEETUP, 21/02/18
- 34. SECURITY HELL - CIRCLE #7 - DRIED OUT OF OPTIONS CLOUD NATIVE SECURITY - CASABLANCA DOCKER MEETUP, 21/02/18 ▸ vulnerability ▸ on breaking out of container, user has access to all worker processes and resources ▸ security best practice ▸ minimal nodes workers ▸ implementation ▸ packer, linuxkit, see j.cormack slides
- 35. CLOUD NATIVE SECURITY - CASABLANCA DOCKER MEETUP, 21/02/18
- 36. CLOUD NATIVE SECURITY - CASABLANCA DOCKER MEETUP, 21/02/18
- 37. CERCLE #8 Traîtres, Fourbes et Hypocrites, couverts de chapes de plomb et dont le poids les écrase
- 38. CLOUD NATIVE SECURITY - CASABLANCA DOCKER MEETUP, 21/02/18
- 39. SECURITY HELL - CIRCLE #8 - OVERWHELMED BY TEAM PLAY CLOUD NATIVE SECURITY - CASABLANCA DOCKER MEETUP, 21/02/18 ▸ vulnerability ▸ social engineering, phishing leading to security intrusion ▸ security best practice ▸ adding code should be a vetted process ▸ “in God we trust, all others must bring data”, W. Edwards Deming ▸ implementation ▸ signed commits and images ▸ scan images before deploying and after deployment ▸ encrypted secrets instead of env. vars / built-in secrets
- 40. git config --global commit.gpgsign true CLOUD NATIVE SECURITY - CASABLANCA DOCKER MEETUP, 21/02/18 https://help.github.com/articles/signing-commits-using-gpg/ git commit -S -m your commit message
- 41. CLOUD NATIVE SECURITY - CASABLANCA DOCKER MEETUP, 21/02/18 docker trust key generate NAME docker trust signer add —key KEY NAME REPO export DOCKER_CONTENT_TRUST=1 docker trust sign IMAGE:TAG
- 42. CLOUD NATIVE SECURITY - CASABLANCA DOCKER MEETUP, 21/02/18
- 43. CLOUD NATIVE SECURITY - CASABLANCA DOCKER MEETUP, 21/02/18
- 44. CERCLE #9 divisé en quatre « zones » couvertes par les eaux gelées du Cocyte.
- 45. SECURITY HELL - CIRCLE #9 - FREEZED IN DESPAIR CLOUD NATIVE SECURITY - CASABLANCA DOCKER MEETUP, 21/02/18 ▸ vulnerability ▸ changing state, altering any layer of the infra or app, to read/write data ▸ security best practice ▸ declarative and pro-active layers ▸ achieve immutability everywhere ▸ implementation : enabling “everything as code” ▸ infrakit : JSON-based declarative infrastructure ▸ linuxkit : minimal small linux distribution ▸ cilium : network, inter and intra ▸ DTR : image scanning, vulnerability detection ▸ secrets : private keys, credentials, passwords, tokens ▸ pipelines : jenkins blue ocean, gitlab, concourse, etc.
- 46. CLOUD NATIVE SECURITY - CASABLANCA DOCKER MEETUP, 21/02/18
- 47. CLOUD NATIVE SECURITY - CASABLANCA DOCKER MEETUP, 21/02/18
- 48. GOLANG JAVA PHP LINUXKIT INFRAKIT DOCKER COMPOSE DOCKERFILE CILIUM.IO JENKINS PIPELINE network topology system cluster stack image domain logic inspired by WeaveWorks’ “GitOps”, Git as the Source of Truth 7 LEVELS OF GIT-BASED DEV/OPS @enlamp CLOUD NATIVE SECURITY - CASABLANCA DOCKER MEETUP, 21/02/18
- 49. TOO LONG; DID NOT LISTEN (TL;DL) ▸ use declarative + immutable style everywhere ▸ enforce stateless / read-only where possible ▸ sign images, scan images (“docker trust” + CoreOS Clair) ▸ sign commits, use secrets ▸ no fortress metaphor: setup JWT/RBAC between services ▸ secure networking : traefik w/ let’s encrypt + cilium.io ▸ offload static content to netlify/cdn CLOUD NATIVE SECURITY - CASABLANCA DOCKER MEETUP, 21/02/18
- 50. ONE MORE THING
- 51. CLOUD NATIVE SECURITY - CASABLANCA DOCKER MEETUP, 21/02/18
- 52. CLOUD NATIVE SECURITY - CASABLANCA DOCKER MEETUP, 21/02/18
- 53. CLOUD NATIVE SECURITY - CASABLANCA DOCKER MEETUP, 21/02/18
- 54. CLOUD NATIVE SECURITY - CASABLANCA DOCKER MEETUP, 21/02/18 SIMPLE USE-CASE : FILE UPLOADING SERVICE (3 FUNCTIONS)