Shifting security to the left with kubernetes, azure, and istio
0 likes331 views
This document discusses securing DevOps pipelines and Kubernetes clusters. It recommends practices like using multi-stage Docker builds to minimize images, running as non-root users, signing images, scanning for vulnerabilities, using Kubernetes namespaces and secrets safely, and implementing a service mesh like Istio for traffic management and encryption between services. The document emphasizes limiting attack surfaces by securing access to secrets, pods and cluster metadata, and implementing network policies and circuit breakers to control traffic.
Shifting security to the left with kubernetes, azure, and istio
- 3. $whoami
- 5. Why Shifting to the Left?
- 6. “DevOps is those set of cultural norms and technology practices that enable the fast flow of planned work from, among others, development, through tests into operations while preserving world-class reliability, operation and security. DevOps is not about what you do, but what your outcomes are.” (Gene Kim)
- 7. Products
- 8. The Three Ways of DevOps
- 9. So … DevSecOps? Guardrails! Leaning in over Always Saying “No” Data & Security Science Open Contribution & Collaboration Consumable Security Services with APIs over Mandated Security Controls & Paperwork Business Driven Security Scores over Rubber Stamp Security Red & Blue Team Exploit Testing 24x7 Proactive Security Monitoring over Reacting after being Informed of an Incident Shared Threat Intelligence over Keeping Info to Ourselves Compliance Operations over Clipboards & Checklists
- 10. Security is not an afterthought!
- 11. Approach: Red, Green, Refactor Red: reproduce vulnerability Green: fix vulnerability Refactor: improve
- 16. “Kubernetes is insecure by design”
- 20. Mission: Limiting the Attack Surface
- 22. Yes, But … Only From Official Repositories
- 23. And … Build Your Own Images mcr.microsoft.com With Your Private Registry
- 24. Use Multi-Stage Builds Your application doesn’t need most of the compiling tooling … SSH?
- 25. Non-Root Users RUN adduser -D myuser USER myuser
- 26. Sign Your Container Images Content Trust Only release candidates export DOCKER_CONTENT_TRUST=1 docker build --disable-content-trust=false -t myacr.azurecr.io/myimage:v1 .
- 27. Run Scanners https://github.com/quay/clair Azure Security Centerhttps://github.com/docker/docker-bench-security And many more: https://techbeacon.com/security/10-top-open-source-tools-docker-security https://github.com/cilium/cilium
- 29. Mission: Limiting the Attack Surface
- 34. Managing Secrets with Azure Vault + FlexVol https://thorsten-hans.com/azure-key-vault-flexvolume-for-kubernetes
- 35. Demo: Working with Secrets Thorsten Hans post J
- 36. Security in Distributed Systems
- 37. Security in Distributed Systems
- 38. Service Mesh A Sidecar Proxy within Pods
- 39. Service Mesh Traffic Overview
- 41. Istio Network of Services Few / No Code Changes Traffic Management Encryption In-Transit Metrics, Logs, Traces Secure service-to-service
- 44. Istio Installation on AKS istioctl Helm Istio Helm
- 45. Networking Policies Services Pods Why? Tell Me More! DenyAll traffic within the mesh Block access to Instance Metadata service https://ahmet.im/blog/kubernetes-network-policy/
- 46. Circuit Breaker
- 48. Demo: Security using Istio
- 49. What’s Next for Security in Kubernetes?
- 50. You Can Only Go Deeper!
- 52. Takeaways! Be mindful about Docker / Kubernetes defaults least-privileged principle Networking plays a big role in security