
CNCF Webinar:

Operationalizing Kubernetes
Security Best Practices
Connor Gilbert
26 March 2019
What we’ll cover
● How does Kubernetes change security?
● How does cooperation work in a Kubernetes stack?
● What can I do to improve the security of:
○ My infrastructure?
○ My applications?
● What are some Kubernetes controls I could consider adopting?
How does Kubernetes
change security?
“Move fast,” they said

http://www.newseum.org/exhibits/current/conus-1-satellite-truck/
Most people use defaults —
but you don’t have to.
Test your security like your app
apiVersion: apps/v1 apiVersion: apps/v1
kind: Deployment kind: Deployment
spec: spec:
replicas: 1 replicas: 1
template: template:
spec: spec:
containers: containers:
- name: server - name: server
image: my-app:1.0.0-1-g123456 image: my-app:1.0.0-1-g123456
+ securityContext:
+ capabilities:
+ drop: ["NET_RAW"]
+ readOnlyRootFilesystem: true
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: allow-server-https
+spec:
+ ingress:
+ - ports:
+ - port: 443
+ protocol: TCP
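Review bot: The added NetworkPolicy spec has only an ingress section and no podSelector, so nothing in allow-server-https says which pods it applies to; add a podSelector that matches the server pods' labels (the Deployment as shown carries no labels to match against). The ingress rule also lists only ports, with no from clause, so TCP 443 is allowed from every source; add a from selector if only specific clients should reach the server. In the securityContext, only NET_RAW is dropped; consider dropping all capabilities and adding back only the ones the server needs.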
How does cooperation work
in a Kubernetes stack?
“Things move too fast for my
security team to keep up!
I’m afraid we’ll miss something.”
“I don’t want this security feature
deployed in my cluster!
I’m afraid it will stop me from
recovering from an outage.”
What can I do to improve the
security of my infrastructure?
Caveat: There’s a lot out there

https://landscape.cncf.io
Good infrastructure habits
● Be ready to upgrade
○ You may need to do this on short notice!
● Automate, automate, automate
● Keep the abstractions tight — no leaks
● Think carefully about API access control
What can I do to improve the
security of my applications?
Workload data
Who runs this?
What is it?

What code is it?


What can it access?

How is it exposed?
Workload data, zooming in
What will run?
Any guardrails?

With which privileges?


With a writable FS?
What’s the env like?
Any disk or secrets?
“Not pictured”
A complete spec may also include:

● Network Policies
● Storage
● Configuration Maps
● Health Check Procedures
● Custom Resources
● More?
Kubernetes context
Good application habits
● Have a “style guide”
● Apply metadata consistently
● Know your images
● Plan for replicas to be killed in case of compromise
● Establish secure practices early
○ Workload configurations
○ Network policies
...and how to enforce them
Options include:

● Pod Security Policies
● Custom admission controllers
● Ongoing monitoring and analysis

But, remember the user experience when choosing what to enforce, and where.
What are some specific
security controls I might consider?
Configurations to explore
● Read-only root file system
● Linux capabilities
● Network policies
● Host mounts
● Disable service account auto-mount
● Environment
● Resource requirements
Demo: Stopping a Struts exploit
Deploying a vulnerable container (with R/W root FS)
The exploit works — we can download and run minerd.
Can my app be read-only?
After declaring a VOLUME for /usr/local/tomcat,
and opting-in for a read-only root FS:
Linux capabilities
Demo: Capabilities dropped
securityContext:
  capabilities:
    drop:
    - all

minerd
tar: minerd: Cannot change ownership to uid 1000, gid 1000: Operation not permitted
tar: Exiting with failure status due to previous errors
Network policies
Configurations to explore
● Read-only root file system
● Linux capabilities
● Network policies
● Host mounts
● Disable service account auto-mount
● Environment
● Resource requirements
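In the spirit of "Test your security like your app", here is an added example (not code from the talk) that audits a Deployment's pod spec for the pod-level items in the list above. Network policies are separate objects and are not covered. The function names, the two sample manifests and the secret-name heuristic for the environment check are assumptions made for illustration.

```python
import json

SECRET_HINTS = ("PASSWORD", "TOKEN", "SECRET")  # heuristic, an assumption

def audit_pod_spec(pod_spec):
    """Return (scope, finding) tuples for the settings listed on the slide."""
    findings = []
    # Only the pod-level field is checked; a ServiceAccount can also disable it.
    if pod_spec.get("automountServiceAccountToken") is not False:
        findings.append(("pod", "service account token auto-mounted"))
    for vol in pod_spec.get("volumes") or []:
        if "hostPath" in vol:
            findings.append(("pod", "host mount: " + vol["hostPath"].get("path", "?")))
    for c in pod_spec.get("containers") or []:
        name = c.get("name", "?")
        sc = c.get("securityContext") or {}
        if sc.get("readOnlyRootFilesystem") is not True:
            findings.append((name, "root filesystem is writable"))
        # The slides write the value as "all"; compare case-insensitively.
        dropped = {d.upper() for d in (sc.get("capabilities") or {}).get("drop") or []}
        if "ALL" not in dropped:
            findings.append((name, "capabilities not all dropped"))
        res = c.get("resources") or {}
        if not res.get("requests") or not res.get("limits"):
            findings.append((name, "resource requests/limits missing"))
        for env in c.get("env") or []:
            # Flag literal values stored under secret-looking variable names.
            if "value" in env and any(h in env["name"].upper() for h in SECRET_HINTS):
                findings.append((name, "literal secret in env: " + env["name"]))
    return findings

def audit_deployment(manifest):
    return audit_pod_spec(manifest["spec"]["template"]["spec"])

# Constructed samples, in the JSON shape that `kubectl get -o json` returns.
DEFAULTS = json.loads("""{"spec": {"template": {"spec": {"containers": [
  {"name": "server", "image": "my-app:1.0.0-1-g123456",
   "env": [{"name": "DB_PASSWORD", "value": "example-only"}]}],
  "volumes": [{"name": "sock", "hostPath": {"path": "/var/run"}}]}}}}""")
HARDENED = json.loads("""{"spec": {"template": {"spec": {
  "automountServiceAccountToken": false,
  "containers": [{"name": "server", "image": "my-app:1.0.0-1-g123456",
    "securityContext": {"readOnlyRootFilesystem": true,
                        "capabilities": {"drop": ["all"]}},
    "resources": {"requests": {"cpu": "100m"}, "limits": {"memory": "256Mi"}}}],
  "volumes": [{"name": "tmp", "emptyDir": {}}]}}}}""")

if __name__ == "__main__":
    for label, manifest in (("defaults", DEFAULTS), ("hardened", HARDENED)):
        print(label, audit_deployment(manifest))
```

Run in CI against rendered manifests, a non-empty result can fail the build before the workload reaches the cluster.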
What next?
Have a question now?
Ask in Zoom!
Think of one later?
c@stackrox.com
@connorgilbert
Want to learn more?
https://stackrox.com/cncf/
