Home
Contribute Contact Us Browse all meetings
Home Contribute Contact Us Browse all meetings
Cloud Native Computing Foundation / Cloud Native SecurityCon EU 2022 / 19 May 2022
Cloud Native Computing Foundation / Cloud Native SecurityCon EU 2022 / 19 May 2022
Previous Meeting Next Meeting
Add meeting Rate page Subscribe
youtube image
From YouTube: Lightning Talk: What Have We Learned from Scanning Over 10K Unique Clusters with Ku... Shauli Rozen

Description

Lightning Talk: What Have We Learned from Scanning Over 10K Unique Clusters with Kubescape? - Shauli Rozen, ARMO

Kubescape is a K8s open-source tool providing a multi-cloud K8s single pane of glass, including risk analysis, security compliance, RBAC visualizer and image vulnerabilities scanning. Kubescape scans K8s clusters, YAML files, and HELM charts, detecting misconfigurations according to multiple frameworks (such as the NSA-CISA, MITRE ATT&CKĀ®), software vulnerabilities, and RBAC (role-based-access-control) violations at early stages of the CI/CD pipeline, calculates risk score instantly and shows risk trends over time. In the last 6 months, Kubescape scanned over 10K unique clusters and we learned a great deal about the state of Kubernetes risk, compliance, and security vulnerabilities. In this session, Shauli Rozen, ARMO CEO &Co-Founder, will share interesting insight on why and where Kubernetes deployments are failing, the weak spots, and how to get better. He will share some interesting statistics on which controls fail most and where and what are measures to take in order to prevent them.

A

Thank you so much. My name is shaoli, I'm the ceo of armo and we are the company behind the open source cubescape.

A

um I know it was mentioned in one of the earlier talks today around tools that you can use to scan your kubernetes cluster against different frameworks and misconfigurations, and it has been used quite frequently in the last year or so, and we've scanned well, we've scanned over 20 clusters to date, but when we reached the 10 000 clusters, we wanted to do this analysis of you know what we've learned, what we're seeing in the industry- and I wanted to share that with you.

A

um So, first of all, what have we looked at we've looked at the data set of 10 000 clusters, 48 of the users were in north america and 33 were in europe and the rest were in emir and apac. If we think about cluster sizes, uh we see that 35.

A

Let's say even almost 70 percent of clusters had less than 10 nodes up to 10 nodes and about 6 percent and over 50 nodes. What we see in terms of trends is that we see clusters getting larger and larger. What is not here and also we've seen is like the number of clusters per user.

A

It is also growing, um I think, like five percent of the users had more than 25 clusters, which I personally think it's it's way uh too much, but I do think like there is this kind of like notion of the trade-off between the size of the cluster and the number of clusters and how uh you wanna manage it. uh So we see that in the data.

A

Quite uh quite often in terms of job titles, we see that 57 of the users are devops users, which might be surprising to some, but I hope that it's not because it is a security tool and many people have this misconceptions: that devops don't care about security.

A

Actually, in a gartner research lately it was told that actually 30 percent of organizations when, when they were asked who is in charge of the kubernetes security, said that devops do that and we can see it in our data. 24 of the users are security, engineers, security, architects, um security, people who are hands-on and who are in the in the material and five percent uh devsecops, which is something that that we see, of course, more and more.

A

um We scan usually across different frameworks of security. uh The meter attack framework that was developed by the media organization and was adjusted to kubernetes by microsoft.

A

The nsa and cisa guidance for kubernetes security uh that was issued by the nsa, the alma best practices, which is basically a framework that we took the most important parts of those two and took them together, and then there is devote best practices which is basically an enhanced version of those security methods, but also to non-security checks. So, for example, if you're running without a liveliness probe, it's probably uh a bad practice in terms of devops, but it's not really a security issue. um So these are the type of controls that we had there.

A

What we've seen is that there is a there is a very large, of course, um correlation between your score and all of them. So it's not that the nsa and the metria are very different in what they assess. If you are bad in one you're bad in all, that's basically what we've seen um and another best practice is to keep your score below 30.. You need to fix to continue fix, fixing things and when you get below 30, that's usually a place where you're in a good position.

A

If you are below 10 you're, going to work best 10 and if you're above 60 you're in the worst five percent of clusters that we've seen in terms of the top five misconfigurations that we see in the market that we see out there.

A

It is run privileged containers, cluster admin, binding missing resources, policies, we'll talk about that in a minute and not using immutable container file systems, which is very hard to do it's hard to use- and I understand why many people don't do that and not you and not blocking the ingress and the egress of a micro service that is not supposed to be open to the internet.

A

Now 100 of clusters had at least one issue, and that's not surprising, because you know how you know complicated kubernetes configuration can be, but also it is because uh some misconfigurations are okay. You can live with them and fixing them can get you more pain than actually solving them, and that's okay, you don't have to be perfect.

A

um What is more, concerning is that at least 65 percent of clusters had at least one high severity uh misconfiguration, which is something like running in privileged mode or allowing previous escalations within the container or maybe having credentials application credentials in your file system in your container configuration.

A

So now I go into a little bit of the detail of that not having a proper limitation. 63 percent of the clusters did not have um workload limited in terms of cpu and memory and that's a bad practice both in terms of of just best practice in terms of resource utilization, but also security, wise coin miners, different applications that are going to utilize a cpu and memory, and you want to limit them as much as you can.

A

The the second part is secrets, secrets and configuration files. We see it, it's not one of the top ones. Okay, like the top ones, were all 60 or more of clusters, but but still 37 of clusters, add application credentials or misplace secrets in configuration file. Usually what we see is the aws access keys. You know s3 buckets keys and- and I understand why developers sometimes do that it's the easiest place to put it in, but of course it is a very problematic in terms of how to do it, security, wise risky capabilities.

A

What we've seen is that many many workloads uh well at least relatively 23 and 35 percent of workloads- are running with either insecure or dangerous capabilities. um We see here on the on the right. The different capabilities that we look at the most problematic ones are in this red triangles the net admin and the net row and this admin- and we see not- uh you know it's not negligible. It is a significant number of clusters that are running with workloads with these capabilities that they don't need to.

A

Finally, vulnerabilities misconfigurations always go together with vulnerabilities and what we've seen is well. 44 percent of the vulnerabilities that we've seen were medium 21 were critical. 35 percent were high um in terms of critical vulnerabilities. 35 of clusters add at least one critical vulnerability in one of the workloads and six percent at more than six.

A

um Of course, the critical vulnerabilities are the things that we are most concerned about, but we also always need to think about them in conjunction with misconfigurations, because the reality is, if you think about the vulnerability- and this is a critical vulnerability- it made a lot of noise in 2021, uh even early 2022.

A

I think, and it was about being able to escalate and penetrate kubernetes clusters via vulnerability in the container runtime.

A

The thing is that finding that vulnerability is great, but even if you are vulnerable with this vulnerability, if you put the right controls, if you didn't allow privileged container to run, if you didn't allow previous escalation within the configuration of that container, even if you have that vulnerability, you are not um it's not exploitable.

A

It's very hard to exploit by the user by by the attacker and that's why we think it is very, very important to actually take the two together and you know we are in cncf and we talk a lot about roadmap. That's exactly the next thing on our roadmap like cross referencing, your misconfigurations and vulnerabilities, and actually understanding whether that vulnerability is relevant, whether it is exploitable right now in your current system. So this is what we do, and this is how we do it. um Yes, do you have a question one minute?

A

So, let's see if in one minute I can show you how to get a scan running very, very quickly.

A

Let's go here. Don't look at my gmail for a minute.

A

No, I'm not going to do it in one minute, but okay, all you need to do is go to cubescape in github.

A

Okay, you use this one liner, you just copy it into any machine where you have a cube, ctl access to your cluster. You run it less than three minutes later. You will have your first report that tells you right there in the standard output, where you pass and fail for each one of those configuration tests and you can go into at the end. You have a link to a nice ui that you can log into and see also vulnerabilities and from there you can do many, many things. So thank you so much.

A

It was 10 minutes, but I hope I got it across. Thank you so much.