Home
Contribute Contact Us Browse all meetings
Home Contribute Contact Us Browse all meetings
Cloud Native Computing Foundation / KubeCon + CloudNativeCon Europe 2018 (Copenhagen) / 3 May 2018
Cloud Native Computing Foundation / KubeCon + CloudNativeCon Europe 2018 (Copenhagen) / 3 May 2018
Previous Meeting Next Meeting
Add meeting Rate page Subscribe
youtube image
From YouTube: Lightning Talk: Why you Should Really Pay Attention to K8S Security Best Practices - Benjy Portnoy

Description

Want to view more sessions and keep the conversations going? Join us for KubeCon + CloudNativeCon North America in Seattle, December 11 - 13, 2018 (http://bit.ly/KCCNCNA18) or in Shanghai, November 14-15 (http://bit.ly/kccncchina18).

Lightning Talk: Why you Should Really Pay Attention to K8S Security Best Practices - Benjy Portnoy, Aqua Security (Intermediate Skill Level)

Some time ago, the CIS published a security benchmark for Kubernetes deployments. It's easy to regard this as a checkbox process, but what can actually happen if you neglect to follow only a few of its recommendations? In this lightning talk, I will demonstrate how Kubernetes configuration issues that may seem trivial make it possible for an attacker to exfiltrate data from a production environment.

About Benjy
Benjy is a seasoned cyber security professional with over 15 years experience in consulting, designing, and implementing strategic information security projects for organizations across EMEA. He is currently the director of DevSecOps at Aqua Security, helping enterprises streamline security into their DevOps processes to help secure their containerized applications. Prior to joining Aqua Security, Benjy held senior security architect roles at CA, BlueCoat, and Symantec where he worked closely with CSO’s and security operations teams focusing on vulnerability management, datacenter security, and incident response. Benjy holds both CISA (Certified Information Systems Auditor) and CISSP (Certified Information Systems Security) certifications and is currently completing his master's degree in Information Security and Digital Forensics.
Join us for KubeCon + CloudNativeCon in Barcelona May 20 - 23, Shanghai June 24 - 26, and San Diego November 18 - 21! Learn more at https://kubecon.io. The conference features presentations from developers and end users of Kubernetes, Prometheus, Envoy and all of the other CNCF-hosted projects.

A

Thank you second afternoon. Everyone I am Benji from Akua security. Our topic today is why you should care about kubernetes best practices. If you don't. My hope is that in the next four minutes and 53 seconds, you will so at the end of 2017. Cn CF did a survey where they asked the participants. What was the most important or most the key challenges around the kubernetes deployments and conveniently for the topic of my talk today, security was the number one topic.

A

If you, google, today, kubernetes security you'll find that there are approximately seven million results back from Google. In contrast, if you Google window 2019 security, which isn't GA it there's almost double that amount. This is representative of a certain gap, knowledge gap in the information security industry regarding not just kubernetes but in general containerized applications, especially how do organizations secure their kubernetes environments? Because of this, if you ask your average chief information, security officer or even a standard information security professional, how do I secure my kubernetes cluster? What are the best practices?

A

Their facial expression will probably be something similar to this, and the reason is: is that security? Folks are still trying to kind of get to terms and understand. How do you containers work, what is kubernetes and take their existing security tools and procedures and apply them to something like a kubernetes cluster?

A

So, as it happens, kubernetes has done an amazing job of documenting how to secure your kubernetes cluster. Some of the just some of the topics that are covered in this very I would say. Extensive document are things like ensuring authentication is enabled. How do you enforce segregation of duties, and you do that, obviously using authorization ensuring that every all communication with your API server is authenticated encryption of secrets recently even encryption of objects in the HDD database and obviously ensuring that there is constant visibility of everything that happens within the cluster environment.

A

Failing to do this, there are many many risks from a security standpoint, some of the top ones you can see on the slide. They are things like privilege escalation. So within my kubernetes cluster, how do I ensure that I don't get if one node is compromised that doesn't allow me to see all the nodes, all the nodes or get access to all the images within that cluster exfiltration of sensitive information that can be secrets. Those can be. You know, manifest information.

A

We want to ensure that even if a particular component of the cluster is compromised, that the damage is minimal, C is the center of Internet. Security has done an incredible job. They've created a standard both the doctor and kubernetes, which defines how should my kubernetes be secured. It's a two hundred plus page document, very detailed with step-by-step examples, and most organizations should be using this to gauge.

A

You know how secure that kubernetes cluster is or not so, if there's so much around, if there's great documentation from kubernetes, if there's things like the CIS benchmark, why are we hearing more and more frequently about high profile cyber breaches that are happening via kubernetes?

A

This is an example from Tesla at the end of 2017 Tesla had a publicly internet-facing kubernetes cluster, the particular instance that they used had the kubernetes dashboard enabled with anonymous authentication, meaning that all the hackers had to do was accessed that dashboard and from the dashboard they had visibility to the secrets, the nodes, the pods and everything within that cluster. Obviously, that is not something we want to happen so to understand why this is happening.

A

I asked a friend of mine, Johnny English, to try and get some kind of insight into why companies are still not securing their clusters.

A

So that's a very profound insight from this very wise gentleman, but that is something that we should all be aware of. Yes, you can secure your kubernetes clusters. However, many flavors that are that are being used under the ubiquitous today are not secured by default or every information security. Professional knows, one of the key I would say, and the key tenets of security is to secure things. By default, three tools then I'm going to leave with you in the next 30 seconds. These are all free. You can get them from the Aqua github page.

A

The first one is Q bench by our very own Liz rice. This will take the CIA s. Benchmark and automate it'll, basically do an assessment of your kubernetes cluster and tell you for each check whether you pass or fail very, very important tool. The second one is Cube hunter. This allows you to do a essentially penetration test against your communities. Cluster. The third one is a micro scanner. It secures your payload, ok, so within the image when you build the image and being kicked off, but when you build the image, essentially, we can check.

A

What are the contents in that image? Is that image doesn't contain vulnerabilities or knots, and you can see here as an example, the build will actually fail. So if you go to our github page, you can try the micro scanner it's completely free. In this example, here we've identified a venerable version of nginx inside that image. Okay, and we give you the MVD score, the vent, the score and the information. You need to remediate this image to ensure that it is not expose you to unnecessary risks. Thank you very much for your time.