►
From YouTube: Threat Modelling: Securing Kubernetes Infrastructure & Deployments - Rowan Baker, ControlPlane
Description
Don’t miss out! Join us at our upcoming events: EnvoyCon Virtual on October 15 and KubeCon + CloudNativeCon North America 2020 Virtual from November 17-20. Learn more at https://kubecon.io. The conferences feature presentations from developers and end users of Kubernetes, Prometheus, Envoy, and all of the other CNCF-hosted projects.
Threat Modelling: Securing Kubernetes Infrastructure & Deployments - Rowan Baker, ControlPlane
Security teams are often the last to know about an installation of Kubernetes, and are frequently concerned by its adoption. They have every right to be: poorly architected clusters can easily become exposed to unexpected threats, compromised by hostile workloads, or impossible to maintain. It doesn’t have to be this way! This talk details mechanisms for architecting Kubernetes securely in regulated organisations, and shares lessons learnt threat modelling with the CNCF Financial User Group including: - How to use threat modelling to secure clusters and workloads - Real-world examples of Kubernetes deployments, and multi-tenant security architectures from financial services - Where to apply controls to layer defence in depth - Using compliance standards to satisfy security teams - How to integrate Kubernetes with a global SOC - Gotchas, common threats, and advanced mitigations
https://sched.co/Zeow
A
Hi,
I'm
ron
welcome
to
my
talk
on
threat
modelling
securing
kubernetes
infrastructure
and
deployment,
I'm
the
head
of
security
at
control
plane
and
we're
a
consultancy
specializing
in
cloud-native
security
out
of
london.
I'm
also
a
contributor
to
the
gke
cis
benchmark
and
cncf
financial
user
group
kubernetes
detectors.
A
I
need
to
start
by
acknowledging
that
a
lot
of
the
thought
behind
codified
controls,
automated
testing
and
compliance
and
the
role
of
attack
trees
presented
here
are
those
of
john
meadows
who
founded
the
cncf
financial
services
user
group.
We
were
supposed
to
present
together
today,
but
unfortunately,
couldn't
owing
to
circumstances
beyond
our
control.
A
Well,
the
definition
of
threat
modeling
will
use,
takes
the
form
of
the
verb,
and
it's
not
just
about
defining
the
risks
to
the
system,
but
about
how
they
are
addressed.
So
why
should
we
do
any
threat
modeling
at
all,
well
threat.
Modeling
can
prevent
you
from
finding
out
about
security
issues
when
it's
too
late,
if
done
properly,
establishing
a
threat.
A
Modelling
program
provides
the
opportunity
for
the
right
kind
of
cloud:
kubernetes
migration,
where
your
developers
drive
from
a
capability
and
experience
perspective
and
security
compliance
developers
work
in
tandem
to
enable
that
to
secure
compliant
fashion,
using
the
threat
model
effectively.
This
means
shifting
security
left
in
the
development
process
and
identifying
the
security
requirements
for
the
developer.
A
A
A
A
A
After
all,
these
are
the
teams
who
are
skilled
at
breaking
into
your
systems,
who
better
to
validate
your
assumptions
on
what
is
secure.
Another
point
to
note
here
is
that,
if
you
are
threat
modelling
in
the
existing
system,
a
powerful
technique
could
be
to
take
the
threats.
You've
identified
ask
one
of
the
pen
testing
team
to
attempt
to
exploit
those
threats.
A
A
A
A
Additionally,
if
you're
at
a
large
organization,
it's
actually
likely
that
your
stakeholders
will
be
globally
distributed
anyway,
so
video
conferencing
it
is,
and
with
that
you'll
be
at
the
mercy
of
the
collaborative
tooling
that
you're
allowed
to
use
by
your
organization,
so
be
wary
of
that.
When
you're
planning
your
sessions.
A
Finally,
how
does
one
actually
perform
a
threat
model?
Well,
here's
the
basic
threat,
modeling
processes
defined
by
adam
shostak
and
adopted
by
os.
There
are
four
simple
steps:
what
are
you
building?
What
can
go
wrong
once
it's
built?
What
should
you
do
about
those
things
that
can
go
wrong
and
did
you
do
a
decent
job
of
analysis?
A
The
second
step
is
obviously
the
point
at
which
vulnerabilities
in
the
system
and
resulting
threats
are
identified
and
crucially,
prioritized
following
which
you're
going
to
create
a
backlog
of
mitigating
security
requirements,
new
architectures
bug,
fixes
and
so
forth.
In
order
to
answer
what
should
you
do
about
those
things
that
could
go
wrong?
A
The
final
step
is
to
identify
whether
you
did
a
decent
job
of
your
threat
model,
so
you're
going
to
review
the
outputs
from
the
previous
three
steps,
you're
also
going
to
incorporate
external
sources
such
as
pen
testing.
At
this
point,
once
a
threat
model
has
been
established
for
a
system,
it's
this
step.
That's
repeated
just
to
make
sure
the
answers
to
the
first
three
questions
are
relevant
to
the
system
at
the
current
point
in
time.
A
A
Well,
the
four
c's
of
cloud
native
security
are
cloud
clusters,
containers
and
code
so
to
secure
your
full
stack.
You're
gonna
obviously
need
to
consider
the
configuration
of
the
cloud
service
provider,
the
cluster,
what
the
container
is
comprised
of
and
how
they
configure
to
run
and
the
security
of
application
code
itself.
A
So
for
each
of
these
patterns,
you're
going
to
end
up
creating
reusable
threat
models
and
those
threat
models
are
going
to
generally
going
to
be
along
the
lines
of
cluster
provisioning
and
scaling
cluster
runtime
cluster
configuration
and
then
threat
models
for
the
application.
Ci
cd
pipeline
and
the
output
to
those
threat
models
will
define
the
architecture
of
the
standardized
components
and
patterns
your
application
teams
will
use
this
all
raises
a
really
important
point.
A
A
A
You
can
have
the
most
secure
system
in
the
world
at
runtime,
but
if
it's
exploited,
because
you
forgot
about
supply
chain
security
and
and
deploying
the
system
in
securely,
then
you've
wasted
your
time.
You
really
have
to
think
this
through
from
an
end-to-end
perspective,
so
defining
what
you're,
building
any
good
architectural
diagram
will
do.
You
can
also
use
open
source
tools
like
cloud
mapper
to
get
as
much
info
as
possible
on
your
environment,
but
just
to
mention
data
flow
diagrams
here.
A
Data
flow
diagrams
are
really
important,
really
useful
for
breaking
down
what
you're,
building
into
flows,
processes,
trust
boundaries
and
stores
within
a
system,
and
once
you
have
that
depiction
that
makes
a
technique
called
stride
which
I'll
describe
in
a
couple
of
slides.
That
makes
it
a
lot
easier
to
do
so
if
your
architectural
diagrams
aren't
fit
for
purpose.
A
A
You
need
to
start
identifying
what
can
go
wrong
now,
if
you're
experienced
in
the
threat,
modeling
and
security
space
then
brainstorm
to
your
heart's
content.
Annotate
your
architecture
diagrams,
make
copious
notes
as
you.
Let
your
imagination
run
wild
if
you've
not
threat
modelled
before
it
will
be
helpful
to
use
a
straight
framework
stride
and
pass
pasta
are
two
examples.
A
A
So
when
do
you
stop
if
you're
experienced
in
this
space
and
everybody
is
familiar
with
kubernetes
and
cloud-native
solutions,
you
can
time-box
your
activities
because
you'll
know
roughly
when
you're
done.
Otherwise,
if
you're
threat
modelling
for
the
first
time,
if
you
have
one
really
good
stride,
attack
per
element
represented
in
a
data
flow
diagram.
That's
an
okay
first
pass.
A
So,
in
conjunction
with
other
members
of
the
cncf
financial
user
group,
we
treat
modeled
the
whole
kubernetes
system
by
asking
what
can
go
wrong.
We
looked
at
attacks
of
the
api
server,
central
d,
cubelets,
exploiting
aspects
of
cni
or
csi.
We
looked
at
compromised
workloads
in
the
various
permission,
permissive
configurations
that
could
be
accidentally
granted.
We
also
looked
at
some
cloud:
prime
provider,
integration
and
meta
data.
Api
file,
attacks-
and
these
are
tech.
Trees
are
open
sourced
in
github
for
your
use
now.
A
A
Basically,
you
represent
attacks
against
the
system
in
a
tree
structure
with
the
goal
is
the
route
mode
and
different
ways
of
achieving
that
goal
as
leaf
notes,
attack
trees
were
coined
by
bruce
schneier
in
99,
and
we've
got
a
brief
or
simple
example
of
an
attack
tree
to
the
right
here.
It's
simplified
for
the
point
of
explanation.
A
Attack
trees
can
be
quite
large
and
squarely
difficult
to
present
on
powerpoint
slides.
So
we've
got
this
approached
version
here,
so
to
start
drawing
an
attack
tree.
You
start
with
a
negative
outcome
that
you
want
to
avoid.
So,
in
this
case,
it's
at
the
top
and
it's
malicious
code
in
the
workload
you
subsequently
ask
how
it
could
be
achieved
to
flesh
out
the
rest
of
the
tree
to
explain
the
key
on
the
right.
A
And
if
you
look
below
that
node
in
order
to
deploy
that
poison
container
image,
you
need
to
poison
the
image
within
the
container
registry
and
the
image
needs
to
be
deployed,
and
in
this
case
it
will
be
deployed
as
part
of
a
normal
release
going
further
down
the
tree.
In
order
to
poison
the
image
in
the
container
registry,
you
will
obviously
need
to
obtain
the
image,
pull
secret
and
you're,
relying
on
that
pull
secret,
having
right
and
overripe
privileges
within
the
container
registry.
A
Finally,
there
are
actually
three
different
ways
in
which
you
could
obtain
the
image
pull
secret.
You
could
make
a
commentators
api
request
or
you
could
use
a
running
container
with
host
file
system
access,
thus
accessing
the
password
on
the
host
or
you
can
obtain
it
from
a
cubelet
using
the
unauthenticated
port,
for
example,
now
attack
tray
trays
are
useful
tools
for
collaboration
between
dev
teams
and
security.
A
Now,
if
you
don't
want
to
use
the
tech
trees,
as
I
said,
create
tables
or
annotate
your
own
diagrams,
there's
a
threat
model
of
a
cluster
at
runtime.
It's
not
pretty,
but
it's
perfectly
valid.
Just
labeled
all
the
things
that
could
go
wrong
in
an
architecture:
diagram
don't
get
too
precious
about
your
diagrams
and
architectures.
You
will
be
redrawing
them
and
updating
them
countless
times
as
you
build
your
threat
model.
A
So
initially,
don't
worry
about
your
connections
being
a
little
bit
off
because
you'll
be
redrawing
those
lines
soon
enough
now
you've
got
a
whole
host
of
threats
identified.
Well,
what
are
you
going
to
do
about
that?
Well,
to
define
your
control,
sets,
evaluate
and
prioritize
your
threats.
Then
map
controls
directly
onto
them.
A
You
could
end
up
with
a
particularly
busy
architecture
diagram
like
so
or
you
could
annotate
your
attack
trees
by
breaking
different
branches
with
an
appropriate
control.
We'll
talk
a
little
bit
more
about
the
temperatures
later.
So
when
you
look
at
selecting
controls,
what
controls
do
you
have
to
choose
from?
Well,
frankly,
there's
loads,
here's,
a
here's,
a
quick
menu
of
controls,
just
like
any
good
menu,
don't
order
everything
it
will
make
you
sick,
we'll
talk
about
how
you
minimize
the
number
of
controls
you
need
to
implement
later
so
in
the
networking
space.
A
A
The
first
thing
is
just
to
get
the
basics
right,
define
a
secure
security
context
for
your
pods
and
containers.
It's
all
the
usual
stuff
run
as
non-route,
then
allow
privilege
escalation,
drop,
all
your
linux
capabilities
and
use
app,
armor
profiles
or
sc
linux.
If
you
can
container
compatible,
ids
and
ips
systems
are
pretty
prevalent
too,
to
use
them
ones
like
falcon.
A
There
are
also
paid
solutions
that
offer
a
lot
more
capability
than
just
runtime
protection,
with
container
image
scanning
and
mission
control
at
all.
So
if
your
oil
likes
to
throw
money
at
things,
then
these
are
well
worth
using
just
finally,
over
the
last
few
years,
sandbox
and
isolation
technologies
have
started
to
emerge,
their
implementations
differ,
but
the
goal
is
the
same:
it's
to
isolate
the
running
workload
from
the
host's
kernel
as
much
as
possible.
A
A
There
are
currently
a
few
limitations
to
investigate
before
you
dive
into
using
these
for
everything,
for
example,
service
mesh
compatibility
so,
whether
accidentally
or
maliciously,
your
users
are
going
to
misconfigure
your
clusters,
workloads
or
just
accidentally
break
things
again.
Getting
our
back
right
is
one
of
the
basics.
It's
not
easy,
though,
but
thankfully
there
are
plenty
of
open
source
tools
to
help
on
that
front.
A
Make
sure
you
enable
the
kubernetes
admission
controllers,
the
cis
benchmarks
have
recommendations
on
that
front
on
what
you
should
enable
and
finally,
no
talk
on
kubernetes,
our
back
or
policy
is
complete
these
days.
Without
mentioning
the
open
policy
agent
provides
the
ability
to
enforce
custom
policy
and
appears
to
be
the
future
in
the
pod
security
policy
space.
A
A
Now
the
majority
of
the
controls
that
I
just
mentioned
are
to
protect
your
cluster
from
a
compromised
container.
It
goes
without
saying
that
the
most
important
element
in
preventing
this
is
embedding
security
within
ci
cd,
which
is
a
torque
in
itself,
as
a
wealth
of
information
on
security
checks
and
tooling.
Each
stage
of
obtaining
a
build
pipeline
for
just
a
note
of
increasing
importance
and
focus,
particularly
within
financial
services,
is
the
ability
to
attest
that
a
container
image
you
have
built
has
been
subject
to
all
of
the
security
tests
implemented
as
part
of
your
pipeline.
A
A
So
you
might
read
all
of
that.
You
might
have
a
threat
model
with
loads
of
threats
in
it
and
then
you
might
pull
together.
All
of
your
controls
decide
to
enforce
the
defense
in
depth
and
end
up
with
this
an
example
cluster.
From
the
infra
perspective,
you
can
see
how
the
infrastructure
controls
segregate
nodes,
allowing
one
to
enforce
controls
on
networking
at
the
infrastructure
level
and
theoretically
segregating
the
cloud
permissions.
A
workload
can
access
at
the
instance
level,
that's
theoretical,
we'll
touch
on
that
later.
A
My
advice
is
not
to
do
all
of
this,
particularly
straight
off
the
bat,
unless
you
have
a
really
really
good
reason
to
and
your
threat
model
will
justify
it
instead.
Start
simple
after
complement
of
these
complementing
control
sets,
there's
absolutely
no
need
to
implement
an
entire
category
of
controls
to
demonstrate
defense
in
depth.
A
Your
security
architecture
needs
to
be
as
simple
as
possible
to
mitigate
the
threats.
You've
identified
to
an
acceptable
level
bear
in
mind
the
more
security
the
more
complex
your
security
architecture
becomes,
the
more
automation
you
need
to
provision
to
both
provision
and
automatically
test
clusters,
in
effect,
there's
the
ability
to
provision
a
cluster
supporting
services
and
run
a
full
suite
of
tests
from
just
one
push
of
a
button.
It's
the
only
way
to
ensure
that
a
complex
solution
is
maintainable
and
scalable.
A
That
will
help
you
go
from
a
lengthy
list
of
threats
to
understanding
where
to
start
first,
which
threats
are
significant
enough
to
eliminate
at
the
starting
set
of
controls
required
at
this
point
I'll
again
extol
the
virtue
of
the
tech
trees.
There's
controls
you
devised,
labeling
and
plotting
them
onto
your
attack.
Trees
as
a
means
of
breaking
the
branches,
are
a
great
way
of
showing
you
how
your
security
controls
can
theoretically
combine
to
stop
attacks.
A
Now,
automated
testing
is
often
overlooked
when
implementing
controls
or
codifying
controls
just
like
in
mainstream
software
engineering,
you
wouldn't
dream
of
releasing
code
without
testing.
So
too,
with
codifying
security,
you
must
write
tests
to
validate
the
efficiency
of
the
control
or
the
efficacy
of
the
control.
A
A
It's
important
to
note
you
test
the
threat
to
be
mitigated,
not
the
specific
implementation
you
have
coded
for
your
patrol,
in
other
words,
check
to
make
sure
you
can't
access
your
s3
bucket
via
http,
rather
than
validating
your
code
is
as
you
expected,
while
implementing
it.
This
is
a
common
mistake,
often
encountered
by
junior
developers
who
test
their
implementation
or
the
happy
path,
rather
than
truly
checking
the
intent
of
their
code.
A
After
all,
what
good
is
a
detective
control
if
it
isn't
written
appropriately
to
genuinely
alert
a
sock
team,
member
or
process
so
step?
One?
Do
your
threat
model
told
you
how
to
now
off
you
go
and
do
it
step
two
reproduce
the
attacks
identified
repeatedly
against
test
clusters
and
gather
the
signals
step
three
take
these
signals
and
work
with
the
sock
to
configure
their
their
seam
tool.
A
You
may
need
some
training
at
this
point.
You
may
want
to
use
your
attack
trees,
so
your
sock
has
situational
awareness
in
order
to
understand
how
the
signals
they're
receiving
relates
to
an
attacker's
path
through
your
system
and
so
forth.
You'll
probably
need
to
review
audit
configurations
during
this
step,
just
to
make
sure
logs
are
neither
sort
of
too
full
or
too
slim.
A
A
So
come
armed
with
your
security,
documentation
and
threat
model
show
them.
There's
some
precedent,
followed
in
terms
of
standards
adhered
to,
like
the
cis
benchmarks.
For
kubernetes
and
related
test
results
from
qpench
also
note
if
you're
in
gcp
is
that
google
have
open
sourced
gke
patterns
that
demonstrate
adherence
to
pci
dss,
and,
I
believe,
that's
the
subject
of
another
talk
here
at
qcon
again,
if
you're,
following
this
pattern
or
using
this
pattern,
you're
demonstrating
precedent
and
adherence
to
standards,
you
can
also
get
one
step
ahead
of
the
curve
by
mapping
controls
to
your
compliance
requirements.
A
A
She's
going
to
finish
with
a
couple
of
gotchas,
so
I
mentioned
node
segregation.
Earlier
on.
As
a
as
a
tool
for
implementing
security,
you
can
put
firewall
rules
around
your
different
nodes
at
the
infrastructure
level.
You
can
also
make
sure
that
your
nodes
have
different
instance
permissions
so
that
your
workloads
are
are
not
able
or
only
able
to
assume
a
minimal
set
of
roles.
So
you
could
keep
privileged
roles
on
different
notes.
A
Well,
that's
still
too
much
thinking
along
the
happy
path,
so
tim,
mulchler
and
greg
castle
gave
an
excellent
talk
at
cubicon
san
diego,
on
how
using
node
segregation
does
not
guarantee
security
within
a
kubernetes
cluster.
Their
demo
showed
attacks
that
included
being
able
to
reschedule
malicious
workloads
on
other
nodes.
A
So
if
you
run
a
service
mesh
in
your
cluster,
it
will
need
some
linux
capabilities
that
would
not
be
authorized
if
you
had
implemented
a
restrictive
pod
security
policy
so,
for
example,
with
istio.
If
you
have
an
installation
that
does
not
use
the
istio
cni
plug-in,
which
is
still
in
alpha,
then
istio
init
containers
will
be
run
in
each
of
the
application
pods,
and
each
of
these
require
nat
admin
and
net
raw
linux
capabilities.
A
Now,
if
I
recall
from
about
a
year
to
18
months
ago,
the
istio
containers
back
then
ran
with,
I
believe,
maybe
the
privileged
flag
and
root.
Don't
quote
me
on
that,
but
it
appears
that
things
are
much
better
now,
regardless,
you
will
still
need
to
relax
your
pods
security
policies
to
allow
these
capabilities.
A
A
Unfortunately,
the
byproducts
of
that
focus
over
many
years
within
an
on-prem
environment
have
resulted
in
the
following
practices:
heavily
manual
change,
control
processes
which
are
slow
time
and
resource
consuming
our
reliance
on
detective,
rather
than
preventive
controls
within
security
architectures.
So
an
example
of
that
would
be
the
manual
change
control
process
that
involves
admin,
click,
ops
and
then
reliance
on
the
sock
to
detect
any
misconfiguration
made
by
that
admin
after
the
event
now,
neither
of
these
practices
are
particularly
secure,
maintainable
or
scalable
within
cloud,
and
so
obviously
red
flags
to
be
wary
of.
A
So,
in
short,
I
know
we're
running
a
little
bit
over
threat
model.
Do
it
early
on
get
everyone
involved,
keep
it
up
to
date,
draw
attack,
trees,
they're,
really
useful.
They
break
down
high
level
threat
outcomes
into
discrete
steps,
providing
a
great
resource
for
security
and
for
writing
tests.
They
allow
you
to
determine
the
controls
needed
to
secure
your
solution
without
over-egging
the
cake
they
provide.
They
also
provide
a
great
source
of
situational
awareness
for
the
sock,
make
sure
you
apply
and
test
your
controls
in
an
automated
fashion,
remembering
to
test
the
threat.