►
Description
Don’t miss out! Join us at our upcoming event: KubeCon + CloudNativeCon Europe 2021 Virtual from May 4–7, 2021. Learn more at https://kubecon.io. The conference features presentations from developers and end users of Kubernetes, Prometheus, Envoy, and all of the other CNCF-hosted projects.
Kubernetes-native Security with Starboard - Liz Rice & Daniel Pacak, Aqua Security
Starboard is an open source project that gathers security information from various different tools into Kubernetes CRDs, so users can manage & access security reports through familiar Kubernetes interfaces, like kubectl or Octant. This talk uses plenty of demos to describe the motivations behind Starboard, and design challenges such as: - how reports can relate to different resources, from pods through to entire clusters - showing security information for running workloads - extensibility and plugins Learn how to use Starboard generate to actionable security information that's visible to the people who need it. See how to extend Starboard to integrate your favourite security tool, if it isn't already covered today. This “Advanced” talk won’t hold back from showing you the code! It assumes basic familiarity with security tools like vulnerability scanning, YAML checks & CIS benchmarks.
https://sched.co/ekE7
A
So,
first
of
all,
the
the
motivation
behind
starboard
meet
our
friend
dave
lopez.
He
uses
kubernetes
and
to
do
so,
he
uses
tools
like
cubecontrol
and
perhaps
he
uses
a
dashboard
like
octan
or
another
kind
of
ide
interface
that
uses
the
kubernetes
api
to
access
the
cluster
and
manipulate
resources
within
that
cluster.
A
A
The
idea
behind
starboard
is
to
bring
all
these
disparate
tools
into
the
world
of
kubernetes,
so
we've
created
the
starboard
cli
tool
that
provides
an
interface,
a
familiar
queue,
control,
plug-in
interface.
That
dave
can
use
to
run
security
tools
and
it
creates
the
reports
in
the
form
of
kubernetes
custom
resources
that
dave
can
access
using
cubecontrol
and
the
dashboard
so
over
to
daniel
to
show
us
the
cli
in
action.
B
What
I
have
here
is
a
local
kind
cluster
with
four
nodes,
three
worker
nodes,
and
we
also
have
to
install
starboard
binary
in
here,
I'm
installing
it
from
the
crew
index
and
we
have
to
initialize
starboard
it's
one
time
command.
It
is
creating
all
the
crd
definitions
and
service
accounts
and
configuration
map,
and
with
that
we
could
trigger
cube
bench
scanner.
B
Since
we
have
four
nodes,
we
are
spawning
four
kubernetes
jobs
which
are
scanning
and
running
benchmarks
on
each
node.
Once
it's
done,
we
could
list
the
results.
So,
as
you
can
see
for
each
node,
we
do
have
all
the
checks
run,
and
we
can
see
immediately
that
there
are
some
failures
for
those
who
are
more
familiar
with
user
interfaces
or
graphical
user
interfaces.
A
So
the
cli
allows
our
friend
dave
to
run
security
tools
manually
through
cubecontrol
starboard.
The
next
step
is
to
automate
this
using
an
operator,
so
we've
created
a
starboard
operator
at
the
moment.
It
just
runs
vulnerability
scanning
on
workload
resources,
so
the
operator
watches
for
new
pods
starting
in
the
kubernetes
cluster,
and
it
runs
a
vulnerability
scanning
tool.
We
have
a
couple
of
options
already
implemented
and
we'll
be
talking
about
that
later.
B
Yeah,
so
let's
take
wordpress
as
a
sample
application.
What
you
can
see
is
a
deployment
descriptor,
but
this
time
I'm
going
to
use
a
octant
apply,
yaml
file
feature
to
create
this
deployment,
and
now,
if
we
switch
to
the
starboard
operator
nation
is
this
is
where
we
run.
This
is
the
namespace
in
which
we
run
the
operator
itself
and
in
the
same
namespace
it
spawn
immediately
a
scan
job.
B
So
we
could
also
go
and
see
what
is
going
on
and
what
is
the
descriptor
of
this
image?
There
is
an
init
container.
There
is
a
wordpress
container,
that's
actually
the
command
that
we
are
running
and
since
octant
is
automatically
refreshing,
the
ui
it
has
been
completed.
Switching
back
to
the
default
namespace
wordpress-
and
here
is
where
we
make
this
vulnerability
information
available.
There
is
a
status
card
component
and
the
plugin
displays
the
stats.
If
you
want
to
gear
down
drill
down,
we
have
the
vulnerability
tab
and
here
is
a
list
of
vulnerability
items.
B
A
Thank
you
daniel,
so
now
you've
seen
starboard
in
action.
Let's
talk
a
little
bit
about
some
of
the
design
decisions
that
we've
taken
while
building
it
and
you've
seen
how
security
report
information
is
created
and
is
associated
with
particular
resources
and
we're
trying
to
generalize
handling
different
types
of
security
report
associated
with
different
types
of
resources,
as
you
saw
we're
using
labels
on
the
security
related
resource
to
identify
which
kubernetes
resorts
it
relates
to.
A
We
simply
don't
have
to
worry
about
garbage
collection,
because
kubernetes
takes
care
of
it
for
us
deciding
to
use
this
owner.
Reference
approach
actually
settled
a
whole
other
design
decision
for
us.
We've
been
going
back
and
forth
on
whether
it
would
be
useful
to
maintain
historical
security
reports
and
by
using
this
owner
reference,
we
know
we're
going
to
be
cleaning
up
security
resources
when
the
associated
resource
is
deleted.
A
A
A
A
A
A
A
So
putting
those
reports
in
the
same
name
space
as
the
resources
can
make
our
back
configuration
pretty
straightforward,
but,
as
you
saw,
starboard
needs
to
run
jobs
and
we
have
to
decide
what
namespace
to
run
those
jobs
in,
and
we
decided
to
do
that
in
a
separate
namespace
for
starboard.
For
a
couple
of
reasons.
A
First
of
all,
it
means
starboard
doesn't
need
permission
to
run
workloads
in
your
application
namespaces
and
that's
better
from
the
point
of
view
of
the
principle
of
lease
privileges.
We
want
to
give
everything
as
limited
permissions
as
possible,
so
snowball
can
only
create
these
jobs
in
its
own
namespace.
B
Yes
notice
also
that
not
every
resource
building
in
kubernetes
is
is
scope
to
namespace.
There
are
nodes
and
for
the-
and
you
saw
in
the
demo
that
we
run
cubebench
for
each
node
and
then
we
associate
a
report
with
a
node.
So
in
this
case
we
also
distinguish
between
namespace
and
cluster
scoped
custom
security
resources.
So
vulnerability
report
would
be
a
nice
burst
report,
whereas
already
mentioned
cube
bench
report
or
cube
counter
report
is
a
cluster
scoped
resource.
A
Now,
if
he
runs
an
unmanaged
pod,
it's
pretty
straightforward
that
the
vulnerability
report
is
associated
with
that
unmanaged
pod.
But
if
we're
talking
about
deployments,
there
could
be
multiple
instances
of
each
pod
and
if
we
were
to
associate
vulnerability
reports
with
those
pods
we'd
have
duplication.
A
A
An
alternative
might
be
to
think
about
associating
the
vulnerability
report
with
the
deployment.
After
all,
that's
the
resource
that
dave
is
typically
going
to
be
manipulating,
but
there
is
a
problem
with
this:
there
isn't
always
a
single
replica
per
deployment
and
if
we're,
if
we
have
multiple
replica
sets,
they
may
have
different
images
in
their
pod
specs.
So
we
need
different
vulnerability
reports
for
those
images.
Those
different
images
that
they
refer
to
so
the
conclusion
is,
we
need
to
hold
vulnerability
reports
associated
with
replica
sets
when
you
come
to
think
of
it.
A
B
All
right
so
just
to
show
you
the
current
report
that
we
have
in
our
cluster.
We
scanned
all
the
nodes
with
cubepench
and,
as
you
can
see,
we
set
the
owner
reference
for
this
report
to
point
to
a
kind
worker,
node,
and
but
also
you
see
that
it's
because
of
this
great
control
trip
plugin.
We
see
the
whole
hierarchy
of
objects,
it's
even
more
interesting
when
we
display
it
for
the
wordpress
application.
B
Since
we
did
a
rolling
update,
we
have
two
replica
sets.
One
of
them
is
active
as
you
can
see
this
ready
status
here,
and
we
also
created
a
two
vulnerability
reports
which
are
linked
back
to
the
replica
set
and
just
to
show
you
what
we
mean
by
traversing:
the
hierarchy
of
objects.
So
remember
that,
even
though
we
don't
have
the
report
associated
with
the
deployment
object,
we
do
display
this
information
right
because
we
can
do
programmatically,
traverse
the
tree
and
display
all
the
vulnerability
information
right
in
the
user
interface.
A
A
B
This
is
where,
as
a
prerequisite,
we
expect
that
your
vulnerability
scanner
is
containerized,
so
it
could
give
us
its
image
and
then
also
build
up
the
command
that
is
used
for
scanning
in
case
of
3v,
which
is
the
default
vulnerability.
Scanner
in
starboard.
The
command
is
pretty
simple:
it's
like
a
image
reference
and
then
the
3d
output
converter.
This
is
a
piece
of
code
that
is
reading
a
controller
pod
and
it's
transforming
the
previous
model
to
the
starboard
model
right,
which,
in
this
case
is
a
vulnerability
report.
B
It
has
its
own
schema,
but
we
can't
know
what
is
the
model
of
the
third
party
tool.
So
this
is
these
two
bits
have
to
be
implemented
separately
and
if
we
move
to
the
next
slide,
you
will
see
a
simple
interface
called
vulnerability.
Scanner
with
those
two
callbacks
one
is
get
bot
template
spec,
that's
the
one
where
you
specify.
B
A
A
So
adding
in
support
for
a
new
type
of
security
tool
would
be
a
case
of
creating
a
new
custom
resource
definition
and
adding
in
the
the
definition
the
configuration
for
that
new
tool.
So
that's
the
vision
of
where
we
want
to
get
with
plugability.
Today
it
is
a
little
bit
more
complicated.
You
do
need
to
write
a
bit
of
code,
but
this
is
this
is
the
ultimate
goal,
and
we
would
also
be
very
keen
to
hear
feedback
on
the
customer
resource
definitions
that
we've
created
so
far.
A
We
hope
that
they're
flexible
enough
to
plug
in
other
alternative
tools,
but
we're
very
open
to
hearing
feedback
last
thing
that
we
wanted
to
talk
about
in
terms
of
the
future
of
starboard
is
helping
dave
lopez.
Ask
the
question:
what
are
the
most
security
most
important
security
issues
in
my
cluster
or
what
are
the
most
important
security
issues
in
the
particular
namespace
I
care
about.
A
So
if
that
sounds
interesting
to
you,
you
can
download
and
run
starboard
from
github.
It's
also
available
on
the
artifact
hub
and
the
operator
hub,
and
we
would
love
for
you
to
get
involved.
Do
you
come
and
check
out
the
starboard
repository
on
github?
You
can
get
in
touch
with
us
or
reach
out
to
us
here
at
the
conference.
We'd
love
to
hear
from
you.
Thank
you
very
much.