►
Description
Don’t miss out! Join us at our upcoming event: KubeCon + CloudNativeCon Europe in Amsterdam, The Netherlands from April 17-21, 2023. Learn more at https://kubecon.io The conference features presentations from developers and end users of Kubernetes, Prometheus, Envoy, and all of the other CNCF-hosted projects.
Putting Hackers Breaching Your Cluster In Automatic Quarantine - Ziv Nevo, IBM
Speakers: Ziv Nevo
Engineers can’t really prevent hackers form eventually breaching Apps. It is not a question of IF but of WHEN. And unfortunately, a question of how much damage was done to our or our users’ resources, data and reputation. This does not happen only to small Apps and companies with small budgets and limited resources but to huge companies and government agencies (see SolarWinds attack). The solution - automatically isolating attackers when they breach one of the Apps in your cluster (or the App you develop), keeping the rest of the cluster’s components safe. This session will present a survey encompassing many commonly used cloud native apps, engineers all love and need (like Prometheus, Kafka, Jenkins, ClearML and much more) and demonstrate the built-in vulnerability most cluster deployments exercise and how to secure it. State of the art practices leave several, rather easily breached, back doors in many clusters. We will deep dive into several real-world scenarios and see the simple, yet very often missed, blueprint for making our cluster or our App-users’ clusters much more malicious-resistant.
A
So
I'm
Dave
I'm
a
senior
research
scientist
in
IBM
research
in
Israel,
and
this
talk
was
proposed
by
my
colleague,
shmulich
voimovic,
who
unfortunately
couldn't
be
here
today,
and
the
title
of
this
talk
is
putting
hackers
breaching
your
cluster
in
automatic
quarantine.
So
you
can
see
this
is
a
talk
about
security
and
I
was
told
that
talks
about
security
should
start
with
scaring
the
audience
that
something
frightening
is
going
to
happen.
Sir,
here
is
a
scary
thing.
Really,
it
is
I
have
some
of
these
in
my
backyard
and
they
are
nasty.
A
They
are
very
quick
and
when
they
bite
it
really
hurts
so
don't
mess
with
these
creatures.
However,
I
got
used
to
them,
and
now
what
really
scares
me
is
that
too
many
Cloud
applications
do
not
apply.
Now.
That's
scary,
you
don't
seem
scared
enough.
So
let
me
explain
why
this
is
so
scary,
mainly
because
without
a
gas
control,
your
application
is
exposed
to
many
many
attacks
and,
for
example,
reverse
shell
attacks
data
leaks.
A
So
previously
it
was
thought
that
if
I
protect
my
English
good
enough,
this
is
well.
This
should
be
enough,
but
there
are
Insider
threats
there
always
have
been,
and
we
know
that
social
engineering
and
spear
phishing
attacks
are
getting
more
and
more
sophisticated,
and
this
also
allows
hackers
to
get
into
your
application,
and
those
of
you
who
attended
the
security
cone
may
have
heard
the
very
frightening
number
of
742
percent
rise
in
supply
chain
attacks
in
the
last
three
years.
So
this
is
really
scary.
A
Oh-
and
there
is
also
compliance
so
and
these
days
you
have
standards
so
and
the
nist
sc7
tells
you
that
you
should
deny
network
communications
traffic
by
default
and
allow
natural
Communications
traffic
by
exception
and
manage
interfaces,
and
only
those
system,
connections
which
are
essential
and
approved
order
and
are
allowed-
and
you
may
say:
okay
but
I,
closed
the
interest
side
matte.
This
doesn't
mean
that
a
micro
service
of
yours
cannot
talk
to
the
outside
internet,
and
so
you
must
control
also
its
igles.
A
A
A
A
Is
considered
hard
to
configure
and
to
maintain-
and
this
is
actually
true-
this
is
not
reveal,
and
also
sometimes
you
do
have
rigorous
control
and
you
do
have
you
do
limit
your
connections,
but
the
configuration
is
not
really
what
you
meant.
So
the
configuration
is
wrong,
and
maybe
you
are
not
even
aware
that
this
is
the
case.
A
Finally,
in
a
development
team,
it
is
really
unclear
whose
task
is
it
to
put
the
Protections
in
place?
Is
it
the
development
people
Developers?
Well,
they
usually
don't
care
much
about
security.
They
just
want
their
code
to
work
place.
Is
it
that
devops
people
well,
they
are
not
really
aware
of
which
connections
should
be
in
your
application,
and
so
they
may
not
be
the
right
people,
maybe
the
security
people.
A
Well,
they
don't
really.
They
know
the
rules,
they
are
not
always
sure
how
this
all
should
be
applied.
So
my
claim
is
that
for
the
last
three
bullets,
actually
automation
can
help.
You
can
help
us
here
and
basically
this
is
John.
This
is
the
agenda
for
the
rest
of
my
talk.
I
will
show
you
why
trusting
third-party
components
may
not
be
such
a
good
idea
and
I'll
show
you
how
automation
can
help
just
one
word
before
I
continue
into
that.
So
where
is
the
best
place
actually
to
control
egos?
A
A
Well,
it
may
be
too
too
late
to
stop
data
leaks
at
higher
levels,
because
they
are
not
specific
enough
for
the
kind
of
Communications
that
are
really
allowed,
so
in
kubernetes
based
application.
This
actually
means
that
you
want
to
control
pod
traffic
and
the
way
to
do
it
in
kubernetes
natively
is
Network
policies,
the
also
a
cni
specific
Network
policies
like
psyllium
Network
policies
or
Calico
Network
policies,
but
these
are
cni
specific,
and
if
one
day
you
want
to
migrate
from
one
cni
to
the
other,
then
you'll
have
to
migrate.
A
A
The
good
news
is
that
most
come
with
some
index
control,
and
this
is
good,
although
typically,
you
are
required
to
put
some
flag
some
non-default
flag,
you
have
to
put
it
on,
but
that's
the
good
news.
The
bad
news
is
that
only
four
of
these
packages,
out
of
the
15
that
we
looked
at
only
four
included
some
sort
of
legal
control
and
to
remind
you,
this
includes
databases.
So
if
your
database
has
no
egos
control
might
be
that
your
ports
can
send
data
directly
to
a
to
the
to
the
internet
outside
to
hackers
yeah.
A
It's
not
a
good
idea,
so
never
trust
other
security,
oh
as
we
call
it
zero
trust
not
to
be
too
pessimistic.
Here
is
one
example
where
things
are
done
right,
so
you
can
see
here
that
the
true
stateful
sets,
in
that
case
talk
to
each
other
in
restricted
in
a
restricted
way
and
are
connected
to
ultra
involved
only
through
UDP
53.
So
this
is
the
only
Ingress
that
is
allowed.
This
is
DNS.
This
is
considered
fine.
A
A
A
A
Now,
entry
guard
can
also
look
at
your
repo
and
tell
you
what
is
the
expected
connectivity
posture
for
your
application,
given
the
yaml
Manifest
that
live
in
Europe,
so
this
actually
supports
shift
life
methodologies,
so
this
is
about
knowing
where
to
stand,
but
how
do
I
get
to
the
place
where
my
connectivity
is
done
right
in
here?
Automation
can
help
once
again,
automation
can
help
you
synthesize
Network
policies,
and
there
are
two
kinds
of
tools
here.
A
The
other
type
of
tools
is
tools
that
are
analyzing.
Your
yaml
manifests
and
understand.
What
is
the
required
connectivity
from
disable
manifests
and
when
they
know
their
report
connectivity,
they
can
synthesize
nephron
policies
that
will
only
allow
this
required
connectivity
and
nothing
more
so
NP
guard
is
all
once
again
one
one
of
these
tools
and
the
technology
used
by
npguard.
A
So
there
is
the
analysis
and
synthesis
and
synthesis
phase
in
which
Network
policies
are
being
synthesized,
and
this
is
proposed
as
a
network
configuration
for
the
user
to
review
now,
net
NP
guard
will
not
just
provide
yamlers
to
the
users
and
say
well.
These
are
network
policies.
Take
a
look.
We
want
more
than
that,
so
we
can
provide
the
connectivity
maps
that
we've
seen
before
we
can
provide
connectivity
diffs.
A
Both
in
the
synthesis
part,
so
we
don't
synthesize
anything
that
is
not
compliant
and
they
can.
They
will
be
rechecked
at
the
review
process.
Even
if
the
user
chooses
to
add
more
connections,
because
maybe
the
synthesis
missed
something,
then
any
change
to
the
network
policies
will
be
rechecked
against
the
organizational
rules
and
only
when
the
neutral
configuration
is
compliant.
Only
then
can
it
be
deployed
to
to
the
live
cluster.
A
A
A
Yeah,
okay,
so
this
is
the
online
boutique
example
made
by
Google
a
very
popular
example,
so
this
basically
this
is
basically
an
online
shop
for
vintage
products,
and
here
is
the
architecture
for
in
this
application.
It
is
made
of
11,
also
microservices,
that
talk
to
each
other
in
a
non-trivial
way.
A
A
A
So
we
want
to
apply
Network
policies,
so
we
have
your
integration.
We
integrated
it
with
GitHub
actions.
In
that
case
there
are
also
Integrations
with
tecton
tasks
and
can
also
be
consumed.
The
components
can
also
be
consumed
as
Docker
containers.
I
will
go
to
the
synthesis
workflow
here
and
I'm
going
to.
Maybe
we
first
take
a
look
at
the
workflow
and
see
what
we
have
here,
so
basically,
what
this
workflow
is
doing.
A
A
A
So
we
can
see
here
we
have
one
network
policy
per
micro
service.
So
for
the
checkout
service
we
have
this
network
policy
saying
that
it
can
connect
to
the
image
service,
the
payment
service,
the
product
and
so
on,
and
so
on
and
so
on,
and
it
can
get
Ingress
from
the
front
end
and
the
email
service
here
can
get
connections
from
the
checkout
service
and
so
on.
A
But
no
one
likes
to
look
at
Germans
right,
Amazon,
not
easy
to
understand
so,
hopefully,
I
should
have
here
if
I,
refresh,
I,
guess
yeah
cool,
so
I
got
a
few
pull
request
comments
here
that,
let
me
know
what
is
my
current
status,
so
here's
the
all
the
allowed
connections
I,
have
here
a
pull
request
comment
with
all
the
allowed
Connections.
In
my
application
now
so
I
can
set
up
the
checkout
service.
A
The
front-end
and
the
recommendation
service
can
connect
to
the
product
catalog
service
by
using
TCP
3550
and
the
checkout
service,
and
the
front
end
can
talk
to
the
shipping
service
using
this
part,
and
we
can
also
see
that
it
is
only
the
front
end
that
is
exposed
to
the
outside
world,
which
is
called.
This
is
really
what
we
want
and
we
can
also
get
a
connectivity
map
like
that,
which
is
much
easier
to
understand,
but
tables
are
also
useful,
especially
for
audits,
okay,
so
that's
cool.
What
else
have
you
got.
A
So
there
is
also
this
diff
here,
so
another
pull
request
comments.
That
is
telling
me
the
difference
between
the
previous
state
of
my
application
and
what's
in
this
pull
request
now,
since
the
previous
date
was
that
everything
was
allowed,
all
connections
were
allowed
in
the
cluster,
so
many
many
removed
connections
when
I
apply
this
network
policies.
So
you
can
see
here
that
many
connections
are
no
longer
available,
both
in
cluster
and
also
from
outside
of
the
cluster
to
the
cluster.
So
all
these
connections
are
no
longer
available,
which
is
good.
This
is
what
I
wanted.
A
A
Another
pull
request
comment:
this
is
checking
that
my
connectivity
is
compliant
with
several
high-level
rules,
so
my
ciso,
for
example,
told
me
that
no
FTP
is
allowed
in
the
cluster
or
no
telnet,
no
SMTP,
no
non-secure
protocols
and
all
these
walls
actually
pass,
which
is
nice,
but
I
have
here
a
failing
goal.
So
there
is
another
rule
that
every
micro
service
that
would
like
to
access.
The
payment
service
should
have
a
specific
label,
and
this
rule
is
failing
here
and
we
can
see
in
the
details
here.
A
The
checkout
service
is
trying
to
access
the
payment
service
using
this
protocol
in
Port,
but
it
doesn't
have
the
required
label.
So
you
may
ask:
why
did
synthesis?
Allow
such
failure?
Well,
the
reason
is
that
I
didn't
provide
the
soul
to
the
synthesis
to
the
synthesis
workflow,
because
I
wanted
to
show
you
a
failing
goal
and
this
roller
actually
blocks
this
pull
request
from
being
merged,
which
is
what
I
want
I
don't
want.
A
A
Okay,
so
once
again,
this
was
like
a
green
field,
use
case,
I
started
and
and
I
had
an
application
with
no
network
policies
and
I
started.
The
analysis
and
synthesis
workflow
which
generated
Network
policies,
put
them
into
a
pull
request
and
other
workflows
put
a
pull
request
comments
to
show
me:
the
connectivity
map,
the
connectivity,
diff
and
the
organizational
policy
validity.