Description
How to Secure Your Kubernetes Clusters - Cindy Blake, GitLab
About Cindy Blake
I am a solutions strategist at the core with a focus on cyber security. I'm passionate about making application security mainstream by changing the way app sec tools are used, by whom, and what outcome is expected. Ask me about pragmatic steps to truly integrate security into DevOps using workflows that are more effective, efficient, and transparent.
Join us for KubeCon + CloudNativeCon in San Diego November 18 - 21. Learn more at https://bit.ly/2XTN3ho. The conference features presentations from developers and end users of Kubernetes, Prometheus, Envoy and all of the other CNCF-hosted projects.
Hi, happy Holi. I know it's a day late; I had fun with that. Yesterday a GitLab reseller of ours, Lyra, was kind enough to take me into their office and let me experience the Holi festival with them. So I'm happy to be here from GitLab (oops, wrong direction), and I'm going to be talking about how to secure your Kubernetes clusters, but I also want to make sure to talk more broadly about cloud security in general, because Kubernetes is a piece of that.

But if you're not looking at the overall picture, you won't be secure and manage your risk. I really believe that we're into a new era where security is going to be much more of a software-defined environment, and I'll explain a little bit about why that is. But you can imagine, applications in general are becoming almost a network unto themselves, so you've got pods and clusters and everything's talking to each other within an environment. It's very, very different than the traditional on-premise environment, where it's much more about protecting the perimeter.

So as an application moves around from cloud to cloud, that security needs to follow it, and so it's a different mindset and a different approach. And along with that, some of the key trends that kind of come to bear: you know, everyone wants to shift left, and recognizes that it's far less expensive to identify vulnerabilities and remediate them early in the lifecycle.

It's been a hot topic recently, though, started by Forrester, and now Gartner and others are talking about it, which kind of tells you that it's becoming a little bit more mainstream. And the premise is that there's not a perimeter to protect, that the bad guys are going to get in. So you need to look at the security of your data and your applications, assuming that the bad guys are going to get into your networking and get exposed.

Microservices is another really important piece, as well as APIs and dependencies. So there's a reluctance, I think, in some to worry about scanning for vulnerabilities in dependencies, because there's the thought that, well, so many people are using open source that surely it is secure, and that's really not the case. That's one of the weakest links, because if a bad guy can get a vulnerability into an open-source component that's used by lots and lots of companies, they've just broadened their scope and their reach. So it's a very vulnerable area.

Breaking a monolithic application into many more applications sort of breaks a traditional application security approach, where you're scanning your applications, usually sometime in the test environment, and you're getting charged by the application. Now, I talked to a customer on Monday and they were taking a monolithic application and breaking it into 42; well, that just increased their security cost 42 times. So you've got to think about this a little bit differently.

Now, cloud requires a shared accountability, and I created this slide to show not definitive roles and responsibilities, but more of primary roles and responsibilities. So the cloud providers are doing some of this, security vendors are doing some, and the cloud providers are starting to do more. I don't know if you saw, a couple weeks ago at RSA in California, Microsoft and Google both announced more or less SIEM capabilities, security information and event management capabilities.

So the landscape here is changing, and when I ran this by our infrastructure people, they said, you know, we really deal with something in every box here. So take this with a grain of salt, but in terms of primary responsibilities, it's a shared environment. Now, when you take the application layer and you wrapper that in containers, and you wrapper that in orchestration, it increases your attack surface. So now you need to think in the container space.

Authentication and access is really key. So what Liz showed around role-based access, that's really, really important in the Kubernetes space, as well as network policies, and you saw some of that. And it's really kind of the Wild West right now in terms of setting those policies. There are some best practices, but it's still, I think, very early as an industry; we're kind of on alert there. So I want to show you: I attended a demonstration of a Kubernetes attack at RSA a couple weeks ago, and actually Liz.

So again, it kind of goes back to the weak link, which oftentimes is the open-source dependency. So you want to make sure that you're scanning those. Now, in terms of Kubernetes threats, The New Stack has a good ebook here. At GitLab, we're all about reusing things when we can and giving credit where it's due. So this is a really good ebook.

In fact, back here, one of the things that I missed, a key point, is that 90% of the preventive measures here have to do with configuration, and configuration is very challenging right now, but it's very important as well. And in fact, the Center for Internet Security has a benchmark, and this, I'm told, is one of the best places if you want to do your own configuration.

I think if it were me, I'd want to hire somebody like Karthik, but he'd tell me no. But if you're taking the do-it-yourself approach, this is a little hard to find, by the way, so I'll start it: it's under Virtualization Platforms and Cloud, because the benchmarks are vast and there's lots of information here. But I would encourage you to think about which settings you need to make in order to really be secure, because a lot of the default settings are not the most secure, so you really have to think through

all of those. Which brings me to the broader picture of cloud computing and securing the cloud. I would argue that there's three key principles going forward. I want to give you some thoughts on where I think this space is going to go, so that if you're looking for what tools to invest in, who to follow, that sort of thing, it will give you some direction and some ideas. So, number one: security needs to be an outcome, not a department.

Now, the CISO at VMware, he was on stage at RSA as a keynote, and I love this quote. He said your most important security product won't be a security product, and we've seen that with 451 also; they are an analyst company, and they really felt like the new direction is that securing your applications is going to come from a combination of your cloud provider and, more likely, your software development lifecycle tools. So you're going to embed security into your development process, and that's the way that it's going to be successful.

So key principle number two would be breadth before depth. So if you're focusing, for instance, only on Kubernetes security, you're missing the container side of things, you're missing the dependency vulnerabilities, you're missing a lot of other elements. If you are doing vulnerability scanning and, let's say, you're only doing SAST, or you're only doing static or dynamic testing and you're going really deep on particular applications,

you may be leaving the window open here in terms of additional applications that are your weak link in the back door. And so you can't think about just mission-critical apps, because remember, I can laterally traverse and go from one application to another, and so you need to think through those kinds of permissions. So when you're thinking through your Kubernetes settings, for instance, if I have an application for HR, it probably shouldn't be talking to my point-of-sale application.
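The HR versus point-of-sale separation described above, written out as Kubernetes NetworkPolicy objects. This is an added illustration, not configuration from the talk or from GitLab; the namespace names (pos, hr) and pod labels (app: pos-api, app: pos-frontend) are constructed, and it assumes a network plugin that enforces NetworkPolicy.

```yaml
# Constructed example: lock down the point-of-sale namespace so that pods in
# the hr namespace (or any other namespace) cannot reach its services.
---
# Default deny: as soon as a NetworkPolicy selects a pod, only traffic that some
# policy explicitly allows is permitted. An empty podSelector selects every pod
# in the namespace, and listing Ingress with no rules drops all inbound traffic.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: pos
spec:
  podSelector: {}
  policyTypes:
  - Ingress
---
# Allow-list: only the POS frontend, in the same namespace, may reach the
# POS API on its service port. No rule matches pods from hr, so HR -> POS
# connections are dropped by the default-deny policy above.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: pos-api-allow-frontend
  namespace: pos
spec:
  podSelector:
    matchLabels:
      app: pos-api
  policyTypes:
  - Ingress
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: pos-frontend
    ports:
    - protocol: TCP
      port: 8443   # constructed: the port the POS API listens on
```

After applying both objects, a connection attempt from a pod in the hr namespace to the POS API should time out; if it still succeeds, the cluster's network plugin is not enforcing NetworkPolicy and the policies are silently ignored.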
So those are the kinds of settings that you can make in Kubernetes, but you want to make sure that you're thinking broadly. Now, one way to think broadly would be to test every line of code. The traditional application security approach would be: I'm gonna test my mission-critical applications, and I'm gonna

do it again, sort of near the end of my development lifecycle, and I'm gonna go really, really deep. But the problem with that is then I've got to get that information back from security over to development, and prioritize and chase down those vulnerabilities and get them triaged. If you can do all of these tests, so static, dynamic, dependency scanning, container scanning and license management, all right within your pipeline

when you commit your code, then you're taking that broad approach of testing everything. You know, another good analogy to that would be when you go to the airport and everybody gets scanned, right? If you have a ticket and you're going in, you're gonna have to, you know, stand in the machine and get scanned; all of your bags get scanned. Now, some get pulled aside for a more thorough scan, but they're scanning everything, at least at some level. So you should think through application security testing in a similar way.
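The "run all of these tests in your pipeline on every commit" point, as an added example of a .gitlab-ci.yml that pulls in GitLab's scanner templates for static, dynamic, dependency, container and license scanning. This is written for this page, not taken from the talk; it assumes the project has a Dockerfile at its root and the DAST_WEBSITE value is a constructed placeholder for a deployed staging instance.

```yaml
# Constructed example .gitlab-ci.yml: every commit gets every scanner,
# so results come back to the developer who just made the change.
stages:
  - build
  - test   # SAST, dependency, container and license scanning run in this stage
  - dast   # DAST runs against a deployed instance after the test stage

include:
  - template: Security/SAST.gitlab-ci.yml
  - template: Security/Dependency-Scanning.gitlab-ci.yml
  - template: Security/Container-Scanning.gitlab-ci.yml
  - template: Security/License-Scanning.gitlab-ci.yml
  - template: Security/DAST.gitlab-ci.yml

# Build and push the image so the container scanner has something to inspect.
# The tag matches the default image name the Container-Scanning template uses.
build_image:
  stage: build
  image: docker:stable
  services:
    - docker:dind
  script:
    - docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" "$CI_REGISTRY"
    - docker build -t "$CI_REGISTRY_IMAGE/$CI_COMMIT_REF_SLUG:$CI_COMMIT_SHA" .
    - docker push "$CI_REGISTRY_IMAGE/$CI_COMMIT_REF_SLUG:$CI_COMMIT_SHA"

variables:
  # Constructed placeholder: the staging/review URL that DAST should probe.
  DAST_WEBSITE: https://staging.example.invalid
```

Each scanner job uploads a report artifact that the merge request shows alongside the diff, which is what makes the "here's the vulnerabilities this commit created" feedback loop possible.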
What this allows you to do, then, by scanning everything when you commit your code, is have much faster cycle time. So we talked about the clash between the iterative development process and the security at the end. Well, the way to resolve it is, if you're testing everything every time you commit your code, then the developer's getting information back. So I write this code, I commit it, here's the vulnerabilities that it created, so I've removed all of that friction in the process where things could happen.

You know, the testing happens later and comes back maybe a week later, and you have to track down what line of code was it that caused the problem, where was it that I need to go to fix this. So if you're doing it more iteratively, in smaller bites, the other advantage to that is my scans take less time, because I'm doing it for whatever code change I make, not the whole thing, and it can just be much more efficient and effective.

So then what goes on to your security department are those things that you, the developers, are not able to resolve. So maybe you're not sure if there's a compensating control, so you're not sure if you should dismiss this vulnerability or not, or you're not sure of the best way to resolve it, or it's going to take a long time and really needs to be prioritized, so you want to create an issue for that later.

Now, the last point, in terms of key directions for the new IT, and securing the new IT, is that simplicity and integration will always win. I'd like to use the analogy between your cell phone and your camera, and the other one would be your microwave. How many buttons do you have on your microwave, and you usually just use the one-minute one, right, or the popcorn, maybe? For the cell phone, you know,

you know, with GitLab we're all remote, and we have an employee meetup globally every 9 or 10 months, and we were in South Africa in August, and I took my digital camera because I thought I'm gonna get these spectacular pictures. But in the end I realized I don't want the pictures to just stay on my phone; I want to share them. And so I have my cell phone with me all the time; I don't necessarily always have my camera. You know, with the separate camera you've got to make sure it's charged,

you've got to make sure it's got storage. I take the picture, it's good enough with my phone, and immediately I can upload it to Facebook or text it to my kids or whatever, and it's that integration that is so, so important. So when you think about having one application across the entire software development lifecycle, that simplicity and that integration is really something that can add value that you can't get when you're stitching together a DevOps tool chain. The other element of that is kind of a single source of truth, and so everybody's

looking at the same thing. DevSecOps: I think in the end the Sec of DevSecOps is going to disappear. If we're all successful, Sec will become ubiquitous and just built into Dev and Ops. So I hope those are good thoughts for you, and I know I'm the only thing standing between you and lunch, so I appreciate your attention and your patience. Thank you so much.