The default security settings of a Kubernetes deployment are not hardened or fine-tuned for security. Let's walk through the enhancements and config changes that make it robust and ready for production.
Added: Aug 19, 2024
Slides: 46 pages
Slide Content
Kubernetes Security Hardening
The next 30 mins... 01 Cloud native security intro; 02 Shared responsibility model; 03 Journey from VMs to Microservices; 04 Kubernetes security improvements
Career: Engineering Leader with 2 decades of primary exp in systems, cloud, security, networking. Special interest in serverless, containers and cloud-native offerings. Firm believer of a multi-hybrid cloud future. Community: Organizer of GDG Cloud; former co-organizer of AWS UG Bangalore. Google Developer Expert (GDE) in cloud. Multiple hackathon wins in cloud/security topics. Recognized by Google as a community influencer. runcyoommen https://runcy.me
What being “Cloud Native” means? A cloud computing approach to build & run scalable apps in modern environments such as public, private and hybrid clouds. Technologies such as containers, microservices and serverless are elements of this architecture. Reference: https://en.wikipedia.org/wiki/Cloud_native_computing
So, how exactly should cloud native security differ from traditional network security?
Cloud Features v/s Security Balances. Cloud features: Agility, Self service, Scale, Automation, Pay as you go. Security balances: Gatekeeper, Standards, Control, Centralized, Timely alerts.
Shared Responsibility Model
Let’s begin the journey… from MONOLITH to M-I-C-R-O-S-E-R-V-I-C-E-S
VM Container
Portability – Abstract apps from host; easy to run on any platform. Scalability – Containerized apps can handle increasing workload. Security – App isolation ensures separate containers run independently. Continuity – Failure of one will not influence the state of others. Easy Management – Performs orchestration, workload management, automated installation.
How did we get here?
LET'S FIX THE BREAKING K8s
Hardening #1: Ensure each container has a configured... Memory request & limit; CPU request & limit; Liveness probe; Readiness probe
Overview of hardening. Memory requests & limits: Mem requests allocate guaranteed memory to pods in the cluster; mem limits restrict max memory resources to pods in the cluster. CPU requests & limits: CPU requests enable guaranteed computing to pods in the cluster; CPU limits restrict max computing resources to pods in the cluster. Liveness & Readiness probe: Liveness probe determines when a pod should be replaced (resiliency); readiness probe determines when a pod is ready to accept traffic.
Remediation: Set memory requests & limits. Set CPU requests & limits.
Remediation: Configure liveness probe with HTTP req, TCP protocol or exec command. Configure readiness probe with HTTP req, TCP protocol or exec command.
Hardening #2 Prevent deploying naked pods
Overview of hardening. It's preferable to manage services and applications using higher-level resources like Deployments, StatefulSets and DaemonSets instead of raw Pod resources. These are necessary to configure & maintain a stable cluster.
Remediation: Deploy pods using higher-level resources.
Hardening #3: Use images only with... Pinned (tag) version; Digest (checksum)
Overview of hardening. When an image tag is not descriptive, every time that image is pulled, the version will be different and might break your code. A non-descriptive image tag does not allow an easy rollback to a different image version.
Remediation: Each container image should have a pinned version tag or image ID.
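The remediations for Hardening #1 to #3 combined in one manifest (an added example, not taken from the slides; the workload name, image, port and probe path are assumptions, and the digest is a placeholder):

```yaml
# Added example (constructed): names, image, port and paths are assumptions.
apiVersion: apps/v1
kind: Deployment            # Hardening #2: a controller owns the pods, no naked Pod
metadata:
  name: shop-api
spec:
  replicas: 2
  selector:
    matchLabels:
      app: shop-api
  template:
    metadata:
      labels:
        app: shop-api
    spec:
      containers:
        - name: api
          # Hardening #3: version tag plus digest instead of an unpinned tag.
          # <digest> is a placeholder for the value your registry reports.
          image: "registry.example.com/shop/api:1.4.2@sha256:<digest>"
          ports:
            - containerPort: 8080
          resources:          # Hardening #1: requests and limits for CPU and memory
            requests:
              cpu: 250m
              memory: 256Mi
            limits:
              cpu: 500m
              memory: 512Mi
          livenessProbe:      # HTTP check; repeated failure restarts the container
            httpGet:
              path: /healthz
              port: 8080
            initialDelaySeconds: 10
            periodSeconds: 10
            failureThreshold: 3
          readinessProbe:     # TCP check; failure removes the pod from Service endpoints
            tcpSocket:
              port: 8080
            periodSeconds: 5
```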
Overview of hardening. Prevent access to underlying host: Pods can use host bind mounts (dirs and vols mounted on container host); using hostPath may enable a break-out from the container and access to the host. Prevent command execution: As an example, 'kubectl exec' allows executing a command in a container. Prevent privilege escalation: Containers allow privilege escalation by default; attackers may utilise this to manipulate an app or process. Prevent running with root: Having non-root execution provides better assurance that apps will function correctly without root privileges; it is recommended to run with the least privileges possible.
Remediation: Refrain from using hostPath mount. Refrain from setting exec, create in your Role.
Remediation: Set allowPrivilegeEscalation to false. Set runAsNonRoot to true.
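The four remediations above written out as a workload plus a Role (an added example, not taken from the slides; the names, namespace, image and UID are assumptions):

```yaml
# Added example (constructed): names, namespace, image and UID are assumptions.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: shop-api
  namespace: shop
spec:
  replicas: 2
  selector:
    matchLabels: {app: shop-api}
  template:
    metadata:
      labels: {app: shop-api}
    spec:
      securityContext:
        runAsNonRoot: true          # kubelet refuses to start a container that would run as UID 0
        runAsUser: 10001
      containers:
        - name: api
          image: "registry.example.com/shop/api:1.4.2"
          securityContext:
            allowPrivilegeEscalation: false   # process cannot gain more privileges than its parent
          volumeMounts:
            - name: scratch
              mountPath: /tmp
      volumes:
        - name: scratch
          emptyDir: {}              # pod-local scratch space in place of a hostPath mount
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: pod-viewer
  namespace: shop
rules:
  - apiGroups: [""]
    resources: ["pods", "pods/log"]
    verbs: ["get", "list", "watch"]
    # "pods/exec" with verb "create" is deliberately absent, so subjects
    # bound only to this Role cannot run kubectl exec in the namespace.
```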
Hardening #5: Configure HPA with... Minimum replicas; Maximum replicas
Overview of hardening. HPA doesn't have min replicas / HPA doesn't have max replicas: when auto-scaling on resource utilization is triggered with the Horizontal Pod Autoscaler, acceptable values must be set to prevent unintended scale.
Remediation: Configure HPA with minReplicas and maxReplicas values.
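An HPA with both bounds set (an added example, not taken from the slides; the target Deployment name and the numbers are assumptions):

```yaml
# Added example (constructed): target name, bounds and threshold are assumptions.
apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata:
  name: shop-api
spec:
  scaleTargetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: shop-api
  minReplicas: 2        # floor: never scale below this, even when idle
  maxReplicas: 10       # ceiling: caps cost and node pressure during a spike
  metrics:
    - type: Resource
      resource:
        name: cpu
        target:
          type: Utilization
          averageUtilization: 70   # percent of the containers' CPU request
```

With a Utilization target the percentage is measured against the containers' CPU requests, so the requests from Hardening #1 must be set on the target workload.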
Overview of hardening. By default, a CronJob allows concurrently running jobs, but it would be more deterministic if this were prevented; allowing concurrency requires locking to avoid race conditions. When the CronJob controller misses more than 100 schedules, the job is no longer scheduled; it counts how many schedules were missed since lastScheduleTime.
Remediation: Set a deadline to reduce the number of missed schedules and increase CronJob reliability. Set concurrencyPolicy to either Forbid or Replace.
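A CronJob with both settings applied (an added example, not taken from the slides; the job name, schedule, image and numeric values are assumptions):

```yaml
# Added example (constructed): name, schedule, image and values are assumptions.
apiVersion: batch/v1
kind: CronJob
metadata:
  name: nightly-report
spec:
  schedule: "0 2 * * *"
  concurrencyPolicy: Forbid        # skip a new run while the previous one is still active
  startingDeadlineSeconds: 300     # a run that cannot start within 5 minutes counts as missed
  successfulJobsHistoryLimit: 3
  failedJobsHistoryLimit: 3
  jobTemplate:
    spec:
      backoffLimit: 2              # retries before the Job is marked failed
      activeDeadlineSeconds: 1800  # hard stop for a run that hangs
      template:
        spec:
          restartPolicy: Never
          containers:
            - name: report
              image: "registry.example.com/shop/report:2.0.1"
              resources:
                requests: {cpu: 100m, memory: 128Mi}
                limits: {cpu: 500m, memory: 256Mi}
```

When startingDeadlineSeconds is set, the controller counts missed schedules only within that window instead of since lastScheduleTime, which for this daily schedule keeps the count far below the limit of 100.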