Docker Meetup Marseille/Aix-en-Provence, South France, May 28th 2018
and
Docker Meetup Nice, South France, May 29th 2018
Using Kubernetes in production brings us great benefits with flexible deployments for scaling our applications. But we’re facing some new challenges: securing our clusters, hardening our Container Images and protecting the live system against possible network attacks from the outside and the inside.
In this talk we’re covering hot topics like securing the Kubernetes cluster and nodes, Image Hardening and Image Scanning, and protecting the Kubernetes network against typical attacks. With a few slides and mostly live demos we’ll dig into today’s security challenges and present solutions to integrate into your CI/CD workflow and even to protect your Kubernetes workload actively with a Container Firewall.
1. real-time & run-time
Container Security
for Kubernetes and Docker
Dieter Reuter, Docker Captain
@Quintus23M - dieter@neuvector.com
Docker Meetup Aix-en-Provence - May 28th, 2018
2. About Me
Name: Dieter Reuter
started using Docker five years ago
Docker Captain since April 2016
Docker Pirate @HypriotTweets,
building an OS for running Docker on Raspberry Pi
- we pushed Docker to ARM!
Container Security Expert & Chief Solutions Architect @NeuVector Inc.
(btw. the coolest container security startup, based in Silicon Valley - San Jose, CA)
Contact me:
Twitter: @Quintus23M
Email: dieter@neuvector.com
LinkedIn: dieter-reuter
Credits: Drawings by Laurel from @laurelcomics
4. Why should we care about Security?
We are responsible for the systems we ship
We have to protect our customers’ sensitive data
We have to secure the container run-time environment (Host OS, Docker engine, Kubernetes system)
But we still ship (old) vulnerable software
We use vulnerable base images, not really optimised or hardened for security
Every day new Open Source vulnerabilities are disclosed
New risks and new attacks arise daily
“Containers are already secure by default!” - really?
8. How to improve security?
Prevent & Report
- establish Image Scanning (Docker EE DTR, Clair, …) and integrate it into CI/CD
- harden the Host OS and Container Run-Time (Docker/Kubernetes CIS Benchmark)(*)
- secure and harden your Docker Images
Detect & Alert
- continuous Vulnerability Scanning of Hosts and all running Containers(*)
- regain Visibility into your Container Workloads(*)
- observe Container Activities in Real-Time (processes, files, network, using DPI)(*)
- alert on threats and violations to SIEM systems like Splunk or ELK(*)
Enforce & Protect
- lock down Container Behaviour to whitelisted activities only(*)
- inspect Network Traffic (w/ Layer-7 DPI) and block suspicious Connections(*)
- pro-active Real-Time Protection w/ an IDS like a Container Firewall(*)
(*)Features from NeuVector Multi-Vector Container Security Platform
12. Key Take-Aways
Run the Docker & Kubernetes CIS Benchmarks and adapt your systems’ security accordingly
Use RBAC, TLS certificates and rotate keys regularly
Apply AppArmor, Seccomp & Cgroup limits (even if this is time consuming)
Privileged Containers with a root process mean literally “root access” to the Host
Accessing the Docker socket (aka Docker API) is also “root access” to the Host
Container Security tooling is essential; standard Docker and Kubernetes alone fall short
Use different Security Tools to double check, don’t rely on a single vendor
Prevention with Image Scanning is great, but really not enough
- it only makes sure you are immune against the known/published attacks
- hardening/locking down your Images makes you stronger, but there is still room for improvement
The most important step is supervising the Run-Time and Production Environment
- detection, alerting and active protection are key to fight against all unknown/new attacks!
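The take-aways about privileged containers, the Docker socket and AppArmor/Seccomp can be turned into a quick manifest audit. The following is an added example (not code from the talk or from NeuVector) that checks a constructed pod manifest for those four risks; the manifest, the container names and the finding strings are made up for the demo.

```python
"""Static checks for a Kubernetes pod manifest: privileged containers, host
Docker socket mounts, containers that may run as root, and missing
seccomp/AppArmor profiles (the risks listed in the take-aways)."""
import json

# Constructed sample manifest (hypothetical, not taken from any real cluster).
SAMPLE_POD = json.loads("""
{"apiVersion": "v1", "kind": "Pod",
 "metadata": {"name": "ci-runner", "annotations": {}},
 "spec": {
   "volumes": [{"name": "dock", "hostPath": {"path": "/var/run/docker.sock"}}],
   "containers": [
     {"name": "runner", "image": "runner:latest",
      "securityContext": {"privileged": true},
      "volumeMounts": [{"name": "dock", "mountPath": "/var/run/docker.sock"}]},
     {"name": "sidecar", "image": "sidecar:1.0",
      "securityContext": {"runAsNonRoot": true,
                          "seccompProfile": {"type": "RuntimeDefault"}}}
   ]}}
""")

DOCKER_SOCKET = "/var/run/docker.sock"
# AppArmor is bound to a container through this pod annotation prefix.
APPARMOR_PREFIX = "container.apparmor.security.beta.kubernetes.io/"


def audit_pod(pod):
    """Return a list of (container name, finding) tuples for a pod dict."""
    findings = []
    spec = pod.get("spec", {})
    annotations = pod.get("metadata", {}).get("annotations") or {}
    pod_sc = spec.get("securityContext") or {}
    # Resolve volume names to host paths so mounts can be checked by path.
    host_paths = {v["name"]: v["hostPath"]["path"]
                  for v in spec.get("volumes", []) if "hostPath" in v}
    for c in spec.get("containers", []):
        name, sc = c["name"], c.get("securityContext") or {}
        if sc.get("privileged"):
            findings.append((name, "privileged container: root access to the host"))
        for m in c.get("volumeMounts", []):
            if host_paths.get(m["name"], "").rstrip("/") == DOCKER_SOCKET:
                findings.append((name, "mounts the Docker socket: root access to the host"))
        if not sc.get("runAsNonRoot") and sc.get("runAsUser", 0) == 0:
            findings.append((name, "may run as root (no runAsNonRoot/runAsUser)"))
        if not (sc.get("seccompProfile") or pod_sc.get("seccompProfile")):
            findings.append((name, "no seccomp profile"))
        if APPARMOR_PREFIX + name not in annotations:
            findings.append((name, "no AppArmor profile annotation"))
    return findings


if __name__ == "__main__":
    for container, finding in audit_pod(SAMPLE_POD):
        print(f"{container}: {finding}")
```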