DevSecCon Singapore 2019: Preventative Security for Kubernetes
Liz Rice

The latest Kubernetes version provides many security-related enhancements and controls, but it is far from being secure by default. Kubernetes is a complex orchestration platform with many different implementations across multi-cloud and hybrid environments. Configuring it to comply with security best practices and with an organization's specific security requirements takes time and expertise that most organizations don't possess.

Aqua’s open source tools arm Kubernetes administrators and developers with an easy way to identify weaknesses in their deployments so that they can address those issues before they are exploited by attackers.

During this presentation, we’ll review how these open source tools offer preventive security for Kubernetes:

Kube-Bench: runs a Kubernetes cluster through the 100+ checks documented in the CIS Kubernetes Benchmark.

Kube-Hunter: conducts penetration tests against Kubernetes clusters, hunting for exploitable vulnerabilities and misconfigurations, both from outside the cluster and from inside it (running as a pod).


  1. Preventative Security for Kubernetes. Liz Rice, @lizrice | @aquasecteam (© 2018-19 Aqua Security Software Ltd., All Rights Reserved)
  2. Agenda ■ Kubernetes configuration for security ■ CIS benchmarks – testing the configuration ■ Penetration testing – testing for vulnerabilities
  3. Authored by Liz Rice from Aqua Security and Michael Hausenblas from Red Hat: https://info.aquasec.com/kubernetes-security
  4. Aqua: our approach ■ Automate DevSecOps: secure the CI/CD pipeline; "shift left" security, fix issues early and fast; accelerate app delivery with security automation ■ Modernize security through containers: enforce immutability – no patching, no drift; whitelist good behavior, preventing anomalies; prevent lateral movement ■ Secure once, run anywhere: secure apps regardless of platform, cloud, or OS; enable hybrid cloud and cloud migration; avoid cloud lock-in and security reconfiguration
  5. Automating Security at Every Stage ■ Create software, Build, Deploy ■ Code quality, Security testing, Vulnerability scanning, Image policies, Runtime protection, Host configuration ■ Artifacts free of security defects, Only expected code & config, Detect anomalous behaviour
  6. Kubernetes Host Configuration
  7. Kubernetes configuration: what config settings should I use? ■ Kubernetes components installed on your servers ■ Master & node components ■ Many configuration settings have a security impact ■ Example: open Kubelet port = root access ■ Defaults depend on the installer
  8. CIS Kubernetes Benchmark
  9. kube-bench (github.com/aquasecurity/kube-bench) ■ Open source automated tests for the CIS Kubernetes Benchmark ■ Tests for Kubernetes Masters and Nodes ■ Available as a container
  10. (screenshot, no text)
  11. kube-bench (github.com/aquasecurity/kube-bench) ■ Job configuration YAML ■ Run regularly to ensure no configuration drift ■ Tests defined in YAML ■ Released code follows the CIS Benchmark ■ Modify for your own purposes
  12. Kubernetes & Docker CIS Benchmarks ■ Built into the Aqua CSP ■ Provides a scored report of the results ■ Can be scheduled to run daily
  13. Kubernetes penetration testing
  14. kube-hunter: how do I know the config is working to secure my cluster? ■ Open source penetration tests for Kubernetes ■ See what an attacker would see ■ github.com/aquasecurity/kube-hunter ■ Online report viewer: kube-hunter.aquasec.com
  15. kube-hunter.aquasec.com (screenshot)
  16. (screenshot, no text)
  17. (screenshot, no text)
  18. kube-hunter with kube-bench
  19. (screenshot, no text)
  20. (screenshot, no text)
  21. (screenshot, no text)
  22. kube-hunter inside a pod
  23. kube-hunter inside a pod: what if my app gets compromised? (diagram: Kubernetes cluster, pod, service account token, API server)
  24. kube-hunter inside a pod: what if my app gets compromised? ■ Results depend on RBAC settings ■ and the service account you use for the pod
  25. github.com/aquasecurity/kube-bench | github.com/aquasecurity/kube-hunter | @lizrice | @aquasecteam (© 2018-19 Aqua Security Software Ltd., All Rights Reserved)
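Slide 11's point, running kube-bench from a Job manifest on a schedule so that configuration drift is caught, as an added example that is not from the slides or the kube-bench project's own job.yaml: a CronJob that runs the node checks nightly. The image, subcommand syntax and host mounts are assumptions based on how kube-bench is usually deployed; check them against the project's current manifest and your cluster's API versions.

```yaml
apiVersion: batch/v1                 # assumption: batch/v1beta1 on clusters older than 1.21
kind: CronJob
metadata:
  name: kube-bench-node
  namespace: kube-bench              # assumption: dedicated namespace, created beforehand
spec:
  schedule: "0 2 * * *"              # nightly at 02:00; a diff between runs is the drift signal
  concurrencyPolicy: Forbid
  successfulJobsHistoryLimit: 7      # keep a week of reports readable via kubectl logs
  jobTemplate:
    spec:
      template:
        spec:
          hostPID: true              # the checks inspect host process arguments (kubelet etc.)
          restartPolicy: Never
          containers:
            - name: kube-bench
              image: aquasec/kube-bench:latest   # assumption: pin a specific tag or digest
              command: ["kube-bench", "node"]    # assumption: subcommand syntax varies by version
              volumeMounts:
                - name: var-lib-kubelet
                  mountPath: /var/lib/kubelet
                  readOnly: true
                - name: etc-systemd
                  mountPath: /etc/systemd
                  readOnly: true
                - name: etc-kubernetes
                  mountPath: /etc/kubernetes
                  readOnly: true
          volumes:
            - name: var-lib-kubelet
              hostPath:
                path: /var/lib/kubelet
            - name: etc-systemd
              hostPath:
                path: /etc/systemd
            - name: etc-kubernetes
              hostPath:
                path: /etc/kubernetes
```

Each run's report is readable with kubectl logs on the Job's pod; because a CronJob lands on a single node, add a nodeSelector or run one per node to cover them all.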
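Slides 23 and 24's point, that what a compromised pod can reach through its token depends on the service account and RBAC, as an added example that is not from the slides: a dedicated service account with token automount off by default, a Role limited to a single ConfigMap read, and a pod that opts into the token only because it needs that read. The namespace, image and ConfigMap name are assumed placeholders.

```yaml
# Dedicated account: its token is not mounted into pods unless a pod asks for it.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: app-sa
  namespace: demo                  # assumption: example namespace
automountServiceAccountToken: false
---
# Least privilege: the only thing the app does against the API is read its own ConfigMap.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: app-read-own-config
  namespace: demo
rules:
  - apiGroups: [""]
    resources: ["configmaps"]
    resourceNames: ["app-config"]  # assumption: the ConfigMap the app reads
    verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: app-read-own-config
  namespace: demo
subjects:
  - kind: ServiceAccount
    name: app-sa
    namespace: demo
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: app-read-own-config
---
# The pod opts into the token explicitly. A pod that never calls the API leaves this
# false, so a compromise of the container yields no credential for the API server at all.
apiVersion: v1
kind: Pod
metadata:
  name: app
  namespace: demo
spec:
  serviceAccountName: app-sa
  automountServiceAccountToken: true
  containers:
    - name: app
      image: example.com/app:1.0   # assumption: placeholder image
```

`kubectl auth can-i list secrets -n demo --as=system:serviceaccount:demo:app-sa` should answer no; running kube-hunter inside the pod confirms the same thing from the attacker's point of view.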