Monitoring & Securing
Microservices in
Kubernetes
Michael Ducy - @mfdii - Sysdig
5 Principles
1. Monitor containers and what’s inside them.
2. Alert on service performance, not container performance.
3. Monitor APIs.
4. Secure the container runtime environment.
5. Provide incident and forensic analysis for containers.
Let’s talk about Microservices
A quick refresher
• Let’s define microservices:
The term "Microservice Architecture" has sprung up over the last few years to describe
a particular way of designing software applications as suites of independently
deployable services. While there is no precise definition of this architectural style, there
are certain common characteristics around organization around business capability,
automated deployment, intelligence in the endpoints, and decentralized control of
languages and data.
http://www.martinfowler.com/articles/microservices.html
Stop, It’s not SOA
• Services tend to have smaller concerns than SOA Services
• Architectural concepts incorporate innovations:
– In Infrastructure
– In Automation
– In Continuous Delivery
– In Development
– In Monitoring
http://www.martinfowler.com/articles/microservices.html
What you think it looks like
http://microservices.io/i/Microservice_Architecture.png
What it really looks like.
https://www.appcentrica.com/wp-content/uploads/2016/11/Microservices-Architecture-1.png
But it’s probably more like
https://i.stack.imgur.com/y27IV.png
Let’s talk about Containers
What’s a Container?
Containers ARE NOT lightweight VMs.
What’s a Container?
A combination of:
● An image
● Cgroups
● Namespaces
● Linux Security Modules:
○ SELinux, AppArmor, seccomp
Containers vs. Zones vs. Jails vs. VMs
Thanks to Jessie Frazelle (@jessfraz) for this slide https://goo.gl/7fVKFa
Containers: Cgroups + Namespaces + LSMs (assembled from separate kernel primitives, not a single kernel object)
Zones: First class concept
Jails: First class concept
VMs: First class concept
Read more about this here: https://blog.jessfraz.com/post/containers-zones-jails-vms/
What’s a Container
The Old Way: Heavy, Non Portable. Artifacts: Application Artifact, Virtual Machine Artifact.
The New Way: Light, Easily Portable. Artifact: Container Artifact.
cgroups
Control Groups
Limits the quantity of a resource that can be consumed.
Memory, CPU, Net, etc
namespaces
Limits what resources can be accessed

Namespace   Clone flag         Isolates
Cgroup      CLONE_NEWCGROUP    Cgroup root directory
IPC         CLONE_NEWIPC       System V IPC, POSIX message queues
Network     CLONE_NEWNET       Network devices, stacks, ports, etc.
Mount       CLONE_NEWNS        Mount points
PID         CLONE_NEWPID       Process IDs
User        CLONE_NEWUSER      User and group IDs
UTS         CLONE_NEWUTS       Hostname and NIS domain name
Linux Security Modules
SELinux
System wide execution policy
AppArmor
System wide execution policy, focused on processes
Seccomp
Per process system call isolation
Why is it magic?
Container Image + Container Runtime (cgroup, namespace, LSM)
Containers + Microservices
Containers: Limited scope; Easily deployable; Immutable; Versionable
Microservices: Limited scope; CD used for deployment; Service guarantees; Versionable API
Containers make
Microservices easier.
https://i.stack.imgur.com/y27IV.png
https://www.appcentrica.com/wp-content/uploads/2016/11/Microservices-Architecture-1.png
The Five Principles
5 Principles
1. Monitor containers and what’s inside them.
2. Alert on service performance, not container performance.
3. Monitor APIs.
4. Secure the container runtime environment.
5. Provide incident and forensic analysis for containers.
A Paradigm Shift
Traditional management focuses on apps running on VMs and hosts.
Containers shift the management focus to apps running as isolated processes.
Monitor Containers & What’s Inside
Monitoring needs to focus on:
● Isolated processes in the context of the container
○ Resource limits
● Isolated processes in the context of the orchestrator
○ Resource limits
○ Scaling limits
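The two kinds of limits this slide names are easy to check mechanically before a workload reaches the cluster. The following is an added example (not code from the deck or from Sysdig): it inspects a Pod spec for containers without CPU/memory requests and limits, and a HorizontalPodAutoscaler for a missing upper bound. The manifests, names and image references (registry.example.com, shop-api) are constructed for the example.

```python
"""Check the two kinds of limits the slide names: per-container resource limits
(enforced by cgroups) and orchestrator scaling limits (HPA maxReplicas).
Added example; the manifests are constructed, not taken from any real cluster."""
from typing import Dict, List


def resource_limit_findings(pod: Dict) -> List[str]:
    """Report containers that lack CPU/memory requests or limits.

    Without limits a container can consume the whole node; without requests
    the scheduler cannot place it sensibly and it is first to be evicted."""
    findings = []
    spec = pod["spec"]
    containers = spec.get("initContainers", []) + spec.get("containers", [])
    for c in containers:
        res = c.get("resources", {})
        limits, requests = res.get("limits", {}), res.get("requests", {})
        for kind in ("cpu", "memory"):
            if kind not in limits:
                findings.append(f"{c['name']}: no {kind} limit")
            if kind not in requests:
                findings.append(f"{c['name']}: no {kind} request")
    return findings


def scaling_limit_findings(hpa: Dict) -> List[str]:
    """Report an autoscaler with no upper bound or an inverted min/max."""
    spec = hpa.get("spec", {})
    name = hpa["metadata"]["name"]
    findings = []
    if "maxReplicas" not in spec:
        findings.append(f"{name}: no maxReplicas, autoscaler is unbounded")
    elif spec.get("minReplicas", 1) > spec["maxReplicas"]:
        findings.append(f"{name}: minReplicas exceeds maxReplicas")
    return findings


# Constructed Pod: 'api' is fully specified, 'sidecar' only has a memory limit.
POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "shop-api"},
    "spec": {"containers": [
        {"name": "api", "image": "registry.example.com/shop/api:1.4.2",
         "resources": {"requests": {"cpu": "250m", "memory": "256Mi"},
                       "limits": {"cpu": "500m", "memory": "512Mi"}}},
        {"name": "sidecar", "image": "registry.example.com/shop/proxy:2.0",
         "resources": {"limits": {"memory": "128Mi"}}},
    ]},
}

# Constructed HPA that forgot maxReplicas.
HPA = {
    "apiVersion": "autoscaling/v2", "kind": "HorizontalPodAutoscaler",
    "metadata": {"name": "shop-api"},
    "spec": {"scaleTargetRef": {"kind": "Deployment", "name": "shop-api"},
             "minReplicas": 2},
}

if __name__ == "__main__":
    for line in resource_limit_findings(POD) + scaling_limit_findings(HPA):
        print(line)
```

Run against the constructed manifests it reports the sidecar's missing CPU limit and both missing requests, and the unbounded autoscaler; the same functions work on manifests loaded from YAML, since they only walk the dictionary structure.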
Monitor Containers & What’s Inside
Monitoring needs to focus on:
● Monitoring the application itself.
● Discovery of metrics for your language runtime,
application services, database, etc
● Discovery of metrics exposed by developers
○ Prometheus, JMX, etc
5 Principles
1. Monitor containers and what’s inside them.
2. Alert on service performance, not container performance.
3. Monitor APIs.
4. Secure the container runtime environment.
5. Provide incident and forensic analysis for containers.
Average VM life:
23 Days
Average container life:
2.5 Days
Alert on service performance,
not container performance.
Alert on service performance,
not container performance.
● Containers don’t last long.
● Orchestration systems should monitor individual containers and take action.
○ Resource limits are important!
● Operators and Developers should worry about:
“Is the thing doing the thing it’s supposed
to be doing, and in a timely manner”
5 Principles
1. Monitor containers and what’s inside them.
2. Alert on service performance, not container performance.
3. Monitor APIs.
4. Secure the container runtime environment.
5. Provide incident and forensic analysis for containers.
Monitor your APIs
Monitor your APIs
● APIs are the primary communication path for your Microservices
● Monitoring API health is important to:
○ Catch bottlenecks in certain methods/functions/endpoints
○ See frequently used methods/functions/endpoints
○ Trace behavior of your application through multiple systems
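The two preceding slides make one point between them: aggregate by service, because individual containers come and go, and then look inside the service at its API endpoints to find the bottleneck. The block below is an added example (not the deck's or Sysdig's code) that does both over a constructed request log in which the `checkout` service ran in two short-lived containers, `c1` and `c2`, neither of which alone has enough samples to alert on. Service names, endpoints and the SLO thresholds are assumptions for the example.

```python
"""Alert on service-level signals computed across all containers of a service,
and rank endpoints to find bottlenecks. Added example, not from the deck;
SAMPLES is a constructed request log."""
import math
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Request:
    service: str
    container: str     # container id, changes on every restart or redeploy
    endpoint: str      # method + path
    latency_ms: float
    status: int


SAMPLES = [
    Request("checkout", "c1", "POST /cart", 120, 200),
    Request("checkout", "c1", "POST /cart", 150, 200),
    Request("checkout", "c1", "POST /checkout", 800, 200),
    Request("checkout", "c1", "POST /checkout", 900, 500),
    Request("checkout", "c1", "GET /cart", 90, 200),
    Request("checkout", "c2", "POST /cart", 130, 200),
    Request("checkout", "c2", "POST /checkout", 850, 200),
    Request("checkout", "c2", "POST /checkout", 950, 503),
    Request("checkout", "c2", "GET /cart", 95, 200),
    Request("checkout", "c2", "GET /cart", 100, 200),
    Request("catalog", "c3", "GET /items", 40, 200),
    Request("catalog", "c3", "GET /items", 45, 200),
    Request("catalog", "c3", "GET /items/1", 60, 200),
    Request("catalog", "c3", "GET /items/2", 55, 200),
    Request("catalog", "c3", "GET /items", 50, 200),
]


def percentile(values: List[float], p: float) -> float:
    """Linear-interpolated percentile, p in [0, 1]."""
    s = sorted(values)
    k = (len(s) - 1) * p
    lo, hi = math.floor(k), math.ceil(k)
    return s[lo] + (s[hi] - s[lo]) * (k - lo)


def service_alerts(samples, p99_ms=500.0, max_error_rate=0.05) -> Dict[str, List[str]]:
    """Group by service (not by container) and compare against SLO thresholds."""
    by_service = defaultdict(list)
    for r in samples:
        by_service[r.service].append(r)
    alerts = {}
    for svc, reqs in by_service.items():
        p99 = percentile([r.latency_ms for r in reqs], 0.99)
        error_rate = sum(r.status >= 500 for r in reqs) / len(reqs)
        reasons = []
        if p99 > p99_ms:
            reasons.append(f"p99 latency {p99:.0f}ms exceeds {p99_ms:.0f}ms")
        if error_rate > max_error_rate:
            reasons.append(f"error rate {error_rate:.1%} exceeds {max_error_rate:.0%}")
        if reasons:
            alerts[svc] = reasons
    return alerts


def slowest_endpoints(samples, n=3) -> List[Tuple[str, str, float, int]]:
    """(service, endpoint, p95 ms, call count), slowest first: where the bottleneck is."""
    by_ep = defaultdict(list)
    for r in samples:
        by_ep[(r.service, r.endpoint)].append(r.latency_ms)
    ranked = [(svc, ep, percentile(v, 0.95), len(v)) for (svc, ep), v in by_ep.items()]
    ranked.sort(key=lambda t: t[2], reverse=True)
    return ranked[:n]


if __name__ == "__main__":
    print(service_alerts(SAMPLES))
    for row in slowest_endpoints(SAMPLES):
        print(row)
```

On the constructed log only `checkout` breaches its SLO (p99 latency and error rate), and the endpoint ranking points at `POST /checkout` as the slow method; the container ids play no part in either decision, which is the point of alerting at service level.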
5 Principles
1. Monitor containers and what’s inside them.
2. Alert on service performance, not container performance.
3. Monitor APIs.
4. Secure the container runtime environment.
5. Provide incident and forensic analysis for containers.
Secure the Runtime Environment
Current container security paradigms:
● Image Based
○ Image Scanning
○ Trusted Images
● Orchestrator Security
○ RBAC
● Service Based
○ SPIFFE, Cilium, Service Mesh
● Runtime Security
○ Sysdig Secure, Sysdig Falco
Image Based Security
Image Scanning:
● Scan image for known vulnerabilities
● Still requires process for bringing in upstream security releases
● “Point in Time Compliance”
● Integrate into container build process
● Clair & Anchore
Trusted Images/Registries:
● Cryptographically Sign Images
○ Still “Point in Time”
● Only trust particular container registries.
○ Only as good as your container build process
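A trusted-registry policy is only enforceable if the image reference is parsed correctly, and the "point in time" caveat above is exactly why a tag is not enough: a tag can be re-pushed after the image was scanned or signed, while a digest cannot. The following added example (not the deck's or Sysdig's code) parses image references the way Docker-style clients do, then checks each container in a Pod against a registry allow-list and requires digest pinning. The registry name `registry.example.com` and the Pod are constructed.

```python
"""Admission-style checks on image references: trusted registry, digest pinning,
no mutable tags. Added example, not the deck's or Sysdig's code; the allow-list
and the Pod are constructed."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")
ALLOWED_REGISTRIES = {"registry.example.com"}   # constructed allow-list


@dataclass
class ImageRef:
    registry: str
    repository: str
    tag: Optional[str]
    digest: Optional[str]


def parse_image(ref: str) -> ImageRef:
    """Split registry/repo:tag@sha256:... into its parts.

    The first path component counts as a registry only if it contains '.' or
    ':' or is 'localhost' (the heuristic Docker-style clients use); otherwise
    the default registry docker.io is assumed."""
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    first, sep, rest = ref.partition("/")
    if sep and ("." in first or ":" in first or first == "localhost"):
        registry, path = first, rest
    else:
        registry, path = "docker.io", ref
    tag = None
    if ":" in path.rsplit("/", 1)[-1]:          # a ':' in the last component is a tag
        path, tag = path.rsplit(":", 1)
    return ImageRef(registry, path, tag, digest)


def image_findings(ref: str, allowed: Set[str] = ALLOWED_REGISTRIES) -> List[str]:
    img = parse_image(ref)
    findings = []
    if img.registry not in allowed:
        findings.append(f"registry {img.registry} is not in the trusted list")
    if img.digest is None:
        findings.append("not pinned by digest: the tag can move after it was scanned or signed")
        if img.tag in (None, "latest"):
            findings.append("uses the mutable 'latest' tag")
    elif not DIGEST_RE.match(img.digest):
        findings.append("malformed digest")
    return findings


def pod_image_findings(pod: Dict, allowed: Set[str] = ALLOWED_REGISTRIES) -> Dict[str, List[str]]:
    """Findings per container name, init containers included."""
    spec = pod["spec"]
    return {c["name"]: image_findings(c["image"], allowed)
            for c in spec.get("initContainers", []) + spec.get("containers", [])}


# Constructed Pod: one pinned image, one tagged image, one bare Docker Hub image.
POD = {"spec": {
    "initContainers": [{"name": "init", "image": "busybox"}],
    "containers": [
        {"name": "api", "image": "registry.example.com/shop/api@sha256:" + "a" * 64},
        {"name": "sidecar", "image": "registry.example.com/shop/proxy:2.0"},
    ],
}}

if __name__ == "__main__":
    for name, findings in pod_image_findings(POD).items():
        print(name, findings or "ok")
```

Digest pinning fixes what runs, not whether it is still safe: a pinned image ages just like a tagged one, so the scan still has to be repeated against the running fleet when new vulnerabilities are published.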
Orchestrator Security
Kubernetes RBAC:
● Stable as of Kubernetes 1.8
● Rich ability to limit users’ access to Kubernetes resources
Securing APIs, Dashboards, etc:
● Common exploitation point
● Open API ports to internet
● Exposed dashboards
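RBAC limits what a caller can do, and an exposed API port or dashboard is only as dangerous as the permissions reachable from it. The block below is an added example (not the deck's or Sysdig's code) of a least-privilege review over RBAC objects: it flags wildcard grants, escalation verbs, secret access, and bindings that hand a role to `system:anonymous` or to every authenticated user. The Role, ClusterRole and binding objects are constructed; the subject names and verbs are the real Kubernetes ones.

```python
"""Least-privilege review of Kubernetes RBAC objects. Added example, not from
the deck; the objects below are constructed."""
from typing import Dict, List

ESCALATION_VERBS = {"escalate", "bind", "impersonate"}
BROAD_SUBJECTS = {"system:anonymous", "system:unauthenticated", "system:authenticated"}
READ_VERBS = {"get", "list", "watch", "*"}


def role_findings(role: Dict) -> List[str]:
    """Findings for a Role or ClusterRole."""
    name = f'{role["kind"]}/{role["metadata"]["name"]}'
    findings = []
    for rule in role.get("rules", []):
        verbs = set(rule.get("verbs", []))
        resources = set(rule.get("resources", []))
        if "*" in verbs and "*" in resources:
            findings.append(f"{name}: '*' verbs on '*' resources (cluster-admin equivalent)")
        elif "*" in verbs:
            findings.append(f"{name}: '*' verbs on {sorted(resources)}")
        elif "*" in resources:
            findings.append(f"{name}: {sorted(verbs)} on '*' resources")
        if "secrets" in resources and verbs & READ_VERBS:
            findings.append(f"{name}: can read secrets")
        if resources & {"pods/exec", "pods/attach"}:
            findings.append(f"{name}: can exec into pods")
        if verbs & ESCALATION_VERBS:
            findings.append(f"{name}: has escalation verbs {sorted(verbs & ESCALATION_VERBS)}")
    return findings


def binding_findings(binding: Dict) -> List[str]:
    """Findings for a RoleBinding or ClusterRoleBinding."""
    name = f'{binding["kind"]}/{binding["metadata"]["name"]}'
    findings = []
    for subject in binding.get("subjects", []):
        if subject.get("name") in BROAD_SUBJECTS:
            findings.append(f"{name}: binds {subject['name']}, reachable without a real identity")
    if binding.get("roleRef", {}).get("name") == "cluster-admin":
        findings.append(f"{name}: grants cluster-admin")
    return findings


# Constructed objects: one over-broad ClusterRole, one scoped Role, one bad binding.
ADMIN_ROLE = {"kind": "ClusterRole", "metadata": {"name": "ops-everything"},
              "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]}
LOG_READER = {"kind": "Role", "metadata": {"name": "log-reader", "namespace": "shop"},
              "rules": [{"apiGroups": [""], "resources": ["pods", "pods/log"],
                         "verbs": ["get", "list"]}]}
ANON_BINDING = {"kind": "ClusterRoleBinding", "metadata": {"name": "dashboard-anon"},
                "subjects": [{"kind": "User", "name": "system:anonymous",
                              "apiGroup": "rbac.authorization.k8s.io"}],
                "roleRef": {"kind": "ClusterRole", "name": "cluster-admin",
                            "apiGroup": "rbac.authorization.k8s.io"}}

if __name__ == "__main__":
    for obj in (ADMIN_ROLE, LOG_READER):
        print(role_findings(obj) or f'{obj["metadata"]["name"]}: ok')
    print(binding_findings(ANON_BINDING))
```

The scoped `log-reader` Role passes cleanly; the wildcard ClusterRole and the anonymous cluster-admin binding are each reported, which is the combination that turns an exposed dashboard or API port into full cluster control.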
Service Based
Service Mesh
● Ingress, Egress, Service Discovery, Failure Handling, Service Identity
Admittance Control
● Service Mesh, SPIFFE
Kernel Level Access Control
● API Level Access Control
● Cilium
Runtime Security
● What happens when a container starts/runs?
● Container Images are Immutable
● Runtime environments often aren’t
Runtime Security
● Watches Containers for “Abnormal Behavior”
○ Rules defined by policy
■ CIS, PCI, Organizational Best Practice, etc
○ Rules defined by container baselining
● Action taken based on severity
○ Stop/Kill container
● Should be part of your CD pipeline
○ Ensure developers haven’t added anything new that violates runtime policy.
5 Principles
1. Monitor containers and what’s inside them.
2. Alert on service performance, not container performance.
3. Monitor APIs.
4. Secure the container runtime environment.
5. Provide incident and forensic analysis for containers.
Incident & Forensics Analysis
Incident & Forensics traditionally difficult:
● Bare Metal - Save the Drives
● VM - Snapshot VM state, Keep VM
Containers make Incident & Forensics easier:
● Smaller footprint
● Limited objects in the container
Orchestrators make Incident & Forensics difficult:
● Ephemeral nature of containers
● Rapid deploy cycles
Incident & Forensics Analysis
Container Incident & Forensics Analysis requires:
● Capturing the container before it’s gone
● Capturing the system activity for analysis
● Correlation between abnormal behavior and system activity
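The runtime-security slides and this forensics slide describe one pipeline: policy rules and a behavioural baseline turn system activity into alerts, the severity decides the action, and the activity around the alert is what must be captured before the orchestrator replaces the container. The block below is an added example of that pipeline (not Falco's rule set or Sysdig's code): the rules are written in the spirit of CIS-style policy checks, the baseline is the set of (image, activity, process) triples seen in a known-good run, and the event streams are constructed. Container ids, the image name and the file paths are assumptions for the example.

```python
"""Runtime policy checks over a container's system activity, plus the capture
window an analyst needs afterwards. Added example, not Falco's rule set or
Sysdig's code; the event streams are constructed."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Set, Tuple


@dataclass(frozen=True)
class Event:
    ts: float          # seconds since capture start
    container: str     # container id
    image: str         # image the container runs
    kind: str          # "exec", "open_write" or "connect"
    proc: str          # process name
    target: str = ""   # file path or remote endpoint


@dataclass
class Rule:
    name: str
    severity: str      # "critical", "warning" or "info"
    match: Callable[[Event], bool]


SHELLS = {"sh", "bash", "dash"}
PACKAGE_MANAGERS = {"apt", "apt-get", "apk", "yum", "pip"}

# Policy rules: things an immutable image should never need to do at runtime.
RULES = [
    Rule("shell spawned in container", "critical",
         lambda e: e.kind == "exec" and e.proc in SHELLS),
    Rule("write below /etc", "warning",
         lambda e: e.kind == "open_write" and e.target.startswith("/etc/")),
    Rule("package manager run at runtime", "warning",
         lambda e: e.kind == "exec" and e.proc in PACKAGE_MANAGERS),
]
ACTIONS = {"critical": "kill", "warning": "alert", "info": "log"}


def baseline(events: List[Event]) -> Set[Tuple[str, str, str]]:
    """What a known-good run of an image does, as (image, kind, proc) triples."""
    return {(e.image, e.kind, e.proc) for e in events}


def evaluate(events: List[Event], rules=RULES, known=None) -> List[Dict]:
    """Apply policy rules, then flag anything the baseline never saw."""
    alerts = []
    for e in events:
        for r in rules:
            if r.match(e):
                alerts.append({"rule": r.name, "severity": r.severity,
                               "action": ACTIONS[r.severity], "event": e})
        if known is not None and (e.image, e.kind, e.proc) not in known:
            alerts.append({"rule": "activity not in baseline", "severity": "info",
                           "action": ACTIONS["info"], "event": e})
    return alerts


def activity_window(events: List[Event], alert: Dict, before=5.0, after=5.0) -> List[Event]:
    """The same container's activity around the alert: what to keep for
    forensics before the orchestrator replaces the container."""
    e0 = alert["event"]
    return [e for e in events
            if e.container == e0.container and e0.ts - before <= e.ts <= e0.ts + after]


IMG = "registry.example.com/shop/api:1.4.2"          # constructed image name
BASELINE_EVENTS = [                                  # known-good run in container api-1
    Event(0.0, "api-1", IMG, "exec", "node"),
    Event(1.0, "api-1", IMG, "open_write", "node", "/var/log/app.log"),
    Event(2.0, "api-1", IMG, "connect", "node", "db:5432"),
]
INCIDENT_EVENTS = [                                  # later replacement container api-2
    Event(100.0, "api-2", IMG, "exec", "node"),
    Event(101.0, "api-2", IMG, "connect", "node", "db:5432"),
    Event(110.0, "api-2", IMG, "exec", "sh"),
    Event(111.0, "api-2", IMG, "open_write", "sh", "/etc/crontab"),
    Event(112.0, "api-2", IMG, "exec", "apt-get"),
]

if __name__ == "__main__":
    alerts = evaluate(INCIDENT_EVENTS, known=baseline(BASELINE_EVENTS))
    for a in alerts:
        print(a["severity"], a["action"], a["rule"], a["event"].ts)
    critical = [a for a in alerts if a["severity"] == "critical"][0]
    print("capture:", activity_window(INCIDENT_EVENTS, critical))
```

The known-good run produces no alerts against its own baseline; the incident container trips the shell rule (critical, kill), two warning rules, and three baseline deviations, and the capture window around the critical alert keeps the three events that an analyst would otherwise lose once the container is gone. Running this in the CD pipeline against a test deployment is how the "developers haven't added anything new" check on the previous slide becomes automatic.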
To recap.
Containers change how we monitor applications.
Microservices change how we monitor services.
1. Monitor containers and what’s inside them.
2. Alert on service performance, not container performance.
3. Monitor APIs.
4. Secure the container runtime environment.
5. Provide incident and forensic analysis for containers.
Thank You!
Twitter:
- @sysdig - @mfdii
Sysdig Blog:
- https://sysdig.com/blog/
Sysdig Container Intelligence Platform:
- https://sysdig.com/
Sysdig Trial:
- https://sysdig.com/sign-up