"Secure development on Kubernetes"
With the rise of Kubernetes, the Java developer has arrived in the DevOps age as well. Amid the multitude of complex tasks, the necessary security is often neglected. Even in managed clusters of well-known cloud providers, many traps and points of attack are lurking.
In this presentation, essential security-critical components of a Kubernetes cluster will be presented. Security problems and corresponding measures to mitigate them will be shown. All steps are described using live demos with an exemplary Spring Boot Java application that is deployed as a Docker container in a Kubernetes cluster, taking into account recommended security patterns.
Speaker:
Andreas Falk, Novatec Consulting
Talk language: English
About the Speaker:
Andreas Falk has been working in enterprise application development projects for more than twenty years. Currently, he is working as a managing consultant for Novatec Consulting located in Germany.
In various projects he has worked as a consultant, architect, coach, developer, and tester. His focus is on the agile development of cloud-native enterprise Java applications using the complete Spring platform. As a member of the Open Web Application Security Project (OWASP), he also takes a closer look at all aspects of application security. Andreas is a frequent speaker at conferences like Spring I/O, CloudFoundry Summit, Devoxx, and OWASP AppSec.
9. Open ETCD Ports in Kubernetes (2)
$ etcdctl --endpoints=http://xx.xx.xx.xx:2379 cluster-health
member b97ee4034db41d17 is healthy: got healthy result from http://xx.xx.xx.xx:2379
cluster is healthy
https://github.com/etcd-io/etcd/releases
17. Iteration 1: Application Security
https://github.com/andifalk/secure-development-on-kubernetes
Live Demo: Show me the code
18. Application Security 101
▪ Input Validation for ALL types of input
▪ Output Encoding to prevent XSS
▪ Use only Parameterized Queries/Prepared Statements
▪ Enforce Authentication & Authorization
▪ Never implement your own Crypto or Session Management
▪ Check 3rd Party Dependencies for Vulnerabilities
▪ Use Static & Dynamic Application Security Testing
https://cheatsheetseries.owasp.org
https://owasp.org/www-project-top-ten
https://owasp.org/www-project-proactive-controls
19. The Path for Secure Development on K8s: Application Security → Container Security → Kubernetes Security → Kubernetes Secrets
21. Virtual Machine (VM) Basics
Type 1 Virtual Machine Monitor (e.g. ESXi): Physical Hardware → Hypervisor (VMM) → Guest OS → Guest Apps
Type 2 Virtual Machine Monitor (e.g. Workstation): Physical Hardware → Host OS → VMM → Guest OS → Guest Apps
22. Container (Security) Basics
Containers (LXD in the diagram) share the Linux Host (Linux Kernel); each container is built on: Linux Namespaces, Control Groups (cgroups), Capabilities, Mandatory Access Control, Secure Computing Mode, Secrets Management
23. Linux Kernel Namespaces
▪ Process IDs
▪ Network
▪ Mount Points
▪ Inter-Process Communications (IPC)
▪ User & Group IDs
▪ Unix Timesharing System (UTS): hostname & domain names
▪ Control groups (cgroups)
$ man namespaces
$ sudo lsns
24. Linux Control Groups (cgroups)
▪ Resource Limits
– CPU
– Memory
– Devices
– Processes
– Network
For Java this only works with container-aware JDK versions, i.e. OpenJDK 8u192 or above.
Recommendation: Use Java 11
25. Linux Capabilities
▪ Break up privileges into smaller units
– CAP_SYS_ADMIN
– CAP_NET_ADMIN
– CAP_NET_BIND_SERVICE
– CAP_CHOWN
– ...
http://man7.org/linux/man-pages/man7/capabilities.7.html
$ man capabilities
$ docker run --cap-drop=ALL --cap-add=NET_BIND_SERVICE
26. Linux Mandatory Access Control & System Calls
▪ Restrict System Calls
– Secure Computation Mode (seccomp)
– Google gVisor
▪ Linux Kernel Security Modules (MAC)
– AppArmor
– Security-Enhanced Linux (SELinux)
https://docs.docker.com/engine/security/seccomp
https://apparmor.net
https://en.wikipedia.org/wiki/Security-Enhanced_Linux
https://gvisor.dev/docs
27. Docker Images
Base Image (Alpine, …) + Dockerfile + Application → Container Image → Container Registry → docker run on a Linux Host (namespaces, cgroups, ...)
28. Say No To Root (1): USER directive in Dockerfile
FROM openjdk:11-jre-slim
COPY hello-spring-kubernetes-1.0.0-SNAPSHOT.jar app.jar
EXPOSE 8080
RUN addgroup --system --gid 1002 app && adduser --system --uid 1002 --gid 1002 appuser
USER 1002
ENTRYPOINT java -jar /app.jar
https://opensource.com/article/18/3/just-say-no-root-containers
29. Say No To Root (2): Use JIB and Distroless Images
https://github.com/GoogleContainerTools/jib
plugins {
  id 'com.google.cloud.tools.jib' version '...'
}
jib {
  container {
    // user is a String in the Jib DSL: a UID, username, or uid:gid
    user = '1002'
  }
}
32. Iteration 2: Container Security
https://github.com/andifalk/secure-development-on-kubernetes
Live Demo: Show me the code
33. Container Security 101
▪ Learn Linux (Security) Basics
▪ Load Images from Trusted Registries Only
▪ Scan Images for Vulnerabilities (in CI/CD Pipeline)
▪ Say No To Root & Run with --security-opt=no-new-privileges
▪ Do NOT hardcode Secrets into a Container Image
▪ Limit resources (memory, CPU, processes, ...)
▪ Use Linux Security Module (seccomp, AppArmor, SELinux)
https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html
https://docs.docker.com/engine/security
https://blog.aquasec.com/docker-security-best-practices
https://blog.aquasec.com/devsecops-with-trivy-github-actions
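As an added example (not from the slides or the demo repository), a small Python check for two of the rules above, "Say No To Root" and "Do NOT hardcode Secrets into a Container Image", run over the USER-directive Dockerfile from the earlier slide; the secret-name pattern is a heuristic assumption.

```python
import re

# Dockerfile from the "Say No To Root (1)" slide, embedded here as sample input.
GOOD_DOCKERFILE = """\
FROM openjdk:11-jre-slim
COPY hello-spring-kubernetes-1.0.0-SNAPSHOT.jar app.jar
EXPOSE 8080
RUN addgroup --system --gid 1002 app && adduser \\
    --system --uid 1002 --gid 1002 appuser
USER 1002
ENTRYPOINT java -jar /app.jar
"""

# Variable names that usually carry credentials; a heuristic, not a secret scanner.
SECRET_NAME_RE = re.compile(r"(PASSWORD|PASSWD|SECRET|TOKEN|API_?KEY|PRIVATE_?KEY)", re.I)

def parse_instructions(text):
    """Join backslash-continued lines and return (INSTRUCTION, arguments) pairs."""
    logical, instructions = "", []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            logical += line[:-1].rstrip() + " "
            continue
        keyword, _, args = (logical + line).partition(" ")
        instructions.append((keyword.upper(), args.strip()))
        logical = ""
    return instructions

def lint_dockerfile(text):
    """Return findings for the two slide rules: no root user, no secrets baked into the image."""
    findings = []
    instructions = parse_instructions(text)
    # The last USER wins at runtime; with no USER at all the container starts as root.
    users = [args for kw, args in instructions if kw == "USER"]
    effective = users[-1] if users else "root"
    if effective.split(":")[0] in ("root", "0"):
        findings.append(f"container runs as root (USER {effective})")
    # ENV and ARG values end up in image layers and metadata, readable by anyone holding the image.
    for kw, args in instructions:
        name = args.replace("=", " ").split()[0] if args else ""
        if kw in ("ENV", "ARG") and SECRET_NAME_RE.search(name):
            findings.append(f"possible hardcoded secret in {kw} {name}")
    return findings
```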
34. The Path for Secure Development on K8s: Application Security → Container Security → Kubernetes Security → Kubernetes Secrets
35. Kubernetes Basics
Ingress → Service → Deployment → Replica Set → Pods
https://kubernetes.io/docs/concepts
https://www.aquasec.com/wiki/display/containers/70+Best+Kubernetes+Tutorials
41. Pod Security Policy (Still In Beta!)
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: no-root-policy
spec:
  privileged: false
  allowPrivilegeEscalation: false
  requiredDropCapabilities:
    - ALL
  runAsUser:
    rule: 'MustRunAsNonRoot'
  ...
https://kubernetes.io/docs/concepts/policy/pod-security-policy
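Added example, not code from the slides: the four rules of the no-root-policy above as a Python admission-style check over a pod spec loaded as a dict (the same rules are among those a Pod Security Standards "restricted" profile or a Gatekeeper policy enforces today, since PodSecurityPolicy was removed in Kubernetes 1.25). The pod spec and image tag are constructed.

```python
# Rules of the no-root-policy PodSecurityPolicy from the slide, as a dict
# (assumption: the YAML was already loaded, e.g. with yaml.safe_load).
NO_ROOT_POLICY = {
    "privileged": False,
    "allowPrivilegeEscalation": False,
    "requiredDropCapabilities": ["ALL"],
    "runAsUser": {"rule": "MustRunAsNonRoot"},
}

def pod_violations(pod_spec, policy=NO_ROOT_POLICY):
    """Return the policy rules a pod spec breaks; an empty list means it passes."""
    violations = []
    pod_sc = pod_spec.get("securityContext", {})
    for c in pod_spec.get("containers", []) + pod_spec.get("initContainers", []):
        name, sc = c.get("name", "?"), c.get("securityContext", {})
        if not policy["privileged"] and sc.get("privileged", False):
            violations.append(f"{name}: privileged container")
        # Kubernetes defaults allowPrivilegeEscalation to true when unset,
        # so only an explicit false satisfies the rule.
        if not policy["allowPrivilegeEscalation"] and sc.get("allowPrivilegeEscalation", True):
            violations.append(f"{name}: allowPrivilegeEscalation must be false")
        dropped = {cap.upper() for cap in sc.get("capabilities", {}).get("drop", [])}
        missing = [cap for cap in policy["requiredDropCapabilities"] if cap not in dropped]
        if missing:
            violations.append(f"{name}: must drop capabilities {missing}")
        if policy["runAsUser"]["rule"] == "MustRunAsNonRoot":
            # Container-level settings override pod-level ones. Unset on both levels is
            # flagged here, which is stricter than PSP admission (it would set
            # runAsNonRoot: true and let the kubelet check the image's USER).
            run_as_user = sc.get("runAsUser", pod_sc.get("runAsUser"))
            non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot"))
            if run_as_user == 0 or (run_as_user is None and not non_root):
                violations.append(f"{name}: must run as non-root (runAsNonRoot or runAsUser > 0)")
    return violations

# Constructed pod spec for the demo app, hardened the way the slides recommend.
HARDENED_POD = {
    "securityContext": {"runAsNonRoot": True, "runAsUser": 1002},
    "containers": [{
        "name": "hello-spring-kubernetes",
        "image": "hello-spring-kubernetes:1.0.0-SNAPSHOT",  # constructed tag
        "securityContext": {"allowPrivilegeEscalation": False,
                            "capabilities": {"drop": ["ALL"]}},
    }],
}
```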
42. Kubernetes Role Based Access Control (RBAC)
Cluster-wide: ClusterRole + ClusterRoleBinding; per Namespace: Role + RoleBinding.
A (Cluster)Role lists API Groups, Resources and Verbs; a (Cluster)RoleBinding ties it to a Subject:
- User
- Group
- ServiceAccount
https://kubernetes.io/docs/reference/access-authn-authz/rbac/
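An added example (not from the slides) of auditing the RBAC objects above in Python: roles and bindings as dicts, flagging wildcard rules and overly broad subjects; the object shapes follow kubectl's JSON output and the sample data is constructed.

```python
# Groups that every (or every authenticated) principal belongs to.
BROAD_GROUPS = {"system:authenticated", "system:unauthenticated", "system:serviceaccounts"}

def audit_bindings(roles, bindings):
    """Flag bindings that hand wildcard rules, or any rule, to overly broad subjects.
    roles: {name: rules} for Roles and ClusterRoles; bindings: RoleBinding and
    ClusterRoleBinding objects as dicts (assumption: shape of `kubectl get -o json`)."""
    findings = []
    for b in bindings:
        kind, name = b["kind"], b["metadata"]["name"]
        rules = roles.get(b["roleRef"]["name"], [])
        wildcard = any("*" in r.get("verbs", []) or "*" in r.get("resources", []) for r in rules)
        scope = ("cluster-wide" if kind == "ClusterRoleBinding"
                 else "namespace " + b["metadata"].get("namespace", "default"))
        for s in b.get("subjects", []):
            subject = f"{s['kind']} {s['name']}"
            if s["kind"] == "Group" and s["name"] in BROAD_GROUPS:
                findings.append(f"{kind}/{name}: {subject} bound {scope} (practically everyone)")
            if s["kind"] == "ServiceAccount" and s["name"] == "default":
                findings.append(f"{kind}/{name}: default ServiceAccount bound {scope}")
            if wildcard:
                findings.append(f"{kind}/{name}: wildcard verbs/resources granted to {subject} {scope}")
    return findings

# Constructed sample: a cluster-admin-style rule set, a narrow pod-reader Role,
# one risky ClusterRoleBinding and one acceptable RoleBinding for the demo app.
ROLES = {
    "cluster-admin": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}],
    "pod-reader": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]}],
}
BINDINGS = [
    {"kind": "ClusterRoleBinding", "metadata": {"name": "everyone-admin"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "Group", "name": "system:authenticated"}]},
    {"kind": "RoleBinding", "metadata": {"name": "app-pod-reader", "namespace": "demo"},
     "roleRef": {"kind": "Role", "name": "pod-reader"},
     "subjects": [{"kind": "ServiceAccount", "name": "hello-spring-kubernetes", "namespace": "demo"}]},
]
```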
45. Open Policy Agent - Kubernetes Gatekeeper
https://github.com/open-policy-agent/gatekeeper
46. Helm 3 Is Here!
https://v3.helm.sh
https://helm.sh/docs/faq/#removal-of-tiller
47. Iteration 3: Kubernetes Security
https://github.com/andifalk/secure-development-on-kubernetes
Live Demo: Show me the code
48. Kubernetes Security 101
▪ Follow Container Security 101
▪ Use a Managed Kubernetes Cluster
▪ Enable Audit Logs
▪ Enforce Authentication & Role Based Access Control
▪ Use Pod Security Policies / Open Policy Agent
▪ Upgrade to Helm Version 3.x (Remove Tiller)
▪ Monitor your Kubernetes Cluster
https://cheatsheetseries.owasp.org
https://owasp.org/www-project-top-ten
https://owasp.org/www-project-proactive-controls
49. The Path for Secure Development on K8s: Application Security → Container Security → Kubernetes Security → Kubernetes Secrets