Scribd Logo
Încărcați

Bine ați venit la Scribd!

  • Kubernetes3 Security 2020feb10

    Încărcat de

    sksundar.net396
    21 vizualizări28 pagini

    Titlu original

    kubernetes3-security-2020Feb10

    Drepturi de autor

    © © All Rights Reserved

    Formate disponibile

    PDF, TXT sau citiți online pe Scribd

    Vi se pare util acest document?

    Este necorespunzător acest conținut?

    Raportați acest document

    Drepturi de autor:

    © All Rights Reserved
    Descărcați ca PDF, TXT sau citiți online pe Scribd
    Indicator pentru conținut neadecvat
    21 vizualizări28 pagini

    Kubernetes3 Security 2020feb10

    Încărcat de

    sksundar.net396

    Drepturi de autor:

    © All Rights Reserved
    Descărcați ca PDF, TXT sau citiți online pe Scribd
    Indicator pentru conținut neadecvat
    din 28

    Kubernetes

    #3. Security
    조대협 (http://bcho.tistory.com)
    Agenda
    ● Authentication & Authorization
    ● Network Policy
    ● Security Context
    ● Security best practice
    Authentication &
    Authorization
    User identity in k8s
    Kubernetes distinguishes between two kinds of clients connection to API Server

    ● Users (Actual human user)


    Kubernetes doesn’t have built in user account management system
    It should use integrate with external identity management system
    ○ Open ID (OAuth2)
    ○ Webhook

    ● Service account (Machine like Pod)


    ○ Identity of Pod to call API
    ■ Create : kubectl create serviceaccount {service account name}
    ■ List : kubectl list sa
    ■ Assign SA to POD
    Authenticate
    ● User identity is used for authenticate request for API Server
    ● How to authenticate user request
    ○ Basic HTTP Auth
    ○ Access token via HTTP Header
    ○ Client cert
    ○ Custom made
    RBAC (Resource based access control)
    users

    User group RoleBinding Role Resource

    Service
    account get pod
    list node
    watch service
    create :
    update
    patch
    delete
    :

    RoleBinding
    Role
    apigroups
    ● Core group, often referred to as the legacy group
    /api/v1
    ● Names group
    /apis/$GROUP_NAME/$VERSION
    ex) Create daemonSet : POST /apis/apps/v1/namespaces/{namespace}/daemonsets
    Role & namespace
    Namespace : default

    jane RoleBinding Role Pods


    Role & namespace
    Namespace : foo1 Namespace : default

    tom RoleBinding Role Pods

    - kind : User
    name : tom
    namespace : foo
    Cluster Role
    ● Role,RoleBinding : namespace d resource
    ● ClusterRole,ClusterRoleBinidng : Cluster wide
    ○ Role for all of resources in cluster (across multiple namespaces)
    ○ There are resources that are not namespaced
    Predefined Role

    From https://kubernetes.io/docs/reference/access-authn-authz/rbac/#permissive-rbac-permissions
    Network Policy
    Network Policy
    ● Network policy can control ingress & egress traffic for Pod
    ● It is based on
    ○ Label (label selector)
    ○ Protocol (TCP/UDP), Port
    ○ IP range (CIDR)

    ● Recipes
    https://github.com/ahmetb/kubernetes-network-policy-recipes
    Ingress control
    ● Deny all ingress traffic to Pod

    ● Limit ingress traffic to Pod


    Egress control
    ● Deny egress traffic

    app=foo Other Pod

    ● Limit egress traffic

    app=foo Other Pod

    UDP:53
    TCP:53
    Security Context
    Security Context
    ● Security-related feature can be configured on Pod and its container
    through-out security-Context properties
    ● It can
    ○ Specify the user under which the process in the container will run
    ○ Prevest the container from running as root
    ○ Privileged mode (full access to it’s node’s kernel)
    ○ Fine grained privileged mode (partial access for node’s kernel)
    Security context example
    ● Prevent container run as root

    ● Run container with specified user


    Security context example
    ● Run container with full kernel capabilities (Privileged mode)
    For example NFS

    ● Set capabilities for Container


    Adding individual kernel capabilities
    to a container
    Best practice
    Security best practice
    Reference

    ● https://kubernetes.io/blog/2016/08/security-best-practices-kubernetes-
    deployment/
    Container Image control
    ● Implement continuous security vulnerability scanning
    Include security scanning process in CI/CD pipeline
    ● Regularly apply security updates
    Update container image to latest version (ex node.js etc)
    ● Ensure that only authorized images are used in your environment
    Authorization control
    ● Create Administrative Boundaries between Resources

    ● Limit direct access to Kubernetes Nodes


    You should limit SSH access to Kubernetes nodes. (instead of that user to
    use kubectl exec)
    Quota control
    ● Define Resource Quota

    Give resource limit to namespace


    Network control
    ● Implement network segmentation

    POST /apis/net.alpha.kubernetes.io/v1alpha1/namespaces/tenant-a/networkpolicys
    {
    "kind": "NetworkPolicy",
    "metadata": {
    "name": "pol1"
    },
    "spec": {
    "allowIncoming": {
    "from": [{
    "pods": { "segment": "frontend" }
    }],
    "toPorts": [{
    "port": 80,
    "protocol": "TCP"
    }]
    },
    "podSelector": {
    "segment": "backend"
    }
    }
    }
    Security context for Pod
    ● SecurityContext->runAsNonRoot : Indicates that containers should run as non-root user
    ● SecurityContext->Capabilities : Controls the Linux capabilities assigned to the container.
    ● SecurityContext->readOnlyRootFilesystem : Controls whether a container will be able to write into
    the root filesystem.
    ● PodSecurityContext->runAsNonRoot: Prevents running a container with ‘root’ user as part of the
    pod
    Log Cluster
    ● Build log system (ELK) and gather Log
    End of document

    S-ar putea să vă placă și