K8s Security Tools Karthik Gaekwad @iteration1 The Dog Days of Devops, August 2018
Karthik Gaekwad @iteration1
• Used to be a dev.
• Cloud Native Evangelist, Oracle Cloud Infrastructure
• My worlds are colliding…
• Reading K8s hardening docs.
• Here’s what I have
3 tools you should know
• Kube-bench
• Kubesec
• KubeAudit
Kube-bench
• https://github.com/aquasecurity/kube-bench
• “The Kubernetes Bench for Security is a Go application that checks whether Kubernetes is deployed according to security best practices.”
• The checks are defined by the CIS Kubernetes Benchmark: https://www.cisecurity.org/cis-benchmarks/
• Run it against your Kubernetes master, or a Kubernetes node.
Kube-bench Example
Kubesec
• https://kubesec.io/ from controlplane
• Helps you quantify risk for K8s resources.
• Run it against your K8s application manifests (deployments, pods, daemonsets, etc.)
• Can be used standalone, or as a kubectl plugin (https://github.com/stefanprodan/kubectl-kubesec)
Kubesec Example
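The example slide survives only as its title. As an added illustration (not kubesec's own code), here is a small Python scorer in the same spirit: it reads a Pod or Deployment manifest, subtracts points for dangerous settings and adds points for opt-in hardening, and fails anything that scores below zero. The rule set is a hand-picked subset and the point values are assumptions; the two Deployment manifests are constructed for the demo.

```python
"""Simplified kubesec-style risk score for a Kubernetes workload (added example,
not kubesec's code). The checks are a hand-picked subset modelled on kubesec's
published rules; the point values are assumptions. Negative score = fail."""


def _pod_spec(manifest):
    # Pods carry the PodSpec directly; Deployments and DaemonSets nest it in a template.
    spec = manifest["spec"]
    return spec if manifest.get("kind") == "Pod" else spec["template"]["spec"]


def score_workload(manifest):
    """Return (score, findings) for a Pod, Deployment or DaemonSet dict."""
    pod, score, findings = _pod_spec(manifest), 0, []
    # Sharing host namespaces exposes node processes and networking to the pod.
    for key in ("hostNetwork", "hostPID", "hostIPC"):
        if pod.get(key):
            score -= 9
            findings.append(f"critical: {key} is enabled")
    for c in pod.get("containers", []):
        name, sc = c.get("name", "<unnamed>"), c.get("securityContext", {})
        if sc.get("privileged"):
            score -= 30
            findings.append(f"critical: container {name} is privileged")
        if "SYS_ADMIN" in sc.get("capabilities", {}).get("add", []):
            score -= 30
            findings.append(f"critical: container {name} adds CAP_SYS_ADMIN")
        # Opt-in hardening earns a point each; its absence is only advisory.
        for flag in ("runAsNonRoot", "readOnlyRootFilesystem"):
            if sc.get(flag):
                score += 1
            else:
                findings.append(f"advise: container {name} should set {flag}")
        limits = c.get("resources", {}).get("limits", {})
        for res in ("cpu", "memory"):
            if res in limits:
                score += 1
            else:
                findings.append(f"advise: container {name} has no {res} limit")
    return score, findings


# Constructed sample manifests: the same app with and without hardening.
RISKY_DEPLOYMENT = {"kind": "Deployment", "spec": {"template": {"spec": {
    "hostNetwork": True,
    "containers": [{"name": "app", "image": "example/app:1.0",
                    "securityContext": {"privileged": True}}]}}}}
HARDENED_DEPLOYMENT = {"kind": "Deployment", "spec": {"template": {"spec": {
    "containers": [{"name": "app", "image": "example/app:1.0",
                    "securityContext": {"runAsNonRoot": True,
                                        "readOnlyRootFilesystem": True},
                    "resources": {"limits": {"cpu": "500m", "memory": "256Mi"}}}]}}}}
```

Calling `score_workload(RISKY_DEPLOYMENT)` returns -39 with two critical and four advisory findings, while the hardened manifest scores 4 with none.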
KubeAudit
• Open-sourced from Shopify.
• https://github.com/Shopify/kubeaudit
• Helps with auditing the applications in your K8s cluster.
• A little more targeted than Kubesec.
Kubeaudit Example
Moar!
• Check the resources from this talk by Michael Hausenblas: https://speakerdeck.com/mhausenblas/kubernetes-security-from-image-hygiene-to-networkpolicies