Kubernetes security and you

A presentation at 12 Clouds of Christmas in December 2018 in Austin, TX, USA by Karthik Gaekwad

Slide 1

K8s Security Tools
Karthik Gaekwad @iteration1
The Dog Days of Devops, August 2018

Slide 2

Karthik Gaekwad @iteration1
• Used to be a dev.
• Cloud Native Evangelist, Oracle Cloud Infrastructure
• My worlds are colliding…
• Reading K8s hardening docs.
• Here’s what I have

Slide 3

https://kubernetes.io/blog/2018/07/18/11-ways-not-to-get-hacked/

Slide 4

3 tools you should know
• Kube-bench
• Kubesec
• KubeAudit

Slide 5

Kube-bench
• https://github.com/aquasecurity/kube-bench
• “The Kubernetes Bench for Security is a Go application that checks whether Kubernetes is deployed according to security best practices.”
• Defined by the CIS Benchmarks Docs: https://www.cisecurity.org/cis-benchmarks/
• Run it against your Kubernetes Master, or Kubernetes node.

Slide 6

Kube-bench Example

Slide 7

Kubesec
• https://kubesec.io/ from controlplane
• Helps you quantify risk for K8s resources.
• Run against your K8s applications (deployments/pods/daemonsets etc)
• Can be used standalone, or as a kubectl plugin (https://github.com/stefanprodan/kubectl-kubesec)

Slide 8

Kubesec Example

Slide 9

KubeAudit
• Open-sourced from Shopify.
• https://github.com/Shopify/kubeaudit
• Helps with auditing your applications in your K8s cluster.
• Little more targeted than Kubesec.

Slide 10

Slide 11

Kubeaudit Example

Slide 12

Moar!
• Check the resources from this talk by Michael Hausenblas: https://speakerdeck.com/mhausenblas/kubernetes-security-from-image-hygiene-to-networkpolicies

Slide 13

Fin
• More cool tools? Tweet me @iteration1