Kubernetes Security Extravaganza
A minimal walkthrough on Kubernetes security features and controls.
Intro
Hardening an application server that was never intended to be hardened (originally wrapped by private R&D security tooling that was never made publicly available) is always a challenge, especially in light of everything else one must consider and engineer around:
- Cluster Architecture
- Containers
- Workloads
- Services, Load Balancing, and Networking
- Storage
- Configuration
- Policies
- Scheduling, Preemption and Eviction
- Cluster Administration
- Extending Kubernetes
That is why it is worthwhile to view my lecture on the project that became Kubernetes: its design decisions reflect the philosophy of that era. Hence this walkthrough, to right the sins that were made.
Hand Holding Kubernetes Hardening
Interesting manual techniques to harden the Kubernetes core
Simpler Hardening
Semi-automated techniques to harden the Kubernetes core
TLS Certification Rotation
X.509 certificates provide the authentication and integrity assurance for internal communication between the different Kubernetes services
Linux Kernel Filtering
seccomp goes a long way but is difficult to master
Pod Security
Pod Security is the new hotness
NetSec
Service Mesh, DNS, autodiscovery - oh my!
Cluster
The root of all governance
Admission Controller
The Gatekeeper of Xul
Workload Integrity
I think, therefore I am, because my identity is mathematically proven.
Backups
You are only as available as your last successful restoration
Secrets
Touching other people's underwear
Isolated Kernel
I heard you like kernels so I put a kernel in your kernel
Image Pulling
Or why DockerHub had to make money
Credits
License
MIT
k8s.haxx.ninja · GitHub @cloudsriseup · Keyoxide John Menerick