KubeSecOps Pipeline (Container security) in a cloud-native ecosystem
1. Growth of cloud-native security
Cloud-native security is again a top trend in 2020, according to Gartner.
We have also seen many commercial enterprise security start-ups establish their footprint, and at KubeCon 2020 security was still one of the hot topics for cloud-native applications.
Here is a glimpse of the CNCF security landscape:-
Even now, after the huge success of the Linux Foundation's CKA and CKAD certifications among beginners, they have also recognised the importance of security and announced the CKS (Certified Kubernetes Security Specialist).
2. Container security layers
- The security of the container host
- Container network Traffic
- The security of your application within the container
- Malicious behavior within your application
- Securing your container management stack
- The foundation layers of your application
- The integrity of the build pipeline
- Unsecured Kubelet API
- Unprotected Helm Tiller service (now deprecated)
- Sensitive cloud metadata unrestricted
- Secrets not protected adequately
- Lack of Network Policy
- Internal services unprotected without Ingress authentication
- Unauthenticated etcd access
- Privileged/root containers
- Excessive service account privileges
A few questions that should come to mind while building your K8s cluster:-
Do we have authentication and authorization in place?
Do we know our base image when building containers?
Are we always using only official images?
Does your application really need root containers?
Are containers placed in the correct namespaces?
Do we have Transport Layer Security?
Do we have hardening?
Security & network policies:-
Does the pod have security policies implemented?
Could the ports exposed by the services be compromised/exploited?
Do two connected pods actually need to communicate with each other?
Have we implemented ACLs?
Do we have audit logging in place to investigate any disruption?
Are we using sidecars for injecting secrets?
Are our secrets stored in a vault or in plain text?
3. Black Hat recommendation
The charts below are recommendations made on Black Hat forums for various tools for different languages, covering the major security scenarios.
And here is the link for registration for the upcoming 2020 event.
4. Finally, security pipeline design
So firstly, we saw in the CNCF landscape that there are a variety of tools now, but of course a few stand apart, and we also saw the recommendations from Black Hat. But do we now understand how to bring security into Kubernetes?
So, let's look at the pipelines I have designed here to understand the security implementation in a DevSecOps and KubeSecOps ecosystem.
- IDE: It could be any IDE, e.g. PyCharm or IntelliJ, or the recently popular one that Mirantis acquired, Lens, an IDE designed for K8s.
- Open Policy Agent: It can be integrated with the IDE and used to define policy for linting, i.e. while writing YAML for cluster development.
- Vault: For secret management, keeping credentials out of git while staying integrated with it.
- Harbor: Image registry. Again, the artifact registry can be any; Harbor is the popular one.
- Trivy: Docker image scanning of all artifacts, hence integrated with Harbor.
- TUF: The Update Framework. It is used for image signing and to ensure secure upgrades, hence again an integration with Harbor.
- Kube-Bench: The best tool for CIS benchmarking; it also gives recommendations and warnings to correct the vulnerabilities it finds.
- Kube-Hunter: A penetration-testing tool that hunts remotely for network and interface security weaknesses.
- Kube-Audit: Provides the capability to scan manifests and the cluster to perform an audit.
- Illuminatio: It will scan your Kubernetes cluster for network policies, build test cases accordingly and execute them to determine whether the policies are in effect.
- Falco: Falco is a well-known runtime security scanner based on monitoring kernel-level activity, and it notifies you of any security attack in a live environment.
- Prometheus: Falco can export metrics to Prometheus via an exporter, so alerts can be generated for any security breach.
- Grafana: Grafana visualizes any metrics scraped by Prometheus and, integrated with it, can also send alerts to the operator, who can then raise them with Dev Support. GitOps can avoid this Dev Support step by keeping your production in line with the IaC.
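As an added example (not from the article or from any of the tools it names), here is a small Python audit of the kind the checklist above and the OPA/kube-audit linting step in the pipeline describe: it flags privileged and root containers, the auto-mounted service-account token and unpinned image tags, using one weak and one hardened manifest constructed inline as dicts (what a YAML loader would produce).

```python
# Constructed manifests: a pod a developer might ship by default, and the
# same pod with the checklist applied. Neither comes from a real cluster.
WEAK_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "web"},
    "spec": {"containers": [{"name": "web", "image": "nginx:latest",
                             "securityContext": {"privileged": True}}]},
}
HARDENED_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "web-hardened"},
    "spec": {
        "automountServiceAccountToken": False,
        "securityContext": {"runAsNonRoot": True},
        "containers": [{"name": "web", "image": "nginx:1.25.3",
                        "securityContext": {"privileged": False,
                                            "allowPrivilegeEscalation": False}}],
    },
}


def pod_spec(manifest):
    """Locate the pod spec in a Pod or a workload (Deployment, DaemonSet, ...)."""
    if manifest.get("kind") == "Pod":
        return manifest["spec"]
    return manifest["spec"]["template"]["spec"]


def audit_pod_spec(spec):
    """Return findings for one pod spec. Kubernetes defaults are the insecure
    ones: token auto-mounted, root allowed, privilege escalation allowed."""
    findings = []
    if spec.get("hostNetwork"):
        findings.append("pod: shares the host network namespace")
    if spec.get("automountServiceAccountToken", True):
        findings.append("pod: service account token auto-mounted into containers")
    pod_sc = spec.get("securityContext", {})
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        name, sc = c["name"], c.get("securityContext", {})
        if sc.get("privileged"):
            findings.append(f"{name}: privileged container")
        # container-level runAsNonRoot overrides pod-level; unset means root is allowed
        if not sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot", False)):
            findings.append(f"{name}: may run as root (runAsNonRoot not true)")
        if sc.get("allowPrivilegeEscalation", True):
            findings.append(f"{name}: allowPrivilegeEscalation not disabled")
        tag = c.get("image", "").rsplit("/", 1)[-1].partition(":")[2]
        if tag in ("", "latest"):  # mutable tag: the scanned image may not be the deployed one
            findings.append(f"{name}: image tag not pinned ({c.get('image')})")
    return findings


def audit_manifest(manifest):
    return audit_pod_spec(pod_spec(manifest))


if __name__ == "__main__":
    for m in (WEAK_POD, HARDENED_POD):
        print(m["metadata"]["name"], audit_manifest(m) or "clean")
```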
PS: This article covers some specific tools I have gained experience with in the cloud-native world. Otherwise, security is quite a vast topic, and Istio and Calico are also required to establish network-level security and isolation.
If you wish, connect with me over LinkedIn:-