Kubernetes Security Extravanganza

A minimal walkthrough on Kubernetes security features and controls.

Introduction • Hand Holding Kubernetes Hardening • Simpler Hardening • TLS Certification Rotation • Linux Kernel Filtering • Pod Security • NetSec • Cluster • Admission Controller • Workload Integrity • Backups • Secrets • Isolated Kernel • Image Pulling

Intro

Hardening an application server that was never intended to be hardened (wrapped by private R&D security tooling not made publicly available) is always a challenge. Especially in light of everything else one must consider and engineer around;

Cluster Architecture
Containers
Workloads
Services, Load Balancing, and Networking
Storage
Configuration
Policies
Scheduling, Preemption and Eviction
Cluster Administration
Extending Kubernetes

Which is why it is worthwhile to view my lecture on the project that became Kubernetes. Design decisions were made of that era’s philosophy. Hence this walkthrough to right the sins that were made.

Hand Holding Kubernetes Hardening

Interesting manual techniques to harden kubernetes core

Simpler Hardening

Semi-automated techniques to harden kubernetes core

TLS Certification Rotation

X.509 builds the internal communication assurance and integrity checks between different Kubernete’s services

Linux Kernel Filtering

SECCOMP goes a long way but is difficult to master

Pod Security

Pod Security is the new hotness

NetSec

Service Mesh, DNS, autodiscovery - oh my!

Cluster

The root of all governance

Admission Controller

The Gatekeeper of Xul

Workload Integrity

I think, therefore I am because my identity is mathematicaly proven.

Backups

You are only as available as your last successful restoration

Secrets

Touching other people’s underwear

Isolated Kernel

I heard you like kernels so I put a kernel in your kernel

Image Pulling

Or why DockerHub had to make money

Credits

John Menerick

Kubernetes

Hashicorp

License

MIT

k8s.haxx.ninja · GitHub @w8mej · Keyoxide John Menerick