Running at Light Speed: Cloud Native Security Patterns · 1/17/2019  · Isolating Containerized...

Preview:

Click to see full reader

Citation preview

Running at Light Speed: Cloud Native

Security Patterns

Hi, How is Everybody? Good. Great.

Cloud Native Characteristics

Cloud Native Secure Architecture

Who’s Job is it Anyway?

Isolating Containerized Workloads

https://kubernetes.io/blog/2018/07/18/11-ways-not-to-get-hacked/

Control Plane & Core Components

Reconciler Pattern

https://freecontent.manning.com/wp-content/uploads/Luksa_IRC_02.png

Spoiler: Containers Aren’t Sandboxes

https://www.docker.com/sites/default/files/Container%402x.png

Container Privilege Escalation

The Gateway Drug

https://coreos.com/rkt/docs/latest/rkt-vs-docker-process-

model.png

Container Isolation Models

How They Stack Up

https://blog.jessfraz.com/post/containers-security-and-echo-chambers/

Just Use the Defaults != Turn It Off

Control Groups & Namespaces

https://kubernetes.io/blog/2017/11/securing-software-supply-chain-grafeas/

What Am I Shipping?

$ grep CONFIG_SECCOMP= /boot/config-$(uname -r)

$ cat /sys/module/apparmor/parameters/enabled

Base Image Management

Build Integrity & Attestation

Seccomp

AppArmor

Restricting Capabilities

docker run -d --cap-drop=all --cap-add=net_raw my-image

Limiting Privileges

User Namespaces

dockerd –userns-remap=“someuser:someuser”

Rootless Containers

Upstream Orchestration Support

No New Privileges

Authentication

Implementation Flaw - Account Reuse

Run Commands via K8s API

Fixing the Problem

kubectl create serviceaccount s1 --

namespace=”prod”

Don’t Share Anything From the Host

Authorization

Role-Based Access Control

Create Roles & Bindings

Controller Pattern

Admission Controllers

Designing a PodSecurityPolicy

Designing a PodSecurityPolicy

Apply a PodSecurityPolicy

Sidecar Pattern

https://docs.microsoft.com/en-us/azure/architecture/patterns/_images/sidecar.png

Ambassador Pattern

https://docs.microsoft.com/en-us/azure/architecture/patterns/_images/ambassador.png

Service Mesh Pattern

docker run –it –e “DBUSER=dbuser” –e “DBPASSWD=dbpasswd” mydbimage

echo <secret> | docker secret create some-secret

kubectl create secret generic db-user-pw --from-file=./username.txt --from-file=./password.txt

kubectl create –f ./secret.yaml

Secrets Management

Nothing is Perfect

Beware of Plain Text Storage

https://blog.openshift.com/vault-integration-using-kubernetes-authentication-method/

Dynamic Secrets

Example – Retrieve & Mount a Secret

Conclusion

Keep in Touch

Recommended

Linux Foundation Open Source Leadership Summit March 14, … · Why Kubernetes Kubernetes is a portable, extensible open-source platform for managing containerized workloads and services,
Documents
Containerized Shipping and
Documents
Tuning vCloud NFV for Data Plane Intensive Workloads ... · NF Network Function, a generalized term to refer to virtualized and containerized packaging. ... n Keeping the level of
Documents
A guide of PostgreSQL on Kubernetes ~ In terms of storage · • Kubernetes is a platform for managing containerized workloads and services. • “Kubernetes” is too long to type,
Documents
An Edge Computing Platform - files.devnetwork.cloud€¦ · – Policy based deployment Multi-tenant isolation at the device • Automated deployment of containerized workloads to
Documents
Continously delivering containerized microservices
Software
Containerized SUSE OpenStack Cloud Technology Preview · 1 Welcome to Containerized SUSE OpenStack Cloud Technology Preview1 2 Containerized SUSE OpenStack Cloud Tech Preview2 2.1
Documents
Containerized Ultrafiltration (UF) Water Treatment Plant · Containerized Ultrafiltration (UF) Water Treatment Plant This UF containerized water treatment plant can be used to treat
Documents
Package Containerized System
Documents
Application Consistent Backup for Containerized Workloads · §Helps in taking backup and pushing the data to the cloud provider of choice. §Backup controller watches the backup
Documents
Dynamic App Services in Containerized Environments · infrastructure, greater scalability •53% optimizing clouds 52% moving workloads to clouds •Modular application construction
Documents
Datapod Modular Containerized Solution
Technology
Containerized Energy Storage Solutions - OLIPOWER · Containerized Energy Storage Solutions . Containerized Solutions up to 2 MWh . Micro-grid . Energy storage applications . ESS
Documents
Containerized Storage
Technology
Container Security - devops.com · Securing host configurations This section provides the security recommendations necessary to ensure a host machine that runs containerized workloads
Documents
Containerized Membrane Bio Reactor (MBR) Wastewater ... · Containerized Membrane Bio Reactor (MBR) Wastewater TreatmentPlant This containerized integrated wastewater treatment plant
Documents
Running Containerized Microservices on AWS - AWS Whitepaper...Running Containerized Microservices on AWS AWS Whitepaper Abstract Running Containerized Microservices on AWS Publication
Documents
Isolating mechanisms - kashmeera
Education
Running Containerized Microservices on AWSd1.awsstatic.com/.../DevOps/running-containerized... · Amazon Web Services – Running Containerized Microservices on AWS Page 1 Introduction
Documents
CONTAINERIZED SHOOTING RANGE
Documents