Service mesh security best practices: from implementation to verification
Lei Tang (Google), April 26, 2022. Presenters: Anthony Roman (Istio, GitHub: anthony-roman) and Lei Tang (Istio, GitHub: lei-tang). Security controls named on the slides: IDS, firewall, user AuthN/Z, data loss prevention, certificate authority, K8s network policy, K8s RBAC, audit logging, image verification, admission control, workload identity.
29 pages | 1.77 MB | 1 year ago
BAETYL 1.0.0 Documentation
Table of contents excerpt: 11.3 Test and verification; 12 How ... A suite that can be used for application delivery, device information reporting, etc., with mandatory certificate authentication to ensure transmission security. The official module baetyl-hub provides message subscription and publishing based on the MQTT protocol and supports four access methods: TCP, SSL, WS, and WSS. The official module baetyl-remote-mqtt is used to bridge two MQTT servers for message ...
145 pages | 9.31 MB | 1 year ago
BAETYL 1.0.0 Documentation
... suite, which can be used for application delivery, device information reporting, etc. Mandatory certificate authentication ensures transmission security. The official module baetyl-hub provides message subscription and publishing based on the MQTT protocol (http://docs.oasis-open.org/mqtt/mqtt/v3.1.1/os/mqtt-v3.1.1-os.html) and supports four access methods: TCP, SSL, WS, and WSS. The official module baetyl-remote-mqtt is used to bridge two MQTT servers for message ... over MQTT and HTTPS channels. MQTT enforces two-way (mutual) authentication of SSL/TLS certificates; HTTPS enforces one-way (server-only) authentication of SSL/TLS certificates. Developers can refer to this module to implement ...
135 pages | 15.44 MB | 1 year ago
Rancher CIS Kubernetes v.1.4.0 Benchmark Self-Assessment
Because Rancher and RKE install Kubernetes services as Docker containers, many of the control verification checks in the CIS Kubernetes Benchmark do not apply. This guide walks through the various ... addressing these through future enhancements to the product. 1.1.21 - Ensure that the --kubelet-certificate-authority argument is set as appropriate (Scored). 1.4.11 - Ensure that the etcd data directory ... Audit fragment: ... match("--token-auth-file=.*").string'  Returned Value: null  Result: Pass. 1.1.21 - Ensure that the --kubelet-certificate-authority argument is set as appropriate (Scored). Notes: RKE is using the kubelet's ability to ...
47 pages | 302.56 KB | 1 year ago
CIS Benchmark Rancher Self-Assessment Guide - v2.4
Because Rancher and RKE install Kubernetes services as Docker containers, many of the control verification checks in the CIS Kubernetes Benchmark do not apply and will have a result of Not Applicable. ... Remediation: chown -R root:root /etc/kubernetes/ssl. Audit: stat -c %U:%G /etc/kubernetes/ssl. Expected result: 'root:root' is present. 1.1.20 Ensure that the Kubernetes PKI certificate file permissions are set to 644 ... (based on the file location on your system) on the master node, for example chmod -R 644 /etc/kubernetes/ssl. Audit script check_files_permissions.sh begins: #!/usr/bin/env bash  # This script is used to ensure the ...
54 pages | 447.77 KB | 1 year ago
CIS 1.5 Benchmark - Self-Assessment Guide - Rancher v2.5
Because Rancher and RKE install Kubernetes services as Docker containers, many of the control verification checks in the CIS Kubernetes Benchmark do not apply and will have a result of Not Applicable. ... Remediation: chown -R root:root /etc/kubernetes/ssl. Audit: stat -c %U:%G /etc/kubernetes/ssl. Expected result: 'root:root' is present. 1.1.20 Ensure that the Kubernetes PKI certificate file permissions are set to 644 ... (based on the file location on your system) on the master node, for example chmod -R 644 /etc/kubernetes/ssl. Audit script check_files_permissions.sh begins: #!/usr/bin/env bash  # This script is used to ensure the ...
54 pages | 447.97 KB | 1 year ago
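The three Rancher CIS self-assessment entries above audit the PKI directory with chown, chmod and stat, and reference a check_files_permissions.sh whose body is cut off in the snippet. The following is an added example, written for this listing and not Rancher's script, of the same two checks as one function: every regular file under the directory must be owned by the expected user:group and be mode 644 or more restrictive (no group/other write bit, no execute bit). The directory and the owner are parameters so it can be run against a scratch tree; on an RKE node the call would be check_files_permissions /etc/kubernetes/ssl root:root. It assumes GNU or busybox find and stat (the -perm /mode form and stat -c).

```shell
#!/usr/bin/env bash
# Added example (not Rancher's check_files_permissions.sh): audit a Kubernetes PKI
# directory as CIS 1.1.19 (ownership) and 1.1.20 (permissions) describe it.
# Usage: check_files_permissions <dir> [owner:group]   (owner defaults to root:root)
# Returns 0 when the tree is clean, 1 when any file is a finding; findings are printed.

check_files_permissions() {
  dir="$1"
  owner="${2:-root:root}"
  user="${owner%%:*}"
  group="${owner##*:}"
  rc=0

  # -perm /133 matches a regular file with ANY of the octal 0133 bits set
  # (group write 020, other write 002, any execute 111): looser than 644.
  # PKI file names contain no whitespace, so plain word splitting is safe here.
  loose=$(find "$dir" -type f -perm /133)
  if [ -n "$loose" ]; then
    echo "FAIL: files more permissive than 644 under $dir:"
    for f in $loose; do
      echo "  $(stat -c '%a %U:%G' "$f") $f"
    done
    rc=1
  fi

  # A file is a finding if EITHER the user or the group differs from what is expected.
  wrong_owner=$(find "$dir" -type f \( ! -user "$user" -o ! -group "$group" \))
  if [ -n "$wrong_owner" ]; then
    echo "FAIL: files not owned by $owner under $dir:"
    for f in $wrong_owner; do
      echo "  $(stat -c '%a %U:%G' "$f") $f"
    done
    rc=1
  fi

  [ "$rc" -eq 0 ] && echo "PASS: every file under $dir is owned by $owner and is 644 or stricter"
  return "$rc"
}

# When run as a script: check_files_permissions.sh <dir> [owner:group]
if [ "$#" -gt 0 ]; then
  check_files_permissions "$@"
fi
```

The ownership test is deliberately "user AND group must both match" rather than "either", which is what the benchmark's expected result 'root:root' means; a file that is root:docker would pass a naive grep for root but is a finding here.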
OpenShift Container Platform 4.6 Installing on vSphere
install-config.yaml excerpt: noProxy: example.com (callout 3); additionalTrustBundle: | (callout 4) followed by a PEM block -----BEGIN CERTIFICATE----- ... -----END CERTIFICATE----- (the excerpt appears twice in the document). 1. API load balancer: provides a common endpoint for users (people and machines) to interact with and configure the platform. Configure the following: Layer 4 load balancing only, which may be called raw TCP, SSL passthrough, or SSL bridge mode; if SSL bridge mode is used, Server Name Indication (SNI) must be enabled for the API route; a stateless load-balancing algorithm, with the options depending on the load balancer implementation.
204 pages | 2.26 MB | 1 year ago
CIS 1.6 Benchmark - Self-Assessment Guide - Rancher v2.5.4
Controls listed: ... directory and file ownership is set to root:root (Automated); 1.1.20 Ensure that the Kubernetes PKI certificate file permissions are set to 644 or more restrictive (Automated); 1.1.21 Ensure that the Kubernetes ... 1.2.5 Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate (Automated); 1.2.6 Ensure that the --kubelet-certificate-authority argument is set as appropriate ... to true (Automated); 2.7 Ensure that a unique Certificate Authority is used for etcd (Automated); 3.1 Authentication and Authorization; 3.1.1 Client certificate authentication should not be used for users ...
132 pages | 1.12 MB | 1 year ago
Apache Kyuubi 1.6.1 Documentation
Configuration entries (key: description; type, since):
  kyuubi.frontend.thrift.http.ssl.keystore.password: SSL certificate keystore password; string, 1.6.0
  kyuubi.frontend.thrift.http.ssl.keystore.path: SSL certificate keystore location; string, 1.6.0
  kyuubi.frontend.thrift.http.ssl.protocol.blacklist (default SSLv2,SSLv3): SSL versions to disable when using HTTP transport mode; string, 1.6.0
  kyuubi.frontend.thrift.http.use.SSL (default false): set this to true to use SSL encryption ...
  kyuubi.ha.etcd.ssl.ca.path: where the etcd CA certificate file is stored; string, 1.6.0
  kyuubi.ha.etcd.ssl.client.certificate.path: where the etcd SSL client certificate file is stored ...
401 pages | 5.42 MB | 1 year ago
Apache Kyuubi 1.6.0 Documentation
Configuration entries (key: description; type, since):
  kyuubi.frontend.thrift.http.ssl.keystore.password: SSL certificate keystore password; string, 1.6.0
  kyuubi.frontend.thrift.http.ssl.keystore.path: SSL certificate keystore location; string, 1.6.0
  kyuubi.frontend.thrift.http.ssl.protocol.blacklist (default SSLv2,SSLv3): SSL versions to disable when using HTTP transport mode; string, 1.6.0
  kyuubi.frontend.thrift.http.use.SSL (default false): set this to true to use SSL encryption ...
  kyuubi.ha.etcd.ssl.ca.path: where the etcd CA certificate file is stored; string, 1.6.0
  kyuubi.ha.etcd.ssl.client.certificate.path: where the etcd SSL client certificate file is stored ...
391 pages | 5.41 MB | 1 year ago
275 results in total