隨便Google就可找到好幾卡車的Kubernetes安全最佳實務/指南.... 6 ©2019 VMware, Inc. Kubernetes安全最佳實務 Kubernetes Security Best Practices ©2019 VMware, Inc. 7  關閉公開存取 (Disable public access)  實施角色型存取權控管 (Implement controllers)  實施 Kubernetes 網路政策 (Implement networking policies)  對容器設置資安規則 (Configure secure context for containers)  分隔敏感的工作負載 (Segregate sensitive workloads)  掃描容器映像 (Scan container images) (Keep your Kubernetes version up to date) Kubernetes Security Best Practices Kubernetes安全性的最佳實務指導 資料來源: https://blog.sqreen.com/kubernetes-security-best-practices/ ©2019 VMware, Inc. 8 NIST在容器安全指南中揭露了五種容器應用最應關注的風險

pods 设置Namespace⾸选项 可在上下⽂中永久保存所有后续 kubectl 命令的Namespace。 $ kubectl config set-context $(kubectl config current-context) --namespace= # Validate it $ kubectl config view gIgnoredDuringExecution: - labelSelector: matchExpressions: - key: security operator: In values: - S1 topologyKey: failure-domain podAffinityTerm: labelSelector: matchExpressions: - key: security operator: In values: - S2 topologyKey: kubernetes

/etc/selinux/config # setenforce 0 #关闭selinux ④ulimit设置 # cat >> vi /etc/security/limits.conf <context上下文 # kubectl config set-context kube-user01@kubernetes --cluster=kubernetes -- user=kube-user01 # kubectl config use-context kube-user01@kubernetes #切换上下文（指定使用 #切换上下文（指定使用 kube-user01用户去访问k8s集群，此用户目前没有访问集群的权限 # kubectl config use-context kubernetes-admin@kubernetes #切换回管理员用 户 # kubectl --context=kube-user01@kubernetes get pods #临时使用某用户上下 文 ②创建服务账号ServiceAccount

compatible with GKE Built for Day 2 Operations PKS simplifies Day 2 operations with built-in network security—powered by NSX, high availability, logging, monitoring, analytics, and automated health checks VMware vRealize Operations Capacity, Performance and Configuration Management Events Launch in Context Unstructured Data Logs Messages VMware vRealize Log Insight Log analytics, aggregation, and

tokens • ssh keys etc. • Stored in etcd • distributed Key-Value data store • How about their security? • Default K8s setup • etcd contents not encrypted (only base64 encoded) • > K8s 1.7+ • at-rest scheme • DEK & KEK Motivation: K8s Secrets Protection • Performance & latency • Network • Security • DEK in the clear in memory • Secret in the clear in memory • kubeconfig in the clear in memory User access management => raw and extensive! ü Secrets management => crucial! • Financial-grade security [1] KubeCon China 2018: Node Operator: Kubernetes Node Management Made Simple - Joe Chen, Ant Financial

the way down Turtles all the way down Alex Tcherniakhovski Security Engineer, Google Cloud Maya Kaczorowski Security PM, Google Cloud @MayaKaczorowski Protecting secrets What’s a secret combination of a safe. If a safe combination is known to an adversary, the strongest safe provides no security against penetration. Similarly, poor key management may easily compromise strong algorithms.” {SECRET}DEK + {DEK}KEK Envelope Source for crypto notation: https://en.wikipedia.org/wiki/Security_protocol_notation KMS 1.10 Envelope Encryption Sequence Master kube-apiserver etcd kms-plugin

集成第三方插件 2. Feature parity with kubectl 功能与kubectl保持一致 3. Multi-cluster management 多集群管理 4. Improved security 提高安全性 Top requested changes 1. Third-party plugins or integrations 集成第三方插件 Which third-party 有多重要？ https://github.com/kubernetes/dashboard/issues /3256#issuecomment-437199403 4. Improved security “During the week of June 1st, 2018, [researchers] discovered more than 21,000 publicly facing Kubernetes represented more than 78% of all open IP's.” → Lacework: Container Security Research 4. Improved security bit.ly/securing-dashboard Securely running Dashboard is possible! “We operate

KubeVirt RancherVM Kata Container Focus : deploy REAL vm (traditional vm app) Focus : container security Virtlet Virtlet is a Kubernetes runtime server which allows you to run VM workloads, based on scale. RancherVM Architecture RancherVM Networking Container Security gVisor NFV? Kata Container The speed of containers, the security of VMs https://github.com/kata-containers Kata Container Architecture

Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential 责任共担模型 Security in the Cloud Security of the Cloud © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved Inspector AWS KMS AWS Secrets Manager AWS WAF AWS IAM Amazon GuardDuty Amazon Macie AWS Security Hub AWS CloudHSM AWS Certificate Manager AWS CloudTrail host container dependencies code

Kubernetes Architecture Operating Kubernetes ● Installation ● Upgrade ● Healing ● Scaling ● Security ● Monitoring ● ... Installation - SSH - Install kubelet - $pkgmanager install kubelet - Install infrastructure Workload driven Automation driven Easy to manage: self driving approach (Today’s topic) Security focused Thank you! Xiang Li xiang.li@coreos.com