com/ Features since 2016 KubeCon update ● Exec into pod ● Global search ● Login mechanism ● Settings page ● Support for Cron Jobs ● Redesigned resource creation ● ...and much much more. github 集成第三方插件 2. Feature parity with kubectl 功能与kubectl保持一致 3. Multi-cluster management 多集群管理 4. Improved security 提高安全性 Top requested changes 1. Third-party plugins or integrations 集成第三方插件 Which third-party 有多重要？ https://github.com/kubernetes/dashboard/issues /3256#issuecomment-437199403 4. Improved security “During the week of June 1st, 2018, [researchers] discovered more than 21,000 publicly facing

隨便Google就可找到好幾卡車的Kubernetes安全最佳實務/指南.... 6 ©2019 VMware, Inc. Kubernetes安全最佳實務 Kubernetes Security Best Practices ©2019 VMware, Inc. 7  關閉公開存取 (Disable public access)  實施角色型存取權控管 (Implement (Keep your Kubernetes version up to date) Kubernetes Security Best Practices Kubernetes安全性的最佳實務指導 資料來源: https://blog.sqreen.com/kubernetes-security-best-practices/ ©2019 VMware, Inc. 8 NIST在容器安全指南中揭露了五種容器應用最應關注的風險 (Worker Node) 5. 政策 (Policies) ©2019 VMware, Inc. 10 Use Cases: Security Architecture Guidance / Replacement for Checklist / Security Training OWASP CSVS – 對Docker容器應用開發/調度平台的控制措施 組織面 基礎架構 容器 調度管理

tokens • ssh keys etc. • Stored in etcd • distributed Key-Value data store • How about their security? • Default K8s setup • etcd contents not encrypted (only base64 encoded) • > K8s 1.7+ • at-rest scheme • DEK & KEK Motivation: K8s Secrets Protection • Performance & latency • Network • Security • DEK in the clear in memory • Secret in the clear in memory • kubeconfig in the clear in memory User access management => raw and extensive! ü Secrets management => crucial! • Financial-grade security [1] KubeCon China 2018: Node Operator: Kubernetes Node Management Made Simple - Joe Chen, Ant Financial

the way down Turtles all the way down Alex Tcherniakhovski Security Engineer, Google Cloud Maya Kaczorowski Security PM, Google Cloud @MayaKaczorowski Protecting secrets What’s a secret combination of a safe. If a safe combination is known to an adversary, the strongest safe provides no security against penetration. Similarly, poor key management may easily compromise strong algorithms.” {SECRET}DEK + {DEK}KEK Envelope Source for crypto notation: https://en.wikipedia.org/wiki/Security_protocol_notation KMS 1.10 Envelope Encryption Sequence Master kube-apiserver etcd kms-plugin

KubeVirt RancherVM Kata Container Focus : deploy REAL vm (traditional vm app) Focus : container security Virtlet Virtlet is a Kubernetes runtime server which allows you to run VM workloads, based on scale. RancherVM Architecture RancherVM Networking Container Security gVisor NFV? Kata Container The speed of containers, the security of VMs https://github.com/kata-containers Kata Container Architecture

Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential 责任共担模型 Security in the Cloud Security of the Cloud © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved Inspector AWS KMS AWS Secrets Manager AWS WAF AWS IAM Amazon GuardDuty Amazon Macie AWS Security Hub AWS CloudHSM AWS Certificate Manager AWS CloudTrail host container dependencies code

gIgnoredDuringExecution: - labelSelector: matchExpressions: - key: security operator: In values: - S1 topologyKey: failure-domain podAffinityTerm: labelSelector: matchExpressions: - key: security operator: In values: - S2 topologyKey: kubernetes preferredDuringSchedulingIgnoredDuringExecution 。Pod Affinity规则表示，只有当相同Zone中的某个Node⾄少有⼀ 个已经运⾏的、具有key=security、value=S1的Label的Pod时，该Pod才能调度到Node上。 （更准确地说，Pod会运⾏ 在这样的Node N上：Node N具有带有 failure-domain.beta.kubernetes

Kubernetes Architecture Operating Kubernetes ● Installation ● Upgrade ● Healing ● Scaling ● Security ● Monitoring ● ... Installation - SSH - Install kubelet - $pkgmanager install kubelet - Install infrastructure Workload driven Automation driven Easy to manage: self driving approach (Today’s topic) Security focused Thank you! Xiang Li xiang.li@coreos.com

遷移到 / 使用 Kubernetes 時，面臨的最大挑戰是什麼？ • In-house skills / manpower • Company culture • Tooling • Security & Compliance 10 Canonical (Ubuntu) – K8S Operation Survey @2021/Nov, 1300 受訪者 Click to edit Master 作負載策略的方法，以確保根據組織 圍繞安全性、合規性和其他最佳實踐 的策略配置 Kubernetes 和容器。 • Kubernetes-native monitoring and logging for security and availability • 中央管理面板必須包含強大的雲原 生環境監控功能 • Resource utilization tools • Kubernetes Day2 管理運營必須包

的微服务架构、容器化部署等特性对传统安全提出了新的挑战，为 保障云上安全，AWS、微软、阿里云等头部云厂商积极布局云原生 安全体系，完善云原生安全能力。目前，AWS已上线Amazon Inspector、 AWS Security Hub 等云原生安全产品，并持续在 AWS WAF、AWS Guard Duty 等产品中部署云原生安全组件；微软推出 Microsoft Defender for cloud 并持续更新云原生安全组件，为云原生安全提供 安全产品建设，云原生安全初创厂商不断涌现。Palo Alto 目前已部 署基于 Prisma Cloud 的全方位云原生安全产品；Trend Micro 在容器 防护、API 安全等领域推出了 Cloud One、Deep Security 等产品； Fortinet 推出整套云原生保护策略，包含云原生安全态势管理、 DevSecOps、云原生防火墙等。初创安全厂商 Lacework 凭借其在云 原生应用保护、容器安全等领域的云原生安全产品，已获得近