Securing Self-Hosted GitHub Actions with Kubernetes and Actions-Runner-Controller
Conference: Cloud Native SecurityCon North America 2023
Authors: Natalie Somersall
Summary
Unique security challenges in GitHub Actions and Kubernetes
- GitHub has 100 million developers, making it hard to provide opinionated guidance
- Containers are used in a VM way, increasing vulnerability and noise from container scanners
- Economic incentives encourage poor security posture
- Poorly scoped permissions and deployments are common threat models
- Sharing mounts is popular but can lead to rate limiting and accidental data persistence
- Building and tagging by semantic version and date is effective
- Reducing friction in the software supply chain makes everyone happier and safer
Abstract
Self-hosted GitHub Actions runners and Kubernetes are a natural fit, but there's not a lot of guidance on how to put the two together. The leading solution is actions-runner-controller, an open-source community project which provides a controller for autoscaling, ephemeral, and version-controlled compute. It does not, unfortunately, show off how to design and deploy it securely. Natalie leverages her experience building, securing, and advising others in regulated environments to highlight key places where security can be compromised unwittingly. Natalie will overview typical deployment architectures, then cover 3 distinct places where security risk and ease of use collide with insight and resources for navigating these design choices. First the cluster settings are examined to show methods to limit the "blast radius" of a potential bad actor and provide insight into the why and how of using privileged pods. Next, the controller settings are reviewed for how to scope runner deployments and grant permissions within GitHub to provide least-privilege. Lastly, the runner pod is taken apart to show how to build supply chain security into the image and the software it builds for you.
Materials:
Tags: