Secure Containers Deployments: Time for Refresh

Conference:  ContainerCon 2022

2022-06-21

Authors:   Ariel Shuper


Summary

The presentation discusses the use of GitOps and declarative policy engines to automate and customize Kubernetes security settings.
  • Hardening pod runtime configuration has a new, friendlier model that replaces PSP and Arbuck.
  • Pod Security Standards and admission controllers can be highly customized to meet specific needs.
  • Using GitOps and declarative policy engines can automate the entire security model and shift the burden leftward to developers.
  • The Git repository can still be used as the source of truth for policies even in a distributed environment.
The speaker explains that using GitOps and declarative policy engines can save a lot of time and allow developers to define the required security settings. By committing code and security settings together, the policies can be automatically applied without the need for manual fine-tuning. This approach can be highly customized and can still use the Git repository as the source of truth even in a distributed environment.

Abstract

Container deployments contain many security-sensitive attributes (e.g. privileges, OS capabilities, filesystem access rights, etc.). The default settings are quite flexible, which is great for a smooth deployment experience but quite challenging from a security perspective, since they grant high privileges and wide access to the OS (which enlarges the threat landscape in case of a security event). There are a few mechanisms, popular in Kubernetes environments, for controlling and managing these settings. Pod Security Policies were the first mechanism used for this purpose; they were recently replaced by a new mechanism called Pod Security Standards, which completely changed the usage model. The introduction of a new method for the containers' security context is also an opportunity to rethink the overall model and suggest additional enhancement options.

In this talk, I'll address a few topics that should be considered with the new security model, like the usage of validating admission webhooks and mutating admission webhooks (the benefits and drawbacks of each option), the usage of policy-as-code options comparing the OPA/Gatekeeper and Kyverno policy engines or just Terraform-based policies (I'll also review the available rules libraries in open source), and a GitOps deployment model.
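The validate-versus-mutate trade-off mentioned above, as an added example that is not the talk's or any project's code: a validating-webhook style check that reports pod securityContext violations against a subset of the Pod Security Standards "restricted" profile, beside a mutating-webhook style function that rewrites the same manifest into a compliant one. The pod manifest and image name are constructed for the example.

```python
import copy

# Subset of the PSS "restricted" profile: no host namespaces, no privileged
# containers, no privilege escalation, drop ALL capabilities (only
# NET_BIND_SERVICE may be re-added), and run as non-root.
HOST_KEYS = ("hostNetwork", "hostPID", "hostIPC")


def _containers(spec):
    return spec.get("containers", []) + spec.get("initContainers", [])


def validate_pod(pod):
    """Validating-webhook style: return the list of violations (empty = admit)."""
    spec, violations = pod["spec"], []
    for key in HOST_KEYS:
        if spec.get(key):
            violations.append(f"spec.{key} must be false")
    pod_ctx = spec.get("securityContext") or {}
    for c in _containers(spec):
        name, sc = c["name"], c.get("securityContext") or {}
        if sc.get("privileged"):
            violations.append(f"{name}: privileged must be false")
        if sc.get("allowPrivilegeEscalation") is not False:
            violations.append(f"{name}: allowPrivilegeEscalation must be false")
        caps = sc.get("capabilities") or {}
        if "ALL" not in (caps.get("drop") or []):
            violations.append(f"{name}: capabilities.drop must include ALL")
        if set(caps.get("add") or []) - {"NET_BIND_SERVICE"}:
            violations.append(f"{name}: capabilities.add may only contain NET_BIND_SERVICE")
        if not (sc.get("runAsNonRoot") or pod_ctx.get("runAsNonRoot")):
            violations.append(f"{name}: runAsNonRoot must be true")
    return violations


def mutate_pod(pod):
    """Mutating-webhook style: return a hardened copy; the input is left untouched."""
    hardened = copy.deepcopy(pod)
    spec = hardened["spec"]
    for key in HOST_KEYS:
        spec.pop(key, None)
    for c in _containers(spec):
        sc = c.setdefault("securityContext", {})
        sc.update(privileged=False, allowPrivilegeEscalation=False, runAsNonRoot=True)
        caps = sc.setdefault("capabilities", {})
        caps["drop"] = ["ALL"]
        caps["add"] = [x for x in (caps.get("add") or []) if x == "NET_BIND_SERVICE"]
    return hardened


# Constructed sample relying on the permissive defaults the abstract warns about.
PERMISSIVE_POD = {"apiVersion": "v1", "kind": "Pod", "spec": {
    "hostPID": True,
    "containers": [{"name": "app", "image": "example/app:1.0",
                    "securityContext": {"capabilities": {"add": ["SYS_ADMIN"]}}}]}}
```

Mutation admits the pod silently, but forcing runAsNonRoot: true on an image that starts as root makes the container fail at runtime, which is the kind of drawback to weigh against the noisier validate-and-reject approach.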