Tutorial: Reducing the Sticker Price Of Kubernetes Security

2022-10-28

Authors: Pushkar Joglekar


Summary

The presentation discusses how to secure Kubernetes clusters using built-in security features and open-source tools.
  • Verifying signed container images
  • Using package name registry.k8s.io to get all images in a release
  • Running vulnerability scans with Trivy
  • Enabling network policies to control traffic flow
  • Using RBAC to control access to resources
  • Implementing pod security policies to restrict container behavior
  • Using audit logging to monitor cluster activity
The speaker emphasizes the importance of secure design and transparent security measures. They highlight the need for security to be built into systems rather than bolted on. The presentation focuses on using open-source tools and built-in Kubernetes security features to secure clusters without incurring additional costs. The speaker also warns against running the scripts on production servers or shared computers.

Abstract

NOTE: To have the best experience during the tutorial, please download the tools listed in this section of the README before the session: https://github.com/PushkarJ/kccncna-22-tutorial#pre-requisites. Further reading is on slide 52 of the attached slide deck PDF. "Securing Kubernetes is full of landmines, with dragons lurking everywhere you see _yaml_." Sound familiar? This statement captures the general feeling of many end-user admins who have spent years managing Kubernetes clusters. In the last couple of years, however, the community has worked on several incremental changes that have significantly improved the security posture of Kubernetes. The good news is that they are simple and do not take weeks to get right! In this tutorial, Pushkar Joglekar will take you on a journey through hands-on techniques, open source tools, and newer security enhancements that make deploying a secure Kubernetes cluster faster and a little bit easier. We will start by verifying signed Kubernetes release images for any version of your choice, then apply Pod Security Standards at the cluster or namespace level, and finally configure the RuntimeDefault seccomp profile by default for all workloads in a cluster running on your own system. At the end we will tie all of these security features to real-world vulnerabilities and known attacks, so that on a cold October day in Detroit you get the warm, fuzzy feeling of being able to prevent vulnerability exploits in your clusters because you applied what you learnt in this tutorial. Happy Honking Defensively!!!
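The namespace-level Pod Security Standards and the cluster-wide default seccomp profile that the abstract describes, shown as an added example that is not part of the session materials or the linked repository; the namespace name, the version pin and the sample pod are assumptions:

```yaml
# Added example (not from the tutorial repo). Namespace that enforces the
# "restricted" Pod Security Standard through the built-in Pod Security
# Admission controller; "payments" and the version pin are assumed values.
apiVersion: v1
kind: Namespace
metadata:
  name: payments
  labels:
    pod-security.kubernetes.io/enforce: restricted
    pod-security.kubernetes.io/enforce-version: v1.25
    # Audit and warn at the same level so violations stay visible in the
    # audit log and in kubectl output, not only as rejected pods.
    pod-security.kubernetes.io/audit: restricted
    pod-security.kubernetes.io/warn: restricted
---
# Kubelet configuration fragment (goes in each node's kubelet config file,
# not kubectl apply): every container that does not set seccompProfile
# itself gets the container runtime's default seccomp profile.
# SeccompDefault is a beta feature gate in v1.25 and still needs the
# seccompDefault field set to true to take effect.
apiVersion: kubelet.config.k8s.io/v1beta1
kind: KubeletConfiguration
featureGates:
  SeccompDefault: true
seccompDefault: true
---
# Sample pod that passes the restricted profile: it requires a seccomp
# profile of RuntimeDefault or Localhost, no privilege escalation, all
# capabilities dropped, and a non-root user. Image is an example only.
apiVersion: v1
kind: Pod
metadata:
  name: hello
  namespace: payments
spec:
  securityContext:
    seccompProfile:
      type: RuntimeDefault
    runAsNonRoot: true
    runAsUser: 65534
  containers:
  - name: app
    image: registry.k8s.io/pause:3.8
    securityContext:
      allowPrivilegeEscalation: false
      capabilities:
        drop: ["ALL"]
```

Removing the `seccompProfile` block from the sample pod makes the admission controller reject it in this namespace, which is how the namespace labels and the kubelet default reinforce each other.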

Materials: