This repository has been archived by the owner on Oct 13, 2021. It is now read-only.
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathindex.html
233 lines (206 loc) · 6.4 KB
/
index.html
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
<!doctype html>
<html>
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=no">
<title>kind: NetworkPolicy</title>
<link rel="stylesheet" href="css/reveal.css">
<link rel="stylesheet" href="css/theme/black.css">
<!-- Theme used for syntax highlighting of code -->
<link rel="stylesheet" href="lib/css/zenburn.css">
<!-- Printing and PDF exports -->
<script>
var link = document.createElement( 'link' );
link.rel = 'stylesheet';
link.type = 'text/css';
link.href = window.location.search.match( /print-pdf/gi ) ? 'css/print/pdf.css' : 'css/print/paper.css';
document.getElementsByTagName( 'head' )[0].appendChild( link );
</script>
</head>
<body>
<div class="reveal">
<div class="slides">
<section>
<h4>Kubernetes Security Primer</h4>
<a href="https://ochienged.github.io/kubernetes-network-policies/">https://ochienged.github.io/kubernetes-network-policies/</a><br />
Edmund Ochieng<br />
Michael Saenz
</section>
<section>
<h4>Overview</h4>
<ul>
<li>Network Policies</li>
<li>kube-bench</li>
</ul>
</section>
<section>
<h4>Network Policy</h4>
<ul>
<li>A <b>Network Policy</b> governs traffic flow between pods and other network resources</li>
<li>traffic not explicitly allowed will be denied</li>
</ul>
</section>
<section>
<h4>About Policies</h4>
<ul>
<li>Can only allow traffic</li>
<li>Use labels to select pods to be affected by policy</li>
<li>They are namespaced resources</li>
</ul>
</section>
<section>
<h4>Prerequisites</h4>
You need a network provider/plugin that can implement network policies
</section>
<section>
<h4>Network Plugins</h4>
Some network plugins that have support are:
<ul>
<li>Weavenet</li>
<li>Calico</li>
<li>Cilium</li>
<li>kube-router</li>
<li>Romana</li>
</ul>
</section>
<section>
<h4>Isolated Pods</h4>
<ul>
<li>These are pods targeted by one or more network policies</li>
</ul>
<pre><code>
$ kubectl get netpol
NAME POD-SELECTOR AGE
allow-dns-policy <none> 1d
nginx-allow-mongo-egress app=nginx 1d
$
</code></pre>
</section>
<section>
<h4>Non-Isolated pods</h4>
<b>Non-isolated pods</b> on the contrary have unrestricted traffic flow
</section>
<section>
<h4>Pod Selector</h4>
<ul>
<li>an empty pod selector selects all pods</li>
</ul>
</section>
<section>
<h4>Ingress/Egress Selectors</h4>
Selectors used for Ingress/Egress rules<br>
<ul>
<li>podSelector</li>
<li>ipBlock</li>
<li>namespaceSelector</li>
</ul>
</section>
<section>
<h4>IP Block</h4>
Allows you to allow traffic from a cidr block
<pre><code>
ingress:
- from:
- ipBlock:
cidr: 172.14.0.0/16
except:
- 172.14.1.0/24
</code></pre>
</section>
<section>
<h4>Namespace Selector</h4>
<ul>
<li>Allows traffic from entire namespace</li>
<li>Requires namespaces have labels</li>
</ul>
<pre><code>
$ kubectl create namespace production
namespace/production created
$ kubectl label namespace/production workload=prod
namespace/production labeled
$
</code></pre>
</section>
<section>
<h4>Kube-Bench</h4>
</section>
<section>
<h4>What is Kube-Bench?</h4>
<ul>
<li>Security scanner</li>
<li>Checks if Kubernetes is setup with security best practices</li>
<li>Based on CIS Benchmark for Kubernetes</li>
</ul>
</section>
<section>
<h4>What is CIS</h4>
<ul>
<li>CIS is the Center for Internet Security</li>
<li>They write guidelines and benchmark tests for security best practices</li>
</ul>
</section>
<section>
<h4>Running kube-bench</h4>
I recommend running the container with a defined configuration
<pre><code>
$ sudo docker run --pid=host -v /etc:/etc:ro -v
/var:/var:ro -t -v /home/guest/kube-bench/cfg/1.11/master.yaml:/opt/kube-bench/cfg/config.yaml
aquasec/kube-bench:latest master --version 1.11
</code></pre>
</section>
<section>
<h4>Kube-Bench Results</h4>
<pre><code>
[INFO] 1 Master Node Security Configuration
[INFO] 1.1 API Server
[FAIL] 1.1.1 Ensure that the --anonymous-auth argument is set to false (Scored)
[PASS] 1.1.2 Ensure that the --basic-auth-file argument is not set (Scored)
[PASS] 1.1.3 Ensure that the --insecure-allow-any-token argument is not set (Scored)
[PASS] 1.1.4 Ensure that the --kubelet-https argument is set to true (Scored)
[PASS] 1.1.5 Ensure that the --insecure-bind-address argument is not set (Scored)
[FAIL] 1.1.6 Ensure that the --insecure-port argument is set to 0 (Scored)
[PASS] 1.1.7 Ensure that the --secure-port argument is not set to 0 (Scored)
[FAIL] 1.1.8 Ensure that the --profiling argument is set to false (Scored)
</code></pre>
</section>
<section>
<h4>Kube-Bench Results</h4>
<pre><code>
== Remediations ==
1.1.1 Edit the API server pod specification file $apiserverconf
on the master node and set the below parameter.
--anonymous-auth=false
1.1.6 Edit the API server pod specification file $apiserverconf
apiserver.yaml on the master node and set the below parameter.
--insecure-port=0
1.1.8 Edit the API server pod specification file $apiserverconf
on the master node and set the below parameter.
--profiling=false
</code></pre>
</section>
<section>
<h4>Conclusion</h4>
<ul>
<li>Make sure you have a way back in before locking down the system</li>
<li>Read and understand documentation before making changes to the system</li>
</ul>
</section>
</div>
</div>
<script src="lib/js/head.min.js"></script>
<script src="js/reveal.js"></script>
<script>
// More info about config & dependencies:
// - https://github.com/hakimel/reveal.js#configuration
// - https://github.com/hakimel/reveal.js#dependencies
Reveal.initialize({
dependencies: [
{ src: 'plugin/markdown/marked.js' },
{ src: 'plugin/markdown/markdown.js' },
{ src: 'plugin/notes/notes.js', async: true },
{ src: 'plugin/highlight/highlight.js', async: true, callback: function() { hljs.initHighlightingOnLoad(); } }
]
});
</script>
</body>
</html>