Kubernetes Security Best Practices 2021 (From Container Specialist)

Captions
Hello guys and girls, Raj here, back with another video. In this video we are going to learn about Kubernetes security best practices. These best practices could be difficult to remember, so I'm also gonna tell you a technique on how to remember the best practices. I'm also gonna give you some of the interview tips: for some of these best practices you can expect that the interviewer will ask some deep-dive questions, so I'm gonna point those out as well. All right, with that being said, let's get started.

For those of you who are new to this channel, my name is Raj. I'm a senior specialist architect for serverless and containers working at AWS. Before joining AWS I was a distinguished class architect at Verizon, and before that I used to work in mainframe at JP Morgan Chase. I'm also a published Udemy and Pluralsight author, and I have multiple courses on Kubernetes, serverless, infrastructure as code, etc.

So let's first take a look at the end-to-end flow for Kubernetes. You, the almighty developer, have some code and a Dockerfile, and using this Dockerfile you dockerize your code and you save that container image into a container image repository. At this point you are ready to deploy that container image as a container in a Kubernetes cluster. But not so fast: someone needs to create the cluster for you. Generally that would be the infrastructure folks, so they will create the cluster, but they will say "I am watching you guys, in case you guys do something bad." I know how it works, I used to work both as a developer as well as in infrastructure. So these infrastructure folks spin up the Kubernetes cluster, and the worker nodes of the cluster will be running on some sort of virtual machines such as Amazon EC2. Once this cluster is up and running, your container will run in this cluster inside a pod.

For security best practices we will divide this whole end-to-end flow into four different areas, and this is how you remember it. The first phase is the development phase, where you code and dockerize your application. The next phase will be the infrastructure phase, where the infrastructure guys or girls spin up the cluster for you and select the Amazon EC2, etc. The next phase is the application phase, where the application folks deploy the containers and run the containers. And the last phase will be where the infrastructure folks are saying "I am watching you", so it will be the detection phase. So remember this logical flow: development phase, then the infrastructure phase, then the application phase, and then the detection phase. The security best practices I have divided into these four different categories, so as long as you can remember these four phases you can mention the related best practices.

All right, so let's start with the development phase security best practices. You should always create minimal images for your application. You remove unnecessary software and packages from your container image to reduce the size, and as you take out unnecessary packages it reduces the attack surface. Another technique to create a minimal image is using multi-stage builds to reduce size, so let's take a brief look at this multi-stage build. Generally each line in your Dockerfile creates a layer in the Docker image. It starts with layer one as the base image, and then each command adds a layer on top of each other. But if you think about it, let's say you have code and the dependencies, so you compile all that stuff and you create an executable. You really don't need your code and dependencies in the container image, right? Because the executable is sufficient to run your application. So using a multi-stage build you can create a lightweight container just with the executable.

A sample Dockerfile for a multi-stage build will be like this. As you can see, instead of just saying "FROM golang" as usual, we are saying "AS builder". As soon as you put "AS" and a name, that means that's a stage. In this stage we are compiling all the stuff and creating the executable. Then you can see there is a gap and we have this "FROM alpine:latest". So in the next stage we are grabbing the Alpine base image instead of the golang base image, because Alpine is very lightweight, and then we are simply copying the compiled code from the builder stage to this stage. When you run a multi-stage Dockerfile, only the last stage is responsible for creating the final container image. So this is how we create multi-stage minimal container images.

All right, going back to our best practices. The next security best practice is run a static scan on the container image for vulnerabilities. Keep some scanning tool names handy for the interview: for example, if you are using ECR, which is Amazon's container repository, it uses Clair free of charge, or you can use Twistlock, Aquasec, etc. Also, the next best practice is use a private repository instead of a public one.

All right, moving on to the next phase, which is the infrastructure phase, where the infrastructure team creates the cluster. The first infrastructure phase security best practice is to use hardened AMIs. Don't get confused between the AMI and the container image. When you run your worker plane on a virtual machine such as Amazon EC2, you need an application machine image for that EC2, and then your container image runs on that worker node, right? So when you say AMI, this is the AMI, or the image, that your EC2 needs to use. So how do you use a hardened AMI? Same concept as the container as well: you remove unnecessary packages from the AMI to make it more hardened. As you reduce the number of packages, it reduces the attack surface. You can get a question like "where can you get these hardened AMIs?" You can of course make it yourself, but this could be a little tedious. You can also get a hardened AMI out of the box from AWS Marketplace, but you do have to pay a little bit of a fee for this.

The next infrastructure phase security best practice is run the latest Kubernetes version. As Kubernetes moves to newer versions it actually adds lots of security patches, so always make sure your cluster is up to date.

The next one, and this one is important, make sure you mention this in your interview: run kube-bench for the CIS benchmark periodically. The CIS benchmark has the list of CVEs or vulnerabilities for particular AMIs based on the operating system. So if you are running, let's say, Amazon Linux 2 or Ubuntu or something, the CIS benchmark will have the vulnerabilities listed, and as a new vulnerability comes in this benchmark will be updated. This kube-bench is an open source tool which you can install on your cluster. It will run as a DaemonSet, and you can run this kube-bench periodically, which will check the application pods to see if they are okay as per the CIS benchmark. You can also use Amazon Inspector if you are running on AWS.

All right, so the next phase is the application phase. This has the most security best practices, as you can imagine. At the end of the day, in the shared responsibility model a lot of things come down to the application, that's all right. So let's take a look.

Use namespaces to divide the cluster. Not only does this help you in multi-tenancy by separating different applications, you can also have a separate resource quota for each namespace. The resource quota specifies the maximum CPU and memory this namespace can allocate. So even in case of security attacks such as DDoS attacks, it is not going to exhaust the CPU and memory of the entire cluster. Only the specific namespace will be impacted, and other namespaces can work normally. But remember, by default all pods can talk to each other, so the pods in namespace A can talk to pods in namespace B in the same cluster.

Which brings us to the next best practice, which is use network policy to control pod traffic. Network policy works at OSI layers 3 and 4, which means it can control traffic by IP address of the pod or port of the pod, and it can also control traffic using the label of the pod as well as the namespace. So using network policy and namespaces you can totally segregate traffic for each namespace.

Taking a quick look at a network policy manifest file: the kind NetworkPolicy signifies that this is a manifest for a network policy. Under metadata, name is just the name for this network policy, but more importantly the namespace is namespace-b. Under spec, the podSelector with matchLabels environment: test signifies that this network policy is implemented for the pods with the label environment: test within the namespace namespace-b. Now under ingress, under the from statement, we are specifying the clause namespaceSelector, so this network policy only allows traffic coming from the pods running in a namespace with a label myspace: namespacea, which is in this case namespace-a. After you deploy this network policy, this pod in namespace B will not accept traffic from any other pod which doesn't match this ingress criteria, so the pods running within namespace C should not be able to communicate with the pods in namespace B. Network policy is becoming quite important, and I'm seeing that it is being asked in more and more interviews. I have a separate video on network policy with a demo on Kubernetes with Calico. I'll give the link up top, so please check it out if interested.

The next best practice for the application phase is implement RBAC, or role-based access control. This also kind of ties back to the Kubernetes version: if you are beyond Kubernetes version 1.16 you have to use RBAC. But make sure that you utilize RBAC. With role-based access control you can have separate roles for separate groups. So admin can have access to, let's say, create namespaces, delete pods, etc. Developers can have specific roles, testers can have specific roles. So even though it is convenient, do not give the admin role to everybody. Create separate roles and apply them appropriately. So again, RBAC is super important, both for the interview as well as your real-world project. If you don't know what RBAC is and you want to understand it from the basics, please watch my Kubernetes security video on RBAC and IRSA. I'll give a link up top.

The next best practice is do not allow privilege escalation. On this best practice, prepare for questions on privileged versus root access. One big difference is that with root you are still confined to your current container, you cannot impact other namespaces or other containers, but privileged access allows you to access other containers and other namespaces. So this is a strict no-no. In your pod manifest file you should always put privilege escalation as false so that it's not possible.

So we are talking about a lot of best practices, but is there a way to declare all this using some sort of policy engine? Yes, which brings us to the next best practice: use OPA, or Open Policy Agent, to enforce restrictions. You can do multiple things using OPA. Using OPA you can make sure that container images only come from an approved repository, or you can enforce that every namespace should have a label with a point of contact, etc. You might get a question on how you would implement OPA or Open Policy Agent. You do that by using either Gatekeeper, which is an open source project, or Kyverno. Gatekeeper is based on the Rego syntax programming language and Kyverno is based on YAML. Kyverno is getting a lot of traction, but keep these two names in mind.

All right, now moving on to "I am watching you" from the infrastructure group, so this is the detection phase. This detection phase security best practice is run a dynamic scan on running containers. You did the static scan on your container image, but maybe after you deployed it some new vulnerability came out, right? But at this point you already deployed your container image, so you have to run a scan on the running container to find that. This one is highly recommended as well, make sure you mention this in your interview. Keep some scanning tool names handy, such as Twistlock, Aquasec, Snyk, etc.

The next best practice is enable audit logs. Your control plane sends the logs; for EKS it sends them to CloudWatch. So make sure you create alarms on some of the suspicious things, you can run Insights on the logs, etc.

All right guys and girls, so these are the 10 Kubernetes security best practices that you should implement in your real-world application as well as prepare for your interviews. Let me know if you want to dive deep into some specific security best practices with demos and stuff. Happy to do that, let me know in the comment section. Also, if you found this video helpful, if you learned something new, please subscribe, click that like button, smash it if that's something you are into. Each like really helps the YouTube algorithm, it suggests this video to new viewers. This is still a small channel, we are trying to grow. All right guys and girls, that's it for this one. I'll see you in the next one. Bye.
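
The NetworkPolicy walked through in the transcript, written out as a manifest. This is an added example, not the manifest shown in the video: the policy names and the exact spelling of the `myspace` label value are assumptions, and the default-deny policy at the end goes beyond what the talk shows.

```yaml
# Constructed example. Namespace names and label keys follow the walkthrough
# in the transcript; policy names and the label value spelling are assumed.
#
# namespaceSelector matches labels on the Namespace object itself, so
# namespace-a must actually carry the label the policy looks for.
apiVersion: v1
kind: Namespace
metadata:
  name: namespace-a
  labels:
    myspace: namespacea
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-from-namespace-a   # assumed name
  namespace: namespace-b         # the policy lives in the namespace it protects
spec:
  podSelector:
    matchLabels:
      environment: test          # applies only to pods with this label
  policyTypes:
    - Ingress
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              myspace: namespacea   # only namespaces labelled like namespace-a
---
# Pods in namespace-b WITHOUT environment=test are not selected by the policy
# above, so they still accept traffic from every namespace. An empty
# podSelector with no ingress rules denies ingress to all pods in the
# namespace; the allow policy above then opens the one permitted path.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress     # assumed name
  namespace: namespace-b
spec:
  podSelector: {}
  policyTypes:
    - Ingress
```

These policies only take effect when the cluster's network plugin enforces NetworkPolicy, such as Calico, which the talk mentions for its demo.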
Info
Channel: Cloud With Raj
Views: 15,170
Keywords: kubernetes, kubernetes security best practices, kubernetes security, agent of change
Id: XUFVT8bGJhw
Length: 17min 0sec (1020 seconds)
Published: Fri Jul 02 2021