Академический Документы
Профессиональный Документы
Культура Документы
Application Delivery
Webinar
@sublimino / https://control-plane.io
I’m:
- Andy
- Dev-like
- Sec-ish
- Ops-y
DevOps
DevOps
"DevOps, in a sense, is about setting up a value delivery factory -- a streamlined,
waste-free pipeline through which value can be delivered to the business with a
predictably fast cycle time."
https://www.slideshare.net/MichaelMan11/bringing-rapid-prototyping-to-the-threat-model-process
Kubernetes
On The Shoulders of Giants
● Continuous Integration
○ Robust build pipelines
○ Fast feedback loops
○ Dev experience focus
● Continuous Delivery
○ Safe, well-tested code
○ On-demand deployment
○ Acceleration of features
● Continuous Security
○ Sec/dev team collaboration
○ Pentest tools in pipelines
○ Furious false-positive reduction
Enabling Technologies
● Linux
○ Containers are just processes
● Docker
○ Bundling and sandboxing
○ Runtime homogeneity
● Kubernetes
○ Infrastructure abstraction
○ Cross-host networking
○ Workload orchestration
DevSecOps: Layered Defences
● Test all levels of the stack
● Run hyper-tuned, fast, and parallelised
pipelines
● Reduce reliance on one tool, vendor, or
chain
● Automate and add a human expert for
high risk applications
● Prevent failure of one element resulting in
compromise of the entire application
https://coreos.com/blog/cluster-osi-model.html (2015)
DevSecOps vs DevOps
● “Automating operational integrated security assurance”
○ So sayeth http://www.devseccon.com/
○ Development, testing, public and private cloud, operation, security
● And
○ security features as acceptance criteria
○ end-to-end security automation
○ application and runtime hardening
○ supply chain defence
○ continuous scanning, audit, and compliance
Kubernetes: Promised Benefits
● Granular per-process/container/pod policies
● Detailed runtime configuration and resource accounting
● Whitelisted system calls, file system access, binaries, libraries, and
capabilities
● Enhanced network security controls
● Application and OS chain of custody
● Enforced governance for users, file systems, namespaces, and policies
● Hardened, minimal host OS
● Overall reduction in attack surface
Secure Kubernetes
Application Delivery
● This webinar is about shipping secure
software with Kubernetes
● It assumes that everything is untrusted by
default
○ application workloads, networking, supply
chain, developers, insider threats, underlying
infrastructure, and hosting providers
○ 'You build it, you run it' (Vogels, 2006).
● This is a paranoid by default approach
● Kubernetes has been insecure by default
● But correctly configured, it can provide more
benefits than VMs
What is a supply chain?
Anything that we depend upon
○ e.g., the military need to know
where all their hardware and
software comes from and who
builds them, to protect against
state attacks
○ e.g., pharmaceutical companies
likewise need to know the
provenance of their ingredients
What is a software supply chain?
VM VM
Analysis
Build
Scan
Test
QA
Pod Pod
Microservice VM
Pod
● Vulnerabilities in
dependencies, e.g.,
open-source packages
● Deliberate backdoors
● Compromised downloads,
e.g., typosquatting
Software supply chains can be exploited
● Vulnerabilities in
Apache Struts vulnerability
dependencies, e.g.,
open-source packages
● Deliberate backdoors
● Compromised downloads,
Malicious
e.g., typosquatting signed binary
Compromised
software update
server
What's different about supply chains with containers
Debug
Patch
Update
VM VM
Restart
Monolithic
application VM
Production environment
Manual adjustment
VM based
Hard
What's different about supply chains with containers
Debug
Build & deploy
Patch
Analysis
Build
Scan
Test
QA
Update
VM VM
Monolithic Re-build & CI/CD pipeline
Restart re-deploy
application VM
VM VM
Production environment Pod Pod
Microservice VM
Pod
Manual adjustment
Production environment
VM VM
Analysis
Build
Scan
Test
QA
Pod Pod
Microservice VM
Pod
Application
Base image Code Build Deploy
image
Packages CoreOS
Alpine, CentOS,
Packages Debian, Oracle Aqua Security
Linux, RHEL, Ubuntu
Packages, files,
Anchore
software artifacts
Admission control
Kubernetes admission controllers
● Admission controllers are a concept built into Kubernetes
○ Mutating: can modify objects
○ Validating: can’t modify objects
● Can customize for whatever you want to check
kubectl
Mutating Validating
Authentication &
Authorization Deployment
Admission controllers
Kritis
● Signing and deploy enforcement tool for Kubernetes
○ Implemented as a Kubernetes admission
controller
○ Integrates with Grafeas attestation metadata APIs
● Generate attestations based on your requirements
○ Build provenance
○ Vulnerability findings
Kritis: ImageSecurityPolicy example
apiVersion: kritis.grafeas.io/v1beta1
kind: ImageSecurityPolicy
metadata:
name: my-isp
spec:
imageWhitelist:
- gcr.io/kritis-int-test/nginx-digest-whitelist:latest
- gcr.io/kritis-int-test/nginx-digest-whitelist\
@sha256:56e0af16f4a9d2401d3f55bc8d214d519f070b5317512c87568603f315a8be72
packageVulnerabilityRequirements:
maximumSeverity: HIGH # BLOCKALL|LOW|MEDIUM|HIGH|CRITICAL
whitelistCVEs:
- providers/goog-vulnz/notes/CVE-2017-1000082
- providers/goog-vulnz/notes/CVE-2017-1000081
Portieris
● Notary Admission Controller
● Portieris enforces Content Trust
○ Different levels of trust for different images
● A mutating admission webhook ensures
Kubernetes pulls the signed version
● Enforces trust pinning, and blocks the creation of
resources that use untrusted images
● Supports IBM Cloud Container Registry, Quay.io,
Docker Hub
Summary
Ideal, security-hardened container supply chain
Application
Base image Code Build Deploy
image
● @torresariass