DevSecOps to help protect your Kubernetes environment

Brendan Burns, Kubernetes co-founder, gave a great session today in which he explained best practices for hardening the security of your Kubernetes resources, both in general and on Azure.

Below are some notes and QnA from the session.

  • We can use Role-Based Access Control (RBAC). Define roles as below; these roles can be given to different individuals or to the same individual.
  1. Deployer – Service Accounts
  2. Developer – Read-only access to the cluster, no access to secrets
  3. Operator – Ability to delete pods
  4. Cluster-Admin – Built-in role with access to nodes
  • It is good practice to keep container build and container deployment as separate processes. Only the container deployment pipeline should be able to deploy or make changes to the Kubernetes cluster. This is usually achieved by using Service Accounts or the Deployer role.
  • Define policies to control access to resources.
  • Use Cluster Services – XSS Scanning, Intrusion detection, Vulnerability Scanning
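
The role split above, expressed as Kubernetes RBAC manifests (an added example, not material from the session). The role names and the `prod` namespace are assumptions, bindings of the Developer and Operator roles to users or groups are left to the cluster owner, and Cluster-Admin is omitted because `cluster-admin` already exists as a built-in ClusterRole.

```yaml
# Constructed example: role names and the "prod" namespace are assumptions.
# Developer: read-only; "secrets" is deliberately absent from resources.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata: {name: developer-readonly}
rules:
  - apiGroups: ["", "apps"]
    resources: ["pods", "pods/log", "services", "configmaps", "deployments", "replicasets"]
    verbs: ["get", "list", "watch"]
---
# Operator: may list and delete pods, nothing else.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata: {name: operator}
rules:
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["get", "list", "watch", "delete"]
---
# Deployer: service account used only by the deployment pipeline.
apiVersion: v1
kind: ServiceAccount
metadata: {name: deployer, namespace: prod}
---
# Namespaced Role: the pipeline can change Deployments in "prod" only.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata: {name: deployer, namespace: prod}
rules:
  - apiGroups: ["apps"]
    resources: ["deployments"]
    verbs: ["get", "list", "watch", "create", "update", "patch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata: {name: deployer, namespace: prod}
subjects:
  - kind: ServiceAccount
    name: deployer
    namespace: prod
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: deployer
```

After applying these, `kubectl auth can-i get secrets -n prod --as=system:serviceaccount:prod:deployer` should answer `no`, which confirms the pipeline identity cannot read secrets.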

QnA from the session

Any offline offerings for secrets (i.e. other than using Azure KeyVault in the cloud)?
There are a few on-prem options, like HashiCorp’s Vault

How do you define WebOps? This seems to have come about in the last few years.
It’s loosely defined around deployment, operation, maintenance, tuning, and repair of web-based applications and systems

What are the minimum licensing requirements required to use the functionality being presented today? As an example, in order to use these services, are you required to have Azure Active Directory Premium or Enterprise Mobility Suite?
Standard Azure AD, including the free tier, is ok. If you want additional features in this flow, like MFA, you might need different tiers of AAD

AAD integration with AKS RBAC requires a tenant admin to grant consent to your app. This is so that it can look up your group memberships. Why can’t we use Service Principal roles instead? It would not require tenant admin help then?
AAD integration is for User based auth and relies on the user’s token, we’re working to simplify the flow so the tenant admin involvement would not be needed.

How to monitor application deployed in kubernetes 24/7?
Azure Monitor for Containers and Application Insights is our recommended option

What is pricing for canary environment?
Depends on how big the environment is (# of VMs) and the size of those VMs

How to monitor security events of kubernetes?
Audit Logs, API logs, from the Azure Monitor blade in the Azure Portal

How to make a Kubernetes cluster SSL secure… as we have in a Service Fabric cluster?
What do you mean by cluster SSL? Kubernetes already secures communications via TLS; service-to-service TLS requires a component for it, like Istio

Any recommendations around using a web application firewall with managed Kubernetes?
https://docs.microsoft.com/en-us/azure/aks/operator-best-practices-network#secure-traffic-with-a-web-application-firewall-waf https://aka.ms/secureaks

In CI/CD, is there any different way we can handle app upgrade without zero downtime?
In Kubernetes, with rolling updates, you don’t need to incur any downtime

Any recommendations on what role should Tiller & Kubernetes Dashboard service accounts have?
Minimal to the needed function. Dashboard should leverage token auth instead. Tiller should have access only to the required namespaces

Do Kubernetes nodes automatically handle security patch updates, and is there any tradeoff with the availability of apps?
In HA setup there should be no downtime

Is the Kubernetes policy generator here similar to the Azure Policy we have? Can you please share any references?
Stay tuned for Build// event for the launch of Azure policy integration with kubernetes policies and open policy agent

Is there a way to rotate the key of the Service Principal used for AKS?
Yes: https://docs.microsoft.com/en-us/azure/aks/update-credentials

Is there documentation about using a certificate vs token to authenticate robot accounts?
What are robot accounts in this context? Authenticate to the kubernetes API? Using token auth requires AAD integration, cert is by default

Any best practices to handle DDoS on a Kubernetes app?
Azure Infra has DDoS basic protection and DDoS standard protection via DDoS protection service. AKS inherits that, other than that common best practices apply.

What are examples of policy controllers?
https://www.openpolicyagent.org/

Does Azure provide any intrusion detection services for K8?
Azure has generic intrusion detection services for all its services, e.g. via Azure Security Center

What are some vulnerability scanning tools for Kubernetes clusters?
Aqua, Twistlock, NeuVector, and Sysdig have solutions for that, for example

When granting access to an ACR registry for an instance to AKS, it seems that it grants all AKS instances deployed by that Azure user access. Is this the proper behavior? It seems to be the opposite of what the documentation indicates.
The access is granted to the AKS SP. If multiple clusters use the same SP they will have the same permissions.

Is there an inbuilt service which we can use for chaos testing Kubernetes, like we have in Service Fabric?
There are many open source projects to do chaos testing in Kubernetes, like Seal

If you are attending Build this year, you can expect something on integrating Azure Policies and Kubernetes policies. I am waiting to hear more updates from Microsoft Build. What about you?

I will be updating the link to the actual video here once I receive it.

Happy Reading!!!!

 

 
