It was a great session today by Brendan Burns, Kubernetes co-founder, where he explained best practices for hardening the security of your Kubernetes resources, both in general and on Azure.
Below are some notes and QnA from the session.
- We can use Role Based Access Control (RBAC). Define roles such as the ones below; they can be assigned to different individuals, or several of them to the same individual.
  - Deployer – Service Accounts
  - Developer – Only read access to the cluster, no access to secrets.
  - Operator – Ability to delete pods
  - Cluster-Admin – Built-in role with access to Nodes
- It is a good practice to have Container Build and Container Deployment as separate processes. Only the Container Deployment pipeline should be able to deploy or make changes to the Kubernetes cluster. This is usually achieved by using Service Accounts or a Deployer role.
- Define policies to control access to resources.
- Use Cluster Services – XSS Scanning, Intrusion detection, Vulnerability Scanning
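As an added example (not from the session or the author), here are Kubernetes RBAC objects for three of the roles listed above: a read-only Developer role that deliberately omits Secrets, an Operator role that may delete pods, and a Deployer ServiceAccount for the deployment pipeline that is confined to one namespace. The role names, the `prod` namespace, the `developers` and `operators` group names and the resource lists are assumptions; adjust them to your cluster.

```yaml
# Added example: RBAC for Developer / Operator / Deployer. All names are assumptions.

# Developer: cluster-wide read access, but no access to Secrets.
# Resources are listed explicitly on purpose; a wildcard "*" would include secrets.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: developer-readonly
rules:
- apiGroups: [""]
  resources: ["pods", "pods/log", "services", "configmaps", "namespaces", "events"]
  verbs: ["get", "list", "watch"]
- apiGroups: ["apps"]
  resources: ["deployments", "replicasets", "statefulsets", "daemonsets"]
  verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: developers-readonly
subjects:
- kind: Group
  name: developers            # assumption: group name from your identity provider
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: developer-readonly
  apiGroup: rbac.authorization.k8s.io
---
# Operator: can look at pods and delete them (e.g. to force a restart), nothing more.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: operator-pod-delete
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "list", "watch", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: operators-pod-delete
subjects:
- kind: Group
  name: operators             # assumption
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: operator-pod-delete
  apiGroup: rbac.authorization.k8s.io
---
# Deployer: a ServiceAccount used only by the deployment pipeline, limited to
# the "prod" namespace and to the objects a rollout actually needs.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: deployer
  namespace: prod
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: deployer
  namespace: prod
rules:
- apiGroups: ["apps"]
  resources: ["deployments"]
  verbs: ["get", "list", "watch", "create", "update", "patch"]
- apiGroups: [""]
  resources: ["services", "configmaps"]
  verbs: ["get", "list", "watch", "create", "update", "patch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: deployer
  namespace: prod
subjects:
- kind: ServiceAccount
  name: deployer
  namespace: prod
roleRef:
  kind: Role
  name: deployer
  apiGroup: rbac.authorization.k8s.io
```

After applying this with `kubectl apply -f`, verify the boundaries rather than trusting the YAML: `kubectl auth can-i get secrets --as=someone --as-group=developers` should answer `no`, and `kubectl auth can-i create deployments -n prod --as=system:serviceaccount:prod:deployer` should answer `yes` while the same check in another namespace answers `no`. The build pipeline gets no binding at all, which is what keeps build and deployment separate.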
QnA from the session
Any offline offerings for secrets (ie other than using Azure KeyVault in the cloud)?
There are a few on-prem options, like HashiCorp's Vault.
How do you define WebOps? This seems to have come about in the last few years.
It's loosely defined around deployment, operation, maintenance, tuning, and repair of web-based applications and systems.
What are the minimum licensing requirements required to use the functionality being presented today? As an example, in order to use these services, are you required to have Azure Active Directory Premium or Enterprise Mobility Suite?
Standard Azure AD, including the free tier, is OK. If you want additional features in this flow, like MFA, you might need different tiers of AAD.
AAD integration with AKS RBAC requires a tenant admin to grant consent to your app. This is so that it can look up your group memberships. Why can't we use Service Principal roles instead? It would not require the tenant admin's help then.
AAD integration is for user-based auth and relies on the user's token; we're working to simplify the flow so that tenant admin involvement would not be needed.
How to monitor applications deployed in Kubernetes 24/7?
Azure Monitor for Containers and Application Insights are our recommended options.
What is pricing for canary environment?
Depends on how big the environment is (number of VMs) and the size of those VMs.
How to monitor security events in Kubernetes?
Audit Logs, API logs, from the Azure Monitor blade in the Azure Portal
How to make a Kubernetes cluster SSL-secure, as we have in a Service Fabric cluster?
What do you mean by cluster SSL? Kubernetes already secures communications via TLS; service-to-service TLS requires a component for it, like Istio.
Any recommendations around using a web application firewall with managed Kubernetes?
In CI/CD, is there any different way we can handle app upgrades without any downtime?
In Kubernetes with rolling updates, you don't need to incur any downtime.
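The zero-downtime rolling update mentioned in the answer above only works if the Deployment is configured so that a replacement pod is ready before an old one is removed. The following is an added example, not from the session or the author; the image reference, namespace, port and `/healthz` path are assumptions.

```yaml
# Added example: a Deployment tuned for a zero-downtime rolling update.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: web
  namespace: prod             # assumption
spec:
  replicas: 3
  selector:
    matchLabels:
      app: web
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxUnavailable: 0       # never take a serving pod away before its replacement is Ready
      maxSurge: 1             # roll one extra pod in at a time
  template:
    metadata:
      labels:
        app: web
    spec:
      containers:
      - name: web
        image: example.azurecr.io/web:1.2.3   # assumption: image from your own registry
        ports:
        - containerPort: 8080
        # Without a readiness probe the new pod counts as Ready immediately and
        # traffic is routed to it before the app can actually answer requests.
        readinessProbe:
          httpGet:
            path: /healthz
            port: 8080
          periodSeconds: 5
          failureThreshold: 3
        # Give the old pod a moment to finish in-flight requests after it is
        # removed from the Service endpoints and before SIGTERM is sent.
        lifecycle:
          preStop:
            exec:
              command: ["sleep", "5"]
      terminationGracePeriodSeconds: 30
```

With `maxUnavailable: 0` the rollout can never drop below the desired replica count, and the readiness probe gates when a new pod starts receiving traffic; `kubectl rollout status deployment/web -n prod` shows the rollout progressing one pod at a time, and `kubectl rollout undo` reverts it if the new version fails its probe.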
Any recommendations on what roles the Tiller and Kubernetes Dashboard service accounts should have?
Minimal to the needed function. The Dashboard should leverage token auth instead. Tiller should have access only to the required namespaces.
Do Kubernetes nodes automatically handle security patch updates? Is there any trade-off with the availability of apps?
In an HA setup there should be no downtime.
Is the Kubernetes policy generator here similar to the Azure Policy we have? Can you please share any references?
Stay tuned for the Build event for the launch of Azure Policy integration with Kubernetes policies and Open Policy Agent.
Is there a way to rotate the key of the Service Principal used for AKS?
Is there documentation about using a certificate vs token to authenticate robot accounts?
What are robot accounts in this context? Authenticating to the Kubernetes API? Using token auth requires AAD integration; cert auth is the default.
Any best practices to handle DDoS on a Kubernetes app?
Azure infrastructure has DDoS basic protection and DDoS standard protection via the DDoS Protection service. AKS inherits that; other than that, common best practices apply.
What are examples of policy controllers?
Does Azure provide any intrusion detection services for K8s?
Azure has generic intrusion detection services for all its services, e.g. via Azure Security Center.
What are some vulnerability scanning tools for Kubernetes clusters?
Aqua, Twistlock, NeuVector and Sysdig have solutions for that, for example.
When granting an AKS instance access to an ACR registry, it seems that it grants all AKS instances deployed by that Azure user access.
Is this the proper behavior? It seems to be the opposite of what the documentation indicates.
The access is granted to the AKS SP. If multiple clusters use the same SP they will have the same permissions.
Is there an in-built service which we can use for chaos testing Kubernetes, like we have in Service Fabric?
There are many open source projects to do chaos testing in Kubernetes, like Seal.
If you are attending Build this year, then you can expect something with respect to integrating Azure Policy and Kubernetes policies. I am waiting to hear more updates from Microsoft Build. What about you?
I will be updating the link to the actual video here once I receive it.