Preventing Kubernetes Misconfiguration: Static Analysis and Beyond · Matt Johnson · 2020-12-09

Post on 19-Mar-2021

TRANSCRIPT

Matt Johnson, Developer Advocate Lead

Preventing Kubernetes Misconfiguration: Static Analysis and Beyond

AGENDA

• Misconfiguration challenges
• Write policy as code
• Automate in our CI pipeline
• Runtime analysis of k8s cluster
• Helm chart analysis

Matt Johnson

@Metahertz / metahertz

As an engineer, I want to move fast

I DO NOT want to break things

The thing I have a love/hate relationship with is…

And this is where our story begins…

So let’s open our eyes and look at some…

…data

Top Failing Kubernetes checks (bar chart, axis 0–70):

• Ensure Kubernetes Clusters are configured with Labels
• Ensure a client certificate is used by clients to authenticate to Kubernetes…
• Ensure PodSecurityPolicy controller is enabled on the Kubernetes Engine Clusters
• Ensure Network Policy is enabled on Kubernetes Engine Clusters
• Ensure Container-Optimized OS (cos) is used for Kubernetes Engine Clusters…
• Ensure 'Automatic node upgrade' is enabled for Kubernetes Clusters
• Ensure 'Automatic node repair' is enabled for Kubernetes Clusters
• Ensure Amazon EKS public endpoint disabled
• Ensure Amazon EKS control plane logging enabled for all log types
• Ensure EKS Cluster has Secrets Encryption Enabled
• Ensure Amazon EKS public endpoint not accessible to 0.0.0.0/0

Infrastructure as code (IaC) presents a new risk and a new opportunity

https://github.com/bridgecrewio/checkov

• Released publicly in December 2019
• Apache 2.0 license
• 50+ contributors
• >800K downloads
• >1400 stars
• Written in Python

Checkov statically analyzes for known best practices implemented in IaC manifests like k8s YAML.

Policy as code

• Version controlled
• Peer reviewed
• Can utilize inheritance and have code reuse (python)
• Part of SDLC
• Continuous integration
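As an added illustration of the policy-as-code pattern above (this is not Checkov's code and not from the talk): a minimal static checker in which a base class locates the pod spec, a reusable parent class expresses "every container must set securityContext.<field> to <value>", and the concrete policies inherit from it, so adding a policy is a few version-controlled lines. Class names, check ids and the sample manifests are constructed for this example.

```python
PASSED, FAILED, SKIPPED = "PASSED", "FAILED", "SKIPPED"

class BaseK8sCheck:
    """Subclasses declare check_id, name, supported_kinds and implement scan_spec()."""
    check_id, name, supported_kinds = "", "", ()

    def run(self, manifest):
        if manifest.get("kind") not in self.supported_kinds:
            return SKIPPED  # policy does not apply to this resource kind
        spec = manifest.get("spec", {})  # Pods carry the pod spec directly ...
        if manifest["kind"] != "Pod":    # ... workload controllers nest it under spec.template
            spec = spec.get("template", {}).get("spec", {})
        return self.scan_spec(spec)

class ContainerFieldCheck(BaseK8sCheck):
    """Reusable parent: FAIL unless every container (init containers too) sets
    securityContext.<field> to the expected value; an absent field fails (fail closed)."""
    field, expected, supported_kinds = "", None, ("Pod", "Deployment", "DaemonSet", "StatefulSet")

    def scan_spec(self, pod_spec):
        for c in pod_spec.get("containers", []) + pod_spec.get("initContainers", []):
            if c.get("securityContext", {}).get(self.field) != self.expected:
                return FAILED
        return PASSED

class NoPrivilegeEscalation(ContainerFieldCheck):  # hypothetical check id
    check_id, name = "CUSTOM_K8S_1", "Containers must set allowPrivilegeEscalation: false"
    field, expected = "allowPrivilegeEscalation", False

class RunAsNonRoot(ContainerFieldCheck):  # hypothetical check id
    check_id, name = "CUSTOM_K8S_2", "Containers must set runAsNonRoot: true"
    field, expected = "runAsNonRoot", True

REGISTRY = [NoPrivilegeEscalation(), RunAsNonRoot()]

def scan_manifests(manifests):
    """Run every registered policy over every manifest; a non-empty result fails the CI step."""
    return [(m["metadata"]["name"], chk.check_id)
            for m in manifests for chk in REGISTRY if chk.run(m) == FAILED]

# Constructed sample manifests (shaped as YAML parses into dicts), not taken from the talk.
SAMPLE = [
    {"kind": "Deployment", "metadata": {"name": "web"}, "spec": {"template": {"spec": {
        "containers": [{"name": "app", "image": "example/app:1.0", "securityContext":
                        {"allowPrivilegeEscalation": False, "runAsNonRoot": True}}]}}}},
    {"kind": "Pod", "metadata": {"name": "debug"}, "spec": {
        "containers": [{"name": "shell", "image": "example/tools:1.0"}]}},
    {"kind": "ConfigMap", "metadata": {"name": "cfg"}, "data": {}},  # no pod spec: skipped
]
```

Calling `scan_manifests(SAMPLE)` returns `[('debug', 'CUSTOM_K8S_1'), ('debug', 'CUSTOM_K8S_2')]`: the Deployment passes both policies, the bare Pod fails both because it sets neither field, and the ConfigMap is skipped as an unsupported kind.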

Policy as code

Brace for live demo

CI pipeline (slide diagram):

1. Change Request
2. Infrastructure security tests
3. Deployment Trigger
4. Deploy / Apply changes

Target: Destination Account

Brace for live demo

Another one!

Runtime analysis of K8s cluster

• Keep your manifests secure
• Monitor both build-time and runtime
• Have a fast feedback loop on configuration changes
• Version control your policies

Pipeline with runtime analysis (slide diagram):

1. Change Request
2. Infrastructure security tests
3. Deployment Trigger
4. Deploy / Apply changes
5. Runtime Config Analysis
6. Notify

Target: Destination Account

Misconfig Analysis across: Pre-commit → Continuous Integration → Running Cluster

A WORLD WHERE:

• Infrastructure is developed and secured in the same place
• Issues are automatically prevented from being deployed
• Security is a business enabler rather than a hindrance

TAKEAWAYS

• Keep your Kubernetes manifests and Helm charts secure
• Monitor both build-time and runtime
• Have a fast feedback loop on configuration changes
• Version control your policies

Try Checkov and join our Slack: slack.bridgecrew.io

CONTACT ME: matt@bridgecrew.io
