Orchestrating Least Privilege - Diogo Mónica - DevOpsDays Tel Aviv 2016
TRANSCRIPT
Job of an Orchestrator
- Node management
- Task assignment
- Cluster state reconciliation
- Resource management
A process must be able to access only the information and resources that are necessary for its legitimate purpose.
Principle of Least Privilege
An Orchestrator that follows the principle of least privilege in the strictest manner possible.
Least Privilege Orchestrator
Mitigating External Attacker
- Externally accessible service ports are explicitly defined
- Administration endpoints are authenticated and authorized
Mitigating Internal Network Attacker
- Authentication of both network and cluster control-plane communication
- Service-to-service communication is authorized, with orchestrator-managed ACLs
Mitigating Internal Network Attacker
[
  { "permission": { "method": "GET",    "resource": "/user" },    "allow": ["web", "fulfillment", "payments"] },
  { "permission": { "method": "POST",   "resource": "/user" },    "allow": ["signup", "web"] },
  { "permission": { "method": "DELETE", "resource": "/user/.*" }, "allow": ["web"] }
]
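An evaluator for the ACL above, as an added example (my code, not the orchestrator's): it loads the slide's rules, matches the full resource path against each pattern, and denies by default. It assumes the caller name is the service identity the orchestrator assigned to the peer (such as the OU of its TLS client certificate), never a value taken from the request itself.

```python
import json
import re

# The ACL from the slide, embedded here as a constructed inline string.
ACL_JSON = """[
  {"permission": {"method": "GET",    "resource": "/user"},    "allow": ["web", "fulfillment", "payments"]},
  {"permission": {"method": "POST",   "resource": "/user"},    "allow": ["signup", "web"]},
  {"permission": {"method": "DELETE", "resource": "/user/.*"}, "allow": ["web"]}
]"""


def compile_acl(acl_json):
    """Parse the ACL and pre-compile each resource pattern.

    Patterns are later applied with fullmatch(), so "/user/.*" covers
    "/user/42" but neither "/admin/user/42" nor a bare "/user": an
    unanchored search would silently widen every rule.
    """
    rules = []
    for entry in json.loads(acl_json):
        perm = entry["permission"]
        rules.append((perm["method"].upper(),
                      re.compile(perm["resource"]),
                      frozenset(entry["allow"])))
    return rules


def is_allowed(rules, caller, method, resource):
    """Deny by default: allow only if some rule matches the method and the
    whole resource path and lists `caller` in its allow set.

    `caller` is the orchestrator-assigned service name of the peer (assumed
    to come from its client certificate), not a header the request sends.
    """
    method = method.upper()
    for rule_method, pattern, allowed in rules:
        if rule_method == method and pattern.fullmatch(resource) and caller in allowed:
            return True
    return False


if __name__ == "__main__":
    rules = compile_acl(ACL_JSON)
    # Constructed sample requests: (caller, method, resource)
    for req in [("payments", "GET", "/user"), ("payments", "POST", "/user"),
                ("web", "DELETE", "/user/42"), ("web", "DELETE", "/admin/user/42")]:
        print(req, "->", "allow" if is_allowed(rules, *req) else "deny")
```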
Mitigating Malicious Worker
‣ Should only have access to resources currently in use
‣ No ability to modify or access any cluster state except their own
‣ Identity is assigned, never requested
Mitigating Malicious Manager
‣ Disallow running arbitrary code
‣ No access to secret material
‣ No ability to spin up unauthorized nodes or impersonate existing nodes
‣ No ability to read service-to-service communication
Mitigating Malicious Manager
[Diagram: a Manager node with several Worker nodes]
web:
  image: web-app
  expose: 443
  links:
    - redis
  tls-auth:
    - OU: api-client
redis:
  image: redis
The Token
SWMTKN-1-mx8susrv1etsmc8omaom825bet6-cm6zts22rl4hly2
- SWMTKN: prefix to allow VCS searches for leaked tokens
- 1: token version
- mx8susrv1etsmc8omaom825bet6: cryptographic hash of the CA root certificate, for bootstrap
- cm6zts22rl4hly2: randomly generated secret
Bootstrap
1. Retrieve and validate Root CA Public key material.
2. Submit new CSR along with secret token.
3. Retrieve the signed certificate.
Automatic Certificate Rotation
1. Submit new CSR using old key-pair.
2. Retrieve the new signed certificate.
SWARM