devops
A _____ in Kubernetes is an abstraction which defines a logical set of Pods and a policy by which to access them. The set of Pods targeted by a Service is usually determined by a LabelSelector.
Service
The supporting services (e.g., authentication/authorization, security monitoring, etc.) for a microservices-based application must be tightly coordinated through a dedicated infrastructure, such as the ___ ___
Service Mesh
Kubernetes 11 Ways (Not) to Get Hacked: ____ Everywhere Enable ___ with Least Privilege, Disable ABAC, and Monitor Logs Use Third Party Auth for ___ ___ ____ Encryption Keys Use Linux Security Features and _______ Statically Analyse _____ Run Containers as a ______ User Use Network _____ Scan Images and Run ____ Run a ____ Mesh
TLS RBAC API Server Rotate PodSecurityPolicies YAML non-root policies IDS service
With ECS, ENIs can be allocated to a '_____', and an EC2 instance can support up to 120 *****. With EKS, ENIs can be allocated to and shared between Kubernetes pods, enabling the user to place up to 750 Kubernetes pods per EC2 instance (depends on instance type) which achieves a much higher container density than ECS.
Task
Running different _____ on the same Kubernetes cluster creates a risk of one compromised ***** attacking a neighboring ****. Network segmentation is important to ensure that containers can communicate only with those they are supposed to.
application
There are several options available to deploy Kubernetes: on___ ___, on-premise, and in the public cloud (custom Kubernetes build on virtual machines OR use a managed service).
bare metal
Kubernetes Security Best Practices: Runtime Phase¶ The runtime phase exposes containerized applications to a slew of new security challenges. Your goal here is to both gain visibility into your running environment and _____ and _____ to threats as they arise.
detect respond
A ___ ____ is an immutable, lightweight, standalone, executable package of software that includes everything needed to run an application: code, runtime, system tools, system libraries and settings
Container image
When you create a Service, it creates a corresponding ___ ___. <service-name>.<namespace-name>.svc.cluster.local
DNS entry
kubernetes: The name of a Secret object must be a valid ___ ___ name.
DNS subdomain
"_______" images contain only your application and its runtime dependencies. They do not contain package managers, shells or any other programs you would expect to find in a standard Linux distribution.
Distroless
Caution: Kubernetes Secrets are, by default, stored as unencrypted base64-encoded strings. By default they can be retrieved - as plain text - by anyone with API access, or anyone with access to Kubernetes' underlying data store, etcd. In order to safely use Secrets, it is recommended you (at a minimum): Enable ___ ___ ____ for Secrets. Enable or configure _____ rules that restrict reading and writing the Secret. Be aware that secrets can be obtained implicitly by anyone with the permission to create a ____.
Encryption at Rest RBAC Pod
AWS — a "serverless" container compute engine where you only pay for the resources required to run your containers. Suited for customers who do not want to worry about managing servers, handling capacity planning, or figuring out how to isolate container workloads for security.
Fargate
Advantages of Kubernetes include: Serverless infrastructure: Kubernetes containers can be operated without direct access to VMs. More than that, there are Kubernetes solutions that are real serverless and integrate with AWS _____
Fargate
A service mesh is a web of ___ ___ ___, made between high performance "sidecar" proxy servers like Envoy and Linkerd. It adds traffic management, monitoring, and policy - all without microservice changes.
encrypted persistent connections
Applications that need to access the Secret API should perform ___ requests on the secrets they need. This lets administrators restrict access to all secrets while ____ access to individual instances that the app needs.
GET whitelisting
Network segmentation policies: One of the challenges in Kubernetes deployments is creating network segmentation between pods, services and containers. This is a challenge due to the "dynamic" nature of container network identities (_____), along with the fact that containers can communicate both inside the same ____ or between ****s
IPs node
Prevent unapproved images from being used with the admission controller _____ to reject _____ that use unapproved images including: Images that haven't been scanned recently Images that use a base image that's not whitelisted Images from insecure registries
ImagePolicyWebhook pods
A Service in Kubernetes is an abstraction which defines a logical set of Pods and a policy by which to access them. The set of Pods targeted by a Service is usually determined by a _____.
LabelSelector
_____ are a feature of the Linux kernel that partitions kernel resources such that one set of processes sees one set of resources while another set of processes sees a different set of resources.
Namespaces
kubernetes: It is recommended to harden the underlying hosts by installing the latest version of _____ hardening the ****, implement necessary ____ management and _____ management system, implementing essential ____ rules and undertake specific security measures depending on the datacenter environment.
OS patch configuration firewall
Container Security: ______ are designed giving them highest level of access in the ecosystem. If the access provided to users and groups is not scoped to their specific needs, a malicious or careless user could affect or subvert the operation of other containers managed by the orchestrator. Orchestrators often include their own authentication directory service, which may be separate from the typical directories already in use within an organization. This can lead to weaker account management practices and 'orphaned' accounts in the orchestrator because these systems are less rigorously managed.
Orchestrators
Unlike _____ IP addresses, which actually route to a fixed destination, _____ IPs are not actually answered by a single host. Instead, we use _____ (packet processing logic in Linux) to define _____ IP addresses which are transparently redirected as needed. When clients connect to the VIP, their traffic is automatically transported to an appropriate endpoint.
POD service iptables virtual
________ is a cluster-level resources available in Kubernetes (via kubectl) that is highly recommended. You must enable the ***** admission controller to use it.
PodSecurityPolicy
A Service in Kubernetes is an abstraction which defines a logical set of ____ and a policy by which to access them. The set of Pods targeted by a Service is usually determined by a LabelSelector.
Pods
Kubernetes Security Best Practices: Runtime Phase¶ First, you must monitor the most security-relevant container activities, including: ____ activity _____ communications among containerized services ***** communications between containerized services and external clients and servers
Process Network
____ ____ limits the number or capacity of resources granted to a namespace. This is most often used to limit the amount of CPU, memory, or persistent disk a namespace can allocate, but can also control how many pods, services, or volumes exist in each namespace.
Resource quota
In Kubernetes, a ___ is a small object that contains sensitive data, like a password or token.
Secret
Kubernetes supports multiple authorization modules, such as ABAC mode, RBAC Mode, and ____ mode.
Webhook
______ is a Linux kernel feature that limits, accounts for, and isolates the resource usage (CPU, memory, disk I/O, network, etc.) of a collection of processes.
cgroups
Container Sandboxing¶ Container runtimes typically are permitted to make direct calls to the host kernel then the kernel interacts with hardware and devices to respond to the request. ____ and _____ exist to give containers a certain amount of isolation but the still kernel presents a large attack surface area.
cgroups namespaces
Logging¶ Kubernetes supplies ______-based logging, allowing to log container activity into a central log hub. When a cluster is created, the standard output and standard error output of each container can be ingested using a Fluentd agent running on each node into either Google Stackdriver Logging or into Elasticsearch and viewed with Kibana.
cluster
PodSecurityPolicy is a _____-level resources available in Kubernetes (via kubectl) that is highly recommended. You must enable the PodSecurityPolicy admission controller to use it.
cluster
Running different applications on the same Kubernetes _____ creates a risk of one compromised application attacking a neighboring application. Network segmentation is important to ensure that containers can communicate only with those they are supposed to.
cluster
cloud-controller-managerThe cloud controller manager lets you link your cluster into your cloud provider's API, and separates out the components that interact with that cloud platform from components that just interact with your ____.
cluster
Container images must be built using approved and secure base image that is scanned and monitored at regular intervals to ensure only secure and authentic images can be used within the _____. It is recommended to configure strong _____ policies regarding how images are built and stored in trusted image registries.
cluster governance
Each Pod is assigned a unique IP address. Every _____ in a pod gets the same IP address of the pod.
container
Pod Security Policies are one way to control the security-related attributes of pods, including _____ privilege levels. These can allow an operator to specify the following:
container
___ ___ is the software that is responsible for running containers.
container runtime
Complex applications that handle multiple processes and have public access are especially vulnerable in this regard. You must ensure that secrets are not being passed as ____ ____ but are instead mounted into ___ ___ ____ in your containers, for example.
environment variables read only volumes
Separate and Firewall your ____ Cluster
etcd
The _____ database in general contains any information accessible via the Kubernetes API and may grant an attacker significant visibility into the state of your cluster.
etcd
____ is a consistent and highly-available key-value store used as Kubernetes' backing store for all cluster data.
etcd
____ stores information on state and secrets, and is a critical Kubernetes component - it should be protected differently from the rest of your cluster.
etcd
Master Node(s) Responsible for managing the workload within the cluster. Services include: _____: A key-value data store for cluster configuration API server: A REST service that provides an interface into Kubernetes; state is stored in etcd _____: Intelligently determines which nodes workloads should be assigned to ______ manager: A process that controllers like the DaemonSet and Replication controller run in; controllers access the API to manage resources
etcd Scheduler Controller
Kubernetes Master has ____ + ____ server + ____ and ____ Manager
etcd api scheduler controller
To use a Secret, a Pod needs to reference the Secret. A Secret can be used with a Pod in three ways: As ____ in a volume mounted on one or more of its ____. As a container ____ ____. By the ____ when pulling images for the Pod.
files containers environment variable kubelet
Comparing Kubernetes to Amazon ECS is not entirely fair. Amazon ECS provides two elements in one product: a container orchestration platform, and a managed service that operates it and provisions _____ resources. Kubernetes offers only one of these elements.
hardware
Container runtimes typically are permitted to make direct calls to the ___ ____
host kernel
Even though a pod is not able to access the secrets of another pod, it is crucial to keep the secret separate from an _____ or ____ Otherwise, anyone with access to the image would have access to the secret as well.
image pod
Container registry is the central repository of container _____. Based on the needs, we can utilize public repositories or have a private repository as the container registry. Use private registries to store your approved images - make sure you only push approved images to these registries. This alone reduces the number of potential images that enter your pipeline to a fraction of the hundreds of thousands of publicly available images.
images
In object-oriented and functional programming, an ____ object is an object whose state cannot be modified after it is created
immutable
Traffic to a pod from an external network endpoint outside the cluster is allowed if _____ from that endpoint is allowed to the pod. Traffic from a pod to an external network endpoint outside the cluster is allowed if _____ is allowed from the pod to that endpoint.
ingress egress
_______________ runs controller processes. Logically, each controller is a separate process, but to reduce complexity, they are all compiled into a single binary and run in a single process.
kube-controller-manager
________ watches for newly created Pods with no assigned node, and selects a node for them to run on.
kube-scheduler
You should limit SSH access to Kubernetes nodes, reducing the risk for unauthorized access to host resource. Instead you should ask users to use "____ _____", which will provide direct access to the container environment without the ability to access the host.
kubectl exec
NODE COMPONENTS: ____ is an agent that runs on each node in the cluster. It makes sure that containers are running in a Pod kube-proxykube-proxy is a network proxy that runs on each _____ in your _____, implementing part of the Kubernetes Service concept Container runtime The container runtime is the _____ that is responsible for running _____.
kubelet node cluster software containers
Namespaces give you the ability to create ____ ____ and enforce separation of your resources as well as limit the scope of ____ permissions.
logical partitions user
A service mesh is an infrastructure layer for _____ applications that can help reduce the complexity of managing ****** and deployments by handling infrastructure service communication quickly, securely and reliably.
microservices
A linux _____ limits the ability of a process to see the system resources.
namespace
Resource quota limits the number or capacity of resources granted to a _____. This is most often used to limit the amount of CPU, memory, or persistent disk a ***** can allocate, but can also control how many pods, services, or volumes exist in each namespace.
namespace
Use Kubernetes ____ to properly isolate your Kubernetes resources¶ ***** give you the ability to create logical partitions and enforce separation of your resources as well as limit the scope of user permissions.
namespaces
Currently, anyone with root permission on any _____ can read any secret from the ____ ____, by impersonating the kubelet. It is a planned feature to only send secrets to nodes that actually require them, to restrict the impact of a root exploit on a single node.
node API server
A kubernetes cluser is a bunch of ____
nodes
The shorter the lifetime of a secret or credential the harder it is for an attacker to make use of that credential. Set short lifetimes on certificates and automate their rotation. Use an authentication provider that can control how long issued tokens are available and use short lifetimes where possible. If you use service account tokens in external integrations, plan to rotate those tokens frequently. For example, once the bootstrap phase is complete, a bootstrap token used for setting up _____ should be revoked or its authorization removed.
nodes
Use Kubernetes-native security controls to reduce operational risk¶ Leverage the native controls built into Kubernetes whenever available in order to enforce security policies so that your security controls don't collide with the _____. Instead of using a third-party proxy or shim to enforce network segmentation, as an example, use Kubernetes network policies to ensure secure network communication.
orchestrator
"Distroless" images contain only your application and its runtime dependencies. They do not contain ___ ___ shells or any other programs you would expect to find in a standard Linux distribution.
package managers
A user who can create a _____ that uses a secret can also see the value of that secret. Even if the API server policy does not allow that user to read the Secret, the user could run a **** which exposes the secret.
pod
By default, Kubernetes allows every ______ to contact every other ******.
pod
When creating a ____, Kubernetes automatically creates a service account Secret and automatically modifies your *** to use this Secret.
pod
kube-scheduler watches for newly created _____ with no assigned ____, and selects one for them to run on.
pod node
Container is inside of ____ which is inside of ____ which is inside of ____
pod node cluster
is necessary to access how sensitive data such as credentials and keys are stored and accessed. Even though a ____ is not able to access the _____ of another ****,
pod secrets
With EKS, ENIs can be allocated to and shared between Kubernetes pods, enabling the user to place up to 750 Kubernetes ____ per EC2 instance
pods
Use Kubernetes network policies to control traffic between ____ and _____
pods clusters
Kubernetes Security Best Practices: Deploy Phase¶ What is being deployed - including information about the image being used, such as components or vulnerabilities, and the ____ that will be deployed Where it is going to be deployed - which _____, namespaces, and nodes How it is deployed - whether it runs privileged, what other deployments it can communicate with, the pod security context that is applied, if any What it can access - including secrets, volumes, and other infrastructure components such as the host or orchestrator API Is it ____ - whether it complies with your policies and security requirements
pods clusters compliant
Built-in security: Kubernetes creates its own _____ network with its own isolated, secure networking.
private
Build a CI pipeline that integrates security assessment (like vulnerability scanning), making it part of the build process. The CI pipeline should ensure that only vetted code (approved for production) is used for building the images. Once an image is built, it should be scanned for security vulnerabilities, and only if no issues are found then the image would be pushed to a ___ ___, from which deployment to production is done. A failure in the security assessment should create a failure in the pipeline, preventing images with bad security quality from being pushed to the *** ****
private registry
Pod Security Policies address several critical security use cases, including: Preventing containers from running with ______ flag - this type of container will have most of the capabilities available to the underlying host. This flag also overwrites any rules you set using CAP DROP or CAP ADD.
privileged
kube-controller-manager runs controller processes. Logically, each controller is a separate _____, but to reduce complexity, they are all compiled into a single binary and run in a single ****.
process
A service mesh is a web of encrypted persistent connections, made between high performance "sidecar" _____ servers like Envoy and Linkerd. It adds traffic management, monitoring, and policy - all without microservice changes.
proxy
Container ____ is the central repository of container images.
registry
"Distroless" images contain only your application and its ___ ____. They do not contain package managers, shells or any other programs you would expect to find in a standard Linux distribution.
runtime dependencies
Often times in multi-tenant and highly untrusted clusters an additional layer of _____ is required to ensure ___ ____ and ____ exploits are not present. Below we will explore a few OSS technologies that help further isolate running containers from the host kernel:
sandboxing container breakout kernel
KUBERNETES: A ___ ____ defines privilege and access control settings for a Pod or Container. *** **** settings include, but are not limited to: Discretionary Access Control: Permission to access an object, like a file, is based on user ID (UID) and group ID (GID). Security Enhanced Linux (SELinux): Objects are assigned security labels. Running as privileged or unprivileged. Linux Capabilities: Give a process some privileges, but not all the privileges of the root user. AppArmor: Use program profiles to restrict the capabilities of individual programs. Seccomp: Filter a process's system calls. AllowPrivilegeEscalation: Controls whether a process can gain more privileges than its parent process. This bool directly controls whether the no_new_privs flag gets set on the container process. AllowPrivilegeEscalation is true always when the container is: 1) run as Privileged OR 2) has CAP_SYS_ADMIN. readOnlyRootFilesystem: Mounts the container's root filesystem as read-only.
security context
Network ______ policies are a key security control that can prevent lateral movement across containers in the case that an attacker breaks in. One of the challenges in Kubernetes deployments is creating network segmentation between pods, services and containers. This is a challenge due to the "dynamic" nature of container network identities (IPs), along with the fact that containers can communicate both inside the same node or between nodes.
segmentation
When creating a Pod, Kubernetes automatically creates a ___ ___ ___ and automatically modifies your Pod to use this Secret. The service account token Secret contains credentials for accessing the API.
service account Secret
A ___ ____ is a web of encrypted persistent connections, made between high performance "sidecar" proxy servers like Envoy and Linkerd. It adds traffic management, monitoring, and policy - all without microservice changes.
service mesh
A ____ ____ is an infrastructure layer for microservices applications that can help reduce the complexity of managing microservices and deployments by handling infrastructure service communication quickly, securely and reliably. **** ***** are great at solving operational challenges and issues when running containers and microservices because they provide a uniform way to secure, connect and monitor microservices. Service mesh provides the following advantages:
service mesh
Kubernetes ships an integrated Role-Based Access Control (RBAC) component that matches an incoming user or group to a set of permissions bundled into roles. These permissions combine verbs (get, create, delete) with resources (pods, ____, nodes) and can be namespace or cluster scoped. A set of out of the box roles are provided that offer reasonable default separation of responsibility depending on what actions a client might want to perform. It is recommended that you use the Node and RBAC authorizers together, in combination with the NodeRestriction admission plugin.
services
Container Runtime Security¶ This is typically carried out by intercepting the low-level system calls and looking for events that may indicate compromise. Some examples of events that should trigger an alert would include: A ____ is run inside a container A _____ mounts a sensitive path from the ___ such as /proc A sensitive file is unexpectedly _____ in a running container such as /etc/shadow An outbound network connection is established Open source tools such as Falco from Sysdig are available to help operators get up an running with container runtime security by providing a large number of out-of-the-box detections as well as the flexibility to create custom rules.
shell container host read
Use minimal base images and avoid adding unnecessary components¶ Avoid using images with OS package managers or _____ because they could contain unknown vulnerabilities. If you must include OS packages, remove the package manager at a later step. Consider using minimal images such as distroless images, as an example.
shells
In case vulnerabilities are found in running containers, it is recommended to always update the ___ ___ and redeploy the _____.
source image containers
ECS and EKS, both supports IAM roles per _____/______
task container
Ansible Roles are basically made up of _____, _____, and _____,
tasks handlers configurations
When creating a Secret, you can specify its ____ using the *** field of the Secret resource
type
While Kubernetes uses ____ for access control decisions and in request logging, it does not have a User object nor does it store usernames or other information about users in its API.
usernames
The ability to ___ and ___ all secrets in a cluster should be reserved for only the most privileged, system-level components.
watch list
A security context is a property defined in the deployment yaml. It controls the security parameters that will be assigned to the pod/container/volume. Read-only root file systems, for example, can prevent any attack that depends on installing software or ____ to the file system.
writing
API Authentication¶ Choose an authentication mechanism for the API servers to use that matches the common access patterns when you install a cluster. For instance, small single user clusters may wish to use a simple certificate or static Bearer token approach. Larger clusters may wish to integrate an existing OIDC or LDAP server that allow users to be subdivided into groups. All API clients must be authenticated, even those that are part of the infrastructure like nodes, proxies, the scheduler, and volume plugins. These clients are typically service accounts or use ____ ____ certificates, and they are created automatically at cluster startup or are setup as part of the cluster installation.
x.509 client