This workshop will teach you security principles and practices for securing a Kubernetes cluster. The only secure computer is in a secure building, locked in a guarded vault, inside a Faraday cage, with biometric login, and not connected to the internet. And even those precautions may not be enough. Since no production system gets that treatment, software and DevOps engineers need to understand how to secure the systems they work with.
As Kubernetes has become the de facto container platform, we need to be pragmatic and make security decisions based on business needs. With some simple practices you can reduce the blast radius of a security incident. The phrase 'blast radius' refers to the breadth and depth of damage an intrusion can do once an attacker has a foothold.
Kubernetes ships with tooling that allows users to harden and secure their clusters and applications, but since Kubernetes is a complex system, security is not done for you automatically. If you use Kubernetes as a developer or an operator you need to understand Kubernetes security best practices.
The workshop is a combination of short lecture sessions, each followed by an associated demo. Before each demo we will give a short session outlining the topic and the concept it illustrates.
The class will walk through demos covering these topics:
- Role Based Access Control (RBAC)
- Intrusion Example
- Binary Authorization
The RBAC demo will cover usage and debugging of role-based access control in a Google Kubernetes Engine (GKE) cluster. RBAC resource definitions are standard across all Kubernetes platforms; the demo also uses the authentication and authorization that GKE ties into Google Cloud Platform identities.
The intrusion demo covers security concerns common to many Kubernetes cluster configurations, and the preventative hardening measures that close off the attack paths of pod escape and cluster privilege escalation.
Containers have created a unique security challenge, container provenance. Provenance is the place of origin and history of something; for containers it is where the image was pulled from and the history of how that image was built. With provenance established we can ensure that the container we are running is the container we expect. Google Cloud Platform offers a service called Binary Authorization. Binary Authorization works closely with GKE and allows GKE to enforce deploy-time security rules so that only authorized container images are deployed.
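The kind of RBAC object the demo works with, as an added example that is not part of the workshop materials: a least-privilege Role that lets one user read Pods in a single namespace, bound to a Google account as GKE presents it to the API server. The namespace `dev`, the user `alice@example.com` and the Role names are assumptions chosen for illustration.

```yaml
# Added example (not from the workshop): read-only access to Pods in one
# namespace. Namespace, user and Role names are assumptions.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: pod-reader
  namespace: dev
rules:
- apiGroups: [""]                    # "" is the core API group (pods, services, ...)
  resources: ["pods", "pods/log"]
  verbs: ["get", "list", "watch"]    # read-only: no create, delete or pods/exec
---
# Bind the Role to a Google identity. GKE authenticates kubectl users against
# Google Cloud IAM, so the RBAC subject is the account's e-mail address.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: pod-reader-binding
  namespace: dev
subjects:
- kind: User
  name: alice@example.com            # assumed Google account
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role                         # a Role, not a ClusterRole: scoped to "dev" only
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io
# Debugging: ask the API server what this identity may do, by impersonation.
#   kubectl auth can-i list pods   --as alice@example.com -n dev       # yes
#   kubectl auth can-i delete pods --as alice@example.com -n dev       # no
#   kubectl auth can-i list pods   --as alice@example.com -n default   # no
```

One GKE-specific caveat when debugging: IAM and RBAC are evaluated together, and an IAM role such as Kubernetes Engine Developer grants cluster-wide Kubernetes permissions that no RoleBinding can take away. For the least-privilege model above, give the user only the IAM permission needed to fetch cluster credentials (container.clusters.get, as in the Kubernetes Engine Cluster Viewer role) and grant everything else through RBAC.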
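The hardening that closes those two attack paths at the workload level, as an added example that is not part of the workshop materials: a Pod spec that refuses the settings an attacker needs to escape the container or reach the API server with the pod's credentials. The namespace, pod name and image reference are assumptions.

```yaml
# Added example (not from the workshop): a Pod with the settings that remove
# the common pod-escape and privilege-escalation paths. Names are assumptions.
apiVersion: v1
kind: Pod
metadata:
  name: hardened-app
  namespace: dev
spec:
  # A compromised pod uses its mounted service-account token to talk to the
  # API server. A workload that never calls the API should not carry one.
  automountServiceAccountToken: false
  # Host namespaces expose the node's processes, IPC and network to the
  # container. The defaults are false; state them so a reviewer can see it.
  hostPID: false
  hostIPC: false
  hostNetwork: false
  securityContext:
    runAsNonRoot: true            # kubelet refuses to start a root container
    runAsUser: 10001
    runAsGroup: 10001
    fsGroup: 10001
    seccompProfile:
      type: RuntimeDefault        # block syscalls the application never uses
  containers:
  - name: app
    image: gcr.io/example-project/app:1.2.3     # assumed image
    securityContext:
      privileged: false                   # privileged == root on the node
      allowPrivilegeEscalation: false     # no setuid / file-capability gains
      readOnlyRootFilesystem: true        # implants cannot be written to disk
      capabilities:
        drop: ["ALL"]                     # no CAP_SYS_ADMIN, CAP_NET_RAW, ...
    volumeMounts:
    - name: tmp
      mountPath: /tmp
  volumes:
  - name: tmp
    emptyDir: {}        # writable scratch space; never a hostPath mount of /
```

The reverse of each setting (`privileged: true`, `hostPID: true`, a `hostPath` volume of `/`, a mounted token for a service account bound to cluster-admin) is what turns a single compromised container into control of the node or the cluster, which is the escalation chain the demo walks through.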
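The shape of the deploy-time rule Binary Authorization enforces, as an added example that is not part of the workshop materials: a project policy in the format accepted by `gcloud container binauthz policy import`. PROJECT_ID, the attestor name and the cluster identifier are assumptions.

```yaml
# Added example (not from the workshop): a Binary Authorization policy.
# PROJECT_ID, the attestor name and the cluster id are assumptions.
name: projects/PROJECT_ID/policy
# Allow Google-maintained system images (kube-proxy, metrics agents, ...)
# through without attestation so GKE's own components can still start.
globalPolicyEvaluationMode: ENABLE
# Patterns listed here bypass attestation entirely; keep the list empty
# unless a specific image source has been reviewed and accepted.
admissionWhitelistPatterns: []
# Default rule for every cluster in the project: deploy only images that the
# build pipeline's attestor has signed, block anything else and log it.
defaultAdmissionRule:
  evaluationMode: REQUIRE_ATTESTATION
  enforcementMode: ENFORCED_BLOCK_AND_AUDIT_LOG
  requireAttestationsBy:
  - projects/PROJECT_ID/attestors/build-pipeline-attestor
# Per-cluster override, keyed by LOCATION.CLUSTER_NAME: a sandbox cluster
# may run anything, but every deployment is still written to the audit log.
clusterAdmissionRules:
  us-central1-a.sandbox-cluster:
    evaluationMode: ALWAYS_ALLOW
    enforcementMode: DRYRUN_AUDIT_LOG_ONLY
```

Two practical points: the policy is only enforced on clusters that have Binary Authorization enabled, and attestations are made against an image digest, so workloads must reference images by digest rather than by a mutable tag for the attestation check to mean anything.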
Who Should Attend
Practical knowledge of Kubernetes is helpful to take this class. A participant should understand the basic controller types such as Deployments, and have a basic understanding of containers. The class demos will be done in a Linux shell, so an understanding of Linux is needed.
- Bring your laptop
- Have a basic understanding of Linux
- Have a basic understanding of Kubernetes
- Some hands-on experience with Kubernetes
- An active GCP account, since you will need to create a GKE cluster