Author: John Naulty Date: August 12, 2019
Hour-long Dive into Kubernetes
Introduction into containers and kubernetes with an emphasis on security.
Note on Author:
Will be talking at 2019 CCCamp: Lecture: Hacking Containers and Kubernetes
First 20 minutes are basic infrastructure and containers info ("the layers below").
Root Isolation
They use ROOT, which is not actually necessary
6:56
(really good example of how to pronounce ROOT in english capitalized form)
3-month release cycle, each bringing a new stable major version
strictest governance of an open-source project I've seen
[PODS]...live together, die together
a pod is a bunch of containers...I will talk about this in a few seconds
(but first, security) the docker hub-image-by-default warning
"one interesting part" statefulsets, 31:46
Design patterns for container-based distributed systems: no-excuse-not-to-read-paper-because-it's-only-six-pages ([clicker caveat], it is a random URL ending in a PDF...so, up to you)
Reference to paper in video: 35:11
37:40
"PodDisruptionBudget"
How expensive to recreate on another machine
"Configuration as volumes in containers" (what we [should be doing] in devops)
39:00
DB password changes
(might require a little translation regarding the violation of certain principles at 39:23 (in German))
44:15
simplest form:
related to pods by the app
selector
type (LoadBalancer, etc.); ports can easily be exposed to the outside world (caution)
if not using a cloud provider's load balancer service, you must implement it yourself
side note: (check out Chick-fil-A at scale)
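The Service fields mentioned above (selector, type, ports) in manifest form, as an added example that is not from the talk; the Service names, the `app=api` label and the source range are constructed for illustration:

```yaml
# Added example (not from the talk): a Service for pods labelled app=api.
# ClusterIP is the default type and is reachable only inside the cluster.
apiVersion: v1
kind: Service
metadata:
  name: api-internal          # constructed name
spec:
  type: ClusterIP
  selector:
    app: api                  # ties the Service to pods carrying this label
  ports:
    - name: http
      port: 8080
      targetPort: 8080
---
# Changing only the type to LoadBalancer asks the cloud provider for a
# public address, so every listed port becomes reachable from outside.
# List only the port you mean to expose and restrict who may reach it.
apiVersion: v1
kind: Service
metadata:
  name: api-public            # constructed name
spec:
  type: LoadBalancer
  selector:
    app: api
  ports:
    - name: https
      port: 443
      targetPort: 8443
  loadBalancerSourceRanges:   # constructed range; honoured by most cloud providers
    - 203.0.113.0/24
```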
Microservice spaghetti is on its way...higher layers should only use the lower layers
Mindset change
points crowd to the 12-factor app for microservice compliance; exclaims these are the 12 commandments
pay a price for anything you violate here
End Notes
pay attention to lifecycle maintenance
G10 Compliance? Every connection must be encrypted, with keys in an HSM under their control (using HashiCorp Vault)
Change code in config maps (for machine learning, but also applicable to other places)
Great Audit
Trail of Bits and Atredis Partners, in collaboration with the Security Audit Working Group, have released the following documents which detail their assessment of Kubernetes security posture and their findings.