docs(day3): First talk of the day 🎉
Some checks failed
Build latest image / build-container (push) Failing after 34s
Some checks failed
Build latest image / build-container (push) Failing after 34s
This commit is contained in:
parent
39d92acdb4
commit
6bf47e49c5
52
content/day3/01_day-two.md
Normal file
52
content/day3/01_day-two.md
Normal file
@ -0,0 +1,52 @@
|
|||||||
|
---
|
||||||
|
title: Surviving Day2: Picking the right tool to secure your kubernetes habitat
|
||||||
|
weight: 1
|
||||||
|
tags:
|
||||||
|
- kubecon
|
||||||
|
---
|
||||||
|
|
||||||
|
<!-- {{% button href="https://youtu.be/rkteV6Mzjfs" style="warning" icon="video" %}}Watch talk on YouTube{{% /button %}} -->
|
||||||
|
<!-- {{% button href="https://docs.google.com/presentation/d/1nEK0CVC_yQgIDqwsdh-PRihB6dc9RyT-" style="tip" icon="person-chalkboard" %}}Slides{{% /button %}} -->
|
||||||
|
|
||||||
|
Premise: The CNCF landscape includes a huuuge number (80+) of security(related) projects.
|
||||||
|
Analogy: Animal kingdom (includes simmilar-ish animals that might do some of the same stuff but not entirely the same)
|
||||||
|
|
||||||
|
## Build Phase
|
||||||
|
|
||||||
|
- How can i scan my container for vulnerabilities? -> Well you probably mean your image
|
||||||
|
- The image itself is just a bunch of static layerns and we kinda have to trust the layers you didn't build yourself
|
||||||
|
- The main tool used is still trivy with some easy steps
|
||||||
|
1. Extract layers
|
||||||
|
2. Build FS
|
||||||
|
3. Identify OS and Non-OS Packages
|
||||||
|
4. Compare with vuln-db
|
||||||
|
- The animal in our analogy: Racoon
|
||||||
|
|
||||||
|
## Deploy Phase
|
||||||
|
|
||||||
|
- Kubernetes Native: Admission Controller
|
||||||
|
- Tool used: Kyverno (integrates as an admission controller with yaml/crd based configuration)
|
||||||
|
1. Modify (e.g. add default resource limits)
|
||||||
|
2. Validate (check policies)
|
||||||
|
- The animal is actually a human: The forrest guard
|
||||||
|
|
||||||
|
## Start Phase
|
||||||
|
|
||||||
|
- Before the pod itself is running CSI, CNI and secret related processes (the once we want to look into) happen
|
||||||
|
- Problems: Secrets have no rotation or versioning mechanism, there is no default integration for external kms
|
||||||
|
- Project: External Secrets -> Get secrets from external kms, automaticly sync (e.g. new versions)
|
||||||
|
- The chosen animal: Capricorn
|
||||||
|
|
||||||
|
## Run Phase
|
||||||
|
|
||||||
|
- Goal: Runtime scannning without including specialized instrumentation in each application
|
||||||
|
- Tool: Falco utilizing eBPF to check system calls against rules
|
||||||
|
- Idea: Detect dangerous behaviour (e.g. check for someone trying to exploit a fresh CVE)
|
||||||
|
- The analogy: Falcon
|
||||||
|
|
||||||
|
## TL;DR
|
||||||
|
|
||||||
|
1. Scan images (trivy)
|
||||||
|
2. Enforce best pracices (kyverno)
|
||||||
|
3. Use an external kms (external secrets)
|
||||||
|
4. Scan at runtime (falco)
|
||||||
Loading…
x
Reference in New Issue
Block a user