Kubernetes Security Survival Guide (Kubernetes安全求生指南): A casual Google search turns up truckloads of Kubernetes security best practices/guides.... ©2019 VMware, Inc. Kubernetes Security Best Practices; Disable public access; Implement role-based access control (Implement Kubernetes Security Best Practices; Best-practice guidance for Kubernetes security; Source: https://blog.sqreen.com/kubernetes-security-best-practices/ NIST's container security guide identifies the five risks container applications should be most concerned about: Image Risk; Registry Risk (Worker Node) 5. Policies Use Cases: Security Architecture Guidance / Replacement for Checklist / Security Training OWASP CSVS: controls for Docker container application development/orchestration platforms: Organization, Infrastructure, Container, Orchestration Management | 0 points | 23 pages | 2.14 MB | 1 year ago
Kubernetes Open Source Book (Kubernetes开源书) - 周立 2m v1.11.2: Every node is Ready, which means all is OK. Verification 2: deploy an NGINX # start a single-node nginx ]# kubectl run nginx --image=nginx:1.7.9 --port=80 # expose a port for the "nginx" service ]# kubectl expose deployment nginx --type=NodePort # view the nginx service details labels: app: nginx spec: 06-Understanding K8s Objects containers: - name: nginx image: nginx:1.7.9 ports: - containerPort: 80 One way to create a Deployment from this .yaml file is to use kubectl ... To temporarily set the Namespace for a request, use the --namespace flag. For example: $ kubectl --namespace=- run nginx --image=nginx $ kubectl --namespace= - get pods Setting the Namespace preference: you can permanently save all subsequent ... in the context | 0 points | 135 pages | 21.02 MB | 1 year ago
Kubernetes Native DevOps Practice: environments (sidecar) Share files between containers, or cache build files Container Image - Image of build / dependent environment [] Command - Command to execute [] Args group of user applications Scheduling customization Cluster Resource Auto Scaling kubelet can do image GC DevOps Service DevOps Operator DevOps Operator DevOps Service DevOps Manager CronJob test - use sidecar container as dependent environment • Encapsulate API / SDK of other tools using image for better integration/ collaboration • Leverage k8s integration capabilities, such as external | 0 points | 21 pages | 6.39 MB | 1 year ago
QCon北京2018/QCon北京2018-《Kubernetes-+面向未来的开发和部署》-Michael+Chen: called “Kubelet” • Application Deployment File = Configuration File of desired state • Container Image = Runs in a Pod (~1:1) • Replicas = QTY of Pods that must be running Worker Node Worker Node compatible with GKE Built for Day 2 Operations PKS simplifies Day 2 operations with built-in network security—powered by NSX, high availability, logging, monitoring, analytics, and automated health checks • NSX Container Plugin: NCP is a software component provided by VMware in the form of a container image, runs in K8s as a Pod • Kubernetes Adapter: NCP is built in a modular way, so that individual | 0 points | 42 pages | 10.97 MB | 1 year ago
QCon北京2018/QCon北京2018-基于Kubernetes与Helm的应用部署平台构建实践-张夏-赵明+server: Hybrid cloud service discovery demo; Local environment dbMysql: cap_add: [SYS_ADMIN] image:registry/db/mysql:latest ports: ['3306:3310'] security_opt: ['apparmor:unconfined'] environment: - SERVICE_NAME=oltp metadata: labels: app: is spec: containers: - name: is image: registry/infra/is:6.20.centos-20 env: - name: "MYSQL_HOST" value: "env01_db | 0 points | 28 pages | 12.18 MB | 1 year ago
k8s Operations Manual 2.3 (k8s操作手册 2.3): /etc/selinux/config # setenforce 0 # disable selinux ④ ulimit settings # cat >> vi /etc/security/limits.conf <- image-repository="cof-lee.com:5443/k8s" # point at the cluster-internal docker image source. If a cluster-internal docker image registry is specified, the docker daemon must be configured beforehand ... com:5443/k8s/etcd:3.4.13-0 # the image names have been changed from the default k8s.gcr.io/ to the docker image source given in the config file # kubeadm config images pull --image-repository="cof-lee.com:5443/k8s" # pre-download the required images # kubeadm init --config /etc/kubeadm-init.yaml | 0 points | 126 pages | 4.33 MB | 1 year ago
01. K8s Extension Features Explained (01. K8s扩展功能解析): Management - Lifecycle Management Infrastructure Services (Networking, Storage, DNS, Load Balancer, Security) master master api api © 2017 Rancher Labs, Inc. Kubernetes 1.7 extension features • API aggregation (beta) own resource group, version and kind. • Your API server could be built and run now • Build as an image and run in a cluster API Server Aggregation Architecture ETCD API Server | 0 points | 12 pages | 1.08 MB | 1 year ago
Putting an Invisible Shield on Kubernetes Secrets: tokens • ssh keys etc. • Stored in etcd • distributed Key-Value data store • How about their security? • Default K8s setup • etcd contents not encrypted (only base64 encoded) • > K8s 1.7+ • at-rest scheme • DEK & KEK Motivation: K8s Secrets Protection • Performance & latency • Network • Security • DEK in the clear in memory • Secret in the clear in memory • kubeconfig in the clear in memory User access management => raw and extensive! ✓ Secrets management => crucial! • Financial-grade security [1] KubeCon China 2018: Node Operator: Kubernetes Node Management Made Simple - Joe Chen, Ant Financial | 0 points | 33 pages | 20.81 MB | 1 year ago
Key Management (秘钥管理): Turtles all the way down - Securely managing Kubernetes Secrets: the way down Turtles all the way down Alex Tcherniakhovski Security Engineer, Google Cloud Maya Kaczorowski Security PM, Google Cloud @MayaKaczorowski Protecting secrets What's a secret combination of a safe. If a safe combination is known to an adversary, the strongest safe provides no security against penetration. Similarly, poor key management may easily compromise strong algorithms.” {SECRET}DEK + {DEK}KEK Envelope Source for crypto notation: https://en.wikipedia.org/wiki/Security_protocol_notation KMS 1.10 Envelope Encryption Sequence Master kube-apiserver etcd kms-plugin | 0 points | 52 pages | 2.84 MB | 1 year ago
User Interface (用户界面): State of the UI_ Leveraging Kubernetes Dashboard and Shaping its Future: 1. Third-party plugins or integrations 2. Feature parity with kubectl 3. Multi-cluster management 4. Improved security Top requested changes 1. Third-party plugins or integrations Which third-party ... How important is it? https://github.com/kubernetes/dashboard/issues/3256#issuecomment-437199403 4. Improved security “During the week of June 1st, 2018, [researchers] discovered more than 21,000 publicly facing Kubernetes ... represented more than 78% of all open IP's.” → Lacework: Container Security Research 4. Improved security bit.ly/securing-dashboard Securely running Dashboard is possible! “We operate | 0 points | 41 pages | 5.09 MB | 1 year ago