From e9ccc1bf59c1b41840c8d12a103270a84ee9f64a Mon Sep 17 00:00:00 2001 From: Zach Arnold Date: Thu, 23 May 2019 18:45:36 +0200 Subject: [PATCH 1/4] initial aggregation of security recommendations --- content/en/docs/concepts/security/_index.md | 4 + content/en/docs/concepts/security/overview.md | 151 ++++++++++++++++++ static/images/docs/4c.png | Bin 0 -> 21381 bytes 3 files changed, 155 insertions(+) create mode 100644 content/en/docs/concepts/security/_index.md create mode 100644 content/en/docs/concepts/security/overview.md create mode 100644 static/images/docs/4c.png diff --git a/content/en/docs/concepts/security/_index.md b/content/en/docs/concepts/security/_index.md new file mode 100644 index 0000000000000..aecc16eee7a1d --- /dev/null +++ b/content/en/docs/concepts/security/_index.md @@ -0,0 +1,4 @@ +--- +title: "Security" +weight: 81 +--- diff --git a/content/en/docs/concepts/security/overview.md b/content/en/docs/concepts/security/overview.md new file mode 100644 index 0000000000000..336b4712ee61f --- /dev/null +++ b/content/en/docs/concepts/security/overview.md 
@@ -0,0 +1,151 @@ +--- +reviewers: +- zparnold +title: Overview of Cloud Native Security +content_template: templates/concept +weight: 1 +--- + +{{< toc >}} + +{{% capture overview %}} +Kubernetes Security (and security in general) is an immense topic that has many +highly interrelated parts. In today's era where open source software is +integrated into many of the systems that help web applications run, +we need some overarching concepts to help guide our intuition about how we can +think about security holistically. This guide will define a thought-framework for +what we think of when we imagine "Kubernetes Security." The thought framework we selected is completely arbitrary +and you should only use it if it helps you think about where to secure your software +stack. +{{% /capture %}} + +{{% capture body %}} + +## The 4C's of Cloud Native Security +Let's start with a diagram that may help you understand how we think about security in layers. +{{< note >}} +This layered approach augments the [defense in depth](https://en.wikipedia.org/wiki/Defense_in_depth_(computing)) +approach to security, which is widely regarded as a best practice for securing +software systems. The 4C's are Cloud, Clusters, Containers, and Code. +{{< /note >}} + +{{< figure src="/images/docs/4c.png" title="The 4C's of Cloud Native Security" >}} +


+ +As you can see from the above figure of increasingly smaller areas of focus that +each one of of the 4C's depend on the security of the squares in which they fit. It +is nearly impossibly to safeguard against poor security standards in Cloud, Containers, and Code +by only addressing security at the code level. However, when these areas are dealt +with appropriately, then adding security to your code augments an already strong +base. Each of areas of focus will now be described in more detail below. + +## Cloud + +In many ways, the Cloud (or Co-Located Servers, or Corporate Datacenter) is the +[trusted computing base](https://en.wikipedia.org/wiki/Trusted_computing_base) +of a Kubernetes cluster. If these components themselves are vulnerable (or +configured in a vulnerable way,) then there's no real way to guarantee the security +of any components built on top of this base. Each cloud provider has numerous +security recommendations they make to their customers on how to run workloads securely +in their environment. It is out of the scope of this article to give recommendations +on cloud security since every cloud provider and workload is different. We will +however provide links to some of the popular cloud providers' own documentation +for security as well as give general guidance for securing the infrastructure that +makes up a Kubernetes cluster. + +### Cloud Provider Security Table + + + +IaaS Provider | Link | +-------------------- | ------------ | +Amazon Web Services | https://aws.amazon.com/security/ | +Google Cloud Platform | https://cloud.google.com/security/ | +Microsoft Azure | https://docs.microsoft.com/en-us/azure/security/azure-security | +IBM Cloud | https://www.ibm.com/cloud/security | +Alibaba Cloud | https://www.alibabacloud.com/trust-center | + +If you are running on your own hardware or a different cloud provider you will need to +consult your documentation for security best practices. 
+ +### General Infrastructure Guidance Table + +Area of Concern for Kubernetes Infrastructure | Recommendation | +--------------------------------------------- | ------------ | +Network access to API Server (Masters) | Ideally all access to the Kubernetes Masters is not allowed publicly on the internet and is controlled by network access control lists restricted to the set of IP addresses needed to administer the cluster.| +Network access to Nodes (Worker Servers) | Nodes should be configured to _only_ accept connections (via network access control lists) from the masters on the specified ports, and accept connections for services in Kubernetes of type `NodePort` and `LoadBalancer`. If possible, this nodes should not exposed on the public internet entirely. +Kubernetes access to Cloud Provider API | Each cloud provider will need to grant a different set of permissions to the Kubernetes Masters and Nodes, so this recommendation will be more generic. It is best to provide the cluster with cloud provider access that follows the [principle of least privilege](https://en.wikipedia.org/wiki/Principle_of_least_privilege) for the resources it needs to administer. An example for Kops in AWS can be found here: https://github.com/kubernetes/kops/blob/master/docs/iam_roles.md#iam-roles +Access to etcd | Access to etcd (the datastore of Kubernetes) should be limited to the masters only. Depending on your configuration you should also attempt to use etcd over TLS. More info can be found here: https://github.com/etcd-io/etcd/tree/master/Documentation#security +etcd Encryption | Wherever possible it's a good practice to encrypt all drives at rest, but since etcd holds the state of the entire cluster (including Secrets) its disk should especially be encrypted at rest. + +## Cluster + +This section will provide links to more exploration for securing the aspects of +workloads in Kubernetes. 
There are essentially two areas of concern for securing +Kubernetes: + +* Securing the components that are configurable which _make up_ the cluster +* Securing the components which run _in_ the cluster + + +### Components _of_ the Cluster +For more information on securing the components of the cluster, go [here](/docs/tasks/administer-cluster/securing-a-cluster). + +### Components _in_ the Cluster (your application) +Depending on the attack surface of your application, you may want to focus on specific +aspects of security. For example, if you are running a service (Service A) that is critical +in a chain of other resources and a separate workload (Service B) which is +vulnerable to a resource exhaustion attack, by not putting resource limits on +Service B you run the risk of also compromising Service A. Below is a table of +links of things to consider when securing workloads running in Kubernetes. + +Area of Concern for Workload Security | Recommendation | +------------------------------ | ------------ | +RBAC Authorization (Access to the Kubernetes API) | https://kubernetes.io/docs/reference/access-authn-authz/rbac/ +Authentication | https://kubernetes.io/docs/reference/access-authn-authz/controlling-access/ +Application secrets management (and encrypting them in etcd at rest) | https://kubernetes.io/docs/concepts/configuration/secret/
https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/ +Pod Security Policies | https://kubernetes.io/docs/concepts/policy/pod-security-policy/ +Quality of Service (and Cluster resource management) | https://kubernetes.io/docs/tasks/configure-pod-container/quality-service-pod/ +Network Policies | https://kubernetes.io/docs/concepts/services-networking/network-policies/ +TLS For Kubernetes Ingress | https://kubernetes.io/docs/concepts/services-networking/ingress/#tls + + + +## Container + +The price of admission to a Kubernetes cluster is a container. Because of this, +there are certain security considerations that must be taken into account in order +to benefit from the workload security primitives of Kubernetes. Container security +is also outside the scope of this article, but we will provide a table of general +recommendations and links for further exploration of this topic. + +Area of Concern for Containers | Recommendation | +------------------------------ | ------------ | +Container Vulnerability Scanning and OS Dependency Security | As part of an image build step or on a regular basis you should scan your containers for known vulnerabilities with a tool such as [CoreOS's Clair](https://github.com/coreos/clair/) +Image Signing and Enforcement | Two other CNCF Projects (TUF and Notary) are useful tools for signing container images and maintaining a system of trust for the content of your containers. If you use Docker, it is built in to the Docker Engine as [Docker Content Trust](https://docs.docker.com/engine/security/trust/content_trust/). On the enforcement piece, [IBM's Portieris](https://github.com/IBM/portieris) project is a tool that runs as a Kubernetes Dynamic Admission Controller to ensure that images are properly signed via Notary before being admitted to the Cluster. 
+Disallow privileged users | When constructing containers, consult your documentation for how to create users inside of the containers that have the least level of operating system privilege necessary in order to carry out the goal of the container. + +## Code + +Finally moving down into the application code level, this is one of the primary attack +surfaces over which you have the most control. This is also outside of the scope +of Kubernetes but we recommend a few of the following: + +### General Code Security Guidance Table + +Area of Concern for Code | Recommendation | +--------------------------------------------- | ------------ | +Access over TLS only | If your code needs to communicate via TCP, ideally it would be performing a TLS handshake with the client ahead of time. With the exception of a few cases, the default behavior should be to encrypt everything in transit. Going one step further, even "behind the firewall" in our VPC's it's still a good idea to encrypt network traffic between services. This can be done through a process known as mutual or [mTLS](https://en.wikipedia.org/wiki/Mutual_authentication) which performs a two sided verification of communication between two certificate holding services. There are numerous tools that can be used to accomplish this in Kubernetes such as [Linkerd](https://linkerd.io/) and [Istio](https://istio.io/). | +Limiting port ranges of communication | This recommendation may be a bit self-explanatory, but wherever possible you should only expose the ports on your service that are absolutely essential for communication or metric gathering. | +3rd Party Dependency Security | Since our applications tend to have dependencies outside of our own codebases, it is a good practice to ensure that a regular scan of the code's dependencies are still secure with no CVE's currently filed against them. Each language has a tool for performing this check automatically. 
| +Static Code Analysis | Most languages provide a way for a snippet of code to be analyzed for any potentially unsafe coding practices. Whenever possible you should perform checks using automated tooling that can scan codebases for common security errors. Some of the tools can be found here: https://www.owasp.org/index.php/Source_Code_Analysis_Tools | +Dynamic probing attacks | There are a few automated tools that are able to be run against your service to try some of the well known attacks that commonly befall services. These include SQL injection, CSRF, and XSS. One of the most popular dynamic analysis tools is the OWASP Zed Attack proxy https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project | + + +## Pipeline security + +Most of the above mentioned suggestions can actually be automated in your code +delivery pipeline as part of a series of checks in security. To learn about a +more "Continuous Hacking" approach to software delivery click (or tap) [this link](https://thenewstack.io/beyond-ci-cd-how-continuous-hacking-of-docker-containers-and-pipeline-driven-security-keeps-ygrene-secure/). + +{{% /capture %}} \ No newline at end of file 
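Review bot: the `Application secrets management` row of the workload table continues onto a second line for its encrypt-data link, which ends the Markdown table row and leaves that URL as stray text under the table; keep both links in the one cell, or give encryption at rest its own row (e.g. `Encrypting Secrets at rest | /docs/tasks/administer-cluster/encrypt-data/`). The same hunk links kubernetes.io with absolute URLs in the workload table but relatively elsewhere (`/docs/tasks/administer-cluster/securing-a-cluster`); pick one form for the whole file. In the infrastructure table, `you should also attempt to use etcd over TLS` understates it: since etcd holds every Secret, TLS with client certificate authentication is the baseline, not an attempt. Typos to fix before merge: `nearly impossibly` (impossible), `each one of of the 4C's`, `this nodes should not exposed` (these nodes should not be exposed), `Each of areas of focus`, and `ensure that a regular scan of the code's dependencies are still secure` (ensure that a regular scan confirms the dependencies are still secure).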
diff --git a/static/images/docs/4c.png b/static/images/docs/4c.png new file mode 100644 index 0000000000000000000000000000000000000000..100a1567420fdb9b63aae09a8aaae22ff8730784 GIT binary patch literal 21381
Date: Mon, 27 May 2019 04:10:42 +0200 Subject: [PATCH 2/4] Update content/en/docs/concepts/security/overview.md Co-Authored-By: Jim Angel --- content/en/docs/concepts/security/overview.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/content/en/docs/concepts/security/overview.md b/content/en/docs/concepts/security/overview.md index 336b4712ee61f..5cafac0e9bd35 100644 --- a/content/en/docs/concepts/security/overview.md +++ b/content/en/docs/concepts/security/overview.md @@ -44,7 +44,7 @@ base. Each of areas of focus will now be described in more detail below. In many ways, the Cloud (or Co-Located Servers, or Corporate Datacenter) is the [trusted computing base](https://en.wikipedia.org/wiki/Trusted_computing_base) of a Kubernetes cluster. If these components themselves are vulnerable (or -configured in a vulnerable way,) then there's no real way to guarantee the security +configured in a vulnerable way) then there's no real way to guarantee the security of any components built on top of this base. Each cloud provider has numerous security recommendations they make to their customers on how to run workloads securely in their environment. It is out of the scope of this article to give recommendations 
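Review bot: the subject `Update content/en/docs/concepts/security/overview.md` is the default text for an accepted suggestion and says nothing about the change (one stray comma removed inside `(or configured in a vulnerable way)`); squash this and PATCH 3/4 into the series with a descriptive message before merge.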
@@ -148,4 +148,4 @@ Most of the above mentioned suggestions can actually be automated in your code delivery pipeline as part of a series of checks in security. To learn about a more "Continuous Hacking" approach to software delivery click (or tap) [this link](https://thenewstack.io/beyond-ci-cd-how-continuous-hacking-of-docker-containers-and-pipeline-driven-security-keeps-ygrene-secure/). -{{% /capture %}} \ No newline at end of file +{{% /capture %}} From 4bec9a09b38d30c4ec31497a34a81e1005d4389a Mon Sep 17 00:00:00 2001 From: Zach Arnold Date: Thu, 30 May 2019 10:58:35 -0700 Subject: [PATCH 3/4] Update content/en/docs/concepts/security/overview.md Co-Authored-By: Tim Bannister --- content/en/docs/concepts/security/overview.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/en/docs/concepts/security/overview.md b/content/en/docs/concepts/security/overview.md index 5cafac0e9bd35..08af05b971b47 100644 --- a/content/en/docs/concepts/security/overview.md +++ b/content/en/docs/concepts/security/overview.md @@ -142,7 +142,7 @@ Static Code Analysis | Most languages provide a way for a snippet of code to be Dynamic probing attacks | There are a few automated tools that are able to be run against your service to try some of the well known attacks that commonly befall services. These include SQL injection, CSRF, and XSS. One of the most popular dynamic analysis tools is the OWASP Zed Attack proxy https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project | -## Pipeline security +## Robust automation Most of the above mentioned suggestions can actually be automated in your code delivery pipeline as part of a series of checks in security. To learn about a From 25f79ec0717b0b24d4075ea84856cb2b7f6a06be Mon Sep 17 00:00:00 2001 
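Review bot: the renamed heading `## Robust automation` drops the word security, while the paragraph beneath it is about running the security checks above in the delivery pipeline and links a "Continuous Hacking" article; a heading such as `## Automating security checks` keeps the section findable from the rest of the 4C's page.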
From: Zach Arnold Date: Thu, 30 May 2019 10:59:53 -0700 Subject: [PATCH 4/4] address concerns in PR comments --- content/en/docs/concepts/security/overview.md | 52 ++++++++++--------- 1 file changed, 27 insertions(+), 25 deletions(-) diff --git a/content/en/docs/concepts/security/overview.md b/content/en/docs/concepts/security/overview.md index 5cafac0e9bd35..d3f3a9333cd4a 100644 --- a/content/en/docs/concepts/security/overview.md +++ b/content/en/docs/concepts/security/overview.md @@ -12,9 +12,9 @@ weight: 1 Kubernetes Security (and security in general) is an immense topic that has many highly interrelated parts. In today's era where open source software is integrated into many of the systems that help web applications run, -we need some overarching concepts to help guide our intuition about how we can -think about security holistically. This guide will define a thought-framework for -what we think of when we imagine "Kubernetes Security." The thought framework we selected is completely arbitrary +there are some overarching concepts that can help guide your intuition about how you can +think about security holistically. This guide will define a mental model for +for some general concepts surrounding Cloud Native Security. The mental model is completely arbitrary and you should only use it if it helps you think about where to secure your software stack. {{% /capture %}} @@ -22,7 +22,7 @@ stack. {{% capture body %}} ## The 4C's of Cloud Native Security -Let's start with a diagram that may help you understand how we think about security in layers. +Let's start with a diagram that may help you understand how you can think about security in layers. {{< note >}} This layered approach augments the [defense in depth](https://en.wikipedia.org/wiki/Defense_in_depth_(computing)) approach to security, which is widely regarded as a best practice for securing 
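Review bot: the index line `5cafac0e9bd35..d3f3a9333cd4a` shows this patch was generated on top of PATCH 2/4 rather than PATCH 3/4 (whose result blob is `08af05b971b47`), so the series does not chain; rebase PATCH 4/4 onto 3/4 so the heading rename is not lost when the patches are applied in order. In the first hunk, `This guide will define a mental model for for some general concepts` doubles `for`; also `The mental model is completely arbitrary` undersells it, since the rest of the page argues each layer depends on the one outside it, so consider `The mental model is one of several you could use`.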
@@ -30,26 +30,26 @@ software systems. The 4C's are Cloud, Clusters, Containers, and Code. {{< /note >}} {{< figure src="/images/docs/4c.png" title="The 4C's of Cloud Native Security" >}} -


-As you can see from the above figure of increasingly smaller areas of focus that -each one of of the 4C's depend on the security of the squares in which they fit. It + +As you can see from the above figure, +each one of the 4C's depend on the security of the squares in which they fit. It is nearly impossibly to safeguard against poor security standards in Cloud, Containers, and Code by only addressing security at the code level. However, when these areas are dealt with appropriately, then adding security to your code augments an already strong -base. Each of areas of focus will now be described in more detail below. +base. These areas of concern will now be described in more detail below. ## Cloud -In many ways, the Cloud (or Co-Located Servers, or Corporate Datacenter) is the +In many ways, the Cloud (or co-located servers, or the corporate datacenter) is the [trusted computing base](https://en.wikipedia.org/wiki/Trusted_computing_base) of a Kubernetes cluster. If these components themselves are vulnerable (or configured in a vulnerable way) then there's no real way to guarantee the security -of any components built on top of this base. Each cloud provider has numerous +of any components built on top of this base. Each cloud provider has extensive security recommendations they make to their customers on how to run workloads securely -in their environment. It is out of the scope of this article to give recommendations -on cloud security since every cloud provider and workload is different. We will -however provide links to some of the popular cloud providers' own documentation +in their environment. It is out of the scope of this guide to give recommendations +on cloud security since every cloud provider and workload is different. Here are some +links to some of the popular cloud providers' documentation for security as well as give general guidance for securing the infrastructure that makes up a Kubernetes cluster. 
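Review bot: the rewritten closing sentence of the Cloud paragraph in the @@ -30,26 hunk still does not parse: "Here are some links to some of the popular cloud providers' documentation for security as well as give general guidance for securing the infrastructure" joins a noun phrase to a verb phrase. Suggest "Here are links to some popular cloud providers' security documentation, as well as general guidance for securing the infrastructure that makes up a Kubernetes cluster", which also removes the repeated "some". In the added line "each one of the 4C's depend on the security of the squares in which they fit", the subject is "each one", so "depends" and "in which it fits". Since this hunk is being edited anyway, the unchanged context line "It is nearly impossibly to safeguard" should read "nearly impossible".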
@@ -59,11 +59,13 @@ makes up a Kubernetes cluster. IaaS Provider | Link | -------------------- | ------------ | +Alibaba Cloud | https://www.alibabacloud.com/trust-center | Amazon Web Services | https://aws.amazon.com/security/ | Google Cloud Platform | https://cloud.google.com/security/ | -Microsoft Azure | https://docs.microsoft.com/en-us/azure/security/azure-security | IBM Cloud | https://www.ibm.com/cloud/security | -Alibaba Cloud | https://www.alibabacloud.com/trust-center | +Microsoft Azure | https://docs.microsoft.com/en-us/azure/security/azure-security | +VMWare VSphere | https://www.vmware.com/security/hardening-guides.html | + If you are running on your own hardware or a different cloud provider you will need to consult your documentation for security best practices. 
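Review bot: the new table row in the @@ -59,11 hunk spells the product "VMWare VSphere"; the vendor's own capitalization is "VMware vSphere", and the linked hardening guides are the vSphere ones, so the row should read `VMware vSphere | https://www.vmware.com/security/hardening-guides.html |`. Reordering the providers alphabetically (moving Alibaba Cloud to the top and Microsoft Azure after IBM Cloud) is a good change and makes future additions easier to place.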
@@ -73,23 +75,23 @@ consult your documentation for security best practices. Area of Concern for Kubernetes Infrastructure | Recommendation | --------------------------------------------- | ------------ | Network access to API Server (Masters) | Ideally all access to the Kubernetes Masters is not allowed publicly on the internet and is controlled by network access control lists restricted to the set of IP addresses needed to administer the cluster.| -Network access to Nodes (Worker Servers) | Nodes should be configured to _only_ accept connections (via network access control lists) from the masters on the specified ports, and accept connections for services in Kubernetes of type `NodePort` and `LoadBalancer`. If possible, this nodes should not exposed on the public internet entirely. +Network access to Nodes (Worker Servers) | Nodes should be configured to _only_ accept connections (via network access control lists) from the masters on the specified ports, and accept connections for services in Kubernetes of type NodePort and LoadBalancer. If possible, this nodes should not exposed on the public internet entirely. Kubernetes access to Cloud Provider API | Each cloud provider will need to grant a different set of permissions to the Kubernetes Masters and Nodes, so this recommendation will be more generic. It is best to provide the cluster with cloud provider access that follows the [principle of least privilege](https://en.wikipedia.org/wiki/Principle_of_least_privilege) for the resources it needs to administer. An example for Kops in AWS can be found here: https://github.com/kubernetes/kops/blob/master/docs/iam_roles.md#iam-roles Access to etcd | Access to etcd (the datastore of Kubernetes) should be limited to the masters only. Depending on your configuration you should also attempt to use etcd over TLS. 
More info can be found here: https://github.com/etcd-io/etcd/tree/master/Documentation#security etcd Encryption | Wherever possible it's a good practice to encrypt all drives at rest, but since etcd holds the state of the entire cluster (including Secrets) its disk should especially be encrypted at rest. ## Cluster -This section will provide links to more exploration for securing the aspects of -workloads in Kubernetes. There are essentially two areas of concern for securing +This section will provide links for securing +workloads in Kubernetes. There are two areas of concern for securing Kubernetes: -* Securing the components that are configurable which _make up_ the cluster -* Securing the components which run _in_ the cluster +* Securing the components that are configurable which make up the cluster +* Securing the components which run in the cluster ### Components _of_ the Cluster -For more information on securing the components of the cluster, go [here](/docs/tasks/administer-cluster/securing-a-cluster). +For more information on securing the components of the cluster, [here is a link](/docs/tasks/administer-cluster/securing-a-cluster) to the associated documention. ### Components _in_ the Cluster (your application) Depending on the attack surface of your application, you may want to focus on specific 
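Review bot: the only change to the "Network access to Nodes" row in the @@ -73,23 hunk is the removal of the backticks around `NodePort` and `LoadBalancer`; these are Kubernetes Service type names and the docs render API identifiers in code font, so this is a regression and the line should keep them. Since the line is being touched anyway, "If possible, this nodes should not exposed on the public internet entirely" should become "If possible, these nodes should not be exposed to the public internet at all". Two further points in the same hunk: "to the associated documention" is missing an "a" (documentation), and the unchanged "Access to etcd" row's "you should also attempt to use etcd over TLS" is too weak for the component that, as the next row says, holds the state of the entire cluster including Secrets; the recommendation should be that etcd requires TLS with client certificate authentication so that only the API server can read or write it, not that operators "attempt" TLS.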
@@ -113,10 +115,10 @@ TLS For Kubernetes Ingress | https://kubernetes.io/docs/concepts/services-networ ## Container -The price of admission to a Kubernetes cluster is a container. Because of this, +In order to run software in Kubernetes, it must be in a container. Because of this, there are certain security considerations that must be taken into account in order to benefit from the workload security primitives of Kubernetes. Container security -is also outside the scope of this article, but we will provide a table of general +is also outside the scope of this guide, but here is a table of general recommendations and links for further exploration of this topic. Area of Concern for Containers | Recommendation | @@ -129,7 +131,7 @@ Disallow privileged users | When constructing containers, consult your documenta Finally moving down into the application code level, this is one of the primary attack surfaces over which you have the most control. This is also outside of the scope -of Kubernetes but we recommend a few of the following: +of Kubernetes but here are a few recommendations: ### General Code Security Guidance Table @@ -146,6 +148,6 @@ Dynamic probing attacks | There are a few automated tools that are able to be ru Most of the above mentioned suggestions can actually be automated in your code delivery pipeline as part of a series of checks in security. To learn about a -more "Continuous Hacking" approach to software delivery click (or tap) [this link](https://thenewstack.io/beyond-ci-cd-how-continuous-hacking-of-docker-containers-and-pipeline-driven-security-keeps-ygrene-secure/). +more "Continuous Hacking" approach to software delivery, [this article](https://thenewstack.io/beyond-ci-cd-how-continuous-hacking-of-docker-containers-and-pipeline-driven-security-keeps-ygrene-secure/) provides more detail. {{% /capture %}}
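Review bot: the @@ -146,6 hunk edits the same "Most of the above mentioned suggestions" paragraph that PATCH 3/4 touched, and both patches start from the same blob (the file header reads `index 5cafac0e9bd35..08af05b971b47` in 3/4 and `index 5cafac0e9bd35..d3f3a9333cd4a` in 4/4), so PATCH 4/4 was not built on top of PATCH 3/4 and the series is not linear. Rebase 4/4 onto 3/4 (or squash the two) before merging so the heading rename and this link-text change apply cleanly together. The wording change itself, replacing "click (or tap) [this link]" with a descriptive link text, is an improvement and matches the tone of the other "we" to "you" edits in this patch.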