20230201 - CloudNativeSecurityCon NA 2023 - Securing user to server access in Kubernetes.pdf (22 pages)
Securing user to server access in Kubernetes
Maisem Ali & Maya Kaczorowski
@maisem_ali, @MayaKaczorowski, @MayaKaczorowski@infosec.exchange

Maya Kaczorowski, Head of Product (she/her)
Maisem Ali, Member of Technical Staff (he/him)

Agenda
- Kubernetes traffic and use cases
- User access to internal services
- Security properties you want
- What options you have
- How these options stack up
- Summary

Kubernetes cluster traffic
[Diagram: user and admin outside the cluster; control plane, load balancer, worker nodes and services inside; four numbered traffic flows]
1. Traffic between the components of Kubernetes (https:/ )
2. Traffic from a service to a service
3. Traffic from a user to the Kubernetes control plane
4. Traffic from a user to a service (public service, internal service)

Traffic                                 Typical security
Between the components of Kubernetes    Batteries included
Service to service                      Service mesh
User to the Kubernetes control plane    Bastion
User to a service                       Load balancer?
But does it do its own authentication?

Internal services you can run on Kubernetes
https://kubernetes.io/docs/tasks/access-application-cluster/access-cluster-services/
- Tools run alongside your service
  - Databases: Postgres
  - Monitoring, logging and tracing: Grafana, Prometheus
  - BI: Metabase
- Internal applications

Security properties for internal services
- Visibility: the service isn't publicly accessible
- Authentication: verify the user connecting to the service
- Authorization: only the right user can access the service
- Encryption: if traffic is intercepted, it's still protected
- Load balancing: share traffic between multiple instances
- Traffic filtering: limit traffic flows
- Auditability: monitor and log traffic flows

Options to consider
- Kubernetes cluster service
- Kubernetes load balancer
- Kubernetes Ingress
- Kubernetes network policy
- Service mesh
- Bastion
- IPsec
- WireGuard

Kubernetes Cluster Services
- Exposes pods inside a cluster as a single addressable unit
- Load balances across replicas of a pod
- Only reachable from inside the cluster
- BYO encryption, authentication and authorization
- No traffic filtering
[Checklist: Visibility, Authentication, Authorization, Encryption, Load balancing, Traffic filtering, Auditability; check marks not preserved in this text]

Kubernetes load balancers
- Exposes pods inside a cluster as a single addressable unit
- Load balances across replicas of a pod
- Publicly reachable
- BYO encryption, authentication and authorization
- Cloud provider may allow traffic filtering at the infrastructure layer
[Property checklist as above]

Kubernetes Ingress
https://kubernetes.io/docs/concepts/services-networking/ingress/
- (Everything that ClusterIP gives you, plus)
- Provides L7 HTTP load balancing
- TLS encryption
- Targets ClusterIP services
[Property checklist as above]

Kubernetes Network Policy
- Restricts network access to pods and services
- Only provides L3/L4 filtering
- Can be paired with LoadBalancers to restrict which external IPs can access services
[Property checklist as above]

Service mesh
- Uses a sidecar proxy
- Provides authentication and e2e encryption between services using mTLS
- Load balances among service instances
- Provides observability via metrics, tracing and logging
[Property checklist as above]

Bastion
- Point of entry to your network through your firewall
- Typically OpenSSH running on a host
- Gives you a single place where you can enforce access policies
- Sits on the public web
- Authentication and authorization based on SSH username/password, keys, or certs
[Property checklist as above]

IPsec & IPsec-based VPN
- Layer 3 encryption protocol between two IPs
- Just a protocol, so you are probably using it as part of an IPsec-based VPN
- IPsec provides authentication and encryption
- VPN should provide authorization and logs
- VPN concentrator might allow you to manage traffic
[Property checklist as above]

WireGuard & WireGuard-based VPN
- Layer 3 encryption protocol between two peers, identified by their public keys
- Compared to IPsec, less configuration thanks to opinionated cryptography
- WireGuard provides authentication and encryption
- VPN should provide authorization and logs
- VPN concentrator might allow you to manage traffic
[Property checklist as above]

Demo: connect to an internal application running in a cluster using Tailscale
- Set up Tailscale for a service running in a Kubernetes cluster using LoadBalancer type
- Connect to the service directly using its service name
- Expose the service to the wider internet using Tailscale Funnel

Summary
[Comparison table: rows Kubernetes load balancer, Kubernetes Ingress, Service mesh, Bastion, IPsec, IPsec-based VPN, WireGuard, WireGuard-based VPN, Kubernetes Network Policy; columns Visibility, Authentication, Authorization, Encryption, Load balancing, Traffic filtering, Auditability; check marks not preserved in this text]

Learn more
- Accessing services run on clusters: https://kubernetes.io/docs/tasks/access-application-cluster/access-cluster-services/
- Tailscale Kubernetes operator: https:/
- These slides: bit.ly/3wH2lFT

Please scan the QR code above to leave feedback on this session.
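The load balancer and Network Policy slides above describe pairing the two so that only chosen external IPs reach a service. The manifests below are an added example, not from the talk or the Tailscale operator; the namespace, labels, ports and the 203.0.113.0/24 client range are assumptions:

```yaml
# Constructed example (not from the talk): a LoadBalancer Service for an
# internal dashboard, filtered at two layers. Names and CIDR are assumptions.
apiVersion: v1
kind: Service
metadata:
  name: grafana
  namespace: monitoring
spec:
  type: LoadBalancer
  selector:
    app: grafana
  ports:
    - port: 443
      targetPort: 3000
  # Infrastructure-layer filtering, where the cloud provider supports it.
  loadBalancerSourceRanges:
    - 203.0.113.0/24
---
# Default-deny ingress for the namespace: unlisted pods are unreachable.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: monitoring
spec:
  podSelector: {}
  policyTypes:
    - Ingress
---
# L3/L4 allow rule for the dashboard pods only. NetworkPolicy cannot see
# users, so authentication and authorization stay with the app or a proxy.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: grafana-allow-office
  namespace: monitoring
spec:
  podSelector:
    matchLabels:
      app: grafana
  policyTypes:
    - Ingress
  ingress:
    - from:
        - ipBlock:
            cidr: 203.0.113.0/24
      ports:
        - protocol: TCP
          port: 3000
```

Whether the pod-level rule ever sees the client's real address depends on the load balancer and on the Service's externalTrafficPolicy (the default Cluster mode SNATs traffic to the node address, so set Local when the ipBlock rule must match external clients). loadBalancerSourceRanges is likewise honoured only by providers that implement it, so verify both layers with a connection from outside the allowed range.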
18、ireGuard-based VPNKubernetes Network Policymaisem_ali MayaKaczorowski Learn moreAccessing services run on clusters:https:/kubernetes.io/docs/tasks/access-application-cluster/access-cluster-services/Tailscale Kubernetes operator:https:/ these slides:bit.ly/3wH2lFT maisem_ali MayaKaczorowski Please scan the QR Code aboveto leave feedback on this session