Unsafe Defaults: Deploying Kubernetes Safer(ish) – James
Overview of Kubernetes
- A compromised container is very close to being a compromised host
- While you shouldn’t curl|bash the attacker can do it to get the latest exploits.
Three Quick things for some easy wins
- The Kubernetes API is completely open from localhost. This is no longer required but old clusters and some upgraded clusters may still have it.
- Put a Valid certificate on the cluster or at least one you can keep track of.
- Get rid of unauthenticated user roles as much as possible.
- Check you don’t still have “forever tokens”
- A Good idea not to give service tokens to most pods.
- Keep an eye on
- You need good RBAC
- Have a look at k-rail
- Can turn on authentication
- Can turn on TLS between peers and clients
- Can encrypt on disk
- Can restrict it with a firewall
Every Image Has A Purpose by Allen Shone
- What are they anyway
- A base definition to prepare a filesystem for execution as a container
- Caching mechanism
- Great way to share runtime circumstances
- A comprehensive environment structure
- image is a series of layers
- Minimizing layers makes things better
- Structure the image build process to get the best set of images
- Use the most appropriate image
- A small fix can add up
Images in Production / Customers facing envs
- When deploying containers, be precise as possible.
- The image should be ready to go without further work
- Keep image and small and simple as possible
- “FROM: golang:alpine” in testing
- “FROM: scratch” in production
- Two images but they serve different purposes
- Possible to use the same image as previously
- Bring in some extra debug tools etc, mocks for other services
Trimming the final image to be very specific
- Start with the production image and add extra layers of stuff
- Some things only come into consideration once they are deployed
- Instead of creating a big general container, create two containers in a pod that share a file system
- Configuration should be injeted, as an env-specific setup
- Images should be agnostic
- Look at using the .dockerignore file
- Use image scannign tools ( Diive and Clair)
- A little preparation up front can prevent a lot of headache later