Hardening a sketchy containerized application one step at a time


Road to Secure Kubernetes

Hardening a containerized application one step at a time

This repository hosts a tutorial on security hardening a containerized workload in Kubernetes. It's a self-guided, hands-on guide that takes you from the "default" settings we see in Kubernetes to a relatively well-configured workload. The mitigations described are by no means exhaustive, but they show a lot of low-hanging fruit anyone can use to harden a workload.

Prerequisites

To run through the tutorial you'll need:

  • Docker
  • kind, to run a Kubernetes cluster on your laptop with Docker
  • kubectl, the Kubernetes CLI, to interact with the cluster
  • helm, to install Cilium in the cluster

Before you begin, install the kind cluster as follows:

$ cd cluster

# Install kind cluster
$ kind create cluster --config config.yaml

# Install Cilium into kind cluster
$ helm repo add cilium https://helm.cilium.io/
$ helm install cilium cilium/cilium --version 1.9.10 \
   --namespace kube-system \
   --set nodeinit.enabled=true \
   --set kubeProxyReplacement=partial \
   --set hostServices.enabled=false \
   --set externalIPs.enabled=true \
   --set nodePort.enabled=true \
   --set hostPort.enabled=true \
   --set bpf.masquerade=false \
   --set image.pullPolicy=IfNotPresent \
   --set ipam.mode=kubernetes

# Wait for the Cilium operator to become available
$ kubectl wait --for=condition=available deployment.apps/cilium-operator -n kube-system

# Install Nginx Ingress controller
$ kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/main/deploy/static/provider/kind/deploy.yaml
$ kubectl wait --for=condition=available deployment.apps/ingress-nginx-controller -n ingress-nginx

Note that the Cilium chart is pinned to version 1.9.10, while the ingress-nginx manifest is fetched from the main branch and is not pinned, so its contents can change between runs. Once you can run curl http://localhost and get back a 404 like this one from Nginx, you're ready to start:

<html>
<head><title>404 Not Found</title></head>
<body>
<center><h1>404 Not Found</h1></center>
<hr><center>nginx</center>
</body>
</html>

How-to

The tutorial shows the step-by-step progression of an application configuration. Each configuration, or step, has a corresponding git tag from 1 to 10. Start at 1 and move from tag to tag. For every change there is a detailed explanation of what has been changed and what the change mitigates.

  • Step 1 is our starting point. If I were to hazard a guess, about 95% of Kubernetes applications are deployed in this state. It's a functioning application with some vulnerabilities, as you'll see.
  • Step 2 uses a non-root user in the container
  • Step 3 leverages read-only filesystems
  • Step 4 adds network policies
  • Step 5 uses a scratch container
  • Step 6 adds resource requests and limits
  • Step 7 drops linux capabilities
  • Step 8 disables privilege escalation
  • Step 9 adds seccomp profile
  • Step 10 removes service account credentials

Navigate to each tag to learn more!
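As an added example that is not part of the tutorial repository, the script below encodes steps 2 through 10 as an audit over a Deployment manifest, so you can check where each setting has to live (pod-level versus container-level securityContext) and catch the common partial fix of a NetworkPolicy that restricts ingress but leaves egress open. The two Deployments and the NetworkPolicy are constructed for illustration; the app name, image, port, uid, resource sizes and the ingress-nginx namespace label are assumptions. Step 5 (a scratch image) is a property of the container image rather than the pod spec, so it is not checked.

```python
"""Audit a Kubernetes Deployment against hardening steps 2-10 of the tutorial.
Manifests are plain dicts with the same structure kubectl accepts as JSON.
Step 5 (scratch image) lives in the Dockerfile, not the pod spec, and is not checked."""

# Constructed "step 1" Deployment: the defaults most workloads ship with.
# Name, image and port are assumptions.
DEFAULT_DEPLOYMENT = {
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "app", "namespace": "default"},
    "spec": {"selector": {"matchLabels": {"app": "app"}},
             "template": {"metadata": {"labels": {"app": "app"}},
                          "spec": {"containers": [{"name": "app", "image": "app:latest",
                                                   "ports": [{"containerPort": 8080}]}]}}},
}

# The same Deployment after steps 2, 3, 6, 7, 8, 9 and 10 (constructed; the uid and
# resource sizes are assumptions).
HARDENED_DEPLOYMENT = {
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "app", "namespace": "default"},
    "spec": {"selector": {"matchLabels": {"app": "app"}},
             "template": {"metadata": {"labels": {"app": "app"}}, "spec": {
                 "automountServiceAccountToken": False,                          # step 10
                 "securityContext": {"runAsNonRoot": True, "runAsUser": 10001,    # step 2
                                     "seccompProfile": {"type": "RuntimeDefault"}},  # step 9
                 "containers": [{
                     "name": "app", "image": "app:1.0.0",
                     "ports": [{"containerPort": 8080}],
                     "resources": {"requests": {"cpu": "100m", "memory": "64Mi"},  # step 6
                                   "limits": {"cpu": "500m", "memory": "128Mi"}},
                     "securityContext": {
                         "readOnlyRootFilesystem": True,       # step 3
                         "allowPrivilegeEscalation": False,    # step 8
                         "capabilities": {"drop": ["ALL"]}},   # step 7
                 }]}}},
}

# Step 4 (constructed): allow ingress only from the ingress-nginx namespace and deny all
# egress. Assumes the namespace carries the kubernetes.io/metadata.name label. An empty
# egress list with "Egress" in policyTypes denies everything, DNS included.
NETWORK_POLICY = {
    "apiVersion": "networking.k8s.io/v1", "kind": "NetworkPolicy",
    "metadata": {"name": "app", "namespace": "default"},
    "spec": {"podSelector": {"matchLabels": {"app": "app"}},
             "policyTypes": ["Ingress", "Egress"],
             "ingress": [{"from": [{"namespaceSelector": {"matchLabels": {
                              "kubernetes.io/metadata.name": "ingress-nginx"}}}],
                          "ports": [{"port": 8080}]}],
             "egress": []},
}


def _effective(key, container_sc, pod_sc):
    """Container-level securityContext overrides the pod-level value, as the kubelet does."""
    return container_sc[key] if key in container_sc else pod_sc.get(key)


def _selects(policy, namespace, labels):
    """True if a NetworkPolicy in `namespace` selects a pod with `labels` (matchLabels only)."""
    if policy["metadata"].get("namespace", "default") != namespace:
        return False
    wanted = policy["spec"].get("podSelector", {}).get("matchLabels", {})
    return all(labels.get(k) == v for k, v in wanted.items())  # empty selector = every pod


def audit(deployment, policies=()):
    """Return sorted (step, finding) tuples for every hardening step still at its default."""
    pod = deployment["spec"]["template"]["spec"]
    pod_sc = pod.get("securityContext", {})
    findings = []
    for c in pod.get("containers", []) + pod.get("initContainers", []):
        sc, name = c.get("securityContext", {}), c["name"]
        # runAsNonRoot makes the kubelet refuse a uid-0 image; runAsUser forces a specific uid.
        if _effective("runAsNonRoot", sc, pod_sc) is not True and not _effective("runAsUser", sc, pod_sc):
            findings.append((2, f"{name}: may run as root (no runAsNonRoot/runAsUser)"))
        if sc.get("readOnlyRootFilesystem") is not True:
            findings.append((3, f"{name}: readOnlyRootFilesystem not set"))
        res = c.get("resources", {})
        for kind in ("requests", "limits"):
            missing = [r for r in ("cpu", "memory") if r not in res.get(kind, {})]
            if missing:
                findings.append((6, f"{name}: resources.{kind} missing {', '.join(missing)}"))
        if "ALL" not in [d.upper() for d in sc.get("capabilities", {}).get("drop", [])]:
            findings.append((7, f"{name}: capabilities.drop does not include ALL"))
        if sc.get("allowPrivilegeEscalation") is not False:
            findings.append((8, f"{name}: allowPrivilegeEscalation not set to false"))
        seccomp = (_effective("seccompProfile", sc, pod_sc) or {}).get("type")
        if seccomp not in ("RuntimeDefault", "Localhost"):
            findings.append((9, f"{name}: seccompProfile is {seccomp or 'Unconfined'}"))
    if pod.get("automountServiceAccountToken") is not False:
        findings.append((10, "automountServiceAccountToken not set to false"))
    labels = deployment["spec"]["template"]["metadata"].get("labels", {})
    namespace = deployment["metadata"].get("namespace", "default")
    matching = [p for p in policies if _selects(p, namespace, labels)]
    if not matching:
        findings.append((4, "no NetworkPolicy selects this pod"))
    elif not any("Egress" in p["spec"].get("policyTypes", []) for p in matching):
        findings.append((4, "NetworkPolicy restricts ingress only; egress is still open"))
    return sorted(findings)
```

Running audit(DEFAULT_DEPLOYMENT) reports findings for every step except 5, while audit(HARDENED_DEPLOYMENT, [NETWORK_POLICY]) returns an empty list. Two design points worth keeping in mind when adapting it: the seccomp and run-as settings may be set at pod level and inherited, but readOnlyRootFilesystem, allowPrivilegeEscalation and capabilities exist only on the container, so a pod-level check for those is a false pass; and the audit needs the NetworkPolicy objects as input because the Deployment alone cannot tell you whether it is isolated.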

Owner

Nathan Smith
Self-hosting and infrastructure enthusiast. Background in statistical physics and high performance computing.

Oct 14, 2021