How to Secure OpenShift Environments and What Happens If You Don´t
Jan Harrie, ERNW GmbH, Germany
Slides: https://cutt.ly/HeNpUtD
@NodyTweet
$ whoami – Jan Harrie
@NodyTweet
Agenda
@NodyTweet
OpenShift & Kubernetes
Introduction & Differences
@NodyTweet
Introduction OpenShift
@NodyTweet
OpenShift vs. K8s – Differences
Kubernetes
@NodyTweet
OpenShift vs. K8s – Differences
Kubernetes
OpenShift
@NodyTweet
Cluster Threats
@NodyTweet
What kind of threat model exist
for a cluster?
@NodyTweet
Cluster Threats
External Attacker
ETCD
Master
Worker
Pod
@NodyTweet
Cluster Threats
Internal Attacker
ETCD
Master
Worker
Pod
@NodyTweet
Internal are External Attackers one Step ahead
ETCD
Master
Worker
Pod
@NodyTweet
Internal are External Attackers one Step ahead
Internal Attacker
ETCD
Master
Worker
Pod
@NodyTweet
(In-)Security of Clusters
@NodyTweet
Source: KubeCon NA 2017 by Brad Geesaman [7]
@NodyTweet
Source: KubeCon NA 2017 by Brad Geesaman [7]
@NodyTweet
(In-)Security of Clusters
User Management
Network Security
A dive into Security Context Constraints (SCC’s)
@NodyTweet
(In-)Security of Clusters
User Management
Network Security
A dive into Security Context Constraints (SCC’s)
@NodyTweet
User Management in OpenShift
@NodyTweet
User Management in OpenShift
@NodyTweet
User Management in OpenShift
@NodyTweet
User Management in OpenShift
@NodyTweet
Role Based Access Control
A lot of default cluster-roles are shipped with OpenShift
Authenticated User:
@NodyTweet
Role Based Access Control
A lot of default cluster-roles are shipped with OpenShift
Authenticated User:
@NodyTweet
Role Based Access Control
Demo 1: https://asciinema.org/a/281016
@NodyTweet
What can probably go wrong?
If IdP is wrong configured:
and
Inspection of resolv.conf of the Pods:
$ cat /etc/resolv.conf�nameserver 172.30.0.2�search user1-p0.svc.cluster.local svc.cluster.local cluster.local�options ndots:5
@NodyTweet
What can probably go wrong?
If IdP is wrong configured:
and
$ cat /etc/resolv.conf�nameserver 172.30.0.2�search user1-p0.svc.cluster.local svc.cluster.local cluster.local�options ndots:5
@NodyTweet
What can probably go wrong?
Demo 2: https://asciinema.org/a/281704
@NodyTweet
Mitigation Strategy
$ oc adm policy remove-cluster-role-from-group self-provisioner system:authenticated�clusterrolebinding.rbac.authorization.k8s.io/self-provisioners patched��$ oc login -u user1�$ oc new-project user1-p1�Error from server (Forbidden): You may not request a new project via this API.
@NodyTweet
(In-)Security of Clusters
User Management
Network Security
A dive into Security Context Constraints (SCC’s)
@NodyTweet
Network Security
Software Defined Networking build on Open vSwitch
Three plugins available:
@NodyTweet
Network Security – Open vSwitch Subnet
Configuration of Open vSwitch Subnet is not recommended
@NodyTweet
Network Security – Open vSwitch Subnet
Demo 3: https://asciinema.org/a/280323
@NodyTweet
Network Security – Open vSwitch Multitenant
Setup Plugin Open vSwitch Multitenannt to “prevent” cross-project communication
BUT !
Side reference: TR19 – VXLAN Security or Injection [8]
@NodyTweet
Network Security – Open vSwitch Multitenant
Setup Plugin Open vSwitch Multitenannt to “prevent” cross-project communication
BUT !
Side reference: TR19 – VXLAN Security or Injection [8]
@NodyTweet
Network Security – Open vSwitch Networkpolicy
Alternatively: stick to Open vSwitch Networkpolicy which allows you to deploy NetworkPolicies, and bock all ingress traffic [9] and add explicit whitelistings.
Further more, the plugin allows White- an Black-Listing on Layer3 [10] with CIDR notation or DNS
Configuration of Egress IP’s and Egress Proxies is possible [11]
kind: NetworkPolicy
metadata:
name: default-deny
spec:
podSelector: {}
policyTypes:
- Ingress
https://twitter.com/JackKleeman/status/1190354757308862468
@NodyTweet
(In-)Security of Clusters
User Management
Network Security
A dive into Security Context Constraints (SCC’s)
@NodyTweet
Security Context Constraints
@NodyTweet
Security Context Constraints
Predefined Profiles
$ oc get scc�NAME PRIV CAPS SELINUX RUNASUSER [...]�anyuid false [] MustRunAs RunAsAny [...]�hostaccess false [] MustRunAs MustRunAsRange [...]�hostmount-anyuid false [] MustRunAs RunAsAny [...]�hostnetwork false [] MustRunAs MustRunAsRange [...]�nonroot false [] MustRunAs MustRunAsNonRoot [...]�privileged true [*] RunAsAny RunAsAny [...]�restricted false [] MustRunAs MustRunAsRange [...]
@NodyTweet
Security Context Constraints
Predefined Profiles – that allow privileged
$ oc get scc�NAME PRIV CAPS SELINUX RUNASUSER [...]�anyuid false [] MustRunAs RunAsAny [...]�hostaccess false [] MustRunAs MustRunAsRange [...]�hostmount-anyuid false [] MustRunAs RunAsAny [...]�hostnetwork false [] MustRunAs MustRunAsRange [...]�nonroot false [] MustRunAs MustRunAsNonRoot [...]�privileged true [*] RunAsAny RunAsAny [...]�restricted false [] MustRunAs MustRunAsRange [...]
@NodyTweet
Security Context Constraints
Demo 4: https://asciinema.org/a/280383
@NodyTweet
Security Context Constraints
Predefined Profiles – that allow hostPath, hostIPC, hostPID
$ oc get scc�NAME PRIV CAPS SELINUX RUNASUSER [...]�anyuid false [] MustRunAs RunAsAny [...]�hostaccess false [] MustRunAs MustRunAsRange [...]�hostmount-anyuid false [] MustRunAs RunAsAny [...]�hostnetwork false [] MustRunAs MustRunAsRange [...]�nonroot false [] MustRunAs MustRunAsNonRoot [...]�privileged true [*] RunAsAny RunAsAny [...]�restricted false [] MustRunAs MustRunAsRange [...]
@NodyTweet
Security Context Constraints
Demo 5: https://asciinema.org/a/280388
@NodyTweet
Security Context Constraints
Predefined Profiles – that allow root in container
$ oc get scc�NAME PRIV CAPS SELINUX RUNASUSER [...]�anyuid false [] MustRunAs RunAsAny [...]�hostaccess false [] MustRunAs MustRunAsRange [...]�hostmount-anyuid false [] MustRunAs RunAsAny [...]�hostnetwork false [] MustRunAs MustRunAsRange [...]�nonroot false [] MustRunAs MustRunAsNonRoot [...]�privileged true [*] RunAsAny RunAsAny [...]�restricted false [] MustRunAs MustRunAsRange [...]
@NodyTweet
Security Context Constraints
Predefined Profiles
$ oc get scc�NAME PRIV CAPS SELINUX RUNASUSER [...]�anyuid false [] MustRunAs RunAsAny [...]�hostaccess false [] MustRunAs MustRunAsRange [...]�hostmount-anyuid false [] MustRunAs RunAsAny [...]�hostnetwork false [] MustRunAs MustRunAsRange [...]�nonroot false [] MustRunAs MustRunAsNonRoot [...]�privileged true [*] RunAsAny RunAsAny [...]�restricted false [] MustRunAs MustRunAsRange [...]
@NodyTweet
Security Context Constraints
Predefined Profiles
$ oc get scc�NAME PRIV CAPS SELINUX RUNASUSER [...]�anyuid false [] MustRunAs RunAsAny [...]�hostaccess false [] MustRunAs MustRunAsRange [...]�hostmount-anyuid false [] MustRunAs RunAsAny [...]�hostnetwork false [] MustRunAs MustRunAsRange [...]�nonroot false [] MustRunAs MustRunAsNonRoot [...]�privileged true [*] RunAsAny RunAsAny [...]�restricted false [] MustRunAs MustRunAsRange [...]
@NodyTweet
Security Context Constraints – Summary
@NodyTweet
Security Context Constraints – Summary
Demo 6: https://asciinema.org/a/280392
@NodyTweet
Conclusion & Future Work
@NodyTweet
Conclusion & Future Work
@NodyTweet
Thanks for your Attention
and take care of your defaults ;)
Slides: https://cutt.ly/HeNpUtD
@NodyTweet
References
[1] https://blog.openshift.com/introducing-red-hat-openshift-4-2-developers-get-an-expanded-and-improved-toolbox/�[2] https://twitter.com/bradgeesaman/status/1188541320626921473�[3] https://blog.openshift.com/red-hat-chose-kubernetes-openshift/�[4]https://kubernetes.io/blog/2015/04/borg-predecessor-to-kubernetes/�[5] https://ai.google/research/pubs/pub43438�[6] https://twitter.com/iancoldwater/status/1174793280011325456�[7] https://goo.gl/TNRxtd�[8] https://troopers.de/downloads/troopers19/TROOPERS19_AR_VXLAN_Security.pdf�[9] https://kubernetes.io/docs/concepts/services-networking/network-policies/#default-deny-all-ingress-traffic�[10] https://docs.openshift.com/container-platform/3.11/admin_guide/managing_networking.html#admin-guide-limit-pod-access-egress�[11] https://docs.openshift.com/container-platform/3.11/admin_guide/managing_networking.html#admin-guide-limit-pod-access-egress-router�[12] https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy�[13] https://cookbook.openshift.org/users-and-role-based-access-control/how-can-i-enable-an-image-to-run-as-a-set-user-id.html�
@NodyTweet