title
Kubernetes Security Best Practices you need to know | THE Guide for securing your K8s cluster!
description
Secure your K8s cluster with this Top 10 Kubernetes Security Best Practices | Kubernetes Security 101
💙 Become a Kubernetes Administrator ► https://bit.ly/420TrA7
💚 Become a DevOps Engineer - full educational program ► https://bit.ly/3q7Ir6X
💛 Follow me on IG for behind-the-scenes-content ► https://bit.ly/2F3LXYJ
✅ Learn more about Kubernetes Backup and Restore with Kasten: https://youtu.be/01qcYSck1c4
#kubernetes #devops #techworldwithnana
► Thank you Kasten for sponsoring this video 🙌
► Free Kubernetes Backup and Migration - Download Free Kasten K10 #1 Kubernetes Backup: https://www.kasten.io/nana
In this video I talk about a super important topic, which is security in Kubernetes and what some of the best practices are for securing your Kubernetes cluster.
The big challenge that we see in terms of Kubernetes security is that it's already so challenging to set up a Kubernetes cluster and configure it to deploy applications in it that security often becomes an afterthought, added on top of that already complex configuration. However, we can't deny the importance of security, especially when the systems are so complex!
Cloud applications have become a very attractive target for a lot of hackers, and the growing number of cloud-native applications mostly use Kubernetes as a platform. That's where the relevance of knowing how to secure Kubernetes clusters comes into play.
▬▬▬▬▬▬ L I N K S 🔗▬▬▬▬▬▬
Sign up to get notified about new upcoming courses ► https://www.techworld-with-nana.com/course-roadmap
▬▬▬▬▬▬ T I M E S T A M P S ⏰ ▬▬▬▬▬▬
0:00 - Intro
00:33 - Security in Cloud in general
01:39 - Security in Kubernetes
02:26 - Security as a Spectrum
04:39 - BP 1 - Image Scanning
09:45 - BP 2 - Run as Non-Root User
11:08 - BP 3 - Users & Permissions with RBAC
15:44 - BP 4 - Use Network Policies
18:18 - BP 5 - Encrypt Communication
19:06 - BP 6 - Secure Secret Data
20:34 - BP 7 - Secure etcd
22:05 - BP 8 - Automated Backup & Restore
24:54 - BP 9 - Configure Security Policies
26:50 - BP 10 - Disaster Recovery
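Best practices 2 (run as non-root user) and 9 (configure security policies) from the list above, turned into a static check. This is an added example, not code from the video or from Kasten: it reads Pod objects in the JSON shape that `kubectl get pod <name> -o json` returns, flags the settings the video warns about (containers that may run as root or privileged, host namespace sharing, auto-mounted service account tokens, images from untrusted registries or not pinned by digest), and exercises itself on two constructed manifests. The trusted registry name `registry.example.com` and both sample pods are assumptions made for the example.

```python
"""Static checker for Kubernetes Pod specs (added example, not from the video).

Flags the misconfigurations behind best practices 2 and 9: containers that
may run as root or privileged, host namespace sharing, auto-mounted service
account tokens, and images that are not from a trusted registry or not
pinned by digest. Input is the dict form of a Pod, i.e. json.load() of the
output of `kubectl get pod <name> -o json`.
"""
from __future__ import annotations

# Assumption: the registries this organisation trusts (hypothetical name).
TRUSTED_REGISTRIES = ("registry.example.com/",)


def _containers(spec: dict) -> list[dict]:
    """Init containers count too; a privileged init container is still a root shell."""
    return list(spec.get("initContainers", [])) + list(spec.get("containers", []))


def _effective_context(pod_ctx: dict, container: dict) -> dict:
    """Pod-level securityContext applies to every container unless overridden."""
    return {**pod_ctx, **container.get("securityContext", {})}


def check_pod(pod: dict) -> list[str]:
    """Return human-readable violations for one Pod; an empty list means compliant."""
    name = pod.get("metadata", {}).get("name", "<unnamed>")
    spec = pod.get("spec", {})
    pod_ctx = spec.get("securityContext", {})
    found: list[str] = []

    # Sharing host namespaces lets a compromised container see host processes and NICs.
    for flag in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(flag):
            found.append(f"{name}: {flag} is enabled")

    # A mounted token gives whoever lands in the pod the service account's API rights.
    if spec.get("automountServiceAccountToken", True):
        found.append(f"{name}: service account token is auto-mounted")

    for c in _containers(spec):
        cname = f"{name}/{c.get('name', '<unnamed>')}"
        ctx = _effective_context(pod_ctx, c)

        # Without runAsNonRoot the image default decides, and that is usually UID 0.
        if ctx.get("runAsNonRoot") is not True and ctx.get("runAsUser", 0) == 0:
            found.append(f"{cname}: may run as root (set runAsNonRoot or a non-zero runAsUser)")
        if ctx.get("privileged"):
            found.append(f"{cname}: privileged container")
        if ctx.get("allowPrivilegeEscalation", True):
            found.append(f"{cname}: allowPrivilegeEscalation not disabled")
        caps = ctx.get("capabilities", {})
        if caps.get("add"):
            found.append(f"{cname}: adds capabilities {sorted(caps['add'])}")
        if "ALL" not in caps.get("drop", []):
            found.append(f"{cname}: does not drop ALL capabilities")
        if ctx.get("readOnlyRootFilesystem") is not True:
            found.append(f"{cname}: root filesystem is writable")

        image = c.get("image", "")
        if not image.startswith(TRUSTED_REGISTRIES):
            found.append(f"{cname}: image {image!r} is not from a trusted registry")
        if "@sha256:" not in image:
            found.append(f"{cname}: image {image!r} is not pinned by digest")
    return found


# Constructed sample manifests (not from the page): a typical "it works" pod
# and the same workload hardened.
LEGACY_POD = {
    "metadata": {"name": "legacy-api"},
    "spec": {
        "hostNetwork": True,
        "containers": [{
            "name": "api",
            "image": "docker.io/library/nginx:latest",
            "securityContext": {"privileged": True},
        }],
    },
}

HARDENED_POD = {
    "metadata": {"name": "hardened-api"},
    "spec": {
        "automountServiceAccountToken": False,
        "securityContext": {
            "runAsNonRoot": True,
            "runAsUser": 10001,
            "seccompProfile": {"type": "RuntimeDefault"},
        },
        "containers": [{
            "name": "api",
            "image": "registry.example.com/team/api@sha256:" + "a" * 64,
            "securityContext": {
                "allowPrivilegeEscalation": False,
                "capabilities": {"drop": ["ALL"]},
                "readOnlyRootFilesystem": True,
            },
        }],
    },
}

if __name__ == "__main__":
    for pod in (LEGACY_POD, HARDENED_POD):
        problems = check_pod(pod)
        print(pod["metadata"]["name"], "OK" if not problems else f"{len(problems)} violation(s)")
        for p in problems:
            print("  -", p)
```

The same rules are what an admission controller (Pod Security Admission, or a policy engine such as OPA Gatekeeper or Kyverno) would enforce at deploy time; running the check in CI against rendered manifests catches the problem before the pod ever reaches the cluster. Note that pod-level `runAsNonRoot` is inherited by every container, so the hardened pod passes even though its container-level securityContext does not repeat it.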
▬▬▬▬▬▬ Want to learn more? 🚀 ▬▬▬▬▬▬
Full Python course ► https://youtu.be/t8pPdKYpowI
Full Docker course ► https://youtu.be/3c-iBn73dDE
Full K8s course ► https://youtu.be/X48VuDVv0do
DevOps Tools explained ► https://bit.ly/2W9UEq6
▬▬▬▬▬▬ Connect with me 👋 ▬▬▬▬▬▬
INSTAGRAM ► https://bit.ly/2F3LXYJ
TWITTER ► https://bit.ly/3i54PUB
LINKEDIN ► https://bit.ly/3hWOLVT
FB group ► https://bit.ly/32UVSZP
DEV ► https://bit.ly/3h2fqiO
▬▬▬▬▬▬ Courses & Bootcamp & Ebooks 🚀 ▬▬▬▬▬▬
► Become a DevOps Engineer - full educational program 👉🏼 https://bit.ly/45mXaer
► High-Quality and Hands-On Courses 👉🏼 https://bit.ly/3BNS8Kv
► Kubernetes 101 - compact and easy-to-read ebook bundle 👉🏼 https://bit.ly/3Ozl28x
detail
{'title': 'Kubernetes Security Best Practices you need to know | THE Guide for securing your K8s cluster!', 'heatmap': [{'end': 1776.841, 'start': 1761.667, 'weight': 1}], 'summary': "Covers the increasing attractiveness of cloud applications as hacker targets, vulnerabilities and misconfigurations in kubernetes clusters, 10 kubernetes security best practices, image scanning for secure container images, managing users' roles and permissions in kubernetes, and emphasizing securing kubernetes through encryption, securing secrets, and protecting etcd store, with a focus on kasten's k10 tool for disaster recovery mechanisms.", 'chapters': [{'end': 226.854, 'segs': [{'end': 33.521, 'src': 'embed', 'start': 10.551, 'weight': 4, 'content': [{'end': 23.893, 'text': "The big challenge that we see in terms of Kubernetes security is that it's already so challenging to set up a Kubernetes cluster and to configure it to deploy the applications in it that security often becomes the afterthought,", 'start': 10.551, 'duration': 13.342}, {'end': 26.894, 'text': 'adding on top of that already complex configuration.', 'start': 23.893, 'duration': 3.001}, {'end': 33.521, 'text': "However, we can't deny the importance of security, especially when the systems are so complex.", 'start': 27.634, 'duration': 5.887}], 'summary': "Setting up kubernetes is complex, making security an afterthought, but it's crucial for complex systems.", 'duration': 22.97, 'max_score': 10.551, 'thumbnail': 'https://coursnap.oss-ap-southeast-1.aliyuncs.com/video-capture/oBf5lrmquYI/pics/oBf5lrmquYI10551.jpg'}, {'end': 93.583, 'src': 'embed', 'start': 51.075, 'weight': 0, 'content': [{'end': 60.181, 'text': "But it's important to understand that you have to secure and manage the infrastructure and your applications on the cloud just the way you manage them on premise.", 'start': 51.075, 'duration': 9.106}, {'end': 67.806, 'text': 'The difference is that on cloud, you simply have different tools and technologies 
to configure that security.', 'start': 60.541, 'duration': 7.265}, {'end': 78.894, 'text': "And often, many organizations aren't aware of those tools or aren't using the tools that are available for making your cloud environment secure.", 'start': 68.307, 'duration': 10.587}, {'end': 86.779, 'text': 'So with all these things combined, cloud applications actually become a very attractive target to a lot of hackers.', 'start': 79.634, 'duration': 7.145}, {'end': 93.583, 'text': 'And this growing number of cloud native applications mostly use Kubernetes as a platform.', 'start': 87.539, 'duration': 6.044}], 'summary': 'Securing cloud infrastructure and applications is crucial, utilizing available tools to prevent hacking. kubernetes is widely used.', 'duration': 42.508, 'max_score': 51.075, 'thumbnail': 'https://coursnap.oss-ap-southeast-1.aliyuncs.com/video-capture/oBf5lrmquYI/pics/oBf5lrmquYI51075.jpg'}, {'end': 132.708, 'src': 'embed', 'start': 109.894, 'weight': 2, 'content': [{'end': 123.919, 'text': 'So what are we starting from and what are the vulnerabilities or security gaps that we have in Kubernetes and what are the security best practices to protect and close those gaps in Kubernetes to secure our systems?', 'start': 109.894, 'duration': 14.025}, {'end': 132.708, 'text': 'The common number one issue is when someone gets access from Kubernetes platform to the underlying operating system,', 'start': 124.739, 'duration': 7.969}], 'summary': 'Identify kubernetes vulnerabilities and implement security best practices to protect systems.', 'duration': 22.814, 'max_score': 109.894, 'thumbnail': 'https://coursnap.oss-ap-southeast-1.aliyuncs.com/video-capture/oBf5lrmquYI/pics/oBf5lrmquYI109894.jpg'}, {'end': 226.854, 'src': 'embed', 'start': 201.876, 'weight': 3, 'content': [{'end': 209.459, 'text': 'So while coding best practice is not to repeat logic, security best practice generally is actually to be redundant.', 'start': 201.876, 'duration': 7.583}, {'end': 
215.542, 'text': 'So use many security mechanisms in place to protect every attack point.', 'start': 210.139, 'duration': 5.403}, {'end': 216.684, 'text': 'So this way,', 'start': 216.163, 'duration': 0.521}, {'end': 226.854, 'text': 'an attacker will have to do multiple things in order to get into your system or access your valuable resources and basically do some damage to your whole environment.', 'start': 216.684, 'duration': 10.17}], 'summary': 'Security best practice recommends redundancy in multiple security mechanisms to protect against attacks.', 'duration': 24.978, 'max_score': 201.876, 'thumbnail': 'https://coursnap.oss-ap-southeast-1.aliyuncs.com/video-capture/oBf5lrmquYI/pics/oBf5lrmquYI201876.jpg'}], 'start': 0.249, 'title': 'Securing kubernetes clusters', 'summary': 'Discusses the increasing attractiveness of cloud applications as hacker targets, vulnerabilities and misconfigurations in kubernetes clusters, and the need for multiple security mechanisms to protect against attacks.', 'chapters': [{'end': 67.806, 'start': 0.249, 'title': 'Kubernetes security best practices', 'summary': 'Discusses the importance of security in kubernetes, highlighting the common misconception of cloud security and emphasizing the need to manage infrastructure and applications in the cloud similar to on-premise, using different tools and technologies for configuration.', 'duration': 67.557, 'highlights': ['The misconception that cloud is secure by default is addressed, emphasizing the need to manage infrastructure and applications in the cloud similar to on-premise, using different tools and technologies for configuration.', 'The video emphasizes the importance of security in Kubernetes due to the complexity of setting up and configuring a Kubernetes cluster, making it an afterthought for many. 
This highlights the challenge of prioritizing security in complex systems.']}, {'end': 226.854, 'start': 68.307, 'title': 'Securing kubernetes clusters', 'summary': 'Discusses the increasing attractiveness of cloud applications as hacker targets, the vulnerabilities and misconfigurations in kubernetes clusters, and the need for multiple security mechanisms to protect against attacks.', 'duration': 158.547, 'highlights': ['The growing number of cloud native applications mostly use Kubernetes as a platform, making it an attractive target for hackers.', 'Common number one issue is when someone gets access from Kubernetes platform to the underlying operating system, in which case an attacker can do a lot of damage to the whole system.', 'Security best practice generally is to be redundant, using many security mechanisms in place to protect every attack point.']}], 'duration': 226.605, 'thumbnail': 'https://coursnap.oss-ap-southeast-1.aliyuncs.com/video-capture/oBf5lrmquYI/pics/oBf5lrmquYI249.jpg', 'highlights': ['The growing number of cloud native applications mostly use Kubernetes as a platform, making it an attractive target for hackers.', 'The misconception that cloud is secure by default is addressed, emphasizing the need to manage infrastructure and applications in the cloud similar to on-premise, using different tools and technologies for configuration.', 'Common number one issue is when someone gets access from Kubernetes platform to the underlying operating system, in which case an attacker can do a lot of damage to the whole system.', 'Security best practice generally is to be redundant, using many security mechanisms in place to protect every attack point.', 'The video emphasizes the importance of security in Kubernetes due to the complexity of setting up and configuring a Kubernetes cluster, making it an afterthought for many. 
This highlights the challenge of prioritizing security in complex systems.']}, {'end': 459.629, 'segs': [{'end': 272.385, 'src': 'embed', 'start': 227.214, 'weight': 0, 'content': [{'end': 235.203, 'text': 'Now, before we dive in the 10 security best practices, I want to say a huge thanks to Kasten for sponsoring and making this video possible.', 'start': 227.214, 'duration': 7.989}, {'end': 241.508, 'text': 'They have an amazing tool called K10, which is the Kubernetes backup and restore solution.', 'start': 235.723, 'duration': 5.785}, {'end': 248.654, 'text': 'It is a Kubernetes native application and has a lot of really good features for backup and restore use cases.', 'start': 241.868, 'duration': 6.786}, {'end': 254.719, 'text': 'And apart from backup and restore being an important part of security mechanism itself.', 'start': 249.115, 'duration': 5.604}, {'end': 256.798, 'text': "And we're going to talk about that in this video.", 'start': 255.179, 'duration': 1.619}, {'end': 261.94, 'text': 'K10 actually has a big focus on all the security aspects in Kubernetes.', 'start': 257.16, 'duration': 4.78}, {'end': 272.385, 'text': 'So it integrates with various tools and is basically engineered to make it easy for Kubernetes administrators to secure the K10 service itself in the cluster.', 'start': 262.281, 'duration': 10.104}], 'summary': "Kasten's k10, a kubernetes backup and restore solution, prioritizes security by integrating with various tools and focusing on all security aspects in kubernetes.", 'duration': 45.171, 'max_score': 227.214, 'thumbnail': 'https://coursnap.oss-ap-southeast-1.aliyuncs.com/video-capture/oBf5lrmquYI/pics/oBf5lrmquYI227214.jpg'}, {'end': 413.373, 'src': 'embed', 'start': 366.729, 'weight': 2, 'content': [{'end': 369.911, 'text': 'so this means we need to be careful what goes inside the image,', 'start': 366.729, 'duration': 3.182}, {'end': 375.695, 'text': "what libraries and dependencies and tools we're using when putting together 
our application image.", 'start': 369.911, 'duration': 5.784}, {'end': 381.619, 'text': "Generally, when we're building images, developers should eliminate any unnecessary packages,", 'start': 376.315, 'duration': 5.304}, {'end': 391.546, 'text': "libraries and dependencies that application doesn't necessarily need, or it may need in a build time, but not necessarily in runtime.", 'start': 381.619, 'duration': 9.927}, {'end': 399.588, 'text': 'and also they should choose leaner and smaller base images with less tools inside to build the application image,', 'start': 392.086, 'duration': 7.502}, {'end': 404.13, 'text': "because mostly you don't need so many tools to run your applications.", 'start': 399.588, 'duration': 4.542}, {'end': 413.373, 'text': 'if we do build an application image with some vulnerabilities and it gets deployed to the cluster, that may introduce serious security issues.', 'start': 404.13, 'duration': 9.243}], 'summary': 'Developers should choose leaner base images, eliminate unnecessary packages, and avoid vulnerabilities to ensure application security and efficiency.', 'duration': 46.644, 'max_score': 366.729, 'thumbnail': 'https://coursnap.oss-ap-southeast-1.aliyuncs.com/video-capture/oBf5lrmquYI/pics/oBf5lrmquYI366729.jpg'}], 'start': 227.214, 'title': 'Kubernetes security best practices and securing workloads', 'summary': 'Covers 10 kubernetes security best practices, focusing on backup and restore mechanisms, integrating k10, and securing container images in ci-cd pipeline to mitigate untrusted code, vulnerabilities, and impact on cluster security.', 'chapters': [{'end': 292.868, 'start': 227.214, 'title': 'Kubernetes security best practices', 'summary': 'Discusses 10 security best practices for kubernetes, emphasizing the importance of backup and restore mechanisms and the integration of k10 for securing kubernetes services.', 'duration': 65.654, 'highlights': ["Kasten's K10 is a Kubernetes backup and restore solution with a focus on 
security, offering features and integrations to secure Kubernetes services.", 'Backup and restore mechanisms are crucial for security, and K10 is engineered to make it easy for Kubernetes administrators to secure the K10 service itself in the cluster.', 'The main purpose of Kubernetes is to run applications inside containers, highlighting the need for secure deployment practices.']}, {'end': 459.629, 'start': 293.528, 'title': 'Securing workloads in kubernetes', 'summary': "Emphasizes the importance of building a secure container image in the ci-cd pipeline, highlighting potential security issues such as untrusted code, vulnerabilities in dependencies, and the impact of deploying images with vulnerabilities on the cluster's security.", 'duration': 166.101, 'highlights': ['Developers should eliminate unnecessary packages, libraries, and dependencies in the application image, reducing the risk of vulnerabilities and potential security breaches.', 'Choosing leaner and smaller base images with fewer tools can minimize the attack surface and reduce the risk of security vulnerabilities in the deployed images.', 'Vulnerabilities in the application image deployed to the cluster can lead to serious security issues, enabling attackers to access the host, other containers, and sensitive information, potentially escalating privileges and causing significant damage to the cluster.', "Untrusted code from registries and vulnerabilities in dependencies pose security risks to the container images, potentially granting attackers access to the host or Kubernetes worker node, compromising the cluster's security."]}], 'duration': 232.415, 'thumbnail': 'https://coursnap.oss-ap-southeast-1.aliyuncs.com/video-capture/oBf5lrmquYI/pics/oBf5lrmquYI227214.jpg', 'highlights': ["Kasten's K10 offers features and integrations to secure Kubernetes services.", 'K10 is engineered to make it easy for Kubernetes administrators to secure the K10 service itself.', 'Developers should eliminate 
unnecessary packages, libraries, and dependencies in the application image.', 'Choosing leaner and smaller base images with fewer tools can minimize the attack surface.', 'Vulnerabilities in the application image deployed to the cluster can lead to serious security issues.']}, {'end': 693.453, 'segs': [{'end': 507.139, 'src': 'embed', 'start': 481.997, 'weight': 0, 'content': [{'end': 487.001, 'text': 'So the first security best practice is to do image scanning and make sure to build secure images.', 'start': 481.997, 'duration': 5.004}, {'end': 490.364, 'text': 'And there are a lot of tools out there that can help you in that.', 'start': 487.482, 'duration': 2.882}, {'end': 496.509, 'text': 'For example, you have SysTick and Snyk, et cetera, that basically have a database of vulnerabilities,', 'start': 490.805, 'duration': 5.704}, {'end': 503.135, 'text': 'that get updated regularly and they will basically do the scanning of your image against those known vulnerabilities.', 'start': 496.509, 'duration': 6.626}, {'end': 507.139, 'text': "So you need to make sure you're constantly scanning for vulnerabilities.", 'start': 503.576, 'duration': 3.563}], 'summary': 'One security best practice is to regularly scan images for vulnerabilities using tools like systick and snyk.', 'duration': 25.142, 'max_score': 481.997, 'thumbnail': 'https://coursnap.oss-ap-southeast-1.aliyuncs.com/video-capture/oBf5lrmquYI/pics/oBf5lrmquYI481997.jpg'}, {'end': 598.262, 'src': 'embed', 'start': 522.044, 'weight': 1, 'content': [{'end': 531.267, 'text': 'you can run a command of that image scanning tool that checks the image for any insecure tools or packages for dependencies with any vulnerabilities,', 'start': 522.044, 'duration': 9.223}, {'end': 534.988, 'text': 'as well as it also checks for an insecure configuration.', 'start': 531.267, 'duration': 3.721}, {'end': 538.011, 'text': 'and any hard coded secrets, for example.', 'start': 535.649, 'duration': 2.362}, {'end': 545.997, 'text': 
'So once the image is built and it basically passes that vulnerability scan or security scan, it can be pushed to a repository.', 'start': 538.451, 'duration': 7.546}, {'end': 553.744, 'text': 'However, it could happen that a vulnerability gets discovered after an image was scanned and pushed to the repository.', 'start': 546.578, 'duration': 7.166}, {'end': 562.189, 'text': 'As I said, tools like Snyk, for example, they have a database of vulnerabilities that gets updated constantly when new ones get discovered.', 'start': 554.298, 'duration': 7.891}, {'end': 572.882, 'text': 'So a lot of image registries like Docker, Hub and so on actually have a feature for scanning images in the repository itself,', 'start': 562.55, 'duration': 10.332}, {'end': 585.589, 'text': "which means it's also important to scan images regularly that have already been pushed to a registry to make sure there are no vulnerabilities that appeared after the image was built.", 'start': 572.882, 'duration': 12.707}, {'end': 593.436, 'text': 'Another security best practice is to avoid using root user in your containers and running your containers with privileges.', 'start': 586.17, 'duration': 7.266}, {'end': 598.262, 'text': "If you have a vulnerability in an image and it's running with a root user,", 'start': 594.077, 'duration': 4.185}], 'summary': 'Image scanning tool checks for vulnerabilities and insecure configurations before pushing to repository; regular scanning needed post-push.', 'duration': 76.218, 'max_score': 522.044, 'thumbnail': 'https://coursnap.oss-ap-southeast-1.aliyuncs.com/video-capture/oBf5lrmquYI/pics/oBf5lrmquYI522044.jpg'}, {'end': 675.566, 'src': 'embed', 'start': 644.132, 'weight': 4, 'content': [{'end': 649.954, 'text': 'So avoid running privileged containers to make it harder to break out from it,', 'start': 644.132, 'duration': 5.822}, {'end': 659.057, 'text': 'because this way the attacker will have to first get access to the root user inside the container and 
then they will be able to break out and access the host.', 'start': 649.954, 'duration': 9.103}, {'end': 667.3, 'text': 'Now, once our application is deployed and running in Kubernetes, we have a number of things to secure inside the cluster itself.', 'start': 660.157, 'duration': 7.143}, {'end': 675.566, 'text': 'First of all, who can access the cluster? Which human or application users??', 'start': 671.325, 'duration': 4.241}], 'summary': 'Avoid running privileged containers to enhance security in kubernetes.', 'duration': 31.434, 'max_score': 644.132, 'thumbnail': 'https://coursnap.oss-ap-southeast-1.aliyuncs.com/video-capture/oBf5lrmquYI/pics/oBf5lrmquYI644132.jpg'}], 'start': 460.269, 'title': 'Image scanning and security best practices in kubernetes', 'summary': 'Emphasizes the importance of image scanning for secure container images and in ci cd pipelines, highlighting the use of tools like systick and snyk. it also discusses security best practices in kubernetes, including running images with a service user, avoiding misconfigurations, and securing access and privileges within the cluster.', 'chapters': [{'end': 503.135, 'start': 460.269, 'title': 'Image scanning for secure container images', 'summary': 'Highlights the importance of image scanning to prevent vulnerabilities in container images, emphasizing the use of tools like systick and snyk to regularly scan for known vulnerabilities, ensuring the creation of secure images.', 'duration': 42.866, 'highlights': ['Tools like SysTick and Snyk are recommended for image scanning to prevent vulnerabilities in container images.', 'Regular updates of vulnerability databases are crucial for effective image scanning.', 'The chapter emphasizes the significance of preventing vulnerabilities in container images to avoid serious security issues.']}, {'end': 598.262, 'start': 503.576, 'title': 'Image scanning for ci cd pipeline', 'summary': 'Discusses the importance of image scanning in ci cd pipeline, highlighting the 
process of image scanning, checking for vulnerabilities, and the need for regular scanning of images in the repository, with tools like snyk providing constant updates on vulnerabilities.', 'duration': 94.686, 'highlights': ['Using image scanning tools in the CI CD pipeline, you can scan images before pushing them to the repository, checking for insecure tools, packages, dependencies, configurations, and hard coded secrets.', 'Tools like Snyk have a constantly updated database of vulnerabilities, enabling the scanning of images in the repository to detect any vulnerabilities discovered after the image was built.', 'Regularly scanning images in the repository is important to ensure there are no vulnerabilities that appeared after the image was built.', 'Avoid using root user in containers and running containers with privileges to adhere to security best practices.']}, {'end': 693.453, 'start': 598.262, 'title': 'Security best practices in kubernetes', 'summary': 'Discusses the importance of running images with a service user instead of root user, the risks of misconfiguring pod settings, and the significance of securing access and privileges within the kubernetes cluster.', 'duration': 95.191, 'highlights': ['Running images with a service user instead of root user is important to avoid potential security breaches, as misconfiguring pod settings can allow access to the host network, leading to very insecure pods.', 'Avoiding running privileged containers is crucial as it makes it harder for attackers to break out from the container and access the host, enhancing overall security within the Kubernetes environment.', "Securing access and privileges within the Kubernetes cluster is essential to prevent unauthorized access and potential malicious activities, especially in the event of an attacker gaining access to authorized parties' identities."]}], 'duration': 233.184, 'thumbnail': 
'https://coursnap.oss-ap-southeast-1.aliyuncs.com/video-capture/oBf5lrmquYI/pics/oBf5lrmquYI460269.jpg', 'highlights': ['Tools like Snyk and SysTick are recommended for image scanning to prevent vulnerabilities in container images.', 'Regular updates of vulnerability databases are crucial for effective image scanning.', 'Using image scanning tools in the CI CD pipeline, you can scan images before pushing them to the repository, checking for insecure tools, packages, dependencies, configurations, and hard coded secrets.', 'Running images with a service user instead of root user is important to avoid potential security breaches.', 'Avoiding running privileged containers is crucial as it makes it harder for attackers to break out from the container and access the host, enhancing overall security within the Kubernetes environment.', 'Securing access and privileges within the Kubernetes cluster is essential to prevent unauthorized access and potential malicious activities.']}, {'end': 1031.449, 'segs': [{'end': 743.999, 'src': 'embed', 'start': 693.913, 'weight': 0, 'content': [{'end': 699.135, 'text': "Therefore, we need to manage users' roles and their permissions in Kubernetes.", 'start': 693.913, 'duration': 5.222}, {'end': 703.437, 'text': 'And we need to keep these permissions as restricted as possible.', 'start': 699.855, 'duration': 3.582}, {'end': 710.48, 'text': 'If someone in the team needs access to troubleshoot or debug pods in my app namespace,', 'start': 704.057, 'duration': 6.423}, {'end': 715.943, 'text': 'then they should be given read-only permission to Kubernetes resources in that namespace only.', 'start': 710.48, 'duration': 5.463}, {'end': 724.448, 'text': 'So how do we manage users and their permissions in Kubernetes? 
For that, we have RBAC or role based access control.', 'start': 716.403, 'duration': 8.045}, {'end': 731.432, 'text': 'And these are Kubernetes resources that allows you to create roles in Kubernetes with certain permissions.', 'start': 725.228, 'duration': 6.204}, {'end': 741.618, 'text': 'For example, a role that allows viewing, creating and updating deployments, services, config maps in a namespace called database.', 'start': 731.812, 'duration': 9.806}, {'end': 743.999, 'text': 'So that would be one role right?', 'start': 742.318, 'duration': 1.681}], 'summary': "Manage users' roles and permissions in kubernetes using rbac for restricted access.", 'duration': 50.086, 'max_score': 693.913, 'thumbnail': 'https://coursnap.oss-ap-southeast-1.aliyuncs.com/video-capture/oBf5lrmquYI/pics/oBf5lrmquYI693913.jpg'}, {'end': 826.768, 'src': 'embed', 'start': 796.055, 'weight': 3, 'content': [{'end': 800.119, 'text': 'by generating a client certificate for the Kubernetes API server.', 'start': 796.055, 'duration': 4.064}, {'end': 801.898, 'text': 'for a specific user.', 'start': 800.677, 'duration': 1.221}, {'end': 809.325, 'text': 'So, in our example, client certificates will be generated for both Sarah and Tom for the Kubernetes cluster,', 'start': 802.258, 'duration': 7.067}, {'end': 813.926, 'text': 'and the user for that certificate will be registered as a user in Kubernetes.', 'start': 809.325, 'duration': 4.601}, {'end': 821.927, 'text': 'And once you have that user Sarah, user Tom, both with their own client certificates associated to the cluster,', 'start': 814.426, 'duration': 7.501}, {'end': 826.768, 'text': 'you can then attach those roles with the respective users.', 'start': 821.927, 'duration': 4.841}], 'summary': 'Client certificates generated for sarah and tom, registered as users in kubernetes.', 'duration': 30.713, 'max_score': 796.055, 'thumbnail': 'https://coursnap.oss-ap-southeast-1.aliyuncs.com/video-capture/oBf5lrmquYI/pics/oBf5lrmquYI796055.jpg'}, 
{'end': 872.545, 'src': 'embed', 'start': 845.351, 'weight': 1, 'content': [{'end': 855.778, 'text': 'So, for example, Kubernetes administrators, Kate and Mark, can both get cluster roles associated to their users that allow them to create,', 'start': 845.351, 'duration': 10.427}, {'end': 860.981, 'text': 'view and delete a list of different resources in all the namespaces in the cluster.', 'start': 855.778, 'duration': 5.203}, {'end': 863.963, 'text': 'As I mentioned, you also have non-human users.', 'start': 861.481, 'duration': 2.482}, {'end': 872.545, 'text': "example, if you're deploying to kubernetes cluster from a jenkins pipeline or running a third-party service like istio, for example,", 'start': 864.543, 'duration': 8.002}], 'summary': 'Kubernetes administrators can access cluster roles for resource management.', 'duration': 27.194, 'max_score': 845.351, 'thumbnail': 'https://coursnap.oss-ap-southeast-1.aliyuncs.com/video-capture/oBf5lrmquYI/pics/oBf5lrmquYI845351.jpg'}, {'end': 920.344, 'src': 'embed', 'start': 889.589, 'weight': 5, 'content': [{'end': 896.853, 'text': 'So the way it works is that every pod in Kubernetes gets a service account which they can use to talk to Kubernetes.', 'start': 889.589, 'duration': 7.264}, {'end': 903.256, 'text': 'And service account, just like human users, has roles associated to it with some permissions.', 'start': 897.393, 'duration': 5.863}, {'end': 911.82, 'text': 'And while users have client certificate to authenticate with API server, the service account uses token to authenticate.', 'start': 903.896, 'duration': 7.924}, {'end': 920.344, 'text': "So it's important to know exactly and limit the permissions a service account has, Because if an attacker got access to a pod,", 'start': 912.421, 'duration': 7.923}], 'summary': 'In kubernetes, every pod has a service account with roles and permissions, and uses tokens for authentication.', 'duration': 30.755, 'max_score': 889.589, 'thumbnail': 
'https://coursnap.oss-ap-southeast-1.aliyuncs.com/video-capture/oBf5lrmquYI/pics/oBf5lrmquYI889589.jpg'}, {'end': 1016.763, 'src': 'embed', 'start': 986.93, 'weight': 6, 'content': [{'end': 991.373, 'text': 'which other pods and also which pods they can receive traffic from.', 'start': 986.93, 'duration': 4.443}, {'end': 995.876, 'text': 'And you can do that with a Kubernetes resource called Network Policies.', 'start': 991.693, 'duration': 4.183}, {'end': 1000.517, 'text': 'So, using network policies, you can define a rule that, for example,', 'start': 996.556, 'duration': 3.961}, {'end': 1010.701, 'text': 'a front end service can only talk to the back end service but it cannot talk to database or an authentication service that are running in the cluster.', 'start': 1000.517, 'duration': 10.184}, {'end': 1016.763, 'text': 'And you can define the database pod can only receive traffic from back end pod and so on.', 'start': 1011.281, 'duration': 5.482}], 'summary': 'Kubernetes network policies enable specific communication rules between pods, restricting front end service from accessing database or authentication service.', 'duration': 29.833, 'max_score': 986.93, 'thumbnail': 'https://coursnap.oss-ap-southeast-1.aliyuncs.com/video-capture/oBf5lrmquYI/pics/oBf5lrmquYI986930.jpg'}], 'start': 693.913, 'title': "Managing users' roles and permissions in kubernetes and kubernetes rbac", 'summary': "Discusses the importance of managing users' roles and permissions in kubernetes, particularly through rbac, to restrict and specify access to resources in different namespaces for team members. 
it also covers setting up client certificates, roles, and cluster roles for access control, using service accounts for non-human users, and implementing network policies to limit pod communication for enhanced security in a kubernetes cluster.", 'chapters': [{'end': 796.055, 'start': 693.913, 'title': "Managing users' roles and permissions in kubernetes", 'summary': "Discusses the importance of managing users' roles and permissions in kubernetes, particularly through rbac, to restrict and specify access to resources in different namespaces for team members.", 'duration': 102.142, 'highlights': ['RBAC or role based access control allows creating roles in Kubernetes with specific permissions, such as viewing, creating, and updating deployments, services, and config maps in a designated namespace. RBAC in Kubernetes enables the creation of roles with specific permissions, e.g., viewing, creating, and updating resources in a namespace, ensuring fine-grained access control.', 'Users are indirectly created in Kubernetes by associating roles with actual team members, such as granting a role to Sarah for deploying and managing database services and providing a view-only role to a junior developer like Tom. Users in Kubernetes are indirectly created by associating roles with team members, e.g., granting deployment and management permissions to Sarah and providing view-only access to junior developer Tom.', 'Permissions should be as restricted as possible, ensuring that team members are granted only the necessary access to troubleshoot or debug pods in specific namespaces. 
Emphasizes the importance of restricting permissions, granting access only as necessary for troubleshooting or debugging pods in designated namespaces.']}, {'end': 1031.449, 'start': 796.055, 'title': 'Kubernetes rbac and network policies', 'summary': 'Covers setting up client certificates for users, roles and cluster roles for access control, using service accounts for non-human users, and implementing network policies to limit pod communication for enhanced security in a kubernetes cluster.', 'duration': 235.394, 'highlights': ['Setting up client certificates for users and attaching roles for access control Users like Sarah and Tom are provided with client certificates for authentication, and roles are attached to them for controlling access to resources within the Kubernetes cluster.', 'Defining cluster roles for administrators with access to multiple namespaces or the entire cluster Kubernetes administrators like Kate and Mark are assigned cluster roles for creating, viewing, and deleting various resources across all namespaces in the cluster.', 'Utilizing service accounts for non-human users and managing their permissions Non-human users, such as pods in Kubernetes, utilize service accounts with associated roles and permissions, which are crucial for securing access to the cluster and preventing potential attacks.', 'Implementing network policies to restrict pod communication and enhance security Network policies are used to create rules for limiting communication between pods, ensuring that only specific pods can interact with each other, thereby enhancing the security of the Kubernetes cluster.']}], 'duration': 337.536, 'thumbnail': 'https://coursnap.oss-ap-southeast-1.aliyuncs.com/video-capture/oBf5lrmquYI/pics/oBf5lrmquYI693913.jpg', 'highlights': ['RBAC in Kubernetes enables the creation of roles with specific permissions, e.g., viewing, creating, and updating resources in a namespace, ensuring fine-grained access control.', 'Users in Kubernetes are 
indirectly created by associating roles with team members, e.g., granting deployment and management permissions to Sarah and providing view-only access to junior developer Tom.', 'Emphasizes the importance of restricting permissions, granting access only as necessary for troubleshooting or debugging pods in designated namespaces.', 'Users like Sarah and Tom are provided with client certificates for authentication, and roles are attached to them for controlling access to resources within the Kubernetes cluster.', 'Kubernetes administrators like Kate and Mark are assigned cluster roles for creating, viewing, and deleting various resources across all namespaces in the cluster.', 'Non-human users, such as pods in Kubernetes, utilize service accounts with associated roles and permissions, which are crucial for securing access to the cluster and preventing potential attacks.', 'Network policies are used to create rules for limiting communication between pods, ensuring that only specific pods can interact with each other, thereby enhancing the security of the Kubernetes cluster.']}, {'end': 1780.285, 'segs': [{'end': 1146.265, 'src': 'embed', 'start': 1120.145, 'weight': 0, 'content': [{'end': 1128.671, 'text': 'With service mesh like Istio, in addition to defining the service communication rules, you can also enable mutual TLS between the services.', 'start': 1120.145, 'duration': 8.526}, {'end': 1132.093, 'text': 'So all the communication between them will be encrypted.', 'start': 1129.251, 'duration': 2.842}, {'end': 1137.457, 'text': "And that means if an attacker sees the traffic inside the cluster, they won't be able to read it.", 'start': 1132.433, 'duration': 5.024}, {'end': 1146.265, 'text': 'So encrypting cluster internal communication is another good security practice that will give you an additional layer of security.', 'start': 1137.998, 'duration': 8.267}], 'summary': 'With istio service mesh, enabling mutual tls encrypts internal communication, adding 
security.', 'duration': 26.12, 'max_score': 1120.145, 'thumbnail': 'https://coursnap.oss-ap-southeast-1.aliyuncs.com/video-capture/oBf5lrmquYI/pics/oBf5lrmquYI1120145.jpg'}, {'end': 1227.015, 'src': 'embed', 'start': 1205.585, 'weight': 1, 'content': [{'end': 1214.93, 'text': 'So some third party tools can be used for this, like AWS KMS, which is Key Management Service, for example, can be used to manage the encryption keys.', 'start': 1205.585, 'duration': 9.345}, {'end': 1222.293, 'text': 'Or a service like Vault from HashiCorp can be used to securely store the secrets themselves.', 'start': 1215.37, 'duration': 6.923}, {'end': 1227.015, 'text': 'And Vault would actually take over storing and managing the secret data.', 'start': 1222.753, 'duration': 4.262}], 'summary': 'Aws kms and vault can be used to manage encryption keys and store secrets securely.', 'duration': 21.43, 'max_score': 1205.585, 'thumbnail': 'https://coursnap.oss-ap-southeast-1.aliyuncs.com/video-capture/oBf5lrmquYI/pics/oBf5lrmquYI1205585.jpg'}, {'end': 1331.944, 'src': 'embed', 'start': 1303.12, 'weight': 2, 'content': [{'end': 1307.023, 'text': 'whether inside the cluster itself or outside, managed separately.', 'start': 1303.12, 'duration': 3.903}, {'end': 1317.21, 'text': "But generally speaking, it's a good practice to put your etcd behind a firewall and allow only the API server to access it with proper authentication.", 'start': 1307.623, 'duration': 9.587}, {'end': 1324.516, 'text': "In addition to that, the whole etcd data can be encrypted, so even if the attacker gets access to it, they won't be able to read it.", 'start': 1317.691, 'duration': 6.825}, {'end': 1331.944, 'text': 'Now, etcd stores the cluster configuration data.', 'start': 1328.379, 'duration': 3.565}], 'summary': 'Etcd should be secured behind a firewall, encrypted, and only accessible by the api server.', 'duration': 28.824, 'max_score': 1303.12, 'thumbnail': 
'https://coursnap.oss-ap-southeast-1.aliyuncs.com/video-capture/oBf5lrmquYI/pics/oBf5lrmquYI1303120.jpg'}, {'end': 1443.798, 'src': 'embed', 'start': 1415.723, 'weight': 3, 'content': [{'end': 1419.686, 'text': 'And since, as I mentioned, K10 is so focused on security,', 'start': 1415.723, 'duration': 3.963}, {'end': 1428.713, 'text': 'they have all the mechanisms in place to both transfer the data as well as store that backup data securely and encrypting it throughout.', 'start': 1419.686, 'duration': 9.027}, {'end': 1438.277, 'text': 'Now, in addition to attackers corrupting or stealing your data, the attacks may be so advanced that they will try to get the backups as well.', 'start': 1429.594, 'duration': 8.683}, {'end': 1443.798, 'text': 'So they will corrupt the database data plus all the backups that you have for the data.', 'start': 1438.657, 'duration': 5.141}], 'summary': 'K10 ensures secure data transfer and storage, including advanced backup protection.', 'duration': 28.075, 'max_score': 1415.723, 'thumbnail': 'https://coursnap.oss-ap-southeast-1.aliyuncs.com/video-capture/oBf5lrmquYI/pics/oBf5lrmquYI1415723.jpg'}, {'end': 1488.736, 'src': 'embed', 'start': 1463.769, 'weight': 4, 'content': [{'end': 1469.273, 'text': 'And a big advantage of K10 is also that you can backup all the Kubernetes related data with it.', 'start': 1463.769, 'duration': 5.504}, {'end': 1476.279, 'text': 'So not only the application data in Kubernetes, but also the data outside Kubernetes, plus the etcd store data.', 'start': 1469.633, 'duration': 6.646}, {'end': 1483.985, 'text': 'And this is great because you have one tool and one automated mechanism for all your relevant backups for your cluster.', 'start': 1476.579, 'duration': 7.406}, {'end': 1488.736, 'text': "If you want to know exactly how K10's backup and restore mechanism works.", 'start': 1484.585, 'duration': 4.151}], 'summary': 'K10 offers a single tool for backing up all kubernetes-related data, including application 
data, data outside kubernetes, and etcd store data, streamlining the backup process for your cluster.', 'duration': 24.967, 'max_score': 1463.769, 'thumbnail': 'https://coursnap.oss-ap-southeast-1.aliyuncs.com/video-capture/oBf5lrmquYI/pics/oBf5lrmquYI1463769.jpg'}, {'end': 1553.861, 'src': 'embed', 'start': 1524.375, 'weight': 5, 'content': [{'end': 1531.441, 'text': "Maybe their pod configurations are super insecure because they don't have enough knowledge about security configuration best practices.", 'start': 1524.375, 'duration': 7.066}, {'end': 1536.125, 'text': "And you can't just manually check everything they deploy to the cluster.", 'start': 1532.082, 'duration': 4.043}, {'end': 1543.572, 'text': "So how can you deal with such a scenario? Well, for that, there are what's called security policies in Kubernetes.", 'start': 1536.666, 'duration': 6.906}, {'end': 1553.861, 'text': 'With security policies, you can define some rules such as Pods that run privileged containers or container with root user cannot be deployed.', 'start': 1544.232, 'duration': 9.629}], 'summary': 'Insecure pod configurations due to lack of knowledge can be addressed using kubernetes security policies.', 'duration': 29.486, 'max_score': 1524.375, 'thumbnail': 'https://coursnap.oss-ap-southeast-1.aliyuncs.com/video-capture/oBf5lrmquYI/pics/oBf5lrmquYI1524375.jpg'}, {'end': 1684.5, 'src': 'embed', 'start': 1657.193, 'weight': 6, 'content': [{'end': 1663.715, 'text': 'And for that, you need a tool that allows you to recover the cluster in the same state with the latest backup.', 'start': 1657.193, 'duration': 6.522}, {'end': 1672.116, 'text': 'So again, tool like K10 has a feature to take the last backup and let you do the disaster recovery in an automated way.', 'start': 1664.095, 'duration': 8.021}, {'end': 1680.538, 'text': 'And an important emphasis here is on the automated recovery, because in such a scenario, when your system is under attack,', 'start': 1672.597, 'duration': 
7.941}, {'end': 1684.5, 'text': "you don't want to be manually recovering your cluster under time pressure.", 'start': 1680.538, 'duration': 3.962}], 'summary': 'K10 tool enables automated disaster recovery with latest backup for clusters under attack.', 'duration': 27.307, 'max_score': 1657.193, 'thumbnail': 'https://coursnap.oss-ap-southeast-1.aliyuncs.com/video-capture/oBf5lrmquYI/pics/oBf5lrmquYI1657193.jpg'}, {'end': 1780.285, 'src': 'heatmap', 'start': 1761.667, 'weight': 1, 'content': [{'end': 1766.772, 'text': 'Well, I hope the security practices that I explained in this video were already super helpful.', 'start': 1761.667, 'duration': 5.105}, {'end': 1776.841, 'text': "Please comment and share your experiences with security in Kubernetes and which security practice that I haven't mentioned here is also very important.", 'start': 1767.112, 'duration': 9.729}, {'end': 1780.285, 'text': 'And with that, thank you for watching and see you in the next video.', 'start': 1777.342, 'duration': 2.943}], 'summary': 'Video covered security practices in kubernetes, seeking feedback on unmentioned practices.', 'duration': 18.618, 'max_score': 1761.667, 'thumbnail': 'https://coursnap.oss-ap-southeast-1.aliyuncs.com/video-capture/oBf5lrmquYI/pics/oBf5lrmquYI1761667.jpg'}], 'start': 1031.449, 'title': 'Kubernetes security best practices', 'summary': "Emphasizes securing kubernetes through encryption, securing secrets, and protecting etcd store, highlighting tools like istio, aws kms, and vault, and discusses backup and restore systems, security policies, and disaster recovery mechanisms with a focus on kasten's k10 tool.", 'chapters': [{'end': 1387.46, 'start': 1031.449, 'title': 'Kubernetes security best practices', 'summary': 'Highlights the importance of securing kubernetes by encrypting internal communication, securing secrets, and protecting etcd store, emphasizing the use of tools like istio, aws kms, and vault for encryption and management, as well as the potential 
risks and consequences of data breaches.', 'duration': 356.011, 'highlights': ['Encrypting internal communication using service mesh like Istio and enabling mutual TLS between services is crucial for securing Kubernetes, preventing attackers from intercepting and reading unencrypted communication between pods. Importance of encrypting internal communication, using Istio for defining communication rules, enabling mutual TLS for encrypted communication, and preventing attackers from intercepting unencrypted pod communication.', 'Securing and encrypting sensitive data like credentials and private keys is essential to prevent unauthorized access, with the use of third-party tools such as AWS KMS or Vault for managing encryption keys and securely storing secrets. Importance of securing sensitive data, using AWS KMS or Vault for managing encryption keys, and securely storing secrets to prevent unauthorized access.', 'Protecting the etcd store, which holds cluster configuration data, by encrypting the data, securing access with proper authentication, and putting it behind a firewall is critical to prevent unauthorized changes and access to the cluster resources. Importance of protecting etcd store, encrypting the data, securing access with proper authentication, and putting it behind a firewall to prevent unauthorized changes and access to the cluster resources.']}, {'end': 1780.285, 'start': 1387.82, 'title': 'Security best practices for kubernetes', 'summary': "Discusses the importance of automated backup and restore systems, immutable backups, security policies, and disaster recovery mechanisms to secure kubernetes clusters, with a focus on kasten's k10 tool.", 'duration': 392.465, 'highlights': ["K10 offers immutable backups, ensuring that the data can't be manipulated or corrupted, providing enhanced protection against advanced attacks. 
Immutable backups feature of K10", "K10 allows for automated backup and restore of all Kubernetes-related data, including application data, data outside Kubernetes, and etcd store data, simplifying the backup process for the entire cluster. K10's capability to backup all Kubernetes-related data", 'Implementing security policies in Kubernetes with tools like Open Policy Agent or Kubernetes can automate validations for various security configurations, ensuring that developers also apply security best practices when deploying applications. Automated validation of security configurations using security policies in Kubernetes', "Having a proper strategy and mechanism for disaster recovery, such as K10's automated recovery feature, can minimize the effect of an attack and quickly restore the cluster to the latest backup, ensuring minimal impact on user experience. K10's automated recovery feature for disaster recovery"]}], 'duration': 748.836, 'thumbnail': 'https://coursnap.oss-ap-southeast-1.aliyuncs.com/video-capture/oBf5lrmquYI/pics/oBf5lrmquYI1031449.jpg', 'highlights': ['Importance of encrypting internal communication, using Istio for defining communication rules, enabling mutual TLS for encrypted communication, and preventing attackers from intercepting unencrypted pod communication.', 'Importance of securing sensitive data, using AWS KMS or Vault for managing encryption keys, and securely storing secrets to prevent unauthorized access.', 'Importance of protecting etcd store, encrypting the data, securing access with proper authentication, and putting it behind a firewall to prevent unauthorized changes and access to the cluster resources.', 'Immutable backups feature of K10', "K10's capability to backup all Kubernetes-related data", 'Automated validation of security configurations using security policies in Kubernetes', "K10's automated recovery feature for disaster recovery"]}], 'highlights': ['The growing number of cloud native applications mostly use Kubernetes 
as a platform, making it an attractive target for hackers.', 'Common number one issue is when someone gets access from Kubernetes platform to the underlying operating system, in which case an attacker can do a lot of damage to the whole system.', 'Security best practice generally is to be redundant, using many security mechanisms in place to protect every attack point.', 'The video emphasizes the importance of security in Kubernetes due to the complexity of setting up and configuring a Kubernetes cluster, making it an afterthought for many. This highlights the challenge of prioritizing security in complex systems.', "Kasten's K10 offers features and integrations to secure Kubernetes services.", 'Developers should eliminate unnecessary packages, libraries, and dependencies in the application image.', 'Choosing leaner and smaller base images with fewer tools can minimize the attack surface.', 'Regular updates of vulnerability databases are crucial for effective image scanning.', 'Using image scanning tools in the CI CD pipeline, you can scan images before pushing them to the repository, checking for insecure tools, packages, dependencies, configurations, and hard coded secrets.', 'Running images with a service user instead of root user is important to avoid potential security breaches.', 'Avoiding running privileged containers is crucial as it makes it harder for attackers to break out from the container and access the host, enhancing overall security within the Kubernetes environment.', 'Securing access and privileges within the Kubernetes cluster is essential to prevent unauthorized access and potential malicious activities.', 'RBAC in Kubernetes enables the creation of roles with specific permissions, e.g., viewing, creating, and updating resources in a namespace, ensuring fine-grained access control.', 'Users in Kubernetes are indirectly created by associating roles with team members, e.g., granting deployment and management permissions to Sarah and providing 
view-only access to junior developer Tom.', 'Emphasizes the importance of restricting permissions, granting access only as necessary for troubleshooting or debugging pods in designated namespaces.', 'Users like Sarah and Tom are provided with client certificates for authentication, and roles are attached to them for controlling access to resources within the Kubernetes cluster.', 'Kubernetes administrators like Kate and Mark are assigned cluster roles for creating, viewing, and deleting various resources across all namespaces in the cluster.', 'Non-human users, such as pods in Kubernetes, utilize service accounts with associated roles and permissions, which are crucial for securing access to the cluster and preventing potential attacks.', 'Network policies are used to create rules for limiting communication between pods, ensuring that only specific pods can interact with each other, thereby enhancing the security of the Kubernetes cluster.', 'Importance of encrypting internal communication, using Istio for defining communication rules, enabling mutual TLS for encrypted communication, and preventing attackers from intercepting unencrypted pod communication.', 'Importance of securing sensitive data, using AWS KMS or Vault for managing encryption keys, and securely storing secrets to prevent unauthorized access.', 'Importance of protecting etcd store, encrypting the data, securing access with proper authentication, and putting it behind a firewall to prevent unauthorized changes and access to the cluster resources.', 'Immutable backups feature of K10', "K10's capability to backup all Kubernetes-related data", 'Automated validation of security configurations using security policies in Kubernetes', "K10's automated recovery feature for disaster recovery"]}