**This notebook covered by the following [license](License.ipynb)  This note must not be removed**

# Break until 15:35


# Kubernetes Security

## Day 1: Introduction

- repetition of the basics
- what is running in my cluster?
- the Linux heritage: Linux namespaces, capabilities, seccomp, SELinux and AppArmor
- containers and virtualization
- container runtimes: beyond Docker
- pods, daemonsets, statefulsets and other workloads
- architectural aspects
- the most common errors
- container patterns, designing containers with security in mind
- secure architecture: does an application need to be privileged?
- databases in Kubernetes
- access to the Host Filesystem
- standards (German BSI, NIST, CIS)
- container images
- SecDevOps in secure environments
- filtering

## Day 2: networks

- services
- ingress as an additional network layer
- transport layer security and secrets
- NetworkPolicies
- distributed firewalls
- when do you need service meshes?

## Day 3: Hardening Kubernetes

- PodSecurityPolicies
- Admission Controller, Open Policy Agent
- Users, Roles and RBAC (Role Based Access Control)
- Audit Logs
- What is a Pod allowed to do?
- distributions
- cloud vendors
- On Premises
- criteria for selecting vendors

## Introduction

- [Basics](KubernetesBasics.ipynb)
- [What goes on in my Cluster?](ClusterOverview.ipynb)
- Linux Heritage
   - [Linux Namespaces](Linux%20Namespaces.ipynb)
   - [SELinux](https://platform9.com/blog/selinux-kubernetes-rbac-and-shipping-security-policies-for-on-prem-applications/)
   - [AppArmor](https://kubernetes.io/docs/tutorials/clusters/apparmor/)
   - [seccomp](https://kubernetes.io/docs/tutorials/clusters/seccomp/)
     - [gvisor](https://gvisor.dev/)
     - [Kubernetes Runtime Class](https://kubernetes.io/docs/concepts/containers/runtime-class/)
   - [Linux Capabilities](https://man7.org/linux/man-pages/man7/capabilities.7.html), [Outlook to PodSecurityPolicies](https://kubernetes.io/docs/concepts/policy/pod-security-policy/)
- [Container Runtimes](https://kubernetes.io/docs/setup/production-environment/container-runtimes/)
  - [Open Container Initiative](https://opencontainers.org/) 
- Signatures
   - [Signing with Skopeo](https://github.com/containers/skopeo)
     - [IBM](https://cloud.ibm.com/docs/Registry?topic=Registry-registry_trustedcontent)
     - [Skopeo and OpenShift](https://www.openshift.com/blog/signing-and-verifying-container-images)
     - [Verifying](https://developers.redhat.com/blog/2019/10/29/verifying-signatures-of-red-hat-container-images/)
- Registry [Harbor](https://goharbor.io/)
- Pods, Daemonsets, StatefulSets and other [Workloads](https://kubernetes.io/docs/concepts/workloads/controllers/)
- Secure Containers
   - [Snyk Node.js](https://snyk.io/blog/hacking-docker-containers-by-exploiting-base-image-vulnerabilities/)
   - [Google best practices for building containers](https://cloud.google.com/solutions/best-practices-for-building-containers)
   - [Minimal go container from scratch](https://github.com/endocode/minimal-go-container-from-scratch)
   - [Google Distroless](https://github.com/GoogleContainerTools/distroless)
   - [Alpine](https://www.alpinelinux.org/), [Ariadne Conill's Blog](https://ariadne.space/) 
   - [Unprivileged NGinx](Unprivileged.ipynb)
   - [Impftermine (vaccination appointments) App](https://github.com/kiebitz-oss/apps)
- [Access to the host file system](Kube-Scan-Cloudbomb.ipynb)
- [Secure Architecture](https://www.heise.de/hintergrund/Kubernetes-Security-Teil-3-Im-Spannungsfeld-von-Komplexitaet-und-Sicherheit-4862263.html?seite=all)
- Standards
  - [BSI Bausteine (drafts): user-defined Baustein "Containers under OpenShift"](https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Grundschutz/IT-Grundschutz-Modernisierung/Benutzerdefinierte_BS/openshift.pdf)
    - [OpenShift Installation](https://docs.openshift.com/container-platform/4.6/installing/installing_bare_metal/installing-bare-metal.html)
    - [Code Ready Containers](https://github.com/code-ready/crc)
    - [Heise article on Kubernetes Grundschutz](https://www.heise.de/hintergrund/IT-Grundschutz-BSI-Anforderungen-fuer-Container-und-Kubernetes-6200393.html) Caution: sometimes very imprecise
  - [CIS - Docker Benchmarks](https://www.cisecurity.org/benchmark/docker/)
  - [CIS - Kubernetes](https://www.cisecurity.org/?s=kubernetes)
  - [kube-bench and kubescape](kube-bench.ipynb)
  - [Awesome K8S Security](https://github.com/magnologan/awesome-k8s-security) from [magnologan](https://twitter.com/magnologan)
  - [Ian Coldwater](https://twitter.com/IanColdwater)
  - [NIST Application Container Security Guide](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-190.pdf) 
  - DoD (US Department of Defense)
    - [DoD Container Hardening Process Guide](https://dl.dod.cyber.mil/wp-content/uploads/devsecops/pdf/Final_DevSecOps_Enterprise_Container_Hardening_Guide_1.1.pdf)
    - [DoD Enterprise DevSecOps Reference Design](https://dodcio.defense.gov/Portals/0/Documents/DoD%20Enterprise%20DevSecOps%20Reference%20Design%20v1.0_Public%20Release.pdf)
    - [DoD Enterprise DevSecOps Reference Design: CNCF Kubernetes ](https://dodcio.defense.gov/Portals/0/Documents/Library/DevSecOpsReferenceDesign.pdf)
  - [NSA Hardening Guidance](https://media.defense.gov/2021/Aug/03/2002820425/-1/-1/1/CTR_KUBERNETESHARDENINGGUIDANCE.PDF)
    - [Kubernetes.io: A Closer Look at the NSA Kubernetes Hardening Guide](https://kubernetes.io/blog/2021/10/05/nsa-cisa-kubernetes-hardening-guidance/)
    - [Aquasecurity: A Closer Look Into the NSA Kubernetes Hardening Guide](https://blog.aquasec.com/nsa-kubernetes-hardening-guide)



# Networks

- Ingress seems to be broken: [Ingress Recap](Ingress.ipynb)
  - Kong to the rescue
    - [Kong Start](IngressKongStart.ipynb)
    - [Kong Example](IngressKong.ipynb)
  - [cert-manager](https://github.com/jetstack/cert-manager)
    - [ACME](https://de.wikipedia.org/wiki/Automatic_Certificate_Management_Environment)
      - [Boulder](https://github.com/letsencrypt/boulder)
      - [Smallstep](https://github.com/smallstep)
      - [Digicert](https://docs.digicert.com/certificate-tools/Certificate-lifecycle-automation-index/automation-user-guide/install-automation-agent-webserver/)
    - [Example Helm Template](https://github.com/kiebitz-oss/kubernetes/blob/main/charts/kiebitz/templates/kiebitz-certificate.yaml)
  - [see Google cloud-proxy](https://github.com/GoogleCloudPlatform/cloudsql-proxy)
  - [mkcert](https://github.com/FiloSottile/mkcert)
- Istio
  - Service Mesh
  - [The service mesh manifesto](https://buoyant.io/service-mesh-manifesto/)
  - [Distributed Firewall](https://www1.cs.columbia.edu/~smb/papers/ccs-df.pdf)
  - [NIST Zero Trust](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-207.pdf)
  - [Installation](Istio1.8.2.ipynb)
  - [Traffic Management](Istio-Traffic-Mgmt.ipynb)
  - [Hack](IstioHack.ipynb)
  - Fix it
    - [A Hacker’s Guide to Kubernetes Networking](https://thenewstack.io/hackers-guide-kubernetes-networking/)
    - [Kubernetes Networking](https://kubernetes.io/docs/concepts/cluster-administration/networking/)
    - CNI [Network Plugins](https://kubernetes.io/docs/concepts/extend-kubernetes/compute-storage-net/network-plugins/)
    - [Istio CNI](https://istio.io/latest/docs/setup/additional-setup/cni/)
    - [Istio Platforms](https://istio.io/latest/docs/concepts/what-is-istio/#platform-support)
  - Other Meshes
    - [Service Mesh](https://servicemesh.es/)
- [NetworkPolicies](NetworkPolicy.ipynb)
  - Calico
  - Traffic Control
  - Testing with Netcat
  - [Multi Tenancy](https://blog.jessfraz.com/post/hard-multi-tenancy-in-kubernetes/)
- Misc
  - Maglev 
    - [GitHub](https://github.com/kkdai/maglev)
    - [Google Research](https://research.google/pubs/pub44824/)
  - [Wireguard Wormhole](https://goteleport.com/blog/announcing-wormhole/)
  - [CNCF Landscape Networking](https://landscape.cncf.io/card-mode?category=cloud-native-network&grouping=category)
  - [Machine Config Operator](https://github.com/openshift/machine-config-operator)
  - [Multus](https://github.com/k8snetworkplumbingwg/multus-cni)

## Kubernetes Hardening

- Resilience Concepts
  - [Google SRE](https://sre.google/books/)
  - High Availability
  - Highest Availability
    - [BSI site selection criteria (Standortwahl)](https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/RZ-Sicherheit/Standort-Kriterien_Rechenzentren.html)
    - [Commentary by f-i-ts: geo-redundancy](https://www.finsurance-it-services.de/blog/bsi-anforderungen-die-georedundanz)
  - Design for Resilience
    - Racks, Zones, Regions
    - Resilience Testing
      - [Chaos Engineering](https://en.wikipedia.org/wiki/Chaos_engineering)
      - [The Netflix Simian Army](https://netflixtechblog.com/the-netflix-simian-army-16e57fbab116)
      - [Blast Radius: AWS](https://aws.amazon.com/de/getting-started/fundamentals-core-concepts/)
    - [Eschborner Landstraße 100](https://www.google.de/maps/place/Eschborner+Landstra%C3%9Fe+100,+60489+Frankfurt+am+Main/@50.1295737,8.5978761,521m/data=!3m1!1e3!4m5!3m4!1s0x47bd0996b4099c65:0x3114c7b98478ce03!8m2!3d50.1281919!4d8.6014355)
- [12factor](https://12factor.net/)
- Databases
  - Concepts
    - Migration vs Clustering
    - Load considerations
      - High Availability
      - Node Restore under load
    - Level of Done
    - Infrastructure Nodes
  - [Postgres Operator by Zalando](Postgres%20Zalando.ipynb), at [Operator Hub](https://operatorhub.io/operator/postgres-operator)
  - [Vitess](https://vitess.io/)
  - [Bloomberg Solr](https://2019.berlinbuzzwords.de/19/session/running-solr-within-kubernetes-scale.html)
  - [Snapshots](https://kubernetes.io/docs/concepts/storage/volume-snapshots/)
  - [Encrypted Volumes](https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/)
- [Audit Logs](AuditLogs.ipynb)
  - [FluentD](https://docs.fluentd.org/v/0.12/) 
- [Service Account Token](ServiceAccountToken.ipynb)
- [OpenShift Examples](OpenShift/Overview.ipynb)
- [Further Hardening](https://github.com/thomasfricke/container-hardening)
- [Nico Meisenzahl escalation into Azure](https://github.com/nmeisenzahl/hijack-kubernetes/blob/main/docs/hands-on.md)
- [Unprivileged $\neq$ Hardened](Unprivileged.ipynb)
- [PodSecurityPolicies](https://kubernetes.io/docs/concepts/policy/pod-security-policy/)
  - [Basics](PodSecurityPolicyBasic.ipynb)
  - [Permissive](PodSecurityPolicyPermissive.ipynb)
  - [Strict](PodSecurityPolicyStrict.ipynb)
- [Accounts and Permissions](AccountWithRBAC.ipynb)  
- [Heise article](https://www.heise.de/hintergrund/Kubernetes-Security-Teil-3-Im-Spannungsfeld-von-Komplexitaet-und-Sicherheit-4862263.html?seite=all)
- OAuth2
- [OpenPolicyAgent](OpenPolicyAgent.ipynb)
  - [Rego Examples](https://gist.github.com/garethr/ea41afb1b6562cdb2b1555719f51f90e)
# Breaking news - latest

- [CVE-2021-25742 Ingress Nginx Lua Snippets](https://github.com/kubernetes/ingress-nginx/issues/7837)
- [Impftermine - Kiebitz](https://github.com/kiebitz-oss/kubernetes)
- [Cilium Beta](https://cilium.io/blog/2021/12/01/cilium-service-mesh-beta)
- [StackRox](https://www.stackrox.com/), [acquired by Red Hat](https://www.redhat.com/en/blog/red-hat-closes-acquisition-stackrox)
- [Cosign](https://github.com/sigstore/cosign)

# Sources

- [Talk ContainerConf](https://drive.google.com/file/d/15EHHoFQWa4m_GfIAYqTvYmXWU3Kg2Ig6/view)
- [Securing a Cluster](https://kubernetes.io/docs/tasks/administer-cluster/securing-a-cluster/)
- [Concepts Security](https://kubernetes.io/docs/concepts/security/), what?
- [Liz Rice, Brendan Burns: The Definitive Guide to Securing Kubernetes](https://cdn2.hubspot.net/hubfs/1665891/Assets/The%20Definitive%20Guide%20to%20Securing%20Kubernetes.pdf), advertising
- [Liz Rice & Michael Hausenblas: Kubernetes Security](https://cdn2.hubspot.net/hubfs/1665891/Assets/Kubernetes%20Security%20-%20Operating%20Kubernetes%20Clusters%20and%20Applications%20Safely.pdf) better, but still too basic

# High Availability

## Highest availability (Höchstverfügbarkeit)
[Geo-redundancy](https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Sicherheitsberatung/Standort-Kriterien_RZ/Standort-Kriterien_Rechenzentren.pdf)

## Resilience
### Chaos Engineering

In [22]:

```bash
# Remove artifacts left over from earlier runs, then pack the notebook files
# (top level only, no recursion into subdirectories) into a tarball in /tmp.
rm -f my-kubeconfig my-namespace-rbac.dot my-namespace-rbac.png minikube.dot minikube.png notebooks.tgz
(cd .. ; tar cfz /tmp/notebooks.tgz --no-recursion notebooks/*.*)
```

In [23]:

```bash
# Move the tarball into the current directory and list its contents.
mv /tmp/notebooks.tgz .
tar tzf notebooks.tgz
```

notebooks/AccountWithRBAC.ipynb
notebooks/AuditLogs.ipynb
notebooks/ClusterOverview.ipynb
notebooks/ContainerdCloudbomb.ipynb
notebooks/CrioBomb.ipynb
notebooks/Helm.ipynb
notebooks/Ingress.ipynb
notebooks/IngressStart.ipynb
notebooks/Istio-Traffic-Mgmt.ipynb
notebooks/Istio1.8.2.ipynb
notebooks/IstioHack.ipynb
notebooks/Kube-Scan-Cloudbomb.ipynb
notebooks/KubernetesBasics.ipynb
notebooks/Linux Namespaces.ipynb
notebooks/NetworkPolicy.ipynb
notebooks/OpenPolicyAgent.ipynb
notebooks/Overview.ipynb
notebooks/PodSecurityPolicyBasic.ipynb
notebooks/PodSecurityPolicyPermissive.ipynb
notebooks/PodSecurityPolicyStrict.ipynb
notebooks/Postgres Zalando.ipynb
notebooks/ServiceAccountToken.ipynb
notebooks/Unprivileged.ipynb
notebooks/audit-policy.yaml
notebooks/docker-hypervisor.png
notebooks/istio-1.8.2/
notebooks/kube-bench.ipynb


# Break until 15:00