**This notebook covered by the following [license](License.ipynb)  This note must not be removed**


# Kubernetes Security

## Day 1: Introduction

- repetition of the basics
- what is running in my cluster?
- the Linux heritage: Linux Namespaces, Capabilities, seccomp, SELinux and AppArmor
- containers and virtualization
- container runtimes: beyond Docker
- pods, daemonsets, statefulsets and other workloads
- architectural aspects
- the most common errors
- container patterns, designing containers with security in mind
- secure architecture: does an application need to be privileged?
- databases in Kubernetes
- access to the Host Filesystem
- standards (German BSI, NIST, CIS)
- container images
- SecDevOps in secure environments
- filtering

## Day 2: networks

- services
- ingress as an additional network layer
- transport layer security and secrets
- NetworkPolicies
- distributed firewalls
- when do you need service meshes?

## Day 3: Hardening Kubernetes

- PodSecurityPolicies
- Admission Controller, Open Policy Agent
- Users, Roles and RBAC (Role Based Access Control)
- Audit Logs
- What is a Pod allowed to do?
- distributions
- cloud vendors
- On Premises
- criteria for selecting vendors

## Introduction

- [Basics](KubernetesBasics.ipynb)
- [What goes on in my Cluster?](ClusterOverview.ipynb)
- Linux Heritage
   - [Linux Namespaces](Linux%20Namespaces.ipynb)
   - [SELinux](https://platform9.com/blog/selinux-kubernetes-rbac-and-shipping-security-policies-for-on-prem-applications/)
   - [AppArmor](https://kubernetes.io/docs/tutorials/clusters/apparmor/)
   - [seccomp](https://kubernetes.io/docs/tutorials/clusters/seccomp/)
     - [gvisor](https://gvisor.dev/)
   - [Linux Capabilities](https://man7.org/linux/man-pages/man7/capabilities.7.html), [Outlook to PodSecurityPolicies](https://kubernetes.io/docs/concepts/policy/pod-security-policy/)
- [Container Runtimes](https://kubernetes.io/docs/setup/production-environment/container-runtimes/)
- Signatures
   - [Signing with Skopeo](https://github.com/containers/skopeo)
   - [Verifying](https://developers.redhat.com/blog/2019/10/29/verifying-signatures-of-red-hat-container-images/)
- Pods, Daemonsets, StatefulSets and other [Workloads](https://kubernetes.io/docs/concepts/workloads/controllers/)
- Secure Containers
   - [Google best practices for building containers](https://cloud.google.com/solutions/best-practices-for-building-containers)
   - [Minimal go container from scratch](https://github.com/endocode/minimal-go-container-from-scratch)
   - [Google Distroless](https://github.com/GoogleContainerTools/distroless)
   - [Unprivileged NGinx](Unprivileged.ipynb)
- [Access to the host file system](Kube-Scan-Cloudbomb.ipynb)
- [Secure Architecture](https://www.heise.de/hintergrund/Kubernetes-Security-Teil-3-Im-Spannungsfeld-von-Komplexitaet-und-Sicherheit-4862263.html?seite=all)
- Standards
  - [BSI - Building blocks (drafts) - User-defined building block: containers under OpenShift](https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Grundschutz/IT-Grundschutz-Modernisierung/Benutzerdefinierte_BS/openshift.pdf)
    - [OpenShift Installation](https://docs.openshift.com/container-platform/4.6/installing/installing_bare_metal/installing-bare-metal.html)
    - [Code Ready Containers](https://github.com/code-ready/crc)
  - [CIS - Docker Benchmarks](https://www.cisecurity.org/benchmark/docker/) 
  - [kube-bench](kube-bench.ipynb)
  - [NIST Application Container Security Guide](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-190.pdf) 
  - DoD (US Department of Defense)
    - [DoD Container Hardening Process Guide](https://dl.dod.cyber.mil/wp-content/uploads/devsecops/pdf/Final_DevSecOps_Enterprise_Container_Hardening_Guide_1.1.pdf)
    - [DoD Enterprise DevSecOps Reference Design](https://dodcio.defense.gov/Portals/0/Documents/DoD%20Enterprise%20DevSecOps%20Reference%20Design%20v1.0_Public%20Release.pdf) 


# Networks

- [Ingress Recap](Ingress.ipynb)
  - OAuth2
  - cert-manager
    - ACME
- Istio
  - Service Mesh
  - [Distributed Firewall](https://www1.cs.columbia.edu/~smb/papers/ccs-df.pdf)
  - [NIST Zero Trust](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-207.pdf)
  - [Installation](Istio1.8.2.ipynb)
  - [Traffic Management](Istio-Traffic-Mgmt.ipynb)
  - [Hack](IstioHack.ipynb)
  - Fix it
    - [A Hacker’s Guide to Kubernetes Networking](https://thenewstack.io/hackers-guide-kubernetes-networking/)
    - [Kubernetes Networking](https://kubernetes.io/docs/concepts/cluster-administration/networking/)
    - CNI [Network Plugins](https://kubernetes.io/docs/concepts/extend-kubernetes/compute-storage-net/network-plugins/)
    - [Istio CNI](https://istio.io/latest/docs/setup/additional-setup/cni/)
    - [Istio Platforms](https://istio.io/latest/docs/concepts/what-is-istio/#platform-support)
  - Other Meshes
    - [Service Mesh](https://servicemesh.es/)
- NetworkPolicies
  - Calico
  - Traffic Control
  - Testing with Netcat
- Misc
  - [Maglev](https://github.com/kkdai/maglev)
  - [Wireguard Wormhole](https://goteleport.com/blog/announcing-wormhole/)
  - [CNCF CI/CD](https://landscape.cncf.io/card-mode?category=continuous-integration-delivery&grouping=category)
  - [Machine Config Operator](https://github.com/openshift/machine-config-operator)

## Kubernetes Hardening

- Resilience Concepts
  - High Availability
  - Highest Availability
  - Design for Resilience
    - Racks, Zones, Regions
    - Resilience Testing
      - Chaos Engineering
      - The Simian Army
      - Blast Radius
- Databases
  - Concepts
    - Migration vs Clustering
    - Load considerations
      - High Availability
      - Node Restore under load
    - Level of Done
    - Infrastructure Nodes
  - [Postgres Operator by Zalando](Postgres%20Zalando.ipynb)
  - [Vitess](https://vitess.io/)
  - [Bloomberg Solr](https://2019.berlinbuzzwords.de/19/session/running-solr-within-kubernetes-scale.html)
- [Audit Logs](AuditLogs.ipynb)
  - [FluentD](https://docs.fluentd.org/v/0.12/) 
- [Service Account Token](ServiceAccountToken.ipynb)
- [Unprivileged $\neq$ Hardened](Unprivileged.ipynb)
- [PodSecurityPolicies](https://kubernetes.io/docs/concepts/policy/pod-security-policy/)
  - [Basics](PodSecurityPolicyBasic.ipynb)
  - [Permissive](PodSecurityPolicyPermissive.ipynb)
  - [Strict](PodSecurityPolicyStrict.ipynb)
- [Accounts and Permissions](AccountWithRBAC.ipynb)  
- [OpenPolicyAgent](OpenPolicyAgent.ipynb)
  - [Rego Examples](https://gist.github.com/garethr/ea41afb1b6562cdb2b1555719f51f90e)
# Sources

- [Talk ContainerConf](https://drive.google.com/file/d/15EHHoFQWa4m_GfIAYqTvYmXWU3Kg2Ig6/view)
- [Securing a Cluster](https://kubernetes.io/docs/tasks/administer-cluster/securing-a-cluster/)
- [Concepts Security](https://kubernetes.io/docs/concepts/security/), what?
- [Liz Rice, Brendan Burns: The Definitive Guide to Securing Kubernetes](https://cdn2.hubspot.net/hubfs/1665891/Assets/The%20Definitive%20Guide%20to%20Securing%20Kubernetes.pdf), advertising
- [Liz Rice & Michael Hausenblas: Kubernetes Security](https://cdn2.hubspot.net/hubfs/1665891/Assets/Kubernetes%20Security%20-%20Operating%20Kubernetes%20Clusters%20and%20Applications%20Safely.pdf) better, but still too basic

# High Availability

## Maximum Security Regulation

## Resilience
### Chaos Engineering

```bash
# Remove generated artifacts from earlier notebook runs (kubeconfig, RBAC graphs, old archive)
rm -f my-kubeconfig my-namespace-rbac.dot my-namespace-rbac.png minikube.dot minikube.png notebooks.tgz
# Archive only the top-level notebook files (no recursion into subdirectories)
(cd .. ; tar cfz /tmp/notebooks.tgz --no-recursion notebooks/*.* )
```

```bash
# Move the archive into the current directory and list its contents
mv /tmp/notebooks.tgz .
tar tzf notebooks.tgz
```

```
notebooks/AccountWithRBAC.ipynb
notebooks/AuditLogs.ipynb
notebooks/ClusterOverview.ipynb
notebooks/ContainerdCloudbomb.ipynb
notebooks/CrioBomb.ipynb
notebooks/Helm.ipynb
notebooks/Ingress.ipynb
notebooks/IngressStart.ipynb
notebooks/Istio-Traffic-Mgmt.ipynb
notebooks/Istio1.8.2.ipynb
notebooks/IstioHack.ipynb
notebooks/Kube-Scan-Cloudbomb.ipynb
notebooks/KubernetesBasics.ipynb
notebooks/Linux Namespaces.ipynb
notebooks/NetworkPolicy.ipynb
notebooks/OpenPolicyAgent.ipynb
notebooks/Overview.ipynb
notebooks/PodSecurityPolicyBasic.ipynb
notebooks/PodSecurityPolicyPermissive.ipynb
notebooks/PodSecurityPolicyStrict.ipynb
notebooks/Postgres Zalando.ipynb
notebooks/ServiceAccountToken.ipynb
notebooks/Unprivileged.ipynb
notebooks/audit-policy.yaml
notebooks/docker-hypervisor.png
notebooks/istio-1.8.2/
notebooks/kube-bench.ipynb
```
