How To Secure Everything Without Making Everyone Suffer
Vložit
- čas přidán 16. 06. 2024
- What makes a system secure? How do we secure everything, no matter whether it's running inside Kubernetes clusters, Cloud providers like AWS, Azure, Google Cloud (GCP), or anything else?
#security #kubernetes #aws #azure #googlecloud #gcp
Consider joining the channel: / devopstoolkit
▬▬▬▬▬▬ 🔗 Additional Info 🔗 ▬▬▬▬▬▬
🎬 Virtual Machines (VMs) Inside Kubernetes Clusters With KubeVirt: • Virtual Machines (VMs)...
🎬 How To Create, Provision, And Operate Kubernetes With Cluster API (CAPI): • How To Create, Provisi...
🎬 Crossplane - GitOps-based Infrastructure as Code through Kubernetes API: • Crossplane - GitOps-ba...
🎬 Metacontroller - Custom Kubernetes Controllers The Easy Way: • Metacontroller - Custo...
🎬 Cloud-Native Apps With Open Application Model (OAM) And KubeVela: • Cloud-Native Apps With...
🎬 How To Shift Left Infrastructure Management Using Crossplane Compositions: • How To Shift Left Infr...
🎬 How to apply policies in Kubernetes using Open Policy Agent (OPA) and Gatekeeper: • How to apply policies ...
🎬 Kubernetes-Native Policy Management With Kyverno: • Kubernetes-Native Poli...
🎬 Admission Controllers Or CLI? Kubernetes Policy Validations with Datree: • Admission Controllers ...
🎬 Kubernetes Validating Admission Policy Changes The Game: • Kubernetes Validating ...
🎬 Argo CD - Applying GitOps Principles To Manage A Production Environment In Kubernetes: • Argo CD - Applying Git...
🎬 Flux CD v2 With GitOps Toolkit - Kubernetes Deployment And Sync Mechanism: • Flux CD v2 With GitOps...
🎬 Rancher Fleet: GitOps Across A Large Number Of Kubernetes Clusters: • Rancher Fleet: GitOps ...
🎬 Signing And Verifying Container Images With Sigstore Cosign And Kyverno: • Signing and Verifying ...
🎬 Manage Container (Docker) Images, Helm, CNAB, and Other Artifacts With Harbor: • Manage Container (Dock...
🎬 Manage Kubernetes Secrets With External Secrets Operator (ESO): • Manage Kubernetes Secr...
🎬 Eliminate Kubernetes Secrets With Secrets Store CSI Driver (SSCSID): • Eliminate Kubernetes S...
🎬 Bitnami Sealed Secrets - How To Store Kubernetes Secrets In Git Repositories: • Bitnami Sealed Secrets...
▬▬▬▬▬▬ 💰 Sponsoships 💰 ▬▬▬▬▬▬
If you are interested in sponsoring this channel, please use calendly.com/vfarcic/meet to book a timeslot that suits you, and we'll go over the details. Or feel free to contact me over Twitter or LinkedIn (see below).
▬▬▬▬▬▬ 👋 Contact me 👋 ▬▬▬▬▬▬
➡ Twitter: / vfarcic
➡ LinkedIn: / viktorfarcic
▬▬▬▬▬▬ 🚀 Other Channels 🚀 ▬▬▬▬▬▬
🎤 Podcast: www.devopsparadox.com/
💬 Live streams: / devopsparadox
▬▬▬▬▬▬ ⏱ Timecodes ⏱ ▬▬▬▬▬▬
00:00 Introduction To Security For Everything
02:02 Role-Based Access Control (RBAC)
08:30 Custom Resource Definitions (CRDs)
11:18 Admission Controllers And Policies
15:34 GitOps
20:15 SBOM & Signatures & Image Scanners
22:22 Secrets Management
25:37 Final Thoughts - Věda a technologie
How do you secure your systems?
You understand the power and point of Kubernetes so well. I need to master this skill.
Like always, amazing content!
Awesome as always!
This is an university of information , awesome
Love this channel ❤❤❤
Awesome T-shirt. I also want one :)
Would love to see a video on TUF (The Update Framework).
Unfortunately, i haven't used it (yet) so I cannot comment on it 😔
Tolkien be like: ""One k8s to rule them all, One k8s to find them, One k8s to bring them all and in the darkness bind them.""
Just regarding policies and context... with opa we have policies that check other objects too... because opa can call the k8 api to get the extra context...
This does not invalidate the crd aproach ofc... but sometimes one does really need to get data from other k8 objects or crds
Not if that extra context was not yet created. When, for example, you execute helm install, there is no guarantee in which order resources will be submitted to Kube API.
@@DevOpsToolkit ... in detail we are using a styra opa agent that has helper functions for this and the context includes all other changes being applied... our main use case is compliance rules whose context is some application metadata crd that is not generated by any other helm or controller... but you right, there might be cases where the context was not generated yet and we have to be careful with these context dependant rules
@@hugolopes5604 Let's say that you have a rule that an app deployed in a k8s cluster should have multiple replicas. That probably means that you have rules evaluated when a deployment is created or updated. But, since scaling can be done in HPA, you need to take it into the account. Now, there might not be an HPA in a cluster (it's coming after the Deployment). Or there might be an HPA in the cluster but it would be overwritten by a changed HPA that will be applied after the changes to the Deployment. Or there might not be an HPA in the cluster and it's not going to come. Or... There are quite a few permutations to that simple scenario, and "real world" scenarios are even more complex.
All that is not directly related to whether you use OPA, of Kyverno, or Datree, or something else to manage policies. It's a nuance of how Kubernetes works and it's not easy to solve.
@@DevOpsToolkit , yes absolutly, I understood the hpa /replicas example and i agree it that example it would not work. but somehow our examples are more simple... like block containers with root privileges if the application data classification is high... because we modeled the aplication metadata as a crd , the context is another k8 object. Doing policy rules dependant of other k8 objects that some controller dynamically changes seems a bad idea, but is this representative of context dependant policy rules?
Hi using sealed secret operator still using k8s secret mechanism so it's still only base 64. I think better solution will be using sdk or api to secret manger directly and inject secrets to application in real-time.
I agree, as long as that does not require any "special" logic to be added to the code of the app. Apps should be focused only on business requirements. Also, you will still need kubernetes secrets for third-party apps since almost all assume them.
How do you solve for the chicken & egg problem? How can you use such a great system base on all the tools around Kubernetes if you don't have any Kubernetes cluster yet?
There are a few solutions. You can use a local cluster to bootstrap a "real" cluster. In that scenario, all you have to do is apply the same manifest you used in the local cluster to create the "real" cluster. From there on, crossplane in the real cluster would manage itself.
The alternative will be announced this wednesday and I cannot talk about it until then.
@@DevOpsToolkit So what is it you couldn't talk about last week? ;o)
Upbound cloud
Really Great Explanation of the concept. If all this concepts are in place the security guys will be extremely happy. But the guy who has to implement this will be completely overloaded. All the implementing Stuff is much to complex. 10 Tools just to roll out one App? In my Opinion the title should be "without making everyone suffer... EXCEPT the Devops Guy/Team" who has to implement it. The truth is no Developer wants to fiddle around with all this config tools clouds and everything else. You build it you run it? At the end you have a Infrastructure Team called Devops. What s the difference to the old days. I can tell you: the complexity. Your Explanation assumes everything works, but what if it does not work as a charme, which Developer will be able to trubleshoot when he or she only should work with Deployments in a Deployment Tool. Will a Developer suddenly know how all the Deployment Tooling works or how any cloud works (resources in Azure, AWS... and so on)?
Developers cannot know everything. No one can. That's why companies are building internal developer platforms and trying to create the right levels of abstractions. Self service is the key and that does not exclude any roll but allows experts to offer their experience as a service.
Are you safe? Just kidding, I don't care about that.
Thanks man!...
First 😂