Spring Cloud on Kubernetes

Andreas Falk

@andifalk

Slides: https://andifalk.github.io/kubernetes-spring-io-2019
Source-Code: https://github.com/andifalk/kubernetes-spring-io-2019

Andreas Falk

Novatec Consulting GmbH

https://www.novatec-gmbh.de
andreas.falk@novatec-gmbh.de / @andifalk

What's in this session

Kubernetes 101

Spring Cloud Kubernetes

K8s Security Best Practices

Kubernetes

101

Kubernetes Basics

By courtesy of Matthias Haeussler (@maeddes)

K8s Config Maps

Plain key/value entries:

    kind: ConfigMap
    apiVersion: v1
    metadata:
      name: hello-spring-cloud-kubernetes
      namespace: default
    data:
      hello.message: k8s
      hello.prefix: Hi

The same values as an embedded application.properties file:

    ...
    data:
      application.properties: |-
        hello.message=k8s
        hello.prefix=Hi

The same values as an embedded application.yaml file:

    ...
    data:
      application.yaml: |-
        hello:
          message: k8s
          prefix: Hi

K8s Secrets

    apiVersion: v1
    kind: Secret
    metadata:
      name: hello-spring-cloud-kubernetes
      namespace: default
    type: Opaque
    data:
      user.username: dXNlcg==
      user.password: azhzX3VzZXI=
      admin.username: YWRtaW4=
      admin.password: azhzX2FkbWlu

Secrets in the etcd DB are NOT encrypted with default settings!!

Just Base64 encoded!

Why protect Secrets?

Attractive target for hackers

Easily leak to repos, logs, ...

Violation of “Least Privilege” principle

Best Practice for secrets

Do not use K8s API for reading secrets

"Listing secrets allows the clients to inspect the values of all secrets that are in that namespace."

https://kubernetes.io/docs/concepts/configuration/secret/#best-practices

Best Practice for secrets

Encryption Layers

Envelope Encryption on K8S

Supported as of Kubernetes version 1.10

https://cloud.google.com/kms/docs/envelope-encryption
https://kubernetes.io/docs/tasks/administer-cluster/kms-provider/

Cloud KMS

Azure Key Vault

Google Cloud KMS

AWS KMS

Hashicorp Vault KMS Plugin

Spring Cloud Kubernetes

https://spring.io/projects/spring-cloud-kubernetes
https://cloud.spring.io/spring-cloud-kubernetes/spring-cloud-kubernetes.html

Features

Spring Cloud Kubernetes Starter Deps

    Starter                                  Description
    ---------------------------------------  -----------------------------------------------------
    spring-cloud-starter-kubernetes          Discovery Client
    spring-cloud-starter-kubernetes-config   Load application properties from ConfigMaps & Secrets
    spring-cloud-starter-kubernetes-ribbon   Ribbon client-side load balancer

Demo Time

https://github.com/andifalk/kubernetes-spring-io-2019

Kubernetes Security

Best Practices

Kubernetes Security?

Helm is Root on K8s

Say no to Root

USER directive in Dockerfile

K8s Security Context for a Pod/Container

Pod Security Policy (Beta)

Just say no to root containers
Pod Security Policy
Pod Security Context
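As an added example (not from the talk or its demo repository), a small audit of a Pod manifest that flags the settings the "say no to root" slides are about: a container without runAsNonRoot or a non-zero runAsUser, privileged mode, privilege escalation left enabled, a writable root filesystem and undropped capabilities. The two Pod manifests are constructed samples; the function name audit_pod is an assumption of this example.

```python
"""Audit a Pod manifest (as a dict) for root and privilege settings."""
from typing import Any

# Constructed sample: a typical "just run it" Pod with no securityContext at all.
WEAK_POD: dict[str, Any] = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "hello-spring-cloud-kubernetes"},
    "spec": {"containers": [{"name": "app", "image": "hello:1.0"}]},
}

# Constructed sample: the same Pod with a restrictive security context.
HARDENED_POD: dict[str, Any] = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "hello-spring-cloud-kubernetes"},
    "spec": {
        "securityContext": {"runAsNonRoot": True, "runAsUser": 10001},
        "containers": [{
            "name": "app", "image": "hello:1.0",
            "securityContext": {
                "allowPrivilegeEscalation": False,
                "readOnlyRootFilesystem": True,
                "capabilities": {"drop": ["ALL"]},
            },
        }],
    },
}


def audit_pod(pod: dict[str, Any]) -> list[str]:
    """Return one finding per container setting that lets the workload run as
    root or gain privileges. An empty list means the Pod passes these checks."""
    findings: list[str] = []
    spec = pod.get("spec", {})
    pod_ctx = spec.get("securityContext", {})
    for c in spec.get("containers", []):
        name = c.get("name", "<unnamed>")
        ctx = c.get("securityContext", {})
        # Container-level settings take precedence over Pod-level ones.
        non_root = ctx.get("runAsNonRoot", pod_ctx.get("runAsNonRoot", False))
        uid = ctx.get("runAsUser", pod_ctx.get("runAsUser"))
        if not non_root and not (isinstance(uid, int) and uid > 0):
            findings.append(f"{name}: may run as root (set runAsNonRoot: true or a non-zero runAsUser)")
        if ctx.get("privileged", False):
            findings.append(f"{name}: privileged container")
        if ctx.get("allowPrivilegeEscalation", True):  # Kubernetes default is true
            findings.append(f"{name}: allowPrivilegeEscalation not set to false")
        if not ctx.get("readOnlyRootFilesystem", False):
            findings.append(f"{name}: root filesystem is writable")
        if "ALL" not in ctx.get("capabilities", {}).get("drop", []):
            findings.append(f"{name}: capabilities not dropped (add drop: [ALL])")
    return findings
```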

Vulnerabilities in well-known images

Source: The state of open source security report (snyk.io)

Root without Password!

Keep being secure

Perform image scanning (Anchore, Clair, ...)

Regularly update your Kubernetes cluster version

Regularly update your (base) images

Check out Google Distroless Images

https://github.com/GoogleContainerTools/distroless

Summary / Key Insights

  • Configs, Secrets & Discovery the “Spring Way”
    -- More to come: Istio & Helm awareness, ...
  • “Least privilege” for service accounts
  • Ensure your secrets are encrypted in K8s
  • Say NO to root on K8s
  • Keep K8s and container images up-to-date

Q&A

https://www.novatec-gmbh.de
https://blog.novatec-gmbh.de

andreas.falk@novatec-gmbh.de
Twitter: @andifalk