Andreas Falk
@andifalk
Slides: https://andifalk.github.io/kubernetes-spring-io-2019
Source-Code: https://github.com/andifalk/kubernetes-spring-io-2019
Novatec Consulting GmbH
https://www.novatec-gmbh.de
andreas.falk@novatec-gmbh.de / @andifalk
By courtesy of Matthias Haeussler (@maeddes)
kind: ConfigMap
apiVersion: v1
metadata:
  name: hello-spring-cloud-kubernetes
  namespace: default
data:
  hello.message: k8s
  hello.prefix: Hi
...
data:
  application.properties: |-
    hello.message=k8s
    hello.prefix=Hi
...
data:
  application.yaml: |-
    hello:
      message: k8s
      prefix: Hi
apiVersion: v1
kind: Secret
metadata:
  name: hello-spring-cloud-kubernetes
  namespace: default
type: Opaque
data:
  user.username: dXNlcg==
  user.password: azhzX3VzZXI=
  admin.username: YWRtaW4=
  admin.password: azhzX2FkbWlu
Secrets in the etcd DB are NOT encrypted with default settings!!
Just Base64 encoded!
Attractive target for hackers
Easily leak to repos, logs, ...
Violation of the “Least Privilege” principle
Do not use the K8s API for reading secrets
"Listing secrets allows the clients to inspect the values of all secrets that are in that namespace."
https://kubernetes.io/docs/concepts/configuration/secret/#best-practices
Supported as of Kubernetes version 1.10
https://cloud.google.com/kms/docs/envelope-encryption
https://kubernetes.io/docs/tasks/administer-cluster/kms-provider/
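The two links above describe envelope encryption of Secrets at rest. As an added example that is not part of the talk or its repository, this is the kube-apiserver encryption configuration that turns it on for the `secrets` resource with a KMS provider; the plugin name and its socket path are placeholders (assumptions), and the kind/apiVersion are the current ones (clusters of the 1.10 era named this file `kind: EncryptionConfig`, `apiVersion: v1`).

```yaml
# Added example, not from the slides: encryption-at-rest configuration for kube-apiserver.
# Every Secret written to etcd is encrypted with a data-encryption key (DEK); the DEK is
# itself encrypted by an external KMS reached through a plugin (envelope encryption).
# Enabled with:  kube-apiserver --encryption-provider-config=/etc/kubernetes/enc/enc.yaml
# ASSUMPTIONS: "example-kms-plugin" and the unix socket path are placeholders for your plugin.
apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
  - resources:
      - secrets
    providers:
      # The FIRST provider is used for writes; every listed provider is tried for reads.
      - kms:
          name: example-kms-plugin                              # placeholder plugin name
          endpoint: unix:///var/run/kms-plugin/socket.sock      # placeholder socket path
          cachesize: 1000                                       # DEKs cached in API server memory
          timeout: 3s
      # "identity" means NO encryption. Listing it LAST lets Secrets written before this
      # config existed still be read. Listing it FIRST would silently keep storing plaintext.
      - identity: {}
```

Existing Secrets stay plaintext in etcd until they are rewritten, so after the API server restarts run `kubectl get secrets --all-namespaces -o json | kubectl replace -f -`; once that has completed the `identity` provider can be removed so that nothing unencrypted is ever accepted again. With this in place, an attacker who obtains etcd data or an etcd backup sees only ciphertext, and the key material lives in the KMS rather than on the master node.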
https://spring.io/projects/spring-cloud-kubernetes
https://cloud.spring.io/spring-cloud-kubernetes/spring-cloud-kubernetes.html
| Starter | Description |
|---|---|
| spring-cloud-starter-kubernetes | Discovery Client |
| spring-cloud-starter-kubernetes-config | Load application properties from ConfigMaps & Secrets |
| spring-cloud-starter-kubernetes-ribbon | Ribbon client-side load balancer |
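The "Least Privilege" slide above warns that an application allowed to list secrets through the API can read every Secret in the namespace, while the `spring-cloud-starter-kubernetes-config` row says the starter loads properties from ConfigMaps and Secrets. The following added example (not code from the talk or from the Spring Cloud Kubernetes project) shows how the two fit together without violating least privilege: the ConfigMap from the earlier slide is read through the API under a Role limited to that single ConfigMap, and the Secret from the earlier slide is delivered by the kubelet as a volume, so the pod's ServiceAccount gets no `secrets` permission at all. The ServiceAccount, Role and Deployment names and the container image are assumptions; the Spring properties `spring.cloud.kubernetes.secrets.enableApi` and `spring.cloud.kubernetes.secrets.paths` are the project's documented settings.

```yaml
# Added example, not from the slides or the Spring Cloud Kubernetes project.
# ASSUMPTIONS: ServiceAccount "hello-app", Role "hello-config-reader" and the image
# reference are placeholders. ConfigMap/Secret names are the ones shown on the slides.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: hello-app
  namespace: default
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: hello-config-reader
  namespace: default
rules:
  # The starter reads the ConfigMap named after spring.application.name through the API.
  # Grant "get" on exactly that object: no "list", no wildcard name.
  - apiGroups: [""]
    resources: ["configmaps"]
    resourceNames: ["hello-spring-cloud-kubernetes"]
    verbs: ["get"]
  # Deliberately NO rule for "secrets". The weak variant to avoid is:
  #   - apiGroups: [""]
  #     resources: ["secrets"]
  #     verbs: ["list"]        # exposes the values of ALL Secrets in the namespace
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: hello-config-reader
  namespace: default
subjects:
  - kind: ServiceAccount
    name: hello-app
    namespace: default
roleRef:
  kind: Role
  name: hello-config-reader
  apiGroup: rbac.authorization.k8s.io
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: hello-spring-cloud-kubernetes
  namespace: default
spec:
  replicas: 1
  selector:
    matchLabels: {app: hello}
  template:
    metadata:
      labels: {app: hello}
    spec:
      serviceAccountName: hello-app          # the token used for the ConfigMap API read
      containers:
        - name: hello
          image: example.invalid/hello-spring-cloud-kubernetes:placeholder   # placeholder
          volumeMounts:
            - name: app-secrets
              mountPath: /etc/secrets        # one file per Secret key: user.username, ...
              readOnly: true
      volumes:
        - name: app-secrets
          secret:
            secretName: hello-spring-cloud-kubernetes
---
# src/main/resources/bootstrap.yaml of the Spring Boot application (not a K8s object)
spring:
  application:
    name: hello-spring-cloud-kubernetes       # ConfigMap looked up under this name
  cloud:
    kubernetes:
      secrets:
        enableApi: false                      # never fetch Secrets via the API (also the default)
        paths: /etc/secrets                   # read the mounted files instead
```

With `paths` set, every file in `/etc/secrets` becomes a property named after the file, so the keys from the Secret slide (`user.username`, `user.password`, ...) are available to the application exactly as if they had come from the API, while `kubectl auth can-i list secrets --as=system:serviceaccount:default:hello-app` reports `no`.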
USER directive in Dockerfile
K8s Security Context for a Pod/Container
Pod Security Policy (Beta)
Just say no to root containers
Pod Security Policy
Pod Security Context
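The three mechanisms listed above work at different layers: the `USER` directive (for example `USER 1000`) fixes the UID inside the image, the Pod Security Context asks the kubelet to enforce it for one workload, and a Pod Security Policy makes the cluster reject workloads that do not comply. As an added example that is not from the talk or its repository, here is a Pod that cannot run as root beside a PodSecurityPolicy (`policy/v1beta1`, "Beta" as on the slide) that enforces the same rules cluster-wide; the image reference and object names are assumptions.

```yaml
# Added example, not from the slides. The image reference and names are placeholders.
apiVersion: v1
kind: Pod
metadata:
  name: hello-nonroot
  namespace: default
spec:
  # Pod-level settings are inherited by every container unless overridden there.
  securityContext:
    runAsNonRoot: true       # kubelet refuses to start a container whose UID would be 0
    runAsUser: 1000          # matches "USER 1000" in the Dockerfile; required if the image has no USER
    runAsGroup: 1000
    fsGroup: 1000            # files on mounted volumes are readable by this GID
  containers:
    - name: hello
      image: example.invalid/hello-spring-cloud-kubernetes:placeholder   # placeholder
      securityContext:
        allowPrivilegeEscalation: false   # setuid binaries cannot gain privileges
        readOnlyRootFilesystem: true
        capabilities:
          drop: ["ALL"]
      volumeMounts:
        - name: tmp
          mountPath: /tmp                 # the JVM/embedded Tomcat still needs a writable tmp dir
  volumes:
    - name: tmp
      emptyDir: {}
---
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: restricted-nonroot
spec:
  privileged: false
  allowPrivilegeEscalation: false
  requiredDropCapabilities: ["ALL"]
  runAsUser:
    rule: MustRunAsNonRoot   # any Pod that would run as UID 0 is rejected at admission
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: MustRunAs
    ranges: [{min: 1, max: 65535}]
  fsGroup:
    rule: MustRunAs
    ranges: [{min: 1, max: 65535}]
  readOnlyRootFilesystem: true
  volumes: ["configMap", "secret", "emptyDir", "projected", "downwardAPI", "persistentVolumeClaim"]
  hostNetwork: false
  hostPID: false
  hostIPC: false
```

A PodSecurityPolicy only takes effect when the `PodSecurityPolicy` admission controller is enabled and the Pod's ServiceAccount (or its controller) is granted the `use` verb on that policy through RBAC; otherwise the Pod is simply rejected because no policy applies. PodSecurityPolicy was later deprecated (Kubernetes 1.21) and removed (1.25) in favour of Pod Security Admission, which enforces the equivalent `restricted` profile per namespace, but the Pod-level `securityContext` shown above is unchanged and remains the portable half of the setup.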
Perform image scanning (Anchore, Clair, ...)
Regularly update your Kubernetes cluster version
Regularly update your (base) images
Check out Google Distroless images
andreas.falk@novatec-gmbh.de
Twitter: @andifalk