The multitude of security controls and guidelines for both Kubernetes and Azure can be overwhelming. Based on real-life experiences from securing web applications running on Azure Kubernetes Service, Karl has compiled a list of best practices that bring these worlds together.
In this session, you will learn how to build, operate and develop secure web applications on top of Azure Kubernetes Service. After this session, you will know which security controls are available, how effective they are and what will be the cost of implementing them.
CloudBurst Malmö: Best practices of securing web applications running on Azure Kubernetes Service
1. @fincooper
Best practices of securing web applications running on Azure Kubernetes Service
Karl Ots
28.8.2019
CloudBurst Malmö
2. Karl Ots
Chief Consulting Officer
karl.ots@zure.com
• Cloud & cybersecurity expert from Finland
• Community leader, speaker, author & patented inventor
• Working on Azure since 2011
• Helped to secure 100+ Azure applications, from startups to Fortune 500 enterprises
• zure.ly/karl
4. @fincooper
What to expect in this session
• You will learn how to build, operate and architect secure web applications on top of Azure Kubernetes Service.
• You will learn which security controls are available, how effective they are and what will be the cost of implementing them.
• Resources to help you better secure your AKS environment in Azure, regardless of your current level!
10. @fincooper
Access control to Azure management pane
• To provision Azure infrastructure, the AKS resource will need the following AAD entities:
  • A service principal for the Kubernetes cluster to create new resources and modify existing ones
  • RBAC role assignment for the Service Principal
  • A service principal for accessing the container registry
• In addition, you will need to configure:
  • An app registration for acting as the AAD Server
  • An app registration for acting as the AAD Client
13. @fincooper
Access control when connecting to cluster
• By default, when you use the az aks get-credentials command, the admin credentials for the AKS cluster are added to your kubectl config.
• The admin user bypasses the enforcement of pod security policies and does not allow for granular access control.
• AKS can be configured to use Azure AD for user authentication. In this configuration, you can sign in to an AKS cluster by using your Azure AD authentication token.
• But what about az aks get-credentials --admin?
16. @fincooper
Access control once inside the cluster
• Once our users are authenticated through Azure AD, we can implement proper access control.
• Kubernetes RBAC and Pod Security policies allow us to restrict which pods our dev/ops can operate.
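As an added example (not from the deck), this is how the "proper access control" step looks once AAD authentication is on: a namespace-scoped Role bound to an Azure AD group, so that membership is managed in AAD rather than in the cluster. The namespace "webapp", the role names and the group object ID are assumptions/placeholders.

```yaml
# Added example: namespaced RBAC for an AAD-integrated AKS cluster.
# Developers in the AAD group may inspect and roll out workloads in "webapp",
# but cannot read Secrets or exec into pods (neither is granted below).
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: webapp-developer
  namespace: webapp            # assumed namespace
rules:
  - apiGroups: [""]
    resources: ["pods", "pods/log", "services", "configmaps"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["apps"]
    resources: ["deployments", "replicasets"]
    verbs: ["get", "list", "watch", "patch", "update"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: webapp-developers
  namespace: webapp
subjects:
  # With AAD integration the Group subject is the AAD group's object ID;
  # adding or removing a developer happens in Azure AD, not in kubectl.
  - kind: Group
    name: "00000000-0000-0000-0000-000000000000"   # placeholder AAD group object ID
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: webapp-developer
  apiGroup: rbac.authorization.k8s.io
```

The binding only takes effect for users who obtained their kubeconfig through the AAD flow; anyone holding the admin credentials from the previous slide bypasses it entirely.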
19. @fincooper
Often overlooked in AKS ops
• Azure automatically applies security patches to the Linux nodes in your cluster on a nightly schedule.
• You are responsible for ensuring that those Linux nodes are rebooted as required.
• Because AKS is free, no cost is available to reimburse, so AKS has no formal SLA.
• AKS “seeks to maintain” availability of at least 99.5 percent for the Kubernetes API server.
23. @fincooper
Reference architecture (diagram): Application VNET 10.0.0.0/16 with WAFSubnet 10.0.2.0/24 and AppAKSSubnet 10.0.1.0/24
• User → Web Application Firewall (in WAFSubnet)
  • Frontend IP Configuration: Public IP
  • Web Application Firewall: Enabled, Prevention mode
  • HTTP Listener: HTTPS, Port 443, Private SSL certificate
  • HTTP Settings: HTTPS redirect, SSL: Public Certificate
  • Backend Pool: Kubernetes Internal Load Balancer IP address
  • Health Probe: Kubernetes Internal Load Balancer IP address
• k8s (in AppAKSSubnet)
  • Access only over SSL
  • IP restriction: Web Application Firewall Frontend IP only, Admin access
• Azure SQL Database
  • Access restricted: access only from AppAKSSubnet
  • Access restricted: access only over SSL
25. @fincooper
Network policies
• Control the flow of traffic between pods in the AKS cluster
  • ingress from / egress to
  • namespaceSelector / podSelector
• Network policies are translated into sets of allowed and disallowed IP pairs
• Kubernetes implements these pairs as iptables rules
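As an added example (not from the deck), the ingress-from / namespaceSelector / podSelector building blocks applied to the reference architecture above: the app pods accept traffic only from the ingress controller that sits behind the internal load balancer. It assumes the app runs in namespace "webapp" with label app=webapp on port 8080, and that the ingress controller pods carry label app=ingress-nginx in a namespace labelled name=ingress; the cluster must have been created with a network policy engine enabled, or these objects are accepted but never enforced.

```yaml
# Added example. First policy: default-deny ingress for the whole namespace.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: webapp            # assumed namespace
spec:
  podSelector: {}              # selects every pod in the namespace ...
  policyTypes: ["Ingress"]     # ... and allows no ingress unless another policy does
---
# Second policy: re-open only the path the WAF -> internal LB -> ingress uses.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: webapp-allow-from-ingress
  namespace: webapp
spec:
  podSelector:
    matchLabels:
      app: webapp              # assumed app label
  policyTypes: ["Ingress"]
  ingress:
    - from:
        # namespaceSelector and podSelector in ONE list element are ANDed:
        # only the ingress controller pods in the ingress namespace match.
        # Splitting them into two elements would OR them and admit every pod
        # in that namespace plus every pod labelled app=ingress-nginx anywhere.
        - namespaceSelector:
            matchLabels:
              name: ingress    # assumed namespace label
          podSelector:
            matchLabels:
              app: ingress-nginx
      ports:
        - protocol: TCP
          port: 8080
```

Each selector is resolved by the policy engine into the pod IP pairs described on the slide, so a pod that is rescheduled and gets a new IP stays covered without editing the policy.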
30. @fincooper
Deployment
• Deploy the cluster using ARM templates
• Deploy the applications using Helm charts
• Connection strings and other secrets should be stored in Azure Key Vault
  • Bind secrets as Kubernetes Secrets using Key Vault FlexVolume
  • github.com/Azure/kubernetes-keyvault-flexvol
• What about WAF certificates?
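As an added example (not from the deck or the project's own manifests), a pod spec that pulls a connection string from Key Vault at runtime through the Key Vault FlexVolume linked above, combined with aad-pod-identity so no service principal secret has to live in the cluster. The option names are as I recall them from the kubernetes-keyvault-flexvol README; the vault, secret, resource group, subscription, tenant, image and the "webapp-identity" binding selector are placeholders.

```yaml
# Added example. The Key Vault secret surfaces inside the container as the
# file /kvmnt/SqlConnectionString; nothing is baked into the image or chart.
apiVersion: v1
kind: Pod
metadata:
  name: webapp
  labels:
    app: webapp
    aadpodidbinding: webapp-identity   # selector of an AzureIdentityBinding (aad-pod-identity)
spec:
  containers:
    - name: webapp
      image: myregistry.azurecr.io/webapp:1.0.0   # placeholder image
      volumeMounts:
        - name: keyvault-secrets
          mountPath: /kvmnt
          readOnly: true
  volumes:
    - name: keyvault-secrets
      flexVolume:
        driver: "azure/kv"
        # No secretRef: with usepodidentity the driver authenticates with the
        # pod's managed identity instead of a service principal stored in k8s.
        options:
          usepodidentity: "true"
          keyvaultname: "webapp-kv"                              # placeholder
          keyvaultobjectnames: "SqlConnectionString"             # placeholder secret name
          keyvaultobjecttypes: "secret"
          resourcegroup: "webapp-rg"                             # placeholder
          subscriptionid: "00000000-0000-0000-0000-000000000000" # placeholder
          tenantid: "00000000-0000-0000-0000-000000000000"       # placeholder
```

The identity bound to the pod only needs Key Vault "get" permission on secrets, which keeps the blast radius of a compromised pod to the objects it actually reads.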
31. @fincooper
Securing web apps on AKS
• Cluster security
• Network security
• Pod security
• Deployment considerations
35. @fincooper
Securing AKS web apps best practices
• Control access to Microsoft.ContainerService/managedClusters/listClusterAdminCredential/action
• Cluster operators should authenticate with AAD to appropriate cluster RBAC role
• Control ingress traffic to the cluster
• Store secrets in Azure Key Vault and access them at runtime
• Ops is key – spend enough design time on how you deploy new services and maintain the cluster
• Not the first web app in the cluster? Control cross-pod networking and access with Pod Identity
36. @fincooper
Wrapping up
• Compared to PaaS, AKS allows for more security controls to be put in place
• This comes with more responsibilities!
• Every application is different
• You might not need all (or any) of the security controls listed in this session
• AKS is continuously evolving
• Check the backlog and challenge your (perceived) security requirements
• Use AzSK and Azure Policy to automatically scan the security posture of your cluster and Azure environment
37. @fincooper
Resources
• My slides: zure.ly/karl/slides
• AKS Roadmap at https://github.com/Azure/AKS/projects/1
• docs.microsoft.com/en-us/azure/aks/api-server-authorized-ip-ranges
• github.com/Azure/kubernetes-keyvault-flexvol
• github.com/Azure/aad-pod-identity
• azure.github.io/application-gateway-kubernetes-ingress/
• docs.microsoft.com/en-us/azure/aks/concepts-security
• docs.microsoft.com/en-us/azure/aks/operator-best-practices-cluster-security
• docs.microsoft.com/en-us/azure/aks/developer-best-practices-pod-security