20230201 - CloudNativeSecurityCon NA 2023 - Securing user to server access in Kubernetes.pdf

《20230201 - CloudNativeSecurityCon NA 2023 - Securing user to server access in Kubernetes.pdf》由会员分享，可在线阅读，更多相关《20230201 - CloudNativeSecurityCon NA 2023 - Securing user to server access in Kubernetes.pdf（22页珍藏版）》请在三个皮匠报告上搜索。

1、Maisem Ali&Maya KaczorowskiSecuring user to server access in Kubernetes maisem_ali,MayaKaczorowski ,MayaKaczorowskiinfosec.exchangeMaya KaczorowskiHead of Productshe/herMaisem AliMember of Technical Staffhe/himAgendaKubernetes traffic and use casesUser access to internal servicesSecurity properties

2、you wantWhat options you haveHow these options stack upSummarymaisem_ali MayaKaczorowski maisem_ali MayaKaczorowski UserAdminControl planeServiceWorker nodeLoad balancerWorker nodeWorker nodeService1234Kubernetes ClusterKubernetes cluster trafficTraffic between the components of Kuberneteshttps:/ Tr

3、affic from a service to a serviceTraffic from a user to the Kubernetes control planeTraffic from a user to a servicePublic serviceInternal servicemaisem_ali MayaKaczorowski Batteries includedService meshBastionLoad balancer?TrafficTypical securityBut does it do its own authentication?maisem_ali Maya

4、Kaczorowski https:/kubernetes.io/docs/tasks/access-application-cluster/access-cluster-services/Internal services you can run on KubernetesTools run alongside your serviceDatabases:PostgresMonitoring,logging and tracing:Grafana,PrometheusBI:MetabaseInternal applicationsmaisem_ali MayaKaczorowski Secu

5、rity properties for internal servicesVisibility:the service isnt publicly accessibleAuthentication:verify the user connecting to the serviceAuthorization:only the right user can access the serviceEncryption:if traffic is intercepted,its still protectedLoad balancing:share traffic between multiple in

6、stancesTraffic filtering:limit traffic flowsAuditability:monitor and log traffic flowsmaisem_ali MayaKaczorowski Options to considerKubernetes cluster serviceKubernetes load balancerKubernetes IngressKubernetes network policyService meshBastionIPsecWireGuardmaisem_ali MayaKaczorowski maisem_ali Maya