VMworld EU 2018 – Put a Lid on It; Securing Containers and Kubernetes on vSphere and AWS

Steve Hoenisch, VMware

Nolan Karpinski, VMware

Steve described the need to secure the entire cloud native stack. What are the risks and threats? The session will cover identifying the risks and then how things like PKS and AppDefense help mitigate these risks both on prem and using the newly announced Cloud PKS.

Steve described the cloud native stack and how this integrates with pipelines.

To summarise risks and threats, the NIST guide to application container security was used by Steve. Just like traditional applications, containerised apps are vulnerable to flaws.

Nolan mentioned that AppDefense can analyse a yaml file and understand what the app should do before it is deployed.

Steve covered the NIST guide at a high level. He outlined that portability and reuse can heighten risks. Images can contain vulnerabilities, embedded secrets, insecure configuration etc. The orchestration layer can pose risks. Insecure dashboards, lack of standard authentication and RBAC, apps sharing common networks, mixing workloads with different sensitivity levels. And at the infrastructure layer, their are risks from unprotected data traffic and lack of visibility from logging and monitoring.

Securing PKS

PKS uses BOSH as an underlying layer to provision and update infrastructure. NSX-T is used for network security.

Harbour is a key component for securing a PKS deployment. It scans and signs images and also protects the registry using RBAC.

PKS secures Kubernetes with RBAC and a centralised credentials store.

Using NSX-T allows for clusters to be isolated from each other and for orchestrator traffic to be isolated from container networks. This is automated as clusters are provisioned.

NSX-T also translates policies from Kubernetes into NSX policies and firewall rules.

NSX-T also brings visibility across the stack with Traceflow.

In addition to TraceFlow, PKS can leverage vRLI and vROPs for operationally visibility and monitoring.

Bosh helps provide lifecycle management which ensures clusters are kept patched.

All of these features where then summarised on a handy slide as shown above; PKS Security Overview.

Security in VMware Cloud PKS

Steve updated everyone that VMware Kubernetes Engine (VKE), which was in preview, has been renamed VMware Cloud PKS.

Cloud PKS (aka VKE) is fully managed by VMware running on AWS. Key capability is Elastic cluster sizing with Smart Clusters.

Cloud PKS doesn’t provide NSX-T currently, it’s based on using canal.

Cloud PKS is part of VMware Cloud Services.

In CloudPKS, you can use multi tenant access policies to group clusters and names spaces for different organisational units.

Lightwave is a security platform used by Cloud PKS. It provides authentication and security when accessing Cloud PKS.

Cloud PKS helps secure things by managing patching, maintenance and encryption.

Container Security at Runtime

AppDefense and securing the application.

Nolan talked about how VMware are good at operations and that is what AppDefense can bring from a security perspective to your applications.

AppDefense uses a partnership with Aqua to protect container workloads.

AppDefense aims to Ensure Good rather than Chasing Bad.

Nolan ran through a demo of AppDefense with Aqua protecting container workloads.

Steve wrapped up by saying the NIST Guide is essential reading and provided a summary of best practices, protecting the entire stack. You can find the NIST guide here.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s