Conf42 JavaScript 2024 - Online

- premiere 5PM GMT

Kubernetes security for JavaScript applications

Abstract

Unlock the secrets to securing Kubernetes clusters in a rapidly evolving threat landscape! Discover cutting-edge strategies for protecting control planes, nodes, and workloads with real-world insights into RBAC, encryption, and runtime protections. Elevate your Kubernetes security game

Summary

Transcript

This transcript was autogenerated. To make changes, submit a PR.
Hello friends, a very warm welcome from my side to conf42 JavaScript 2024 conference. Today, I will be presenting on Kubernetes security for JavaScript applications. I will talk about myself. I'm Manpreet Singh Sachdeva. I work for Walmart Global Tech in United States. I'm an industry expert in DevSecOps, MLOps, incident management, and quality assurance. So I have experience in Asia, in Europe, as well as in North America. I've worked on various technologies, cloud technologies, different cloud providers, AWS, Azure, GCP, as well as on open source technology like OpenStack, Kubernetes, virtual machines, containerized applications. So I'm really excited to share my thoughts on this topic and I hope we learn together and take some key learnings with us. So let's get started. this is all about securing our JavaScript applications on the Kubernetes clusters. I'll share some best practices and strategies we use in the modern era. So we'll talk about how Kubernetes became so important and so necessary in today's world. we'll go a bit, around in the area of 2015, where we were just started to containerize the applications. So the Docker became popular. And we saw many applications like Java, JavaScript applications, and they all sort, sorted, their, apps and we started deploying on the containers. So the advantage of having containers is that it becomes platform agnostic and the application really becomes lightweight. You can deploy. locally in your machine, you can take it to production, you can scale in and you can scale out. And there was a lot of flexibility around containers. Then we started, thinking about the orchestration of containers that how to make applications work on scale. So that was the next challenge the industry had. Then we started using Docker Swarm, where we could use. to scale out the applications, do networking between all, the containers, communicate and secure container, you know, workloads, but that also there was a disadvantage or set of a sort of, issue while scaling on Docker swarm. So it couldn't support large scale applications where we had to. Run, production workloads for a very high intensified apps using memory as well as CPU. then came Kubernetes and really became popular because, the way it handled the Docker orchestration, the way it handled all the container containers in a, distributed environment, we could see the applications being scaled in, scaled out and, a massive workloads being supported, then. There was, networking between the applications. How can we restrict the app to communicate or how can we, allow an app to communicate to the outside world? And then came the most important part, which was how to secure the communication among the applications, how to make sure that we are covered on the vulnerabilities and the cyber threats we have in the, on the internet. So cyber security, as is one of the most or the hottest topic nowadays where there are so many cyber threats causing so much damage to the reputation, financial damage and so much, customers suffer so much at the stake of cyber security threats. So today we'll focus on how to secure our JavaScript applications and how to run them, efficiently using Kubernetes. So guys, let's get started. as I talked about containerizing the JavaScript applications, so why should we on the first hand containerize an application? So containers provide a very lightweight, portable, and consistent environment for applications. As we just spoke about, Docker is one of the most popular containerization platform, which allows the developers to package their applications with all their dependencies. So that's what we do in Node. js or Java applications, we package them with their dependencies. So the other advantage is, that there is a consistency across all the environments. We ensure that the applications runs the same way in all the different environments, like dev environment, testing, pre staging or a pre prod kind of environment, and then actually on a production environment. So we can do all the cycles of testing, starting from the dev to our pre prod and make sure that, we are well accustomed with all the scalability. And the networking perspective of our applications, and then, deploy the application on production and the other important factors, the, all the containers are totally isolated, all the applications, they run all the services they run without conflicts. in their own storage space, so they do not interact or interfere with the other apps which are also containerized. Then we spoke about scalability already where, it's very easy to scale the applications horizontally as well as vertically. So we will talk about the horizontal pod auto scaling on Kubernetes that how easily we can scale the application when there is an increase in the surge in traffic and we can also basically scale in the applications. Where if the traffic is less and you're going to, we can, make sure that we are running on less number of containers to, do cost optimization. And, we already spoke about the Kubernetes, which is, one of the most popular container orchestration platforms, which helps the applications to run at scale with different, Cloud providers nowadays. So we also have a hybrid kind of a cloud environment, which most of the companies nowadays support that they have their native inbuilt cloud platform and they leverage the, cloud providers in a hybrid way. So talking about now Kubernetes, which has actually transformed the way we deploy our applications, the way we, scale our applications and it's so easy to manage the applications. just with few commands and, just on, even if I have a UI to manage very easy to manage, all these applications in just one click, but we, that, we've given such a big, or a powerful tool. Now we also have a big responsibility to make sure that, we protect our internet world or all the applications which are hosted. We protect them. from all the kind of cyber threats we are having now. So we'll talk about different kind of, security implementation for Kubernetes. How can we secure our, applications, especially what are the best practices and some tips for the JavaScript applications. I'll also share some of the examples for JavaScript applications later in the slides. Yeah, we'll just go through, one of, one of the examples, and I also share some resources at the end of the presentation where you can refer it for later. So this presentation will mainly outline a multi layered approach to secure it, securing our Kubernetes clusters. So we'll focus on the different planes where the security vulnerabilities can catch us. So first will be the control plane. then we'll talk about the. Securing our node, securing actual applications, which we call as workloads in Kubernetes world or the containerized world. And then we'll talk about how we can secure the communication of all these apps on the network side. So we'll give, give you a real world examples and best practices. And, try to demonstrate how to protect Kubernetes environments and vulnerabilities from the vulnerabilities. So when we talk about security, there are mainly four C's, which we talk about. So first C is the cluster, where, how can we secure the cluster where our, application is hosted. Then the container. Container is nothing but the workload security. How to secure the container which is running, our JavaScript application. And we'll talk about the security on the cloud. Then we'll talk about that how can we leverage the cloud providers such as AWS. As your, as well as GCP, and then we'll talk about the actual code vulnerability and the code security. So just give an example of cloud securities like, AWS, Azure, they have some network policies and they have their own kind of security, mechanisms, which they support. So we'll not go in, in depth of those security mechanisms, but there's a lot of cloud security measures, which these cloud providers take. and we can definitely leverage, on our Kubernetes clusters. So moving forward, why does Kubernetes security matters that much? So as we were talking about the Kubernetes, it's now very popular in container orchestration and mostly all the big applications. They use kubernetes, at the back end of the cluster. So kubernetes has become the backbone of our modern cloud infrastructure with adoption growing rapidly across industries like, healthcare, finance, retail, telecommunications. So organizational organizations are totally relying on kubernetes for mission critical operations, like running big websites, retail websites, healthcare systems, and even. even the defense or the, different kind of industries like, AI industry and healthcare industry, all are using Kubernetes on large scale. But again, with the increased use comes the threat of cyber attacks, targeting vulnerabilities with Kubernetes clusters. We all are aware of the log4j vulnerability which happened a couple of years back. And there was another threat in 2021, which, a hacker was able to access a Kubernetes cluster through, like an admin and able to, destroy and delete so many apps, which were really mission critical supporting, the payment systems. And it hit a lot of reputation of that company. And, also a lot of financial damage happened, which the company had to pay back to the customers. So that is the reason, prime reason why the Kubernetes security matters so much now. So failing to secure Kubernetes environments can lead to severe consequences, the kind of one which we just discussed. So including data breaches, right? Service disruptions, you can completely delete the running application pods and just do a complete service disruption. You can filter out the secrets, the username passwords of the actual customers. And which is a big data breach for any company. And then there, the financial losses, that, that can actually cripple the, the operation centers. So the stakes are especially high for organizations undergoing digital transformation nowadays. Properly securing Kubernetes clusters will basically ensure trust, reliability, and safety, not only for the business, but also for the end users. Who rely on these digital services? Suppose, customers are using a banking app customers, like last week, there was a big outage on the bank of America. The user not, we're not even able to log into the app. So all of these, apps are hosted on Kubernetes and at the end, the end users are suffering and it's bringing so much loss, to these digital services. So now we'll talk about the multi layered approach, which we will follow to secure our Kubernetes clusters and workloads. as I was talking that we will talk about different kind of security planes where we need to, apply the security measures. securing Kubernetes requires a layered security strategy. Addressing vulnerabilities across different components. So each layer is crucial here for reducing the attack surface and mitigating threat. So we constitute, all these layers constitute a attack surface. So we will see where are attack surfaces and how to mitigate, the attack area. So first up, first of all, we'll talk about the control plane security, how we can protect the cluster's central brain where, you know, all the logic lives, then we'll talk about the node security that, we, the node, the host where our application is running, how to secure that node, then eventually we'll talk about, the workload security, which is nothing but securing our JavaScript applications, that how the applications run within the cluster. can be protected, right? And then we'll talk about the network security at last, that how we can control the traffic inflow and, which we call the ingress traffic and the egress traffic. How we can, control the inflow and the outflow traffic and manage the secure communications among the apps. basically we'll have a holistic approach to ensure that, all the vulnerabilities are addressed from all the angles. first we talk about control plane security. what is control plane security? It's the API server authentication and authorization, happens on the control plane. control plane is the brain of your Kubernetes cluster. Some of the, terms we use, we call it as the master component. or the one which is running the control, plane. So we also call it as a control plane component or a master component where are, all of the API servers are hosted. So the Kubernetes API server is the core interface for managing the cluster operations. Secure it by using strong authentication methods like OAuth or OpenID. So these are all open, source way of, providing an authorization, to the cluster level. And we can also use RBAC policies. So RBAC is nothing but Role Based Access Control policies by which we can limit the access to critical functions. So every org they implement RBAC, what is RBAC is like, with our, user ID, they will tie us to a particular group. And through a particular group, we will have a role based access that if I'm part of a developer group, I can only, do a read only on the cluster. If I'm part of a DevOps or a like incident management group, I will have access to production as an admin. And if I'm part of some testing group. I may not even have access to production. I may only have access to pre prod or a staging or testing environment. So that way we can secure, the user making it part of a certain group through RBAC policies. Then we have to, encrypt the etcd. So etcd is nothing but a database is a key value database like Redis. It stores, the cluster sensitive data, including some secrets and configuration details. So these configuration details, are very sensitive. They are actually, storing very sensitive data about the, secrets as well as the keys, as well as the certificates, which are used by the API server. So it's very important to encrypt all the etcd data, at rest and, only certain users with admin access be able to access the etcd database. Then we will talk about the network policies by default. Kubernetes networking is open, which can expose the cluster to risk. So that is the way Kubernetes has been designed. the networking is open. We have to make sure that these network policies are not accessible by external users. So we can implement the network policies using tools like Calico or Cal, Cillium to control the communication between the ports and minimize our potential attack surfaces. So we'll talk about network policies in details that how can we make sure that we have network policies to secure our infrastructure. So next we talk about the node security. so node is how our kubelet, interacts with the API will be hosted on a node. So there are, certain aspects we will talk about here. So first is the operating system hardening. How we can show, make sure that our operating system like Ubuntu or wheresoever our application is hosted, how we can make sure that all of the operating system is secure. So nodes should run a minimal hardened OS version with regular security patches. Adopting standards, such as the CIS benchmark, which is the standard benchmark for security, it's help reducing vulnerabilities at the OS level. So important thing here to. you know, notice that there is always a security patch, update from the OS level supports Ubuntu, 20. 04 is secure at a certain level, which supports a particular version of Kubernetes. Once, the Kubernetes patch new patch comes, it might not be secure. And that on that particular OS version, it's always, you have, we have to make sure that we have. Updated the OS or the kernel version with the latest security patches so we don't open our node for any kind of vulnerabilities. So operating system hardening is really important. Then we talk about the container runtime security. The container runtime security like Docker or ContainerD with what kind of, the runtime environment we use is responsible for managing our containers. So enforcing security controls like AppArmor. AppArmor or SE Linux can limit the actions containers can take protecting the host system. So we'll talk about AppArmor. we can make a profile and upload that profile or link that profile to AppArmor and make sure that only these kind of rules are allowed in our node. Like only these kind of rules we will be allowing on the node to run and certain rules. Which are not associated with the profiles will be discarded. So we'll create a profile and, filter all the rules based on the profile kind of profile we have. So we have security measures like app armor. I will share the resources that how we can use our app armors. really cool tool. it's an open source. And we can maintain our profiles with the help of AppArmor and, secure our run, container runtime. Then we talk about the kubelet security. The kubelet, which is an agent on each node, it runs as a daemon set on each node. Each of the node handles the communication with the control plane. the node interacts with the control plane with kubelet, with the kubelet and that also on a TLS secure communication. So securing the kubelet with TLS and restricting the API access prevents attacker from manipulating the node operations. So securing our kubelet is also really important because I've seen some teams, they will secure the API server, they will secure the workloads, but the kubelet security sometimes is discarded and, ignored, which, which will allow the hackers, to make any changes on the node level and it can create a lot of damage. Now we spoke about the node security. Let's talk about the actual workload security and coming to the JavaScript applications. How to secure a JavaScript application is, part of the workload security. suppose a JavaScript application is containerized on a Docker container and then, is orchestrated on Kubernetes. that JavaScript container running application will be running as a pod inside, and a pod will be having containers. initially we had used to. Call something called port security policies. They have been deprecated, but now we use, something called PSA, which is port security admission, which allows the admins to enforce security policies such as privileged baseline restricted kind of access on the port. So the basic fundamental on securing a workload is give least, privilege to a running container. means you give a least privilege that the user is not able to exec into a container and run commands on the root level. Because if any user is able to execute inside a container and run commands on a root level, that can even disrupt all the running applications that can destroy the network policies and, the user can you eventually, just do anything if they have the admin access. So the least access principle always is applicable on the workload while we are talking about security. And then we talk about runtime security that we can use tools like Falco or Aqua security. To detect some suspicious activity within the containers. So what we can do in Falco is create some rules and if we, if, if those rules are met, like we have, triggered that if we see some 5x kind of errors or, 3x kind of redirects in a container, traffic, which should not be ideally happening. So we can actually, write some Falco rules. create a Falco policy, write some rules and, trigger real time monitoring. If we see those rules are getting, break, so we can trigger alerts and notify the users with the help of runtime security. Then comes the most important part of securing our, workloads, which is managing of the secrets. So secrets are in general, some, workloads have exposed secrets, which is. Not a good practice. So we should always be using, tools like HashiCorp Vault or maybe, AWS Secrets Manager or Azure Secrets, which, whichever cloud provider you're using. So storing secrets directly in plain text with Kubernetes manifest is a common mistake. it is actually a very big mistake. if you do, and it can cause, it can expose your secrets and anybody access to that secrets. Can, run your APIs, on the cluster and, can even, change the data inside the applications and even, delete some of the important configurations in the application. So secrets management on the workload security is one of the most, important way of, securing our applications and always use, something which has been provided by the cloud provider, or, we already have HashiCorp Vault. they're, ultra secure way of, managing the secrets. So now at last, we will talk about network security, how we can secure our communication with the outside world or with the other apps. So we have something called service mesh. So like service mesh, most of the, organizations use, where they will limit the incoming traffic. And from there they will distribute the, traffic based on the network rules. commonly used service mesh are HTO or Linkerd, which add an additional layer of security by enabling a mutual TLS. So mutual TLS is very secure way of, communicating, over, a secure protocol. They encrypt the service to service communication and they make sure that, there's a very fine grained access control given to the user. So they also use their RBAC policies on the STO level and they make sure that the communication is very secure. So one is using service mesh on your network. Second is like you can use ingress and egress control. So you can control what traffic can enter and leave your, cluster by deploying an nginx ingress controller, which is a very common ingress controller. You can define your ingress rule that you want to, talk to this app. You don't want to like you restrict the traffic from this app. You can create your ingress rules on the Kubernetes cluster. So like ingress, controller also have their inbuilt network policies. So where you can restrict the external or internal, IPs, whichever IPs you want to, allow traffic to, or you don't want to allow traffic to, you can just create your network policies using the ingress control. Then we'll talk about the DDoS protection. Kubernetes clusters that are exposed to the public internet are susceptible to distributed denial of service attacks. It's a very common attack nowadays in the cyber world. So implement DDoS protection mechanisms like, again, leverage your cloud provider, use AWS Shield or there is Google Cloud Armor as well to defend against DDoS kind of attacks. So this was all about, network security. We Now, talking about the global impact of Kubernetes security. basically, what security does it, it enhances trust. So securing Kubernetes clusters, JavaScript applications running on Kubernetes clusters, we secure them, it directly impacts the trust that customers and stakeholders have in digital services. Security incidents can lead to significant reputational damage, As we, talked about before as well and erode confidence in the digital transformation efforts of organizations. So it's so important to, enhance our trust, in our end users. So protecting our critical infrastructure, Kubernetes is now a very critical part of managing infrastructure in industries like healthcare, finance and telecommunications. A security breach in these environments, suppose, some person's health data is breached. Such a, big data loss and such a, Big thing to, lose the confidence of customers providing their health data so it can actually have catastrophic effects. Global sec, cybersecurity contribution. As Kubernetes becomes, more widespread, its security becomes a vital part of the global cybersecurity ecosystem as a whole. By enhancing Kubernetes security, we protect our, broader digital landscape. working on security, cybersecurity. Sometimes I feel, I'm a cyber warrior protecting. The internet. I really feel proud of, I'm part of, securing something and helping users to, protect their data. So it's a big ownership, cyber security engineers carry with them and, working on such, cutting edge technologies like Kubernetes and learning how to leverage all this technology to protect the data is actually, amazing. open source standards like Kubernetes also is open sources. Most of the things are, actually free to use. like so much code is, posted on GitHub where we can leverage that code and secure our clusters. It basically sets a security standard for the broad and open source community, encourages them influencing the security practices of other projects. Being this open source is actually a very much, an inspiration for all to, even, use the code and even contribute to the open source community. So now, We'll do some examples on the JavaScript applications, some security considerations, which I spoke about, but I want to give some examples on that as well. So always run containers as non root users. That's a rule of thumb that, if I, if you see that always create a non root user, and never give a root kind of access. So here I've used user called app user. So I'm not giving a root kind of access. To the user implement network security, policies like restrict traffic between the ports, leverage namespace and labels, which are Kubernetes properties. And even with, using the labels, proper labels and namespace, you can secure applications like the way, examples shows that we have used, something, metadata called name allow node js, and we have pod selectors. We will match the labels. With the help of these, pod selectors and we can define rules like ingress or egress where we can, make sure that, the only this kind of namespace is allowed or only these kind of pods, which have those labels matching are being allowed, to serve the traffic and then manage secrets securely, already spoke about Kubernetes secrets and, never expose your secrets in plain text, at least have a base 64 type of encoding for your secrets and use HashiCorp Vault. They will, there's a very super way of securing your secrets. also we'll go through some security best practices. Always do or perform regular audits on your infrastructure, perform, audits of your Kubernetes configuration and ensure that all the components are configured securely, do a MFA, enforce MFA in your projects, in your organizations, encourage people to use MFA for, enforce MFA for accessing critical systems like the Kube, Kube API to add in regional layer of protection. Monitoring and alerting is always important. We can use. Leverage tools like Prometheus, Grafana, Kibana, and integrate runtime security solutions to detect any kind of suspicious behavior. So we can use our Falco rules, integrate them with, Prometheus and the user, an engineer on call can get notified of any, rules getting, if the rules are getting, break during and we can, detect vulnerabilities in that case. Also, again, pointing out, apply the least privilege principle always, always give a least privilege to any users or systems, having, they should have the minimum access necessary to perform their basic functions until and unless they're part of the admin team. Stay updated, always stay updated with the security patches. even the OS level patches and, the Kubernetes, kernel patches because, the security patches will make sure that the vulnerabilities are removed from the latest security patch and all the dependencies with the underlying OS match with those security patches. really important to focus on. Then, sharing these additional resources for you to check on like official documentation from Kubernetes, some Falco related docs, some cheat sheets of Kubernetes, sharing resources about AppArmor, SecCom, and encrypting the data at rest, really crucial for, securing, our, JavaScript applications running on these, Kubernetes clusters. also listed some couple of really, vital books, which helped me gain knowledge and, apply that, implement that knowledge, on my projects. so this is Kubernetes up and running by Kelsey Hightower, really, big, fan of this book. And then this is Node. js design patterns by, Mario. This also is a really good book if you want your expert in Node. js applications, it can really help you leverage what kind of, security measures as well as the scalable measures you can take for the JavaScript applications. And then feel free to join these communities because these are open source communities like the Kubernetes community and the Node. js community as well as the Kubernetes public slack. It's really handy to, give you the, what are the latest developments going on and, what kind of, people, issues people are having in their JavaScript applications, as well as, what kind of issues they're having in deploying these applications and running them on Kubernetes, platform. now I like, I'm almost at the, conclusion part of my talk. We have discussed a lot about security, how we can prevent our applications, from vulnerabilities, how we can at least secure our JavaScript applications running. And we also went through some examples. So concluding my talk, I will talk about, leveraging Kubernetes with JavaScript empowers developers to build scalable, resilient, as well as efficient applications by embracing containerization. Automated deployments and robust orchestration JavaScript applications can actually meet the demands of modern dynamic environments. Whether we are building microservices, real time applications, or serverless functions, the synergy between Kubernetes and JavaScript offers a very powerful foundation of innovation and growth. We saw, so much growth is possible and there's so many options for these applications to run. Kubernetes security is not just about protecting a single cluster. It's about safeguarding the critical infrastructure that businesses and societies depend on. As the adoption of Kubernetes continues to rise, securing these clusters becomes paramount to ensuring trust and security. Reliability and scalability, stability in digital systems. So by this, I'm coming to the end of my talk. I hope you guys learned here and you will take key learnings with you. it was really a privilege to speak on this conference. I just thank all the organizers to giving me an opportunity to present my thoughts. And, also thank you all my listeners who were there to, witness my talk. I hope. You really liked it. And if you have any questions, you can reach me out to the email, which is being showed on your screen. Again, it was, really a wonderful experience giving this talk and hope to connect with you guys soon in future. Thank you so much.
...

Manpreet Singh Sachdeva

Staff Software Engineer @ Walmart Global Tech

Manpreet Singh Sachdeva's LinkedIn account



Awesome tech events for

Priority access to all content

Video hallway track

Community chat

Exclusive promotions and giveaways