Google Cloud Container Security Quick Overview
1 like518 views
This document provides an overview of Google Cloud's container security features and best practices. It covers key aspects such as IAM policies, workload protection, vulnerability scanning, and components of Google Kubernetes Engine security, including control plane management and node security. Additionally, it highlights integration with third-party security solutions and emphasizes the importance of compliance and security across hybrid cloud environments.
Google Cloud Container Security Quick Overview
- 1. Google Cloud Container Security QuickView Lightning talk of 5-10 minutes.... Krishna Kumar – CNCF Ambassador
- 2. Google Cloud Security – Console View – First Look https://console.cloud.google.com/
- 3. Google Compute Engine Security Google cloud Identity service - IAM IAM Policies & Organization level policies Effectively design the hierarchy Apply Leave privileaged access policy mode Create security groups with conceptual roles instead randiomly creating users and groups Like One top account create/set polciies & service acconts only and the other accounts apply it. Unmanaged credentials night mare! Key Management Services (KMS) VPC network can be managed/deleted as needed Rootkits & Bootkits for VM hardening Tools – AuditLogs, CSCC, KMS Resource Hierarchy in general
- 4. Google Container Security Infrastructure Security Software Supply Chain Security Run time Security Cloud IAM, RBAC Google container Registry Stackdriver – monitoring, Attack profiles Compliance Certifications Security Vulnerability Scanning Anomolous detection by third party products like Twistlocks, acqua, sysdig Cloud Audit Logging Secure base images Cloud SCC Container Optimized minimal OS, Node auto upgrade Regular builds Isolation gVisor sandbox Network policy, Private clusters, Shared VPC Deployment policies, Binary authorization Runtime detection – host, network, workload, Boot
- 5. Google Kubernetes Engine Security Managed Security by Google ● Control plane security – Google does the control plane management (Mater VM, Scheduler, Cntroll manager, API server, etcd, CA, IAM, logging to stackdriver,) & Patching the contol plane. ● Node security – Google handles K8s comoponents, COS (Chromium OS), logging & monitoring. Autoupgarde & security patches automatically rolled out. Manage base images. – Live migration: Node auto upgrade is like adding new node and drain the work from old. ● Workloads: User need to secure workloads. Protect the secret with Cloud KMS or KMS plugin (Vault).
- 6. Hardening GKE ● Disable the Kubernetes web UI (Dashboard) ● Restrict Cluster discovery RBAC permission & binary authentication ● Restrict Traffic Among Pods with a Network Policy & Pod security policy ● Use Least Privilege Service Accounts for your Nodes ● Restrict your Node Service Account Scopes & Client Authentication Methods ● Protect node metadata & Automatically upgrade nodes ● Authorized networks & meta data concealment ● Google Container Registry (GCR) Vulnerability Scanning ● Third party container security. ● Read secuity bulletins – Vulnerabilties and solutiond
- 7. GKE Istio Security Istio, a service mesh implementation, on GKE is an add-on. ● The version of Istio installed is tied to the GKE version, and you will not be able to update them independently. ● Pilot: ● Istio Auth ensures that services with sensitive data can only be accessed ● Istio RBAC provides namespace-level, service-level, and method-level access control ● Mixer: ● Istio config policy on server side not client side. ● Citadel: ● MutualTLS authentication - both service-to-service and end-user-to-service ● Automates key and certificate generation, distribution, rotation, and revocation.
- 8. Anthos Security ● Single pane of glass visibility across all clusters ● Service-centric view of your infrastructure ● Configuration management & Compliance centralized ● Istio providing in-cluster mTLS and certificate management. ● 3rd party marketplace Hybrid cloud solutions: Anthos relies on Google Kubernetes Engine (GKE) and GKE On-Prem to manage Kubernetes installations in the environments
- 9. Google Cloud Partner Security ● Splunk ● Palo alto Networks ● Checkpoint ● F5 ● Brocade ● Nginx ● Symantec ● Cisco ● Hashicorp ● Acqua ● Blackduck ● Twistlock ● Stackrox ● & more...... With 3rd party providers, GCP Protects a wide variety of hybrid cloud solutions and data.