Shift Left Security & Zero Trust on Kubernetes Architecture

Shift Left Security is a security approach that focuses on integrating security into the software development process as early as possible, rather than waiting until the end of the development lifecycle. When it comes to Kubernetes, there are several practices and tools that can be used to implement Shift Left Security. Here are 10 bash code examples that can help you get started:

1. Check the Kubernetes API server's TLS certificate expiration date:

openssl s_client -connect ${KUBE_API_SERVER}:443 -servername ${KUBE_API_SERVER} -showcerts </dev/null 2>/dev/null | openssl x509 -noout -dates         

1. Scan Kubernetes cluster for vulnerabilities using kube-bench:

kube-bench run --targets node,master --config-dir /etc/kubernetes/kube-bench/         

1. Check the security configuration of Kubernetes deployments using kube-score:

kube-score score deployment.yaml         

1. Audit Kubernetes cluster configuration with kube-hunter:

kube-hunter         

1. Scan container images for vulnerabilities with Trivy:

trivy image --no-progress ${IMAGE_NAME}         

1. Verify Kubernetes resource manifests with kubeval:

kubeval deployment.yaml         

1. Check Kubernetes API server and controller-manager logs for suspicious activity:

kubectl logs kube-apiserver-${POD_NAME} -n kube-system kubectl logs kube-controller-manager-${POD_NAME} -n kube-system         

1. Restrict Kubernetes API access with RBAC:

kubectl create role pod-reader --verb=get --resource=pods --namespace=default kubectl create rolebinding read-pods --role=pod-reader --user=alice --namespace=default         

1. Enforce pod security policies with the admission controller:

kubectl create -f https://raw.githubusercontent.com/kubernetes/examples/master/policy/pod-security-policy/policy.yaml kubectl create clusterrolebinding psp-privileged --clusterrole=psp:privileged --group=system:authenticated         

1. Use network policies to restrict network access to pods:

kubectl create -f https://raw.githubusercontent.com/ahmetb/kubernetes-network-policy-recipes/master/05-deny-all-egress.yaml kubectl create -f https://raw.githubusercontent.com/ahmetb/kubernetes-network-policy-recipes/master/06-allow-http-egress.yaml         

Note: These are just a few examples of how to implement Shift Left Security on Kubernetes. The specific tools and techniques you use will depend on your organization's security requirements and development practices.

Zero trust is an approach to security that assumes that everything inside or outside a system is untrusted until proven otherwise. In the context of Kubernetes architecture, this means that all network traffic, both internal and external, should be considered untrusted and subject to strict access control and encryption.

Here are 10 Bash code examples that can help to implement zero trust on a Kubernetes architecture:

1. Enable network policies:

kubectl create namespace secure kubectl label namespace secure istio-injection=enabled kubectl apply -f network-policy.yaml -n secure         

This code creates a new namespace called "secure" and applies a network policy to it, which limits the communication between pods and services to only the necessary ones.

1. Use TLS encryption:

kubectl create secret tls my-tls-secret --cert=mycert.crt --key=mykey.key kubectl apply -f tls-ingress.yaml         

This code creates a secret containing a TLS certificate and key, and applies it to an ingress resource, ensuring that all communication between the client and the Kubernetes cluster is encrypted.

1. Enable RBAC:

kubectl create serviceaccount admin -n secure kubectl create clusterrolebinding admin --clusterrole=cluster-admin --serviceaccount=secure:admin         

This code creates a new service account called "admin" in the "secure" namespace and assigns the "cluster-admin" role to it, ensuring that only authorized users can access the Kubernetes API.

1. Use Pod Security Policies:

kubectl apply -f pod-security-policy.yaml kubectl create rolebinding psp-admin --clusterrole=psp-admin --serviceaccount=secure:admin -n secure         

This code applies a Pod Security Policy to the "secure" namespace, ensuring that pods are only created with the necessary security features, and assigns the "psp-admin" role to the "admin" service account.

1. Use Container Security Contexts:

kubectl apply -f container-security-context.yaml kubectl apply -f my-deployment.yaml         

This code applies a Container Security Context to a deployment, ensuring that containers are only run with the necessary security features, such as running as a non-root user.

1. Use Network Security Contexts:

kubectl apply -f network-security-context.yaml kubectl apply -f my-pod.yaml         

This code applies a Network Security Context to a pod, ensuring that it only has the necessary network capabilities, such as not being able to listen on privileged ports.

1. Use Pod Resource Limits:

kubectl apply -f pod-resource-limits.yaml kubectl apply -f my-deployment.yaml         

This code applies resource limits to a deployment, ensuring that pods are only given the necessary resources to run, and preventing resource exhaustion attacks.

1. Use Network Policies for Ingress Traffic:

kubectl apply -f ingress-network-policy.yaml         

This code applies a network policy to the ingress traffic, ensuring that only authorized clients can access the Kubernetes cluster.

1. Use Service Accounts with RBAC:

kubectl create serviceaccount my-service-account -n secure kubectl apply -f service-account-rbac.yaml         

This code creates a new service account called "my-service-account" in the "secure" namespace, and applies a role-based access control policy to it, ensuring that only authorized users can access the service account.

1. Use Pod Disruption Budgets:

kubectl apply -f pod-disruption-budget.yaml         

This code applies a Pod Disruption Budget to a deployment, ensuring that only a limited number of pods are disrupted at any given time, and preventing disruption attacks.

These are just a few examples of how to implement zero trust on a Kubernetes architecture using Bash.