Orchestrating Least Privilege by Diogo Monica
Transcript of Orchestrating Least Privilege by Diogo Monica
Orchestrating Least Privilege
What is an Orchestrator?
What is an Orchestra?
SWARM
Job of a Conductor
- Casting
- Assign sheet music
- Unify performers
- Set the tempo
Job of an Orchestrator
- Node management
- Task assignment
- Cluster state reconciliation
- Resource management
What is a Least Privilege Orchestrator?
What is Least Privilege?
A process must be able to access only the information and resources that are necessary for its legitimate purpose.
(Principle of Least Privilege)
Why Least Privilege?
What do we need to achieve Least Privilege Orchestration?
Mitigating External Attacker
-Externally accessible service ports are explicitly defined
-Administration endpoints are authenticated and authorized
Mitigating Internal Network Attacker
-Authentication of both network and cluster control-plane communication
-Service to service communication is authorized, with orchestrator managed ACLs
Mitigating MiTM Attacker
-All control and data-plane traffic is encrypted.
Mitigating Malicious Worker
‣ Should only have access to resources currently in use
‣ Push VS Pull
‣ No ability to modify or access any cluster state except their own.
‣ Identity is assigned, never requested
Mitigating Malicious Manager
‣ Can’t run arbitrary code on workers
‣ No access to secret material
‣ No ability to spin up unauthorized nodes/impersonate existing nodes.
‣ No ability to read service-to-service communication
Byzantine Consensus.
SWARM
Mutual TLS by default
• First node generates a new self-signed CA.
• New nodes can get a certificate issued w/ a token.
• Workers and managers identified by their certificate.
• Communications secured with Mutual TLS.
The Token
SWMTKN-1-mx8susrv1etsmc8omaom825bet6-cm6zts22rl4hly2
- SWMTKN: prefix to allow VCS searches for leaked tokens
- 1: token version
- mx8susrv1etsmc8omaom825bet6: cryptographic hash of the CA root certificate, for bootstrap
- cm6zts22rl4hly2: randomly generated secret
Bootstrap
1. Retrieve and validate Root CA Public key material.
2. Submit new CSR along with secret token.
3. Retrieve the signed certificate.
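The token layout and bootstrap steps 1 and 2, as an added worked example in Go. This is not code from the talk or from Docker/SwarmKit: it parses the SWMTKN prefix, version, CA digest and secret, pins the root CA the joining node fetched to the digest carried in the token, and has the manager check the presented secret in constant time. The digest algorithm (SHA-256, hex), the 16-byte base36 secret and the stand-in certificate bytes are this example's assumptions; the slide does not specify them.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
	"math/big"
	"strings"
)

// ParseJoinToken splits the SWMTKN-<version>-<CA digest>-<secret> layout shown on
// the slide into its two payload fields. Only token version 1 is accepted.
func ParseJoinToken(tok string) (caDigest, secret string, err error) {
	p := strings.Split(tok, "-")
	if len(p) != 4 || p[0] != "SWMTKN" {
		return "", "", errors.New("not a swarm join token")
	}
	if p[1] != "1" {
		return "", "", errors.New("unsupported join token version " + p[1])
	}
	if p[2] == "" || p[3] == "" {
		return "", "", errors.New("join token is missing CA digest or secret")
	}
	return p[2], p[3], nil
}

// CADigest pins the root CA: hex SHA-256 over the certificate bytes. The slide does
// not say which hash or encoding Swarm uses, so this choice is the example's assumption.
func CADigest(caCert []byte) string {
	sum := sha256.Sum256(caCert)
	return hex.EncodeToString(sum[:])
}

// NewJoinToken is what a manager hands out: the CA digest plus a fresh 128-bit
// random secret, base36-encoded so the token stays a single shell-safe word.
func NewJoinToken(caCert []byte) (string, error) {
	var s [16]byte
	if _, err := rand.Read(s[:]); err != nil {
		return "", err
	}
	return "SWMTKN-1-" + CADigest(caCert) + "-" + new(big.Int).SetBytes(s[:]).Text(36), nil
}

// VerifyRootCA is bootstrap step 1 on the joining node: the CA it fetched over the
// untrusted network is accepted only if it matches the digest pinned in the token,
// which is what stops an on-path attacker from substituting their own CA.
func VerifyRootCA(tok string, fetchedCACert []byte) error {
	want, _, err := ParseJoinToken(tok)
	if err != nil {
		return err
	}
	if want != CADigest(fetchedCACert) {
		return errors.New("root CA digest mismatch: fetched CA is not the one the token pins")
	}
	return nil
}

// CheckJoinSecret is the manager's side of step 2: the secret presented alongside
// the CSR must equal the one the cluster issued (constant-time comparison).
func CheckJoinSecret(issuedTok, presentedTok string) error {
	_, want, err := ParseJoinToken(issuedTok)
	if err != nil {
		return err
	}
	_, got, err := ParseJoinToken(presentedTok)
	if err != nil || subtle.ConstantTimeCompare([]byte(want), []byte(got)) != 1 {
		return errors.New("join secret rejected")
	}
	return nil
}

func main() {
	// Constructed stand-ins for the genuine root CA and a substituted one.
	realCA, rogueCA := []byte("constructed-root-ca-cert"), []byte("constructed-rogue-ca-cert")
	tok, _ := NewJoinToken(realCA)
	fmt.Println(tok)
	fmt.Println("real CA accepted:", VerifyRootCA(tok, realCA) == nil)
	fmt.Println("rogue CA accepted:", VerifyRootCA(tok, rogueCA) == nil)
}
```

The point of carrying the CA digest inside the token is that the joining node never has to trust the first manager it reaches: whatever certificate comes back over the wire is checked against a value the operator obtained out of band, and the secret is only ever sent to a manager that passed that check.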
Automatic Certificate Rotation
1. Submit new CSR using old key-pair.
2. Retrieve the new signed certificate.
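The CSR issuance of bootstrap step 3 and the rotation flow above, as an added worked example in Go using only the standard library. It is not code from the talk or from Docker/SwarmKit: the first node creates a self-signed CA, a node submits a CSR that the manager signs into a short-lived leaf certificate, and a rotation request is honoured only when it is backed by a certificate this CA issued and asks for the same identity that certificate already carries (identity is assigned, never requested). The node name "worker-1", the 90-day leaf lifetime and the P-256 keys are assumptions of this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// NewSelfSignedCA mirrors "first node generates a new self-signed CA".
func NewSelfSignedCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "swarm-ca"},
		NotBefore: time.Now(), NotAfter: time.Now().Add(5 * 365 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// NewNodeCSR is the node's side of a bootstrap or rotation request: a CSR for
// the given key pair, naming the node ID the manager assigned.
func NewNodeCSR(nodeID string, key *ecdsa.PrivateKey) ([]byte, error) {
	return x509.CreateCertificateRequest(rand.Reader,
		&x509.CertificateRequest{Subject: pkix.Name{CommonName: nodeID}}, key)
}

// SignNodeCSR is the manager's signing step (bootstrap step 3). The CSR's own
// signature proves the requester holds the private key; the issued certificate
// is a short-lived leaf usable on both sides of mutual TLS.
func SignNodeCSR(ca *x509.Certificate, caKey *ecdsa.PrivateKey, csrDER []byte) (*x509.Certificate, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err == nil {
		err = csr.CheckSignature()
	}
	if err != nil {
		return nil, err
	}
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: csr.Subject,
		NotBefore: time.Now(), NotAfter: time.Now().Add(90 * 24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, csr.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// RotateNodeCert is automatic rotation as the slide describes it: the request is
// authenticated by the node's current, CA-issued certificate (the "old key pair"),
// and the new CSR may only name the identity already assigned to that node.
func RotateNodeCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, current *x509.Certificate, csrDER []byte) (*x509.Certificate, error) {
	if err := current.CheckSignatureFrom(ca); err != nil {
		return nil, errors.New("current certificate was not issued by the cluster CA")
	}
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	if csr.Subject.CommonName != current.Subject.CommonName {
		return nil, errors.New("identity is assigned, not requested: CSR names a different node")
	}
	return SignNodeCSR(ca, caKey, csrDER)
}

func main() {
	ca, caKey, _ := NewSelfSignedCA()
	nodeKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	csr, _ := NewNodeCSR("worker-1", nodeKey)
	cert, err := SignNodeCSR(ca, caKey, csr)
	fmt.Println("bootstrap issued:", err == nil && cert.Subject.CommonName == "worker-1")
	renewCSR, _ := NewNodeCSR("worker-1", nodeKey)
	_, err = RotateNodeCert(ca, caKey, cert, renewCSR)
	fmt.Println("rotation issued:", err == nil)
	badCSR, _ := NewNodeCSR("manager-1", nodeKey) // a worker trying to rename itself
	_, err = RotateNodeCert(ca, caKey, cert, badCSR)
	fmt.Println("identity change refused:", err != nil)
}
```

In a real deployment the "authenticated by the current certificate" step is the mutual TLS handshake on the manager's CA endpoint rather than an explicit argument; the identity check is what keeps rotation from becoming a path for a worker to promote itself, which is the malicious-worker case from the earlier slides.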
Support for External CAs
• Managers support BYO CA.
• Forwards CSRs to external CA.
Demo
Thank you