Last week the Cloud Native Computing Foundation (CNCF) hosted KubeCon + CloudNativeCon Europe. As the first of CNCF’s two hosted events, KubeCon EU was entirely virtual, with all recorded sessions and content generally available to the public. As an attendee of the event, I wanted to share my top security talks for the week with you.
For the next two weeks, the sessions are gated to attendees who purchased a ticket. After that, the content will be uploaded to YouTube and become publicly available. I will link to the gated sessions for now and update this post when the content becomes public.
With all of that out of the way, here are my top 10 selections.
Taking security to the 101 session track, Ellen and Tabitha walk through the typical workflows that users (or attackers) use to navigate a Kubernetes cluster, staged as well-produced scenes that highlight the various Kubernetes security features and how they can be misused. From exploring RBAC permissions to leveraging existing tooling and exploiting known CVEs, Tabitha and Ellen make Kubernetes security education both informative and fun.
If you’re looking for a more technical talk, Lorenzo draws on his years of Kubernetes and security experience to demonstrate how attackers avoid detection in Kubernetes. After reviewing a few standard methods of hiding on a Linux host, Lorenzo explains what you can do to mitigate the risks and root out bad actors. Lorenzo is a maintainer of the Falco project and the author of “Linux Observability with BPF”, and his sessions are consistently worth watching.
The Cloud Native Security Day brought excellent, focused content to the event this year, including a great capture the flag (CTF) session for attendees. Each attendee was given a Kubernetes cluster, 60 minutes, and 6 flags to capture. Challenges like this make the event collaborative, competitive, and much more fun, so thank you to Andrew, Lewis, and everyone involved in the setup and execution.
There will be a formal write-up about the CTF and how to capture all 6 flags. I will update the links as soon as I learn more.
Aeva does a fantastic job of delivering a concise and accurate discussion of isolation models and data protection. Confidential Computing is focused on protecting data in use (as opposed to data at rest or in transit), typically by running workloads inside hardware-backed trusted execution environments. If you want to understand more about confidential computing, I highly recommend Aeva’s session, and you can check out Brendan Burns’s article in The New Stack to learn more.
We Didn’t Start the Fire: Communication Breakdowns and How to Prevent Them
Speakers: Ian Coldwater & Kat Cosgrove
Communication, documentation, and general information dissemination are on display in this entertaining talk by Ian Coldwater and Kat Cosgrove. The pair assess a few issues troubling the community, such as the slow adoption of newer Kubernetes versions, the deprecation of dockershim, and the future deprecation of Pod Security Policies (PSP).
Along with a bit of humor, this session gives an interesting perspective on previous project decisions and how to handle communication better in the future.
I had the privilege of seeing the Hierarchical Namespace Controller (HNC) in action during a CNCF meetup earlier this year. HNC lets you arrange namespaces into a tree and propagates objects such as RBAC Roles and RoleBindings (and, if configured, other resources like NetworkPolicies) from parent to child namespaces, which makes it an excellent tool for writing composable, multi-namespace policies and enables a more “self-service” approach to namespace management. Pairing HNC with Kyverno makes this abstraction even more powerful. Jim and Adrian showcase two handy tools that help cluster administrators in their day-to-day.
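To make the HNC + Kyverno pairing concrete, here is an added example (my own, not from the talk or from either project’s docs): a team-owned parent namespace, a RoleBinding that HNC propagates into every child, a subnamespace anchor the team can create itself, and a Kyverno policy that stamps a default-deny NetworkPolicy into every namespace in that subtree. The names (team-a, team-a-dev, team-a-devs) are assumptions; the `<root>.tree.hnc.x-k8s.io/depth` label is the one HNC applies to namespaces in a tree.

```yaml
# Parent namespace owned by the platform team.
apiVersion: v1
kind: Namespace
metadata:
  name: team-a
---
# Granted once in the parent. HNC copies Roles and RoleBindings into every
# descendant namespace by default, so the group keeps the same access in
# each child without a separate binding per namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: team-a-edit
  namespace: team-a
subjects:
  - kind: Group
    name: team-a-devs          # assumed group name
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: edit
  apiGroup: rbac.authorization.k8s.io
---
# Self-service: anyone allowed to create SubnamespaceAnchor objects in team-a
# gets a child namespace named after the anchor (team-a-dev), with no
# cluster-admin involvement. The child inherits the RoleBinding above.
apiVersion: hnc.x-k8s.io/v1alpha2
kind: SubnamespaceAnchor
metadata:
  name: team-a-dev
  namespace: team-a
---
# Kyverno fills the gap HNC does not: every namespace one level below team-a
# (HNC labels it team-a.tree.hnc.x-k8s.io/depth="1") gets a default-deny
# ingress NetworkPolicy generated and kept in sync.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: team-a-default-deny
spec:
  rules:
    - name: generate-default-deny-ingress
      match:
        resources:
          kinds:
            - Namespace
          selector:
            matchLabels:
              team-a.tree.hnc.x-k8s.io/depth: "1"
      generate:
        kind: NetworkPolicy
        name: default-deny-ingress
        namespace: "{{request.object.metadata.name}}"
        synchronize: true
        data:
          spec:
            podSelector: {}
            policyTypes:
              - Ingress
```

After applying this, `kubectl hns tree team-a` (the HNC kubectl plugin) should show team-a-dev under team-a, and `kubectl get rolebinding,networkpolicy -n team-a-dev` should show both the propagated binding (HNC marks copies with an `hnc.x-k8s.io/inherited-from` label) and the generated policy. The selector on the depth label is my choice; matching on `team-a.tree.hnc.x-k8s.io/depth` without a value would cover the whole subtree at any depth.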
For a change of pace, check out Seth McCombs and his breakdown of why you should use managed Kubernetes. In my day-to-day there is a constant conversation about managed Kubernetes, what it gets us, and how I can make sure it is secure. Seth does a great job reviewing the considerations that come with managed Kubernetes, along with the pitfalls of managing your own clusters.
Uncovering a Sophisticated Kubernetes Attack in Real-Time
Speakers: Jed Salazar & Natália Réka Ivánkó
eBPF has been a growing topic over the last year. With multiple eBPF discussions at KubeCon this year, it was tough to select a single one. Natália and Jed do a fantastic job explaining the high-level benefits of eBPF and demonstrating its practical use in a demo. If you want to learn more about eBPF, we recently did an office hours discussing its implementation and use cases.
If you still want more eBPF, Natália had a second talk titled: Top 5 Concerns Every InfoSec Team Has And How To Overcome Them With eBPF.
The deprecation of Pod Security Policies (PSP), which began in Kubernetes 1.21, forces the discussion about how to replace it. There is an ongoing conversation about how Kubernetes will enforce pod security settings in-tree, but this area is still open for debate. The Security Profiles Operator is an out-of-tree Kubernetes enhancement that manages Linux security features like seccomp, AppArmor, and SELinux: you define profiles as Kubernetes custom resources, and the operator installs them on each node so that pods can reference them from their securityContext.
Make sure you have a plan for the PSP deprecation; it’s worth knowing all the options available to you.
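As an added example of what the Security Profiles Operator workflow looks like in practice (my own illustration, not from the talk or the operator’s docs): a seccomp profile defined as a `SeccompProfile` custom resource, and a Pod that loads it through the standard `securityContext.seccompProfile` field. The namespace, profile and pod names (web-frontend, web-minimal, web) and the syscall allow list are assumptions; a real allow list should be derived from recording the workload, not copied from here.

```yaml
# Profile managed by the Security Profiles Operator. The operator writes it
# to each node under the kubelet seccomp root as
# operator/<namespace>/<name>.json and reports status "Installed".
apiVersion: security-profiles-operator.x-k8s.io/v1beta1
kind: SeccompProfile
metadata:
  name: web-minimal
  namespace: web-frontend
spec:
  # Deny-by-default. SCMP_ACT_ERRNO fails the syscall with EPERM instead of
  # killing the process (SCMP_ACT_KILL), so a missing syscall shows up as an
  # application error in the logs while you tune the list.
  defaultAction: SCMP_ACT_ERRNO
  architectures:
    - SCMP_ARCH_X86_64
  syscalls:
    - action: SCMP_ACT_ALLOW
      names:          # illustrative subset for a static HTTP server
        - accept4
        - bind
        - brk
        - clock_gettime
        - close
        - epoll_create1
        - epoll_ctl
        - epoll_wait
        - exit_group
        - fstat
        - futex
        - getpid
        - listen
        - mmap
        - munmap
        - openat
        - read
        - recvfrom
        - rt_sigaction
        - rt_sigprocmask
        - sendfile
        - setsockopt
        - socket
        - write
        - writev
---
# Consumer: a plain Pod spec. Nothing here is operator-specific; the
# Localhost type resolves the path relative to the kubelet seccomp root,
# which is where the operator placed the JSON above.
apiVersion: v1
kind: Pod
metadata:
  name: web
  namespace: web-frontend
spec:
  securityContext:
    seccompProfile:
      type: Localhost
      localhostProfile: operator/web-frontend/web-minimal.json
  containers:
    - name: web
      image: nginx:1.21
      securityContext:
        allowPrivilegeEscalation: false
```

Check `kubectl get seccompprofile -n web-frontend` before creating the Pod; until the profile shows as installed, the kubelet will reject the Pod because the Localhost file does not exist yet. The value of doing this through the operator rather than hand-copying JSON to nodes is exactly the PSP-replacement point above: the profile is a versioned, namespaced Kubernetes object that an admission policy can require, rather than node state nobody audits.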
Protecting Ourselves from CNCFgate. Software Supply Chain Security at CNCF - Practices, and Tools
Speakers: Andres Vega, Emily Fox & Jonathan Meadows
Supply chain security is a constant conversation in today’s world, and what better way to discuss it than with the CNCF SIG-Security Supply Chain Working Group. Andres, Emily, and Jonathan give a brief session discussing the tools and practices you can put in place to secure your software supply chain. They also outline future improvements from upcoming projects like Sigstore.
KubeCon North America will be October 12-15 in Los Angeles. It is currently advertised as a hybrid event, which means more online content for us to watch. The call for papers is still open; Sunday, May 23, is the final date to submit your session details.
I hope to be watching your session in October!