
The Hitchhikers Guide to Container Security - Tunde Olu

2021-10-14

Authors: Jed Salazar, Tunde Olu-Isa


Summary

The presentation discusses container security in Kubernetes and how to create security policies to protect the cluster and its users.
  • Introduction to the riskiest privileges that Pods can request
  • Explanation of what enabling privileged means
  • Importance of creating security policies to protect the cluster and its users
  • Anecdote about a container named Paulie hitchhiking on a node named Gnome
The presentation tells the story of a container named Paulie who hitchhikes on a node named Gnome. Paulie used to run in a dedicated VM environment but decided to hitchhike on a node as a container instead. Along the way it explains that containers are Linux processes running in the context of namespaces, which give each container isolated resources such as volumes and networking. It also includes a demo that takes advantage of a Kubernetes bug by injecting an "incognito" pod that runs inside a Kubernetes namespace that does not exist, and it closes by stressing the importance of creating security policies to protect the cluster and its users.

Abstract

You’ve seen the Kubernetes security announcements: CAP_NET_RAW rogue advertisements, runc breakout, hostNetwork hijack... oh my! It seems that the best you can do is keep up with patching, but often these vulnerabilities take advantage of overly permissive Pods. In this talk, we’ll introduce the riskiest privileges that Pods can request, what allowing those privileges means for your cluster, and how to create security policy to protect your cluster and its users. If you’ve ever wondered “what does enabling privileged actually mean?”, hitch a ride on a whirlwind, fun guide to the basics of Pod security and how you can easily configure security policy to keep Kubernetes safe. Any level of experience can benefit from learning about the riskiest privileges Pods can request and reducing the threats in your environment by running your workloads safely.
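
As an added illustration (not material from the talk), the manifest below shows the three privileges the abstract names (privileged, hostNetwork, CAP_NET_RAW) requested by a Pod, beside the same workload written to satisfy the built-in Pod Security Admission "restricted" profile; the namespace name and image are assumed placeholders.

```yaml
# Namespace with Pod Security Admission enforcing the "restricted" profile.
# Pods that do not meet it are rejected at admission, not merely logged.
apiVersion: v1
kind: Namespace
metadata:
  name: hitchhikers                      # assumed namespace name
  labels:
    pod-security.kubernetes.io/enforce: restricted
    pod-security.kubernetes.io/enforce-version: latest
    pod-security.kubernetes.io/warn: restricted
    pod-security.kubernetes.io/audit: restricted
---
# Rejected: requests the risky privileges named in the abstract.
apiVersion: v1
kind: Pod
metadata:
  name: paulie-risky
  namespace: hitchhikers
spec:
  hostNetwork: true                      # shares the node's network namespace
  containers:
  - name: app
    image: example.com/app:1.0           # placeholder image
    securityContext:
      privileged: true                   # container gets full access to the node
      capabilities:
        add: ["NET_RAW"]                 # raw sockets, disallowed even by "baseline"
---
# Admitted: same workload with the settings the restricted profile requires.
apiVersion: v1
kind: Pod
metadata:
  name: paulie-safe
  namespace: hitchhikers
spec:
  securityContext:
    runAsNonRoot: true                   # image must not run as UID 0
    seccompProfile:
      type: RuntimeDefault               # runtime's default syscall filter
  containers:
  - name: app
    image: example.com/app:1.0           # placeholder image
    securityContext:
      allowPrivilegeEscalation: false    # blocks setuid/file-capability escalation
      capabilities:
        drop: ["ALL"]                    # start from zero capabilities
```

Before turning on enforce for an existing namespace, `kubectl label --dry-run=server --overwrite ns hitchhikers pod-security.kubernetes.io/enforce=restricted` reports which running Pods would be refused, so policy can be tightened without breaking workloads unexpectedly.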

Materials: