
Using the eBPF Superpowers To Generate Kubernetes Security Policies

2022-10-26

Authors: Alban Crequy, Mauricio Vásquez Bernal


Summary

The presentation discusses how eBPF-based tools can generate initial security policies (seccomp profiles, capability restrictions) and network policies for Kubernetes workloads from the behaviour they observe, and why keeping those policies current is hard once the application changes.
  • eBPF-based tools can produce a first version of a workload's security policies by recording what the application actually does, instead of asking someone who did not write it to guess
  • Network policies are generated from captured traffic and enriched with Kubernetes metadata, so a rule names the peer workload rather than the IP address the tracer happened to see
  • Maintaining policies over time is challenging: a new release of an application may need additional capabilities or system calls, and a profile generated from the old release will then break it
  • Regenerating policies automatically from fresh captures is not reliable without human supervision
If a policy is updated automatically whenever the application's observed behaviour changes, malicious activity that happens to be in the capture is silently allowed and goes unnoticed. Developers therefore need to understand what the tools emit and check that the generated profile makes sense for their application before applying it. The speaker also discusses the difficulty of consolidating generated network policies, so that several observed flows to the same peer collapse into one rule, and of producing policies that users can actually read.

Abstract

Kubernetes has several security mechanisms that can be used to secure your applications:
  • limit network connectivity with network policies
  • block some system calls with seccomp profiles
  • restrict access to some Linux capabilities in security contexts

Defining those policies is difficult. It usually happens that the team defining them is not the one that created the application, hence they might not have a good enough view of the architecture to know how to write them. We will present and demo different ways to automatically generate the three different kinds of policies mentioned above by monitoring the application's events with the following eBPF-based tools:
  • Inspektor Gadget
  • Kubernetes Security Profiles Operator
  • oci-seccomp-bpf-hook

We'll discuss the limitations of this approach and the future ahead of these tools. Finally, we will explain how applications can be audited to see if the security policies are respected.
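A worked example of the generation step that both the summary and the abstract describe, added here by the editor; it is not code from the talk, nor from Inspektor Gadget, the Security Profiles Operator or oci-seccomp-bpf-hook. It takes hand-written syscall and connection events in roughly the shape an eBPF tracer reports (constructed sample data, not real captures), derives a seccomp allow-list profile and a NetworkPolicy from them, consolidates repeated flows and multiple ports to the same peer into a single rule, and, rather than merging a later capture automatically, reports which syscalls the existing profile would block so that a human can decide whether the new behaviour is a legitimate upgrade. The event field names, the x86_64-only architecture list, the `<app label>-generated` policy name and the choice to always list both policy types are assumptions of this example.

```python
"""Derive a seccomp profile and a NetworkPolicy from eBPF-style events.
Added example with an invented event format; real tracers have their own."""
import json
from collections import defaultdict

# The workload we generate policies for (constructed sample data).
WORKLOAD = {"namespace": "shop", "pod": "frontend-7d9f", "labels": {"app": "frontend"}}


def syscall_event(name, pod="frontend-7d9f", namespace="shop"):
    """Constructed syscall event, as a tracer might report it per pod."""
    return {"namespace": namespace, "pod": pod, "syscall": name}


def flow_event(direction, proto, port, peer):
    """Constructed connection event for the sample workload."""
    return {**WORKLOAD, "direction": direction, "proto": proto, "port": port, "peer": peer}


# Constructed sample captures (hand-written, not the output of any real tool).
SYSCALL_EVENTS = [syscall_event(n) for n in ["read", "write", "read", "epoll_wait", "connect"]]
SYSCALL_EVENTS.append(syscall_event("mmap", pod="backend-1a2b"))  # other pod, must be ignored

BACKEND = {"kind": "pod", "namespace": "shop", "labels": {"app": "backend"}}
DNS = {"kind": "pod", "namespace": "kube-system", "labels": {"k8s-app": "kube-dns"}}
NETWORK_EVENTS = [
    flow_event("egress", "TCP", 8080, BACKEND),
    flow_event("egress", "TCP", 8080, BACKEND),  # repeated flow: must not yield a second rule
    flow_event("egress", "TCP", 9090, BACKEND),  # same peer, second port: merged into one rule
    flow_event("egress", "UDP", 53, DNS),
    flow_event("egress", "TCP", 443, {"kind": "external", "ip": "203.0.113.10"}),
    flow_event("ingress", "TCP", 8000,
               {"kind": "pod", "namespace": "ingress-nginx", "labels": {"app": "ingress"}}),
]


def events_for_pod(events, namespace, pod):
    return [e for e in events if e["namespace"] == namespace and e["pod"] == pod]


def seccomp_profile(events, namespace, pod):
    """Allow-list profile: every syscall observed for the pod is allowed,
    anything else fails with EPERM. The architecture list is an assumption."""
    names = sorted({e["syscall"] for e in events_for_pod(events, namespace, pod)})
    return {
        "defaultAction": "SCMP_ACT_ERRNO",
        "architectures": ["SCMP_ARCH_X86_64"],
        "syscalls": [{"names": names, "action": "SCMP_ACT_ALLOW"}],
    }


def blocked_by_profile(profile, events, namespace, pod):
    """Syscalls in a newer capture that the existing profile would reject.
    Returned for human review instead of being merged: the new behaviour may
    be a legitimate upgrade, or an attacker's activity in the capture."""
    allowed = {n for r in profile["syscalls"] if r["action"] == "SCMP_ACT_ALLOW" for n in r["names"]}
    seen = {e["syscall"] for e in events_for_pod(events, namespace, pod)}
    return sorted(seen - allowed)


def peer_selector(peer, namespace):
    """Turn a captured peer into a NetworkPolicyPeer built from Kubernetes
    metadata (labels, namespace) rather than the IP the tracer saw."""
    if peer["kind"] == "external":
        return {"ipBlock": {"cidr": peer["ip"] + "/32"}}
    sel = {"podSelector": {"matchLabels": dict(peer["labels"])}}
    if peer["namespace"] != namespace:
        # kubernetes.io/metadata.name is set automatically on every namespace.
        sel["namespaceSelector"] = {"matchLabels": {"kubernetes.io/metadata.name": peer["namespace"]}}
    return sel


def network_policy(events, namespace, pod):
    """One NetworkPolicy for the pod's labels; all ports seen towards the
    same peer in the same direction are consolidated into a single rule."""
    mine = events_for_pod(events, namespace, pod)
    if not mine:
        raise ValueError(f"no flows captured for {namespace}/{pod}")
    labels = mine[0]["labels"]
    ports = defaultdict(set)  # (direction, peer as canonical JSON) -> {(proto, port)}
    for e in mine:
        key = (e["direction"], json.dumps(peer_selector(e["peer"], namespace), sort_keys=True))
        ports[key].add((e["proto"], e["port"]))
    rules = {"ingress": [], "egress": []}
    for (direction, peer_json), pp in sorted(ports.items(), key=lambda kv: kv[0]):
        rules[direction].append({
            "from" if direction == "ingress" else "to": [json.loads(peer_json)],
            "ports": [{"protocol": proto, "port": port} for proto, port in sorted(pp)],
        })
    return {
        "apiVersion": "networking.k8s.io/v1",
        "kind": "NetworkPolicy",
        "metadata": {"name": f"{labels.get('app', pod)}-generated", "namespace": namespace},
        "spec": {
            "podSelector": {"matchLabels": dict(labels)},
            # Listing both types makes a direction with no rules denied rather
            # than left open, which is the safe reading of "nothing observed".
            "policyTypes": ["Ingress", "Egress"],
            "ingress": rules["ingress"],
            "egress": rules["egress"],
        },
    }


if __name__ == "__main__":
    ns, pod = WORKLOAD["namespace"], WORKLOAD["pod"]
    profile = seccomp_profile(SYSCALL_EVENTS, ns, pod)
    print(json.dumps(profile, indent=2))
    print(json.dumps(network_policy(NETWORK_EVENTS, ns, pod), indent=2))
    # A later capture of a new release: flag the delta, do not auto-merge it.
    later = SYSCALL_EVENTS + [syscall_event("ptrace"), syscall_event("read")]
    print("needs review:", blocked_by_profile(profile, later, ns, pod))
```

Both outputs are plain dictionaries that serialise to JSON, which kubectl accepts as-is for the NetworkPolicy and which is the native format of a seccomp profile. The consolidation key is the canonical JSON of the peer selector, so the two 8080 flows and the 9090 flow to the backend produce one rule with two ports; the `blocked_by_profile` delta is the piece a reviewer should look at before a regenerated profile replaces the old one.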

Materials:
