Authors: V Körbes, Christian Schlotter
2023-04-21

tldr - powered by Generative AI

The presentation discusses the challenges of implementing Pod Security Admission in real-world scenarios and provides solutions to address them.
  • Pod Security Admission is a security feature that replaces pod security policies.
  • The main challenge with implementing Pod Security Admission is that workloads often require privileges to run, which defeats the purpose of the feature.
  • To address this, the speaker suggests breaking down services into separate component parts and locking down everything else.
  • The principle of least privilege does not mean zero privilege: a node holding minimal value can be used to accommodate the privileges that could otherwise be exploited.
  • The presentation provides an overview of the challenges and pitfalls of implementing Pod Security Admission and offers guidelines for developing applications that run under PSA.

Authors: Thijs Ebbers, Diana Iordan
2023-04-19

In this talk we'll start out with a bit of Dutch folklore (Hey, we're in Amsterdam :-)), we'll explain what is wrong with typical "Least Privilege" & "Zero Trust" implementations and ask the confronting question: "Are we playing for a Draw or are we playing to Win against our IT security adversaries...?" Next we'll use some "classical" laws of war/diplomacy, biology/business and engineering to develop a modern IT architecture suitable for today's challenges. This architecture is based on desired state infrastructure, built using CI/CD and Infra/Policy-as-code. It stores its data in Data Services. It uses Events, Observability and IAM to operate securely. (In summary: we cover quite a lot of the CNCF landscape...) We'll explain this architecture and show different views of this architecture for:
- Architects/Developers/Engineers
- C-level Managers
- CISO/Auditors
And answer some questions like:
- Can it be built? (spoiler: Yes, ING is running it today, details in previous talks we gave at OpenShift Commons Detroit & San Diego)
- My workloads won't fit
- We're not a bank, we cannot afford this
- Doesn't this collide with current views/implementations of established entities in the security (/compliance) industry?
To conclude, we'll answer any other questions the audience asks.