The presentation discusses the importance of secure identity assertion in Kubernetes clusters and presents a workaround using X.509 client certificates.
- Impersonation proxies in Kubernetes have had critical CVEs in the past
- Using the standard library instead of Kubernetes for critical code is safer
- X.509 client certificates are a secure way to assert identity in Kubernetes
- Pinniped provides a workaround for revoking certificates using the cluster signing key