Authors: Lukonde Mwila
2023-04-19

tldr - powered by Generative AI

The presentation discusses the importance of a secure secret strategy in Kubernetes and highlights the weaknesses in how secrets are stored, shared, and consumed in Kubernetes.
  • The best-kept secrets are the ones we've never heard of or told others about
  • A secure secret strategy in Kubernetes depends on answering where the secret is kept, who needs to know it, how it gets shared, and how it is kept from being easily read (a base64-encoded Secret object is encoded, not encrypted)
  • The weaknesses in how Kubernetes secrets are stored, shared, and consumed are well known, which makes them more likely to be exploited
  • The presentation walks through a real-world project's Kubernetes secret strategy against these questions and shows how to build a framework for a secure secret lifecycle in Kubernetes environments
  • The presentation includes a demo using External Secrets Operator (ESO), Argo CD, and OPA Gatekeeper
Authors: Josh Van Leeuwen, Thomas Meadows
2023-04-19

tldr - powered by Generative AI

The presentation discusses the Secure Production Identity Framework for Everyone (SPIFFE) and how it can be used with cert-manager to deliver SPIFFE-compliant certificates to pods, with each certificate tied to an attested workload identity.
  • SPIFFE is an open-source framework that defines a standard for workload (machine) identity: each workload is named by a SPIFFE ID of the form spiffe://<trust-domain>/<path>.
  • SPIFFE identity documents (SVIDs) come in two formats, X.509-SVID and JWT-SVID, and a workload can verify the SVIDs presented by other workloads against its trust bundle.
  • SPIFFE has an emerging ecosystem of plugins to integrate with other tools and services.
  • cert-manager's csi-driver-spiffe delivers SPIFFE-compliant certificates to pods through cert-manager, with the SPIFFE ID derived from the pod's attested identity (its namespace and service account).
  • CSI (Container Storage Interface) is the standard interface through which storage drivers expose volumes to Kubernetes; csi-driver-spiffe uses it to mount the certificate and key into the pod as an ephemeral volume.
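Whatever delivers the SVID, the receiving workload still has to parse the peer's SPIFFE ID and decide whether that identity is allowed in. The following is an added example, not code from the talk, from cert-manager or from the SPIFFE projects: a small SPIFFE ID parser that enforces the syntax rules of the SPIFFE-ID specification as the author reads them (character sets and length limit are assumptions to check against the spec), a builder for the spiffe://<trust-domain>/ns/<namespace>/sa/<service-account> shape that csi-driver-spiffe issues, and a trust-domain plus path-prefix authorization check. All IDs are constructed.

```python
"""Parse and check SPIFFE IDs (spiffe://<trust-domain>/<path>) from an SVID.

Added example, not code from the talk, cert-manager or the SPIFFE projects.
The syntax rules follow the SPIFFE-ID specification as the author reads it
(treat the character sets and the length limit as assumptions); all IDs used
here are constructed.
"""
import re
from dataclasses import dataclass

MAX_ID_LEN = 2048
# Trust domain: lowercase letters, digits, '.', '-', '_' only.
# ':' and '@' are not in the set, so a port or userinfo can never pass.
_TRUST_DOMAIN = re.compile(r"[a-z0-9._-]+")
# Path segment: letters, digits, '.', '-', '_' only; '?', '#', '%' are rejected.
_SEGMENT = re.compile(r"[A-Za-z0-9._-]+")


class SpiffeIDError(ValueError):
    """Raised for any ID that does not conform to the SPIFFE-ID syntax."""


@dataclass(frozen=True)
class SpiffeID:
    trust_domain: str
    path: str  # "" for a trust-domain ID, otherwise "/seg1/seg2/..."

    def __str__(self) -> str:
        return f"spiffe://{self.trust_domain}{self.path}"


def parse_spiffe_id(raw: str) -> SpiffeID:
    if len(raw) > MAX_ID_LEN:
        raise SpiffeIDError("SPIFFE ID exceeds the maximum length")
    if not raw.startswith("spiffe://"):  # scheme is the lowercase literal 'spiffe'
        raise SpiffeIDError("scheme must be spiffe://")
    rest = raw[len("spiffe://"):]
    trust_domain, slash, path = rest.partition("/")
    if not _TRUST_DOMAIN.fullmatch(trust_domain):
        raise SpiffeIDError(f"invalid trust domain {trust_domain!r}")
    if slash:
        # Empty segments ('a//b', a trailing '/') and dot segments are rejected.
        for seg in path.split("/"):
            if seg in ("", ".", "..") or not _SEGMENT.fullmatch(seg):
                raise SpiffeIDError(f"invalid path segment {seg!r}")
        path = "/" + path
    return SpiffeID(trust_domain, path)


def is_valid_spiffe_id(raw: str) -> bool:
    try:
        parse_spiffe_id(raw)
        return True
    except SpiffeIDError:
        return False


def kubernetes_workload_id(trust_domain: str, namespace: str, service_account: str) -> str:
    """ID shape csi-driver-spiffe issues for a pod: spiffe://<td>/ns/<ns>/sa/<sa>."""
    return str(parse_spiffe_id(f"spiffe://{trust_domain}/ns/{namespace}/sa/{service_account}"))


def peer_allowed(peer_id: str, my_trust_domain: str, allowed_prefixes) -> bool:
    """Authorization check a workload runs on a peer's SVID after TLS has verified it.

    Accept only IDs from our own trust domain whose path equals, or sits under,
    one of the allowed prefixes; a foreign trust domain needs explicit federation.
    """
    try:
        sid = parse_spiffe_id(peer_id)
    except SpiffeIDError:
        return False
    if sid.trust_domain != my_trust_domain:
        return False
    return any(sid.path == p or sid.path.startswith(p.rstrip("/") + "/")
               for p in allowed_prefixes)


if __name__ == "__main__":
    wid = kubernetes_workload_id("example.org", "payments", "api")
    print(wid, peer_allowed(wid, "example.org", ["/ns/payments/sa/"]))
```

The prefix check deliberately appends a trailing slash before comparing, so an allow-list entry for `/ns/payments` does not also admit `/ns/payments-evil/...`; matching on raw string prefixes is a common mistake in SPIFFE-based authorization.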
Authors: Skip Hovsmith
2023-02-16

tldr - powered by Generative AI

The speaker proposes an architecture for securing applications by moving all secrets out of the app and into the cloud, keeping the security functionality inside the app to a minimum, and delegating security decisions to an outside entity.
  • Observing the app and collecting measurements from it is the foundation of the approach
  • Secrets should not be hard-coded into the application, where they can be extracted
  • Minimizing security functionality in the app keeps the attack surface inside the app small
  • Delegating security decisions to an outside entity is more secure, since an attacker who controls the app cannot tamper with a decision that is made elsewhere
  • The proposed architecture has an app authentication service that makes the security decisions and returns a JWT to the app
  • The SDK installed in the app only contains measurement capabilities, not decision logic or secrets
  • The JWT is attached to the app's network calls so the backend can authenticate the app
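To make the division of responsibilities concrete, here is an added example of the flow the summary describes; it is not the speaker's design and not any vendor SDK. The app-side SDK only collects measurements, the attestation service holds the known-good values and makes the pass/fail decision, the app attaches the returned JWT to its calls, and the API backend verifies the token before serving. Assumptions: HS256 with a key shared between attestation service and API (a public-key signature would work equally well), a hypothetical `X-App-Token` header name, and constructed app hashes and measurement values.

```python
"""App attestation with the decision outside the app: the SDK measures, an
attestation service decides and mints a JWT, the app attaches it to API calls,
and the API backend verifies it.

Added example, not the speaker's architecture or any vendor SDK. Assumptions:
HS256 with a key shared by attestation service and API; a hypothetical
'X-App-Token' header; constructed known-good app hashes and measurements.
"""
import base64
import hashlib
import hmac
import json

SHARED_KEY = b"constructed-key-shared-by-attestation-service-and-api"  # constructed
KNOWN_GOOD_APP_HASHES = {"sha256:c0ffee01", "sha256:c0ffee02"}          # constructed


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _json_bytes(obj) -> bytes:
    return json.dumps(obj, separators=(",", ":"), sort_keys=True).encode()


# --- in the app: the SDK measures, it does not decide -----------------------
def collect_measurements(app_hash: str, debugger_attached: bool, rooted: bool) -> dict:
    return {"app_hash": app_hash, "debugger_attached": debugger_attached, "rooted": rooted}


# --- attestation service: the only place the security decision lives --------
def attestation_decision(m: dict) -> bool:
    return (m.get("app_hash") in KNOWN_GOOD_APP_HASHES
            and not m.get("debugger_attached") and not m.get("rooted"))


def mint_token(key: bytes, app_id: str, audience: str, ttl_s: int, now: int) -> str:
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"sub": app_id, "aud": audience, "iat": now, "exp": now + ttl_s}
    signing_input = _b64url(_json_bytes(header)) + "." + _b64url(_json_bytes(claims))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def attest(key: bytes, app_id: str, audience: str, measurements: dict, now: int, ttl_s: int = 300):
    """Return a token when the measurements pass, otherwise None (nothing leaves the service)."""
    if not attestation_decision(measurements):
        return None
    return mint_token(key, app_id, audience, ttl_s, now)


# --- in the app: attach the token to every networking call ------------------
def attach_token(headers: dict, token: str) -> dict:
    return {**headers, "X-App-Token": token}


# --- API backend: verify before serving --------------------------------------
def verify_token(key: bytes, token: str, audience: str, now: int):
    """Return the claims on success, None on any failure (malformed, bad sig, wrong aud, expired)."""
    try:
        h, c, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        if header.get("alg") != "HS256":  # pin the algorithm; never trust 'alg' from the token
            return None
        expected = hmac.new(key, f"{h}.{c}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s)):  # constant-time compare
            return None
        claims = json.loads(_b64url_decode(c))
    except (ValueError, AttributeError):  # covers base64, JSON and split errors
        return None
    if claims.get("aud") != audience:
        return None
    exp = claims.get("exp")
    if not isinstance(exp, int) or now >= exp:
        return None
    return claims


if __name__ == "__main__":
    good = collect_measurements("sha256:c0ffee01", False, False)
    tok = attest(SHARED_KEY, "com.example.app", "https://api.example.com", good, now=1_700_000_000)
    print(attach_token({"Accept": "application/json"}, tok))
    print(verify_token(SHARED_KEY, tok, "https://api.example.com", now=1_700_000_100))
```

Two details carry most of the security value: the app never sees the key or the known-good hashes, so reverse engineering the SDK yields only the measurement code, and the backend pins the algorithm and uses a constant-time comparison rather than trusting the token's own header.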
Authors: Rahul Arvind Jadhav
2022-10-25

For Kubernetes, the basic unit of execution is a pod. All the binaries in all the containers of a pod have equal access to its volume mount points, and thus direct access to the service account tokens and Kubernetes secrets the pod mounts. Almost all Kubernetes attacks leverage this fact: the only thing an attacker has to do is get a binary running inside the pod, using a known or unknown vulnerability in any of the binaries within any of the containers. Once a malicious binary is running, it has unrestricted access to the secrets at the predefined mount points (we are making it so easy for the attacker!). Typically only a few binaries within the pod actually need the tokens/secrets, so access should be restricted to that list of processes/binaries, and an automated framework should derive the list. This is easier said than done, since the app is updated every few weeks, i.e., the security posture changes with every app update. The session aims to highlight runtime security risks inherent to the Kubernetes design and possible solutions to alleviate some of these concerns. Rahul is a developer/maintainer of KubeArmor (a runtime security engine).
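The "derive the list automatically" step above is where most of the practical difficulty sits, so here is an added example of it; this is not KubeArmor's own code. It takes file-access audit records for a namespace, keeps only accesses under the service-account mount directory, groups the reading binaries per workload, flags generic tools (curl, shells) that should not be allow-listed just because they were observed during the learning window, emits an allow-list policy object, and reports drift against a previous baseline so the list can be regenerated after each release. The records are constructed, their field names are assumed to mirror KubeArmor's JSON alerts, and the emitted object follows the KubeArmorPolicy shape (file.matchDirectories with fromSource, action Allow) as the author understands it; check it against the project's documentation before use, including the namespace's default file posture, since an Allow rule only restricts other processes when the posture is set to block.

```python
"""Derive which binaries in a workload actually read the service-account token,
flag ones that need human review, emit an allow-list policy, and detect drift.

Added example, not KubeArmor's own code. The alert records are constructed and
their field names (NamespaceName, Labels, Source, Resource, Operation) are
assumed to mirror KubeArmor's JSON alerts; the emitted object follows the
KubeArmorPolicy shape as the author understands it (an assumption to verify).
"""
import json
from collections import defaultdict

SA_TOKEN_DIRS = ("/run/secrets/kubernetes.io/serviceaccount/",
                 "/var/run/secrets/kubernetes.io/serviceaccount/")
# Generic tools that appear in learning windows but should never be allow-listed blindly.
GENERIC_TOOLS = {"/usr/bin/curl", "/usr/bin/wget", "/bin/sh", "/bin/bash", "/bin/busybox"}

# Constructed file-access audit records for two workloads in namespace 'shop'.
SAMPLE_ALERTS = [json.loads(line) for line in """
{"NamespaceName":"shop","Labels":"app=api","PodName":"api-7f9d5-x1","Operation":"File","Source":"/usr/local/bin/api --port 8080","Resource":"/run/secrets/kubernetes.io/serviceaccount/token","Result":"Passed"}
{"NamespaceName":"shop","Labels":"app=api","PodName":"api-7f9d5-x1","Operation":"File","Source":"/usr/local/bin/api --port 8080","Resource":"/run/secrets/kubernetes.io/serviceaccount/ca.crt","Result":"Passed"}
{"NamespaceName":"shop","Labels":"app=api","PodName":"api-7f9d5-x1","Operation":"File","Source":"/bin/busybox cat /etc/hostname","Resource":"/etc/hostname","Result":"Passed"}
{"NamespaceName":"shop","Labels":"app=api","PodName":"api-7f9d5-y2","Operation":"File","Source":"/usr/bin/curl -s https://10.96.0.1/api","Resource":"/var/run/secrets/kubernetes.io/serviceaccount/token","Result":"Passed"}
{"NamespaceName":"shop","Labels":"app=worker,tier=batch","PodName":"worker-5c8-a","Operation":"File","Source":"/usr/bin/python3 /app/worker.py","Resource":"/run/secrets/kubernetes.io/serviceaccount/token","Result":"Passed"}
{"NamespaceName":"shop","Labels":"app=worker,tier=batch","PodName":"worker-5c8-a","Operation":"Process","Source":"/bin/sh","Resource":"/usr/bin/python3","Result":"Passed"}
""".strip().splitlines()]


def executable(source: str) -> str:
    """The Source field carries the command line; keep only the binary path."""
    return source.split(" ", 1)[0]


def sa_token_readers(alerts) -> dict:
    """Map (namespace, labels) -> set of binaries that touched the SA mount dir."""
    readers = defaultdict(set)
    for a in alerts:
        if a.get("Operation") != "File":
            continue
        if not a.get("Resource", "").startswith(SA_TOKEN_DIRS):
            continue
        readers[(a["NamespaceName"], a["Labels"])].add(executable(a["Source"]))
    return dict(readers)


def needs_review(binaries) -> set:
    """Observed readers that a human must confirm before they go into the allow-list."""
    return set(binaries) & GENERIC_TOOLS


def allow_policy(namespace: str, labels: str, binaries, name: str) -> dict:
    """Allow the SA mount dir only from the listed binaries (KubeArmorPolicy shape, assumed)."""
    match_labels = dict(kv.split("=", 1) for kv in labels.split(","))
    return {
        "apiVersion": "security.kubearmor.com/v1",
        "kind": "KubeArmorPolicy",
        "metadata": {"name": name, "namespace": namespace},
        "spec": {
            "selector": {"matchLabels": match_labels},
            "file": {"matchDirectories": [
                {"dir": d, "recursive": True,
                 "fromSource": [{"path": b} for b in sorted(binaries)]}
                for d in SA_TOKEN_DIRS]},
            "action": "Allow",
        },
    }


def unexpected_readers(alerts, baseline: dict) -> dict:
    """Drift check after a release: readers seen now that the baseline did not contain."""
    drift = {}
    for key, seen in sa_token_readers(alerts).items():
        new = seen - baseline.get(key, set())
        if new:
            drift[key] = new
    return drift


if __name__ == "__main__":
    for (ns, labels), bins in sa_token_readers(SAMPLE_ALERTS).items():
        print(ns, labels, sorted(bins), "review:", sorted(needs_review(bins)))
        print(json.dumps(allow_policy(ns, labels, bins - needs_review(bins), f"allow-sa-{labels.split('=')[1].split(',')[0]}"), indent=1))
```

Note what the sample shows: curl read the token from one replica of the api workload during the learning window. A naive framework would allow-list it; the review step exists precisely so that a generic tool does not become a permanent, policy-blessed way to read the token.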
Authors: Brad Geesaman, Ian Coldwater
2021-10-13

tldr - powered by Generative AI

The presentation discusses security weaknesses in Kubernetes and how to defend against them.
  • Services with externalIPs are powerful and can be abused to intercept cluster traffic, so admission control policies should block or restrict them
  • DNS can be used as a command-and-control channel, so even with strict network policies (which usually still have to allow DNS egress) it is important to monitor DNS traffic
  • Validating admission webhooks are themselves an attack target
  • To secure Kubernetes, it is important to understand how it actually works rather than assume its behavior
  • Resources and links are provided for further reading and viewing
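The DNS point deserves a worked check, because a pod whose egress is limited to the cluster resolver can still move data out one query at a time. The following is an added example, not material from the talk: a detector run over resolver log lines in CoreDNS's log-plugin format. It groups queries per client and registered domain and flags a domain when one client asks for many unique, long subdomains under it (the tunnelling/exfil pattern), when those leftmost labels have high entropy, or when the volume of TXT queries is unusual. The log lines are constructed, the thresholds are starting values rather than a standard, and "registered domain" is simplified to the last two labels.

```python
"""Flag DNS names that look like a C2/tunnel channel in resolver logs.

Added example, not from the talk. Log lines are constructed in the format of
CoreDNS's log plugin (client:port - id "QTYPE IN qname ..." rcode ...); the
thresholds are the author's starting values, and 'registered domain' is
simplified to the last two labels.
"""
import hashlib
import math
import re
from collections import defaultdict

LOG_RE = re.compile(r'^\[INFO\] (?P<client>[\d.]+):\d+ - \d+ "(?P<qtype>[A-Z]+) IN (?P<qname>\S+) ')


def _tunnel_names(n):
    """Constructed: long pseudo-random leftmost labels, as a DNS tunnel would emit."""
    return [hashlib.sha256(f"chunk{i}".encode()).hexdigest()[:48] + ".t.exfil-example.net."
            for i in range(n)]


SAMPLE_LOG = [  # constructed
    '[INFO] 10.244.1.5:41000 - 1 "A IN kubernetes.default.svc.cluster.local. udp 54 false 512" NOERROR qr,aa,rd 70 0.0001s',
    '[INFO] 10.244.1.5:41001 - 2 "A IN api.shop.svc.cluster.local. udp 44 false 512" NOERROR qr,aa,rd 60 0.0001s',
    '[INFO] 10.244.1.5:41002 - 3 "A IN api.github.com. udp 32 false 512" NOERROR qr,rd,ra 80 0.0120s',
    '[INFO] 10.244.1.5:41003 - 4 "AAAA IN api.github.com. udp 32 false 512" NOERROR qr,rd,ra 80 0.0110s',
] + [f'[INFO] 10.244.1.5:{41010 + i} - {10 + i} "TXT IN {q} udp 90 false 512" NOERROR qr,rd,ra 120 0.0400s'
     for i, q in enumerate(_tunnel_names(8))]


def shannon_entropy(s: str) -> float:
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def parse_line(line: str):
    """Return (client, qtype, qname, registered_domain, leftmost_prefix) or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    qname = m["qname"].rstrip(".").lower()
    labels = qname.split(".")
    return m["client"], m["qtype"], qname, ".".join(labels[-2:]), ".".join(labels[:-2])


def score_domains(lines, min_unique=5, min_prefix_len=20, min_entropy=3.5, min_txt=5) -> dict:
    """Per (client, registered domain): stats plus the reasons it was flagged, if any."""
    per = defaultdict(lambda: {"qnames": set(), "prefix_len": [], "entropy": [], "txt": 0})
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        client, qtype, qname, base, prefix = parsed
        d = per[(client, base)]
        d["qnames"].add(qname)
        flat = prefix.replace(".", "")
        d["prefix_len"].append(len(flat))
        d["entropy"].append(shannon_entropy(flat))
        if qtype == "TXT":
            d["txt"] += 1
    findings = {}
    for key, d in per.items():
        n = len(d["qnames"])
        mean_len = sum(d["prefix_len"]) / len(d["prefix_len"])
        mean_ent = sum(d["entropy"]) / len(d["entropy"])
        reasons = []
        if n >= min_unique and mean_len >= min_prefix_len:
            reasons.append("many long unique subdomains")
        if mean_ent >= min_entropy and mean_len >= min_prefix_len:
            reasons.append("high-entropy labels")
        if d["txt"] >= min_txt:
            reasons.append("TXT-heavy")
        if reasons:
            findings[key] = {"unique": n, "mean_prefix_len": round(mean_len, 1),
                             "mean_entropy": round(mean_ent, 2), "txt": d["txt"], "reasons": reasons}
    return findings


if __name__ == "__main__":
    for key, f in score_domains(SAMPLE_LOG).items():
        print(key, f)
```

The entropy rule is gated on label length on purpose: short legitimate hostnames such as `kubernetes.default.svc` already score above 3.5 bits per character, so entropy alone produces noise. In a real cluster, tune the thresholds against a week of the resolver's own logs before alerting on them.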
Authors: Jacob Wernette, Josh Kayani
2021-10-13

tldr - powered by Generative AI

Managing secrets the GitOps way with argocd-vault-plugin
  • Background on managing microservices with Kubernetes
  • Challenges in managing resources and keeping them observable
  • Solution: GitOps for managing resources and secrets
  • Introduction to argocd-vault-plugin, which resolves placeholders in manifests to values from a secrets manager at render time, so no secret values are committed to Git
  • Benefits of using argocd-vault-plugin for secret management
  • Anecdote: challenges with manual management of resources and secrets