Authors: Ben Hirschberg
2023-02-16

tldr - powered by Generative AI

The presentation discusses the state of Kubernetes risk, compliance, and security vulnerabilities based on the analysis of telemetry data from Kubescape, an open source tool that has scanned over 10K+ unique Kubernetes clusters. The talk sheds light on the most common misconfigurations, known software vulnerabilities, and RBAC violations in Kubernetes deployments, and provides insights on why and where Kubernetes deployments most commonly fail and statistics on which controls fail most. The presentation also offers simple measures to work towards eliminating these risks and improving overall cloud native security posture.
  • Telemetry data from Kubescape reveals a high number of misconfigurations, unpatched vulnerabilities, and overly privileged users in Kubernetes systems
  • The talk highlights the most common misconfigurations across Kubernetes deployments according to multiple frameworks, known software vulnerabilities, and RBAC violations at early stages of the CI/CD pipeline
  • The presentation provides insights on why and where Kubernetes deployments most commonly fail and statistics on which controls fail most
  • Simple measures are offered to work towards eliminating these risks and improving overall cloud native security posture
Authors: Jimmy Mesta
2022-10-25

tldr - powered by Generative AI

The OWASP Top Ten for Kubernetes is a community-curated list of the most common Kubernetes risks, backed by data collected from organizations varying in maturity and complexity. The project aims to help practitioners assess and improve the security of their containerized infrastructure.
  • The OWASP community has published a number of projects to help practitioners assess and improve the security of their containerized infrastructure
  • The OWASP Top Ten for Kubernetes is a community-curated list of the most common Kubernetes risks
  • The project is backed by data collected from organizations varying in maturity and complexity
  • The project aims to help practitioners assess and improve the security of their containerized infrastructure
Authors: Steve Wade
2022-10-25

tldr - powered by Generative AI

The presentation discusses the importance of asset inventory in Kubernetes clusters and highlights the need to stay updated with CVEs and API specifications. It also emphasizes the significance of networking and security in managed providers like EKS, GKE, and AKS.
  • Asset inventory is crucial in Kubernetes clusters to identify running applications and stay updated with CVEs and API specifications.
  • Managed providers like EKS, GKE, and AKS have limits and boundaries that need to be considered, especially in terms of networking and security.
  • Staying ahead of the curve of application developers is important for platform engineers responsible for Kubernetes clusters.
  • Links to official Kubernetes CVE streams are provided for reference.
Authors: Tracy P Holmes, Raymond de Jong
2022-10-25

tldr - powered by Generative AI

The presentation discusses how to enforce network policies using Cilium and Kubernetes to ensure least privilege security between microservices.
  • Cilium and Kubernetes can be used to enforce network policies for microservices
  • Least privilege security can be achieved by filtering HTTP requests and restricting API access
  • L7 security policies can restrict access to required API resources
  • The Cilium website provides resources and a helpful Slack community for beginners and contributors
Authors: Yuji Watanabe, Jayashree Ramanathan
2022-10-25

tldr - powered by Generative AI

The presentation discusses the importance of policy-based governance in protecting the integrity of Ansible playbooks and ensuring a consistent approach to managing clusters. The approach involves representing best practices as policies, managing them like source code, and deploying them using GitHub's methodology. The benefits include reduced operational costs, continuous security and audit readiness, and efficient day-to-day collaboration among various personas. The presentation also highlights the Kubernetes Policy Workgroup's white paper on policy management and the Open Cluster Management CNCF Sandbox project that enables the policy-based governance approach.
  • Policy-based governance is crucial in protecting the integrity of Ansible playbooks and ensuring a consistent approach to managing clusters
  • Best practices can be represented as policies, managed like source code, and deployed using GitHub's methodology
  • Benefits include reduced operational costs, continuous security and audit readiness, and efficient day-to-day collaboration among various personas
  • The Kubernetes Policy Workgroup's white paper on policy management and the Open Cluster Management CNCF Sandbox project enable the policy-based governance approach
Authors: Rahul Arvind Jadhav
2022-10-25

For Kubernetes, the basic unit of execution is a pod. All the binaries in all the containers have equal access to the volume mount points and thus have direct access to the service account tokens and k8s secrets that the pod mounts. Almost all Kubernetes attacks exploit/leverage this fact. The only thing an attacker has to ensure is to inject a binary into the pod using a known/unknown vulnerability in any of the binaries within any of the containers. Once the attacker injects a malicious binary, it has unrestricted access to the secrets at predefined volume mount points (we are making it so easy for the attacker!). Typically only a few binaries within the pod need access to the tokens/secrets. The access should be restricted to such a list of processes/binaries, and an automated framework should derive this list. This is easier said than done, taking into consideration that the app is updated every few weeks, i.e., the security posture changes with the app updates. The session aims to highlight runtime security risks that are inherent to k8s design and possible solutions to alleviate some of these concerns. Rahul is a dev/maintainer of KubeArmor (runtime security engine).
Authors: Mohan Atreya
2022-10-24

tldr - powered by Generative AI

The presentation discusses the challenges of managing RBACs and access control in Kubernetes at scale and introduces an open-source project called Periscope to automate the process.
  • Managing RBACs and access control in Kubernetes at scale is a challenge for organizations with hundreds of clusters and developers.
  • Manual management of RBACs is impractical and requires automation to ensure the right people have access to the right things.
  • Periscope is an open-source project that automates RBAC management and access control in Kubernetes.
  • Periscope allows for secure access to clusters behind a firewall and dynamically injects RBACs just in time.
  • Periscope also provides strong authentication for all user access and allows for governance and compliance by tracking commands run against clusters.
Authors: Michael Foster
2022-10-24

tldr - powered by Generative AI

The MP Guard project proposes a flexible workflow for DevSec organizations to simplify the experience of creating and maintaining Kubernetes Network policies. The project aims to automate the generation of policies and integrate them into the application's CI/CD pipeline, ensuring that policies get updated whenever required cluster connectivity changes. The proposed network activity is presented to the DevOps team for review, and changes can be automatically updated. The resulting Kubernetes network policies become part of the GitOps process to provision Kubernetes clusters, helping organizations cross the Kubernetes network policy chasm.
  • Identifying the right networking requirements of individual workloads is challenging, and operationalizing the task across Dev, Sec, and Ops is not trivial.
  • The MP Guard project proposes a flexible workflow for DevSec organizations to simplify the experience of creating and maintaining Kubernetes Network policies.
  • The project aims to automate the generation of policies and integrate them into the application's CI/CD pipeline, ensuring that policies get updated whenever required cluster connectivity changes.
  • The proposed network activity is presented to the DevOps team for review, and changes can be automatically updated.
  • The resulting Kubernetes network policies become part of the GitOps process to provision Kubernetes clusters, helping organizations cross the Kubernetes network policy chasm.
Authors: Ariel Shuper
2022-06-22

tldr - powered by Generative AI

The need for a deeper Kubernetes risk assessment framework beyond the current CIS benchmarks
  • The current common Kubernetes risk assessment framework is based on the CIS benchmarks for Kubernetes
  • The framework only covers security misconfigurations and doesn't go deeper than the security configurations of the various elements
  • Real attacks can start by multiple elements expanding beyond security misconfigurations
  • There is a need for an additional risk-assessment framework that can go deeper than the Kubernetes configurations, verifying that all other attack methods, steps, and stages are covered
  • MITRE has crafted an ATT&CK matrix for containers/Kubernetes, which consists of tactics and techniques used in real attacks
Authors: Magno Logan
2021-09-24

tldr - powered by Generative AI

The presentation discusses different attack scenarios on Kubernetes clusters and provides best practices for securing them.
  • Overview of Kubernetes architecture and components
  • Using K8s Threat Matrix and MITRE ATT&CK for Containers to demonstrate attack phases
  • Best practices for securing Kubernetes clusters
  • Anecdote about a vulnerable Drupal web application used for modeling attacks