tldr - powered by Generative AI

• Telemetry data from Kubescape reveals a high number of misconfigurations, unpatched vulnerabilities, and overly-privileged users in Kubernetes systems
• The talk highlights the most common misconfigurations across Kubernetes deployments according to multiple frameworks, known software vulnerabilities, and RBAC violations at early stages of the CI/CD pipeline
• The presentation provides insights on why and where Kubernetes deployments mostly commonly fail and statistics on which controls fail most
• Simple measures are offered to work towards eliminating these risks and improving overall cloud native security posture

tldr - powered by Generative AI

• The OWASP community has published a number of projects to help practitioners assess and secure the security of their containerized infrastructure
• The OWASP Top Ten for Kubernetes is a community-curated list of the most common Kubernetes risks
• The project is backed by data collected from organizations varying in maturity and complexity
• The project aims to help practitioners assess and secure the security of their containerized infrastructure

tldr - powered by Generative AI

• Asset inventory is crucial in Kubernetes clusters to identify running applications and stay updated with CVEs and API specifications.
• Managed providers like EKS, GKE, and AKS have limits and boundaries that need to be considered, especially in terms of networking and security.
• Staying ahead of the curve of application developers is important for platform engineers responsible for Kubernetes clusters.
• Links to official Kubernetes CVE streams are provided for reference.

tldr - powered by Generative AI

• Psyllium and Kubernetes can be used to enforce network policies for microservices
• Least privilege security can be achieved by filtering HTTP requests and restricting API access
• L7 security policies can restrict access to required API resources
• Psyllium website provides resources and a helpful Slack community for beginners and contributors

tldr - powered by Generative AI

• Policy-based governance is crucial in protecting the integrity of Ansible playbooks and ensuring a consistent approach to managing clusters
• Best practices can be represented as policies, managed like source code, and deployed using GitHub's methodology
• Benefits include reduced operational costs, continuous security and audit readiness, and efficient day-to-day collaboration among various personas
• The Kubernetes Policy Workgroup's white paper on policy management and the Open Cluster Management CNCF Sandbox project enable the policy-based governance approach

tldr - powered by Generative AI

• Managing RBACs and access control in Kubernetes at scale is a challenge for organizations with hundreds of clusters and developers.
• Manual management of RBACs is impractical and requires automation to ensure the right people have access to the right things.
• Periscope is an open-source project that automates RBAC management and access control in Kubernetes.
• Periscope allows for secure access to clusters behind a firewall and dynamically injects RBACs just in time.
• Periscope also provides strong authentication for all user access and allows for governance and compliance by tracking commands run against clusters.

tldr - powered by Generative AI

• Identifying the right networking requirements of individual workloads is challenging, and operationalizing the task across Dev, Sec, and Ops is not trivial.
• The MP Guard project proposes a flexible workflow for DevSec organizations to simplify the experience of creating and maintaining Kubernetes Network policies.
• The project aims to automate the generation of policies and integrate them into the application's CI/CD pipeline, ensuring that policies get updated whenever required cluster connectivity changes.
• The proposed network activity is presented to the DevOps team for review, and changes can be automatically updated.
• The resulting Kubernetes network policies become part of the GitOps process to provision Kubernetes clusters, helping organizations cross the Kubernetes network policy chasm.

tldr - powered by Generative AI

• The current common Kubernetes risk assessment framework is based on the CIS benchmarks for Kubernetes
• The framework only covers security misconfigurations and doesn't go deeper than the security configurations of the various elements
• Real attacks can start by multiple elements expanding beyond security misconfigurations
• There is a need for an additional risk-assessment framework that can go deeper than the Kubernetes configurations, verifying that all other attack methods, steps, and stages are covered
• MITRE has crafted an ATT&CK matrix for containers/Kubernetes, which consists of tactics and techniques used in real attacks

tldr - powered by Generative AI

• Overview of Kubernetes architecture and components
• Using K8s Threat Matrix and MITRE ATT&CK for Containers to demonstrate attack phases
• Best practices for securing Kubernetes clusters
• Anecdote about a vulnerable Drupal web application used for modeling attacks