
Policy + Security - KubeCon
Thursday, December 7


Deploying Kubernetes Without Scaring Off Your Security Team [I] - Paul Czarkowski, Pivotal & Major Hayden, Rackspace
subtitle: "The Major Hayden Center For Kubernauts Who Can't Security Good And Wanna Learn To Do Other Stuff Good Too"

One of the larger roadblocks we face in the enterprise when trying to adopt new technologies is getting the security and compliance teams onboard.

Tools like kubicorn and kubeadm are likely the foundation on which Kubernetes deployments will be performed in the future, as they help simplify the deployment and operation of Kubernetes, a very complex distributed system.

However, concerns about security and compliance, which those tools do not yet address, may act as inhibitors and roadblocks to using them, and thus Kubernetes, in the enterprise.

Thankfully, the techniques and tools for deploying Enterprise Linux distributions, securing them, and ensuring compliance already exist and can be very easily combined with Kubernetes.

In this talk we’ll expand upon these enterprise requirements and use cases and show how we can use existing Ansible tooling to deploy Kubernetes on bare metal or in the cloud, monitor it with common enterprise monitoring tools, secure it with a 2FA SSH bastion, and ensure [DISA STIG] compliance.

Paul Czarkowski

Principal Technologist, Pivotal Software
Paul Czarkowski is a recovering Systems Administrator who has run infrastructure for longer than he cares to admit. After cutting his teeth in the ISP and Gaming industries Paul changed his focus to using (and contributing to) Open Source Software to improve the Operability of complex...
Major Hayden

Principal Software Engineer, Red Hat
Major Hayden is a principal software engineer at Red Hat and he is the technical lead for the Continuous Kernel Integration (CKI) project. He spends most of his day wrestling with kernel tests on various architectures using GitLab, Python, and OpenShift. He maintains a technical blog...

Thursday December 7, 2017 11:10am - 11:45am
Meeting Room 12AB, Level 4


Preventing Attacks at Scale [I] - Dino Dai Zovi, Capsule8

Security hardening for containers, clusters, and operating systems is a very important part of setting up infrastructure and is always "Plan A". The world of "Plan A" defends the importance of making sure your cluster is set up securely. Dino comes from the world of "Plan B" and will focus on detecting when security boundaries have been breached. This is necessary for environments where you don't have the ability to ensure that the base OS is fully patched, etc.

Step into the world of Linux kernel features such as seccomp, eBPF, kprobes and Kubernetes tunable security features and learn how to detect and defend against attacks at scale.


Dino Dai Zovi

CTO, Capsule8
Dino Dai Zovi is the Co-Founder and CTO at Capsule8. Dino is also a regular speaker at information security conferences having presented his independent research at conferences around the world including DEF CON, Black Hat, and CanSecWest. He is a co-author of the books "The iOS Hacker's...

Thursday December 7, 2017 11:55am - 12:55pm
Meeting Room 12AB, Level 4


Certifik8s: All You Need to Know About Certificates in Kubernetes [I] - Alexander Brand, Apprenda
Certificates are an integral part of a secure Kubernetes cluster deployment. They are mainly used to secure the Kubernetes API server using TLS, but certificates (and keys) are also used for other cluster functions such as client authentication, encryption of secrets, TLS bootstrapping, and the generation of service account tokens.

Certificates pose interesting challenges to cluster operators. What does the certificate setup look like in an ideal scenario? How long should certificates be valid for? When nearing expiration dates, how can certificates be rotated to ensure the cluster remains operational? These challenges must be understood when it comes to deploying and operating a Kubernetes cluster.

After this talk, you should have a better understanding of:
- How each cluster component uses certificates for secure communications
- How certificates can be used for authentication, including service account tokens
- How the Kubelet TLS bootstrapping process works
- How to plan, generate and deploy the certificates required for a secure cluster
- How to rotate certificates that are nearing their expiration date

Alexander Brand

Senior Systems Analyst, Apprenda
Alex works on the Kismatic Enterprise Toolkit at Apprenda, making the deployment of production Kubernetes clusters easier. He has been involved with Kubernetes and related projects since early 2016. Before Apprenda, Alex attended Queen's University in Canada, where he majored in Biomedical...

Thursday December 7, 2017 2:00pm - 2:35pm
Meeting Room 12AB, Level 4


Vault and Secret Management in Kubernetes [I] - Armon Dadgar, HashiCorp
Secret data is everywhere, from database credentials, TLS certificates, and API tokens to encryption keys. Managing secrets is a difficult challenge, but HashiCorp Vault provides an answer. In this talk, we discuss the challenges in secret management, provide an overview of Vault, and discuss how Vault and Kubernetes can be integrated. Integrating Vault solves the basic secret management challenge of securely distributing credentials, but also gives applications running on Kubernetes access to features like dynamic secrets, which are generated on demand, and cryptographic offload to securely manage data in transit and at rest.

Armon Dadgar

CTO, HashiCorp
Armon (@armon) has a passion for distributed systems and their application to real-world problems. He is a founder and CTO of HashiCorp, where he brings distributed systems into the world of DevOps tooling. He has worked on Nomad, Vault, Terraform, Consul, and Serf at HashiCorp, and...

Thursday December 7, 2017 2:45pm - 3:20pm
Ballroom A, Level 1


Compliance and Identity Management in Kubernetes [I] - Marc Boorshtein, Tremolo Security, Inc.
Compliance with what? That depends on your industry. As k8s continues to expand into regulated enterprises such as government, health care and financials, deployments will need to understand how managing users and their access relates to compliance obligations. This session will focus on how identity management can be approached for solving this issue. How do you onboard users? Authorize their access to a namespace? Offboard them? Is there a need to differentiate between a privileged user and an unprivileged user? I'll go beyond the technical implementation in k8s and tie it to specific compliance requirements in FISMA and demo how solving the compliance issue can also improve the usability and security of your k8s deployment. This talk will follow a similar form to https://www.tremolosecurity.com/openshift-compliance-and-identity-management/ but specifically on k8s.

Marc Boorshtein

CTO, Tremolo Security, Inc.
Marc has nearly fifteen years of identity and access management experience as a software engineer, product developer, and consultant. He is experienced building, deploying, and managing identity systems from most major vendors across numerous industries as well as working with security...

Thursday December 7, 2017 3:50pm - 4:25pm
Meeting Room 12AB, Level 4


Multi-Tenancy Support & Security Modeling with RBAC and Namespaces [I] - Fred Vong & Michael Y. Chen, VMware
As container technologies mature, Kubernetes is clearly gaining momentum with developers as a means to deploy their distributed applications. As more applications and clusters are deployed by more developers, multi-tenancy and isolation become concerns not only for the app developer, but also for the cluster admins. In this talk, we will discuss the various cluster security models available today, and how to use namespaces to provide tenant isolation. We will also demonstrate how to use Kubernetes’ Role Based Access Control (RBAC) feature as a means of enforcing a multi-tenant security model. By assigning roles and role bindings and creating namespaces, we can implement restrictions on resource consumption and provide tenant isolation throughout the cluster. We’ll also demonstrate how the RBAC feature provides granularity of access control that can be adjusted to suit varying requirements, from granting users or groups full access to a cluster to only granting access to specific resources within a namespace. Following the discussion of how to build a security model with namespaces and RBAC, this talk will also feature a live demonstration of RBAC and namespaces in action to illustrate the concepts and show how both admins and developers are affected by the model.

Michael Chen

Senior Manager, VMware

Fred Vong

Staff Engineer, VMware
Fred Vong is passionate about cloud and data center automation technologies. Currently, he is actively working on both OpenStack and container orchestration at VMware. He believes deployment of the whole software stack should be as simple as clicking a button.

Thursday December 7, 2017 4:35pm - 5:10pm
Meeting Room 12AB, Level 4
Friday, December 8


Shipping in Pirate-Infested Waters: Practical Attack and Defense in Kubernetes [A] - Greg Castle & CJ Cullen, Google
Kubernetes has a growing array of security controls available, but knowing where they all fit in, what the highest priorities are, and how it all helps against real attacks is still far from obvious. In this talk we’ll take a vulnerable application, exploit it, install tools, escalate privileges, propagate between containers and gain control of the cluster. At each stage of the attack we’ll demonstrate how proactive steps could have prevented these actions (or at least made them more difficult), from the container build process to writing RBAC/PodSecurity/AppArmor/Network policies, and more. Since configuration of each defence could be the subject of its own deep-dive talk, we’ll mainly focus on the big picture of “what” technologies you’d use to configure your cluster securely and “why”.

Greg Castle

Kubernetes/GKE Security Tech Lead, Google
Greg is the tech lead for the Kubernetes and Google Kubernetes Engine (GKE) security team at Google, and is a regular at SIG-Auth. Greg has 15 years of experience in a number of security roles including product security, penetration testing, incident response, platform hardening...

CJ Cullen

Software Engineer, Google
CJ works on the Google Kubernetes Engine (GKE) Security team. CJ has helped develop the Kubernetes authentication and authorization system, as well as building the cluster deployment and management infrastructure of Google Kubernetes Engine.

Friday December 8, 2017 11:10am - 11:45am
Meeting Room 12AB, Level 4


Enforcing Bespoke Policies in Kubernetes [I] - Torin Sandall, Styra
Kubernetes enables fully-automated, self-service management of large-scale, heterogeneous deployments. These deployments are often managed by distributed engineering teams that have unique requirements for how the platform treats their workloads, but at the same time, they must conform to organization-wide constraints around cost, security, and performance. As Kubernetes matures, extensibility has become a critical feature that organizations can leverage to enforce their own bespoke policies.

In this talk, Torin explains how to use extensibility features in Kubernetes (e.g., External Admission Control) to enforce custom policies over workloads. The talk shows how to build custom admission controllers using Initializers and Webhooks, and shows how the same features lay the groundwork for policy-based control through integration with third party policy engines like the Open Policy Agent project.

Torin Sandall

Software Engineer, Styra
Torin Sandall is a co-founder of the Open Policy Agent (OPA) project. Torin has spent 10 years as a software engineer working on large-scale distributed systems projects. Torin is a frequent speaker at events like KubeCon, DockerCon, Velocity, and more. Prior to working on OPA, Torin...

Friday December 8, 2017 11:55am - 12:30pm
Meeting Room 12AB, Level 4


Hacking and Hardening Kubernetes Clusters by Example [I] - Brad Geesaman, Symantec
While Kubernetes offers new and exciting ways to deploy and scale container-based workloads in production, many organizations may not be aware of the security risks inherent in the out-of-the-box state of most Kubernetes installations and the common practices for deploying workloads that could lead to unintentional compromise. Join Brad Geesaman, the Cyber Skills Development team lead at Symantec, on an eye-opening journey examining real compromises and sensitive data leaks that can occur inside a Kubernetes cluster, highlighting the configurations that allowed them to succeed, applying the latest built-in security features and policies to prevent those attacks, and providing actionable steps for future detection.

The hardening measures taken in response to the attacks demonstrated will include guidelines for improving configurations installed by common deployment tools, securing the sources of containers, implementing firewall and networking plugin policies, isolating workloads with namespaces and labels, controlling container security contexts, better handling of secrets and environment variables, limiting API server access, examining audit logs for malicious attack patterns, and more.

Brad Geesaman

Kubernetes Security Consultant, Darkbit
Brad is an Independent Security Consultant helping clients improve the security of their Kubernetes clusters in cloud-native environments. Although he spent several years as a penetration tester, his real passion is educating others on the security risks inherent in complex infrastructure...

Friday December 8, 2017 2:00pm - 2:35pm
Meeting Room 12AB, Level 4


Securing Shopify's PaaS on GKE [I] - Jonathan Pulsifer, Shopify
Shopify has leveraged Kubernetes through Google Container Engine (GKE) to build its new cloud platform. This PaaS is currently serving the majority of the company's internal tools as well as business-critical production workloads. Moving to Kubernetes and a public cloud is no easy task, especially for a security team.

Unfortunately for us, a hosted solution does not offer all the features we've come to love in Kubernetes including NetworkPolicies, PodSecurityPolicies, and admission controllers among others. Given this, the security team has created a number of Kubernetes controllers and other cloud platform solutions to maintain an effective security posture on our new platform.

In this talk we'll introduce our cloud platform, explore the tools we've created to bridge the security gaps, detail the struggles we've encountered using Google Cloud Platform and GKE, and discuss our growing pains with Kubernetes multi-tenancy. Attendees will gain an understanding of the current state of Kubernetes security controls on GKE, a familiarity with some of the products available on Google Cloud Platform, and insight on how to integrate security controls into their development pipelines.

Jonathan Pulsifer

Infrastructure Security Engineer, Shopify
Jonathan is a Senior Security Engineer at Shopify working on securing their new platform using Kubernetes on GKE. Previously, he was a SANS mentor, network defense instructor, and a team lead at the Canadian Forces Network Operations Centre in Ottawa. Find Jonathan on Twitter @Jo...

Friday December 8, 2017 2:45pm - 3:20pm
Meeting Room 12AB, Level 4


Real Security for Services on Kubernetes [I] - Eric Wang & Yun Zhang, Databricks
We all love the ease-of-use Kubernetes provides to engineers to deploy and manage their services. But before you can start running production code and dealing with customer data, you need to ensure that everyone's favorite features are in place: audit logs and access control. (And the crowd goes wild!)

At Databricks, we know that the best way to do security is to make sure the simplest way to do something is the secure one. In this talk, we introduce a system called Genie which uses time-boxed TLS certificates to authorize engineers to talk to certain namespaces within Kubernetes. Additionally, we will discuss how we extended this framework to allow for continuous deployment/continuous integration without weakening our security story!

Eric Wang

Software Engineer, Databricks
Eric is a software engineer on the Cloud team at Databricks. Before that, he worked at Cisco Meraki, developing core features for the time-series database Little Table. At Databricks, Eric and his colleagues on the Cloud team work on infrastructure to enable engineers to rapidly deliver...

Yun Zhang

Software Engineer, Databricks
Yun is a software engineer on the Cloud team at Databricks. He is experienced in building highly-available cloud infrastructure for data processing engines like Apache Spark and Amazon Redshift.

Friday December 8, 2017 3:40pm - 4:15pm
Meeting Room 12AB, Level 4


Effective RBAC - Jordan Liggitt, Red Hat
The v1 release of role-based access control (RBAC) in Kubernetes 1.8 provides a flexible way to ensure users and applications have proper access to the Kubernetes API. This talk is for administrators who want to secure their clusters, and for anyone who wants their applications to integrate easily in RBAC-enabled environments. This talk will give an overview of the RBAC design and API, explain how to set up an RBAC-enabled cluster, demonstrate applying policies to existing applications, show how to create custom roles to distribute with applications, and answer the question "Can Bob educate dolphins?"


Jordan Liggitt

Principal Software Engineer, Red Hat
Jordan Liggitt is a principal software engineer at Red Hat, and helps lead Kubernetes authentication and authorization efforts.

Friday December 8, 2017 4:25pm - 5:00pm
Meeting Room 12AB, Level 4