Shipping in Pirate-Infested Waters: Practical Attack and Defense in Kubernetes [A]
| Field | Value |
| --- | --- |
| Talk Title | Shipping in Pirate-Infested Waters: Practical Attack and Defense in Kubernetes [A] |
| Speakers | Greg Castle (Kubernetes/GKE Security Tech Lead, Google), CJ Cullen (Software Engineer, Google) |
| Conference | KubeCon + CloudNativeCon North America |
| Conf Tag | |
| Location | Austin, TX, United States |
| Date | Dec 4-8, 2017 |
| URL | Talk Page |
| Slides | Talk Slides |
| Video | |
Kubernetes has a growing array of security controls available, but knowing where they all fit in, what the highest priorities are, and how it all helps against real attacks is still far from obvious. In this talk we’ll take a vulnerable application, exploit it, install tools, escalate privileges, propagate between containers and gain control of the cluster. At each stage of the attack we’ll demonstrate how proactive steps could have prevented these actions (or at least made them more difficult), from the container build process to writing RBAC/PodSecurity/AppArmor/Network policies, and more. Since the configuration of each defence could be the subject of its own deep-dive talk, we’ll mainly focus on the big picture of “what” technologies you’d use to configure your cluster securely and “why”.