Securing Pods via Scheduling - Mitigating Risks from Neighboring Containers
Offered By: Linux Foundation via YouTube
Course Description
Overview
Explore a conference talk that delves into enhancing Kubernetes pod security through innovative scheduling techniques. Learn about the vulnerabilities that can arise from neighboring containers sharing a host kernel and how these can be exploited to compromise security. Discover SySched, a new security-aware pod scheduling scheme for Kubernetes that co-locates pods based on their system call exposure risk. Examine experimental results demonstrating the effectiveness of this approach in reducing the impact of potential kernel attacks. Gain insights into the implementation of the scheduler plugin in Kubernetes and understand how to utilize the Security Profile Operator for generating, storing, and managing pod system call profiles. This presentation offers valuable knowledge for DevOps professionals and security experts looking to bolster container security in Kubernetes environments.
Syllabus
Don’t Trust Your Neighbors: Securing Pods via Scheduling - Michael Le, IBM & Sascha Grunert, Red Hat
Taught by
Linux Foundation