Flying Above the Clouds - Securing Kubernetes

Explore the Kubernetes attack surface and learn methods to secure cloud-native systems in this 53-minute conference talk from AppSecUSA 2018. Dive into the complexities of containerized microservices managed by orchestration systems, focusing on authentication, authorization, network segmentation, storage, and logging/auditing. Discover quick security wins and design-level choices for building resilient architectures. Examine container runtime security, underlying cloud infrastructure considerations, and microservice security. Gain insights into deploying secure services and meshes while maintaining development speed. By the end, understand the cloud-native attack surface and approach to hardening infrastructure and deploying secure services with Kubernetes.

Intro
What is Kubernetes? Open-source system for deploying, scaling and managing containerized apps and services
Isolating Container Workloads, IRL
Container Manifest & Daemon
Spoiler: Containers Aren't Sandboxes
Container Isolation Models Via cgroups & namespaces
Cloud-Native Secure Architecture
Cluster and Namespace Scopes • Resources are scoped at the Cluster or Namespace
Control Plane & Core Components The Control Plane manages the cluster's state and schedules containers.
Authorization Mode
Authentication
Fixing the Problem Always use a unique service account per pod!
Role-Based Access Control
Create Roles & Bindings
Secrets Management
Dynamic Secrets
Conclusion Think about security early and anticipate future growth