Securing Self-Hosted GitHub Actions with Kubernetes and Actions-Runner-Controller

Explore the intricacies of securing self-hosted GitHub Actions using Kubernetes and Actions-Runner-Controller in this comprehensive conference talk. Delve into the challenges and best practices for integrating these technologies securely, with a focus on regulated environments. Learn about typical deployment architectures and discover three critical areas where security risks intersect with usability. Examine cluster settings to limit potential security breaches, review controller settings for proper runner deployment and permission management, and dissect the runner pod to implement supply chain security. Gain valuable insights on topics such as Docker-in-Docker risks, rootless configurations, multi-tenant practices, and secure runner images. Benefit from practical recommendations, examples, and often-overlooked considerations like logging and mount sharing to enhance your GitHub Actions security posture within a Kubernetes environment.

Intro
Where are we headed?
I have a bias!
What's GitHub Actions?
Why self-hosted?
Unique security challenges
types of Actions
3 types of security concerns
2- Do you trust your neighbors?
Docker-in-Docker is risky, but...
Rootless?
Firecracker
Runner with Kubernetes jobs
3- Right-sizing your runners
Controller authorizations
Multi-tenant in practice
Recommendations
Secure runner images
Examples to get started!
You may have forgotten
Logging is easy to overlook
Sharing (mounts) isn't caring!
Building and deploying
Sharing is caring!
in)conclusions
Questions!