This was first published by Carol Valencia on Medium
In August, the KubeCon EU 2020 took place, It was a new experience considered that the event was remote for the first time. The quality and content of the speakers were great, a nice virtual conference to share knowledge and interact with others. There were lots of interesting security-related talks, and I’ve collected them together in this article. But first I’d like to mention some of my favorite keynotes.
KubeCon + CloudNativeCon Europe 2020
The keynote with Priyanka Sharma — general manager of the Cloud Native Computing Foundation (CNCF) presented an overview of a cloud-native community, open collaboration with most of 97,000 contributors representing 177 countries, the largest end-user community, a true challenge of trustworthy governance, safe space for contribution, self-sustaining ecosystem building and using cloud-native tech. Online events will bring attendees from a much richer cross-section of society and in the future will always be a virtual component taking part. Priyanka highlighted the cloud-native community strives to be inclusive and it is possible for everyone to contribute in their own way — “You are as important as equal whatever your role is!”
In the keynote The Beginner’s Guide to the CNCF TOC with Liz Rice, one of the chair in CNCF’s technical oversight committee talked about the role of TOC, these eleven volunteers engineers and technologists with significant expertise in cloud-native software reviewing projects into the foundation and evaluating the maturity level (sandbox, incubation, and graduation), always considering a high quality, velocity, governance, documentation, etc of these projects, together with the challenges to be cloud-native ubiquitous, throughout neutral ownership, open governance, all these concerns with the help of Linux Foundation. Liz shared her personal journey about how she was elected, also commented about the experience of imposter syndrome, and her reaction to this new challenge (chair in TOC), and how she dealt with this concern and push ourselves to achieve more than sometimes we think it’s possible. The CNCF projects represent the best open source tools that our industry has to offer in a real-world experience. If you want to understand more and be involved, watch it!!
In the talk “From Infrastructure Bro to Hacker Chick” by Kris Nóva, she shared her own experience as a transgender engineer in the open-source community, her career, and also the gender transition, personal experience, and feelings. I really loved and identified myself with some thoughts about the difficulties and challenges in IT, dominated mainly by men, and also she commented about toxic culture how quickly it could spare and manipulate the surroundings. An inspiring story with deep thoughts about overcoming, really recommend it to watch it! — “Be yourself could inspire people, give you confidence, and happiness” :) — “Safe environment harbor growth and innovation, and let you grow” — “Inspiring other people are equally important as inspiring yourself so teach others how to grow”.
The trends in Cloud Native Computing innovation is mainly in the platform (Kubernetes, Envoy, Etcd, Linkerd, etc), observability (Prometheus, Fluentd, Jaeger, OpenTracing, etc) and security (OPA, TUF, Notary, Trivy, Kube-hunter, etc).
Therefore, this is my list focus on Security in Containers and Kubernetes with a brief description of the main points in the talks.
List of Talks on "Security in Containers and Kubernetes"
Getting Started With Cloud-Native Security — Liz Rice, Aqua Security & Michael Hausenblas
Amazing security container workshop!, you will have an interactive tutorial using kind, you will know more about the Kubernetes attack vectors, run a compromised application, scanning container images (Trivy) and integrated with CI/CD, scanning your Kubernetes workloads with Starboard and find the vulnerabilities. Use the own Kubernetes features in your favor, as a security context and network policies. Demo with OPA and Gatekeeper, CIS Kubernetes benchmark (Kube-bench). Finally, an introduction for Gitops and ArgoCD.
Workshop: https://tutorial.kubernetes-security.info/
Using BPF in Cloud Native environments — Alban Crequy & Marga Manterola, Kinvolk
Workshop using minikube and inspektor Gadget. The tool Inspektor Gadget uses BPF Compiler Collection (BCC), kubectl-trace and traceloop. An interesting tutorial will answer these questions: — Which TCP packets were retransmitted? — Which queries run slow? — Was this file opened?.
Workshop: https://github.com/kinvolk/cloud-native-bpf-workshop
Help! My Cluster Is On The Internet: Container Security Fundamentals — Samuel Davidson, Google
Best practices to build containers and how to apply the Kubernetes features for security. A nice Security checklist for the cluster. Tips & tricks on setting Kubernetes and build containers.
Handling Container Vulnerabilities with Open Policy Agent — Teppei Fukuda, Aqua Security
Do you know all the vulnerabilities that you can find in your application?. The scanning tool process, the score CVSS vector and the different sceneries about how exploit the vulnerability (CVE). Trivy overview and demos about how automatically manage the vulnerabilities detected by Trivy and use policy with OPA. Trivy Enforcer, a Kubernetes operator to create runtime controls, you could define your custom policy for vulnerability handling. Presentation Slides
Seccomp Security Profiles and You: A Practical Guide — Duffie Cooley, VMware
Seccomp, a security profile applied in containers and Kubernetes. What is a container? — Cgroups, and Capabilities as a way of hardening applications. Security context and Seccomp profile applied in Kubernetes. Demo using the seccomp operator.
How This Innocent Image Had a Party in My Cluster — Amir Jerbi & Itay Shakury, Aqua Security
What is vulnerability? The scanners and the blind spot about the static analysis with respect Zero-day attacks, polymorphic malware, etc. Dynamic analysis can trace the activity of the running container, detect and document the entire multi-stage attack. Real-world evasive malware case (DzMLT). Runtime security (monitor, detect and block) and shift left approach. Several demos using Tracee (system tracing using eBPF) exploring the different threads of attacks about malware. Demo with Dynamic Thread Analysis (DTA) for advanced technique in a security container. Presentation Slides
Cloud Native Policy Deep Dive — Zhipeng Huang, Huawei & Erica von Buelow, Red Hat
Main topics: — Open source initiatives in the #wg-policy (k8s slack) — what is cloud native policy? — Automates security goes beyond auditing/compliance — Policy case studies like Kyverno, CloudCustodian, K-rail, OPA Gatekeeper, Policy Report CRD — Policy & Compliance tools: polaris, kube-bench, trivy, Falco, etc.
Main topics: — How to prepare for a security incident. — The challenges to deal with incidents in Kubernetes. — CIS security benchmark. — Services owners’ pre-incident checklist: Least privileged RBAC profile, network policy, best practices to build image and deploy the pod, kube-apiserver audit log, etc. — Incident checklist: Try to reproduce the scenario, create common channels for communication, ownership, analyze and mitigate, and finally create a postmortem. Presentation Slides
Notary v2 Introduction and Status Report — Justin Cormack, Docker & Omar Paul, Amazon
Main topics: — Introduction to Notary (governance and supply chain security for container images). — TUF project. — Signatures and metadata in the registry, signatures as first-class elements of registries. — Threat vectors included in an automated deployment process. — Supply chain attacks. — Overview of the Notary v2 and the roadmap.
Open Policy Agent Introduction — Rita Zhang, Microsoft & Patrick East, Styra
Main topics: — Overview about Open Policy Agent (OPA) from maintainers. — Samples with Rego Playground. — Policy is in all the cloud-native ecosystem (CI/CD, orchestrators, microservices, databases, public cloud) — OPA integrations. — Overview of Gatekeeper v3 core features. — Demo for Container security policy in Kubernetes with Gatekeeper. — Conftest, test for Kubernetes configuration. Presentation Slides
Securing Container Delivery with TUF — Lukas Puehringer, NYU
The Update Framework (TUF) was designed to prevent, detect attacks and risk mitigation (reducing the damage from a successful attack) as a core principle. TUF roles for integrity, consistency, root of trust and timestamp. Presentation Slides
Designing a gRPC Interface for Kernel Tracing with eBPF — Leonardo Di Donato, Sysdig
Main topics: — Introduction to Falco (CNCF runtime security project) and the challenges using eBPF over gRPC. — Security doing prevention, detection, enforcement and auditing. — Runtime security by tracing the Linux kernel, using a defense in depth strategy. — How to get syscalls to userspace? — How does eBPF work? — eBPF maps for sharing state between kernel and userspace. Presentation Slides
How to Work in Cloud Native Security: Demystifying the Security Role — Justin Cormack, Docker
Nice presentation about Justin’s experience as a Security Lead at Docker and as a member of CNCF SIG Security. His first security work experience in this field, and the involvement with the open source community, specially with the SIG security and projects like Notary and Containerd. The talk presented the most important things he learned in security as well as the importance of empathy among teams and other topics like — How hard is hiring people and tips for contracting security people. — What is the difference in security regarding Cloud-native?. — Understand the threat model and secure your code. — Burnout in security roles! Presentation Slides
In a Container, Nobody Hears Your Screams: Next Generation Process Isolation — Andrew Martin
Main topics: — Compare and contrast the emerging generation of process isolation and security techniques. — Container runtimes with overview perspective about high and low level, CRI and OCI. — Containers vs Virtualization what’s wrong with the containers?. — Rootless Docker and Podman. — Spectrum of OS isolation. Sandboxed container technologies. — Firecracker device model. — Kata containers. — Kubernetes RuntimeClass. Presentation Slides
Making Compliance Cloud Native — Ann Wallace & Zeal Somani, Google
Main topics: — Compliance and auditing requirements and frameworks such as PCI and ISO 27001 adapted for cloud-native technologies. — Shift left for declarative compliance as a code. — Macro and micro segmentations. — Istio components for security. — Data security and Encryption. — Secure all the stages of the software Supply Chain. — Empathy between Security, regulators, auditors and governance, risk & compliance teams. Presentation Slides
CRI-O: Deep Diving into the Security — Sascha Grunert, SUSE & Daniel Walsh, Red Hat
Main topics: — Basic container security principles. — What is the least privileged container?. — Consider the different Kubernetes features for security (ServiceAccount, ClusterRole, PodSecurityPolicy, Network Policy). — Secure the node level (image signing, images encrypted, encrypt secrets at REST level). Container image signing and encryption with CRI-O. — Demo about running secure workloads with CRI-O and Seccomp (general available in Kubernetes v1.19), and also with AppArmor. — Linux Capabilities and Kubernetes namespace isolation. — OCI hook to generate seccomp profiles by tracing the syscalls made by the container.
Threat Modelling: Securing Kubernetes Infrastructure & Deployments — Rowan Baker, ControlPlane
Main topics: — Threat Modelling Kubernetes (Code, Container, Cluster and Cloud). — Data flow diagrams about Kubernetes Pod Launch and CI/CD. — Attack trees. — A list of Kubernetes security requirements and controls. — RBAC and policy with OPA. — Enforce the defense in depth with attack trees in the software supply chain. — Automated Testing. — Integrating Kubernetes with a SOC to configure the SIEM. — Map controls to compliance standards and policies. — Node Segregation, Service Mesh and Pod Security Policies. Presentation Slides
