From 6bf47e49c582381d30c9cce62ac6d6524c30be48 Mon Sep 17 00:00:00 2001 From: Nicolai Ort Date: Fri, 4 Apr 2025 12:22:31 +0200 Subject: [PATCH] =?UTF-8?q?docs(day3):=20First=20talk=20of=20the=20day=20?= =?UTF-8?q?=F0=9F=8E=89?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- content/day3/01_day-two.md | 52 ++++++++++++++++++++++++++++++++++++++ 1 file changed, 52 insertions(+) create mode 100644 content/day3/01_day-two.md diff --git a/content/day3/01_day-two.md b/content/day3/01_day-two.md new file mode 100644 index 0000000..a84d3b0 --- /dev/null +++ b/content/day3/01_day-two.md 
@@ -0,0 +1,52 @@ +--- +title: Surviving Day2: Picking the right tool to secure your kubernetes habitat +weight: 1 +tags: + - kubecon +--- + + + + +Premise: The CNCF landscape includes a huuuge number (80+) of security(related) projects. +Analogy: Animal kingdom (includes simmilar-ish animals that might do some of the same stuff but not entirely the same) + +## Build Phase + +- How can i scan my container for vulnerabilities? -> Well you probably mean your image +- The image itself is just a bunch of static layerns and we kinda have to trust the layers you didn't build yourself +- The main tool used is still trivy with some easy steps + 1. Extract layers + 2. Build FS + 3. Identify OS and Non-OS Packages + 4. Compare with vuln-db +- The animal in our analogy: Racoon + +## Deploy Phase + +- Kubernetes Native: Admission Controller +- Tool used: Kyverno (integrates as an admission controller with yaml/crd based configuration) + 1. Modify (e.g. add default resource limits) + 2. Validate (check policies) +- The animal is actually a human: The forrest guard + +## Start Phase + +- Before the pod itself is running CSI, CNI and secret related processes (the once we want to look into) happen +- Problems: Secrets have no rotation or versioning mechanism, there is no default integration for external kms +- Project: External Secrets -> Get secrets from external kms, automaticly sync (e.g. new versions) +- The chosen animal: Capricorn + +## Run Phase + +- Goal: Runtime scannning without including specialized instrumentation in each application +- Tool: Falco utilizing eBPF to check system calls against rules +- Idea: Detect dangerous behaviour (e.g. check for someone trying to exploit a fresh CVE) +- The analogy: Falcon + +## TL;DR + +1. Scan images (trivy) +2. Enforce best pracices (kyverno) +3. Use an external kms (external secrets) +4. Scan at runtime (falco) \ No newline at end of file
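Review bot: the front matter in this hunk will not parse as YAML: `title: Surviving Day2: Picking the right tool to secure your kubernetes habitat` has an unquoted `: ` inside a plain scalar, which YAML parsers such as Go's yaml library (the one Hugo uses for front matter) reject with "mapping values are not allowed in this context", so the new page would break the site build. Quote the value, e.g. `title: "Surviving Day2: Picking the right tool to secure your kubernetes habitat"`. The body also carries several spelling slips worth fixing before merge ("huuuge", "simmilar-ish", "layerns", "Racoon" for raccoon, "forrest" for forest, "the once" for "the ones", "automaticly", "scannning", "pracices"), and the file is added without a trailing newline (`\ No newline at end of file`).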