Compare commits
No commits in common. "6bf47e49c582381d30c9cce62ac6d6524c30be48" and "4d528bf5deae73e5a8aedde1b02a15b07fa2c423" have entirely different histories.
@ -1,52 +0,0 @@
---
title: Surviving Day2: Picking the right tool to secure your kubernetes habitat
weight: 1
tags:
- kubecon
---
<!-- {{% button href="https://youtu.be/rkteV6Mzjfs" style="warning" icon="video" %}}Watch talk on YouTube{{% /button %}} -->
<!-- {{% button href="https://docs.google.com/presentation/d/1nEK0CVC_yQgIDqwsdh-PRihB6dc9RyT-" style="tip" icon="person-chalkboard" %}}Slides{{% /button %}} -->
Premise: The CNCF landscape includes a huuuge number (80+) of security(related) projects.
Analogy: Animal kingdom (includes simmilar-ish animals that might do some of the same stuff but not entirely the same)
## Build Phase
- How can i scan my container for vulnerabilities? -> Well you probably mean your image
- The image itself is just a bunch of static layerns and we kinda have to trust the layers you didn't build yourself
- The main tool used is still trivy with some easy steps
1. Extract layers
2. Build FS
3. Identify OS and Non-OS Packages
4. Compare with vuln-db
- The animal in our analogy: Racoon
## Deploy Phase
- Kubernetes Native: Admission Controller
- Tool used: Kyverno (integrates as an admission controller with yaml/crd based configuration)
1. Modify (e.g. add default resource limits)
2. Validate (check policies)
- The animal is actually a human: The forrest guard
## Start Phase
- Before the pod itself is running CSI, CNI and secret related processes (the once we want to look into) happen
- Problems: Secrets have no rotation or versioning mechanism, there is no default integration for external kms
- Project: External Secrets -> Get secrets from external kms, automaticly sync (e.g. new versions)
- The chosen animal: Capricorn
## Run Phase
- Goal: Runtime scannning without including specialized instrumentation in each application
- Tool: Falco utilizing eBPF to check system calls against rules
- Idea: Detect dangerous behaviour (e.g. check for someone trying to exploit a fresh CVE)
- The analogy: Falcon
## TL;DR
1. Scan images (trivy)
2. Enforce best pracices (kyverno)
3. Use an external kms (external secrets)
4. Scan at runtime (falco)
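Review bot: The removal of the entire Day2 file in this hunk (`@ -1,52 +0,0 @@`) is not a deletion anyone should merge as such: the page header states that the two commits have no commits in common, so the compare has no merge base and simply lists everything the other history lacks; pick a pair of commits with a shared ancestor (or rebase one side) before treating this as a change. If the file is meant to survive, two things in these lines deserve a fix on the way back in. The Start Phase bullet "there is no default integration for external kms" should be narrowed: Kubernetes does ship a KMS provider for the kube-apiserver, but it only envelope-encrypts Secrets at rest, which is not what External Secrets adds (fetching secrets from an external secret manager and syncing new versions into the cluster), so the gap the talk points at is sourcing and rotation, not encryption. And the spelling in the removed lines ("huuuge", "simmilar-ish", "layerns", "Racoon", "forrest", "the once we want", "automaticly", "scannning", "best pracices") should be cleaned up, since these are the notes readers are sent to.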
@ -5,9 +5,6 @@ weight: 7
---
The last day of KubeCon - aka the day everone leaves early.
But not me and I had no meetings scheduled for this day -> More talks for me and notes for you.
This being my 7th day of the trip and 6th day of non-stop conferences took a bit of a toll on my note taking skills (expect more spelling mistakes)
## Talk recommendations
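Review bot: Dropping the two sentences after "The last day of KubeCon" in this hunk (`@ -5,9 +5,6 @@`, the "But not me ..." and "This being my 7th day ..." lines) leaves "aka the day everone leaves early" running straight into "## Talk recommendations" with no handover to the list that follows. As with the first hunk, the header shows the two commits share no history, so this is most likely the other branch's older version of the Day 3 page rather than an intended edit; if it is intended, at least fix "everone" to "everyone" in the surviving context line, and be aware that the removed "expect more spelling mistakes" caveat was the only thing covering for that typo.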