---
title: "Surviving Day2: Picking the right tool to secure your kubernetes habitat"
weight: 1
tags:
  - kubecon
  - security
---

{{% button href="https://youtu.be/FqUPqroF-Rw" style="warning" icon="video" %}}Watch talk on YouTube{{% /button %}}
{{% button href="https://static.sched.com/hosted_files/kccnceu2025/a1/Surviving%20Day2%20-%20Picking%20the%20Right%20Tool%20To%20Secure%20Your%20Kubernetes%20Habitat.pdf" style="tip" icon="person-chalkboard" %}}Slides{{% /button %}}

Premise: The CNCF landscape includes a huge number (80+) of security-related projects.

Analogy: The animal kingdom (it includes similar-ish animals that may do some of the same things, but never entirely the same).

## Build Phase

- How can I scan my container for vulnerabilities? -> Well, you probably mean your image
- The image itself is just a bunch of static layers, and we more or less have to trust the layers we didn't build ourselves
- The main tool used is still trivy, which works in a few simple steps:
  1. Extract layers
  2. Build the filesystem
  3. Identify OS and non-OS packages
  4. Compare with the vulnerability DB
- The animal in our analogy: Raccoon

## Deploy Phase

- Kubernetes native: Admission Controller
- Tool used: Kyverno (integrates as an admission controller with YAML/CRD-based configuration)
  1. Mutate (e.g. add default resource limits)
  2. Validate (check policies)
- The animal is actually a human: the forest ranger

## Start Phase

- Before the pod itself is running, CSI, CNI and secret-related processes happen (the secret-related ones are the ones we want to look into)
- Problems: Secrets have no rotation or versioning mechanism, and there is no default integration for an external KMS
- Project: External Secrets -> Get secrets from an external KMS and sync them automatically (e.g. new versions)
- The chosen animal: Capricorn

## Run Phase

- Goal: Runtime scanning without including specialized instrumentation in each application
- Tool: Falco, utilizing eBPF to check system calls against rules
- Idea: Detect dangerous behaviour (e.g. check for someone trying to exploit a fresh CVE)
- The analogy: Falcon

## TL;DR

1. Scan images (trivy)
2. Enforce best practices (kyverno)
3. Use an external KMS (external secrets)
4. Scan at runtime (falco)
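The two Kyverno steps from the Deploy Phase (mutate, then validate) as one worked ClusterPolicy. This is an added example, not from the talk or the Kyverno project; the policy name, the default limit values and the namespace selector are assumptions chosen for illustration. Kyverno runs mutate rules before validate rules in the admission flow, so a pod without limits is first patched with the defaults and then passes the check; a pod that explicitly sets limits keeps its own values because `+()` only adds keys that are missing.

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  # Assumed name for this illustration.
  name: day2-pod-defaults
spec:
  # Enforce rejects non-compliant pods instead of only reporting them.
  validationFailureAction: Enforce
  background: true
  rules:
    # Step 1: mutate - add default resource limits where none are set.
    - name: add-default-resource-limits
      match:
        any:
          - resources:
              kinds:
                - Pod
      mutate:
        patchStrategicMerge:
          spec:
            containers:
              # "(name): *" anchors the patch to every container.
              - (name): "*"
                resources:
                  limits:
                    # "+()" adds the key only if it is absent (assumed defaults).
                    +(memory): "256Mi"
                    +(cpu): "500m"
    # Step 2: validate - after mutation every container must carry limits.
    - name: require-resource-limits
      match:
        any:
          - resources:
              kinds:
                - Pod
      validate:
        message: "Every container needs CPU and memory limits."
        pattern:
          spec:
            containers:
              # "?*" matches any non-empty value.
              - resources:
                  limits:
                    memory: "?*"
                    cpu: "?*"
```

Apply with `kubectl apply -f` and check a freshly created pod's `spec.containers[].resources.limits` to confirm the defaults were injected.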