Kubernetes Security Updates from Kubecon 2018 Seattle

•

2 likes•484 views

This is talk delivered in Kubernetes Bangalore meetup of January which is just an update from the Kubecon that happened in Seattle in December 2018. Also includes some updates from recent Kubernetes release v1.13.

Software

Kubernetes Security
Updates
Suraj Deshmukh

$ whoami
● Suraj Deshmukh
● works @ Kinvolk
● Twitter @surajd_
● Kubernetes Slack @surajd
● Blog suraj.io

Features
● Fixed limited duration
● Every pod gets a different service account token
● Kubelet handles rotation of the token
● Force rotate by restarting the pod
● Not stored in secret, directly mounted inside the pod
● Need to re-read the token since it changes periodically
● Specify audiences so token is valid to talk to only those services

New API
TokenRequest
TokenRequestProjection
BoundServiceAccountTokenVolume
KEP: Service Account Token Volumes & Bound Service Account Tokens

Features
● Run heterogeneous container runtimes in cluster, allows you to run VMs and
containers together.
● Scheduling based on RuntimeClass is work in progress.
KEP: Runtime Class

● Field in PodSpec called runtimeClassName
● RuntimeClass
New API

Features
● Add restriction to kubelet
● Node isolation
● Prevent nodes from updating taints & their own labels specifically
node-restriction.kubernetes.io/*
● Can’t delete the node object itself
● Warn on whitelisted modifications

Features
● Graduated from experimental
● Define what resources you want to be encrypted
● Supports various encryption providers: aescbc, secretbox, aesgcm,
kms
● Solves the long standing problem of credentials not being safe with
Kubernetes.

Features
● Dynamically configure the audit backends
● No need to provide information to apiserver via flags

Other announcements
● Bug bounty program is coming to Kubernetes

References
● Transition ServiceAccount admission controller to improved service account token volumes #70679
● Kubernetes Contributor Summit 2018 - Security Through the Ages
● Deep Dive: Container Identity WG - Greg Castle & Michael Danese, Google
● Encrypting Secret Data at Rest
● NodeRestriction
● Dynamic Backend
● Audit in Kubernetes, the Future is Here - Stefan Schimanski & Maciej Szulik, Red Hat

Connect with us
● Twitter @k8sBLR
● Join Kubernetes slack slack.k8s.io and channel #in-dev & #in-users
● GSOC for Kubernetes announced!

Kubernetes Security Updates from Kubecon 2018 Seattle

What's hot

Mirantis Contributions to Kubernetes Ecosystem

MoscowKubernetes

DCSF19 Deploying Istio as an Ingress Controller

Docker, Inc.

Contiv provides a higher level of networking abstraction for microservices: it provides built-in service discovery and service routing for scale out services, working with schedulers like Docker Swarm, Kubernetes, Mesos and Openshift. A powerful policy-based management that makes networking on large scale easy. We will see some code examples, use cases and an easy tutorial on the web. This session is a follow up to the successful sessions at Codemotion Rome and Amsterdam in 2016: we'll go deeper into the architecture and the use cases.

Luca Relandini - Microservices and containers networking: Contiv, deep dive a...

Codemotion

Istio (service mesh) why and how

Milan Das

Mettere in sicurezza un cluster Kubernetes richiede l'uso di diverse strategie e di strumenti per attuarle. Tra queste, i Dynamic Admission Controllers giocano un ruolo fondamentale per garantire non solo la sicurezza di un cluster, ma anche la sua compliance. Infatti tramite di essi è possibile definire, ed applicare, regole personalizzate. Nonostante molte organizzazioni riconoscano l'importanza di abbracciare la "filosofia" Policy As Code, sono purtroppo poche le realtà in cui questa metodologia viene utilizzata in ambienti di produzione. Durante questo talk mostrerò come WebAssembly, una tecnologia nata originariamente per il Web, possa essere utilizzato per implementare strategie di Policy As Code in Kubernetes. Vedremo come l'adozione di WebAssembly semplifichi il processo di creazione, mantenimento e distribuzione di queste policy.

Kubernetes Policy As Code usando WebAssembly | Flavio Castelli

KCDItaly

Secure Credential Management with CredHub - DaShaun Carter & Sharath Sahadevan

VMware Tanzu

This presentation provides the basic concepts of the Kubernetes for Beginners. 1) Introduction of Kubernetes Before Kubernetes What is Kubernetes What Kubernetes can do? What Kubernetes can't do? Features of Kubernetes Kubernetes Architecture Kubernetes vs Docker Swarm Kubernetes 7 use cases ... 2) Kubernetes Component What is Kubelet? What is Kubectl? What is Kubeadm? 3) Nodes in Kubernetes What is a node in Kubernetes? Master node Worker node 4) Kubernetes Development Process What is blue green deployment? How to automate the deployment? 5) Networking in Kubernetes Kubernetes networking model Ingress networking in Kubernetes 6) Security Measures in Kubernetes Best security measures in Kubernetes

Introduction of Kubernetes - Trang Nguyen

Trang Nguyen

Getting started with Azure Container Service (AKS)

Janakiram MSV

What is Google Cloud Good For at DevFestInspire 2021

Robert John

Introduction to Kubernetes and Google Container Engine (GKE)

Opsta

Meetup 22 - 04 - Logging and Monitoring at scale on Kubernetes

Vietnam Open Infrastructure User Group

Kubernetes - Security Journey

Jerry Jalava

Watch this Tech Talk: https://do.co/video_pgupta An introduction into the world of containers and the orchestration ecosystem, and how Kubernetes can help software developers and cloud infrastructure engineers be more agile, efficient, and productive. Containers and Kubernetes have changed the infra world for good, bringing agility, efficiency, and more productivity. Still thinking about how to get started with Kubernetes? This talk is designed to give you an introduction into the world of containers and the orchestration ecosystem. What You'll Learn - Introduction to containers and microservices - Introduction to Kubernetes and how it can help - Essential Kubernetes building blocks (“primitives”) for getting started About the Presenter Peeyush Gupta is a cloud enthusiast with 5+ years of experience in developing cloud platforms and helping customers migrate their legacy applications to cloud. He has also been a speaker at multiple meetups and serves the developer community as part of Kubernetes contributor experience group. He is currently working with DigitalOcean as a Senior Developer Advocate. New to DigitalOcean? Get US $100 in credit when you sign up: https://do.co/deploytoday To learn more about DigitalOcean: https://www.digitalocean.com/ Follow us on Twitter: https://twitter.com/digitalocean Like us on Facebook: https://www.facebook.com/DigitalOcean Follow us on Instagram: https://www.instagram.com/thedigitalocean/ We're hiring: http://do.co/careers

Kubernetes for Beginners

DigitalOcean

Kubernetes Architecture

Knoldus Inc.

16. Cncf meetup-docker

Juraj Hantak

Introduction to Kubernetes with demo

Opsta

Service Mesh For Beginner

Mien Dinh

Extending Kubernetes

Johannes Rudolph

Kubernetes Security

Karthik Gaekwad

Sempre più spesso è presente l'esigenza di costruire applicativi dinamici, interattivi e veloci al punto tale da risultare istantanei e in grado di permettere la fruizione di informazioni aggiornate in tempo reale. Durante il talk vedremo un esempio concreto di come sia possibile creare un’applicazione production ready, basata su uno use-case che rispetti queste esigenze e sfruttando alcune delle principali tecnologie offerte dal mercato come React, Flux, WebSocket e MongoDB.

M.Montalbano/M.Colombo Speroni/S.Sala - Combining React and Websocket to buil...

Codemotion

What's hot (20)

Mirantis Contributions to Kubernetes Ecosystem

DCSF19 Deploying Istio as an Ingress Controller

Luca Relandini - Microservices and containers networking: Contiv, deep dive a...

Istio (service mesh) why and how

Kubernetes Policy As Code usando WebAssembly | Flavio Castelli

Secure Credential Management with CredHub - DaShaun Carter & Sharath Sahadevan

Introduction of Kubernetes - Trang Nguyen

Getting started with Azure Container Service (AKS)

What is Google Cloud Good For at DevFestInspire 2021

Introduction to Kubernetes and Google Container Engine (GKE)

Meetup 22 - 04 - Logging and Monitoring at scale on Kubernetes

Kubernetes - Security Journey

Kubernetes for Beginners

Kubernetes Architecture

16. Cncf meetup-docker

Introduction to Kubernetes with demo

Service Mesh For Beginner

Extending Kubernetes

Kubernetes Security

M.Montalbano/M.Colombo Speroni/S.Sala - Combining React and Websocket to buil...

Similar to Kubernetes Security Updates from Kubecon 2018 Seattle

Dynamic management of kubernetes

Martin Podval

Extending kubernetes

Gigi Sayfan

Kubernetes secret introduction

Evan Lin

Container orchestration and microservices world

Karol Chrapek

Kubernetes provides an automated platform to deployment, scaling and operations of applications across a cluster of hosts. Complementing Kubernetes with a series of build scripts in conjunction with Travis-CI, GitHub, Artifactory, and Google Cloud Platform, we can take code from a merged pull request to a deployed environment with no manual intervention on a highly scaleable and robust infrastructure.

GCP - Continuous Integration and Delivery into Kubernetes with GitHub, Travis...

Oleg Shalygin

Ultimate Guide to Microservice Architecture on Kubernetes

kloia

Join us to learn the concepts and terminology of Kubernetes such as Nodes, Labels, Pods, Replication Controllers, Services. After taking a closer look at the Kubernetes master and the nodes, we will walk you through the process of building, deploying, and scaling microservices applications. Each attendee gets $100 credit to start using Google Container Engine. The source code is available at https://github.com/janakiramm/kubernetes-101

Kubernetes architecture

Janakiram MSV

Introduction to kubernetes

Rishabh Indoria

Introduction to Kubernetes Workshop

Bob Killen

Incredibly powerful and flexible, Kubernetes role-based access control (RBAC) is an essential tool to effectively manage production clusters. Yet many Ops and DevOps engineers are still facing barriers to efficiently use it at scale. These include a steep learning curve, YAML-based configuration, lack of standardized best practices, and the general complexity of this functionality at large -- it truly can be somewhat overwhelming. During this meetup Oleg, CTO at Kublr, will discuss Kubernetes RBAC concepts and objects. He'll explore different use cases ranging from simple permission management for in-cluster application accounts to integrations with external identity providers for SSO and enterprise user access management. Leveraging the Kublr Platform, Oleg will demonstrate how it simplifies the management of access and RBAC rules in a cloud native environment while staying vendor-independent and compatible with any Kubernetes distribution.

Introduction to Kubernetes RBAC

Kublr

CNCF Live Webinar: Kubernetes 1.23

LibbySchulze

Kube 1.2

Diógenes Rettori

Docker on docker leveraging kubernetes in docker ee

Docker, Inc.

Google Cloud platform: GKE with CI/CD using CircleCI and Flux

komaldevg

kubernetesssssssssssssssssssssssssss.pdf

bchiriamina2

WSO2 API Manager provides cloud-native API management, where a user can expose microservices as managed APIs in cloud environments with no hassle. In an age where applications are increasingly adopting microservice architecture, it is obvious that container-orchestration systems such as Kubernetes have gained popularity due to the attractive functionality they offer to simplify a number of complex management tasks. With WSO2 API Manager, now you can expose microservices as managed APIs in cloud environments such as Kubernetes. It automates a number of complex tasks such as application deployment, scaling, and management. Exposing microservices in cloud environments with private jet mode provides a dedicated microgateway to handle each managed API. This will provide maximum security and guaranteed resource allocation for API execution. By attending this webinar, you will gain hands-on experience on how to expose microservices as managed APIs in cloud clusters in private jet mode where each API is managed by a dedicated microgateway. Watch the on-demand here: https://wso2.com/library/webinars/how-to-build-a-scalable-distributed-multi-cloud-api-architecture/

How to Build a Scalable, Distributed, Multi-Cloud API Architecture on Kubernetes

WSO2

WSO2 API Microgateway is a lightweight, developer focused, cloud-native, decentralized gateway designed to be deployed in microservice architectures. It acts as a gateway for microservices with inbuilt capabilities for service enrichment such as authentication, authorization, rate limiting, and analytics. This deck covers, - Architectural changes done for the major version - Developer centric approach of microgateway - New features and their use cases - Deployment patterns for microgateways - Demonstration of its capabilities (Create microgateway projects, and deploy them in multiple environments) Watch the webinar on-demand here - https://wso2.com/library/webinars/2019/07/wso2-api-microgateway-for-easier-development-and-greater-scalability/

WSO2 API Microgateway for Easier Development and Greater Scalability

WSO2

Getting started with Kubernetes and Azure DevOps

RaTul Basak

Docker Enterprise Workshop - Technical

Patrick Chanezon

01 - VMUGIT - Lecce 2018 - Fabio Rapposelli, VMware

VMUG IT

Similar to Kubernetes Security Updates from Kubecon 2018 Seattle (20)

Dynamic management of kubernetes

Extending kubernetes

Kubernetes secret introduction

Container orchestration and microservices world

GCP - Continuous Integration and Delivery into Kubernetes with GitHub, Travis...

Ultimate Guide to Microservice Architecture on Kubernetes

Kubernetes architecture

Introduction to kubernetes

Introduction to Kubernetes Workshop

Introduction to Kubernetes RBAC

CNCF Live Webinar: Kubernetes 1.23

Kube 1.2

Docker on docker leveraging kubernetes in docker ee

Google Cloud platform: GKE with CI/CD using CircleCI and Flux

kubernetesssssssssssssssssssssssssss.pdf

How to Build a Scalable, Distributed, Multi-Cloud API Architecture on Kubernetes

WSO2 API Microgateway for Easier Development and Greater Scalability

Getting started with Kubernetes and Azure DevOps

Docker Enterprise Workshop - Technical

01 - VMUGIT - Lecce 2018 - Fabio Rapposelli, VMware

Recently uploaded

Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...

SelfMade bd

WSO2CON2024 - Why Should You Consider Ballerina for Your Next Integration

WSO2

Azure Native Qumulo scales elastically for common High Performance Compute (HPC) workloads based on application requirements for: Financial Services, Automotive, Genomics / Life Sciences, Media and Entertainment, Energy, Oil and Gas, and more. Performance can be increased (and elastically decreased) much higher than the examples shown here. These slides offer a glimpse into ANQ's HPC capabilities, although at a smaller scale. We invite YOU to do your own testing (with a free ANQ trial) and work with us to test your HPC workloads in Azure.

AzureNativeQumulo_HPC_Cloud_Native_Benchmarks.pdf

ryanfarris8

This presentation covers the following topics: What is logging? The purpose of logging: Debugging The purpose of logging: Security The purpose of logging: Stats & analytics Traditional logging Traditional logging: Advantages Traditional logging: Disadvantages The solution: Large-scale logging Large-scale logging: Core principles Large-scale logging: Solution types Large-scale logging: Cloud vs on-prem Large-scale logging: Operational complexity Large-scale logging: Security Large-scale logging: Costs Large-scale logging: On-prem comparison - Elasticsearch - Grafana Loki - VictoriaLogs On-prem comparison: Setup and operation On-prem comparison: Costs On-prem comparison: Full-text search support On-prem comparison: How to efficiently query 100TB of logs? On-prem comparison: Integration with CLI tools VictoriaLogs for large-scale logging VictoriaLogs demo instance - Ingestion rate: 3600 messages / minute - The number of log messages: 1.1 billion - Uncompressed log messages’ size: 1.5TB - Compressed log messages’ size: 23GB - Compression ratio: 47x - Memory usage: 150MB VictoriaLogs CLI integration demo - Which errors have occurred in all the apps during the last hour? - How many errors have occurred during the last hour? - Which apps generated the most of errors during the last hour? - The number of per-minute errors for the last 10 minutes - Status codes for the last hour - Non-200 status codes for the last week - Top client IPs for the last 4 weeks with 404 and 500 response status codes - Per-month stats for the given IP across all the logs Large-scale logging solution MUST provide excellent CLI integration VictoriaLogs: (temporary) drawbacks VictoriaLogs: Recap - Easy to setup and operate - The lowest RAM usage and disk space usage (up to 30x less than Elasticsearch and Grafana Loki) - Fast full-text search - Excellent integration with traditional command-line tools for log analysis - Accepts logs from popular log shippers (Filebeat, Fluentbit, Logstash, Vector, Promtail, Grafana Agent) - Open source and free to use!

Large-scale Logging Made Easy: Meetup at Deutsche Bank 2024

VictoriaMetrics

WSO2Con2024 - Organization Management: The Revolution in B2B CIAM

WSO2

WSO2CON 2024 - How CSI Piemonte Is Apifying the Public Administration

WSO2

%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein

masabamasaba

Artyushina_Guest lecture_YorkU CS May 2024.pptx

AnnaArtyushina1

WSO2CON 2024 - How to Run a Security Program

WSO2

WSO2Con2024 - Enabling Transactional System's Exponential Growth With Simplicity

WSO2

Direct Style Effect Systems -The Print[A] Example- A Comprehension Aid

Philip Schwarz

WSO2CON 2024 - Architecting AI in the Enterprise: APIs and Applications

WSO2

WSO2Con2024 - Software Delivery in Hybrid Environments

WSO2

WSO2CON 2024 - API Management Usage at La Poste and Its Impact on Business an...

WSO2

WSO2Con2024 - GitOps in Action: Navigating Application Deployment in the Plat...

WSO2

Modeling languages are generally applied for developing systems and software – both internally, with domain-specific languages, and with standardized languages targeting a general purpose and a wide audience. Way too often these languages are weakly created and defined leading to poor quality: Language definitions tend to contain errors and inconsistencies; notations do not recognize the communication and problem-solving needs of humans; standardization organizations push exchange formats that do not fully work and offer certificates that do not measure mastery of the language. We describe common problems in language development and point them out with examples from known cases. To overcome these problems, we suggest several solutions to improve language development, including using modeling languages specifically designed to define modeling languages, continuous testing and prototyping, and keeping language users in the loop.

What Goes Wrong with Language Definitions and How to Improve the Situation

Juha-Pekka Tolvanen

WSO2CON 2024 - Building a Digital Government in Uganda

WSO2

WSO2CON 2024 - Building the API First Enterprise – Running an API Program, fr...

WSO2

WSO2CON 2024 - Navigating API Complexity: REST, GraphQL, gRPC, Websocket, Web...

WSO2

Devoxx UK 2024 - Going serverless with Quarkus, GraalVM native images and AWS...

Bert Jan Schrijver

Recently uploaded (20)

Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...

WSO2CON2024 - Why Should You Consider Ballerina for Your Next Integration

AzureNativeQumulo_HPC_Cloud_Native_Benchmarks.pdf

Large-scale Logging Made Easy: Meetup at Deutsche Bank 2024

WSO2Con2024 - Organization Management: The Revolution in B2B CIAM

WSO2CON 2024 - How CSI Piemonte Is Apifying the Public Administration

%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein

Artyushina_Guest lecture_YorkU CS May 2024.pptx

WSO2CON 2024 - How to Run a Security Program

WSO2Con2024 - Enabling Transactional System's Exponential Growth With Simplicity

Direct Style Effect Systems -The Print[A] Example- A Comprehension Aid

WSO2CON 2024 - Architecting AI in the Enterprise: APIs and Applications

WSO2Con2024 - Software Delivery in Hybrid Environments

WSO2CON 2024 - API Management Usage at La Poste and Its Impact on Business an...

WSO2Con2024 - GitOps in Action: Navigating Application Deployment in the Plat...

What Goes Wrong with Language Definitions and How to Improve the Situation

WSO2CON 2024 - Building a Digital Government in Uganda

WSO2CON 2024 - Building the API First Enterprise – Running an API Program, fr...

WSO2CON 2024 - Navigating API Complexity: REST, GraphQL, gRPC, Websocket, Web...

Devoxx UK 2024 - Going serverless with Quarkus, GraalVM native images and AWS...

Kubernetes Security Updates from Kubecon 2018 Seattle

1. Kubernetes Security Updates Suraj Deshmukh

2. $ whoami ● Suraj Deshmukh ● works @ Kinvolk ● Twitter @surajd_ ● Kubernetes Slack @surajd ● Blog suraj.io

3. ServiceAccount

4. Features ● Fixed limited duration ● Every pod gets a different service account token ● Kubelet handles rotation of the token ● Force rotate by restarting the pod ● Not stored in secret, directly mounted inside the pod ● Need to re-read the token since it changes periodically ● Specify audiences so token is valid to talk to only those services

5. New API TokenRequest TokenRequestProjection BoundServiceAccountTokenVolume KEP: Service Account Token Volumes & Bound Service Account Tokens

6. RuntimeClass

7. Features ● Run heterogeneous container runtimes in cluster, allows you to run VMs and containers together. ● Scheduling based on RuntimeClass is work in progress. KEP: Runtime Class

8. ● Field in PodSpec called runtimeClassName ● RuntimeClass New API

9. NodeRestriction

10. Features ● Add restriction to kubelet ● Node isolation ● Prevent nodes from updating taints & their own labels specifically node-restriction.kubernetes.io/* ● Can’t delete the node object itself ● Warn on whitelisted modifications

11. Encrypting Secret Data at Rest

12. Features ● Graduated from experimental ● Define what resources you want to be encrypted ● Supports various encryption providers: aescbc, secretbox, aesgcm, kms ● Solves the long standing problem of credentials not being safe with Kubernetes.

13. EncryptionConfiguration New API

14. Dynamic Audit backend

15. Features ● Dynamically configure the audit backends ● No need to provide information to apiserver via flags

16. New API AuditSink

17. Other announcements ● Bug bounty program is coming to Kubernetes

18. References ● Transition ServiceAccount admission controller to improved service account token volumes #70679 ● Kubernetes Contributor Summit 2018 - Security Through the Ages ● Deep Dive: Container Identity WG - Greg Castle & Michael Danese, Google ● Encrypting Secret Data at Rest ● NodeRestriction ● Dynamic Backend ● Audit in Kubernetes, the Future is Here - Stefan Schimanski & Maciej Szulik, Red Hat

19. Connect with us ● Twitter @k8sBLR ● Join Kubernetes slack slack.k8s.io and channel #in-dev & #in-users ● GSOC for Kubernetes announced!

Kubernetes Security Updates from Kubecon 2018 Seattle

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Kubernetes Security Updates from Kubecon 2018 Seattle

Similar to Kubernetes Security Updates from Kubecon 2018 Seattle (20)

More from Suraj Deshmukh

More from Suraj Deshmukh (12)

Recently uploaded

Recently uploaded (20)

Kubernetes Security Updates from Kubecon 2018 Seattle