Karthik Gaekwad gave a presentation on securing Kubernetes clusters. He discussed reducing the attack surface by hardening hosts, using official container images with specific versions, limiting privileges, and periodically checking for vulnerabilities. He explained how Kubernetes features like TLS, authentication, authorization, auditing, network policies and pod security policies can help. Open source tools like Clair, Kube-bench, Kubesec and Kubeaudit were presented to analyze vulnerabilities and check configuration best practices. The overall message was to take a layered approach to security using the platform capabilities and tooling available.
My cloud native security talk I gave at Innotech Austin 2018. I cover container and Kubernetes security topics, security features in Kubernetes, including opensource projects you will want to consider while building and maintaining cloud native applications.
Introduction to Kubernetes Security (Aqua & Weaveworks)Weaveworks
Kubernetes is fundamentally a complex system with lots of different potential attack vectors aimed at data theft, currency mining and other threats. During this webinar, Aqua Security and Weaveworks will provide an overview of the current state of security-related features in Kubernetes, demonstrate how you can build a secure and reliable Kubernetes deployment pipeline with GitOps best practices, and explore how to best prevent common Git attacks. In addition we will show image scanning and briefly explore how to best prevent common Git attacks.
Deploying Kubernetes without scaring off your security team - KubeCon 2017Major Hayden
Kubernetes provides plenty of enhancements for deploying software, but it can cause anxiety on the corporate security team. This talk explains how to approach your security team and how to push them to provide guardrails, not deployments.
My cloud native security talk I gave at Innotech Austin 2018. I cover container and Kubernetes security topics, security features in Kubernetes, including opensource projects you will want to consider while building and maintaining cloud native applications.
Introduction to Kubernetes Security (Aqua & Weaveworks)Weaveworks
Kubernetes is fundamentally a complex system with lots of different potential attack vectors aimed at data theft, currency mining and other threats. During this webinar, Aqua Security and Weaveworks will provide an overview of the current state of security-related features in Kubernetes, demonstrate how you can build a secure and reliable Kubernetes deployment pipeline with GitOps best practices, and explore how to best prevent common Git attacks. In addition we will show image scanning and briefly explore how to best prevent common Git attacks.
Deploying Kubernetes without scaring off your security team - KubeCon 2017Major Hayden
Kubernetes provides plenty of enhancements for deploying software, but it can cause anxiety on the corporate security team. This talk explains how to approach your security team and how to push them to provide guardrails, not deployments.
“The Elements of Style” is one of the most important and foundational guidelines on how to write well. It has effectively summarized, in a list of seminal guidelines, how to harness the power of the English language to write high quality prose of almost any kind.
In computing, we have similar guides for various technologies. Python offers “The Zen Of Python”, Ruby has “The Rails Doctrine”, and so on...
One of the powers these documents wield is that they help serve as a “north star” that guides an entire community toward the same goals.
I believe we need a similar guide for Kubernetes. It would describe how app developers and operators should think about and use the features in Kubernetes to build and deploy reliable, stable apps. Armed with such a guide, we could all hope to better understand the “essence” of Kubernetes in pursuit of building better cloud native apps.
We don’t have anything like this today, but many in the Kubernetes community have strong, detailed opinions for what should go in this guide. Much of it is tribal knowledge or scattered in blog posts.
In this talk, I’ll try to bring many of these opinions together and lay out an “Elements of Kubernetes” guide for app developers and operators alike. I’ll do so by relating each “element” to stories and details I’ve seen in the community that reveal what makes a good Kubernetes and cloud native app.
This talk was given at KubeCon / CloudNativeCon 2017 on December 7th, 2017 in Austin, TX
Using the SDACK Architecture on Security Event Inspection by Yu-Lun Chen and ...Docker, Inc.
The SDACK architecture stands for Spark, Docker, Akka, Cassandra, and Kafka. At TrendMicro, we adopted the SDACK architecture to implement a security event inspection platform for APT attack analysis. In this talk, we will introduce SDACK stack with Spark lambda architecture, Akka and Kafka for streaming data pipeline, Cassandra for time series data, and Docker for microservices. Specifically, we will show you how we Dockerize each SDACK component to facilitate the RD team of algorithms development, help the QA team test the product easily, and use the Docker as a Service strategy to ship our products to customers. Next, we will show you how we monitor each Docker container and adjust the resource usage based on monitoring metrics. And then, we will share our Docker security policy which ensures our products are safety before shipping to customers. After that, we'll show you how we develop an all-in-one Docker based data product and scale it out to multi-host Docker cluster to solve the big data problem. Finally, we will share some challenges we faced during the product development and some lesson learned.
Immutable Awesomeness by John Willis and Josh CormanDocker, Inc.
This presentation will show the combination of two ideas that can create 2 to 3 order of magnitude efficiencies in service delivery. We will discuss an example used in an insurance company that has experienced these efficiencies. Josh Corman will present the concept of using Open Source and Toyota Supply Chain principles as a weapon for eliminating operational costs of service delivery. By applying first order principles like fewer suppliers (e.g, less logging frameworks) and image manifests (i.e., bill of materials) he will show how an organization can cut down on bugs and issue resolution times. John Willis will then cover how these principles fit like peanut butter and chocolate when used in an immutable delivery model based on Docker. This presentation was the third highest rated session at the 2015 Devops Enterprise Summit.
Cloud native applications are popular these days. They promise superior reliability and almost arbitrary scalability. They follow three key principles: they are built and composed as microservices. They are packaged and distributed in containers. The containers are executed dynamically in the cloud. But which technology is best to build this kind of application? This talk will be your guidebook.
In this hands-on session, we will briefly introduce the core concepts and some key technologies of the cloud native stack and then show how to build, package, containerize, compose and orchestrate a cloud native showcase application on top of a cluster operating system such as Kubernetes or OpenShift. Throughout the session we will be using an off-the-shelf MIDI controller to visualize the concepts and to remote control the cluster.
Container Days 2017 conference. @ConDaysEU #CDS17 #qaware #CloudNativeNerd @LeanderReimer
Keeping your Kubernetes Cluster SecureGene Gotimer
From NOVA Cloud and Software Engineering Group meetup, Feb. 17, 2021 https://youtu.be/a5uPm1mPLKQ.
Hardening a Kubernetes cluster happens at different levels. We have to examine the nodes where Kubernetes is running. We want to secure the Kubernetes objects and workloads and review the files we used to create them. And we need to look for vulnerabilities in the containers we are using. Gene will show you some open-source tools that can find issues and vulnerabilities at each layer. All of them can be used in a pipeline to build your Kubernetes cluster safely and keep it secure.
Gene Gotimer is the meetup organizer and a DevSecOps Senior Engineer at Steampunk, focusing on agile processes, secure development practices, and automation. Gene feels strongly that repeatability, quality, and security are all strongly intertwined; each depends on the other two, making agile and DevSecOps that much more crucial to software development.
Kubernetes (K8s) is a powerful, flexible and portable open source framework for distributed containerized applications delivery and management. An important part of the services provided by most Kubernetes clusters is the containers’ networking stack. In most cases and for many applications it “just works”, but this seeming simplicity is backed by a complex stack of technologies that provide many capabilities beyond the basics.
This presentation accompanies the meetup and webinar where Oleg Chunikhin, CTO at Kublr, shows how Kubernetes networking stack works, describes main components, interfaces and extensibility options.
What is covered:
- general notions of Kubernetes networking - Pods and Network Policies
- implementation of Kubernetes networking - CNI, CNI plugins, and Linux network namespaces
- some Kubernetes CNI providers: Calico, Weave, Flanel, and Canal
- K8S networking extensibility for advanced and “exotic” use-cases with Multus CNI plugin as an example
Cloud Native Night May 2017, Mainz: Talk by Giant Swarm (@giantswarm).
Join our Meetup: www.meetup.com/cloud-native-night
Abstract: At Giant Swarm, we manage Kubernetes clusters for customers 24/7, both on-premises and in the cloud. That means we do not just set something up and hand it over, but we actually take care that it’s operational and up-to-date at all times.
This presentation demonstrates how Giant Swarm are using Operators to codify all operational tasks of managing Kubernetes cluster and distributed applications on top. The operators manage PKI infrastructures, networks, VMs and storage both on-premises and in the cloud.
Topics:
• RepoKid
Netflix’s Open-source Strategy to Rightsizing Cloud Permissions at Scale
• BetterTLS
A test suite for HTTPS clients implementing verification of the Name Constraints certificate extension
• Authorization at Netflix
Netflix’s architecture for implementing Authorization at scale
• Open Policy Agent
An open source, general-purpose policy engine that enables unified, context-aware policy enforcement across the entire stack. (www.openpolicyagent.org)
• Introducing PADME (Policy Access Decision Management Engine)
A modern policy management for distributed heterogenous systems. (www.padme.io)
Demo Stations:
• Stethoscope
Personalized, user-focused recommendations for employee information security.
• HubCommander
Slack bot for GitHub organization management -- and other things too!
• Open Policy Agent
An open source, general-purpose policy engine that enables unified, context-aware policy enforcement across the entire stack.
Practical Container Security by Mrunal Patel and Thomas Cameron, Red HatDocker, Inc.
You can secure your containerized microservices without slowing down development. Through a combination of Linux kernel features and open source tools, you can isolate the host from the container and the containers from each other, as well as finding vulnerabilities and securing data. Two of Red Hat's Docker contributors will discuss the state of container security today, covering Linux namespaces, SElinux, cgroups, capabilities, scan, seccomp, and other tools you can use right now.
Open Source Applied - Real World Use Cases
Justin Reock
Rogue Wave Software - Lead Architect of OSS Support and Services
To find more by Rogue Wave Software: https://www.slideshare.net/RogueWaveSoftware
Keeping your Kubernetes Cluster SecureGene Gotimer
Many organizations are shifting to containers and Kubernetes, and that move means learning new ways to secure their environments. Kubernetes clusters have to be hardened at different levels. We have to consider the nodes where the Kubernetes control plane is running. We also need to secure the Kubernetes workloads and check the files that create them. And we need to inspect the containers we are using for vulnerabilities and unusual behavior.
Gene will show you some open-source tools that can find issues and vulnerabilities at each layer. You will see how they can be used in a pipeline to build your Kubernetes cluster safely and keep it secure.
Continuous Delivery the Hard Way with Kubernetes Weaveworks
How do you version control your deployment config + automate the delivery of your software through a CI/CD pipeline?
We will cover open source tools that facilitate:
• Simultaneously updating configuration and performing releases to Kubernetes
• Rolling back and pinning releases
• Having different release policies to different environments
Read the blog: https://www.weave.works/blog/continuous-delivery-the-hard-way
Visit Weave Cloud: https://www.weave.works/product/cloud/
For more free talks, join our Weave Online User Group: https://www.meetup.com/Weave-User-Group/
DCSF 19 How Entergy is Mitigating Legacy Windows Operating System Vulnerabili...Docker, Inc.
Jason Brown - Program Manager, Entergy
Jeff Hummel - IT Infrastructure, Architect, Entergy
Entergy, a large utility company headquartered in New Orleans, LA has launched an initiative to modernize their application infrastructure. During the initial analysis, Entergy recognized the existing legacy infrastructure’s lack of compatibility with more recent operating systems would stand in the way of progress. As a result, containerization was fast-tracked as the solution that can help them with the various tenants of their strategy: hyperconvergence, SaaS (ServiceNow), and workload portability. Docker Enterprise proved to be the right solution to migrate roughly 850 legacy applications from Windows Server 2003 and 2008 to Windows Server 2016 quickly, securely and economically. Entergy IT has now delivered the ability for the business to run applications on-premise, in the cloud, and future-proofed the applications for migration to new versions of Windows Server. In this session, Entergy will talk about how they are modernizing their infrastructure to become more agile, secure, and enable workload portability.
Common vulnerabilities & exposures (cve) in docker containers- 2018 alldaydevopsJose Manuel Ortega Candel
CVEs are the standard source for vulnerability details and descriptions. Security professionals use CVEs to understand vulnerabilities and what can be done to prevent them.Securing application containers requires a security strategy which includes analyze and audit docker images layer by layer.
A list of action items you want to keep in mind when you're devsecops'ing for your cloudnative environments. Given as a part of a talk on the Modern Security series (
https://info.signalsciences.com/securing-cloud-native-ten-tips-better-container-security).
“The Elements of Style” is one of the most important and foundational guidelines on how to write well. It has effectively summarized, in a list of seminal guidelines, how to harness the power of the English language to write high quality prose of almost any kind.
In computing, we have similar guides for various technologies. Python offers “The Zen Of Python”, Ruby has “The Rails Doctrine”, and so on...
One of the powers these documents wield is that they help serve as a “north star” that guides an entire community toward the same goals.
I believe we need a similar guide for Kubernetes. It would describe how app developers and operators should think about and use the features in Kubernetes to build and deploy reliable, stable apps. Armed with such a guide, we could all hope to better understand the “essence” of Kubernetes in pursuit of building better cloud native apps.
We don’t have anything like this today, but many in the Kubernetes community have strong, detailed opinions for what should go in this guide. Much of it is tribal knowledge or scattered in blog posts.
In this talk, I’ll try to bring many of these opinions together and lay out an “Elements of Kubernetes” guide for app developers and operators alike. I’ll do so by relating each “element” to stories and details I’ve seen in the community that reveal what makes a good Kubernetes and cloud native app.
This talk was given at KubeCon / CloudNativeCon 2017 on December 7th, 2017 in Austin, TX
Using the SDACK Architecture on Security Event Inspection by Yu-Lun Chen and ...Docker, Inc.
The SDACK architecture stands for Spark, Docker, Akka, Cassandra, and Kafka. At TrendMicro, we adopted the SDACK architecture to implement a security event inspection platform for APT attack analysis. In this talk, we will introduce SDACK stack with Spark lambda architecture, Akka and Kafka for streaming data pipeline, Cassandra for time series data, and Docker for microservices. Specifically, we will show you how we Dockerize each SDACK component to facilitate the RD team of algorithms development, help the QA team test the product easily, and use the Docker as a Service strategy to ship our products to customers. Next, we will show you how we monitor each Docker container and adjust the resource usage based on monitoring metrics. And then, we will share our Docker security policy which ensures our products are safety before shipping to customers. After that, we'll show you how we develop an all-in-one Docker based data product and scale it out to multi-host Docker cluster to solve the big data problem. Finally, we will share some challenges we faced during the product development and some lesson learned.
Immutable Awesomeness by John Willis and Josh CormanDocker, Inc.
This presentation will show the combination of two ideas that can create 2 to 3 order of magnitude efficiencies in service delivery. We will discuss an example used in an insurance company that has experienced these efficiencies. Josh Corman will present the concept of using Open Source and Toyota Supply Chain principles as a weapon for eliminating operational costs of service delivery. By applying first order principles like fewer suppliers (e.g, less logging frameworks) and image manifests (i.e., bill of materials) he will show how an organization can cut down on bugs and issue resolution times. John Willis will then cover how these principles fit like peanut butter and chocolate when used in an immutable delivery model based on Docker. This presentation was the third highest rated session at the 2015 Devops Enterprise Summit.
Cloud native applications are popular these days. They promise superior reliability and almost arbitrary scalability. They follow three key principles: they are built and composed as microservices. They are packaged and distributed in containers. The containers are executed dynamically in the cloud. But which technology is best to build this kind of application? This talk will be your guidebook.
In this hands-on session, we will briefly introduce the core concepts and some key technologies of the cloud native stack and then show how to build, package, containerize, compose and orchestrate a cloud native showcase application on top of a cluster operating system such as Kubernetes or OpenShift. Throughout the session we will be using an off-the-shelf MIDI controller to visualize the concepts and to remote control the cluster.
Container Days 2017 conference. @ConDaysEU #CDS17 #qaware #CloudNativeNerd @LeanderReimer
Keeping your Kubernetes Cluster SecureGene Gotimer
From NOVA Cloud and Software Engineering Group meetup, Feb. 17, 2021 https://youtu.be/a5uPm1mPLKQ.
Hardening a Kubernetes cluster happens at different levels. We have to examine the nodes where Kubernetes is running. We want to secure the Kubernetes objects and workloads and review the files we used to create them. And we need to look for vulnerabilities in the containers we are using. Gene will show you some open-source tools that can find issues and vulnerabilities at each layer. All of them can be used in a pipeline to build your Kubernetes cluster safely and keep it secure.
Gene Gotimer is the meetup organizer and a DevSecOps Senior Engineer at Steampunk, focusing on agile processes, secure development practices, and automation. Gene feels strongly that repeatability, quality, and security are all strongly intertwined; each depends on the other two, making agile and DevSecOps that much more crucial to software development.
Kubernetes (K8s) is a powerful, flexible and portable open source framework for distributed containerized applications delivery and management. An important part of the services provided by most Kubernetes clusters is the containers’ networking stack. In most cases and for many applications it “just works”, but this seeming simplicity is backed by a complex stack of technologies that provide many capabilities beyond the basics.
This presentation accompanies the meetup and webinar where Oleg Chunikhin, CTO at Kublr, shows how Kubernetes networking stack works, describes main components, interfaces and extensibility options.
What is covered:
- general notions of Kubernetes networking - Pods and Network Policies
- implementation of Kubernetes networking - CNI, CNI plugins, and Linux network namespaces
- some Kubernetes CNI providers: Calico, Weave, Flanel, and Canal
- K8S networking extensibility for advanced and “exotic” use-cases with Multus CNI plugin as an example
Cloud Native Night May 2017, Mainz: Talk by Giant Swarm (@giantswarm).
Join our Meetup: www.meetup.com/cloud-native-night
Abstract: At Giant Swarm, we manage Kubernetes clusters for customers 24/7, both on-premises and in the cloud. That means we do not just set something up and hand it over, but we actually take care that it’s operational and up-to-date at all times.
This presentation demonstrates how Giant Swarm are using Operators to codify all operational tasks of managing Kubernetes cluster and distributed applications on top. The operators manage PKI infrastructures, networks, VMs and storage both on-premises and in the cloud.
Topics:
• RepoKid
Netflix’s Open-source Strategy to Rightsizing Cloud Permissions at Scale
• BetterTLS
A test suite for HTTPS clients implementing verification of the Name Constraints certificate extension
• Authorization at Netflix
Netflix’s architecture for implementing Authorization at scale
• Open Policy Agent
An open source, general-purpose policy engine that enables unified, context-aware policy enforcement across the entire stack. (www.openpolicyagent.org)
• Introducing PADME (Policy Access Decision Management Engine)
A modern policy management for distributed heterogenous systems. (www.padme.io)
Demo Stations:
• Stethoscope
Personalized, user-focused recommendations for employee information security.
• HubCommander
Slack bot for GitHub organization management -- and other things too!
• Open Policy Agent
An open source, general-purpose policy engine that enables unified, context-aware policy enforcement across the entire stack.
Practical Container Security by Mrunal Patel and Thomas Cameron, Red HatDocker, Inc.
You can secure your containerized microservices without slowing down development. Through a combination of Linux kernel features and open source tools, you can isolate the host from the container and the containers from each other, as well as finding vulnerabilities and securing data. Two of Red Hat's Docker contributors will discuss the state of container security today, covering Linux namespaces, SElinux, cgroups, capabilities, scan, seccomp, and other tools you can use right now.
Open Source Applied - Real World Use Cases
Justin Reock
Rogue Wave Software - Lead Architect of OSS Support and Services
To find more by Rogue Wave Software: https://www.slideshare.net/RogueWaveSoftware
Keeping your Kubernetes Cluster SecureGene Gotimer
Many organizations are shifting to containers and Kubernetes, and that move means learning new ways to secure their environments. Kubernetes clusters have to be hardened at different levels. We have to consider the nodes where the Kubernetes control plane is running. We also need to secure the Kubernetes workloads and check the files that create them. And we need to inspect the containers we are using for vulnerabilities and unusual behavior.
Gene will show you some open-source tools that can find issues and vulnerabilities at each layer. You will see how they can be used in a pipeline to build your Kubernetes cluster safely and keep it secure.
Continuous Delivery the Hard Way with Kubernetes Weaveworks
How do you version control your deployment config + automate the delivery of your software through a CI/CD pipeline?
We will cover open source tools that facilitate:
• Simultaneously updating configuration and performing releases to Kubernetes
• Rolling back and pinning releases
• Having different release policies to different environments
Read the blog: https://www.weave.works/blog/continuous-delivery-the-hard-way
Visit Weave Cloud: https://www.weave.works/product/cloud/
For more free talks, join our Weave Online User Group: https://www.meetup.com/Weave-User-Group/
DCSF 19 How Entergy is Mitigating Legacy Windows Operating System Vulnerabili...Docker, Inc.
Jason Brown - Program Manager, Entergy
Jeff Hummel - IT Infrastructure, Architect, Entergy
Entergy, a large utility company headquartered in New Orleans, LA has launched an initiative to modernize their application infrastructure. During the initial analysis, Entergy recognized the existing legacy infrastructure’s lack of compatibility with more recent operating systems would stand in the way of progress. As a result, containerization was fast-tracked as the solution that can help them with the various tenants of their strategy: hyperconvergence, SaaS (ServiceNow), and workload portability. Docker Enterprise proved to be the right solution to migrate roughly 850 legacy applications from Windows Server 2003 and 2008 to Windows Server 2016 quickly, securely and economically. Entergy IT has now delivered the ability for the business to run applications on-premise, in the cloud, and future-proofed the applications for migration to new versions of Windows Server. In this session, Entergy will talk about how they are modernizing their infrastructure to become more agile, secure, and enable workload portability.
Common vulnerabilities & exposures (cve) in docker containers- 2018 alldaydevopsJose Manuel Ortega Candel
CVEs are the standard source for vulnerability details and descriptions. Security professionals use CVEs to understand vulnerabilities and what can be done to prevent them.Securing application containers requires a security strategy which includes analyze and audit docker images layer by layer.
A list of action items you want to keep in mind when you're devsecops'ing for your cloudnative environments. Given as a part of a talk on the Modern Security series (
https://info.signalsciences.com/securing-cloud-native-ten-tips-better-container-security).
Containers help us move our applications forward in a consistent, repeatable, and predictable manner, reducing the labor and making things simpler. Design patterns exist to help you solve common problems for which containers are a good solution. Providing a common language to the architecture.
Csa container-security-in-aws-dw
Video: https://youtu.be/X2Db27sAcyM
This session will touch upon container security constructs and isolation mechanisms like capabilities, syscalls, seccomp and Firecracker before digging into secure container configuration recommendations, third-party tools for build- and run-time analysis and monitoring, and how Kubernetes security mechanisms and AWS security-focussed services interact.
At the end of 2017, our team started to work on a completely new mobile SDK. We started from scratch and we wanted to fix issues that we witnessed during our work on the existing SDK. And CI was one of the major topics.
This talk is about our approach to building new CI from scratch. What we tried, what didn't work, what types of issues we faced.
Keywords for this talk: Jenkins, AWS, Serverless, Docker, Mac mini, git, repo, Gerrit, Java, Go
DevSecCon London 2018: Is your supply chain your achille's heelDevSecCon
COLIN DOMONEY
The advent of DevOps and large scale automation of software construction and delivery has elevated the software supply chain – and its underpinning delivery pipeline – to mission critical status in any modern enterprise. The increased velocity of modern pipelines and the removal of manual checks and balances has meant that modern pipelines are potential single points of failure in the delivery of secure software.
Automotive and consumer electronics industries have long understood the need for both provenance (understanding the origin of materials) and veracity (ensuring the integrity of their manufacturing processes) in their supply chains; this presentation will address threats to software supply chains and practical approaches to reducing the fragility of your supply chain. Several examples of software supply chain failures will be presented and deconstructed to understand the typical failure modes.
At the most elementary level many pipelines are poorly constructed with low levels of repeatability and poor test coverage, in other organisations there is a lack of governance over the supply chain allowing careless or willingly negligent actors to subvert or bypass controls or testing within the pipeline. There is also no standard mechanism to ensure a ‘chain of custody’ within a pipeline due to a lack common interchange format between tools, or a standard manner to represent the steps within a pipeline build process.
This presentation will cover approaches (using ‘people and process’) in enforcing governance within a supply chain by describing best practices used in large-scale AppSec programmes. Several emerging technology initiatives will be presented: Google’s Grafeas is a means to ensure vulnerability information is represented in a uniform manner across all steps of a pipeline process, while In-Toto is a project to formally enforce the integrity of a pipeline process. A reference secure pipeline will be presented demonstrating both tools working in symphony, along with standard open source and commercial AppSec tools.
Finally the pipeline itself may become the Achille’s Heel in an organisation – many pipelines are not sufficiently hardened and are themselves open to attack by use of vulnerable components and their extensible nature, often along with very wide open permissions. Guidance will be given on hardening of typical pipelines, and a fully secured ephemeral Jenkins pipeline will be demonstrated.
Benefits of this Session: The attendee will gain an increased awareness of the pivotal importance of the software supply chain, and gain an understanding of some common failure modes and weaknesses. Most importantly the attendee will come away with practical guidance on enforcing higher levels of governance on their supply chain without reducing delivery velocity, as well as how to harden the pipeline infrastructure itself.
DevSecCon London 2018: Enabling shift-left for 12k banking developers from sc...DevSecCon
ERNESTO BETHENCOURT
At BBVA we are developing the Bank’s Next Global Banking Platform for building, deploying and running banking services of any kind, leveraging on cloud technologies. Security is one of the main components for this new platform and is expected to be self-service and easy to use. But it’s not only technology we are building, it’s a new culture based mainly on DevOps. So, what better opportunity to shift-left and offer developers the tools that they need to easily change their (and security teams) mindsets regarding security? In this talk we will walk you through the strategy that we have adopted to expose security services for enabling secure development but at the same time automating security processes needed by security teams. All this trying to keep it in a low budget (at least for now) by levering on vendors and open-source solutions.
Introduction to Kubernetes - Docker Global Mentor Week 2016Opsta
Kubernetes is an open-source system for automating
deployment, scaling, and management of containerized
applications. This presentation will show you overview of Kubernetes concept.
Docker Global Mentor Week 2016 #DockerInThai at Kaidee on November 18, 2016
Kubernetes Architecture - beyond a black box - Part 1Hao H. Zhang
This is part 1 of my Kubernetes architecture deep-dive slide series.
I have been working with Kubernetes for more than a year, from v1.3.6 to v1.6.7, and I am a CNCF certified Kubernetes administrator. Before I move on to something else, I would like to summarize and share my knowledges and take-aways about Kubernetes, from a software engineer perspective.
This set of slides is a humble dig into one level below your running application in production, revealing how different components of Kubernetes work together to orchestrate containers and present your applications to the rest of the world.
The slides contains 80+ external links to Kubernetes documentations, blog posts, Github issues, discussions, design proposals, pull requests, papers, source code files I went through when I was working with Kubernetes - which I think are valuable for people to understand how Kubernetes works, Kubernetes design philosophies and why these design came into places.
It's 2018. Are My Containers Secure Yet!?Phil Estes
A talk given at DevOps Pro Vilnius on March 15, 2018 about container security. In this talk we discussed the core topics around the container ecosystem (host, runtime, image) applicable to both Docker and Kubernetes, as well as discussing usable security/secure by default, and defense in depth principles. Also discussed were security futures like Project Grafeas, libentitlement, LinuxKit concepts, and trusted/untrusted container runtimes in Kubernetes.
Log aggregation: using Elasticsearch, Fluentd/Fluentbit and Kibana (EFK)Lee Myring
A quick introduction to log aggregation in a local Docker development environment using Fluentd followed by a demonstration using a publicly available GitHub repo.
Deep dive into Kubernetes monitoring with Elastic Observability.pptxChris Markou
In this session we will learn how to use Elastic Observability to get a better understanding of our Kubernetes clusters and the applications that run on them.
Join us to learn new ways to get your data into Elastic with Elastic Agent and discuss some of the best practices to shape up your Kubernetes monitoring solution.
Learn about how ingest configuration can be done through Kubernetes manifests with the option to centrally manage it
Deep dive into node scope vs cluster scope metrics collection and what you can learn from each.
Understand how dynamic workload monitoring (aka autodiscovery) enables application teams to decide what needs to be monitored at workload level
Automatic APM instrumentation, to automatically attach an APM Agent and collect APM traces from running Pods.
Quick intro into watchers/alerts and how those can help us with issues’ detection.
See all these combined with a hands on demo including logs and metrics collection, dynamic workload monitoring, APM instrumentation, and synthetics monitoring for applications.
Furthermore, we will convert collected data into actionable observability with alerts and machine learning.
Last but not least, learn about our planned next steps and discuss your feedback with us.
Speakers: Christos Markou | Senior Software Engineer @Elastic & Miguel Luna | Principal Product Manager @Elastic
Options for running Kubernetes at scale across multiple cloud providersSAP HANA Cloud Platform
Kubernetes turned into the de-facto standard for scalable container orchestration. Nowadays - if you're dealing with Docker and containers and you don't play in the Kubernetes ecosystem - your relevance is questionable. There are many possible options for running Kubernetes across Amaxon, Azure and Google Cloud. The deck explores few of those, providing references and additional materials to explore.
A talk on building a tech community that I gave at Scale 17x in LA. I covered the meetup and tech conference scene in Austin, Cloud Austin, Devopsdays Austin, and some best practices for meetups orgs and attendees
13 practical tips for writing secure golang applicationsKarthik Gaekwad
Writing secure applications in a new language is challenging. Here are some tips to help get you started for writing secure code in golang. Presented at Lascon 2015
In this presentation, I talk about Docker and Container Management issues and solutions provided for them via StackEngine. I gave this talk at the CloudAustin meetup for the 12 Clouds of Christmas 2014.
Agile 2014- Metrics driven development and devopsKarthik Gaekwad
There are many facets of devops, and we will spend our time in this presentation focusing on collecting and using metrics (business, application, system, etc.) and building a metrics driven culture in organizations.
We will define how we have seen devops progress in our organizations and how we’ve realized that different teams in our organizations can find common ground when teams (who have different roles) can work well together when they use metrics as the common language.
Karthik will talk about how we are using the principles from the Lean Startup to define our development cycles, sprints and using metrics to quantify how successful the products we are trying to come out with in R&D. Initially we started practicing devops on the dev and ops side of the house but realized this was still a black box to the business side of the house, so we pivoted to what our business actually understood, and that was metrics; today, we focus more on metrics (business and system level), and can fail or succeed fast to achieve our business goals faster than before.
Ernest will go into detail on how a large, mature SaaS organization uses metrics in conjunction with distributed agile development and DevOps to guide their development at scale. How much a product is used, how much each feature is used, and how much value each user gets out of it are key drivers for a business strategy - and it’s all information that’s emitted by a system. He'll show how large companies have invested time in collecting and using these metrics to guide their decisions and influence their culture.
LASCON 2013 Talk: User Auth for Winners, how to get it right the first time!Karthik Gaekwad
In this talk, I will outline the best practices to build out a secure user management and authentication platforms for your products.
At the end of this talk, you’ll have the knowledge to implement (or fix) a stronger user authentication system for your startup or enterprise!
Agile 2013 Talk: How DevOps Changes EverythingKarthik Gaekwad
The most important DevOps things I’ve learned over the last 4 years. I presented this at Agile 2013 in Nashville, TN. This talk is the talk and story referenced in Gene Kim's Devops Handbook (https://www.amazon.com/DevOps-Handbook-World-Class-Reliability-Organizations/dp/1942788002)
#agile #devops #automation #culture #distributedTeams #measurement #sharing #bestPractices
To conclude, the pillars of devops (culture and sharing information) isn't limited to just us technologists, but transends to other fields such as the CIA
GraphRAG is All You need? LLM & Knowledge GraphGuy Korland
Guy Korland, CEO and Co-founder of FalkorDB, will review two articles on the integration of language models with knowledge graphs.
1. Unifying Large Language Models and Knowledge Graphs: A Roadmap.
https://arxiv.org/abs/2306.08302
2. Microsoft Research's GraphRAG paper and a review paper on various uses of knowledge graphs:
https://www.microsoft.com/en-us/research/blog/graphrag-unlocking-llm-discovery-on-narrative-private-data/
A tale of scale & speed: How the US Navy is enabling software delivery from l...sonjaschweigert1
Rapid and secure feature delivery is a goal across every application team and every branch of the DoD. The Navy’s DevSecOps platform, Party Barge, has achieved:
- Reduction in onboarding time from 5 weeks to 1 day
- Improved developer experience and productivity through actionable findings and reduction of false positives
- Maintenance of superior security standards and inherent policy enforcement with Authorization to Operate (ATO)
Development teams can ship efficiently and ensure applications are cyber ready for Navy Authorizing Officials (AOs). In this webinar, Sigma Defense and Anchore will give attendees a look behind the scenes and demo secure pipeline automation and security artifacts that speed up application ATO and time to production.
We will cover:
- How to remove silos in DevSecOps
- How to build efficient development pipeline roles and component templates
- How to deliver security artifacts that matter for ATO’s (SBOMs, vulnerability reports, and policy evidence)
- How to streamline operations with automated policy checks on container images
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Ramesh Iyer
In today's fast-changing business world, Companies that adapt and embrace new ideas often need help to keep up with the competition. However, fostering a culture of innovation takes much work. It takes vision, leadership and willingness to take risks in the right proportion. Sachin Dev Duggal, co-founder of Builder.ai, has perfected the art of this balance, creating a company culture where creativity and growth are nurtured at each stage.
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdfPaige Cruz
Monitoring and observability aren’t traditionally found in software curriculums and many of us cobble this knowledge together from whatever vendor or ecosystem we were first introduced to and whatever is a part of your current company’s observability stack.
While the dev and ops silo continues to crumble….many organizations still relegate monitoring & observability as the purview of ops, infra and SRE teams. This is a mistake - achieving a highly observable system requires collaboration up and down the stack.
I, a former op, would like to extend an invitation to all application developers to join the observability party will share these foundational concepts to build on:
Welocme to ViralQR, your best QR code generator.ViralQR
Welcome to ViralQR, your best QR code generator available on the market!
At ViralQR, we design static and dynamic QR codes. Our mission is to make business operations easier and customer engagement more powerful through the use of QR technology. Be it a small-scale business or a huge enterprise, our easy-to-use platform provides multiple choices that can be tailored according to your company's branding and marketing strategies.
Our Vision
We are here to make the process of creating QR codes easy and smooth, thus enhancing customer interaction and making business more fluid. We very strongly believe in the ability of QR codes to change the world for businesses in their interaction with customers and are set on making that technology accessible and usable far and wide.
Our Achievements
Ever since its inception, we have successfully served many clients by offering QR codes in their marketing, service delivery, and collection of feedback across various industries. Our platform has been recognized for its ease of use and amazing features, which helped a business to make QR codes.
Our Services
At ViralQR, here is a comprehensive suite of services that caters to your very needs:
Static QR Codes: Create free static QR codes. These QR codes are able to store significant information such as URLs, vCards, plain text, emails and SMS, Wi-Fi credentials, and Bitcoin addresses.
Dynamic QR codes: These also have all the advanced features but are subscription-based. They can directly link to PDF files, images, micro-landing pages, social accounts, review forms, business pages, and applications. In addition, they can be branded with CTAs, frames, patterns, colors, and logos to enhance your branding.
Pricing and Packages
Additionally, there is a 14-day free offer to ViralQR, which is an exceptional opportunity for new users to take a feel of this platform. One can easily subscribe from there and experience the full dynamic of using QR codes. The subscription plans are not only meant for business; they are priced very flexibly so that literally every business could afford to benefit from our service.
Why choose us?
ViralQR will provide services for marketing, advertising, catering, retail, and the like. The QR codes can be posted on fliers, packaging, merchandise, and banners, as well as to substitute for cash and cards in a restaurant or coffee shop. With QR codes integrated into your business, improve customer engagement and streamline operations.
Comprehensive Analytics
Subscribers of ViralQR receive detailed analytics and tracking tools in light of having a view of the core values of QR code performance. Our analytics dashboard shows aggregate views and unique views, as well as detailed information about each impression, including time, device, browser, and estimated location by city and country.
So, thank you for choosing ViralQR; we have an offer of nothing but the best in terms of QR code services to meet business diversity!
Securing your Kubernetes cluster_ a step-by-step guide to success !KatiaHIMEUR1
Today, after several years of existence, an extremely active community and an ultra-dynamic ecosystem, Kubernetes has established itself as the de facto standard in container orchestration. Thanks to a wide range of managed services, it has never been so easy to set up a ready-to-use Kubernetes cluster.
However, this ease of use means that the subject of security in Kubernetes is often left for later, or even neglected. This exposes companies to significant risks.
In this talk, I'll show you step-by-step how to secure your Kubernetes cluster for greater peace of mind and reliability.
State of ICS and IoT Cyber Threat Landscape Report 2024 previewPrayukth K V
The IoT and OT threat landscape report has been prepared by the Threat Research Team at Sectrio using data from Sectrio, cyber threat intelligence farming facilities spread across over 85 cities around the world. In addition, Sectrio also runs AI-based advanced threat and payload engagement facilities that serve as sinks to attract and engage sophisticated threat actors, and newer malware including new variants and latent threats that are at an earlier stage of development.
The latest edition of the OT/ICS and IoT security Threat Landscape Report 2024 also covers:
State of global ICS asset and network exposure
Sectoral targets and attacks as well as the cost of ransom
Global APT activity, AI usage, actor and tactic profiles, and implications
Rise in volumes of AI-powered cyberattacks
Major cyber events in 2024
Malware and malicious payload trends
Cyberattack types and targets
Vulnerability exploit attempts on CVEs
Attacks on counties – USA
Expansion of bot farms – how, where, and why
In-depth analysis of the cyber threat landscape across North America, South America, Europe, APAC, and the Middle East
Why are attacks on smart factories rising?
Cyber risk predictions
Axis of attacks – Europe
Systemic attacks in the Middle East
Download the full report from here:
https://sectrio.com/resources/ot-threat-landscape-reports/sectrio-releases-ot-ics-and-iot-security-threat-landscape-report-2024/
UiPath Test Automation using UiPath Test Suite series, part 3DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 3. In this session, we will cover desktop automation along with UI automation.
Topics covered:
UI automation Introduction,
UI automation Sample
Desktop automation flow
Pradeep Chinnala, Senior Consultant Automation Developer @WonderBotz and UiPath MVP
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
The Art of the Pitch: WordPress Relationships and SalesLaura Byrne
Clients don’t know what they don’t know. What web solutions are right for them? How does WordPress come into the picture? How do you make sure you understand scope and timeline? What do you do if sometime changes?
All these questions and more will be explored as we talk about matching clients’ needs with what your agency offers without pulling teeth or pulling your hair out. Practical tips, and strategies for successful relationship building that leads to closing the deal.
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf91mobiles
91mobiles recently conducted a Smart TV Buyer Insights Survey in which we asked over 3,000 respondents about the TV they own, aspects they look at on a new TV, and their TV buying preferences.
Key Trends Shaping the Future of Infrastructure.pdfCheryl Hung
Keynote at DIGIT West Expo, Glasgow on 29 May 2024.
Cheryl Hung, ochery.com
Sr Director, Infrastructure Ecosystem, Arm.
The key trends across hardware, cloud and open-source; exploring how these areas are likely to mature and develop over the short and long-term, and then considering how organisations can position themselves to adapt and thrive.
2. October 17, 2018October 17, 2018
• I’m Karthik Gaekwad
• NOT a DBA
• https://cloudnative.oracle.com/
• Cloud Native evangelist at Oracle Cloud
Infrastructure
• Used to be a developer on the OKE Team.
Hello!
@iteration1
3. October 17, 2018October 17, 2018
•Been in Industry 15 years.
•In general, I like building stuff with friends.
–A maintainer for Gauntlt- Open source security scanner.
•Love Teaching and building community.
–Run Devopsdays Austin, Container Days, Cloud Austin.
–Chair All Day Devops Cloud Native track.
–LinkedIn Learning Author for Learning Kubernetes (and more).
Hello!
5. October 17, 2018October 17, 2018
The Cloud Native Journey
Phase I
Developer Focus
Phase II
DevOps Focus
Phase III
Business Focus
(end-to-end)
Container Adoption Application Deployment Intelligent Operations
SpeedEfficiencyAgility
Docker
Kubernetes
Core to Edge
Developer adoption
Dev/Test apps
Simple orchestration
Individual developers
DevOps deployment
Production apps
Advanced orchestration
Teams & lines of business
End-to-end integration
Digital business apps
Serverless, DevSecOps, & ML
Cloud native enterprises
Focus
Applications
Automation
Community
6. October 17, 2018October 17, 2018
Latest CNCF Survey: August 2018
Where Does Your
Company Use Containers?
7. October 17, 2018October 17, 2018
Latest CNCF Survey: August 2018
Where Does Your
Company Use Containers?
8. October 17, 2018October 17, 2018
Container Management IS Kubernetes
Your company/organization
manages containers with?
9. October 17, 2018October 17, 2018
Good News, Bad News…
Good: On
average, CNCF
project usage is
up over 200%
since the Dec
2017!
But...
11. October 17, 2018October 17, 2018
• Managing, maintaining, upgrading Kubernetes Control Plane
– API Server, etcd, scheduler etc….
• Managing, maintaining, upgrading Kubernetes Data Plane
– In place upgrades, deploy parallel cluster etc….
• Figuring out container networking & storage
– Overlays, persistent storage etc… - it should just work
• Managing Teams
– How do I manage & control team access to my clusters?
• Security, security, security
Kubernetes & Cloud Native Challenges
Source: Oracle Customer Survey 2018
12. October 17, 2018October 17, 2018
How Teams Address Issues?
App Management
Upgrades & Patching
Platform Backup &
Recovery
High Availability
Scaling
App Deployment
Power, HVAC
Rack and Stack
Server Provisioning
Software Installation
Customer Managed Fully-Managed
App Management
Upgrades & Patching
Platform Backup &
Recovery
High Availability
Scaling
App Deployment
Power, HVAC
Rack and Stack
Server Provisioning
Software Installation
Faster Time to Deploy
Lower Risk
Accelerate Innovation
Benefits
YOU
15. October 17, 2018October 17, 2018
Unsecured K8s dashboards
• Unsecured Kubernetes
Dashboard with account
creds.
• Used this to mine
cryptocurrency.
• 2017: Aviva
• 2018: Tesla, Weight Watchers
• https://redlock.io/blog/cryptojacking-tesla
16. October 17, 2018October 17, 2018
Kubelet credentials hack
• Shopify: Server Side request
Forgery
• Get kubelet certs/private key
• Root access to any container
in part of infrastructure.
• https://hackerone.com/reports/341876
26. October 17, 2018October 17, 2018
Attack Surface
–More importantly, how to limit damage
Security related features in K8s
–The more you know, the better you build
Opensource Tooling to help
–Because we all need help
Let’s look at:
28. October 17, 2018October 17, 2018
Goal: Reduce the attack surface
Analysis for:
–Host
–Container (Images and running)
–Kubernetes Cluster
Attack Surface
29. October 17, 2018October 17, 2018
• These are the machines you’re running Kubernetes on.
• Age old principles of Linux still apply:
–Enable SELinux
–AppArmor
–Seccomp
–Hardened Images
• Goal: Minimize privilege to applications running on the host
• Good news: Already a wealth of information on this subject!
–http://lmgtfy.com/?q=how+to+reduce+attack+surface+linux
Attack Surface: Host
30. October 17, 2018October 17, 2018
GOAL: Know your base image
when building containers
Attack Surface: Container Images
31. October 17, 2018October 17, 2018
GOAL: Know your base image when building containers
Attack Surface: Container Images
**BTW, this is just a ruby helloworld app
32. October 17, 2018October 17, 2018
Full disclosure: I’m karthequian; I created this as a ruby 101 container for learning purposes only
Attack Surface: Container Images
GOAL: Know your base image when building containers
33. October 17, 2018October 17, 2018
GOAL: Know your base image when building containers
When in doubt, stick to an official images!
Or start from a sane base image (example: alpine
linux)
Attack Surface: Container Images
34. October 17, 2018October 17, 2018
GOAL: Smaller the image, the better
•Less things for an attacker to exploit.
•Quicker to push, quicker to pull.
Attack Surface: Container Images
35. October 17, 2018October 17, 2018
GOAL: Don’t rely on :latest tag
• :latest image yesterday might not be :latest image tomorrow
• Instead, you’d want to know what specific version you’re operating
with.
• Side benefit: If there is a new vulnerability announced for OS
version x.y.z, you know immediately whether you’re running that
version!
Attack Surface: Container Images
36. October 17, 2018October 17, 2018
GOAL: Check for vulnerabilities
periodically
•Plenty of ways to do this in registries. We’ll
cover more in the tooling section
Attack Surface: Container Images
37. October 17, 2018October 17, 2018
GOAL: Don’t run as root
•Containers running as root might be completely
unnecessary for the actual application.
•If compromised, attacker can do a lot more
things..
•Pod security policies can help (we’ll see how
later).
Attack Surface: Running Containers
38. October 17, 2018October 17, 2018
GOAL: Limit host mounts
•Be wary of images that require broad access to
paths on the host
•Limit your host mount to a smaller subset of
directories
•Reduces blast radius on compromise
Attack Surface: Running Containers
42. October 17, 2018October 17, 2018
TLS Checklist:
1. User and Master
2. Nodes and Master
3. Everything etcd
4. Kubelet to API Server
Kubernetes Cluster- TLS
44. October 17, 2018October 17, 2018
K8s Features
How can the platform help
me make secure choices?
45. October 17, 2018October 17, 2018
K8s Features
Authentication
Authorization
Audit Logging
Network Policies
Pod security policies
Kubernetes Secrets
46. October 17, 2018October 17, 2018
Do you know how you are authenticating with Kubernetes?
Many ways to Authenticate
–Client Certs
–Static token file
–Service Account tokens
–OpenID
–Webhook Mode
–And more (https://kubernetes.io/docs/reference/access-authn-
authz/authentication/)
Authentication and Authorization
47. October 17, 2018October 17, 2018
Whatever you do,
DO NOT YOLO!
Goal: Pick a strategy that
fits your use case
49. October 17, 2018October 17, 2018
Authentication and Authorization
https://kubernetes.io/docs/reference/access-authn-authz/authorization/
50. October 17, 2018October 17, 2018
• Pro tip: Nobody uses ABAC anymore. Don’t be that guy….
• RBAC is the defacto standard
–Based on roles and role bindings
–Good set of defaults: https://github.com/uruddarraju/kubernetes-rbac-
policies
• Can use multiple authorizers together, but can get confusing.
–1st authorizer to authorize passes authz
Authentication and Authorization
51. October 17, 2018October 17, 2018
• Wat?
• “Kubernetes auditing provides a security-relevant chronological set
of records documenting the sequence of activities that have
affected system by individual users, administrators or other
components of the system.”
• Answers: What/when/who/where information on security events.
• Your job: Periodically watch Kubernetes Audit logs
• https://kubernetes.io/docs/tasks/debug-application-cluster/audit/
Kubernetes Cluster- Audit Logs
53. October 17, 2018October 17, 2018
•Consider adding a network policy to the
cluster…
•Default Policy: All pods can talk to all other
pods.
•Consider limiting this with a Network Policy
• https://kubernetes.io/docs/concepts/services-networking/network-policies/
Kubernetes Cluster- Network Policies
54. October 17, 2018October 17, 2018
•Consider adding Pod Security policies
•PodSecurityPolicy: A Defined set of conditions
a pod must run with.
•Think of this as authorization for pods.
Kubernetes Cluster- Pod Security Policies
55. October 17, 2018October 17, 2018
Kubernetes Cluster: Pod Security Policies
https://kubernetes.io/docs/concepts/policy/pod-
security-policy/#what-is-a-pod-security-policy
Capability for an
admin to control
specific actions
56. October 17, 2018October 17, 2018
•GOAL: Use Kubernetes secrets to store
sensitive data instead of config maps.
•Also look at: secrets encryption provider.
–Controls how etcd encrypts API data
–--experimental-encryption-provider-config
•https://kubernetes.io/docs/tasks/administer-
cluster/encrypt-data/
Kubernetes Secrets
58. October 17, 2018October 17, 2018
Keep tabs on the CNCF Security landscape
https://landscape.cncf.io/landscape=security-compliance
59. October 17, 2018October 17, 2018
• “The Update Framework”
• Is a framework or a
methodology.
• Used for secure software
updates.
• Based on ideas surrounding
trust and integrity.
• Is a project.
• Based on TUF.
• A solution to secure
software updates and
distribution.
• Used in Docker
Trusted Registry.
CNCF Projects
60. October 17, 2018October 17, 2018
•Open source project for the static analysis of
vulnerabilities in containers.
•Find vulnerable images in your repo.
•Built into quay.io, but you can add to your own
repo.
•https://github.com/coreos/clair
Clair
62. October 17, 2018October 17, 2018
• Checks whether a Kubernetes cluster is deployed according to
security best practices.
• Run this after creating your K8s cluster.
• https://github.com/aquasecurity/kube-bench
• Defined by the CIS Benchmarks Docs:
https://www.cisecurity.org/cis-benchmarks/
• Run it against your Kubernetes Master, or Kubernetes node.
Kube-bench
64. October 17, 2018October 17, 2018
•Helps you quantify risk for Kubernetes resources.
•Run against your K8s applications
(deployments/pods/daemonsets etc)
•https://kubesec.io/ from controlplane
•Can be used standalone, or as a kubectl plugin
(https://github.com/stefanprodan/kubectl-kubesec)
Kubesec
66. October 17, 2018October 17, 2018
•Opensourced from Shopify.
•Auditing your applications in your K8s cluster.
•https://github.com/Shopify/kubeaudit
•Little more targeted than Kubesec.
Kubeaudit
70. October 17, 2018October 17, 2018
•11 ways not to get hacked:
https://kubernetes.io/blog/2018/07/18/11-ways-not-to-
get-hacked
•K8s security (from Image Hygiene to Network Policy):
https://speakerdeck.com/mhausenblas/kubernetes-
security-from-image-hygiene-to-network-policies
Couple more resources to look at: