Tuesday, November 19 • 3:20pm - 3:55pm
Walls Within Walls: What if Your Attacker Knows Parkour? - Tim Allclair & Greg Castle, Google

What happens if an attacker escapes a container and compromises your node? Is it game over for the whole cluster, or can you limit the blast radius? Whether it be for defense in depth or multi-tenancy, it is important to understand the security boundaries in your cluster. In this talk, we’ll discuss various isolation approaches and evaluate them through the eyes of an attacker who has compromised a node and is looking to propagate.

We’ll deep dive on ‘node isolation’: using Kubernetes scheduling to execute workloads on separate nodes, and demonstrate live attacks and defences to educate about strengths and weaknesses of this strategy. We’ll also discuss progress made by SIG-Auth in this area over the past few releases. After this talk you will understand when node isolation is or isn't an appropriate security mechanism, the steps to implement it, and what some alternatives are.
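The "node isolation" approach the abstract refers to, as an added example (not material from the talk or from the Kubernetes project): a cluster admin labels and taints a dedicated node pool, and the sensitive workload is pinned to it with a nodeSelector plus a matching toleration. The node names, namespace, image and `tier` values are constructed for illustration. The label key deliberately uses the `node-restriction.kubernetes.io/` prefix, because with the NodeRestriction admission plugin enabled a kubelet is not allowed to set or change labels under that prefix on its own Node object; a label with an unprefixed key could be added by whoever holds a compromised node's kubelet credentials, which would let that node attract the pods the label was meant to keep away from it.

```yaml
# Added example, not from the talk. Node names, namespace, image and the
# "tier" values are assumed/constructed for illustration.
#
# 1. Label and taint the sensitive node with cluster-admin credentials
#    (not via the kubelet's own --node-labels flag, which NodeRestriction
#    rejects for this prefix):
#
#    kubectl label node sensitive-pool-0 node-restriction.kubernetes.io/tier=sensitive
#    kubectl taint node sensitive-pool-0 tier=sensitive:NoSchedule
#
# 2. Pin the sensitive workload to that pool. The nodeSelector keeps this pod
#    off general-purpose nodes; the toleration lets it onto the tainted node.
#    The taint is what keeps ordinary workloads, which carry no toleration,
#    off the sensitive pool.
apiVersion: v1
kind: Pod
metadata:
  name: payments-api
  namespace: payments
spec:
  nodeSelector:
    # Admin-managed key: a kubelet cannot forge this on its own Node object
    # when the NodeRestriction admission plugin is enabled.
    node-restriction.kubernetes.io/tier: sensitive
  tolerations:
  - key: tier
    operator: Equal
    value: sensitive
    effect: NoSchedule
  containers:
  - name: api
    image: registry.example.com/payments/api:1.0   # placeholder image
---
# Weak variant for contrast: the same pod selecting on an unprefixed label.
# A kubelet is permitted to add "tier=sensitive" to its own Node object, so a
# compromised general-purpose node could label itself into the sensitive pool
# and have this pod (and its mounted secrets) scheduled onto it.
apiVersion: v1
kind: Pod
metadata:
  name: payments-api-weak
  namespace: payments
spec:
  nodeSelector:
    tier: sensitive
  tolerations:
  - key: tier
    operator: Equal
    value: sensitive
    effect: NoSchedule
  containers:
  - name: api
    image: registry.example.com/payments/api:1.0   # placeholder image
```

After `kubectl apply -f` on the first document, `kubectl get pod -n payments -o wide` should show `payments-api` on `sensitive-pool-0` only. Node isolation done this way limits which pods (and therefore which mounted secrets) a given node ever holds; it does not stop a compromised node from attacking workloads already scheduled on it, which is why the abstract frames it as one boundary among several rather than a complete answer.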

Greg Castle

Kubernetes/GKE Security Tech Lead, Google
Greg is the tech lead for the Kubernetes and Google Kubernetes Engine (GKE) security team at Google, and is a regular at SIG-Auth. Greg has 15 years of experience in a number of security roles including product security, penetration testing, incident response, platform hardening...
Tim Allclair

Software Engineer, Google
Tim Allclair joined the Kubernetes project with Google just after the 1.0 launch in 2015. He co-chairs sig-auth, is an active sig-node contributor, and a member of the Kubernetes Product Security Team (responsible for responding to vulnerabilities in Kubernetes). His most recent charter...

Tuesday November 19, 2019 3:20pm - 3:55pm
Room 6F - San Diego Convention Center Upper Level