
Security + Identity + Policy
Tuesday, November 19

10:55am PST

The Devil in the Details: Kubernetes’ First Security Assessment - Aaron Small, Google & Jay Beale, InGuardians
In October of last year, the Kubernetes project created a new Security Audit working group and began Kubernetes’ first comprehensive third-party security assessment. In the months that followed, we worked closely with Trail of Bits and Atredis Partners to assess and improve Kubernetes’ security posture. Through code review and penetration testing, we found and addressed 37 new vulnerabilities. With support from many Kubernetes contributors, the third-party security firms and the Kubernetes project produced a formal threat model covering eight critical components across six different trust zones. In this talk, we will share our findings, methodology, and vision for future security investments. We’ll discuss what the work uncovered, and what this means to Kubernetes security both now and for the future.

Aaron Small

Product Manager, Google

Jay Beale

CTO, InGuardians
Jay Beale works on Kubernetes and cloud native security, both as a professional threat actor and as a member of the Kubernetes project, where he previously co-led the Security Audit working group. He's the architect of the Peirates attack tool for Kubernetes, as well as of the @Bustakube...

Tuesday November 19, 2019 10:55am - 11:30am PST
Room 16AB - San Diego Convention Center Mezzanine Level

11:50am PST

CAP_NET_RAW and ARP Spoofing in Your Cluster: It's Going Downhill From Here - Liz Rice, Aqua Security
Did you know that by default, your applications running in Kubernetes can open raw network sockets? This talk demonstrates how, in the right circumstances, the CAP_NET_RAW capability that allows this can be abused by a compromised application.

* ARP spoofing: pretending to represent the wrong IP address
* If the app can ARP spoof the IP address of the DNS service, this potentially lets it spoof DNS addresses: pretending to represent the wrong domain name

Sounds bad, doesn't it?

These attacks, and their consequences, will be demonstrated live, along with preventative measures that you can take to ensure they aren't happening on your cluster.

This talk explains CAP_NET_RAW and spoofing, but the audience is expected to be comfortable with Kubernetes concepts like pod specs and admission controllers.

Liz Rice

Chief Open Source Officer, Isovalent
Liz Rice is Chief Open Source Officer with eBPF specialists Isovalent, creators of the Cilium cloud native networking, security and observability project. She was Chair of the CNCF's Technical Oversight Committee in 2019-2022, and Co-Chair of KubeCon + CloudNativeCon in 2018. She...

Tuesday November 19, 2019 11:50am - 12:25pm PST
Room 11AB - San Diego Convention Center Upper Level

2:25pm PST

Enforcing Automatic mTLS with Linkerd and OPA Gatekeeper - Ivan Sim, Buoyant & Rita Zhang, Microsoft
Whether you are operating a 5-node or a 500-node Kubernetes cluster, ensuring the integrity and security of the traffic among your workloads is something that should be taken seriously. As your team grows, it is important to automate the application and management of different mTLS policies.

In this talk, Ivan and Rita will share with you how Linkerd and Gatekeeper work together to automate and enforce mTLS policy in production. They will show you how easy it is to encrypt all east-west traffic using Linkerd’s zero config automatic mTLS feature. Then, you will see how Gatekeeper is used to define, enforce and audit every workload entering your cluster to ensure configuration is valid and conformant to policy.

Rita Zhang

Principal Software Engineer, Microsoft
Rita Zhang is a software engineer at Microsoft, based in San Francisco. She leads the Azure Container Upstream team building features for Kubernetes upstream and various CNCF projects. Rita is a Kubernetes SIG Auth co-chair, a maintainer of the Secrets Store CSI Driver project, and...

Ivan Sim

Software Engineer, Red Hat

Tuesday November 19, 2019 2:25pm - 3:00pm PST
Room 31ABC - San Diego Convention Center Upper Level

3:20pm PST

Walls Within Walls: What if Your Attacker Knows Parkour? - Tim Allclair & Greg Castle, Google
What happens if an attacker escapes a container and compromises your node? Is it game over for the whole cluster, or can you limit the blast radius? Whether it be for defense in depth or multi-tenancy, it is important to understand the security boundaries in your cluster. In this talk, we’ll discuss various isolation approaches and evaluate them through the eyes of an attacker who has compromised a node and is looking to propagate.

We’ll deep dive on ‘node isolation’: using Kubernetes scheduling to execute workloads on separate nodes, and demonstrate live attacks and defences to educate about strengths and weaknesses of this strategy. We’ll also discuss progress made by SIG-Auth in this area over the past few releases. After this talk you will understand when node isolation is or isn't an appropriate security mechanism, the steps to implement it, and what some alternatives are.

Greg Castle

Kubernetes/GKE Security Tech Lead, Google
Greg is the tech lead for the Kubernetes and Google Kubernetes Engine (GKE) security team at Google, and is a regular at SIG-Auth. Greg has 15 years of experience in a number of security roles including product security, penetration testing, incident response, platform hardening...

Tim Allclair

Software Engineer, Google
Tim Allclair joined the Kubernetes project just after the 1.0 launch in 2015, and currently works on the GKE Control Plane team. He is a member of the Kubernetes Security Response Committee, and a SIG Auth maintainer (previous co-chair). He has led development of several Kubernetes...

Tuesday November 19, 2019 3:20pm - 3:55pm PST
Room 6F - San Diego Convention Center Upper Level

4:25pm PST

Panel: Control Plane vs Data Plane: Untangling the Tenets of Multitenancy - Tasha Drew, VMware; Sanjeev Rampal, Cisco; Ryan Bezdicek, Cray Inc.; Adrian Ludwin, Google; & Fei Guo, Alibaba
Virtually every organization over a certain size wants to be able to share their clusters between different sets of users. As a result, the Multi-tenancy Working Group is seeing increasingly high demand for higher-level features to support Kubernetes multi-tenancy. Unfortunately, each organization has different and often unspoken assumptions about what tenancy means to them, so different use cases and needs often get conflated. In this discussion, our panelists will share their proposals for the principles of multi-tenancy, according to both the type of concerns (control plane vs data plane) as well as the type of tenants (such as dev teams, production teams and third-party users).

Tasha Drew

Senior Director, xLabs, VMware
Tasha has been an innovative product leader in Silicon Valley for over a decade. She is Senior Director of xLabs in the Office of the CTO’s Advanced Technology Group at VMware. She is co-chair of the Kubernetes Working Group for Multi-Tenancy and co-chair of the Kubernetes SIG Usability...

Sanjeev Rampal

Principal Engineer, Cisco
Sanjeev Rampal, PhD, is a Principal Engineer in the Cloud Platforms and Solutions group at Cisco Systems where he works on the Cisco Container Platform, an enterprise multi-cloud platform based on Kubernetes and cloud native technologies. He has over 20 years of experience in development...

Ryan Bezdicek

Principal Software Engineer, Twilio
Ryan Bezdicek is using Kubernetes to build the next generation of supercomputer at Cray Inc. He’s active in several Kubernetes working groups including multi-tenancy and conformance. A tester and DevOps consultant by background, Ryan has experienced first-hand the benefits of adding...

Adrian Ludwin

Senior Software Engineer, Google
Adrian is a software engineer on the Google Kubernetes Engine (GKE) in Kitchener, Ontario, and created the Hierarchical Namespace Controller (HNC). Before Google, he was a developer at Intel’s Programmable Solutions Group (formerly Altera) in Toronto, and specialized in parallel...

Fei Guo

Senior Staff Engineer, Alibaba
Fei Guo is currently a senior staff engineer in Alibaba Container Platform Group. He has more than 10 years of experience in compute resource management and performance optimization for virtualized and containerized environments. His work focuses on providing workload automation and...

Tuesday November 19, 2019 4:25pm - 5:00pm PST
Room 29ABCD - San Diego Convention Center Upper Level
Wednesday, November 20

10:55am PST

Binary Authorization in Kubernetes - Aysylu Greenberg, Google & Liron Levin, Palo Alto Networks
Kritis is an open-source solution for securing your software supply chain for Kubernetes applications. Kritis enforces deploy-time security policies that ensure only trusted container images are deployed to your Kubernetes cluster. With Kritis, you can require images to be signed by trusted authorities during the development process and then enforce signature validation when deploying. Kritis enables tighter control over your container environment by ensuring only verified images are integrated into production.

Talk outline:
- Introduction to the concept of binary authorization
- Live demo of using Kritis and Grafeas for deploying images with confidence in Kubernetes
- Grafeas and Kritis roadmap

At the end, attendees will gain a solid understanding of the process of binary authorization and how to incorporate it in their build and deployment pipelines.

Liron Levin

Chief Software Architect, Palo Alto Networks
Liron is the Chief Software Architect at Twistlock, where he focuses on scaling, engineering methodologies and security. Before that, he worked as a tech lead at Microsoft on cloud computing and machine learning projects. He is an active contributor to popular open source Go projects...

Aysylu Greenberg

Senior Software Engineer, Google
Aysylu Greenberg is the Tech Lead of GCP Container Analysis, focusing on the software supply chain integrity and security. In her spare time, she ponders the design of systems that deal with inaccuracies, enthusiastically reads CS research papers, and paints.

Wednesday November 20, 2019 10:55am - 11:30am PST
Room 16AB - San Diego Convention Center Mezzanine Level

2:25pm PST

Piloting Around the Rocks: Avoiding Threats in Kubernetes - Robert Tonic & Stefan Edwards, Trail of Bits
Over three months in 2019, Trail of Bits completed the first-ever security review of Kubernetes, consisting of source review, dynamic testing, and threat modeling. One artifact, the threat model, lets users understand the risks of any given feature or deployment. We’ll show attendees how to make the most of this invaluable resource.

First, we’ll break down the architecture of Kubernetes into trust zones. These are security boundaries where controls should be enforced. Incorrectly implemented controls can result in catastrophic security failures.

After we describe the trust zones, you’ll find the architectural issues are easy to identify. We’ll discuss a few! We’ll also situate vulnerabilities we found in our code review into each trust zone.

Finally, we’ll teach you how to review your own Kubernetes environment using our threat model to get simple answers to your security questions.

Robert Tonic

Security Engineer, Trail of Bits
Robert performs audits and assessments of blockchain and web-related technologies in our assurance practice. He most enjoys client interactions, especially those that help clients uncover deep-rooted design flaws and correctness issues. Prior to joining Trail of Bits, Robert worked...

Stefan Edwards

Principal Security Engineer, Trail of Bits
Stefan performs assurance work across a variety of verticals, from blockchain to IoT to Defense. In addition, he’s heavily involved in our infrastructure and architecture review work, and makes discerning comments in our reports. Prior to Trail of Bits, Stefan worked at nVisium...

Wednesday November 20, 2019 2:25pm - 3:00pm PST
Pacific Ballroom, Salon 20-22 - Marriott Marquis San Diego Marina Hotel

3:20pm PST

On the Security of Copying To and From Live Containers - Ariel Zelivansky & Yuval Avrahami, Palo Alto Networks
Nowadays mature container platforms (such as Docker, Kubernetes and LXD) provide users a way to extract files from a running container. There are several different design approaches for implementing such a copy feature. In this talk, Yuval and Ariel will present the ups and downs of the different implementations with a focus on security and possible vulnerabilities.

Throughout the presentation, different vulnerabilities that affected the major container engines will be reviewed. A live proof of concept of a vulnerability in the Docker copy command will be presented.

Ariel Z

Security Research Team Lead, Palo Alto Networks
Ariel is a security researcher and the head of research at Twistlock, dealing with hacking and securing anything related to containers.

Yuval Avrahami

Principal Security Researcher, Palo Alto Networks
Yuval Avrahami is a principal security researcher at Palo Alto Networks, dealing with hacking and securing anything related to containers and cloud. Yuval found and disclosed numerous vulnerabilities across the cloud-native landscape, including container breakouts, Kubernetes CVEs...

Wednesday November 20, 2019 3:20pm - 3:55pm PST
Room 11AB - San Diego Convention Center Upper Level

4:25pm PST

Redesigning Notary in a Multi-registry World - Justin Cormack, Docker
Notary, used to secure container image updates, is the most widely adopted implementation of the TUF protocol. However, since Notary’s design around Docker Hub in 2015, container registries have proliferated and some of the design decisions don’t support the needs of a multi-registry world. This talk looks at redesigning the model to allow portability of container images between registries, with signature data stored alongside the image data so that it can be pushed and pulled together with the image. This reworking of Notary will enable easier portability of images, and improve supply chain security by enabling mirrors and users of mirrors to validate image data, allowing users to easily work with cloud and local registries, offline caches and other common architectures.

Justin Cormack

CTO, Docker
Justin is the CTO at Docker. He is a maintainer of the Notary project, and a member of the CNCF TOC and TAG Security.

Wednesday November 20, 2019 4:25pm - 5:00pm PST
Room 6E - San Diego Convention Center Upper Level

5:20pm PST

Knative - The Security Platypus? - Ariel Shuper, Aqua Security
Knative provides a way to extend Kubernetes to run serverless workloads. Although it runs as pods, given the nature of those workloads it requires an approach to security that is distinct from standard Kubernetes security practices. As 18th-century explorers wondered when they first encountered the platypus: is it a duck? An otter? Or something else?
In this talk Ariel reviews the serverless threat landscape, which differs considerably from the container equivalent, using examples of how coding mistakes may expose applications despite the extremely ephemeral workloads.
This talk will show how combining preventative methods and more "offensive" methods such as tripwires can provide much better visibility and reduce the risk of Knative workloads being used as attack vehicles to reach other areas of the cluster or application.
Finally, the platypus question will be resolved.

Ariel Shuper

VP, Product Management, Portshift
Ariel Shuper is Vice President of product management at Portshift Security, specializing in cloud native identity based security for micro services. He specialized in serverless environments as an entrepreneur prior to joining Aqua. He also focuses on other innovative cloud native...

Wednesday November 20, 2019 5:20pm - 5:55pm PST
Pacific Ballroom, Salon 20-22 - Marriott Marquis San Diego Marina Hotel
Thursday, November 21

10:55am PST

How Yelp Moved Security From the App to the Mesh with Envoy and OPA - Daniel Popescu, Yelp & Ben Plotnick, Cruise
From its inception, Yelp's service infrastructure has treated security as a fundamental component. For many years, developers carried the burden of building security features directly into their services. By using standard cloud native building blocks, the service infrastructure now provides security features by default; this enables hundreds of developers to focus on shipping features for more than 100M monthly active Yelp users.

This talk will cover Yelp’s journey from a legacy service proxy to a modern, secure service mesh based on Envoy and Open Policy Agent. It will discuss:

- Authn and Authz mechanisms using mTLS and JWT with Envoy and OPA
- Migration from using an in-house policy decision engine to standardized open source tools (OPA)
- Transpiling legacy policy data to Rego and other best practices for policy maintenance
- Strategies for quickly and safely rolling out policy changes

Daniel Popescu

Security Engineer, Yelp
Daniel Popescu works at Yelp where he is responsible for security infrastructure and operations. Previously he worked at Microsoft on non-security products, but has maintained a passion for security since his undergrad years at the University of California, Santa Barbara. Professionally...

Ben Plotnick

Senior Software Engineer, Cruise Automation
Ben Plotnick is a Senior Software Engineer at Cruise Automation, leading the Platform Services team in moving the bytes around in Kubernetes. Prior to this, he was a member of the Engineering Effectiveness group at Yelp, working to redesign Yelp's service infrastructure with Envoy...

Thursday November 21, 2019 10:55am - 11:30am PST
Room 6F - San Diego Convention Center Upper Level

11:50am PST

How Kubernetes Components Communicate Securely in Your Cluster - Maya Kaczorowski, Google
How *do* your cluster components talk to each other?

In this expository talk, we'll first cover the main Kubernetes components that need trusted communication - that is, the API server, kubelet, and etcd - and how this communication is protected. Then, we'll go over how the cluster certificate authority (CA) works, and how it grants certificates to Kubernetes components. Furthermore, we'll explain what authentication, integrity, and encryption mean, what options are available in Kubernetes, and what you need to configure to address these items in the CIS benchmarks. Lastly, we'll explain how you can protect other communications within your cluster, if needed for your workload - like node to node and pod to pod.

You'll come away with a better understanding of how communications in Kubernetes work, cluster trust, and default protections.

Maya Kaczorowski

Product Manager, Software Supply Chain Security, Tailscale
Maya is a Product Manager at Tailscale, providing secure networking for the long tail. She was most recently at GitHub in software supply chain security, and previously at Google working on container security, encryption at rest and encryption key management. Prior to Google, she...

Thursday November 21, 2019 11:50am - 12:25pm PST
Ballroom Sec 20CD - San Diego Convention Center Upper Level

2:25pm PST

Securing Communication Between Meshes and Beyond with SPIFFE Federation - Evan Gilman, Scytale & Oliver Liu, Google
One of the hottest features that Istio brings to the table is transparent, mutually-authenticated TLS between all workloads running on it. Under the covers, it relies on SPIFFE to provide the cryptographic identity that is used to perform this mutual authentication.

SPIFFE relies on an authority to issue identity. In an Istio mesh, Istio Citadel (CA) issues certificates to workloads by default... but, what happens when you have more than one Istio mesh, and hence more than one Citadel? Or Istio workloads talking to external services?

Enter SPIFFE federation. It allows SPIFFE identity issuers to peer with each other, enabling workloads in disparate domains to securely authenticate and communicate with each other. In this talk, we will describe the challenges involved here and how SPIFFE addresses them, as well as demonstrate SPIFFE federation between Istio mesh and SPIRE.

Evan Gilman

Staff Engineer, VMware
Evan Gilman is an engineer with a background in computer networks. With roots in academia, and currently working on the SPIFFE project, he has been building and operating systems in hostile environments his entire professional career. An open source contributor, speaker, and author...

Oliver Liu

Senior Software Engineer, Google
Dr. Oliver (Yonggang) Liu is a senior software engineer at Google. He is one of the early developers and core engineers of Istio. Oliver has 10 years of experience in research and development of distributed systems and service mesh. Oliver received his PhD degree from University of...

Thursday November 21, 2019 2:25pm - 3:00pm PST
Room 6C - San Diego Convention Center Upper Level

3:20pm PST

Prepare to Be Boarded! A Tale of Kubernetes, Plunder, and Cryptobooty - James Condon, Lacework
How are Kubernetes clusters being compromised in the wild? There aren’t a whole lot of public reports detailing successful attacks against Kubernetes clusters. The goal of this talk is to demystify these attacks and provide recommendations to prevent them.

In this talk, a successful attack on a Kubernetes honeypot is analyzed. The amount of time it took for this to occur is quite surprising. Next, using this information, the scope of research is widened to survey other clusters that have fallen victim to the same attacks. Multiple cryptojacking campaigns emerge and details behind the methods of the attackers are shared. After providing statistics on these attacks, recommendations for prevention along with indicators of compromise are provided.

James Condon

Director of Research, Lacework
James Condon is Director of Research at Lacework. James is a security veteran with over 10 years of experience in incident response, intelligence analysis, and automated threat detection. James was previously Director of Threat Research at ProtectWise (acquired by Verizon), an Incident...

Thursday November 21, 2019 3:20pm - 3:55pm PST
Room 14AB - San Diego Convention Center Mezzanine Level

4:25pm PST

Identity Bootstrapping in Multi-tenant Multi-cluster Kubernetes - Manish Mehta, Volterra & Derek Suzuki, The Voleon Group
With the increasing popularity of Kubernetes, providing managed K8s has been a great way to convert enthusiasts into adopters. However, current solutions mainly focus on providing isolated clusters and adopters are responsible for making workload identities work across clusters. If multi-tenancy is added to the mix, the challenges of bootstrapping identities that work across clusters - but within tenancy - are even greater.

In this presentation, the speakers will share challenges of securely bootstrapping identities in such a setup (especially when the individual clusters could be running in untrusted environments), the tradeoffs, and possible solutions. Manish will also introduce planned open-source components of a solution used by Volterra Edge Services for identity bootstrapping and other security services.

Derek Suzuki

Director of DevOps, The Voleon Group
Derek Suzuki is Director of DevOps at The Voleon Group. Previously he was Senior Director of Information Technology and Business Applications at Outbrain and has held a variety of technology management roles at Redwood Systems, ZipRealty, Wine.com, Juno Online Services, and other...

Manish Mehta

Chief Security Architect, Volterra
Manish Mehta is Chief Security Architect at Volterra Edge Services, CA. In the past, he has worked at Netflix, Cryptography Research Inc., and other SF bay area companies designing and developing solutions around secure bootstrapping, authentication (service and user), and authorization...

Thursday November 21, 2019 4:25pm - 5:00pm PST
Room 14AB - San Diego Convention Center Mezzanine Level

5:20pm PST

Kubernetes Policy Enforcement Using OPA At Goldman Sachs - Miguel Uzcategui, Goldman Sachs & Tim Hinrichs, Styra
Managing state on multiple shared Kubernetes clusters may sound scary. The Goldman Sachs Kubernetes team uses OPA to manage that state using two different applications of policy. The first is the validating admission control policies that prevent unsafe resources on the cluster. The second, and novel, application goes beyond simple yes/no decisions and uses OPA policy to provision new resources on the cluster to implement a common baseline, e.g. RBAC, Volumes, ResourceQuotas, and LimitRanges.

This talk focuses on the architectural design that allows GS to run OPA at scale in production. Along the way we discuss best practices and lessons learned, highlighting how GS reduced policy deployment times from days to under 10 minutes. The audience will learn how to create their own policy pipelines using popular open-source tools to enforce OPA policy across multiple Kubernetes clusters.

Tim Hinrichs

CTO, Styra
Tim Hinrichs is a co-founder and CTO of Styra, the cloud-native authorization company, and he is a co-creator of the open source CNCF Open Policy Agent project. Before that, he worked at VMware and co-founded the OpenStack Congress project. Tim has 20+ years of experience developing...

Miguel Uzcategui

Associate, Goldman Sachs
Miguel Uzcategui is a Technology Associate in the Unix Engineering team at Goldman Sachs. He spends his time managing the compute infrastructure in areas such as configuration management, OS patching, and Kubernetes. Miguel's team is currently responsible for engineering & maintaining...

Thursday November 21, 2019 5:20pm - 5:55pm PST
Room 16AB - San Diego Convention Center Mezzanine Level