Marc Nimmerrichter

Kubernetes Security - Challenge and Opportunity

What's the most dangerous permission in Kubernetes? Learn why the `create pod` privilege, not `cluster-admin`, can lead to a full cluster compromise.

Kubernetes Security - Challenge and Opportunity
#1about 3 minutes

A high-level overview of Kubernetes architecture

The core components of a Kubernetes cluster are explained, including the master node, worker nodes, etcd, API server, and kubelet.

#2about 3 minutes

Configuring workloads with Kubernetes objects

Key Kubernetes objects like pods, deployments, services, and volumes are introduced as the building blocks for configuring applications.

#3about 4 minutes

Managing access with namespaces and admission control

Namespaces are used to group resources, while authentication, authorization, and admission controllers provide granular access control through the API server.

#4about 7 minutes

How container isolation works in the Linux kernel

Containers achieve isolation using Linux kernel features like namespaces and cgroups, but share the host kernel, creating a different security model than VMs.

#5about 2 minutes

Deconstructing a typical Kubernetes cluster attack chain

An attacker can chain exploits, starting from an application vulnerability and escalating to a full container escape and cluster compromise.

#6about 4 minutes

Identifying common Kubernetes security vulnerabilities

Misconfigurations like privileged containers, disabled namespaces, and unpatched software in runtimes like runc create significant security risks.

#7about 6 minutes

Demonstrating a container escape via kernel exploit

A live demo shows how a kernel vulnerability like Dirty COW can be exploited to escape container isolation and gain root access on the host node.

#8about 4 minutes

The risks of RBAC and essential hardening measures

The `create pod` privilege is dangerously powerful, and security can be improved by enabling hardening measures like seccomp profiles and Pod Security Admission.

#9about 4 minutes

Addressing networking and multi-tenancy security challenges

Kubernetes network policies are essential for segmenting traffic, while true multi-tenancy is extremely risky and requires advanced solutions like hardened runtimes.

#10about 1 minute

Leveraging containerization for improved security posture

Despite the risks, containerization offers security advantages through small, understandable workloads that allow for tight security profiles and automated scanning.

#11about 3 minutes

Q&A on managed Kubernetes security in the cloud

The shared responsibility model in cloud Kubernetes services is discussed, highlighting that users must still explicitly enable many hardening features.

Related jobs
Jobs that call for the skills explored in this talk.

Featured Partners

Related Videos

See all videos
Hacking Kubernetes: Live Demo Marathon46:36

Hacking Kubernetes: Live Demo Marathon

Andrew Martin

Enhancing Workload Security in Kubernetes44:00

Enhancing Workload Security in Kubernetes

Dimitrij Klesev & Andreas Zeissner

Local Development Techniques with Kubernetes40:00

Local Development Techniques with Kubernetes

Rob Richardson

Kubernetes Security Best Practices23:08

Kubernetes Security Best Practices

Rico Komenda

Turning Container security up to 11 with Capabilities28:47

Turning Container security up to 11 with Capabilities

Mathias Tausig

Mastering Kubernetes – Beginner Edition57:24

Mastering Kubernetes – Beginner Edition

Hannes Norbert Göring

What we Learned from Reading 100+ Kubernetes Post-Mortems28:36

What we Learned from Reading 100+ Kubernetes Post-Mortems

Noaa Barki

Chaos in Containers - Unleashing Resilience27:52

Chaos in Containers - Unleashing Resilience

Maish Saidel-Keesing

From learning to earning

Jobs that call for the skills explored in this talk.

Kubernetes Engineer

Circle Recruitment
Charing Cross, United Kingdom

Remote
80-90K
Go
GIT
Azure
+3