Most organizations have experienced a Kubernetes security incident in the last year, commonly caused by runtime issues or cluster misconfigurations.
The 4 Cs model provides a framework for securing the entire stack, from the cloud infrastructure and cluster to the container and code.
Prevent container breakouts by scanning images for vulnerabilities, using trusted registries, and removing unnecessary dependencies.
Enhance pod security by running containers as non-root users, disabling privilege escalation, and enforcing policies with Pod Security Standards.
Use Role-Based Access Control (RBAC) to grant users and service accounts only the specific permissions they need at the namespace level.
Restrict communication between pods by default and define explicit allow rules using network policies and CNI plugins like Calico.
Secure the cluster's central datastore, etcd, by enforcing TLS communication with the API server and using a separate certificate authority.
Use tools like Kyverno, Kubewarden, or OPA Gatekeeper as admission controllers to automatically validate and enforce security policies at scale.
A summary of essential practices includes hardening images, using RBAC, isolating traffic, protecting etcd, and automating policy enforcement.
ROSEN Technology and Research Center GmbH
Lingen (Ems), Germany
42:45Marc Nimmerrichter
46:36Andrew Martin
44:00Dimitrij Klesev & Andreas Zeissner
28:47Mathias Tausig
29:50Kevin Lewis
27:52Maish Saidel-Keesing
57:24Hannes Norbert Göring
24:47Adrian Mouat
Jobs that call for the skills explored in this talk.
Capgemini
Chicago, United States of America
