Dimitrij Klesev & Andreas Zeissner

Enhancing Workload Security in Kubernetes

A single blocked syscall can prevent a file-less memory attack. Learn how to automate this level of security across your Kubernetes cluster with the Security Profiles Operator.

Enhancing Workload Security in Kubernetes
#1about 3 minutes

Understanding the Kubernetes securityContext for workloads

The securityContext field in a pod specification allows you to define privilege and access control settings for a pod or container.

#2about 4 minutes

Restricting kernel system calls with seccomp profiles

Seccomp profiles enhance security by allowing you to explicitly define which kernel system calls a containerized workload is permitted to make.

#3about 4 minutes

Hardening file system access with AppArmor profiles

AppArmor provides mandatory access control by defining profiles that restrict application capabilities like file reads, writes, and network access.

#4about 6 minutes

Implementing fine-grained control with SELinux contexts

SELinux uses a labeling system to enforce mandatory access control policies, providing granular control over process and object interactions.

#5about 2 minutes

Automating security with the Security Profiles Operator

The Security Profiles Operator simplifies the management and distribution of seccomp, AppArmor, and SELinux profiles across all nodes in a Kubernetes cluster.

#6about 5 minutes

Demo of blocking an in-memory execution attack

A live demonstration shows how a seccomp profile can block the `memfd_create` system call to prevent a fileless malware execution attack.

#7about 3 minutes

Demo of managing seccomp with the operator

This demo illustrates how the Security Profiles Operator uses a `ProfileBinding` to automatically apply a seccomp profile to workloads based on their image.

#8about 8 minutes

Demo of troubleshooting SELinux permissions

A practical demonstration shows how SELinux denies access by default and how to use audit logs and tools like `audit2allow` to diagnose and create new policies.

#9about 8 minutes

Q&A on AppArmor, fileless attacks, and eBPF

The speakers answer audience questions about applying AppArmor profiles, the nature of fileless malware, discovering system calls, and the role of eBPF.

Related jobs
Jobs that call for the skills explored in this talk.

Matching moments

Q&A on managed Kubernetes security in the cloud
02:52 MIN

Q&A on managed Kubernetes security in the cloud

Kubernetes Security - Challenge and Opportunity

Centralizing security services in a Kubernetes ecosystem
02:04 MIN

Centralizing security services in a Kubernetes ecosystem

DevSecOps: Security in DevOps

Understanding the Kubernetes threat landscape and adversaries
08:13 MIN

Understanding the Kubernetes threat landscape and adversaries

Hacking Kubernetes: Live Demo Marathon

Identifying common Kubernetes security vulnerabilities
04:28 MIN

Identifying common Kubernetes security vulnerabilities

Kubernetes Security - Challenge and Opportunity

The prevalence and impact of Kubernetes security incidents
01:27 MIN

The prevalence and impact of Kubernetes security incidents

Kubernetes Security Best Practices

Security best practices for containers and Kubernetes
06:25 MIN

Security best practices for containers and Kubernetes

Microservices: how to get started with Spring Boot and Kubernetes

Addressing unique data protection challenges in Kubernetes
03:37 MIN

Addressing unique data protection challenges in Kubernetes

It's all about the Data

Moving from perimeter defense to workload microsegmentation
03:04 MIN

Moving from perimeter defense to workload microsegmentation

You can’t hack what you can’t see

Featured Partners

Related Videos

See all videos
Kubernetes Security - Challenge and Opportunity42:45

Kubernetes Security - Challenge and Opportunity

Marc Nimmerrichter

Hacking Kubernetes: Live Demo Marathon46:36

Hacking Kubernetes: Live Demo Marathon

Andrew Martin

Kubernetes Security Best Practices23:08

Kubernetes Security Best Practices

Rico Komenda

DevSecOps: Security in DevOps33:20

DevSecOps: Security in DevOps

Aarno Aukia

A practical guide to writing secure Dockerfiles42:25

A practical guide to writing secure Dockerfiles

Madhu Akula

Securing secrets in the GitOps Era58:52

Securing secrets in the GitOps Era

Davide Imola

You can’t hack what you can’t see29:34

You can’t hack what you can’t see

Reto Kaeser

Securing Your Web Application Pipeline From Intruders44:30

Securing Your Web Application Pipeline From Intruders

Milecia McGregor

Related Articles

View all articles
AG
Andre Braun, GitLab
Now is the time for industrialized software development
Now is the time for industrialized software development Recently, I received a letter from my car’s manufacturer alerting me to a recall. They had discovered a defective part and wanted to replace it. It was easily fixed, and I might have forgotten a...
Now is the time for industrialized software development
DC
Daniel Cranney
Why Attend a Developer Event?
Modern software engineering moves too fast for documentation alone. Attending a world-class event is about shifting from tactical execution to strategic leadership. Skill Diversification: Break out of your specific tech stack to see how the industry...
Why Attend a Developer Event?
Learning Kubernetes made easy with KubeCampus
Learning to use Kubernetes? KubeCampus by Kasten offers free educational content for all skill levels to get you started!Kubernetes is an open-source system for deploying, scaling and managing containerized applications. It allows you to deploy your ...
Learning Kubernetes made easy with KubeCampus

From learning to earning

Jobs that call for the skills explored in this talk.