Dimitrij Klesev & Andreas Zeissner
Enhancing Workload Security in Kubernetes
#1about 3 minutes
Understanding the Kubernetes securityContext for workloads
The securityContext field in a pod specification allows you to define privilege and access control settings for a pod or container.
#2about 4 minutes
Restricting kernel system calls with seccomp profiles
Seccomp profiles enhance security by allowing you to explicitly define which kernel system calls a containerized workload is permitted to make.
#3about 4 minutes
Hardening file system access with AppArmor profiles
AppArmor provides mandatory access control by defining profiles that restrict application capabilities like file reads, writes, and network access.
#4about 6 minutes
Implementing fine-grained control with SELinux contexts
SELinux uses a labeling system to enforce mandatory access control policies, providing granular control over process and object interactions.
#5about 2 minutes
Automating security with the Security Profiles Operator
The Security Profiles Operator simplifies the management and distribution of seccomp, AppArmor, and SELinux profiles across all nodes in a Kubernetes cluster.
#6about 5 minutes
Demo of blocking an in-memory execution attack
A live demonstration shows how a seccomp profile can block the `memfd_create` system call to prevent a fileless malware execution attack.
#7about 3 minutes
Demo of managing seccomp with the operator
This demo illustrates how the Security Profiles Operator uses a `ProfileBinding` to automatically apply a seccomp profile to workloads based on their image.
#8about 8 minutes
Demo of troubleshooting SELinux permissions
A practical demonstration shows how SELinux denies access by default and how to use audit logs and tools like `audit2allow` to diagnose and create new policies.
#9about 8 minutes
Q&A on AppArmor, fileless attacks, and eBPF
The speakers answer audience questions about applying AppArmor profiles, the nature of fileless malware, discovering system calls, and the role of eBPF.
Related jobs
Jobs that call for the skills explored in this talk.
Matching moments
22:09 MIN
Centralizing security services in a Kubernetes ecosystem
DevSecOps: Security in DevOps
01:46 MIN
Understanding the Kubernetes threat landscape and adversaries
Hacking Kubernetes: Live Demo Marathon
56:21 MIN
Security best practices for containers and Kubernetes
Microservices: how to get started with Spring Boot and Kubernetes
07:14 MIN
Addressing unique data protection challenges in Kubernetes
It's all about the Data
18:57 MIN
Moving from perimeter defense to workload microsegmentation
You can’t hack what you can’t see
29:55 MIN
Demo: Verifying deployment and monitoring runtime security
Open Source Secure Software Supply Chain in action
25:41 MIN
The benefits of a modern workload-centric security architecture
You can’t hack what you can’t see
10:33 MIN
Tools and techniques for Kubernetes development
How I saved 200K/yr in direct costs writing 0 code lines in K8s
Featured Partners
Related Videos
23:08Kubernetes Security Best Practices
Rico Komenda
42:45Kubernetes Security - Challenge and Opportunity
Marc Nimmerrichter
46:36Hacking Kubernetes: Live Demo Marathon
Andrew Martin
58:52Securing secrets in the GitOps Era
Davide Imola
58:57Securing Secrets in the GitOps era
Alex Soto
33:20DevSecOps: Security in DevOps
Aarno Aukia
39:20Developing locally with Kubernetes - a Guide and Best Practices
Dan Erez
28:47Turning Container security up to 11 with Capabilities
Mathias Tausig
From learning to earning
Jobs that call for the skills explored in this talk.
DevOps Engineer – Kubernetes & Cloud (m/w/d)
epostbox epb GmbH
Berlin, Germany
Intermediate
Senior
DevOps
Kubernetes
Cloud (AWS/Google/Azure)
Senior Systems/DevOps Developer (f/m/d)
Bonial International GmbH
Berlin, Germany
Senior
Python
Terraform
Kubernetes
Elasticsearch
Amazon Web Services (AWS)
