Marc Nimmerrichter

Kubernetes Security - Challenge and Opportunity

What's the most dangerous permission in Kubernetes? Learn why the `create pod` privilege, not `cluster-admin`, can lead to a full cluster compromise.

Kubernetes Security - Challenge and Opportunity
#1about 3 minutes

A high-level overview of Kubernetes architecture

The core components of a Kubernetes cluster are explained, including the master node, worker nodes, etcd, API server, and kubelet.

#2about 3 minutes

Configuring workloads with Kubernetes objects

Key Kubernetes objects like pods, deployments, services, and volumes are introduced as the building blocks for configuring applications.

#3about 4 minutes

Managing access with namespaces and admission control

Namespaces are used to group resources, while authentication, authorization, and admission controllers provide granular access control through the API server.

#4about 7 minutes

How container isolation works in the Linux kernel

Containers achieve isolation using Linux kernel features like namespaces and cgroups, but share the host kernel, creating a different security model than VMs.

#5about 2 minutes

Deconstructing a typical Kubernetes cluster attack chain

An attacker can chain exploits, starting from an application vulnerability and escalating to a full container escape and cluster compromise.

#6about 4 minutes

Identifying common Kubernetes security vulnerabilities

Misconfigurations like privileged containers, disabled namespaces, and unpatched software in runtimes like runc create significant security risks.

#7about 6 minutes

Demonstrating a container escape via kernel exploit

A live demo shows how a kernel vulnerability like Dirty COW can be exploited to escape container isolation and gain root access on the host node.

#8about 4 minutes

The risks of RBAC and essential hardening measures

The `create pod` privilege is dangerously powerful, and security can be improved by enabling hardening measures like seccomp profiles and Pod Security Admission.

#9about 4 minutes

Addressing networking and multi-tenancy security challenges

Kubernetes network policies are essential for segmenting traffic, while true multi-tenancy is extremely risky and requires advanced solutions like hardened runtimes.

#10about 1 minute

Leveraging containerization for improved security posture

Despite the risks, containerization offers security advantages through small, understandable workloads that allow for tight security profiles and automated scanning.

#11about 3 minutes

Q&A on managed Kubernetes security in the cloud

The shared responsibility model in cloud Kubernetes services is discussed, highlighting that users must still explicitly enable many hardening features.

Related jobs
Jobs that call for the skills explored in this talk.

Matching moments

The prevalence and impact of Kubernetes security incidents
01:27 MIN

The prevalence and impact of Kubernetes security incidents

Kubernetes Security Best Practices

Security best practices for containers and Kubernetes
06:25 MIN

Security best practices for containers and Kubernetes

Microservices: how to get started with Spring Boot and Kubernetes

Understanding the Kubernetes threat landscape and adversaries
08:13 MIN

Understanding the Kubernetes threat landscape and adversaries

Hacking Kubernetes: Live Demo Marathon

Addressing unique data protection challenges in Kubernetes
03:37 MIN

Addressing unique data protection challenges in Kubernetes

It's all about the Data

Key takeaways for hardening Kubernetes clusters
02:16 MIN

Key takeaways for hardening Kubernetes clusters

Kubernetes Security Best Practices

Centralizing security services in a Kubernetes ecosystem
02:04 MIN

Centralizing security services in a Kubernetes ecosystem

DevSecOps: Security in DevOps

Securing containers and infrastructure as code (IAC)
07:59 MIN

Securing containers and infrastructure as code (IAC)

Maturity assessment for technicians or how I learned to love OWASP SAMM

Understanding the challenges of scaling Kubernetes with confidence
02:45 MIN

Understanding the challenges of scaling Kubernetes with confidence

5 steps for running a Kubernetes environment at scale

Featured Partners

Related Videos

See all videos
Hacking Kubernetes: Live Demo Marathon46:36

Hacking Kubernetes: Live Demo Marathon

Andrew Martin

Enhancing Workload Security in Kubernetes44:00

Enhancing Workload Security in Kubernetes

Dimitrij Klesev & Andreas Zeissner

Kubernetes Security Best Practices23:08

Kubernetes Security Best Practices

Rico Komenda

Local Development Techniques with Kubernetes40:00

Local Development Techniques with Kubernetes

Rob Richardson

Turning Container security up to 11 with Capabilities28:47

Turning Container security up to 11 with Capabilities

Mathias Tausig

Mastering Kubernetes – Beginner Edition57:24

Mastering Kubernetes – Beginner Edition

Hannes Norbert Göring

What we Learned from Reading 100+ Kubernetes Post-Mortems28:36

What we Learned from Reading 100+ Kubernetes Post-Mortems

Noaa Barki

Chaos in Containers - Unleashing Resilience27:52

Chaos in Containers - Unleashing Resilience

Maish Saidel-Keesing

Related Articles

View all articles
Learning Kubernetes made easy with KubeCampus
Learning to use Kubernetes? KubeCampus by Kasten offers free educational content for all skill levels to get you started!Kubernetes is an open-source system for deploying, scaling and managing containerized applications. It allows you to deploy your ...
Learning Kubernetes made easy with KubeCampus
DC
Daniel Cranney
Why Attend a Developer Event?
Modern software engineering moves too fast for documentation alone. Attending a world-class event is about shifting from tactical execution to strategic leadership. Skill Diversification: Break out of your specific tech stack to see how the industry...
Why Attend a Developer Event?

From learning to earning

Jobs that call for the skills explored in this talk.