Kubernetes Security Updates from Kubecon 2018 Seattle

•

2 likes•484 views

This is talk delivered in Kubernetes Bangalore meetup of January which is just an update from the Kubecon that happened in Seattle in December 2018. Also includes some updates from recent Kubernetes release v1.13.

Software

Kubernetes Security
Updates
Suraj Deshmukh

$ whoami
● Suraj Deshmukh
● works @ Kinvolk
● Twitter @surajd_
● Kubernetes Slack @surajd
● Blog suraj.io

Features
● Fixed limited duration
● Every pod gets a different service account token
● Kubelet handles rotation of the token
● Force rotate by restarting the pod
● Not stored in secret, directly mounted inside the pod
● Need to re-read the token since it changes periodically
● Specify audiences so token is valid to talk to only those services

New API
TokenRequest
TokenRequestProjection
BoundServiceAccountTokenVolume
KEP: Service Account Token Volumes & Bound Service Account Tokens

Features
● Run heterogeneous container runtimes in cluster, allows you to run VMs and
containers together.
● Scheduling based on RuntimeClass is work in progress.
KEP: Runtime Class

● Field in PodSpec called runtimeClassName
● RuntimeClass
New API

Features
● Add restriction to kubelet
● Node isolation
● Prevent nodes from updating taints & their own labels specifically
node-restriction.kubernetes.io/*
● Can’t delete the node object itself
● Warn on whitelisted modifications

Features
● Graduated from experimental
● Define what resources you want to be encrypted
● Supports various encryption providers: aescbc, secretbox, aesgcm,
kms
● Solves the long standing problem of credentials not being safe with
Kubernetes.

Features
● Dynamically configure the audit backends
● No need to provide information to apiserver via flags

Other announcements
● Bug bounty program is coming to Kubernetes

References
● Transition ServiceAccount admission controller to improved service account token volumes #70679
● Kubernetes Contributor Summit 2018 - Security Through the Ages
● Deep Dive: Container Identity WG - Greg Castle & Michael Danese, Google
● Encrypting Secret Data at Rest
● NodeRestriction
● Dynamic Backend
● Audit in Kubernetes, the Future is Here - Stefan Schimanski & Maciej Szulik, Red Hat

Connect with us
● Twitter @k8sBLR
● Join Kubernetes slack slack.k8s.io and channel #in-dev & #in-users
● GSOC for Kubernetes announced!

Kubernetes Security Updates from Kubecon 2018 Seattle

What's hot

Mirantis Contributions to Kubernetes Ecosystem

MoscowKubernetes

DCSF19 Deploying Istio as an Ingress Controller

Docker, Inc.

Contiv provides a higher level of networking abstraction for microservices: it provides built-in service discovery and service routing for scale out services, working with schedulers like Docker Swarm, Kubernetes, Mesos and Openshift. A powerful policy-based management that makes networking on large scale easy. We will see some code examples, use cases and an easy tutorial on the web. This session is a follow up to the successful sessions at Codemotion Rome and Amsterdam in 2016: we'll go deeper into the architecture and the use cases.

Luca Relandini - Microservices and containers networking: Contiv, deep dive a...

Codemotion

Istio (service mesh) why and how

Milan Das

Mettere in sicurezza un cluster Kubernetes richiede l'uso di diverse strategie e di strumenti per attuarle. Tra queste, i Dynamic Admission Controllers giocano un ruolo fondamentale per garantire non solo la sicurezza di un cluster, ma anche la sua compliance. Infatti tramite di essi è possibile definire, ed applicare, regole personalizzate. Nonostante molte organizzazioni riconoscano l'importanza di abbracciare la "filosofia" Policy As Code, sono purtroppo poche le realtà in cui questa metodologia viene utilizzata in ambienti di produzione. Durante questo talk mostrerò come WebAssembly, una tecnologia nata originariamente per il Web, possa essere utilizzato per implementare strategie di Policy As Code in Kubernetes. Vedremo come l'adozione di WebAssembly semplifichi il processo di creazione, mantenimento e distribuzione di queste policy.

Kubernetes Policy As Code usando WebAssembly | Flavio Castelli

KCDItaly

Secure Credential Management with CredHub - DaShaun Carter & Sharath Sahadevan

VMware Tanzu

This presentation provides the basic concepts of the Kubernetes for Beginners. 1) Introduction of Kubernetes Before Kubernetes What is Kubernetes What Kubernetes can do? What Kubernetes can't do? Features of Kubernetes Kubernetes Architecture Kubernetes vs Docker Swarm Kubernetes 7 use cases ... 2) Kubernetes Component What is Kubelet? What is Kubectl? What is Kubeadm? 3) Nodes in Kubernetes What is a node in Kubernetes? Master node Worker node 4) Kubernetes Development Process What is blue green deployment? How to automate the deployment? 5) Networking in Kubernetes Kubernetes networking model Ingress networking in Kubernetes 6) Security Measures in Kubernetes Best security measures in Kubernetes

Introduction of Kubernetes - Trang Nguyen

Trang Nguyen

Getting started with Azure Container Service (AKS)

Janakiram MSV

What is Google Cloud Good For at DevFestInspire 2021

Robert John

Introduction to Kubernetes and Google Container Engine (GKE)

Opsta

Meetup 22 - 04 - Logging and Monitoring at scale on Kubernetes

Vietnam Open Infrastructure User Group

Kubernetes - Security Journey

Jerry Jalava

Watch this Tech Talk: https://do.co/video_pgupta An introduction into the world of containers and the orchestration ecosystem, and how Kubernetes can help software developers and cloud infrastructure engineers be more agile, efficient, and productive. Containers and Kubernetes have changed the infra world for good, bringing agility, efficiency, and more productivity. Still thinking about how to get started with Kubernetes? This talk is designed to give you an introduction into the world of containers and the orchestration ecosystem. What You'll Learn - Introduction to containers and microservices - Introduction to Kubernetes and how it can help - Essential Kubernetes building blocks (“primitives”) for getting started About the Presenter Peeyush Gupta is a cloud enthusiast with 5+ years of experience in developing cloud platforms and helping customers migrate their legacy applications to cloud. He has also been a speaker at multiple meetups and serves the developer community as part of Kubernetes contributor experience group. He is currently working with DigitalOcean as a Senior Developer Advocate. New to DigitalOcean? Get US $100 in credit when you sign up: https://do.co/deploytoday To learn more about DigitalOcean: https://www.digitalocean.com/ Follow us on Twitter: https://twitter.com/digitalocean Like us on Facebook: https://www.facebook.com/DigitalOcean Follow us on Instagram: https://www.instagram.com/thedigitalocean/ We're hiring: http://do.co/careers

Kubernetes for Beginners

DigitalOcean

Kubernetes Architecture

Knoldus Inc.

16. Cncf meetup-docker

Juraj Hantak

Introduction to Kubernetes with demo

Opsta

Service Mesh For Beginner

Mien Dinh

Extending Kubernetes

Johannes Rudolph

Kubernetes Security

Karthik Gaekwad

Sempre più spesso è presente l'esigenza di costruire applicativi dinamici, interattivi e veloci al punto tale da risultare istantanei e in grado di permettere la fruizione di informazioni aggiornate in tempo reale. Durante il talk vedremo un esempio concreto di come sia possibile creare un’applicazione production ready, basata su uno use-case che rispetti queste esigenze e sfruttando alcune delle principali tecnologie offerte dal mercato come React, Flux, WebSocket e MongoDB.

M.Montalbano/M.Colombo Speroni/S.Sala - Combining React and Websocket to buil...

Codemotion

What's hot (20)

Mirantis Contributions to Kubernetes Ecosystem

DCSF19 Deploying Istio as an Ingress Controller

Luca Relandini - Microservices and containers networking: Contiv, deep dive a...

Istio (service mesh) why and how

Kubernetes Policy As Code usando WebAssembly | Flavio Castelli

Secure Credential Management with CredHub - DaShaun Carter & Sharath Sahadevan

Introduction of Kubernetes - Trang Nguyen

Getting started with Azure Container Service (AKS)

What is Google Cloud Good For at DevFestInspire 2021

Introduction to Kubernetes and Google Container Engine (GKE)

Meetup 22 - 04 - Logging and Monitoring at scale on Kubernetes

Kubernetes - Security Journey

Kubernetes for Beginners

Kubernetes Architecture

16. Cncf meetup-docker

Introduction to Kubernetes with demo

Service Mesh For Beginner

Extending Kubernetes

Kubernetes Security

M.Montalbano/M.Colombo Speroni/S.Sala - Combining React and Websocket to buil...

Similar to Kubernetes Security Updates from Kubecon 2018 Seattle

Dynamic management of kubernetes

Martin Podval

Extending kubernetes

Gigi Sayfan

Kubernetes secret introduction

Evan Lin

Container orchestration and microservices world

Karol Chrapek

Kubernetes provides an automated platform to deployment, scaling and operations of applications across a cluster of hosts. Complementing Kubernetes with a series of build scripts in conjunction with Travis-CI, GitHub, Artifactory, and Google Cloud Platform, we can take code from a merged pull request to a deployed environment with no manual intervention on a highly scaleable and robust infrastructure.

GCP - Continuous Integration and Delivery into Kubernetes with GitHub, Travis...

Oleg Shalygin

Ultimate Guide to Microservice Architecture on Kubernetes

kloia

Join us to learn the concepts and terminology of Kubernetes such as Nodes, Labels, Pods, Replication Controllers, Services. After taking a closer look at the Kubernetes master and the nodes, we will walk you through the process of building, deploying, and scaling microservices applications. Each attendee gets $100 credit to start using Google Container Engine. The source code is available at https://github.com/janakiramm/kubernetes-101

Kubernetes architecture

Janakiram MSV

Introduction to kubernetes

Rishabh Indoria

Introduction to Kubernetes Workshop

Bob Killen

Incredibly powerful and flexible, Kubernetes role-based access control (RBAC) is an essential tool to effectively manage production clusters. Yet many Ops and DevOps engineers are still facing barriers to efficiently use it at scale. These include a steep learning curve, YAML-based configuration, lack of standardized best practices, and the general complexity of this functionality at large -- it truly can be somewhat overwhelming. During this meetup Oleg, CTO at Kublr, will discuss Kubernetes RBAC concepts and objects. He'll explore different use cases ranging from simple permission management for in-cluster application accounts to integrations with external identity providers for SSO and enterprise user access management. Leveraging the Kublr Platform, Oleg will demonstrate how it simplifies the management of access and RBAC rules in a cloud native environment while staying vendor-independent and compatible with any Kubernetes distribution.

Introduction to Kubernetes RBAC

Kublr

CNCF Live Webinar: Kubernetes 1.23

LibbySchulze

Kube 1.2

Diógenes Rettori

Docker on docker leveraging kubernetes in docker ee

Docker, Inc.

Google Cloud platform: GKE with CI/CD using CircleCI and Flux

komaldevg

kubernetesssssssssssssssssssssssssss.pdf

bchiriamina2

WSO2 API Manager provides cloud-native API management, where a user can expose microservices as managed APIs in cloud environments with no hassle. In an age where applications are increasingly adopting microservice architecture, it is obvious that container-orchestration systems such as Kubernetes have gained popularity due to the attractive functionality they offer to simplify a number of complex management tasks. With WSO2 API Manager, now you can expose microservices as managed APIs in cloud environments such as Kubernetes. It automates a number of complex tasks such as application deployment, scaling, and management. Exposing microservices in cloud environments with private jet mode provides a dedicated microgateway to handle each managed API. This will provide maximum security and guaranteed resource allocation for API execution. By attending this webinar, you will gain hands-on experience on how to expose microservices as managed APIs in cloud clusters in private jet mode where each API is managed by a dedicated microgateway. Watch the on-demand here: https://wso2.com/library/webinars/how-to-build-a-scalable-distributed-multi-cloud-api-architecture/

How to Build a Scalable, Distributed, Multi-Cloud API Architecture on Kubernetes

WSO2

WSO2 API Microgateway is a lightweight, developer focused, cloud-native, decentralized gateway designed to be deployed in microservice architectures. It acts as a gateway for microservices with inbuilt capabilities for service enrichment such as authentication, authorization, rate limiting, and analytics. This deck covers, - Architectural changes done for the major version - Developer centric approach of microgateway - New features and their use cases - Deployment patterns for microgateways - Demonstration of its capabilities (Create microgateway projects, and deploy them in multiple environments) Watch the webinar on-demand here - https://wso2.com/library/webinars/2019/07/wso2-api-microgateway-for-easier-development-and-greater-scalability/

WSO2 API Microgateway for Easier Development and Greater Scalability

WSO2

Getting started with Kubernetes and Azure DevOps

RaTul Basak

Docker Enterprise Workshop - Technical

Patrick Chanezon

01 - VMUGIT - Lecce 2018 - Fabio Rapposelli, VMware

VMUG IT

Similar to Kubernetes Security Updates from Kubecon 2018 Seattle (20)

Dynamic management of kubernetes

Extending kubernetes

Kubernetes secret introduction

Container orchestration and microservices world

GCP - Continuous Integration and Delivery into Kubernetes with GitHub, Travis...

Ultimate Guide to Microservice Architecture on Kubernetes

Kubernetes architecture

Introduction to kubernetes

Introduction to Kubernetes Workshop

Introduction to Kubernetes RBAC

CNCF Live Webinar: Kubernetes 1.23

Kube 1.2

Docker on docker leveraging kubernetes in docker ee

Google Cloud platform: GKE with CI/CD using CircleCI and Flux

kubernetesssssssssssssssssssssssssss.pdf

How to Build a Scalable, Distributed, Multi-Cloud API Architecture on Kubernetes

WSO2 API Microgateway for Easier Development and Greater Scalability

Getting started with Kubernetes and Azure DevOps

Docker Enterprise Workshop - Technical

01 - VMUGIT - Lecce 2018 - Fabio Rapposelli, VMware

Recently uploaded

Test automation is a cornerstone of software development and quality assurance in today's rapidly evolving digital landscape. Its significance cannot be overstated. Businesses can enhance efficiency, productivity, and accelerate software delivery to market through automation, streamlining testing processes effectively. This comprehensive guide addresses the best practices for test automation in 2024. It offers a detailed checklist to empower you to optimize your automation efforts and maintain a competitive edge.

The Ultimate Test Automation Guide_ Best Practices and Tips.pdf

kalichargn70th171

Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...

SelfMade bd

Craft an AI & Machine Learning Pitch with our Editable Professional PowerPoint Template. Ignite your AI & Machine Learning pitch with our cutting-edge PowerPoint template tailored for the industry. Perfect for AI conferences, investor presentations, sales pitches to tech-focused companies, training sessions, and educational programs. - 20+ editable slides: Get a variety of options to choose from for your presentation. - Time-saving solution: Download, replace text/images with a few clicks. - User-friendly customization: Easy to use and personalize. - Modern and attractive design: Captivating visuals, sleek layout. - Tailored to your requirements: Fully alterable for customization. - Well-organized slides: Complete control over content. - Thematic specificity: Reflects healthcare industry with relevant graphics. - Showcase your business idea: Communicate value proposition effectively.

AI & Machine Learning Presentation Template

Presentation.STUDIO

In an era where security concerns are paramount, the integration of artificial intelligence (AI) into CCTV cameras has revolutionized surveillance capabilities. One of the most significant advancements is the ability to achieve real-time threat detection, enabling immediate responses to potential security breaches. This blog explores how AI is reshaping surveillance through real-time threat detection and the implications of this technology.

Optimizing AI for immediate response in Smart CCTV

shikhaohhpro

Data spaces in distributed environments should be allowed to evolve in agile ways providing data space owners with large flexibility about which data they store. Agility and heterogeneity, however, jeopardize data exchanges because representations may build on varying ontologies and data consumers may not rely on the semantic correctness of their queries in the context of semantically heterogeneous, evolving data spaces. Graph data spaces are one example of a powerful model for representing and querying data whose semantics may change over time. To assert and enforce conditions on individual graph data spaces, shape languages (e.g SHACL) have been developed. We investigate the question of how querying and programming can be guarded by reasoning over SHACL constraints in a distributed setting and we sketch a picture of how a future landscape based on semantically heterogeneous data spaces might look like.

Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...

Steffen Staab

In today's dynamic e-commerce landscape, the payment gateway emerges as a linchpin, ensuring smooth and secure transactions between buyers and sellers. In this discourse, we delve into the meticulous process of devising test cases tailored for scrutinizing payment gateways. Crafting precise test cases for payment gateways is a quintessential responsibility for testers operating within the service industry. This article meticulously explores pivotal scenarios integral to how to test payment gateways, coupled with essential guidelines for drafting effective test cases.

Payment Gateway Testing Simplified_ A Step-by-Step Guide for Beginners.pdf

kalichargn70th171

(Vivek)Call Us, 8448380779,Call girls in Delhi NCr – We Offer best in class call girls. escort Service At Affordable Price At low Rate with Space Night 8000 We Are One Of The Oldest Escort and Call girls Agencies in Delhi. You Will Find That Our Female Escorts Are Full Of Fun, Sexy And They Would Love Enjoy Your Company. We Have A Fantastic Selection Of Escort Ladies Available For In-Calls As Well As Out-Calls. Our Escorts Are Not Only Beautiful But All Have Great Personalities Making Them The Perfect Companion For Any Occasion. In-Call:- You Can Come At Our Place in Delhi Our place Which Is Very Clean Hygienic 100% safe Accommodation. Out-Call:- You have To Come Pick The Girl From My Place We Are Also Provide Door Step Services (Delhi Ncr, Noida, Gurgaon, Faridabad, Ghaziabad Note:- Pic Collectors Time Passers Bargainers Stay Away As We Respect The Value For Your Money Time And Expect The Same From You Hygienic:- Full Ac room And Clean Rooms Available In Hotel 24 * 7 Hourly In Delhi NCR More Details, With WhatsApp Number, +91-8448380779

call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️

Delhi Call girls

8257 interfacing 2 in microprocessor for btech students

HimanshiGarg82

The title is not connected to what is inside

shinachiaurasa2

How To Troubleshoot Collaboration Apps for the Modern Connected Worker

ThousandEyes

MakeMyPass" Online Bus Pass Management System illustrates the flow of activities and actions that occur within the system to accomplish specific tasks or use cases. This type of diagram focuses on representing the sequence of activities and decision points involved in a particular process. Below is an example outline and description of key elements that could be included in an Activity Diagram for the system:

BUS PASS MANGEMENT SYSTEM USING PHP.pptx

alwaysnagaraju26

Direct Style Effect Systems -The Print[A] Example- A Comprehension Aid

Philip Schwarz

Technology has taken up space all over the world. From generating content with a single command on ChatGPT to getting your food served by Robots at your favorite restaurant, artificial advancements have ruled every space. Every industry is set to develop top-notch technology in every sector; finance, IT, healthcare, gaming, and banking, with competitive market standards. One of these rapidly growing industries is Mobile App Development. According to the Straits Research report, it is expected to reach USD 583.03 billion at a CAGR OF 12.8% between (2022 and 2030). It clearly shows how mobile app development has become an integral part of the digital landscape and revolutionized technology.

The Top App Development Trends Shaping the Industry in 2024-25 .pdf

ayushiqss

At TECUNIQUE, we're a stable and steadily growing Indian software services company with over 14 years of industry experience. Specializing in offshore software development and quality assurance services, we've built a reputation for delivering unique and effective solutions to start-ups, software development companies, enterprises, and digital agencies. We pride ourselves on our commitment to excellence and innovation. By blending insightful business domain knowledge with exceptional technical prowess, we craft tailor-made solutions that meet the unique needs of our clients. Our dedicated teams are adept in specific technologies, ensuring seamless integration of skills and delivering reliable, scalable, and high-quality software solutions aligned with our clients' preferences. Bespoke Dedicated Teams: Crafted to meet your specific needs and technology preferences, our dedicated teams are committed to delivering top-notch software solutions. Offshore Software Development: Accelerate your software development and scale up quickly with our 12+ years of expertise in offshore development. Quality Assurance Services: Ensure the quality of your software products with our dedicated teams of experienced QA professionals. IT Staff Augmentation: Overcome skill gaps with our client-centric software team, offering staff augmentation services. Expert Software Services: Unlock our capabilities in custom software development, product development, and quality assurance. Mission and Vision: Our mission at TECUNIQUE is to be the catalyst for our clients' success in the dynamic domain of software development. Rooted in our core values of respect, authenticity, and responsibility, we strive to ease the software outsourcing experience, reducing both time and cost to market for our clients. We envision ourselves as the leading Indian software services company, renowned for our unwavering commitment to excellence and innovation. www.tecunique.com

TECUNIQUE: Success Stories: IT Service provider

mohitmore19

A great deal of attention in medical devices has shifted towards cybersecurity with the ratification of section 524B of the FD&C act. This new law enables the FDA to enforce cybersecurity controls in any medical device that is capable of networked communications or that has software. In this webinar we will recap the process for managing vulnerabilities, identify categories of vulnerabilities and solutions and more.

The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...

ICS

HR Software Buyers Guide in 2024 - HRSoftware.com

Fatema Valibhai

LEVEL 5 - SESSION 1 2023 (1).pptx - PDF 123456

KiaraTiradoMicha

Define the academic and professional writing..pdf

PearlKirahMaeRagusta1

VTU technical seminar 8Th Sem on Scikit-learn

AmarnathKambale

At the recent Microsoft Ignite 2023 conference, Microsoft unveiled a groundbreaking strategy that will redefine enterprise work management. The plan involves integrating Microsoft’s key planning tools, Microsoft To Do, Microsoft Planner, and Microsoft Project for the web into a unified experience called “Microsoft Planner.” What does this new strategy from Microsoft mean for current users? Join us and learn how best to take advantage of this announcement while gaining a clear path on how to elevate the current state of Microsoft Planner from a basic task manager to a comprehensive tool for Enterprise Work Management using OnePlan. Learn how OnePlan’s integration with Microsoft Planner allows for strategic alignment with business goals through advanced features like strategic planning, portfolio management, resource management, financial management, and more!

Introducing Microsoft’s new Enterprise Work Management (EWM) Solution

OnePlan Solutions

Recently uploaded (20)

The Ultimate Test Automation Guide_ Best Practices and Tips.pdf

Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...

AI & Machine Learning Presentation Template

Optimizing AI for immediate response in Smart CCTV

Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...

Payment Gateway Testing Simplified_ A Step-by-Step Guide for Beginners.pdf

call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️

8257 interfacing 2 in microprocessor for btech students

The title is not connected to what is inside

How To Troubleshoot Collaboration Apps for the Modern Connected Worker

BUS PASS MANGEMENT SYSTEM USING PHP.pptx

Direct Style Effect Systems -The Print[A] Example- A Comprehension Aid

The Top App Development Trends Shaping the Industry in 2024-25 .pdf

TECUNIQUE: Success Stories: IT Service provider

The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...

HR Software Buyers Guide in 2024 - HRSoftware.com

LEVEL 5 - SESSION 1 2023 (1).pptx - PDF 123456

Define the academic and professional writing..pdf

VTU technical seminar 8Th Sem on Scikit-learn

Introducing Microsoft’s new Enterprise Work Management (EWM) Solution

Kubernetes Security Updates from Kubecon 2018 Seattle

1. Kubernetes Security Updates Suraj Deshmukh

2. $ whoami ● Suraj Deshmukh ● works @ Kinvolk ● Twitter @surajd_ ● Kubernetes Slack @surajd ● Blog suraj.io

3. ServiceAccount

4. Features ● Fixed limited duration ● Every pod gets a different service account token ● Kubelet handles rotation of the token ● Force rotate by restarting the pod ● Not stored in secret, directly mounted inside the pod ● Need to re-read the token since it changes periodically ● Specify audiences so token is valid to talk to only those services

5. New API TokenRequest TokenRequestProjection BoundServiceAccountTokenVolume KEP: Service Account Token Volumes & Bound Service Account Tokens

6. RuntimeClass

7. Features ● Run heterogeneous container runtimes in cluster, allows you to run VMs and containers together. ● Scheduling based on RuntimeClass is work in progress. KEP: Runtime Class

8. ● Field in PodSpec called runtimeClassName ● RuntimeClass New API

9. NodeRestriction

10. Features ● Add restriction to kubelet ● Node isolation ● Prevent nodes from updating taints & their own labels specifically node-restriction.kubernetes.io/* ● Can’t delete the node object itself ● Warn on whitelisted modifications

11. Encrypting Secret Data at Rest

12. Features ● Graduated from experimental ● Define what resources you want to be encrypted ● Supports various encryption providers: aescbc, secretbox, aesgcm, kms ● Solves the long standing problem of credentials not being safe with Kubernetes.

13. EncryptionConfiguration New API

14. Dynamic Audit backend

15. Features ● Dynamically configure the audit backends ● No need to provide information to apiserver via flags

16. New API AuditSink

17. Other announcements ● Bug bounty program is coming to Kubernetes

18. References ● Transition ServiceAccount admission controller to improved service account token volumes #70679 ● Kubernetes Contributor Summit 2018 - Security Through the Ages ● Deep Dive: Container Identity WG - Greg Castle & Michael Danese, Google ● Encrypting Secret Data at Rest ● NodeRestriction ● Dynamic Backend ● Audit in Kubernetes, the Future is Here - Stefan Schimanski & Maciej Szulik, Red Hat

19. Connect with us ● Twitter @k8sBLR ● Join Kubernetes slack slack.k8s.io and channel #in-dev & #in-users ● GSOC for Kubernetes announced!

Kubernetes Security Updates from Kubecon 2018 Seattle

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Kubernetes Security Updates from Kubecon 2018 Seattle

Similar to Kubernetes Security Updates from Kubecon 2018 Seattle (20)

More from Suraj Deshmukh

More from Suraj Deshmukh (12)

Recently uploaded

Recently uploaded (20)

Kubernetes Security Updates from Kubecon 2018 Seattle