TRACK: DEVSECOPS
OCTOBER 26, 2023
Jose Manuel Ortega, OWASP
Evolution of security strategies in K8s environments
Agenda
• Introduction to security strategies in K8s environments
• Pod Security Admission (PSA) vs Open Policy Agent (OPA)
• Combination of different security strategies together
• Access to resources in privileged and non-privileged mode
Introduction to security strategies in K8s environments
• Cluster Hardening: Implement best practices for securing the Kubernetes cluster itself, including securing access to the API server, enabling RBAC (Role-Based Access Control), and using network policies to control communication between pods.
• Pod Security Policies (PSP): Enforce security policies that define what a pod can and cannot do, including limiting privilege levels, host access, and running as non-root users.
Introduction to security strategies in K8s environments
• Secrets Management: Use Kubernetes Secrets to store sensitive information securely, such as API keys, passwords, or certificates.
• Role-Based Access Control (RBAC): Define fine-grained access controls for users and service accounts to limit the scope of actions they can perform within the cluster.
Introduction to security strategies in K8s environments
• Limit Resource Consumption: Set resource quotas to limit the amount of CPU, memory, and other resources that can be consumed by pods, preventing resource exhaustion and potential denial-of-service attacks.
• Pod Security Context: Use the pod security context to define security settings at the pod level, such as user and group IDs, SELinux, and file system permissions.
Introduction to security strategies in K8s environments
                 Security Contexts                        RBAC (Role-Based Access Control)
Resource scope   Pods                                     Pods, Nodes, cluster
Actions          Predefined capabilities                  RBAC policies
Extensibility    Via integrations with external           Can't use external tools
                 frameworks, including SELinux            to define policies.
                 and AppArmor
Introduction to security strategies in K8s environments
spec:
  securityContext:                 # pod-level settings, inherited by every container
    runAsUser: 1000
    fsGroup: 2000
  containers:
  - name: app                      # placeholder container name; image omitted
    securityContext:               # allowPrivilegeEscalation is a container-level field
      allowPrivilegeEscalation: false
Introduction to security strategies in K8s environments
apiVersion: v1
kind: Pod
metadata:
  name: scd-3
spec:
  containers:
  - name: scd-3
    image: nginx
    securityContext:
      capabilities:
        add: ["NET_ADMIN", "SYS_TIME"]
Introduction to security strategies in K8s environments
https://github.com/Shopify/kubeaudit
Introduction to security strategies in K8s environments
• PodSecurityPolicy has been deprecated since Kubernetes 1.21.
Pod Security Admission (PSA)
● A new form of admission control, created with the understanding that Kubernetes users will probably seek external authorization.
● It can be deactivated partially or entirely to coexist with external admission controllers like OPA.
● KEP-2579: Pod Security Admission Control
● https://github.com/kubernetes/enhancements/blob/master/keps/sig-auth/2579-psp-replacement/README.md
Pod Security Admission (PSA)
● Pod Security admission places requirements on a Pod's Security Context and other related fields according to the three levels defined by the Pod Security Standards: privileged, baseline, and restricted. The related fields it inspects include:
● spec.containers[*].ports
● spec.volumes[*].hostPath
● spec.securityContext
● spec.containers[*].securityContext
Pod Security Admission (PSA)
kind: Cluster
apiVersion: kind.x-k8s.io/v1alpha4
featureGates:
  PodSecurity: true
nodes:
- role: control-plane
- role: worker
Pod Security Admission (PSA)
Mode     Description
enforce  Policy violations will cause the pod to be rejected.
audit    Policy violations will trigger the addition of an audit annotation to the event recorded in the audit log, but are otherwise allowed.
warn     Policy violations will trigger a user-facing warning, but are otherwise allowed.
Pod Security Admission (PSA)
$ kubectl label --dry-run=server --overwrite ns --all \
    pod-security.kubernetes.io/enforce=baseline
Warning: kuard: privileged
namespace/default labeled
namespace/kube-node-lease labeled
namespace/kube-public labeled
Warning: kube-proxy-vxjwb: host namespaces, hostPath volumes, privileged
Warning: kube-proxy-zxqzz: host namespaces, hostPath volumes, privileged
Warning: kube-apiserver-kind-control-plane: host namespaces, hostPath volumes
Warning: etcd-kind-control-plane: host namespaces, hostPath volumes
Warning: kube-controller-manager-kind-control-plane: host namespaces, hostPath volumes
Warning: kindnet-cl5ln: non-default capabilities, host namespaces, hostPath volumes
Warning: kube-scheduler-kind-control-plane: host namespaces, hostPath volumes
Warning: kindnet-6ptww: non-default capabilities, host namespaces, hostPath volumes
namespace/kube-system labeled
namespace/local-path-storage labeled
Pod Security Admission (PSA)
apiVersion: v1
kind: Namespace
metadata:
  name: test-ns
  labels:
    pod-security.kubernetes.io/enforce: baseline
    pod-security.kubernetes.io/audit: restricted
    pod-security.kubernetes.io/warn: restricted
Pod Security Admission (PSA)
apiVersion: v1
kind: Pod
metadata:
  name: nginx
spec:
  containers:
  - image: nginx
    name: nginx
    ports:
    - containerPort: 80
Pod Security Admission (PSA)
$ kubectl apply -f pod.yaml
Warning: would violate "latest" version of "restricted" PodSecurity profile: allowPrivilegeEscalation != false (container "nginx" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "nginx" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "nginx" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "nginx" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
pod/nginx created
$ kubectl get pods
NAME    READY   STATUS    RESTARTS   AGE
nginx   1/1     Running   0          6s
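To make the enforce/audit/warn behaviour concrete, here is an added example (not code from the talk or from Kubernetes) that models only the PSA checks named in the slides and runs the deck's nginx and scd-3 manifests against the test-ns labels; the dict-encoded manifests, the hardened nginx variant and the reduced check set are assumptions of the example.

```python
"""Offline model of the Pod Security Admission (PSA) checks shown in the deck.

Added example, not code from the talk or from Kubernetes.  It implements only
the Pod Security Standards checks that appear in the slides (baseline:
privileged, host namespaces, hostPath volumes, non-default capabilities;
restricted: allowPrivilegeEscalation, capabilities.drop ALL, runAsNonRoot,
seccompProfile) and applies them the way the namespace labels do.  Pods are
plain dicts, as yaml.safe_load would return them.  Real PSA has more checks.
"""

PRIVILEGED, BASELINE, RESTRICTED = "privileged", "baseline", "restricted"
MODES = ("enforce", "audit", "warn")

# Capabilities the baseline profile lets a container add (Pod Security Standards list).
BASELINE_ALLOWED_CAPS = {
    "AUDIT_WRITE", "CHOWN", "DAC_OVERRIDE", "FOWNER", "FSETID", "KILL", "MKNOD",
    "NET_BIND_SERVICE", "SETFCAP", "SETGID", "SETPCAP", "SETUID", "SYS_CHROOT",
}


def _containers(pod):
    spec = pod.get("spec", {})
    return (spec.get("initContainers") or []) + (spec.get("containers") or [])


def _sc(obj):
    """securityContext of a pod spec or container, {} when absent."""
    return obj.get("securityContext") or {}


def baseline_violations(pod):
    """Names of baseline checks the pod fails, in the deck's wording."""
    spec = pod.get("spec", {})
    found = []
    if any(spec.get(k) for k in ("hostNetwork", "hostPID", "hostIPC")):
        found.append("host namespaces")
    if any("hostPath" in v for v in spec.get("volumes") or []):
        found.append("hostPath volumes")
    if any(_sc(c).get("privileged") for c in _containers(pod)):
        found.append("privileged")
    for c in _containers(pod):
        added = set((_sc(c).get("capabilities") or {}).get("add") or [])
        if added - BASELINE_ALLOWED_CAPS:
            found.append("non-default capabilities")
            break
    return found


def restricted_violations(pod):
    """Baseline checks plus the restricted-only checks from the kubectl warning."""
    pod_sc = _sc(pod.get("spec", {}))
    found = list(baseline_violations(pod))
    for c in _containers(pod):
        sc = _sc(c)
        if sc.get("allowPrivilegeEscalation") is not False:
            found.append("allowPrivilegeEscalation != false")
        if "ALL" not in ((sc.get("capabilities") or {}).get("drop") or []):
            found.append("unrestricted capabilities")
        # A container value overrides the pod value; both may be unset.
        if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
            found.append("runAsNonRoot != true")
        seccomp = sc.get("seccompProfile") or pod_sc.get("seccompProfile") or {}
        if seccomp.get("type") not in ("RuntimeDefault", "Localhost"):
            found.append("seccompProfile")
    return list(dict.fromkeys(found))  # one entry per check, first-seen order


# privileged level: everything is allowed.
CHECKS = {PRIVILEGED: lambda pod: [], BASELINE: baseline_violations,
          RESTRICTED: restricted_violations}


def admit(pod, namespace_labels):
    """Apply the PSA namespace labels; a mode without a label defaults to privileged."""
    levels = {m: namespace_labels.get(f"pod-security.kubernetes.io/{m}", PRIVILEGED)
              for m in MODES}
    result = {m: CHECKS[levels[m]](pod) for m in MODES}
    result["allowed"] = not result["enforce"]  # only the enforce mode can reject
    return result


# Constructed sample inputs, mirroring the manifests in the deck.
TEST_NS_LABELS = {"pod-security.kubernetes.io/enforce": "baseline",
                  "pod-security.kubernetes.io/audit": "restricted",
                  "pod-security.kubernetes.io/warn": "restricted"}
NGINX_POD = {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "nginx"},
             "spec": {"containers": [{"name": "nginx", "image": "nginx",
                                      "ports": [{"containerPort": 80}]}]}}
SCD3_POD = {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "scd-3"},
            "spec": {"containers": [{"name": "scd-3", "image": "nginx", "securityContext": {
                "capabilities": {"add": ["NET_ADMIN", "SYS_TIME"]}}}]}}
# The nginx pod with the four settings the restricted warning asks for.  Note that
# runAsNonRoot=true also needs an image whose USER is non-root, or the kubelet
# refuses to start the container.
HARDENED_NGINX_POD = {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "nginx"},
    "spec": {"securityContext": {"runAsNonRoot": True,
                                 "seccompProfile": {"type": "RuntimeDefault"}},
             "containers": [{"name": "nginx", "image": "nginx", "securityContext": {
                 "allowPrivilegeEscalation": False, "capabilities": {"drop": ["ALL"]}}}]}}

if __name__ == "__main__":
    for name, pod in (("nginx", NGINX_POD), ("scd-3", SCD3_POD),
                      ("hardened nginx", HARDENED_NGINX_POD)):
        r = admit(pod, TEST_NS_LABELS)
        verdict = "created" if r["allowed"] else "rejected: " + ", ".join(r["enforce"])
        print(f"{name}: {verdict}; warnings: {r['warn']}")
```

Run against test-ns, the plain nginx pod is created with the same four restricted warnings the slide shows, the scd-3 pod is rejected by the baseline enforce level because of NET_ADMIN/SYS_TIME, and the hardened variant passes cleanly.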
Pod Security Admission (PSA)
{
  "kind": "Event",
  "apiVersion": "audit.k8s.io/v1",
  "level": "Metadata",
  "auditID": "808ca159-914c-43fa-b4c8-dee5cb2fc440",
  "stage": "ResponseComplete",
  "requestURI": "/api/v1/namespaces/default/pods?fieldManager=kubectl-create",
  "verb": "create",
  "user": {"username": "kubernetes-admin", "groups": ["system:masters", "system:authenticated"]},
  "sourceIPs": ["172.18.0.1"],
  "userAgent": "kubectl/v1.22.0 (darwin/amd64) kubernetes/c2b5237",
  "objectRef": {"resource": "pods", "namespace": "default", "name": "nginx", "apiVersion": "v1"},
  "responseStatus": {"metadata": {}, "code": 201},
  "requestReceivedTimestamp": "2023-08-21T03:30:26.605589Z",
  "stageTimestamp": "2023-08-21T03:30:26.627123Z",
  "annotations": {
    "authorization.k8s.io/decision": "allow",
    "authorization.k8s.io/reason": "",
    "pod-security.kubernetes.io/audit": "allowPrivilegeEscalation != false (container \"nginx\" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container \"nginx\" must set securityContext.capabilities.drop=[\"ALL\"]), runAsNonRoot != true (pod or container \"nginx\" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container \"nginx\" must set securityContext.seccompProfile.type to \"RuntimeDefault\" or \"Localhost\")"
  }
}
Pod Security Admission (PSA)
apiVersion: apiserver.config.k8s.io/v1
kind: AdmissionConfiguration
plugins:
- name: PodSecurity
  configuration:
    apiVersion: pod-security.admission.config.k8s.io/v1alpha1
    kind: PodSecurityConfiguration
    defaults:
      enforce: "baseline"
      enforce-version: "latest"
      audit: "restricted"
      audit-version: "latest"
      warn: "restricted"
      warn-version: "latest"
    exemptions:
      usernames: []
      runtimeClassNames: []
      namespaces: [kube-system]
Policy-as-code (PAC) solutions
Open Policy Agent (OPA)
● Policy agent for cloud-native authorization.
● It provides a means of standardizing policy definition and management throughout the cloud-native technology stack.
● When combined with Kubernetes, OPA has the capability to enforce guardrails upon an entire system, requiring users' permissions to match policy at all times.
Open Policy Agent (OPA): example policies
● Require specific labels on all resources.
● Require container images from the corporate image registry.
● Require that all Pods specify resource requests and limits.
● Prevent conflicting Ingress objects from being created.
https://play.openpolicyagent.org
Pod Security Admission (PSA) vs Open Policy Agent (OPA)
Pod Security Admission (PSA)   Open Policy Agent (OPA)
Simplicity                     Flexibility
Native Integration             Customization
Performance                    External Control
Limited Attack Surface         Compliance
Pod Security Admission (PSA) vs Open Policy Agent (OPA)
● Which users can access which resources?
● Which subnets egress traffic is allowed to?
● Which clusters a workload must be deployed to?
● Which registries images can be downloaded from?
● Which capabilities a container can execute with?
● Which times of day the system can be accessed at?
Combination of different security strategies
● RBAC (Role-Based Access Control)
● PodSecurity Admission Controllers
● Network Policies
● Secrets Management
● Security Contexts
● Runtime Security
Access to resources in privileged and non-privileged mode
● Privileged Mode
● Non-Privileged Mode*
Conclusions
● Security
● Functionality
● Isolation
● Attack Surface
● Principle of least privilege
@jmortegac
https://www.linkedin.com/in/jmortega1
https://jmortega.github.io
https://josemanuelortegablog.com
AI Changes Everything – Talk at Cardiff Metropolitan University, 29th April 2...
Alan Dix
 
#StandardsGoals for 2025: Standards & certification roundup - Tech Forum 2025
#StandardsGoals for 2025: Standards & certification roundup - Tech Forum 2025#StandardsGoals for 2025: Standards & certification roundup - Tech Forum 2025
#StandardsGoals for 2025: Standards & certification roundup - Tech Forum 2025
BookNet Canada
 
Linux Professional Institute LPIC-1 Exam.pdf
Linux Professional Institute LPIC-1 Exam.pdfLinux Professional Institute LPIC-1 Exam.pdf
Linux Professional Institute LPIC-1 Exam.pdf
RHCSA Guru
 
DevOpsDays Atlanta 2025 - Building 10x Development Organizations.pptx
DevOpsDays Atlanta 2025 - Building 10x Development Organizations.pptxDevOpsDays Atlanta 2025 - Building 10x Development Organizations.pptx
DevOpsDays Atlanta 2025 - Building 10x Development Organizations.pptx
Justin Reock
 
Manifest Pre-Seed Update | A Humanoid OEM Deeptech In France
Manifest Pre-Seed Update | A Humanoid OEM Deeptech In FranceManifest Pre-Seed Update | A Humanoid OEM Deeptech In France
Manifest Pre-Seed Update | A Humanoid OEM Deeptech In France
chb3
 
tecnologias de las primeras civilizaciones.pdf
tecnologias de las primeras civilizaciones.pdftecnologias de las primeras civilizaciones.pdf
tecnologias de las primeras civilizaciones.pdf
fjgm517
 
How analogue intelligence complements AI
How analogue intelligence complements AIHow analogue intelligence complements AI
How analogue intelligence complements AI
Paul Rowe
 
Role of Data Annotation Services in AI-Powered Manufacturing
Role of Data Annotation Services in AI-Powered ManufacturingRole of Data Annotation Services in AI-Powered Manufacturing
Role of Data Annotation Services in AI-Powered Manufacturing
Andrew Leo
 
ThousandEyes Partner Innovation Updates for May 2025
ThousandEyes Partner Innovation Updates for May 2025ThousandEyes Partner Innovation Updates for May 2025
ThousandEyes Partner Innovation Updates for May 2025
ThousandEyes
 
Procurement Insights Cost To Value Guide.pptx
Procurement Insights Cost To Value Guide.pptxProcurement Insights Cost To Value Guide.pptx
Procurement Insights Cost To Value Guide.pptx
Jon Hansen
 
Big Data Analytics Quick Research Guide by Arthur Morgan
Big Data Analytics Quick Research Guide by Arthur MorganBig Data Analytics Quick Research Guide by Arthur Morgan
Big Data Analytics Quick Research Guide by Arthur Morgan
Arthur Morgan
 
Andrew Marnell: Transforming Business Strategy Through Data-Driven Insights
Andrew Marnell: Transforming Business Strategy Through Data-Driven InsightsAndrew Marnell: Transforming Business Strategy Through Data-Driven Insights
Andrew Marnell: Transforming Business Strategy Through Data-Driven Insights
Andrew Marnell
 
Noah Loul Shares 5 Steps to Implement AI Agents for Maximum Business Efficien...
Noah Loul Shares 5 Steps to Implement AI Agents for Maximum Business Efficien...Noah Loul Shares 5 Steps to Implement AI Agents for Maximum Business Efficien...
Noah Loul Shares 5 Steps to Implement AI Agents for Maximum Business Efficien...
Noah Loul
 
TrustArc Webinar: Consumer Expectations vs Corporate Realities on Data Broker...
TrustArc Webinar: Consumer Expectations vs Corporate Realities on Data Broker...TrustArc Webinar: Consumer Expectations vs Corporate Realities on Data Broker...
TrustArc Webinar: Consumer Expectations vs Corporate Realities on Data Broker...
TrustArc
 
How Can I use the AI Hype in my Business Context?
How Can I use the AI Hype in my Business Context?How Can I use the AI Hype in my Business Context?
How Can I use the AI Hype in my Business Context?
Daniel Lehner
 
Special Meetup Edition - TDX Bengaluru Meetup #52.pptx
Special Meetup Edition - TDX Bengaluru Meetup #52.pptxSpecial Meetup Edition - TDX Bengaluru Meetup #52.pptx
Special Meetup Edition - TDX Bengaluru Meetup #52.pptx
shyamraj55
 
Drupalcamp Finland – Measuring Front-end Energy Consumption
Drupalcamp Finland – Measuring Front-end Energy ConsumptionDrupalcamp Finland – Measuring Front-end Energy Consumption
Drupalcamp Finland – Measuring Front-end Energy Consumption
Exove
 
Enhancing ICU Intelligence: How Our Functional Testing Enabled a Healthcare I...
Enhancing ICU Intelligence: How Our Functional Testing Enabled a Healthcare I...Enhancing ICU Intelligence: How Our Functional Testing Enabled a Healthcare I...
Enhancing ICU Intelligence: How Our Functional Testing Enabled a Healthcare I...
Impelsys Inc.
 
UiPath Community Berlin: Orchestrator API, Swagger, and Test Manager API
UiPath Community Berlin: Orchestrator API, Swagger, and Test Manager APIUiPath Community Berlin: Orchestrator API, Swagger, and Test Manager API
UiPath Community Berlin: Orchestrator API, Swagger, and Test Manager API
UiPathCommunity
 
What is Model Context Protocol(MCP) - The new technology for communication bw...
What is Model Context Protocol(MCP) - The new technology for communication bw...What is Model Context Protocol(MCP) - The new technology for communication bw...
What is Model Context Protocol(MCP) - The new technology for communication bw...
Vishnu Singh Chundawat
 
AI Changes Everything – Talk at Cardiff Metropolitan University, 29th April 2...
AI Changes Everything – Talk at Cardiff Metropolitan University, 29th April 2...AI Changes Everything – Talk at Cardiff Metropolitan University, 29th April 2...
AI Changes Everything – Talk at Cardiff Metropolitan University, 29th April 2...
Alan Dix
 
#StandardsGoals for 2025: Standards & certification roundup - Tech Forum 2025
#StandardsGoals for 2025: Standards & certification roundup - Tech Forum 2025#StandardsGoals for 2025: Standards & certification roundup - Tech Forum 2025
#StandardsGoals for 2025: Standards & certification roundup - Tech Forum 2025
BookNet Canada
 
Ad

Evolution of security strategies in K8s environments- All day devops

  • 6. Introduction to security strategies in K8s environments
    Security Contexts vs RBAC (Role-Based Access Control)
      Resource scope
        Security Contexts: Pods (and the containers inside them)
        RBAC: Pods, Nodes, cluster (any API object, namespaced or cluster-scoped)
      Actions
        Security Contexts: predefined settings and Linux capabilities (runAsUser, privileged, capabilities.add/drop, ...)
        RBAC: RBAC policies (Roles/ClusterRoles bound to users, groups or service accounts)
      Extensibility
        Security Contexts: via integrations with external frameworks, including SELinux, AppArmor and seccomp
        RBAC: can't use external tools to define policies.
  • 7. Introduction to security strategies in K8s environments
    # runAsUser and fsGroup are pod-level fields; allowPrivilegeEscalation only
    # exists in the container-level securityContext, so it belongs under the container.
    spec:
      securityContext:
        runAsUser: 1000
        fsGroup: 2000
      containers:
      - name: app            # container name/image were not on the original slide
        image: nginx
        securityContext:
          allowPrivilegeEscalation: false
  • 8. Introduction to security strategies in K8s environments
    apiVersion: v1
    kind: Pod
    metadata:
      name: scd-3
    spec:
      containers:
      - name: scd-3
        image: nginx
        securityContext:
          capabilities:
            # NET_ADMIN and SYS_TIME are outside the baseline profile's allowed
            # list, so Pod Security Admission at "baseline" rejects this pod
            # ("non-default capabilities").
            add: ["NET_ADMIN", "SYS_TIME"]
  • 9. Introduction to security strategies in K8s environments
    https://github.com/Shopify/kubeaudit
    kubeaudit audits a running cluster or a set of manifests for exactly these settings (privileged containers, added capabilities, containers running as root, writable root filesystems, host namespaces, missing seccomp/AppArmor profiles).
  • 10. Introduction to security strategies in K8s environments
    ● PodSecurityPolicy has been deprecated since Kubernetes 1.21 and was removed in 1.25; its in-tree replacement is Pod Security Admission.
  • 11. Pod Security Admission (PSA)
    ● A new in-tree admission controller, designed on the assumption that many Kubernetes users will also run an external policy engine.
    ● It can be deactivated partially (per mode or per namespace) or entirely, so it coexists with external admission controllers such as OPA.
    ● KEP-2579: Pod Security Admission Control
    ● https://github.com/kubernetes/enhancements/blob/master/keps/sig-auth/2579-psp-replacement/README.md
  • 12. Pod Security Admission (PSA)
    ● Pod Security Admission places requirements on a Pod's securityContext and related fields according to the three levels defined by the Pod Security Standards: privileged, baseline and restricted.
    ● Fields it inspects include:
      ● spec.containers[*].ports (hostPort)
      ● spec.volumes[*].hostPath
      ● spec.securityContext
      ● spec.containers[*].securityContext
  • 13. Pod Security Admission (PSA)
    # kind cluster with the PodSecurity feature gate switched on. This was required
    # on Kubernetes 1.22 (alpha); from 1.23 the gate is enabled by default and from
    # 1.25 the feature is GA, so the featureGates block can be dropped.
    kind: Cluster
    apiVersion: kind.x-k8s.io/v1alpha4
    featureGates:
      PodSecurity: true
    nodes:
    - role: control-plane
    - role: worker
  • 14. Pod Security Admission (PSA)
    Mode     Description
    enforce  Policy violations cause the pod to be rejected.
    audit    Policy violations add an audit annotation to the event recorded in the audit log, but the pod is otherwise allowed.
    warn     Policy violations trigger a user-facing warning, but the pod is otherwise allowed.
  • 15. Pod Security Admission (PSA)
    Before enforcing a level, label the namespaces as a server-side dry run: nothing is changed, but PodSecurity evaluates every existing pod against the level and warns about those that would no longer be admitted.
    $ kubectl label --dry-run=server --overwrite ns --all pod-security.kubernetes.io/enforce=baseline
    Warning: kuard: privileged
    namespace/default labeled
    namespace/kube-node-lease labeled
    namespace/kube-public labeled
    Warning: kube-proxy-vxjwb: host namespaces, hostPath volumes, privileged
    Warning: kube-proxy-zxqzz: host namespaces, hostPath volumes, privileged
    Warning: kube-apiserver-kind-control-plane: host namespaces, hostPath volumes
    Warning: etcd-kind-control-plane: host namespaces, hostPath volumes
    Warning: kube-controller-manager-kind-control-plane: host namespaces, hostPath volumes
    Warning: kindnet-cl5ln: non-default capabilities, host namespaces, hostPath volumes
    Warning: kube-scheduler-kind-control-plane: host namespaces, hostPath volumes
    Warning: kindnet-6ptww: non-default capabilities, host namespaces, hostPath volumes
    namespace/kube-system labeled
    namespace/local-path-storage labeled
  • 16. Pod Security Admission (PSA)
    apiVersion: v1
    kind: Namespace
    metadata:
      name: test-ns
      labels:
        pod-security.kubernetes.io/enforce: baseline
        pod-security.kubernetes.io/audit: restricted
        pod-security.kubernetes.io/warn: restricted
  • 17. Pod Security Admission (PSA)
    apiVersion: v1
    kind: Pod
    metadata:
      name: nginx
    spec:
      containers:
      - image: nginx
        name: nginx
        ports:
        - containerPort: 80
  • 18. Pod Security Admission (PSA)
    $ kubectl apply -f pod.yaml
    Warning: would violate "latest" version of "restricted" PodSecurity profile: allowPrivilegeEscalation != false (container "nginx" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "nginx" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "nginx" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "nginx" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
    pod/nginx created
    $ kubectl get pods
    NAME    READY   STATUS    RESTARTS   AGE
    nginx   1/1     Running   0          6s
    The pod satisfies the enforced "baseline" level, so it is created; the warning comes from the "restricted" warn level and lists exactly what the manifest would need in order to pass it.
  • 19. Pod Security Admission (PSA)
    The same violations recorded by the audit mode, as the pod-security.kubernetes.io/audit annotation on the API audit event:
    {
      "kind": "Event",
      "apiVersion": "audit.k8s.io/v1",
      "level": "Metadata",
      "auditID": "808ca159-914c-43fa-b4c8-dee5cb2fc440",
      "stage": "ResponseComplete",
      "requestURI": "/api/v1/namespaces/default/pods?fieldManager=kubectl-create",
      "verb": "create",
      "user": {"username": "kubernetes-admin", "groups": ["system:masters", "system:authenticated"]},
      "sourceIPs": ["172.18.0.1"],
      "userAgent": "kubectl/v1.22.0 (darwin/amd64) kubernetes/c2b5237",
      "objectRef": {"resource": "pods", "namespace": "default", "name": "nginx", "apiVersion": "v1"},
      "responseStatus": {"metadata": {}, "code": 201},
      "requestReceivedTimestamp": "2023-08-21T03:30:26.605589Z",
      "stageTimestamp": "2023-08-21T03:30:26.627123Z",
      "annotations": {
        "authorization.k8s.io/decision": "allow",
        "authorization.k8s.io/reason": "",
        "pod-security.kubernetes.io/audit": "allowPrivilegeEscalation != false (container \"nginx\" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container \"nginx\" must set securityContext.capabilities.drop=[\"ALL\"]), runAsNonRoot != true (pod or container \"nginx\" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container \"nginx\" must set securityContext.seccompProfile.type to \"RuntimeDefault\" or \"Localhost\")"
      }
    }
  • 20. Pod Security Admission (PSA)
    Cluster-wide defaults for namespaces that carry no labels, passed to the API server with --admission-control-config-file:
    apiVersion: apiserver.config.k8s.io/v1
    kind: AdmissionConfiguration
    plugins:
    - name: PodSecurity
      configuration:
        # v1alpha1 is the Kubernetes 1.22 API; use v1beta1 on 1.23/1.24 and v1 from 1.25.
        apiVersion: pod-security.admission.config.k8s.io/v1alpha1
        kind: PodSecurityConfiguration
        defaults:
          enforce: "baseline"
          enforce-version: "latest"
          audit: "restricted"
          audit-version: "latest"
          warn: "restricted"
          warn-version: "latest"
        exemptions:
          usernames: []
          runtimeClassNames: []
          # exempting kube-system keeps the control-plane and CNI pods flagged in the
          # dry run (host namespaces, hostPath volumes) from being rejected
          namespaces: [kube-system]
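    The following added example is not code from the talk or from Kubernetes. It models in Python what the PodSecurity plugin does across slides 14 to 20: the enforce/audit/warn modes, the namespace labels taking precedence over the AdmissionConfiguration defaults, and the baseline and restricted checks that appear in the deck's own warnings. The inputs are constructed (the test-ns labels from slide 16, the nginx pod from slide 17, a hardened variant of it, and a privileged debug pod); only the checks named in the deck are implemented, the "-version" labels are ignored, and all function and constant names are the example's own.

```python
"""Pod Security Admission modelled offline.

Added example, not code from the talk or from Kubernetes.  It re-implements
the checks the deck's PodSecurity messages name (baseline: privileged, host
namespaces, hostPath volumes, non-default capabilities; restricted: the four
requirements in the slide 18 warning) plus the enforce/audit/warn semantics.
"""

LABEL = "pod-security.kubernetes.io/"

# The only values the baseline profile accepts in capabilities.add.
BASELINE_ALLOWED_ADD = {
    "AUDIT_WRITE", "CHOWN", "DAC_OVERRIDE", "FOWNER", "FSETID", "KILL", "MKNOD",
    "NET_BIND_SERVICE", "SETFCAP", "SETGID", "SETPCAP", "SETUID", "SYS_CHROOT",
}

def _containers(pod):
    spec = pod.get("spec", {})
    return (spec.get("initContainers", []) + spec.get("containers", [])
            + spec.get("ephemeralContainers", []))

def baseline_violations(pod):
    """Baseline checks seen in the deck's `kubectl label --dry-run=server` output."""
    spec, out = pod.get("spec", {}), []
    if any(spec.get(k) for k in ("hostNetwork", "hostPID", "hostIPC")):
        out.append("host namespaces")
    if any("hostPath" in v for v in spec.get("volumes", [])):
        out.append("hostPath volumes")
    for c in _containers(pod):
        sc = c.get("securityContext", {})
        if sc.get("privileged"):
            out.append(f'privileged (container "{c["name"]}")')
        extra = set(sc.get("capabilities", {}).get("add", [])) - BASELINE_ALLOWED_ADD
        if extra:
            out.append(f'non-default capabilities (container "{c["name"]}" adds {sorted(extra)})')
    return out

def restricted_violations(pod):
    """Restricted = baseline plus the four requirements quoted on slide 18."""
    out = baseline_violations(pod)
    pod_sc = pod.get("spec", {}).get("securityContext", {})
    for c in _containers(pod):
        sc, name = c.get("securityContext", {}), c["name"]
        if sc.get("allowPrivilegeEscalation") is not False:
            out.append(f'allowPrivilegeEscalation != false (container "{name}")')
        if "ALL" not in sc.get("capabilities", {}).get("drop", []):
            out.append(f'unrestricted capabilities (container "{name}" must drop ["ALL"])')
        # runAsNonRoot and seccompProfile may be set once on the pod and inherited.
        if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
            out.append(f'runAsNonRoot != true (pod or container "{name}")')
        seccomp = sc.get("seccompProfile", pod_sc.get("seccompProfile", {})).get("type")
        if seccomp not in ("RuntimeDefault", "Localhost"):
            out.append(f'seccompProfile (pod or container "{name}")')
    return out

PROFILES = {"privileged": lambda pod: [],       # unrestricted: nothing is checked
            "baseline": baseline_violations,
            "restricted": restricted_violations}

def admit(pod, ns_labels, defaults=None):
    """Evaluate the three modes like the PodSecurity plugin: the namespace label
    wins, else the AdmissionConfiguration default, else "privileged".  Returns
    the admission decision, user-facing warnings and the audit annotation text."""
    defaults = defaults or {}
    result = {"admitted": True, "violations": {}, "warnings": [], "audit": None}
    for mode in ("enforce", "audit", "warn"):
        level = ns_labels.get(LABEL + mode, defaults.get(mode, "privileged"))
        violations = PROFILES[level](pod)
        if not violations:
            continue
        result["violations"][mode] = violations
        if mode == "enforce":
            result["admitted"] = False            # the API server rejects the pod
        elif mode == "audit":
            result["audit"] = ", ".join(violations)
        else:
            result["warnings"].append(
                f'would violate "latest" version of "{level}" PodSecurity profile: '
                + ", ".join(violations))
    return result

# Constructed inputs: the slide 16 namespace labels, the slide 17 nginx pod, the
# same pod hardened to satisfy "restricted", and a privileged debug pod.
TEST_NS_LABELS = {LABEL + "enforce": "baseline",
                  LABEL + "audit": "restricted", LABEL + "warn": "restricted"}
NGINX_POD = {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "nginx"},
             "spec": {"containers": [{"name": "nginx", "image": "nginx",
                                      "ports": [{"containerPort": 80}]}]}}
HARDENED_POD = {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "nginx"},
                "spec": {"securityContext": {"runAsNonRoot": True,
                                             "seccompProfile": {"type": "RuntimeDefault"}},
                         # an image that really runs unprivileged, or runAsNonRoot fails at start
                         "containers": [{"name": "nginx", "image": "nginxinc/nginx-unprivileged",
                                         "securityContext": {"allowPrivilegeEscalation": False,
                                                             "capabilities": {"drop": ["ALL"]}}}]}}
PRIVILEGED_POD = {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "debug"},
                  "spec": {"hostPID": True,
                           "containers": [{"name": "debug", "image": "busybox",
                                           "securityContext": {"privileged": True}}]}}

if __name__ == "__main__":
    for pod in (NGINX_POD, HARDENED_POD, PRIVILEGED_POD):
        print(pod["metadata"]["name"], admit(pod, TEST_NS_LABELS))
```

    Run as a script it reproduces the deck's outcome: the slide 17 pod is admitted under the enforced baseline level but collects a restricted warning and audit annotation, the hardened pod is clean at every level, and the privileged pod is rejected by enforce. The same pod with no namespace labels and no defaults is admitted without a word, which is why the slide 20 cluster defaults matter.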
  • 22. Open Policy Agent (OPA)
    ● Policy engine for cloud-native authorization.
    ● It standardises how policy is defined and managed across the whole cloud-native stack.
    ● Combined with Kubernetes (as a validating admission webhook, for example through OPA Gatekeeper), OPA can enforce guardrails on the entire system: every object has to satisfy policy before it is admitted.
  • 23. Open Policy Agent (OPA)
    ● Require specific labels on all resources.
    ● Require container images from the corporate image registry.
    ● Require all Pods to specify resource requests and limits.
    ● Prevent conflicting Ingress objects from being created.
  • 27. Pod Security Admission (PSA) vs Open Policy Agent (OPA)
    Pod Security Admission (PSA)    Open Policy Agent (OPA)
    Simplicity                      Flexibility
    Native integration              Customization
    Performance                     External control
    Limited attack surface          Compliance
  • 28. Pod Security Admission (PSA) vs Open Policy Agent (OPA)
    Questions a policy engine can answer that PSA cannot:
    ● Which users can access which resources?
    ● Which subnets is egress traffic allowed to?
    ● Which clusters must a workload be deployed to?
    ● Which registries can images be downloaded from?
    ● Which capabilities can a container execute with?
    ● Which times of day can the system be accessed at?
  • 29. Combination of different security strategies
    ● RBAC (Role-Based Access Control)
    ● Pod Security Admission controllers
    ● Network Policies
    ● Secrets Management
    ● Security Contexts
    ● Runtime Security
  • 30. Access to resources in privileged and non-privileged mode
    ● Privileged Mode: securityContext.privileged: true gives the container the full capability set of the host kernel and access to host devices, effectively root on the node.
    ● Non-Privileged Mode*: the container starts with only the runtime's default capability set plus whatever securityContext.capabilities.add grants.
  • 31. Access to resources in privileged and non-privileged mode
    ● Privileged Mode
  • 32. Access to resources in privileged and non-privileged mode
    ● Non Privileged Mode
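    Added example, not from the talk: what privileged and non-privileged mode look like from inside the container. The kernel exposes a process's effective capabilities as a hex bitmask in /proc/self/status (CapEff); the code decodes that mask, reports what a pod's capabilities.add put on top of the runtime's default set (the "non-default capabilities" finding from slide 15, applied to the slide 8 pod), and recognises a privileged container. The three CapEff lines are constructed: the 14-capability default that Docker/containerd give an unprivileged container, the value the slide 8 pod (add: NET_ADMIN, SYS_TIME) ends up with, and a privileged container on a recent kernel. Function names are the example's own.

```python
"""Decode a container's effective Linux capabilities (privileged vs non-privileged).

Added example, not part of the talk.  Reads the CapEff bitmask the kernel shows
in /proc/<pid>/status and maps it to capability names per capabilities(7).
"""
import re

# Capability names indexed by bit number (CAP_CHOWN = 0 ... CAP_CHECKPOINT_RESTORE = 40).
CAP_NAMES = [
    "CHOWN", "DAC_OVERRIDE", "DAC_READ_SEARCH", "FOWNER", "FSETID", "KILL",
    "SETGID", "SETUID", "SETPCAP", "LINUX_IMMUTABLE", "NET_BIND_SERVICE",
    "NET_BROADCAST", "NET_ADMIN", "NET_RAW", "IPC_LOCK", "IPC_OWNER", "SYS_MODULE",
    "SYS_RAWIO", "SYS_CHROOT", "SYS_PTRACE", "SYS_PACCT", "SYS_ADMIN", "SYS_BOOT",
    "SYS_NICE", "SYS_RESOURCE", "SYS_TIME", "SYS_TTY_CONFIG", "MKNOD", "LEASE",
    "AUDIT_WRITE", "AUDIT_CONTROL", "SETFCAP", "MAC_OVERRIDE", "MAC_ADMIN", "SYSLOG",
    "WAKE_ALARM", "BLOCK_SUSPEND", "AUDIT_READ", "PERFMON", "BPF", "CHECKPOINT_RESTORE",
]

# Default capability set of Docker/containerd for a non-privileged container (14 caps).
RUNTIME_DEFAULT = 0x00000000A80425FB

# The only values the Pod Security Standards baseline profile allows in capabilities.add.
BASELINE_ALLOWED_ADD = {
    "AUDIT_WRITE", "CHOWN", "DAC_OVERRIDE", "FOWNER", "FSETID", "KILL", "MKNOD",
    "NET_BIND_SERVICE", "SETFCAP", "SETGID", "SETPCAP", "SETUID", "SYS_CHROOT",
}

def decode_caps(mask):
    """Translate a CapEff/CapBnd bitmask into a set of capability names."""
    return {name for bit, name in enumerate(CAP_NAMES) if mask >> bit & 1}

def cap_eff_from_status(status_text):
    """Extract the effective set from the text of /proc/<pid>/status."""
    m = re.search(r"^CapEff:\s*([0-9a-fA-F]+)$", status_text, re.MULTILINE)
    if not m:
        raise ValueError("no CapEff line in status text")
    return int(m.group(1), 16)

def added_caps(mask, base=RUNTIME_DEFAULT):
    """Capabilities present in the mask that the runtime default did not grant."""
    return decode_caps(mask & ~base)

def baseline_disallowed(mask, base=RUNTIME_DEFAULT):
    """Additions the PSS baseline profile rejects as 'non-default capabilities'."""
    return added_caps(mask, base) - BASELINE_ALLOWED_ADD

def is_privileged(mask):
    """privileged: true hands the container every capability the kernel knows.
    How many that is depends on the kernel; bits 0-37 exist on anything since 3.16."""
    return decode_caps(mask) >= set(CAP_NAMES[:38])

def current_caps():
    """Effective capabilities of this process (Linux only; run it inside a pod)."""
    with open("/proc/self/status") as f:
        return decode_caps(cap_eff_from_status(f.read()))

# Constructed /proc/self/status excerpts (not captured from a real cluster).
STATUS_DEFAULT = "Name:\tnginx\nCapInh:\t0000000000000000\nCapEff:\t00000000a80425fb\n"
STATUS_SLIDE8 = "Name:\tnginx\nCapInh:\t0000000000000000\nCapEff:\t00000000aa0435fb\n"
STATUS_PRIV = "Name:\tsh\nCapInh:\t0000000000000000\nCapEff:\t000001ffffffffff\n"

if __name__ == "__main__":
    for label, text in (("default", STATUS_DEFAULT), ("slide 8", STATUS_SLIDE8),
                        ("privileged", STATUS_PRIV)):
        mask = cap_eff_from_status(text)
        print(label, "privileged" if is_privileged(mask) else "non-privileged",
              "added:", sorted(added_caps(mask)),
              "baseline rejects:", sorted(baseline_disallowed(mask)))
```

    The non-privileged nginx container holds 14 capabilities; the slide 8 pod adds NET_ADMIN and SYS_TIME, both of which baseline refuses; the privileged container holds all 41 on a 5.9+ kernel, SYS_ADMIN included, which is why privileged: true is treated as node root rather than as one more capability. Inside a real pod, current_caps() performs the same decoding on the live process, and `grep CapEff /proc/self/status` gives the raw value when Python is not available.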
  • 33. Conclusions
    ● Security
    ● Functionality
    ● Isolation
    ● Attack Surface
    ● Principle of least privilege