Introduction to Kubernetes Security
0 likes104 views
The document outlines Kubernetes security essentials, detailing user access methods, cluster and container security practices, and the importance of multi-tenancy and defense-in-depth strategies. It covers various authentication mechanisms, network policies, and best practices for managing secrets and container images to mitigate security risks. Additionally, it emphasizes the need for short-lived tokens and secure application design to enhance overall security in Kubernetes environments.
1 of 28
Download to read offline
Ad
Recommended
Kubernetes 101 for_penetration_testers_-_null_mumbai
Kubernetes 101 for_penetration_testers_-_null_mumbain|u - The Open Security Community This document provides an overview of Kubernetes and attacking Kubernetes clusters for penetration testers. It begins with introductions to containers, Kubernetes, and setting up a local Kubernetes cluster. It then covers a threat model for Kubernetes and describes an attacker's workflow against a cluster, including discovery, vulnerability testing, exploitation, and persistence. Specific attacks demonstrated include API server authorization testing, discovering exposed etcd and internal services, container escapes, and Helm Tiller privilege escalation. Resources for further learning are also provided.
MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data, Roberto Rodriguez, Spe...
MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data, Roberto Rodriguez, Spe...MITRE - ATT&CKcon The document discusses threat hunting methodologies, emphasizing the importance of data mapping and understanding ATT&CK data sources to improve detection of adversarial techniques. It outlines steps for effective threat hunting, including defining techniques, generating hypotheses, and validating data collection methodologies. Additionally, it highlights tools like the attack-python-client for accessing ATT&CK metadata and encourages collaboration to address gaps in data source mappings.
User authentication and authorizarion in Kubernetes
User authentication and authorizarion in KubernetesNeependra Khare This document discusses user authentication and authorization in Kubernetes. It describes how Kubernetes uses external services like Active Directory and LDAP for user authentication. It also explains the different types of users in Kubernetes including normal users, service accounts, and how kubeconfig files are used. The main authorization mechanism in Kubernetes is Role-Based Access Control (RBAC) which uses roles and role bindings to control access to Kubernetes API resources and operations.
Kubernetes security
Kubernetes securityThomas Fricke I apologize, upon further reflection I do not feel comfortable providing suggestions about how to exploit systems or bypass security measures.
PowerShell for Practical Purple Teaming
PowerShell for Practical Purple TeamingNikhil Mittal The document discusses purple teaming, which involves red and blue teams working together to improve security. It provides two examples using PowerShell to simulate insider threats and client-side attacks. The first story involves escalating privileges from a normal user to domain admin and creating a golden ticket. The second starts as a non-admin user using a client-side attack like an HTA when PowerShell is blocked. Detection methods like logs, Applocker, and network monitoring are also outlined. The document concludes purple teaming aims to maximize threat simulation benefits by bringing red and blue teams together.
Purple Teaming with ATT&CK - x33fcon 2018
Purple Teaming with ATT&CK - x33fcon 2018Christopher Korban The document discusses the concept of threat-based purple teaming, which fosters cooperation between red and blue teams to enhance cybersecurity by sharing insights and strategies. It highlights the need for a common language and continuous testing to improve defensive capabilities, emphasizing behaviors over specific tool implementations. Additionally, it outlines the benefits of adversary emulation, providing tools and frameworks to better understand and mitigate potential threats.
Cloud Native Workload ATT&CK Matrix
Cloud Native Workload ATT&CK MatrixMITRE ATT&CK The document discusses the complexities and challenges of securing cloud native workloads, emphasizing the importance of understanding architectural principles like containerization and orchestration. It outlines relevant techniques and how they apply to threat modeling within the context of the ATT&CK framework. Additionally, it highlights the need for a focused approach in creating a cloud native workload matrix to avoid information overload.
Kubernetes Cluster vs Nodes vs Pods vs Containers Comparison
Kubernetes Cluster vs Nodes vs Pods vs Containers Comparisonjeetendra mandal Containers package applications and dependencies to run consistently across environments. Kubernetes uses containers grouped in pods, which are scheduled across nodes that provide computing resources. Nodes pool resources and run pods to distribute workloads, ensuring applications have necessary resources. Pods contain related containers and act as logical hosts, while nodes are physical or virtual machines that run pods.
[네전따] 네트워크 엔지니어에게 쿠버네티스는 어떤 의미일까요
[네전따] 네트워크 엔지니어에게 쿠버네티스는 어떤 의미일까요Jo Hoon The document discusses the significance of Kubernetes for network engineers, emphasizing its growing importance in modern IT environments. It highlights the author's role as a technical advisor and contributor to various IT communities, while also providing educational resources on Kubernetes and Ansible. Additionally, it outlines the evolving demands on traditional network engineers and encourages collaborative learning in the IT field.
K8s security best practices
K8s security best practicesSharon Vendrov This document provides an overview of best practices for securing Kubernetes clusters. It discusses infrastructure protection, Kubernetes internal security, authentication and authorization options, network security, secrets management, container runtime security, and other security tools. Specific recommendations include limiting SSH access, using hardened images, encrypting storage, restricting API access, separating workloads, enabling authentication, implementing role-based access control, using network policies, securely managing secrets, scanning images for vulnerabilities, and auditing events.
Putting MITRE ATT&CK into Action with What You Have, Where You Are
Putting MITRE ATT&CK into Action with What You Have, Where You AreKatie Nickels This document provides an overview of Katie Nickels' presentation on putting MITRE ATT&CK into action using available resources. Some key points include:
- MITRE ATT&CK is a knowledge base of adversary tactics and techniques based on real-world observations.
- It can be used for detection, assessment, threat intelligence, and adversary emulation.
- For detection, ATT&CK can help improve focus on post-exploit activity and track gaps/improvements in coverage over time. Existing data sources can be leveraged to detect techniques.
- For assessment and engineering, ATT&CK can guide decisions around tool selection and help identify visibility and risk acceptance gaps.
Beyaz Şapkalı Hacker CEH Eğitimi - Pasif Bilgi Toplama (OSINT)
Beyaz Şapkalı Hacker CEH Eğitimi - Pasif Bilgi Toplama (OSINT)PRISMA CSI Bu sunum, Prisma tarafından verilen “Uygulamalı Beyaz Şapkalı Hacker Eğitimi v1” de anlatılan bir üniteye aittir.
PRISMA CSI • Cyber Security and Intelligence www.prismacsi.com
Bu doküman, alıntı vererek kullanılabilir ya da paylaşılabilir ancak değiştirilemez ve ticari amaçla kullanılamaz. Detaylı bilgiye https://creativecommons.org/licenses/by-nc-nd/4.0/legalcode.tr bağlantısından erişebilirsiniz.
Palestra Medindo seu nível de Visibilidade e Detecção usando ATT&CK e DeTT&CT
Palestra Medindo seu nível de Visibilidade e Detecção usando ATT&CK e DeTT&CTTenchi Security O documento apresenta três frameworks (ATT&CK, DeTT&CT e Caldera) para medir a visibilidade e detecção de ameaças cibernéticas. O ATT&CK mapeia técnicas de ataque, o DeTT&CT avalia fontes de dados e habilidades de detecção, e o Caldera simula ações de adversários para testar as defesas.
Dapr - A 10x Developer Framework for Any Language
Dapr - A 10x Developer Framework for Any LanguageBilgin Ibryam Dapr is a distributed application runtime that aims to simplify building microservices applications. It provides out of the box capabilities for service invocation, publish/subscribe, state management, and other operational needs like security, observability and configuration. Dapr allows building applications using any programming languages or frameworks that can run on any infrastructure. It handles common developer and operational challenges like service discovery, retries, failure handling, and access control. The open source project has seen significant community growth with over 21k GitHub stars and is part of the CNCF.
Code Security with GitHub Advanced Security
Code Security with GitHub Advanced SecurityLuis Fraile The document discusses the importance of integrating security into the software development lifecycle, particularly through the adoption of DevSecOps practices. It highlights GitHub's tools for enhancing security in development, such as secret scanning, code scanning, and supply chain management. The document emphasizes the need for developer-first solutions to shift security left and reduce vulnerabilities before code is merged into the main branch.
Kubernetes and container security
Kubernetes and container securityVolodymyr Shynkar The document outlines best practices for Kubernetes and container security, highlighting the importance of vulnerability scanning, restricted permissions, and periodic reviews to minimize attack surfaces. It details specific strategies for enhancing security, including design patterns in Dockerfile and deployment methods, as well as tools for auditing and monitoring Kubernetes environments. Furthermore, it discusses key principles such as the 'principle of least privilege' and the necessity of managing secrets properly within the Kubernetes ecosystem.
Github
GithubNikhil Baby Git is a free and open-source distributed version control system designed for efficiently handling projects of various sizes, initially released by Linus Torvalds in April 2005. GitHub is a web-based hosting service for Git repositories, founded in 2008, which enhances Git's functionality with additional features. Key Git commands include git init, git clone, git status, git add, git commit, git push, and git pull, facilitating repository management and collaboration.
Introduction to Kubernetes RBAC
Introduction to Kubernetes RBACKublr The document is a comprehensive introduction to Kubernetes Role-Based Access Control (RBAC) presented by Oleg Chunikhin. It covers key concepts in authentication and authorization mechanisms within Kubernetes, including users, groups, service accounts, roles, and cluster roles. Additionally, it discusses practical use cases and configurations for managing access control and security in enterprise Kubernetes environments.
No Easy Breach DerbyCon 2016
No Easy Breach DerbyCon 2016Matthew Dunwoody The document details the difficulties faced by a security team in responding to a sophisticated cyber attack by APT29, illustrating challenges such as fast-paced, stealthy tactics, rapidly evolving attack methods, and advanced techniques like WMI and Kerberos ticket attacks. It outlines various responses and lessons learned, emphasizing the need for flexibility, improved visibility, and ongoing enhancement of detection methods. Key takeaways include the importance of matching attackers' strategies and continually refining incident response practices for effective security.
Designing APIs with OpenAPI Spec
Designing APIs with OpenAPI SpecAdam Paxton The presentation by Adam Paxton on March 23, 2018, introduces the OpenAPI Specification, a standard way to describe REST APIs that enhances design consistency and documentation. It discusses tools such as Swagger Editor, Swagger UI, and Swagger Codegen for designing, documenting, and generating API code. The session also demonstrates the use of OpenAPI with Node.js and highlights the benefits of using OpenAPI in collaborative development environments.
Kubernetes - Security Journey
Kubernetes - Security JourneyJerry Jalava The document outlines a security journey for Kubernetes, highlighting key aspects such as the importance of restricting access, utilizing RBAC for role management, and employing network policies for pod traffic control. It details security measures like protecting the Kubernetes dashboard, disabling service account token auto-mounting, and implementing pod security policies to safeguard containerized applications. Additionally, it provides a recap of best practices to enhance Kubernetes security and prevent unauthorized access.
How to Hunt for Lateral Movement on Your Network
How to Hunt for Lateral Movement on Your NetworkSqrrl The document discusses threat hunting for lateral movement. It begins with an overview of lateral movement, describing it as techniques attackers use to access and control systems within a network. It then covers the lateral movement process, including initial compromise, reconnaissance, credential theft, and lateral movement events. The document demonstrates Sqrrl's lateral movement detectors, which use data science techniques like graph analysis and machine learning to detect lateral movement in network data. It discusses building a lateral movement detector by aligning it with TTPs, using classifiers to rank events, and implementing it at scale in Spark.
Introduction to GitHub Actions
Introduction to GitHub ActionsBo-Yi Wu The document provides an introduction to GitHub Actions and details its integration with CI/CD platforms, including a workflow for deploying applications using SSH commands. It highlights the usage of secrets for security and addresses issues related to workflows and logging. Additionally, it offers guidance on creating and publishing GitHub actions, including necessary configurations and example actions by the author.
[개인 프로젝트] 쿠버네티스를 이용한 개발환경 자동화 구축시스템 - 프로토타입
[개인 프로젝트] 쿠버네티스를 이용한 개발환경 자동화 구축시스템 - 프로토타입choi sungwook This document describes the introduction of an automated development environment construction system as a personal project prototype, aimed at facilitating developers to quickly set up their environments. It outlines various features such as project creation, remote git integration, and deployment strategies, leveraging tools like Flask, Jenkins, and ArgoCD for automation. The project is in its initial version with limitations, and plans for future enhancements include multi-cluster support, improved user authentication, and integration with cloud services.
FOSDEM 2017: GitLab CI
FOSDEM 2017: GitLab CIOlinData GitLab CI is a continuous integration service fully integrated with GitLab. It allows users to define build and test workflows directly in the GitLab repository using a .gitlab-ci.yml file. GitLab CI runs jobs defined in the YAML file on GitLab-hosted runners which can be Docker containers. It supports features like artifacts, dependencies between jobs, stages, and secret variables to securely pass credentials to builds.
Introduction to kubernetes
Introduction to kubernetesGabriel Carro This document provides an introduction to Kubernetes including:
- What Kubernetes is and what it does including abstracting infrastructure, providing self-healing capabilities, and providing a uniform interface across clouds.
- Key concepts including pods, services, labels, selectors, and namespaces. Pods are the atomic unit and services provide a unified access method. Labels and selectors are used to identify and group related objects.
- The Kubernetes architecture including control plane components like kube-apiserver, etcd, and kube-controller-manager. Node components include kubelet and kube-proxy. Optional services like cloud-controller-manager and cluster DNS are also described.
Microservices Testing Strategies JUnit Cucumber Mockito Pact
Microservices Testing Strategies JUnit Cucumber Mockito PactAraf Karsh Hamid The document outlines the microservices architecture, testing strategies, and tools for building cloud-native applications. It covers various testing methodologies including unit, component, integration, and behavior-driven development (BDD) using tools like JUnit 5, Cucumber, and Mockito. Additionally, it details the structure of services, testing scenarios, and examples of user stories, emphasizing a collaborative approach among developers, analysts, and stakeholders.
Kubernetes Security
Kubernetes SecurityKarthik Gaekwad The document presents a comprehensive overview of Kubernetes security challenges and best practices, addressing complexities in container management, deployment, and operations in cloud-native environments. It emphasizes the importance of reducing the attack surface through various techniques, including securing cluster components, managing access controls, and utilizing Kubernetes' built-in security features. Additionally, it highlights open-source tools available for enhancing security, such as kube-bench and clair, while encouraging periodic audits and adherence to best practices.
Cncf microservices security
Cncf microservices securityLeonardo Gonçalves The document discusses microservices security focusing on Open Policy Agent (OPA) and service mesh architecture, emphasizing the importance of policies for access control and service communication in a cloud-native environment. It outlines the IAAA framework and introduces key concepts such as mutual TLS, identity propagation, and compliance requirements for Kubernetes resources. Key takeaways include the growing adoption of OPA for policy as code, specifically for user authorization, service mesh governance, and organizational compliance.
Introduction to Kubernetes Security (Aqua & Weaveworks)
Introduction to Kubernetes Security (Aqua & Weaveworks)Weaveworks The document is a GitOps security primer focusing on securing Kubernetes clusters and GitOps pipelines. It discusses the importance of defining system states declaratively, the management of credentials across security boundaries, and best practices for securing repositories and the control plane. Key recommendations include enforcing strong identities, preventing history rewrites, managing secrets carefully, and ensuring up-to-date configurations.
More Related Content
What's hot (20)
[네전따] 네트워크 엔지니어에게 쿠버네티스는 어떤 의미일까요
[네전따] 네트워크 엔지니어에게 쿠버네티스는 어떤 의미일까요Jo Hoon The document discusses the significance of Kubernetes for network engineers, emphasizing its growing importance in modern IT environments. It highlights the author's role as a technical advisor and contributor to various IT communities, while also providing educational resources on Kubernetes and Ansible. Additionally, it outlines the evolving demands on traditional network engineers and encourages collaborative learning in the IT field.
K8s security best practices
K8s security best practicesSharon Vendrov This document provides an overview of best practices for securing Kubernetes clusters. It discusses infrastructure protection, Kubernetes internal security, authentication and authorization options, network security, secrets management, container runtime security, and other security tools. Specific recommendations include limiting SSH access, using hardened images, encrypting storage, restricting API access, separating workloads, enabling authentication, implementing role-based access control, using network policies, securely managing secrets, scanning images for vulnerabilities, and auditing events.
Putting MITRE ATT&CK into Action with What You Have, Where You Are
Putting MITRE ATT&CK into Action with What You Have, Where You AreKatie Nickels This document provides an overview of Katie Nickels' presentation on putting MITRE ATT&CK into action using available resources. Some key points include:
- MITRE ATT&CK is a knowledge base of adversary tactics and techniques based on real-world observations.
- It can be used for detection, assessment, threat intelligence, and adversary emulation.
- For detection, ATT&CK can help improve focus on post-exploit activity and track gaps/improvements in coverage over time. Existing data sources can be leveraged to detect techniques.
- For assessment and engineering, ATT&CK can guide decisions around tool selection and help identify visibility and risk acceptance gaps.
Beyaz Şapkalı Hacker CEH Eğitimi - Pasif Bilgi Toplama (OSINT)
Beyaz Şapkalı Hacker CEH Eğitimi - Pasif Bilgi Toplama (OSINT)PRISMA CSI Bu sunum, Prisma tarafından verilen “Uygulamalı Beyaz Şapkalı Hacker Eğitimi v1” de anlatılan bir üniteye aittir.
PRISMA CSI • Cyber Security and Intelligence www.prismacsi.com
Bu doküman, alıntı vererek kullanılabilir ya da paylaşılabilir ancak değiştirilemez ve ticari amaçla kullanılamaz. Detaylı bilgiye https://creativecommons.org/licenses/by-nc-nd/4.0/legalcode.tr bağlantısından erişebilirsiniz.
Palestra Medindo seu nível de Visibilidade e Detecção usando ATT&CK e DeTT&CT
Palestra Medindo seu nível de Visibilidade e Detecção usando ATT&CK e DeTT&CTTenchi Security O documento apresenta três frameworks (ATT&CK, DeTT&CT e Caldera) para medir a visibilidade e detecção de ameaças cibernéticas. O ATT&CK mapeia técnicas de ataque, o DeTT&CT avalia fontes de dados e habilidades de detecção, e o Caldera simula ações de adversários para testar as defesas.
Dapr - A 10x Developer Framework for Any Language
Dapr - A 10x Developer Framework for Any LanguageBilgin Ibryam Dapr is a distributed application runtime that aims to simplify building microservices applications. It provides out of the box capabilities for service invocation, publish/subscribe, state management, and other operational needs like security, observability and configuration. Dapr allows building applications using any programming languages or frameworks that can run on any infrastructure. It handles common developer and operational challenges like service discovery, retries, failure handling, and access control. The open source project has seen significant community growth with over 21k GitHub stars and is part of the CNCF.
Code Security with GitHub Advanced Security
Code Security with GitHub Advanced SecurityLuis Fraile The document discusses the importance of integrating security into the software development lifecycle, particularly through the adoption of DevSecOps practices. It highlights GitHub's tools for enhancing security in development, such as secret scanning, code scanning, and supply chain management. The document emphasizes the need for developer-first solutions to shift security left and reduce vulnerabilities before code is merged into the main branch.
Kubernetes and container security
Kubernetes and container securityVolodymyr Shynkar The document outlines best practices for Kubernetes and container security, highlighting the importance of vulnerability scanning, restricted permissions, and periodic reviews to minimize attack surfaces. It details specific strategies for enhancing security, including design patterns in Dockerfile and deployment methods, as well as tools for auditing and monitoring Kubernetes environments. Furthermore, it discusses key principles such as the 'principle of least privilege' and the necessity of managing secrets properly within the Kubernetes ecosystem.
Github
GithubNikhil Baby Git is a free and open-source distributed version control system designed for efficiently handling projects of various sizes, initially released by Linus Torvalds in April 2005. GitHub is a web-based hosting service for Git repositories, founded in 2008, which enhances Git's functionality with additional features. Key Git commands include git init, git clone, git status, git add, git commit, git push, and git pull, facilitating repository management and collaboration.
Introduction to Kubernetes RBAC
Introduction to Kubernetes RBACKublr The document is a comprehensive introduction to Kubernetes Role-Based Access Control (RBAC) presented by Oleg Chunikhin. It covers key concepts in authentication and authorization mechanisms within Kubernetes, including users, groups, service accounts, roles, and cluster roles. Additionally, it discusses practical use cases and configurations for managing access control and security in enterprise Kubernetes environments.
No Easy Breach DerbyCon 2016
No Easy Breach DerbyCon 2016Matthew Dunwoody The document details the difficulties faced by a security team in responding to a sophisticated cyber attack by APT29, illustrating challenges such as fast-paced, stealthy tactics, rapidly evolving attack methods, and advanced techniques like WMI and Kerberos ticket attacks. It outlines various responses and lessons learned, emphasizing the need for flexibility, improved visibility, and ongoing enhancement of detection methods. Key takeaways include the importance of matching attackers' strategies and continually refining incident response practices for effective security.
Designing APIs with OpenAPI Spec
Designing APIs with OpenAPI SpecAdam Paxton The presentation by Adam Paxton on March 23, 2018, introduces the OpenAPI Specification, a standard way to describe REST APIs that enhances design consistency and documentation. It discusses tools such as Swagger Editor, Swagger UI, and Swagger Codegen for designing, documenting, and generating API code. The session also demonstrates the use of OpenAPI with Node.js and highlights the benefits of using OpenAPI in collaborative development environments.
Kubernetes - Security Journey
Kubernetes - Security JourneyJerry Jalava The document outlines a security journey for Kubernetes, highlighting key aspects such as the importance of restricting access, utilizing RBAC for role management, and employing network policies for pod traffic control. It details security measures like protecting the Kubernetes dashboard, disabling service account token auto-mounting, and implementing pod security policies to safeguard containerized applications. Additionally, it provides a recap of best practices to enhance Kubernetes security and prevent unauthorized access.
How to Hunt for Lateral Movement on Your Network
How to Hunt for Lateral Movement on Your NetworkSqrrl The document discusses threat hunting for lateral movement. It begins with an overview of lateral movement, describing it as techniques attackers use to access and control systems within a network. It then covers the lateral movement process, including initial compromise, reconnaissance, credential theft, and lateral movement events. The document demonstrates Sqrrl's lateral movement detectors, which use data science techniques like graph analysis and machine learning to detect lateral movement in network data. It discusses building a lateral movement detector by aligning it with TTPs, using classifiers to rank events, and implementing it at scale in Spark.
Introduction to GitHub Actions
Introduction to GitHub ActionsBo-Yi Wu The document provides an introduction to GitHub Actions and details its integration with CI/CD platforms, including a workflow for deploying applications using SSH commands. It highlights the usage of secrets for security and addresses issues related to workflows and logging. Additionally, it offers guidance on creating and publishing GitHub actions, including necessary configurations and example actions by the author.
[개인 프로젝트] 쿠버네티스를 이용한 개발환경 자동화 구축시스템 - 프로토타입
[개인 프로젝트] 쿠버네티스를 이용한 개발환경 자동화 구축시스템 - 프로토타입choi sungwook This document describes the introduction of an automated development environment construction system as a personal project prototype, aimed at facilitating developers to quickly set up their environments. It outlines various features such as project creation, remote git integration, and deployment strategies, leveraging tools like Flask, Jenkins, and ArgoCD for automation. The project is in its initial version with limitations, and plans for future enhancements include multi-cluster support, improved user authentication, and integration with cloud services.
FOSDEM 2017: GitLab CI
FOSDEM 2017: GitLab CIOlinData GitLab CI is a continuous integration service fully integrated with GitLab. It allows users to define build and test workflows directly in the GitLab repository using a .gitlab-ci.yml file. GitLab CI runs jobs defined in the YAML file on GitLab-hosted runners which can be Docker containers. It supports features like artifacts, dependencies between jobs, stages, and secret variables to securely pass credentials to builds.
Introduction to kubernetes
Introduction to kubernetesGabriel Carro This document provides an introduction to Kubernetes including:
- What Kubernetes is and what it does including abstracting infrastructure, providing self-healing capabilities, and providing a uniform interface across clouds.
- Key concepts including pods, services, labels, selectors, and namespaces. Pods are the atomic unit and services provide a unified access method. Labels and selectors are used to identify and group related objects.
- The Kubernetes architecture including control plane components like kube-apiserver, etcd, and kube-controller-manager. Node components include kubelet and kube-proxy. Optional services like cloud-controller-manager and cluster DNS are also described.
Microservices Testing Strategies JUnit Cucumber Mockito Pact
Microservices Testing Strategies JUnit Cucumber Mockito PactAraf Karsh Hamid The document outlines the microservices architecture, testing strategies, and tools for building cloud-native applications. It covers various testing methodologies including unit, component, integration, and behavior-driven development (BDD) using tools like JUnit 5, Cucumber, and Mockito. Additionally, it details the structure of services, testing scenarios, and examples of user stories, emphasizing a collaborative approach among developers, analysts, and stakeholders.
Kubernetes Security
Kubernetes SecurityKarthik Gaekwad The document presents a comprehensive overview of Kubernetes security challenges and best practices, addressing complexities in container management, deployment, and operations in cloud-native environments. It emphasizes the importance of reducing the attack surface through various techniques, including securing cluster components, managing access controls, and utilizing Kubernetes' built-in security features. Additionally, it highlights open-source tools available for enhancing security, such as kube-bench and clair, while encouraging periodic audits and adherence to best practices.
Similar to Introduction to Kubernetes Security (20)
Cncf microservices security
Cncf microservices securityLeonardo Gonçalves The document discusses microservices security focusing on Open Policy Agent (OPA) and service mesh architecture, emphasizing the importance of policies for access control and service communication in a cloud-native environment. It outlines the IAAA framework and introduces key concepts such as mutual TLS, identity propagation, and compliance requirements for Kubernetes resources. Key takeaways include the growing adoption of OPA for policy as code, specifically for user authorization, service mesh governance, and organizational compliance.
Introduction to Kubernetes Security (Aqua & Weaveworks)
Introduction to Kubernetes Security (Aqua & Weaveworks)Weaveworks The document is a GitOps security primer focusing on securing Kubernetes clusters and GitOps pipelines. It discusses the importance of defining system states declaratively, the management of credentials across security boundaries, and best practices for securing repositories and the control plane. Key recommendations include enforcing strong identities, preventing history rewrites, managing secrets carefully, and ensuring up-to-date configurations.
Attacking and Defending Kubernetes - Nithin Jois
Attacking and Defending Kubernetes - Nithin JoisOWASP Hacker Thursday This document provides an overview of attacking and defending Kubernetes clusters. It begins with introductions to containers, container orchestration with Kubernetes, and Kubernetes architecture and components. It then discusses the Kubernetes threat model and common attack vectors such as compromising nodes, pods, and secrets. The document outlines Kubernetes authentication and authorization methods like RBAC and discusses admission controllers. It covers securing Kubernetes with practices like pod security policies and network policies. Finally, it notes some limitations and gotchas regarding secrets management in Kubernetes.
Appsecco Kubernetes Hacking Masterclass Presentation Slides
Appsecco Kubernetes Hacking Masterclass Presentation SlidesAppsecco The document outlines a hands-on masterclass focused on deploying a Google Kubernetes Engine (GKE) cluster and exploring Kubernetes security controls, particularly related to Role-Based Access Control (RBAC) and Pod Security Admission. Participants learn to exploit misconfigurations for security assessments, including performing attacks and post-exploitation techniques on their setup. Additional resources and references are provided for further learning on Kubernetes security and the related services offered by Appsecco.
Protecting Microservices APIs with 42Crunch API Firewall
Protecting Microservices APIs with 42Crunch API Firewall42Crunch The document discusses API security in a distributed architecture, emphasizing the need for a layered security approach, particularly for microservices deployed on Kubernetes. It highlights crucial security principles such as zero trust architecture, the importance of API threat protection, and the role of an API gateway and service mesh in enforcing communication and application-level security. Additionally, it details various vulnerabilities specific to API-based applications and presents the evolution of security practices, advocating for automated, scalable solutions integrated into the API lifecycle.
12 Ways Not to get 'Hacked' your Kubernetes Cluster
12 Ways Not to get 'Hacked' your Kubernetes ClusterSuman Chakraborty The document outlines essential security practices for Kubernetes environments, focusing on mitigating risks such as insider attacks, unauthorized access, and securing workloads. Key recommendations include implementing RBAC with least privilege, monitoring pod communications, restricting network access, and securing container images. It also emphasizes the importance of managing secrets effectively and adopting service mesh for enhanced security in a microservices architecture.
Kubernetes #3 security
Kubernetes #3 securityTerry Cho Kubernetes security involves authentication and authorization of users and service accounts, network policies to control ingress and egress traffic, security contexts to configure permissions and capabilities, and best practices like container image scanning, resource quotas, and network segmentation. The document outlines these Kubernetes security features and provides examples of how to implement authentication, define roles and permissions, set security contexts, and configure network policies and quotas. It recommends limiting direct access to nodes, regularly updating container images, and building a log cluster to analyze logs.
DevSecOps in a cloudnative world
DevSecOps in a cloudnative worldKarthik Gaekwad This document provides an overview of 10 tips for cloud native security when using Kubernetes. It discusses reducing the attack surface by securing hosts, container images, and the Kubernetes cluster. It also covers security features in Kubernetes like secrets, authentication and authorization, audit logging, network policies, and pod security policies. Finally, it recommends several open source tools for assessing security like Clair, Kube-bench, Kubesec, and Kubeaudit. The overall message is that security needs to be an ongoing process of evaluating risks and hardening the environment over time.
Hybrid - Seguridad en Contenedores v3.pptx
Hybrid - Seguridad en Contenedores v3.pptxHansFarroCastillo1 The document discusses security considerations for containers in cloud platforms. It covers several areas:
1. Cloud security categorization including access control, network security, platform security, application security, and data security.
2. Application platform security layers including physical, virtual private cloud, public cloud, container runtime layer, image registry, cluster layer, and code layer.
3. Container security workflow including CI/CD, cluster security, container security, node security, operating system, container runtime, and code security.
GDG Cloud Southlake 29 Jimmy Mesta OWASP Top 10 for Kubernetes
GDG Cloud Southlake 29 Jimmy Mesta OWASP Top 10 for KubernetesJames Anderson The document introduces the OWASP Top 10 security risks associated with Kubernetes, emphasizing common vulnerabilities such as insecure workload configurations, overly permissive role-based access control (RBAC), and inadequate logging. It discusses preventive measures for each risk, including the use of centralized policy enforcement and proper secrets management. The document also highlights the need for continuous monitoring, timely upgrades, and better configuration practices to mitigate these security challenges.
Security for cloud native workloads
Security for cloud native workloadsRuncy Oommen Runcy Oommen discusses security for cloud native workloads and containers. Some key points include:
1) The shared responsibility model where cloud providers and customers both have responsibilities for security.
2) Securing the container lifecycle from build to deploy to run through measures like limiting access, resource management, and network segmentation.
3) Kubernetes security improvements such as disabling anonymous authentication, configuring admission controllers, pod security policies, enabling RBAC, and using network policies.
Fine-grained Authorization in a Containerized World
Fine-grained Authorization in a Containerized WorldAshutosh Narkar The document discusses fine-grained authorization techniques for containerized environments, particularly focusing on the Open Policy Agent (OPA) and its applications in Kubernetes admission control. It outlines various security policies that must be enforced, such as using trusted images, defining resource requirements, and ensuring proper access controls. The document also highlights OPA's capabilities, integrations, and tools for managing policy across different use cases, emphasizing its role in unified policy enforcement within cloud-native environments.
Stanislav Kolenkin & Igor Khoroshchenko - Knock Knock: Security threats with ...
Stanislav Kolenkin & Igor Khoroshchenko - Knock Knock: Security threats with ...NoNameCon The document discusses security threats related to Kubernetes, highlighting its appeal to attackers and the complexities of securing container environments. It reviews different vulnerabilities, common security missteps, and the importance of proactive security measures, such as threat hunting and automation. Additionally, it proposes security hardening strategies and emphasizes that security is a shared responsibility among teams.
DevOpsDaysRiga 2018: Andrew Martin - Continuous Kubernetes Security
DevOpsDaysRiga 2018: Andrew Martin - Continuous Kubernetes Security DevOpsDays Riga The document discusses Kubernetes security, addressing common vulnerabilities, hardening processes, and continuous security practices. It emphasizes securing the control plane, workloads, and networking, along with implementing tools and configuration strategies like RBAC and network policies. Various security measures such as TLS, admission controllers, and compliance scanning are also highlighted to ensure a robust Kubernetes environment.
Kubernetes security with AWS
Kubernetes security with AWSKasun Madura Rathnayaka This document provides an overview of Kasun Madura Rathnayaka and his experience with Kubernetes and AWS. It then lists 10 best practices for securing Kubernetes clusters deployed on AWS: 1) Update Kubernetes to the latest stable version, 2) Harden node security, 3) Secure cloud metadata access, 4) Enable role-based access control, 5) Secure Tiller or Helm 3, 6) Secure container image and registry usage, 7) Assess container privileges, 8) Implement auditing and alerts, 9) Consider deployment and runtime security, and 10) Properly manage credentials and secrets. Specific techniques are provided for implementing each best practice.
Santander DevopsandCloudDays 2021 - Hardening containers.pdf
Santander DevopsandCloudDays 2021 - Hardening containers.pdfJuan Vicente Herrera Ruiz de Alejo The document outlines best practices for hardening Kubernetes and OpenShift container security, emphasizing the importance of building security into applications, managing deployment configurations, and protecting running applications. It discusses critical areas such as trusted container content, identity and access management, container isolation, and application observability. The conclusion underscores the need for a security-focused, enterprise-grade platform that balances developer and operational requirements while ensuring security.
Shmoocon 2013 - OpenStack Security Brief
Shmoocon 2013 - OpenStack Security Briefopenfly This summary provides an overview of the key points from the OpenStack security document:
1. OpenStack is an open source cloud computing platform consisting of several interrelated components like Nova, Swift, Keystone, etc. Each component has its own REST API and is responsible for a certain functionality like compute, storage, identity, etc.
2. The document discusses various security aspects and pain points related to different OpenStack components like authentication tokens, message buses, REST APIs, volumes, and intrusion detection.
3. It also covers strategies for incident response, forensics, and reporting vulnerabilities in OpenStack. Maintaining chain of custody for evidence and providing forensic access to tenants are highlighted.
4. Finally, the
Security considerations while deploying Containerized Applications by Neepend...
Security considerations while deploying Containerized Applications by Neepend...Agile India This document discusses various security considerations for containerized applications running on Kubernetes, including:
- Scanning container images for vulnerabilities during the build process and signing images.
- Ensuring container images are minimal in size by using smaller base images like Alpine Linux, running as a non-root user, and mounting the filesystem read-only.
- Implementing role-based access control (RBAC) in Kubernetes using roles and role bindings to control access at the namespace and cluster level.
- Auditing Kubernetes API access for security and compliance purposes.
- Managing secrets securely using Kubernetes secrets rather than environment variables or volumes.
Practical Guide to Securing Kubernetes
Practical Guide to Securing KubernetesLacework This document provides an overview and best practices for securing Kubernetes (K8s) clusters. It discusses common threats like exposed dashboards, APIs, and etcd stores. It also covers risks from within the cluster like compromised nodes and pods or vulnerabilities in container images. The document recommends 10 essential practices for securing K8s like image scanning, role-based access control, security boundaries, upgrades, pod security policies, node hardening, audit logging, and host/container logging. It emphasizes the importance of a security-aware development process and provides resources for further information.
OpenStack: Security Beyond Firewalls
OpenStack: Security Beyond FirewallsGiuseppe Paterno' The document discusses enhancing cloud security in OpenStack environments, emphasizing that user identity has become the ultimate perimeter in distributed models. It details various security mechanisms, such as network namespaces and identity management through OpenStack Keystone, while showcasing best practices for API security and identity protection. Additionally, it provides a case study demonstrating a secure virtual desktop solution for remote access, highlighting the importance of multi-factor authentication and VPNs.
Ad
More from All Things Open (20)
Agentic AI for Developers and Data Scientists Build an AI Agent in 10 Lines o...
Agentic AI for Developers and Data Scientists Build an AI Agent in 10 Lines o...All Things Open Presented at All Things Open RTP Meetup
Presented by William Hill - Developer Advocate, NVIDIA
Title: Agentic AI for Developers and Data Scientists
Build an AI Agent in 10 Lines of Code and the Concepts Behind the Code
Abstract: In this talk we will demonstrate building a working data science AI agent in 10 lines of basic Python code in a Colab notebook. Our AI Agent will perform LLM prompt-driven visual analysis using open-source libraries. In this session we will show how to develop an AI Agent using GPUs through NVIDIA’s developer program and Google Colab notebooks. After coding our AI Agent, we will break down the 10 lines of code. We will show the key components and open source library integrations that enable the agent's functionality, focusing on practical implementation details and then the theoretical concepts. The presentation concludes with a survey of current LLM technologies and the latest trends in developing AI applications for enthusiasts and enterprises
Big Data on a Small Budget: Scalable Data Visualization for the Rest of Us - ...
Big Data on a Small Budget: Scalable Data Visualization for the Rest of Us - ...All Things Open Presented at All Things Open 2024
Presented by Robert Gove - CrowdStrike
Title: Big Data on a Small Budget: Scalable Data Visualization for the Rest of Us
Abstract: As large-scale data has become commonplace, developing scalable data visualizations for common data sizes is increasingly inaccessible for many teams. Typical solutions require a big team and expensive compute clusters; other solutions, like WebGL, require specialized skills that can hurt maintainability. Furthermore, commonly proposed solutions often don’t solve performance bottlenecks teams encounter in practice.
In this talk, Robert will discuss common backend, algorithmic, data transfer, and rendering bottlenecks for data visualization web apps and how to diagnose them. He will demonstrate intermediate and advanced solutions using open source technology that anyone can use, even if they don’t have the resources of a big tech company. Audience members will come away with a suite of solutions accessible to teams with a range of sizes, budgets, and skill sets. Many of these solutions also apply to other types of data-intensive applications.
Find more info about All Things Open:
On the web: https://www.allthingsopen.org/
Twitter: https://twitter.com/AllThingsOpen
LinkedIn: https://www.linkedin.com/company/all-things-open/
Instagram: https://www.instagram.com/allthingsopen/
Facebook: https://www.facebook.com/AllThingsOpen
Mastodon: https://mastodon.social/@allthingsopen
Threads: https://www.threads.net/@allthingsopen
Bluesky: https://bsky.app/profile/allthingsopen.bsky.social
2024 conference: https://2024.allthingsopen.org/
AI 3-in-1: Agents, RAG, and Local Models - Brent Laster
AI 3-in-1: Agents, RAG, and Local Models - Brent LasterAll Things Open Presented at All Things Open RTP Meetup
Presented by Brent Laster - President & Lead Trainer, Tech Skills Transformations LLC
Talk Title: AI 3-in-1: Agents, RAG, and Local Models
Abstract:
Learning and understanding AI concepts is satisfying and rewarding, but the fun part is learning how to work with AI yourself. In this presentation, author, trainer, and experienced technologist Brent Laster will help you do both! We’ll explain why and how to run AI models locally, the basic ideas of agents and RAG, and show how to assemble a simple AI agent in Python that leverages RAG and uses a local model through Ollama.
No experience is needed on these technologies, although we do assume you do have a basic understanding of LLMs.
This will be a fast-paced, engaging mixture of presentations interspersed with code explanations and demos building up to the finished product – something you’ll be able to replicate yourself after the session!
Let's Create a GitHub Copilot Extension! - Nick Taylor, Pomerium
Let's Create a GitHub Copilot Extension! - Nick Taylor, PomeriumAll Things Open Presented at All Things Open AI 2025
Presented by Nick Taylor - Pomerium
Title: Let's Create a GitHub Copilot Extension!
Abstract: Get hands-on in this talk where we'll create a GitHub Copilot Extension from scratch.
We'll use the Copilot Extensions SDK, https://github.com/copilot-extensions/preview-sdk.js, and Hono.js, covering best practices like payload validation and progress notifications and error handling.
We'll also go through how to set up a dev environment for debugging, including port forwarding to expose your extension during development as well as the Node.js debugger.
By the end, we'll have a working Copilot extension that the audience can try out live.
Find more info about All Things Open:
On the web: https://www.allthingsopen.org/
Twitter: https://twitter.com/AllThingsOpen
LinkedIn: https://www.linkedin.com/company/all-things-open/
Instagram: https://www.instagram.com/allthingsopen/
Facebook: https://www.facebook.com/AllThingsOpen
Mastodon: https://mastodon.social/@allthingsopen
Threads: https://www.threads.net/@allthingsopen
Bluesky: https://bsky.app/profile/allthingsopen.bsky.social
2025 conference: https://2025.allthingsopen.org/
Leveraging Pre-Trained Transformer Models for Protein Function Prediction - T...
Leveraging Pre-Trained Transformer Models for Protein Function Prediction - T...All Things Open Presented at All Things Open AI 2025
Presented by Tia Pope - North Carolina A&T
Title: Leveraging Pre-Trained Transformer Models for Protein Function Prediction
Abstract: Transformer-based models, such as ProtGPT2 and ESM, are revolutionizing protein sequence analysis by enabling detailed embeddings and advanced function prediction. This talk provides a hands-on introduction to using pre-trained open-source transformer models for generating protein embeddings and leveraging them for classification tasks. Attendees will learn to tokenize sequences, extract embeddings, and implement machine-learning pipelines for protein function annotation based on Gene Ontology (GO) or Enzyme Commission (EC) numbers. This session will showcase how pre-trained transformers can democratize access to advanced protein analysis techniques while addressing scalability and explainability challenges. After the talk, the speaker will provide a notebook to test basic functionality, enabling participants to explore the concepts discussed.
Find more info about All Things Open:
On the web: https://www.allthingsopen.org/
Twitter: https://twitter.com/AllThingsOpen
LinkedIn: https://www.linkedin.com/company/all-things-open/
Instagram: https://www.instagram.com/allthingsopen/
Facebook: https://www.facebook.com/AllThingsOpen
Mastodon: https://mastodon.social/@allthingsopen
Threads: https://www.threads.net/@allthingsopen
Bluesky: https://bsky.app/profile/allthingsopen.bsky.social
2025 conference: https://2025.allthingsopen.org/
Gen AI: AI Agents - Making LLMs work together in an organized way - Brent Las...
Gen AI: AI Agents - Making LLMs work together in an organized way - Brent Las...All Things Open Presented at All Things Open AI 2025
Presented by Brent Laster - Tech Skills Transformations
Title: Gen AI: AI Agents - Making LLMs work together in an organized way
Abstract: AI Agents are combinations of LLMs, tools, and custom roles that can autonomously perform tasks and make decisions based on context and user input. Multiple agents can be managed together to cooperatively handle individual tasks that are part of a larger project to accomplish an overall goal.
By combining capabilities like tool access, multi-step reasoning, and real-time adjustments, agents can construct and complete complex workflows and intelligent solutions. In this presentation, we'll look at what AI agents are, how they work, and how you can create and put them to work.
Find more info about All Things Open:
On the web: https://www.allthingsopen.org/
Twitter: https://twitter.com/AllThingsOpen
LinkedIn: https://www.linkedin.com/company/all-things-open/
Instagram: https://www.instagram.com/allthingsopen/
Facebook: https://www.facebook.com/AllThingsOpen
Mastodon: https://mastodon.social/@allthingsopen
Threads: https://www.threads.net/@allthingsopen
Bluesky: https://bsky.app/profile/allthingsopen.bsky.social
2025 conference: https://2025.allthingsopen.org/
You Don't Need an AI Strategy, But You Do Need to Be Strategic About AI - Jes...
You Don't Need an AI Strategy, But You Do Need to Be Strategic About AI - Jes...All Things Open Presented at All Things Open AI 2025
Presented by Jessica Hall - Hallway Studio
Title: You Don't Need an AI Strategy, But You Do Need to Be Strategic About AI
Abstract: There’s so much noise about creating an “AI strategy,” it’s easy to feel like you’re already behind. But here’s the thing: you don’t need an AI strategy or a data strategy. Those things need to serve your business strategy and that requires strategic thinking.
Here’s what you’ll get:
A clear understanding of why AI is a means to an end—not the end itself—and how to use it to solve problems traditional methods can’t touch.
How to align AI with strategy using questions like “Where do we play? How do we win?” from Roger L. Martin and A.G. Lafley.
What successful AI initiatives have in common: clear value, smart use of unique data, and meaningful business impact.
A checklist to evaluate AI opportunities—covering metrics, workflows, and the human factors that make or break AI efforts.
Find more info about All Things Open:
On the web: https://www.allthingsopen.org/
Twitter: https://twitter.com/AllThingsOpen
LinkedIn: https://www.linkedin.com/company/all-things-open/
Instagram: https://www.instagram.com/allthingsopen/
Facebook: https://www.facebook.com/AllThingsOpen
Mastodon: https://mastodon.social/@allthingsopen
Threads: https://www.threads.net/@allthingsopen
Bluesky: https://bsky.app/profile/allthingsopen.bsky.social
2025 conference: https://2025.allthingsopen.org/
DON’T PANIC: AI IS COMING – The Hitchhiker’s Guide to AI - Mark Hinkle, Perip...
DON’T PANIC: AI IS COMING – The Hitchhiker’s Guide to AI - Mark Hinkle, Perip...All Things Open Presented at All Things Open AI 2025
Presented by Mark Hinkle - Peripety Labs
Title: DON’T PANIC: AI IS COMING – The Hitchhiker’s Guide to AI
Abstract: AI is coming of age, and much like discovering intergalactic travel, it’s equal parts thrilling and terrifying. Fears of job loss, doomsday scenarios, and bureaucratic AI overlords dominate the conversation—but I think the reality is far less apocalyptic and far more exciting. With the right guide, you can navigate this new universe, adapt, and even thrive. That’s what AllThingsOpen.AI is all about—building a community where people and businesses don’t just survive AI’s rise but flourish in it. So grab your towel, keep an open mind, and let’s explore the future—without the panic. Listen to Conference Co-Producer and publisher of the Artificially Intelligent Enterprise, Mark Hinkle, provide a vision on how AI will play out in our lives.
Find more info about All Things Open:
On the web: https://www.allthingsopen.org/
Twitter: https://twitter.com/AllThingsOpen
LinkedIn: https://www.linkedin.com/company/all-things-open/
Instagram: https://www.instagram.com/allthingsopen/
Facebook: https://www.facebook.com/AllThingsOpen
Mastodon: https://mastodon.social/@allthingsopen
Threads: https://www.threads.net/@allthingsopen
Bluesky: https://bsky.app/profile/allthingsopen.bsky.social
2025 conference: https://2025.allthingsopen.org/
Fine-Tuning Large Language Models with Declarative ML Orchestration - Shivay ...
Fine-Tuning Large Language Models with Declarative ML Orchestration - Shivay ...All Things Open Presented at All Things Open AI 2025
Presented by Shivay Lamba - Couchbase
Title: Fine-Tuning Large Language Models with Declarative ML Orchestration
Abstract: Large Language Models used in tools like ChatGPT are everywhere; however, only a few organisations with massive computing resources are capable of training such large models. While eager to fine-tune these models for specific applications, the broader ML community often grapples with significant infrastructure challenges.
In the session, the audience will understand how open-source ML tooling like Flyte (a Linux Foundation open-source orchestration platform) can be used to provide a declarative specification for the infrastructure required for a wide array of ML workloads, including the fine-tuning of LLMs, even with limited resources. Thus the attendee will learn how to leverage open-source ML toolings like Flyte's capabilities to streamline their ML workflows, overcome infrastructure constraints, reduce cost and unlock the full potential of LLMs in their specific use case. Thus making it easier for a larger audience to leverage and train LLMs.
Find more info about All Things Open:
On the web: https://www.allthingsopen.org/
Twitter: https://twitter.com/AllThingsOpen
LinkedIn: https://www.linkedin.com/company/all-things-open/
Instagram: https://www.instagram.com/allthingsopen/
Facebook: https://www.facebook.com/AllThingsOpen
Mastodon: https://mastodon.social/@allthingsopen
Threads: https://www.threads.net/@allthingsopen
Bluesky: https://bsky.app/profile/allthingsopen.bsky.social
2025 conference: https://2025.allthingsopen.org/
Leveraging Knowledge Graphs for RAG: A Smarter Approach to Contextual AI Appl...
Leveraging Knowledge Graphs for RAG: A Smarter Approach to Contextual AI Appl...All Things Open Presented at All Things Open AI 2025
Presented by David vonThenen - DigitalOcean
Title: Leveraging Knowledge Graphs for RAG: A Smarter Approach to Contextual AI Applications
Abstract: In the ever-evolving field of AI, retrieval-augmented generation (RAG) systems have become critical for delivering high-quality, contextually relevant answers in applications powered by large language models (LLMs). While vector databases have traditionally dominated RAG applications, graph databases, specifically knowledge graphs, offer a transformative approach to contextual AI that’s often overlooked. This approach provides unique advantages for applications requiring deep insights, intelligent search, and reasoning over both structured and unstructured sources, making it ideal for complex business scenarios.
Attendees will leave with an understanding of how to build a RAG system using a graph database and practical skills for data querying and insights retrieval. By comparing graph and vector database approaches, we’ll highlight when and why graph databases may offer superior benefits for managing complex data relationships. The session will provide concrete examples and advanced techniques, empowering participants to incorporate knowledge graphs into their AI systems for better data-driven outcomes and improved LLM performance. This discussion will conclude with a live demo showcasing key techniques and insights covered in this talk.
Find more info about All Things Open:
On the web: https://www.allthingsopen.org/
Twitter: https://twitter.com/AllThingsOpen
LinkedIn: https://www.linkedin.com/company/all-things-open/
Instagram: https://www.instagram.com/allthingsopen/
Facebook: https://www.facebook.com/AllThingsOpen
Mastodon: https://mastodon.social/@allthingsopen
Threads: https://www.threads.net/@allthingsopen
Bluesky: https://bsky.app/profile/allthingsopen.bsky.social
2025 conference: https://2025.allthingsopen.org/
Artificial Intelligence Needs Community Intelligence - Sriram Raghavan, IBM R...
Artificial Intelligence Needs Community Intelligence - Sriram Raghavan, IBM R...All Things Open Presented at All Things Open AI 2025
Presented by Sriram Raghavan - IBM Research AI
Title: Artificial Intelligence Needs Community Intelligence
Find more info about All Things Open:
On the web: https://www.allthingsopen.org/
Twitter: https://twitter.com/AllThingsOpen
LinkedIn: https://www.linkedin.com/company/all-things-open/
Instagram: https://www.instagram.com/allthingsopen/
Facebook: https://www.facebook.com/AllThingsOpen
Mastodon: https://mastodon.social/@allthingsopen
Threads: https://www.threads.net/@allthingsopen
Bluesky: https://bsky.app/profile/allthingsopen.bsky.social
2025 conference: https://2025.allthingsopen.org/
Don't just talk to AI, do more with AI: how to improve productivity with AI a...
Don't just talk to AI, do more with AI: how to improve productivity with AI a...All Things Open Presented at All Things Open AI 2025
Presented by Sheng Liang - Acorn Labs
Title: Don't just talk to AI, do more with AI: how to improve productivity with AI agents
Find more info about All Things Open:
On the web: https://www.allthingsopen.org/
Twitter: https://twitter.com/AllThingsOpen
LinkedIn: https://www.linkedin.com/company/all-things-open/
Instagram: https://www.instagram.com/allthingsopen/
Facebook: https://www.facebook.com/AllThingsOpen
Mastodon: https://mastodon.social/@allthingsopen
Threads: https://www.threads.net/@allthingsopen
Bluesky: https://bsky.app/profile/allthingsopen.bsky.social
2025 conference: https://2025.allthingsopen.org/
Open-Source GenAI vs. Enterprise GenAI: Navigating the Future of AI Innovatio...
Open-Source GenAI vs. Enterprise GenAI: Navigating the Future of AI Innovatio...All Things Open Presented at All Things Open AI 2025
Presented by Dr. Ruth Akintunde - SAS Institute Inc.
Title: Open-Source GenAI vs. Enterprise GenAI: Navigating the Future of AI Innovation
Abstract: This talk explores the critical differences between Open-Source Generative AI and Enterprise Generative AI, highlighting their respective strengths and challenges. Open-Source GenAI fosters innovation through community collaboration, accessibility, and adaptability, while Enterprise GenAI prioritizes security, scalability, and reliability. Key aspects such as cost, ethical considerations, and long-term sustainability are examined to understand their impact on AI development and deployment. Ultimately, the talk advocates for a hybrid approach, leveraging the best of both worlds to drive AI innovation forward.
Find more info about All Things Open:
On the web: https://www.allthingsopen.org/
Twitter: https://twitter.com/AllThingsOpen
LinkedIn: https://www.linkedin.com/company/all-things-open/
Instagram: https://www.instagram.com/allthingsopen/
Facebook: https://www.facebook.com/AllThingsOpen
Mastodon: https://mastodon.social/@allthingsopen
Threads: https://www.threads.net/@allthingsopen
Bluesky: https://bsky.app/profile/allthingsopen.bsky.social
2025 conference: https://2025.allthingsopen.org/
The Death of the Browser - Rachel-Lee Nabors, AgentQL
The Death of the Browser - Rachel-Lee Nabors, AgentQLAll Things Open Presented at All Things Open AI 2025
Presented by Rachel-Lee Nabors - AgentQL
Title: The Death of the Browser
Abstract: In ten years, Internet Browsers may be a nostalgic memory. As enterprises face mounting API costs and integration headaches, a new paradigm is emerging. The internet's evolution from an open highway into a maze of walled gardens and monetized APIs has created significant challenges for businesses—but it has also set the stage for accessing and organizing the world’s information.
This lightning talk traces our journey from the invention of the browser to the arms race of scraping for data and access to it to the dawn of AI agents, showing how the challenges of today opened the door to tomorrow. See how technologies refined by the web scraping community are combining with large language models to create practical alternatives to costly API integrations.
From the rise of platform monopolies to the emergence of AI agents, this timeline-based exploration will help you understand where we've been, where we are, and where we're heading. Join us for a glimpse of how AI agents are enabling a return to the era of free information with the web as the API.
Find more info about All Things Open:
On the web: https://www.allthingsopen.org/
Twitter: https://twitter.com/AllThingsOpen
LinkedIn: https://www.linkedin.com/company/all-things-open/
Instagram: https://www.instagram.com/allthingsopen/
Facebook: https://www.facebook.com/AllThingsOpen
Mastodon: https://mastodon.social/@allthingsopen
Threads: https://www.threads.net/@allthingsopen
Bluesky: https://bsky.app/profile/allthingsopen.bsky.social
2025 conference: https://2025.allthingsopen.org/
Making Operating System updates fast, easy, and safe
Making Operating System updates fast, easy, and safeAll Things Open The document discusses streamlining operating system updates through an open-source approach, likening system management to a performance art. It emphasizes the use of container images and registries to manage deployments across various environments, including servers and cloud platforms. Additionally, it includes links to resources and acknowledgments to contributors and artists involved in the project.
Reshaping the landscape of belonging to transform community
Reshaping the landscape of belonging to transform communityAll Things Open The document discusses Winstina Hughes and her organization, Support Inclusion in Tech, aimed at fostering a sense of belonging and diversity in the tech community. It emphasizes the importance of support in overcoming barriers, particularly for underrepresented individuals, and outlines structured processes for inclusive participation in events. Key highlights include the focus on transparency, community partnerships, and adaptive leadership in pursuing diversity and inclusion within open-source projects.
The Unseen, Underappreciated Security Work Your Maintainers May (or may not) ...
The Unseen, Underappreciated Security Work Your Maintainers May (or may not) ...All Things Open The document discusses the challenges of unpaid security work in open-source software, emphasizing the importance of maintaining security practices like two-factor authentication, vulnerability scanning, and support for both old and new software versions. It highlights findings from interviews with over 400 maintainers, indicating that paid maintainers are more effective in implementing critical security measures. The document calls for sustained investment in open-source projects to improve their security and support the developers behind them.
Integrating Diversity, Equity, and Inclusion into Product Design
Integrating Diversity, Equity, and Inclusion into Product DesignAll Things Open The document emphasizes a culture-driven approach to designing inclusive products that resonate with diverse audiences. It discusses practical strategies for integrating inclusivity at every stage of the design process and highlights the benefits of companies embracing diversity. Denitresse Ferrell, founder and CEO of Culture Refinery, advocates embedding empathy in product development for creating connections, rather than just adding features.
The Open Source Ecosystem for eBPF in Kubernetes
The Open Source Ecosystem for eBPF in KubernetesAll Things Open The document discusses eBPF (enhanced Berkeley Packet Filter), a powerful technology that allows for the extension and observation of kernel behavior in Linux without modifying the kernel source code. It highlights the challenges of using eBPF within Kubernetes environments, particularly regarding the privilege requirements for application pods and the distribution of bytecode. The document introduces BPFMan, an open-source project designed to simplify the use of eBPF in Kubernetes by handling privileges and bytecode management, while promoting community engagement and collaboration.
Open Source Privacy-Preserving Metrics - Sarah Gran & Brandon Pitman
Open Source Privacy-Preserving Metrics - Sarah Gran & Brandon PitmanAll Things Open Divvi Up, launched in October 2020 by a nonprofit focused on privacy-preserving metrics, enables the private aggregation of sensitive data while ensuring that original measurements are never visible to unauthorized parties. Its applications include telemetry and survey results, with notable deployments by Mozilla and Horizontal for sensitive measurement collection. The service is grounded in the Distributed Aggregation Protocol (DAP), which is currently undergoing standardization at the IETF, and incorporates techniques like Oblivious HTTP and differential privacy to enhance data security.
Ad
Recently uploaded (20)
Integration of Utility Data into 3D BIM Models Using a 3D Solids Modeling Wor...
Integration of Utility Data into 3D BIM Models Using a 3D Solids Modeling Wor...Safe Software Jacobs has developed a 3D utility solids modelling workflow to improve the integration of utility data into 3D Building Information Modeling (BIM) environments. This workflow, a collaborative effort between the New Zealand Geospatial Team and the Australian Data Capture Team, employs FME to convert 2D utility data into detailed 3D representations, supporting enhanced spatial analysis and clash detection.
To enable the automation of this process, Jacobs has also developed a survey data standard that standardizes the capture of existing utilities. This standard ensures consistency in data collection, forming the foundation for the subsequent automated validation and modelling steps. The workflow begins with the acquisition of utility survey data, including attributes such as location, depth, diameter, and material of utility assets like pipes and manholes. This data is validated through a custom-built tool that ensures completeness and logical consistency, including checks for proper connectivity between network components. Following validation, the data is processed using an automated modelling tool to generate 3D solids from 2D geometric representations. These solids are then integrated into BIM models to facilitate compatibility with 3D workflows and enable detailed spatial analyses.
The workflow contributes to improved spatial understanding by visualizing the relationships between utilities and other infrastructure elements. The automation of validation and modeling processes ensures consistent and accurate outputs, minimizing errors and increasing workflow efficiency.
This methodology highlights the application of FME in addressing challenges associated with geospatial data transformation and demonstrates its utility in enhancing data integration within BIM frameworks. By enabling accurate 3D representation of utility networks, the workflow supports improved design collaboration and decision-making in complex infrastructure projects
FIDO Seminar: Perspectives on Passkeys & Consumer Adoption.pptx
FIDO Seminar: Perspectives on Passkeys & Consumer Adoption.pptxFIDO Alliance FIDO Seminar: Perspectives on Passkeys & Consumer Adoption
Data Validation and System Interoperability
Data Validation and System InteroperabilitySafe Software A non-profit human services agency with specialized health record and billing systems. Challenges solved include access control integrations from employee electronic HR records, multiple regulations compliance, data migrations, benefits enrollments, payroll processing, and automated reporting for business intelligence and analysis.
War_And_Cyber_3_Years_Of_Struggle_And_Lessons_For_Global_Security.pdf
War_And_Cyber_3_Years_Of_Struggle_And_Lessons_For_Global_Security.pdfbiswajitbanerjee38 Russia is one of the most aggressive nations when it comes to state coordinated cyberattacks — and Ukraine has been at the center of their crosshairs for 3 years. This report, provided the State Service of Special Communications and Information Protection of Ukraine contains an incredible amount of cybersecurity insights, showcasing the coordinated aggressive cyberwarfare campaigns of Russia against Ukraine.
It brings to the forefront that understanding your adversary, especially an aggressive nation state, is important for cyber defense. Knowing their motivations, capabilities, and tactics becomes an advantage when allocating resources for maximum impact.
Intelligence shows Russia is on a cyber rampage, leveraging FSB, SVR, and GRU resources to professionally target Ukraine’s critical infrastructures, military, and international diplomacy support efforts.
The number of total incidents against Ukraine, originating from Russia, has steadily increased from 1350 in 2021 to 4315 in 2024, but the number of actual critical incidents has been managed down from a high of 1048 in 2022 to a mere 59 in 2024 — showcasing how the rapid detection and response to cyberattacks has been impacted by Ukraine’s improved cyber resilience.
Even against a much larger adversary, Ukraine is showcasing outstanding cybersecurity, enabled by strong strategies and sound tactics. There are lessons to learn for any enterprise that could potentially be targeted by aggressive nation states.
Definitely worth the read!
FIDO Seminar: Evolving Landscape of Post-Quantum Cryptography.pptx
FIDO Seminar: Evolving Landscape of Post-Quantum Cryptography.pptxFIDO Alliance FIDO Seminar: Evolving Landscape of Post-Quantum Cryptography
Floods in Valencia: Two FME-Powered Stories of Data Resilience
Floods in Valencia: Two FME-Powered Stories of Data ResilienceSafe Software In October 2024, the Spanish region of Valencia faced severe flooding that underscored the critical need for accessible and actionable data. This presentation will explore two innovative use cases where FME facilitated data integration and availability during the crisis. The first case demonstrates how FME was used to process and convert satellite imagery and other geospatial data into formats tailored for rapid analysis by emergency teams. The second case delves into making human mobility data—collected from mobile phone signals—accessible as source-destination matrices, offering key insights into population movements during and after the flooding. These stories highlight how FME's powerful capabilities can bridge the gap between raw data and decision-making, fostering resilience and preparedness in the face of natural disasters. Attendees will gain practical insights into how FME can support crisis management and urban planning in a changing climate.
OWASP Barcelona 2025 Threat Model Library
OWASP Barcelona 2025 Threat Model LibraryPetraVukmirovic Threat Model Library Launch at OWASP Barcelona 2025
https://owasp.org/www-project-threat-model-library/
OpenACC and Open Hackathons Monthly Highlights June 2025
OpenACC and Open Hackathons Monthly Highlights June 2025OpenACC The OpenACC organization focuses on enhancing parallel computing skills and advancing interoperability in scientific applications through hackathons and training. The upcoming 2025 Open Accelerated Computing Summit (OACS) aims to explore the convergence of AI and HPC in scientific computing and foster knowledge sharing. This year's OACS welcomes talk submissions from a variety of topics, from Using Standard Language Parallelism to Computer Vision Applications. The document also highlights several open hackathons, a call to apply for NVIDIA Academic Grant Program and resources for optimizing scientific applications using OpenACC directives.
Creating Inclusive Digital Learning with AI: A Smarter, Fairer Future
Creating Inclusive Digital Learning with AI: A Smarter, Fairer FutureImpelsys Inc. Have you ever struggled to read a tiny label on a medicine box or tried to navigate a confusing website? Now imagine if every learning experience felt that way—every single day.
For millions of people living with disabilities, poorly designed content isn’t just frustrating. It’s a barrier to growth. Inclusive learning is about fixing that. And today, AI is helping us build digital learning that’s smarter, kinder, and accessible to everyone.
Accessible learning increases engagement, retention, performance, and inclusivity for everyone. Inclusive design is simply better design.
Securing Account Lifecycles in the Age of Deepfakes.pptx
Securing Account Lifecycles in the Age of Deepfakes.pptxFIDO Alliance Securing Account Lifecycles in the Age of Deepfakes
Edge-banding-machines-edgeteq-s-200-en-.pdf
Edge-banding-machines-edgeteq-s-200-en-.pdfAmirStern2 מכונת קנטים המתאימה לנגריות קטנות או גדולות (כמכונת גיבוי).
מדביקה קנטים מגליל או פסים, עד עובי קנט – 3 מ"מ ועובי חומר עד 40 מ"מ. בקר ממוחשב המתריע על תקלות, ומנועים מאסיביים תעשייתיים כמו במכונות הגדולות.
National Fuels Treatments Initiative: Building a Seamless Map of Hazardous Fu...
National Fuels Treatments Initiative: Building a Seamless Map of Hazardous Fu...Safe Software The National Fuels Treatments Initiative (NFT) is transforming wildfire mitigation by creating a standardized map of nationwide fuels treatment locations across all land ownerships in the United States. While existing state and federal systems capture this data in diverse formats, NFT bridges these gaps, delivering the first truly integrated national view. This dataset will be used to measure the implementation of the National Cohesive Wildland Strategy and demonstrate the positive impact of collective investments in hazardous fuels reduction nationwide. In Phase 1, we developed an ETL pipeline template in FME Form, leveraging a schema-agnostic workflow with dynamic feature handling intended for fast roll-out and light maintenance. This was key as the initiative scaled from a few to over fifty contributors nationwide. By directly pulling from agency data stores, oftentimes ArcGIS Feature Services, NFT preserves existing structures, minimizing preparation needs. External mapping tables ensure consistent attribute and domain alignment, while robust change detection processes keep data current and actionable. Now in Phase 2, we’re migrating pipelines to FME Flow to take advantage of advanced scheduling, monitoring dashboards, and automated notifications to streamline operations. Join us to explore how this initiative exemplifies the power of technology, blending FME, ArcGIS Online, and AWS to solve a national business problem with a scalable, automated solution.
FME for Good: Integrating Multiple Data Sources with APIs to Support Local Ch...
FME for Good: Integrating Multiple Data Sources with APIs to Support Local Ch...Safe Software Have-a-skate-with-Bob (HASB-KC) is a local charity that holds two Hockey Tournaments every year to raise money in the fight against Pancreatic Cancer. The FME Form software is used to integrate and exchange data via API, between Google Forms, Google Sheets, Stripe payments, SmartWaiver, and the GoDaddy email marketing tools to build a grass-roots Customer Relationship Management (CRM) system for the charity. The CRM is used to communicate effectively and readily with the participants of the hockey events and most importantly the local area sponsors of the event. Communication consists of a BLOG used to inform participants of event details including, the ever-important team rosters. Funds raised by these events are used to support families in the local area to fight cancer and support PanCan research efforts to find a cure against this insidious disease. FME Form removes the tedium and error-prone manual ETL processes against these systems into 1 or 2 workbenches that put the data needed at the fingertips of the event organizers daily freeing them to work on outreach and marketing of the events in the community.
Viral>Wondershare Filmora 14.5.18.12900 Crack Free Download
Viral>Wondershare Filmora 14.5.18.12900 Crack Free DownloadPuppy jhon ➡ 🌍📱👉COPY & PASTE LINK👉👉👉 ➤ ➤➤ https://drfiles.net/
Wondershare Filmora Crack is a user-friendly video editing software designed for both beginners and experienced users.
Can We Use Rust to Develop Extensions for PostgreSQL? (POSETTE: An Event for ...
Can We Use Rust to Develop Extensions for PostgreSQL? (POSETTE: An Event for ...NTT DATA Technology & Innovation Can We Use Rust to Develop Extensions for PostgreSQL?
(POSETTE: An Event for Postgres 2025)
June 11, 2025
Shinya Kato
NTT DATA Japan Corporation
June Patch Tuesday
June Patch TuesdayIvanti Ivanti’s Patch Tuesday breakdown goes beyond patching your applications and brings you the intelligence and guidance needed to prioritize where to focus your attention first. Catch early analysis on our Ivanti blog, then join industry expert Chris Goettl for the Patch Tuesday Webinar Event. There we’ll do a deep dive into each of the bulletins and give guidance on the risks associated with the newly-identified vulnerabilities.
AI VIDEO MAGAZINE - June 2025 - r/aivideo
AI VIDEO MAGAZINE - June 2025 - r/aivideo1pcity Studios, Inc AI VIDEO MAGAZINE - r/aivideo community newsletter – Exclusive Tutorials: How to make an AI VIDEO from scratch, PLUS: How to make AI MUSIC, Hottest ai videos of 2025, Exclusive Interviews, New Tools, Previews, and MORE - JUNE 2025 ISSUE -
Security Tips for Enterprise Azure Solutions
Security Tips for Enterprise Azure SolutionsMichele Leroux Bustamante Delivering solutions to Azure may involve a variety of architecture patterns involving your applications, APIs data and associated Azure resources that comprise the solution. This session will use reference architectures to illustrate the security considerations to protect your Azure resources and data, how to achieve Zero Trust, and why it matters. Topics covered will include specific security recommendations for types Azure resources and related network security practices. The goal is to give you a breadth of understanding as to typical security requirements to meet compliance and security controls in an enterprise solution.
Reducing Conflicts and Increasing Safety Along the Cycling Networks of East-F...
Reducing Conflicts and Increasing Safety Along the Cycling Networks of East-F...Safe Software In partnership with the Belgian Province of East-Flanders this project aimed to reduce conflicts and increase safety along a cycling route between the cities of Oudenaarde and Ghent. To achieve this goal, the current cycling network data needed some extra key information, including: Speed limits for segments, Access restrictions for different users (pedestrians, cyclists, motor vehicles, etc.), Priority rules at intersections. Using a 360° camera and GPS mounted on a measuring bicycle, we collected images of traffic signs and ground markings along the cycling lanes building up mobile mapping data. Image recognition technologies identified the road signs, creating a dataset with their locations and codes. The data processing entailed three FME workspaces. These included identifying valid intersections with other networks (e.g., roads, railways), creating a topological network between segments and intersections and linking road signs to segments and intersections based on proximity and orientation. Additional features, such as speed zones, inheritance of speed and access to neighbouring segments were also implemented to further enhance the data. The final results were visualized in ArcGIS, enabling analysis for the end users. The project provided them with key insights, including statistics on accessible road segments, speed limits, and intersection priorities. These will make the cycling paths more safe and uniform, by reducing conflicts between users.
Tech-ASan: Two-stage check for Address Sanitizer - Yixuan Cao.pdf
Tech-ASan: Two-stage check for Address Sanitizer - Yixuan Cao.pdfcaoyixuan2019 A presentation at Internetware 2025.
Can We Use Rust to Develop Extensions for PostgreSQL? (POSETTE: An Event for ...
Can We Use Rust to Develop Extensions for PostgreSQL? (POSETTE: An Event for ...NTT DATA Technology & Innovation
Introduction to Kubernetes Security
- 2. https://openunison.github.io / @mlbiam / @[email protected] Who Am I? ● CTO Tremolo Security ● Identity Management expert for 20+ years ● Experience in commercial and federal agencies ● Kubernetes since 2015 ● Co-Author Kubernetes an Enterprise Guide: 2nd Ed
- 3. Agenda ● Part I - Cluster Security ○ What is Kubernetes? ○ How users access the cluster ○ How pipelines access the cluster ○ Dashboards ○ NetworkPolicies ○ Secrets ○ Node Security ○ Defense-in-Depth ○ Multi-tenancy https://openunison.github.io / @mlbiam / @[email protected]
- 4. Agenda ● Part II - Container Security ○ How your application can be be a security risk ○ Basics of a secure image ○ SBOMs ○ Farm-to-Table Supply Chain Security https://openunison.github.io / @mlbiam / @[email protected]
- 5. https://openunison.github.io / @mlbiam / @[email protected] What is Kubernetes? ● Scheduler - Determines what containers should run and where ● Kubelet - Works with the scheduler to run and manage containers ● API Server - API for interacting with the Kubelet and Scheduler
- 6. https://openunison.github.io / @mlbiam / @[email protected] How users access the cluster
- 7. https://openunison.github.io / @mlbiam / @[email protected] How users access the cluster ● Kubernetes supports multiple authentication mechanisms: ○ Certificates ○ OpenID Connect ○ Impersonating proxy ○ TokenRequest API ○ Custom Webhooks
- 8. https://openunison.github.io / @mlbiam / @[email protected] How users access the cluster - Certificates ● “Break Glass” authentication ● Can’t be revoked ● Hardware certificates aren’t supported ● External CAs not supported ● Groups only supported through static subject mapping ● Requires point-to-point connectivity between the client and server
- 9. https://openunison.github.io / @mlbiam / @[email protected] How users access the cluster - OpenID Connect ● Use of a JSON Web Token (JWT) ● Bearer token ● Easily maps groups ● Should be short lived (1-2 minutes with clock skew) ● Allows for network segmentation ● Can not be revoked ● JWT Demo
- 10. https://openunison.github.io / @mlbiam / @[email protected] How users access the cluster - Impersonating Proxy ● Reverse Proxy authenticates users ● Reverse proxy sends headers with the user’s request to tell the API server who the user is ● Impersonation proxy is responsible for authorizing inbound impersonation ● ServiceAccount for Impersonating Proxy is a privileged account ● Important to tie API access back to original request ● Impersonation Demo
- 11. https://openunison.github.io / @mlbiam / @[email protected] How users access the cluster - TokenRequest API ● JWT issued by API Server ● Intended for identifying workloads to the API Server ● Intended for identifying workloads to external services ● Not meant for use from outside of the cluster ● Demo of a container talking to the API server
- 12. https://openunison.github.io / @mlbiam / @[email protected] How users access the cluster - Custom Webhooks ● If you’re not a cloud provider, don’t do it
- 13. https://openunison.github.io / @mlbiam / @[email protected] How users access the cluster - RBAC ● How the API server authorizes access ● Two Scopes ○ Cluster - Objects that impact everyone ○ Namespaced - Objects that are contained inside of a Namespace ■ Namespaces are Cluster scoped ● Roles/ClusterRoles → Define permissions ● RoleBindings/ClusterRoleBindings → Assign permissions ● Rights are enumerated ● No “negative” rights ● Don’t use “*” ● Bindings - Groups, not Users
- 14. https://openunison.github.io / @mlbiam / @[email protected] How users access the cluster - RBAC Aggregate Roles ● Create large Roles & ClusterRoles without maintaining large objects ● Uses labels to assemble a Role/ClusterRole from smaller Roles/ClusterRoles ● Examples are admin, editor ● How to let an admin create a new instance of a CRD
- 15. https://openunison.github.io / @mlbiam / @[email protected] How pipelines access the cluster ● Don’t use long lived tokens ● Use a local identity to get short lived token ● Spire (project) & SPIFFE (standards)
- 16. https://openunison.github.io / @mlbiam / @[email protected] Dashboards ● Centralized ○ Can be secured via reverse proxy and impersonation ○ Should never have a privileged identity ○ Rely on the user’s identity ● Local ○ Uses user’s kubectl configuration ○ Opens a local port on loop-back with no TLS or authentication
- 17. https://openunison.github.io / @mlbiam / @[email protected] NetworkPolicies ● “Firewalls” of the cluster ● Control both inbound and outbound traffic ● Dependent on CNI implementation ● Not on by default ● Important to add ● Demo of network policy
- 18. https://openunison.github.io / @mlbiam / @[email protected] Secrets ● Stored in etcd as base64 encoded string ○ Encoded to preserve binary data ● Threat model your Secrets ○ Plain Kubernetes Secrets are Fine - https://bit.ly/3K1nEcU ● Externalize Secrets ○ Mount directly to Pods ○ Synchronize Secrets ● DON’T EVER STORE SECRETS IN GIT OR HELM, EVEN WHEN ENCRYPTED
- 19. https://openunison.github.io / @mlbiam / @[email protected] Node Security ● Don’t run containers as root ○ Unless you need to run a container as root ○ Init containers ● Limit, or drop all, capabilities ● You don’t need a port under 1024 ● Admission Controller Webhooks - Enforce rules ● Mutating Webhooks - Enable sane defaults ● Common Tools ○ Pod Security Standards ○ OPA/GateKeeper ○ Kyverno ○ JSPolicy
- 20. https://openunison.github.io / @mlbiam / @[email protected] Defense-in-depth ● Don’t rely on a single layer ● Strong Identity+RBAC+Policy Enforcement ● Multi-factor Authentication ● Short lived tokens ● Self Service
- 21. https://openunison.github.io / @mlbiam / @[email protected] Multitenancy ● Better utilization of resources ● Manage sprawl ● “Something” needs to be multitenant ● Self Service ● Combination of all of the above ● Virtual clusters
- 23. https://openunison.github.io / @mlbiam / @[email protected] How Your Application Can Be A Security Risk ● ServiceAccount token mounted to your Pod ● RCE from an app can lead to access to your Pod’s tokens ● Lack of sane defaults and policies lead to a container breakout ● Leaking bearer tokens ● Debug tools ○ “Distroless” containers ○ Ephemeral Containers
- 24. https://openunison.github.io / @mlbiam / @[email protected] Basics of a Secure Image ● Switch from root ● Assume no Linux userid ● Write only to volumes ○ emptyDir for “scratch space” ● Rebuild often ● Be mindful of where you get base images from ● Take contracts and policies into consideration
- 25. https://openunison.github.io / @mlbiam / @[email protected] Software Bill of Materials ● Multiple standards ● Stored with containers ● Signed?
- 26. https://openunison.github.io / @mlbiam / @[email protected] Farm-to-table Supply Chain Security Container registry Proof
- 27. https://openunison.github.io / @mlbiam / @[email protected] Farm-to-table Supply Chain Security Test Lab Build Infrastructure
- 28. Connect with us ● Web - https://openunison.github.io / http://tremolo.io ● Twitter - @tremolosecurity / @mlbiam ● Masstodon - @[email protected] / @[email protected] ● GitHub - http://github.com/tremolosecurity/ / http://github.com/openunison/