Updated: Aug 21, 2020
This virtual event is spread over four days including keynotes, lightning talks, conference sessions across 16 tracks, tutorials, and co-located events. It also includes an interactive Sponsor Showcase, attendee collaboration and networking tools...
All sessions will be recorded and available on the CNCF YouTube channel 8 weeks after the conference.
And congratulations to the Kubecon team for the virtual lobby app. It is not easy to represent such an event in a virtual way, well done!
Here is some feedback on the sessions, lightning talks and tutorials we attended:
A very interesting tutorial (https://tutorial.kubernetes-security.info/) showing how an attacker can exploit a vulnerability and what the possible remediations are, using different approaches and tools.
There are several Kubernetes attack vectors:
There are several ways to secure your Kubernetes cluster and its components:
Multiple solutions for vulnerability scanning are available. This workshop uses the open source scanner Trivy.
Where to scan for vulnerabilities:
CI/CD: One way to "shift left" security is to include vulnerability scanning as an automatic step in CI/CD. Typically after the docker build you can have a stage that will scan your image.
Admission controllers: An admission controller is a piece of code that intercepts requests to the Kubernetes API server prior to persistence of the object, but after the request is authenticated and authorized. So in the context of image scanning it can be used to prevent deploying a container image with known vulnerabilities.
Live workloads: New vulnerabilities are found all the time so you will need to regularly check if your running images are safe.
In the demo, Starboard was used. It is a tool for running security tools, including Trivy, within your Kubernetes cluster. This is an easy way to create and view scans of the container images used by your running workloads. Example (CLI):
    kubectl starboard init    ## Add CRDs
    kubectl starboard find vulns kind/name
    kubectl get vulns --show-labels kind/name
Kubernetes cluster configuration
The CIS Benchmark: An objective, consensus-driven security guideline for Kubernetes.
Kube-bench: a Go application that implements the CIS Benchmark and checks whether Kubernetes is deployed securely. There are three output states (Pass, Fail, Info) to indicate test results.
Policies are an important tool for defining what is or is not allowed in Kubernetes clusters.
Principle of least privilege: requires that every module must be able to access only the information and resources that are necessary for its legitimate purpose.
Security Context: A security context defines privilege and access control settings for a Pod or Container (like running as privileged user or not, Linux Capabilities, …)
Network Policies: A network policy is a specification of how sets of Pods are allowed to communicate with each other and with other network endpoints. NetworkPolicy resources use labels to select Pods and define rules which specify what traffic is allowed to/from the selected Pods.
OPA: a general-purpose policy engine that comes with a rule-based policy language called Rego. The goal here is to define and enforce policies like: "Deny any image that doesn’t come from a trusted registry". This is also based on admission controllers, through Gatekeeper (CRD-based: open-policy-agent/gatekeeper).
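The admission controller and OPA items above both come down to a decision taken on an AdmissionReview request. The following is an added example, not code from the tutorial or from Gatekeeper: it shows that decision for the "trusted registry" policy in plain Python. The registry name, the function names and the sample request are constructed for illustration.

```python
# Added example: decision logic of a validating admission webhook that
# enforces "deny any image that doesn't come from a trusted registry".
# Assumption: registry.example.com is the only trusted registry.
TRUSTED_REGISTRIES = ("registry.example.com/",)

def pod_spec_of(obj):
    """Return the pod spec of a Pod, or of a workload carrying a pod template."""
    spec = obj.get("spec", {})
    if obj.get("kind") == "Pod":
        return spec
    return spec.get("template", {}).get("spec", {})

def images_of(pod_spec):
    """Yield (container name, image) for every container type, init included."""
    for field in ("initContainers", "containers", "ephemeralContainers"):
        for c in pod_spec.get(field) or []:
            yield c.get("name", "?"), c.get("image", "")

def is_trusted(image):
    # The prefix keeps its trailing slash so that a look-alike host such as
    # registry.example.com.other.test does not match. An image without a
    # registry ("busybox:1.32") resolves to Docker Hub and is rejected.
    return any(image.startswith(prefix) for prefix in TRUSTED_REGISTRIES)

def review(admission_review):
    """Build the AdmissionReview response for one AdmissionReview request."""
    req = admission_review["request"]
    violations = [f"container {name}: image {image!r} is not from a trusted registry"
                  for name, image in images_of(pod_spec_of(req["object"]))
                  if not is_trusted(image)]
    response = {"uid": req["uid"], "allowed": not violations}
    if violations:
        response["status"] = {"code": 403, "message": "; ".join(violations)}
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
            "response": response}

# Constructed request: a Deployment whose init container uses an untrusted image.
SAMPLE = {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
          "request": {"uid": "constructed-uid-1", "object": {
              "kind": "Deployment",
              "spec": {"template": {"spec": {
                  "initContainers": [{"name": "init", "image": "busybox:1.32"}],
                  "containers": [{"name": "api",
                                  "image": "registry.example.com/shop/api:1.4.2"}]}}}}}}

if __name__ == "__main__":
    print(review(SAMPLE)["response"])
```

Init and ephemeral containers are checked together with regular containers, since a policy that only looks at `containers` lets an untrusted image in through the other fields.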
Using GitOps brings security out of the box:
Git being the source of truth, you benefit from RBAC, traceability and auditing.
It is based on Pull Requests so it enforces reviewers and communication
You don’t apply the change yourself, but rely on a process that automatically applies the desired state of the system.
This tutorial gives a lot of tips and tools for dealing with security in your Kubernetes cluster. Trivy, Kube-bench, Starboard and Gatekeeper are definitely on my list for a deeper look!
Jeff Poole (Director, Platform Engineering, Vivint Smart Home)
An interesting tutorial that shows how Kubernetes networking works: korvus81/k8s-net-labs
This tutorial covers:
Encapsulation in Networking
Docker / Container Networking
Node and Pod networking
If you are curious and want a deeper understanding of how Kubernetes networking works, then this session is definitely for you!
By Samuel Davidson (Security Engineer, Google Kubernetes Security for Google Cloud)
Summary of Container Security Fundamentals:
Assume you will be owned
Use a distroless base image
Easy to rebuild containers
Sign your image
Don't use hostPath
Don’t use hostNetwork
Pay close attention to your pod’s Service Account
Isolate your node from Internet
Egress only internet access from private network
Keep the cluster up to date to avoid bugs and vulnerabilities
Ideally the entire cluster is in a private network (VPN, auth-proxy…) and no public IP for any cluster VMs
Solutions to common needs:
Log Devs/bots into the network
External load balancer that can forward traffic to nodes if internet users need access to services/pods
Egress only internet access from private network if cluster needs internet access
Use RBAC and groups
Use a policy agent to protect your cluster (typically a Kubernetes Admission Controller which allows or denies requests at a fine-grained level based on rules or policies)
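The hostPath, hostNetwork and service account points of this summary can be checked on a manifest before it reaches the cluster. The following is an added example, not material from the talk: a small Python audit of a Pod manifest loaded as a dict. The function name, the rule labels and both sample manifests are constructed, and the service account rule is one assumed reading of "pay close attention".

```python
# Added example: static audit of a Pod manifest against three points of the
# summary above. Manifests below are constructed for illustration.
def audit_pod(pod):
    """Return a list of (rule, detail) findings for one Pod manifest."""
    spec = pod.get("spec", {})
    findings = []
    if spec.get("hostNetwork") is True:
        findings.append(("hostNetwork", "pod shares the node's network namespace"))
    for vol in spec.get("volumes") or []:
        if "hostPath" in vol:
            path = (vol["hostPath"] or {}).get("path", "?")
            findings.append(("hostPath",
                             f"volume {vol.get('name', '?')} mounts node path {path}"))
    # Assumption: the service account point is checked as "the token of the
    # namespace's default account must not be mounted". Only the Pod manifest
    # is inspected; the ServiceAccount object can also disable automounting.
    account = spec.get("serviceAccountName") or "default"
    if spec.get("automountServiceAccountToken", True) and account == "default":
        findings.append(("serviceAccount",
                         "token of the 'default' service account is mounted"))
    return findings

RISKY_POD = {  # constructed
    "kind": "Pod", "metadata": {"name": "debug"},
    "spec": {"hostNetwork": True,
             "volumes": [{"name": "sock",
                          "hostPath": {"path": "/var/run/docker.sock"}},
                         {"name": "tmp", "emptyDir": {}}],
             "containers": [{"name": "tool",
                             "image": "registry.example.com/tool:1"}]}}

HARDENED_POD = {  # constructed
    "kind": "Pod", "metadata": {"name": "api"},
    "spec": {"serviceAccountName": "api-reader",
             "volumes": [{"name": "tmp", "emptyDir": {}}],
             "containers": [{"name": "api",
                             "image": "registry.example.com/api:1"}]}}

if __name__ == "__main__":
    for pod in (RISKY_POD, HARDENED_POD):
        print(pod["metadata"]["name"], audit_pod(pod))
```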
Hands-on: joellord/handson-tekton
Containers: Built for container apps and runs on Kubernetes
Serverless: Runs serverless with no CI/CD engine to manage and maintain
DevOps: Designed with microservices and distributed teams in mind
Tekton is a Kubernetes-native tool which is composable, declarative, reproducible and cloud native. It allows you to create CI/CD systems by abstracting away the underlying implementation details.
A presentation to raise awareness that a minikube or k3s which easily works on a local computer is NOT PROD READY!!! Useful if you need to convince someone that Kubernetes setup is not a matter of 3 clicks.
They highlight several points that work without difficulty in a local environment but not in a production environment, like volumes/storage, network, RBAC… and show some common errors that can happen in production (like losing etcd or deleting a volume). It also demonstrated the need to really secure the environment, because by default most security features in Kubernetes are disabled.
By Kaslin Fields (Developer Advocate, Google)
A funny way to introduce the Cloud Native concept. So what is it exactly? It’s a way to develop an application using the advantages offered by the Cloud. It’s a flyover for beginners of the different parts that constitute the Cloud Native Landscape: container/registry, containerd, Kubernetes, serverless concept, function as a service, infra as code, observability monitoring/logging, security, data storage…
By Oliver Gould (Linkerd Creator, Buoyant), Daniel Berg (Distinguished Engineer, IBM), Lin Sun (Senior Technical Staff Member, IBM), Sven Mawson (Senior Staff Software Engineer, Google), Christian Posta (Field CTO, solo.io).
A Q&A session about Service Mesh with lots of insights and tips:
What are Service Mesh advantages?
quickly push changes without changing code
connecting applications and introducing some security points
programmatically define rules
When should you use a Service Mesh?
When you have a lot of things that have to communicate with each other
What’s the best Service Mesh implementation?
It depends on your needs but favor the most used in production
What are the common pitfalls to avoid?
DON'T implement business logic in the Service Mesh
What about latency and resources?
A Service Mesh provides a real load balancer compared to kube-proxy, with more “intelligence”: it chooses pods that are not overloaded when it dispatches traffic. Resources management like memory is very weak compared to a proxy coded in an application using Spring Boot, for example.
Some Lightning Talks:
Some Lightning Talks :
Lightning Talk Sessions by Tom Hipwell (Principal Platform Engineer, Bulb)
SOPS is a tool that encrypts only the values in a YAML file (and not the keys). It uses the AWS/Azure/GCP Key Management Service (KMS) and a dedicated CLI. Very useful when you don’t want to use a heavier solution like HashiCorp Vault and when you use GitOps (you can securely store the encrypted file alongside your code).
By Matthew Robson (Principal Technical Account Manager, Red Hat)
A PodDisruptionBudget is an object created by the application owner that defines the minimum number of replicas that must be available for an application to operate in a stable manner during a voluntary disruption.
When an application is owned by the application team and supported by the operations team, it allows the availability requirements to be defined, and they are respected by the eviction API. It is valid for: Deployment, ReplicationController, StatefulSet and ReplicaSet.
Berkeley Packet Filter (BPF) tools are tracing tools that help to debug distributed applications. But debugging inside Kubernetes is not easy. Kubernetes tracing tools like Inspektor Gadget and kubectl-trace ease the debugging of distributed applications.
The slides are available here.
CONCLUSION FOR THE FIRST DAY:
Kubecon is a very interesting event touching lots of subjects like Security, Networking, CI/CD, Service Mesh and many other topics...
We particularly enjoyed the tutorial on Tekton, a very promising and powerful CI/CD tool. We also appreciated the many sessions around Security in Kubernetes at different levels, it’s always important to keep this important concept in mind.
Keep connected for the second day!