Call for Questions! sig-HONK AMA KubeCon NA keynote panel

coldwater · October 6, 2020, 10:27pm

Hello world! We are giving an Ask Me Anything keynote at KubeCon NA 2020, and we are calling for questions to be answered during our panel, SIG-Honk AMA Panel: Hacking and Hardening in the Cloud Native Garden. What would you like to ask us? We would like to answer!

Who we are
sig-HONK is @coldwater, @Brad_Geesaman, @raesene, @mauilion
We are a gaggle of friends who come from a bunch of different backgrounds in systems and security and have collectively worked to increase the understanding and security of Kubernetes over the years.

What we need from you
Review the responses in this thread. If there is a question that is important to you it!
If there’s something else you’d like to see answered, add your question below.

What will happen?
We will be reviewing the questions and choosing from them on October 17th. The questions selected will be answered in the keynote. Let us know if you’d like your name/handle mentioned if your question is selected, and we’ll answer it as best we can.

Thank you all so much for participating in this thread, and in KubeCon North America 2020!

See you there!
~sig-HONK

mauilion · October 7, 2020, 6:21pm

What tooling to do recommend for exploring kubernetes codebase?

marc.boorshtein · October 7, 2020, 7:19pm

Many of the attacks described in the preso on APT in k8s start with privileged access. Whats the most likely ways an attacker will get their hands on credentials that can be used against a cluster and what are different ways to prevent that?

jimangel · October 7, 2020, 8:48pm

What would ya’ll consider to be the top tools / methods for evaluating the attack surface of a “vanilla” cluster? Specifically from the outside probing in and workloads running internal.

I’m interested in practical tests over best practices; but happy to hear both

sam17 · October 8, 2020, 5:47am

What are the security and architectural challenges you guys have had come across on ipv6/dualstack k8s cluster dealing with container’s (docker) - given the lack of firewall integration and loosing some of the ipv4 capabilities like for example - outboud masquerade.

Would love to know the panel thoughts on “Security and Architecture Challenges On ipv6 Cluster”

walidshaari · October 10, 2020, 6:08pm

In a regulated enterprise settings, is it better to have an air-gapped Kubernetes? knowing that images, and updates will be an overwhelming overhead? how about partial, that is limiting internet access to known vendor registries not dockerhub and just upstream 3rd party Kubernetes and security vendors?
What Kubernetes security tools work best in air-gapped environment? does not require to get updates online, but could be done via an offline process e.g trivy CVE updates offline
What are your three best security practices, tooling, people to follow?

Er1ck · October 16, 2020, 6:45pm

Two questions…

How many honks is too many?
How are newly disclosed CVEs best handled in a K8s environment?

walidshaari · October 17, 2020, 12:54pm

1- How many honks are too many?
it depends

Topic	Replies	Views
Kubernetes Podcast from Google: Research, Steering and Honking, with Bob Killen General Discussions	402	October 21, 2020
Kubernetes Podcast: Kubernetes CVE-2018-1002105, with Jordan Liggitt General Discussions podcast	656	December 18, 2018
Kubernetes Podcast: SIG-Node, with Dawn Chen General Discussions podcast	865	September 26, 2018
Kubernetes Podcast: Kubernetes SIG-PM, with Ihor Dvoretskyi General Discussions podcast	718	September 19, 2018
Kubernetes Podcast from Google: KubeCon NA 2020, with Stephen Augustus General Discussions podcast	1013	November 18, 2020

Call for Questions! sig-HONK AMA KubeCon NA keynote panel

Related Topics