Call for Questions! sig-HONK AMA KubeCon NA keynote panel

coldwater · October 6, 2020, 10:27pm

Hello world! We are giving an Ask Me Anything keynote at KubeCon NA 2020, and we are calling for questions to be answered during our panel, SIG-Honk AMA Panel: Hacking and Hardening in the Cloud Native Garden. What would you like to ask us? We would like to answer!

Who we are
sig-HONK is @coldwater, @Brad_Geesaman, @raesene, @mauilion
We are a gaggle of friends who come from a bunch of different backgrounds in systems and security and have collectively worked to increase the understanding and security of Kubernetes over the years.

What we need from you
Review the responses in this thread. If there is a question that is important to you it!
If there’s something else you’d like to see answered, add your question below.

What will happen?
We will be reviewing the questions and choosing from them on October 17th. The questions selected will be answered in the keynote. Let us know if you’d like your name/handle mentioned if your question is selected, and we’ll answer it as best we can.

Thank you all so much for participating in this thread, and in KubeCon North America 2020!

See you there!
~sig-HONK

mauilion · October 7, 2020, 6:21pm

What tooling to do recommend for exploring kubernetes codebase?

marc.boorshtein · October 7, 2020, 7:19pm

Many of the attacks described in the preso on APT in k8s start with privileged access. Whats the most likely ways an attacker will get their hands on credentials that can be used against a cluster and what are different ways to prevent that?

jimangel · October 7, 2020, 8:48pm

What would ya’ll consider to be the top tools / methods for evaluating the attack surface of a “vanilla” cluster? Specifically from the outside probing in and workloads running internal.

I’m interested in practical tests over best practices; but happy to hear both

sam17 · October 8, 2020, 5:47am

What are the security and architectural challenges you guys have had come across on ipv6/dualstack k8s cluster dealing with container’s (docker) - given the lack of firewall integration and loosing some of the ipv4 capabilities like for example - outboud masquerade.

Would love to know the panel thoughts on “Security and Architecture Challenges On ipv6 Cluster”

walidshaari · October 10, 2020, 6:08pm

In a regulated enterprise settings, is it better to have an air-gapped Kubernetes? knowing that images, and updates will be an overwhelming overhead? how about partial, that is limiting internet access to known vendor registries not dockerhub and just upstream 3rd party Kubernetes and security vendors?
What Kubernetes security tools work best in air-gapped environment? does not require to get updates online, but could be done via an offline process e.g trivy CVE updates offline
What are your three best security practices, tooling, people to follow?

Er1ck · October 16, 2020, 6:45pm

Two questions…

How many honks is too many?
How are newly disclosed CVEs best handled in a K8s environment?

walidshaari · October 17, 2020, 12:54pm

1- How many honks are too many?
it depends

Topic		Replies	Views
Kube-hunter: open source pen-testing for Kubernetes Announcements	1	1249	August 16, 2018
Office Hours for Jan 2021 General Discussions office-hours	0	866	January 20, 2021
Heads up, Tim Hockin is doing a Kubernetes Ask Me Anything on Reddit General Discussions	0	695	June 5, 2019
Kubernetes Prod Readiness: Help by filling out a quick survey General Discussions	0	1726	February 3, 2020
A Blog Post on Encrypting Communications between Kubernetes Objects General Discussions development , security	0	533	January 27, 2021

Call for Questions! sig-HONK AMA KubeCon NA keynote panel

Related Topics