Call for Questions! sig-HONK AMA KubeCon NA keynote panel

Hello world! We are giving an Ask Me Anything keynote at KubeCon NA 2020, and we are calling for questions to be answered during our panel, SIG-Honk AMA Panel: Hacking and Hardening in the Cloud Native Garden. What would you like to ask us? We would like to answer!

Who we are
sig-HONK is @coldwater, @Brad_Geesaman, @raesene, @mauilion
We are a gaggle of friends who come from a bunch of different backgrounds in systems and security and have collectively worked to increase the understanding and security of Kubernetes over the years.

What we need from you
Review the responses in this thread. If there is a question that is important to you :heart: it!
If there’s something else you’d like to see answered, add your question below.

What will happen?
We will be reviewing the questions and choosing from them on October 17th. The questions selected will be answered in the keynote. Let us know if you’d like your name/handle mentioned if your question is selected, and we’ll answer it as best we can.

Thank you all so much for participating in this thread, and in KubeCon North America 2020!

See you there!


What tooling do you recommend for exploring the Kubernetes codebase?


Many of the attacks described in the preso on APT in k8s start with privileged access. What are the most likely ways an attacker will get their hands on credentials that can be used against a cluster, and what are the different ways to prevent that?


What would y'all consider to be the top tools / methods for evaluating the attack surface of a "vanilla" cluster? Specifically, from the outside probing in, and from workloads running internally.

I’m interested in practical tests over best practices; but happy to hear both :slight_smile:


What are the security and architectural challenges you guys have come across on IPv6/dual-stack k8s clusters dealing with containers (Docker), given the lack of firewall integration and the loss of some of the IPv4 capabilities, for example outbound masquerade?

Would love to know the panel's thoughts on "Security and Architecture Challenges on IPv6 Clusters".

  • In regulated enterprise settings, is it better to have an air-gapped Kubernetes, knowing that images and updates will be an overwhelming overhead? How about a partial approach, that is, limiting internet access to known vendor registries (not Docker Hub) and just upstream third-party Kubernetes and security vendors?

  • What Kubernetes security tools work best in an air-gapped environment? That is, tools that do not require getting updates online but can be updated via an offline process, e.g. trivy CVE updates offline.

  • What are your three best security practices, tools, and people to follow?


Two questions…

  1. How many honks is too many?
  2. How are newly disclosed CVEs best handled in a K8s environment?

1. How many honks are too many?
It depends.