https://kubernetespodcast.com/episode/065-attacking-and-defending-kubernetes/
Ian Coldwater specializes in breaking and hardening Kubernetes, containers, and cloud native infrastructure. A pre-eminent voice in the Kubernetes security community, they are currently a Lead Platform Security Engineer at Heroku. Ian joins Adam and Craig to talk about the offensive and defensive arts.
Do you have something cool to share? Some questions? Let us know:
- web: kubernetespodcast.com
- mail: kubernetespodcast@google.com
- twitter: @kubernetespod
Chatter of the week
News of the week
- Mesosphere becomes D2iQ
- Google Cloud launches Migrate for Anthos in Beta
- Google Cloud Game Servers coming soon
- Announcing Kubernetes Summits in Seoul and Sydney
- Security updates of the week
- IBM and Red Hat:
- Cisco Container Platform now supports Microsoft AKS
- Helm deployments at the Kubedex
- How Kubernetes can be used for genetic analysis, by Mu Huan and Eric Li of Alibaba Cloud
- Announcing CloudBees Jenkins X Distribution
- TiDB Operator now Generally Available
Links from the interview
- Red teams and penetration testing
- Fuzzing
- Attacking Helm’s Tiller
- Black-box and white-box testing
- DevSecOps: guard rails, not gates
- OWASP - the Open Web Application Security Project
- The math behind calculating security risk
- CVSS score
- etcd: encrypt it at rest!
- Admission control
- Technologies for isolation:
  - AppArmor
  - Seccomp
  - gVisor
  - Firecracker (not yet supported with Kubernetes)
- “Kubernetes is powerful, and it’s insecure by design”
- Threat modelling
- hostPath - “a powerful escape hatch”
- Trail of Bits blog: understanding Docker container escapes
- Recommended watching:
  - Ship of Fools by Ian Coldwater (slides)
  - Hacking and Hardening Kubernetes by Example by Brad Geesaman (slides)
  - A Hacker's Guide to Kubernetes and the Cloud by Rory McCune (and his upcoming Black Hat training)
  - DIY Pen Testing for your Kubernetes Cluster by Liz Rice (our guest on episode 19)
- Ian Coldwater on Twitter
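The hostPath, admission control and isolation links above are pointers only, so here is an added example of the kind of check a validating admission webhook performs on a pod spec. It is not code from the episode, its guests, Heroku or the Kubernetes project. It flags hostPath volumes, host namespaces, privileged containers and CAP_SYS_ADMIN, denies the combinations that amount to a node escape, and only warns on a mundane hostPath so the policy acts as a guard rail rather than a gate. The three pod manifests, the list of sensitive host paths and the deny/warn split are assumptions constructed for the example.

```python
"""
Admission-style audit of v1 Pod manifests for the node "escape hatches" the
episode links cover: hostPath volumes, host namespaces, privileged containers.
Added example for this page, not code from the podcast, Heroku or Kubernetes.
The manifests, the sensitive-path list and the deny/warn split are assumptions.
"""
from typing import Dict, List, Tuple

# Host paths whose mount alone hands the pod control of the node (root fs,
# container runtime socket, kubelet state, kernel interfaces). Assumed list.
SENSITIVE_HOST_PATHS = ("/", "/etc", "/proc", "/sys",
                        "/var/lib/kubelet", "/var/run/docker.sock")

Finding = Tuple[str, str]  # (severity: "deny" or "warn", message)


def _under(path: str, prefix: str) -> bool:
    """True if path equals prefix or lies beneath it ("/" matches only "/")."""
    path = path.rstrip("/") or "/"
    prefix = prefix.rstrip("/") or "/"
    if prefix == "/":
        return path == "/"
    return path == prefix or path.startswith(prefix + "/")


def audit_pod(pod: Dict) -> List[Finding]:
    """Return every escape-hatch setting found in a Pod manifest given as a dict."""
    spec = pod.get("spec", {})
    findings: List[Finding] = []

    # hostPath: any use bypasses the container's filesystem isolation; mounting
    # a sensitive path is an outright node compromise.
    for vol in spec.get("volumes", []) or []:
        hp = vol.get("hostPath")
        if not hp:
            continue
        path = hp.get("path", "")
        if any(_under(path, p) for p in SENSITIVE_HOST_PATHS):
            findings.append(("deny", f"volume {vol.get('name')!r}: hostPath {path!r} exposes the node"))
        else:
            findings.append(("warn", f"volume {vol.get('name')!r}: hostPath {path!r} bypasses pod isolation"))

    # Host namespaces: hostPID exposes every process on the node to the pod
    # (and, with privileged, lets it nsenter them); hostNetwork/hostIPC likewise.
    for key in ("hostPID", "hostNetwork", "hostIPC"):
        if spec.get(key):
            findings.append(("deny", f"spec.{key} is true"))

    # Privileged containers get all capabilities and device access; CAP_SYS_ADMIN
    # on its own is enough for the mount-based escapes.
    for c in (spec.get("containers", []) or []) + (spec.get("initContainers", []) or []):
        sc = c.get("securityContext") or {}
        if sc.get("privileged"):
            findings.append(("deny", f"container {c.get('name')!r} is privileged"))
        if "SYS_ADMIN" in ((sc.get("capabilities") or {}).get("add") or []):
            findings.append(("deny", f"container {c.get('name')!r} adds CAP_SYS_ADMIN"))
    return findings


def admit(pod: Dict) -> Tuple[bool, List[Finding]]:
    """Admission decision: deny on any 'deny' finding, allow (with warnings) otherwise."""
    findings = audit_pod(pod)
    return (not any(sev == "deny" for sev, _ in findings), findings)


# Constructed sample manifests (not from the page): a textbook node escape, a
# log collector with a mundane read-only hostPath, and a plain workload.
ESCAPE_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "node-escape"},
    "spec": {
        "hostPID": True,
        "containers": [{"name": "shell", "image": "busybox", "command": ["sleep", "infinity"],
                        "securityContext": {"privileged": True},
                        "volumeMounts": [{"name": "host-root", "mountPath": "/host"}]}],
        "volumes": [{"name": "host-root", "hostPath": {"path": "/"}}],
    },
}
LOG_COLLECTOR_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "log-collector"},
    "spec": {
        "containers": [{"name": "agent", "image": "example/log-agent",
                        "volumeMounts": [{"name": "varlog", "mountPath": "/var/log", "readOnly": True}]}],
        "volumes": [{"name": "varlog", "hostPath": {"path": "/var/log"}}],
    },
}
BENIGN_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "web"},
    "spec": {
        "containers": [{"name": "web", "image": "nginx",
                        "securityContext": {"allowPrivilegeEscalation": False,
                                            "capabilities": {"drop": ["ALL"]}},
                        "volumeMounts": [{"name": "cache", "mountPath": "/var/cache/nginx"}]}],
        "volumes": [{"name": "cache", "emptyDir": {}}],
    },
}

if __name__ == "__main__":
    for pod in (ESCAPE_POD, LOG_COLLECTOR_POD, BENIGN_POD):
        allowed, findings = admit(pod)
        print(f"{pod['metadata']['name']}: {'ALLOW' if allowed else 'DENY'}")
        for sev, msg in findings:
            print(f"  [{sev}] {msg}")
```

In a cluster this logic sits behind a ValidatingWebhookConfiguration and reads the pod out of the AdmissionReview request instead of a dict built in the file; the settings it checks are the same ones the restricted Pod Security Standard forbids, and a read-only hostPath under /var/log is the usual case where a warning rather than a denial keeps node-level agents working.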