Kubernetes Podcast: Shopify and Security, with Jon Pulsifer

https://kubernetespodcast.com/episode/017-shopify-security/
Jon Pulsifer is a Production Security Engineer at Shopify, and Canada’s biggest Kubernetes fan. Adam and Craig dig into why, and what Adam’s new mode of transport is going to be.

Do you have something cool to share? Some questions? Let us know:

• web: kubernetespodcast.com
• mail: kubernetespodcast@google.com
• twitter: @kubernetespod

Chatter

• Sling TV using Kubernetes
  • Tesla using Kubernetes?
• MITMproxy, Charles and Fiddler
  • Intercept HTTP traffic exiting a docker container
• Adam has a lot of EconoLodge points
  • Not as many as Software Defined Talk hosts Matt Ray and Michael Coté
  • Craig thinks he should spend them on the Pepsi jet as seen in this wonderful video

News of the week

• Service Networking in a Hybrid Infrastructure by Praveen Shukla from GoJek
• KubeCon and CloudNativeCon China
  • Craig’s session
• 7 best practices for operating containers by Théo Chamley from Google Cloud
• kustomize on Homebrew for macOS
• Understanding the Container Storage Interface (CSI) by Anoop Vijayan Maniankara
• The Istio 1.0 Release Stream or jump straight to the part with Dan Ciruli from episode 15

Links from the interview

• Royal Canadian Navy - Canadian Forces NOC
• SANS institute and instructors
• Jon Pulsifer is a Production Security Engineer at Shopify
  • Why Shopify Moved to The Production Engineering Model
  • Production Engineering from Facebook
  • SRE from Google
  • They’re hiring!
• Shopify’s adopting Kubernetes and Google Cloud
• The evolution of Kubernetes security
  • Before RBAC, you used to have to mount an empty directory over the service account to disable access to it
  • seccomp and AppArmor
  • RBAC
  • PodSecurityPolicy
  • gVisor and Kata Containers
  • Planning for Secure Container Isolation in Kubernetes
  • RuntimeClass enhancement proposal
• Binary Authorization
  • Launch blog post
  • Kritis - open source reference implementation of Binary Authorization (the judge)
  • Grafaes - API spec for Container Analysis API
  • Shopify Voucher, a tool that creates attestations for Binary Authorization and prevents the deployment of images that don’t meet Shopify’s security requirements.
  • Jon’s talk on Binary Authorization at Google Cloud Next: Securing the Software Supply Chain
• Shopify’s $25,000 Kubernetes bug bounty payout
  • What is a server-side request forgery?
• Getting started with security by reading kubesec.io
• Around Ottawa
  • Kubernetes Ottawa meetup
  • GDG Cloud Ottawa
  • Jon’s car
• Jon Pulsifer on Twitter