Security and Snyk, with Kamil Potrec

Kubernetes Podcast from Google


Date: Wed, 03 Mar 2021 09:55:27 +0000

<p><a href="https://www.linkedin.com/in/kamilpotrec/">Kamil Potrec</a> is a Senior Security Engineer at Snyk, working on security around Kubernetes and cloud platforms. He joins the show to discuss how to think about securing your infrastructure, the different arts (and colors) of offensive and defensive security, and what not to lose sleep over.</p>

<p>Do you have something cool to share? Some questions? Let us know:</p>
<ul>
<li>web: <a href="https://kubernetespodcast.com">kubernetespodcast.com</a></li>
<li>mail: <a href="mailto:kubernetespodcast@google.com">kubernetespodcast@google.com</a></li>
<li>twitter: <a href="https://twitter.com/kubernetespod">@kubernetespod</a></li>
</ul>

<h3 id="chatter-of-the-week">Chatter of the week</h3>
<ul>
<li><a href="https://kubernetespodcast.com/episode/023-ci-and-cd/">Episode 23, with Andrew Phillips and Lars Wander</a></li>
<li><a href="https://twitter.com/craigbox/status/713788846312398849">A pile of mail and a bike</a></li>
</ul>

<h3 id="news-of-the-week">News of the week</h3>
<ul>
<li><a href="https://www.openshift.com/blog/red-hat-openshift-4.7-is-now-available">Red Hat OpenShift 4.7 is GA</a></li>
<li><a href="https://www.fairwinds.com/blog/fairwinds-insights-3.0">Fairwinds Insights 3.0</a></li>
<li><a href="https://groups.google.com/g/envoy-security-announce/c/Hp16L27L00Q">Envoy zero-day patched</a>
<ul>
<li><a href="https://istio.io/latest/news/security/istio-security-2021-001/">Istio security bulletin</a></li>
</ul>
</li>
<li><a href="https://sysdig.com/blog/sysdig-contributes-falco-kernel-ebpf-cncf/">Sysdig contributes Falco kernel module and eBPF probe to the CNCF</a></li>
<li><a href="https://storageos.com/a-new-funding-round-opens-a-world-of-possibilities-for-storageos">StorageOS raises $10m in Series B</a></li>
<li><a href="https://platform9.com/press/platform9-raises-additional-series-d-funding-led-by-wrvi-capital-reports-145percent-yoy-growth-in-saas-managed-kubernetes/">Platform9 raises $12.5m in Series D</a></li>
<li><a href="https://www.cncf.io/blog/2021/03/01/relaunching-kubernetes-community-days-with-kcd-africa-bengaluru/">CNCF relaunches Kubernetes Community Days with KCD Africa and Bengaluru</a></li>
</ul>

<h3 id="links-from-the-interview">Links from the interview</h3>
<ul>
<li><a href="https://en.wikipedia.org/wiki/American_football#Offensive_unit">Offensive unit in American Football</a></li>
<li><a href="https://knowyourmeme.com/memes/handegg">Hand-egg</a></li>
<li><a href="https://www.crowdstrike.com/cybersecurity-101/red-team-vs-blue-team/">Red and blue teams</a></li>
<li><a href="https://en.wikipedia.org/wiki/Unreal_Tournament">Unreal Tournament</a></li>
<li><a href="https://en.wikipedia.org/wiki/Capture_the_flag">Capture the flag</a></li>
<li><a href="https://kubernetes.io/docs/concepts/configuration/secret/">Kubernetes Secrets</a>
<ul>
<li><a href="https://github.com/kubernetes/community/blob/master/contributors/design-proposals/auth/secrets.md">Design document</a></li>
<li><a href="https://cloud.google.com/kubernetes-engine/docs/how-to/encrypting-secrets">Encrypting Secrets at the application layer on GKE</a></li>
</ul>
</li>
<li><a href="https://en.wikipedia.org/wiki/Antivirus_software">Antivirus software</a></li>
<li><a href="https://www.youtube.com/watch?v=SXmv8quf_xM">Tracer-tee</a></li>
<li><a href="https://en.wikipedia.org/wiki/2020_United_States_federal_government_data_breach">SolarWinds attack</a></li>
<li><a href="https://www.cs.cmu.edu/~rdriley/487/papers/Thompson_1984_ReflectionsonTrustingTrust.pdf">Reflections on Trusting Trust</a> by Ken Thompson</li>
<li><a href="https://qz.com/646467/how-one-programmer-broke-the-internet-by-deleting-a-tiny-piece-of-code/">left-pad deleted from npm</a></li>
<li><a href="https://snyk.io/product/open-source-security-management/">Snyk Open Source</a>
<ul>
<li><a href="https://github.com/snyk/snyk">The open source parts</a></li>
</ul>
</li>
<li><a href="https://snyk.io/vuln">Snyk vulnerability database</a></li>
<li><a href="http://cve.mitre.org/">MITRE CVE database</a></li>
<li><a href="https://snyk.io/learn/kubernetes-security/">Kubernetes security at Snyk</a></li>
<li><a href="https://cloud.google.com/binary-authorization">Binary Authorization: deploy only trusted containers to GKE</a></li>
<li><a href="https://owasp.org/www-community/Threat_Modeling">Application threat modeling</a></li>
<li><a href="https://speakerdeck.com/ianlewis/kubernetes-security-best-practices">Kubernetes security best practices</a>, including security contexts, AppArmor, gVisor and more</li>
<li><a href="https://groups.google.com/g/kubernetes-announce/c/GPpZzVtGwiI/m/mN2nRETUAgAJ">CVE-2020-8554: man-in-the-middle attack via Services with ExternalIPs</a></li>
<li><a href="https://unit42.paloaltonetworks.com/cve-2020-14386/">CVE-2020-14386: Linux AF_PACKET (packet socket) memory corruption, reachable by unprivileged users where unprivileged user namespaces are enabled</a>
<ul>
<li>Earlier related work: <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7308">CVE-2017-7308</a> and <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8655">CVE-2016-8655</a></li>
<li><a href="https://googleprojectzero.blogspot.com/2017/05/exploiting-linux-kernel-via-packet.html">Project Zero writeup</a></li>
</ul>
</li>
<li><a href="https://www.infoq.com/presentations/os-rust/">Rewrite it in Rust</a><a href="https://github.com/ansuz/RIIR">!</a></li>
<li><a href="https://www.linkedin.com/in/kamilpotrec/">Kamil Potrec</a> on LinkedIn</li>
</ul>