Attacking and Defending Kubernetes, with Ian Coldwater

Kubernetes Podcast from Google

Episode | Podcast

Date: Tue, 06 Aug 2019 14:46:12 +0000

<p><a href="">Ian Coldwater</a> specializes in breaking and hardening Kubernetes, containers, and cloud native infrastructure. A pre-eminent voice in the Kubernetes security community, they are currently a Lead Platform Security Engineer at Heroku. Ian joins <a href="">Adam and Craig</a> to talk about the offensive and defensive arts.</p> <p>Do you have something cool to share? Some questions? Let us know:</p> <ul> <li>web: <a href=""></a></li> <li>mail: <a href=""></a></li> <li>twitter: <a href="">@kubernetespod</a></li> </ul> <h3 id="chatter-of-the-week">Chatter of the week</h3> <ul> <li><a href="">Black Hat USA</a></li> <li><a href="">DEFCON</a> <ul> <li><a href="">Scavenger hunts</a></li> <li><a href=""> An example of Spot the Fed</a></li> <li><a href="">An example of the Mystery Challenge</a></li> </ul> </li> </ul> <h3 id="news-of-the-week">News of the week</h3> <ul> <li><a href=""> Mesosphere becomes D2iQ</a></li> <li><a href=""> Google Cloud launches Migrate for Anthos in Beta</a></li> <li><a href="">Google Cloud Game Servers coming soon</a> <ul> <li><a href="">Episode 26: Agones, with Mark Mandel and Cyril Tovena</a></li> </ul> </li> <li><a href=""> Announcing Kubernetes Summits in Seoul and Sydney</a></li> <li><a href="!topic/kubernetes-security-announce/vUtEcSEY6SM"> Security updates of the week</a> <ul> <li><a href="">CVE-2019-11247: API server allows access to custom resources via wrong scope</a></li> <li><a href="">CVE-2019-11249: kubectl cp</a> (round 3!)</li> </ul> </li> <li>IBM and Red Hat: <ul> <li><a href="">OpenShift on IBM Cloud</a></li> <li><a href=""> OpenShift coming to Z Series and LinuxONE</a></li> <li><a href=""> Cloud Paks and services</a></li> </ul> </li> <li><a href="">Cisco Container Platform now supports Microsoft AKS</a></li> <li><a href="">Helm deployments at the Kubedex</a></li> <li><a href=""> How Kubernetes can be used for genetic analysis</a> by Mu Huan and Eric Li Alibaba Cloud</li> <li><a href=""> Announcing CloudBees Jenkins X Distribution</a> <ul> <li><a href=""> Episode 44, Continuous Delivery Foundation, with Tracy Miranda</a></li> </ul> </li> <li><a href=""> TiDB Operator now Generally Available</a></li> </ul> <h3 id="links-from-the-interview">Links from the interview</h3> <ul> <li><a href="">Red teams</a> and <a href="">penetration testing</a></li> <li><a href="">Fuzzing</a></li> <li><a href=""> Attacking Helm’s Tiller</a></li> <li><a href="">Black-box</a> and <a href="">white-box</a> testing</li> <li><a href=""> DevSecOps: guard rails, not gates</a></li> <li><a href="">OWASP</a> - the Open Web Application Security Project</li> <li><a href=""> The math behind calculating security risk</a></li> <li><a href=""> CVSS score</a></li> <li><a href=""> etcd: encrypt it at rest!</a></li> <li><a href=""> Admission control</a></li> <li>Technologies for isolation: <ul> <li><a href="">AppArmor</a></li> <li><a href=""> Seccomp</a></li> <li><a href="">gVisor</a></li> <li><a href="">Firecracker</a> (not yet supported with Kubernetes)</li> </ul> </li> <li>“Kubernetes is powerful, and it’s insecure by design” <ul> <li><a href=""> Ian and Duffie Cooley’s BlackHat talk</a></li> <li><a href="">Cloud doesn’t make it better!</a></li> </ul> </li> <li><a href="">Threat modelling</a></li> <li><a href="">hostpath</a> - “a powerful escape hatch” <ul> <li><a href=""> Trail of Bits blog</a>: understanding Docker container escapes</li> </ul> </li> <li>Recommended watching: <ul> <li><a href="">Ship of Fools</a> by Ian Coldwater (<a href="">slides</a>)</li> <li><a href="">Hacking and Hardening Kubernetes by Example</a> by Brad Geesaman (<a href="">slides</a>)</li> <li><a href="">A Hackers Guide to Kubernetes and the Cloud</a> by Rory McCune (and his <a href=""> upcoming Black Hat training</a>)</li> <li><a href="">DIY Pen Testing for your Kubernetes Cluster</a> by Liz Rice (<a href="">our guest on episode 19</a>)</li> </ul> </li> <li><a href="">Ian Coldwater on Twitter</a></li> </ul>