Shopify and Security, with Jon Pulsifer

Kubernetes Podcast from Google


Date: Tue, 21 Aug 2018 16:26:35 +0000

<p><a href="">Jon Pulsifer</a> is a Production Security Engineer at <a href="">Shopify</a>, and Canada’s biggest Kubernetes fan. <a href="">Adam and Craig</a> dig into why, and what Adam’s new mode of transport is going to be.</p> <p>Do you have something cool to share? Some questions? Let us know:</p> <ul> <li>web: <a href=""></a></li> <li>mail: <a href=""></a></li> <li>twitter: <a href="">@kubernetespod</a></li> </ul> <h3 id="chatter">Chatter</h3> <ul> <li><a href="">Sling TV using Kubernetes</a> <ul> <li><a href="">Tesla using Kubernetes?</a></li> </ul> </li> <li><a href="">MITMproxy</a>, <a href="">Charles</a> and <a href="">Fiddler</a> <ul> <li><a href="">Intercept HTTP traffic exiting a docker container</a></li> </ul> </li> <li>Adam has a lot of <a href="">EconoLodge</a> points <ul> <li>Not as many as <a href="">Software Defined Talk</a> hosts <a href="">Matt Ray</a> and <a href="">Michael Coté</a></li> <li>Craig thinks he should spend them on the <a href=",_Inc.">Pepsi jet</a> as seen in this <a href="">wonderful video</a></li> </ul> </li> </ul> <h3 id="news-of-the-week">News of the week</h3> <ul> <li><a href="">Service Networking in a Hybrid Infrastructure</a> by <a href="">Praveen Shukla</a> from GoJek</li> <li><a href="">KubeCon and CloudNativeCon China</a> <ul> <li><a href="">Craig’s session</a></li> </ul> </li> <li><a href="">7 best practices for operating containers</a> by Théo Chamley from Google Cloud</li> <li><a href="">kustomize on Homebrew for macOS</a></li> <li><a href="">Understanding the Container Storage Interface (CSI)</a> by Anoop Vijayan Maniankara</li> <li>The <a href="">Istio 1.0 Release Stream</a> or jump straight to <a href="">the part with Dan Ciruli</a> from <a href="">episode 15</a></li> </ul> <h3 id="links-from-the-interview">Links from the interview</h3> <ul> <li><a href="">Royal Canadian Navy</a> - Canadian Forces NOC</li> <li><a href="">SANS institute</a> and <a href="">instructors</a></li> <li><a href="">Jon Pulsifer</a> is 
a Production Security Engineer at <a href="">Shopify</a> <ul> <li><a href="">Why Shopify Moved to The Production Engineering Model</a></li> <li><a href="">Production Engineering from Facebook</a></li> <li><a href="">SRE from Google</a></li> <li><a href="">They’re hiring!</a></li> </ul> </li> <li><a href="">Shopify’s adopting Kubernetes and Google Cloud</a></li> <li>The evolution of Kubernetes security <ul> <li>Before RBAC, you used to have to <a href="">mount an empty directory over the service account</a> to disable access to it</li> <li><a href="">seccomp and AppArmor</a></li> <li><a href="">RBAC</a></li> <li><a href="">PodSecurityPolicy</a></li> <li><a href="">gVisor</a> and <a href="">Kata Containers</a></li> <li><a href="">Planning for Secure Container Isolation in Kubernetes</a></li> <li><a href="">RuntimeClass</a> enhancement proposal</li> </ul> </li> <li><a href="">Binary Authorization</a> <ul> <li><a href="">Launch blog post</a></li> <li><a href="">Kritis</a> - open source reference implementation of Binary Authorization (the judge)</li> <li><a href="">Grafeas</a> - API spec for Container Analysis API</li> <li><a href="">Shopify Voucher</a>, a tool that creates attestations for Binary Authorization and prevents the deployment of images that don’t meet Shopify’s security requirements.</li> <li>Jon’s talk on Binary Authorization at Google Cloud Next: <a href="">Securing the Software Supply Chain</a></li> </ul> </li> <li><a href="">Shopify’s $25,000 Kubernetes bug bounty payout</a> <ul> <li><a href="">What is a server-side request forgery?</a></li> </ul> </li> <li>Getting started with security by reading <a href=""></a></li> <li>Around Ottawa <ul> <li><a href="">Kubernetes Ottawa meetup</a></li> <li><a href="">GDG Cloud Ottawa</a></li> <li><a href="">Jon’s car</a></li> </ul> </li> <li><a href="">Jon Pulsifer on Twitter</a></li> </ul>