Talks

What happens if an attacker escapes a container and compromises your node? Is it game over for the whole cluster, or can you limit the blast radius? Whether it be for defense in depth or multi-tenancy, it is important to understand the security boundaries in your cluster. In this talk, we’ll discuss various isolation approaches and evaluate them through the eyes of an attacker who has compromised a node and is looking to propagate.

We’ll deep dive on ‘node isolation’: using Kubernetes scheduling to execute workloads on separate nodes, and demonstrate live attacks and defences to educate about strengths and weaknesses of this strategy. We’ll also discuss progress made by SIG-Auth in this area over the past few releases. After this talk you will understand when node isolation is or isn’t an appropriate security mechanism, the steps to implement it, and what some alternatives are.

Last year we presented on the state of Kubernetes Security across the past, present, and future. This year, we’ll continue that tradition by:

• Reviewing the major security vulnerabilities and milestones of 2019
• Reviewing progress on the Big Problems we highlighted in 2018, and highlighting other work in progress
• Looking forward to 2020 with predictions of major themes and open issues

Container orchestration enables higher bin-packing and utilization of machines, but native linux containers do not offer the same degree of isolation between workloads as separate VM instances can. Attackers could abuse this lack of isolation to move through a Kubernetes cluster after gaining a foothold in a container. Fortunately, there are many tools in the defenders’ toolbox that can be applied across multiple levels of the stack.

In this survey talk, we will look at several recent or upcoming advancements in container isolation. You will learn about new kernel features, several “sandboxing” approaches, and features being developed in Kubernetes to harden the Pod and Node boundaries. After the talk you will have a better understanding of how to secure your Kubernetes applications and clusters with the latest features.

First, we’ll stroke your egos by reviewing the history of Kubernetes security and marvelling in the progress we’ve made. Next, we’ll examine some of the hottest new features, and how you might be affected. We’ll conclude with a call to arms by highlighting a few of the most gnarly issues on the horizon.

How much isolation can you reasonably expect between two applications in the same cluster? Should every application have its own namespace? Every service? Between containers, pods, nodes, namespaces, and even clusters, it can be hard to know how to architect a secure system, and what layers of isolation can be depended on.

In this talk we will start at the bottom and build up. You will learn which resources are isolated between two containers in the same pod, and which are not. From there we will explore what changes as the workloads are increasingly separated. You will see examples of real-world attacks, and how these attacks are mitigated at different layers of the stack. By the end, you will have a better understanding of how workloads can and should be separated for your own threat models.

What is a “secure pod”? What does it mean for a Kubernetes workload to have strong isolation? With the announcement of Kata Containers and the overflowing multitenancy deep-dive at the last Kubecon, it’s clear that these topics are building momentum.

This talk will cover the current state of container isolation and why there is a need for technologies like hypervisor-based containers in order to provide stronger security boundaries. It will also include a discussion of how these technologies fit into Kubernetes and a roadmap for secure pods.

This is a rapidly evolving area, and Tim anticipates that a proposal for secure pods will be finalized by May. This talk will be shaped by the status or outcome of that proposal.