The Art of Cloud Native Defense
PILLARS OF KUBERNETES SECURITY
Intro
About Me - Jacopo Nardiello
How to get in touch with me: @jnardiello
Reach out if you want to talk about:
- Infrastructure Automation & Cloud Native stuff (not just Kubernetes)
- Practices, TDD, Testing
- How to structure teams and your organization (Thanks! Stockholm Syndrome)
Feedback, feedback, feedback & I love to discuss. Find me around the conference venue and let’s talk!
Founder & CEO SIGHUP
- CNCF Ambassador
- Linux Foundation Europe Founding Advisory Board
- Infra engineer, automation freak, cowboy entrepreneur
- Dad of 2 kiddos
About us
SIGHUP IS AN ENGINEERING FIRM AND ENTERPRISE OPEN SOURCE COMPANY
FOCUSED AND SPECIALIZED IN KUBERNETES AND INFRASTRUCTURE AUTOMATION.
We help enterprises and organizations during their Cloud Native journey towards software-defined
infrastructures and DevOps, leveraging the competitive advantage provided by automation.
We have been crazy enough, since 2017, to create Kubernetes Fury Distribution - a maintained
Kubernetes-based platform providing Enterprise-grade support on upstream CNCF technologies.
In March 2024 we were fully acquired by ReeVo - Secure Cloud & CyberSecurity.
First things first…
Thank you for surviving the day (and for attending this session)
Please:
- Rate my talk
- Provide constructive feedback
- Don’t be an a*hole
- I love human interactions (I’m a devops weirdo!): if you have questions or there’s anything you want to discuss, reach out after the talk!
https://community.cncf.io/kcd-italy/
KCD Italy
What you will learn in this session
- Understand exactly what “Security” means in the context of Cloud Native and Kubernetes
- What matters, what doesn’t and where to focus
- Provide you with a high-level, yet actionable framework and learning topics
- We will try to keep it open and simple
- I will not sell you anything
- I will not position any paid enterprise tool
- I will focus on open standards and avoid all confusing or exotic solutions/tools
The state of Cloud Native
- The great orchestration war (2016 a.c.)
- Kubernetes as a new standard and the rise of a new foundation: CNCF (2017 a.c.)
- CNCF landscape and a new ecosystem of emerging standards (2018-2019 a.c.)
- The mighty landscape consolidation (2019-2021 a.c.)
This brings us today…
The state of Cloud Native
2022/2023, the year of Platforms
- IDPs
- A natural evolution of all the things we called devops for the past 10y
- Fueled by remote work, supposedly leaner processes and digital accelerationism demanded by management
- Kubernetes-as-a-silver-bullet for digital transformation (whatever that means)
The good news: we are in prod!
The bad news: we are in prod.
Kubernetes is reaching maturity.
Question is..
The maturity:
Credits: someone on linkedin
Kubernetes is reaching maturity
But there’s one thing that didn’t change…
WHAT NOW?
Credits: someone on linkedin
Sidenote: 💩 is hitting the fan
- The world is going to war 😔
- New regulatory push
We (the infra people) can’t ignore security anymore as a key component of the architectures we deliver and maintain.
2024: Chaos is now expanding to Security teams
Standard security practices:
- Threat modeling
- Red/Blue/Purple/Whatever teams
- Threat analysis and response
Welcome to hell:
- Ephemeral elastic workloads
- Api-driven architectures
- New paradigms that didn’t exist before (IaC, PaC, Operators & CRDs)
- Microservice architectures pushed to the extreme
These new challenges drift significantly from the standard skill set of traditional security teams.
What is Cloud Native Security?
A GPT Definition
A Definition
Key Ideas:
- Incorporate security practices into SDLC
- Security as a FOUNDATIONAL component
- Beyond securing cloud infrastructure
Identifying Key Macro Groups
There are 3 macro areas to cover when it comes to Kubernetes Security:
- Artefacts and dependencies management
How to track your dependencies (both application and system) and their vulnerabilities. How to patch them and reduce the probability of shipping compromised software.
- SDLC & pipelines
How to engineer your CI/CD pipelines so that they respect both your business and regulatory requirements, while reducing the probability of shipping compromised software to production.
- Security of Kubernetes workloads at runtime
Secure your production and non-production environments at runtime.
Each macro-area has its own unique set of challenges and solutions.
Supply Chain
Pillars of Cloud Native Security
A description of the Golden Pillars of Cloud Native Security
Follow the value chain
While we won’t deep dive on each pillar, we will focus on the key aspects and provide a checklist of important stuff you need to address.
Artefacts & Dependencies Management
Investigating Pillars 1 and 2
By definition, your Docker images isolate all the dependencies into a single, standardized artefact.
There are three sets of dependencies you must be aware of:
- Your application dependencies (software)
- Your system dependencies
- The dependencies you don’t know you have, embedded into your base images
Key critical facts to handle the security around your artefacts and dependencies:
- Ensure you have your SBOM (Software Bill of Materials)
Correctly track all your application and system container dependencies.
- Use secure base images and invest in your own
Ensure that your standard base image catalog meets your security requirements (community images might not be enough).
https://github.com/wolfi-dev
https://sighup.io/secure-containers/
https://www.chainguard.dev/chainguard-images
- Sign your images
Use technologies like cosign, notary or, more recently, OpenPubkey to sign your own artefacts and prevent tampering by malicious actors.
Safe builds & pipelines
Pillar 3
Secure pipelines have for a long time been the holy grail of anything devops/devsecops/secdevops/whateverops.
At @SIGHUP we have our own reference architecture (pictured left) and implementation, vendor and technology agnostic. The key universal role of CI/CD pipelines is one of gatekeeping and ensuring quality and regulatory compliance.
Key architectural aspects:
- Vulnerability checks on both your code and dependencies
https://trivy.dev
- Artifact build and signing (see Pillars 1 & 2)
- Push to safe, certified registries
- Linting, validation and other quality gatekeeping
- Policy enforcement; our tools of choice for this are OPA and Kyverno, and we are having a look at Otterize as a new point of view on policy management in Kubernetes
https://www.openpolicyagent.org
https://kyverno.io
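As an added example, not code from the talk or from SIGHUP's pipelines, here is the gate the bullets above describe, wired to the SBOM from Pillars 1 and 2: a Python script that reads a CycloneDX-style SBOM, matches each component's package URL against an advisory list and fails the build when anything at or above the chosen severity is still unpatched. The SBOM, the advisories (ADV-EXAMPLE-… placeholders, not real CVE ids), the package versions and the purely numeric version comparison are all constructed for illustration; a real pipeline would feed in the SBOM produced by the build (trivy or a similar tool can emit one) together with a real vulnerability feed, and would use ecosystem-aware version semantics.

```python
"""Added example: SBOM-driven vulnerability gate for a CI/CD pipeline.

Not the talk's or SIGHUP's code. The SBOM document and the advisories are
constructed inline so the script runs offline; the advisory ids are
placeholders, not real CVE numbers.
"""
import json
from typing import Dict, List, Tuple

SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed SBOM in CycloneDX JSON shape: an application dependency
# (pypi) and a system dependency (apk) living in the same container image.
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "requests", "version": "2.25.1",
         "purl": "pkg:pypi/requests@2.25.1"},
        {"type": "library", "name": "openssl", "version": "3.0.8-r0",
         "purl": "pkg:apk/alpine/openssl@3.0.8-r0"},
        {"type": "library", "name": "urllib3", "version": "2.2.1",
         "purl": "pkg:pypi/urllib3@2.2.1"},
    ],
})

# Constructed advisory feed: "every version below fixed_in is affected".
ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001", "ecosystem": "pypi", "name": "requests",
     "fixed_in": "2.31.0", "severity": "MEDIUM"},
    {"id": "ADV-EXAMPLE-0002", "ecosystem": "apk", "name": "openssl",
     "fixed_in": "3.0.9", "severity": "HIGH"},
    {"id": "ADV-EXAMPLE-0003", "ecosystem": "pypi", "name": "urllib3",
     "fixed_in": "2.0.7", "severity": "HIGH"},   # image already carries the fix
]


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '3.0.8-r0' into (3, 0, 8): drop the distro release suffix and
    keep the numeric part of each dotted segment. Good enough for the demo;
    real scanners use ecosystem-specific version semantics."""
    core = version.split("-")[0]
    parts = []
    for segment in core.split("."):
        digits = "".join(ch for ch in segment if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def parse_purl(purl: str) -> Tuple[str, str, str]:
    """Split 'pkg:type/namespace/name@version' into (type, name, version)."""
    body = purl[len("pkg:"):]
    path, _, version = body.partition("@")
    segments = path.split("/")
    return segments[0], segments[-1], version


def load_components(sbom_json: str) -> List[Tuple[str, str, str]]:
    """Extract (ecosystem, name, version) for every component with a purl."""
    doc = json.loads(sbom_json)
    return [parse_purl(c["purl"]) for c in doc.get("components", []) if "purl" in c]


def match_advisories(components, advisories) -> List[Dict[str, str]]:
    """Report each component whose version is older than the advisory fix."""
    findings = []
    for ecosystem, name, version in components:
        for adv in advisories:
            same_package = adv["ecosystem"] == ecosystem and adv["name"] == name
            if same_package and parse_version(version) < parse_version(adv["fixed_in"]):
                findings.append({
                    "id": adv["id"],
                    "package": f"{ecosystem}/{name}@{version}",
                    "fixed_in": adv["fixed_in"],
                    "severity": adv["severity"],
                })
    return findings


def gate(findings, fail_on: str = "HIGH") -> Tuple[bool, List[Dict[str, str]]]:
    """Pipeline decision: pass only if nothing at/above `fail_on` is open."""
    threshold = SEVERITY_RANK[fail_on]
    blocking = [f for f in findings if SEVERITY_RANK[f["severity"]] >= threshold]
    return len(blocking) == 0, blocking


if __name__ == "__main__":
    found = match_advisories(load_components(SBOM_JSON), ADVISORIES)
    for f in found:
        print(f"{f['severity']:<8} {f['id']}  {f['package']}  fixed in {f['fixed_in']}")
    passed, blocking = gate(found, fail_on="HIGH")
    print("gate:", "PASS" if passed else f"FAIL ({len(blocking)} blocking)")
```

Placed as a stage after the image build and before the push, a failing gate stops the artifact from ever reaching a certified registry; the `fail_on` threshold is the knob your business and regulatory requirements set, and the MEDIUM finding that passes the HIGH gate is exactly the kind of debt you still want tracked through the SBOM.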
In-cluster Security
Pillars 5-7, starting from the basics
Basic security in Kubernetes can be achieved using the native components present in any conformant Kubernetes cluster; more specifically, you must put great effort into correctly using the following primitives:
- RBAC
Set of permissions on Kubernetes objects defining “who can do what” in which namespace.
- A CNI plugin that introduces support for Network Policies
Regulating in-cluster network interactions and packet flow.
- Namespaces and quotas
Namespaces introduce segmentation in your cluster, providing base configurations, quotas and RBAC access to resources.
- Pod Security Standards & Admission
These define isolation policies, at namespace level, for pods running in your cluster.
- Ingress tuning and exposure
Ingresses are meant to expose your services to the outside world. Depending on which ingress controller you are working with, you can enforce rules, validation and much more on incoming requests.
- etcd data encryption and backups (self-managed Kubernetes only)
As etcd holds the state of your cluster, it is mandatory to make sure its data is encrypted at rest.
RTFM:
https://kubernetes.io/docs/concepts/security/
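The Pod Security Standards bullet is easiest to grasp by watching what the admission controller does with a concrete manifest. The following is an added example, not code from the talk, from SIGHUP or from Kubernetes itself: a Python model of Pod Security Admission that reads the namespace's `pod-security.kubernetes.io/enforce` label (the real label), applies a subset of the published baseline and restricted checks to a pod manifest, and admits or rejects it. The two pod manifests, their image names and the `payments` namespace are constructed; the check list is a faithful subset of the standard, not the complete one.

```python
"""Added example: a model of Pod Security Admission's namespace-level
enforcement. Not code from the talk, from SIGHUP or from Kubernetes itself:
it mirrors the published Pod Security Standards (baseline and restricted)
closely enough to show what the admission controller rejects, but it is a
subset of the real checks. Pod manifests are constructed inline."""
from typing import Dict, List, Tuple

ENFORCE_LABEL = "pod-security.kubernetes.io/enforce"   # real PSA label
# Volume types the restricted profile permits.
RESTRICTED_VOLUME_TYPES = {"configMap", "csi", "downwardAPI", "emptyDir",
                           "ephemeral", "persistentVolumeClaim", "projected",
                           "secret"}


def all_containers(pod: Dict) -> List[Dict]:
    spec = pod.get("spec", {})
    return (spec.get("initContainers", []) + spec.get("containers", [])
            + spec.get("ephemeralContainers", []))


def baseline_violations(pod: Dict) -> List[str]:
    """Baseline: block the well-known host-escape surfaces."""
    problems = []
    spec = pod.get("spec", {})
    for key in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(key):
            problems.append(f"spec.{key} must be false")
    for vol in spec.get("volumes", []):
        if "hostPath" in vol:
            problems.append(f"volume {vol.get('name')} uses hostPath")
    for c in all_containers(pod):
        if c.get("securityContext", {}).get("privileged"):
            problems.append(f"container {c['name']} is privileged")
    return problems


def restricted_violations(pod: Dict) -> List[str]:
    """Restricted: baseline plus hardened defaults for every container."""
    problems = baseline_violations(pod)
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext", {})
    for vol in spec.get("volumes", []):
        # hostPath was already reported by the baseline pass.
        bad = set(vol) - {"name"} - RESTRICTED_VOLUME_TYPES - {"hostPath"}
        if bad:
            problems.append(f"volume {vol.get('name')} uses disallowed type {sorted(bad)}")
    for c in all_containers(pod):
        name, sc = c["name"], c.get("securityContext", {})
        caps = sc.get("capabilities", {})
        if sc.get("allowPrivilegeEscalation") is not False:
            problems.append(f"container {name}: allowPrivilegeEscalation must be false")
        if "ALL" not in caps.get("drop", []):
            problems.append(f"container {name}: capabilities.drop must include ALL")
        extra = set(caps.get("add", [])) - {"NET_BIND_SERVICE"}
        if extra:
            problems.append(f"container {name}: disallowed capabilities {sorted(extra)}")
        # Container-level settings override the pod-level ones.
        if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
            problems.append(f"container {name}: runAsNonRoot must be true")
        seccomp = sc.get("seccompProfile", pod_sc.get("seccompProfile", {})).get("type")
        if seccomp not in ("RuntimeDefault", "Localhost"):
            problems.append(f"container {name}: seccompProfile must be RuntimeDefault or Localhost")
    return problems


def admit(pod: Dict, namespace_labels: Dict[str, str]) -> Tuple[bool, List[str]]:
    """Decide like the admission controller: the namespace label picks the
    profile; an unlabelled namespace enforces 'privileged' (everything goes)."""
    level = namespace_labels.get(ENFORCE_LABEL, "privileged")
    if level == "privileged":
        return True, []
    check = baseline_violations if level == "baseline" else restricted_violations
    problems = check(pod)
    return not problems, problems


# Constructed manifests (Python dicts in the shape of the YAML).
COMPLIANT_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "api", "namespace": "payments"},
    "spec": {
        "securityContext": {"runAsNonRoot": True,
                            "seccompProfile": {"type": "RuntimeDefault"}},
        "containers": [{
            "name": "api", "image": "registry.example.internal/api:1.4.2",
            "securityContext": {"allowPrivilegeEscalation": False,
                                "capabilities": {"drop": ["ALL"]}},
        }],
        "volumes": [{"name": "tmp", "emptyDir": {}}],
    },
}
RISKY_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "debug", "namespace": "payments"},
    "spec": {
        "hostPID": True,
        "containers": [{"name": "shell", "image": "registry.example.internal/tools:latest",
                        "securityContext": {"privileged": True}}],
        "volumes": [{"name": "root", "hostPath": {"path": "/"}}],
    },
}

if __name__ == "__main__":
    labels = {ENFORCE_LABEL: "restricted"}
    for pod in (COMPLIANT_POD, RISKY_POD):
        ok, problems = admit(pod, labels)
        print(pod["metadata"]["name"], "admitted" if ok else "rejected")
        for p in problems:
            print("  -", p)
```

The point the model makes visible is the one the bullet states: the policy is attached to the namespace, not to the pod, so the same risky manifest is silently admitted in an unlabelled namespace and rejected with seven distinct findings once the namespace enforces `restricted`.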
Pay attention to your secrets
Not-so-good defaults:
- Stored in base64 (basically plaintext) within Kubernetes etcd
- Lack of automated rotation mechanisms, increasing the risk of credential misuse or compromise over time
- Insufficient access controls and auditing
- Difficulty in managing secrets at scale, especially in distributed and complex environments
What you really want: A secret manager!
- Management of all secrets (tokens, certificates, passwords) through a dedicated solution.
- Secrets stored at rest using strong symmetric cryptography.
- Granular access controls, allowing only authorized users or services to access specific secrets.
- Native integration with CI/CD pipelines and deployment workflows to securely provision and manage secrets throughout the application lifecycle.
- Automated rotation, rollback, versioning and expiration policies to regularly update secrets and mitigate the risk of long-term exposure.
- Integration with external identity providers and authentication mechanisms for enhanced security and identity management.
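"Insufficient access controls" on secrets is something you can measure on a cluster today, because a Kubernetes Secret is readable by whoever RBAC lets `get` it. As an added example, not code from the talk or from SIGHUP, the script below implements the "who can do what in which namespace" question from the RBAC bullet earlier and points it at Secrets: it evaluates Role/ClusterRole objects and their bindings with the documented semantics (a RoleBinding grants within its namespace and may reference a Role there or a ClusterRole; a ClusterRoleBinding grants a ClusterRole in every namespace; `*` is a wildcard) and lists the subjects that can read Secrets in a given namespace. All RBAC objects, role names, subjects and namespaces are constructed placeholders in manifest shape.

```python
"""Added example: evaluate RBAC objects to list which subjects can perform a
verb on a resource in a namespace (here: who can read Secrets).

Not the talk's or SIGHUP's code. All RBAC objects below are constructed
placeholders in Kubernetes manifest shape; the evaluation follows the
documented binding semantics: a RoleBinding grants within its namespace
(referencing a Role there or a ClusterRole), a ClusterRoleBinding grants a
ClusterRole in every namespace, and '*' is a wildcard."""
from typing import Dict, List, Optional, Set

ROLES: List[Dict] = [
    {"kind": "Role", "metadata": {"name": "secret-reader", "namespace": "payments"},
     "rules": [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "pod-viewer"},
     "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list", "watch"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "wide-open"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
]

BINDINGS: List[Dict] = [
    {"kind": "RoleBinding", "metadata": {"name": "api-secrets", "namespace": "payments"},
     "roleRef": {"kind": "Role", "name": "secret-reader"},
     "subjects": [{"kind": "ServiceAccount", "name": "api", "namespace": "payments"}]},
    {"kind": "RoleBinding", "metadata": {"name": "viewers", "namespace": "payments"},
     "roleRef": {"kind": "ClusterRole", "name": "pod-viewer"},
     "subjects": [{"kind": "User", "name": "alice"}]},
    # Dangling reference: no Role named secret-reader exists in staging.
    {"kind": "RoleBinding", "metadata": {"name": "api-secrets", "namespace": "staging"},
     "roleRef": {"kind": "Role", "name": "secret-reader"},
     "subjects": [{"kind": "User", "name": "bob"}]},
    # A cluster-wide wildcard grant: secrets readable from every namespace.
    {"kind": "ClusterRoleBinding", "metadata": {"name": "ops-everything"},
     "roleRef": {"kind": "ClusterRole", "name": "wide-open"},
     "subjects": [{"kind": "Group", "name": "ops-admins"}]},
]


def rule_matches(rule: Dict, api_group: str, resource: str, verb: str) -> bool:
    def hit(values: List[str], wanted: str) -> bool:
        return "*" in values or wanted in values
    return (hit(rule.get("apiGroups", []), api_group)
            and hit(rule.get("resources", []), resource)
            and hit(rule.get("verbs", []), verb))


def find_role(roles, kind: str, name: str, namespace: Optional[str]) -> Optional[Dict]:
    """A Role must live in the binding's namespace; a ClusterRole is global."""
    for role in roles:
        if role["kind"] != kind or role["metadata"]["name"] != name:
            continue
        if kind == "ClusterRole" or role["metadata"].get("namespace") == namespace:
            return role
    return None


def subject_id(subject: Dict) -> str:
    ns = subject.get("namespace")
    return f"{subject['kind']}:{ns + '/' if ns else ''}{subject['name']}"


def who_can(roles, bindings, namespace: str, verb: str, resource: str,
            api_group: str = "") -> Set[str]:
    """Subjects allowed to `verb` `resource` in `namespace`."""
    allowed: Set[str] = set()
    for b in bindings:
        ref = b["roleRef"]
        if b["kind"] == "RoleBinding":
            if b["metadata"]["namespace"] != namespace:
                continue
            role = find_role(roles, ref["kind"], ref["name"], namespace)
        else:
            role = find_role(roles, "ClusterRole", ref["name"], None)
        if role is None:
            continue   # a dangling roleRef grants nothing
        if any(rule_matches(r, api_group, resource, verb) for r in role.get("rules", [])):
            allowed.update(subject_id(s) for s in b.get("subjects", []))
    return allowed


def wildcard_roles(roles) -> List[str]:
    """Roles granting '*' on both resources and verbs: review these first."""
    return [r["metadata"]["name"] for r in roles
            if any("*" in rule.get("resources", []) and "*" in rule.get("verbs", [])
                   for rule in r.get("rules", []))]


if __name__ == "__main__":
    for ns in ("payments", "staging"):
        print(f"can get secrets in {ns}:",
              sorted(who_can(ROLES, BINDINGS, ns, "get", "secrets")))
    print("wildcard roles to review:", wildcard_roles(ROLES))
```

Run against real objects (for instance the JSON output of `kubectl get roles,clusterroles,rolebindings,clusterrolebindings -A -o json`), this is the audit that tells you whether "granular access controls" actually hold: the wildcard ClusterRoleBinding here makes every Secret in every namespace readable by one group, which is the finding a secret manager with per-secret policies is meant to eliminate.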
In-cluster Security: Advanced Topics
Let’s dive into the key aspects of in-cluster security to highlight the main things we should pay attention to when hardening any Kubernetes-based infrastructure:
- Advanced runtime security
  - Secure container runtimes
  - Tools to monitor privilege escalation, storage and file exfiltration
  - Anomaly detection on Kubernetes audit logs, process syscalls, PID monitoring (to mention a few)
https://falco.org
https://katacontainers.io
- Advanced dynamic secrets management
Secrets are a first-class citizen in Kubernetes and, while whether you should use Kubernetes Secrets or not is not within the scope of this presentation, running secured workloads in production requires you to integrate your cluster secrets management with external ad-hoc advanced tools.
https://www.conjur.org
https://secrets-store-csi-driver.sigs.k8s.io
- Policy controllers and admission webhooks
Kubernetes policies can become a super powerful tool to enforce security and compliance checks, with several comprehensive ecosystems. Relevant projects for this:
https://github.com/open-policy-agent/gatekeeper
https://github.com/sighupio/gatekeeper-policy-manager
https://kyverno.io
https://otterize.com
- Securing north-south / east-west network traffic
This can be achieved in different ways or with different sets of technologies, ranging from traditional service meshes to newer eBPF-based CNIs.
- IAM and identities
Both user identities and workload identities are crucial in ensuring correct validation of workloads. SPIFFE and SPIRE to the rescue.
https://spiffe.io
- Workload isolation, multi-tenancy and cluster isolation
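The "anomaly detection on Kubernetes audit logs" item above is concrete enough to show in code. What follows is an added example, not code from the talk, from SIGHUP or from Falco: a plain Python pass over API-server audit events (JSON lines in the `audit.k8s.io/v1` Event shape) with four detection rules that a runtime security team typically starts from: a human principal reading a Secret, a denied attempt to read Secrets, an `exec`/`attach` into a pod, and a write to RBAC objects. The five events, their usernames, namespaces and object names are constructed; the "humans don't start with `system:`" heuristic is a simplification of how Kubernetes names service accounts.

```python
"""Added example: detection rules over Kubernetes API-server audit events.

Not the talk's or SIGHUP's code, and not Falco rules: a plain Python pass
over JSON-lines audit events in the audit.k8s.io/v1 Event shape. The five
events below are constructed; usernames, namespaces and names are
placeholders."""
import json
from typing import Callable, Dict, List, Tuple

READ_VERBS = {"get", "list", "watch"}
RBAC_RESOURCES = {"roles", "rolebindings", "clusterroles", "clusterrolebindings"}


def _event(audit_id: str, verb: str, user: str, ref: Dict, code: int) -> Dict:
    """Build a trimmed audit Event; real events carry many more fields."""
    return {"kind": "Event", "apiVersion": "audit.k8s.io/v1", "auditID": audit_id,
            "stage": "ResponseComplete", "verb": verb, "user": {"username": user},
            "objectRef": ref, "responseStatus": {"code": code}}


# Constructed audit log: one benign controller read, then four events a
# defender wants to see.
AUDIT_LOG = "\n".join(json.dumps(e) for e in [
    _event("a1", "get", "system:serviceaccount:kube-system:replicaset-controller",
           {"resource": "replicasets", "namespace": "payments"}, 200),
    _event("a2", "get", "alice",
           {"resource": "secrets", "namespace": "payments", "name": "db-credentials"}, 200),
    _event("a3", "create", "alice",
           {"resource": "pods", "subresource": "exec", "namespace": "payments",
            "name": "api-7d9f"}, 101),
    _event("a4", "create", "system:serviceaccount:ci:deployer",
           {"resource": "clusterrolebindings", "name": "ci-admin"}, 201),
    _event("a5", "list", "system:serviceaccount:payments:api",
           {"resource": "secrets", "namespace": "kube-system"}, 403),
])


def rule_secret_read(e: Dict) -> bool:
    """A non-system principal successfully read Secret data."""
    ref = e.get("objectRef", {})
    succeeded = 200 <= e.get("responseStatus", {}).get("code", 0) < 300
    human = not e["user"]["username"].startswith("system:")
    return ref.get("resource") == "secrets" and e["verb"] in READ_VERBS and succeeded and human


def rule_denied_secret_access(e: Dict) -> bool:
    """Someone asked for Secrets and RBAC said no: worth a look either way."""
    return (e.get("objectRef", {}).get("resource") == "secrets"
            and e.get("responseStatus", {}).get("code") == 403)


def rule_pod_exec(e: Dict) -> bool:
    """Interactive access to a running container (pods/exec or pods/attach)."""
    ref = e.get("objectRef", {})
    return ref.get("resource") == "pods" and ref.get("subresource") in ("exec", "attach")


def rule_rbac_change(e: Dict) -> bool:
    """Any write to the permission model itself."""
    return (e.get("objectRef", {}).get("resource") in RBAC_RESOURCES
            and e["verb"] in ("create", "update", "patch", "delete"))


RULES: List[Tuple[str, str, Callable[[Dict], bool]]] = [
    ("secret-read", "MEDIUM", rule_secret_read),
    ("denied-secret-access", "HIGH", rule_denied_secret_access),
    ("pod-exec", "HIGH", rule_pod_exec),
    ("rbac-change", "HIGH", rule_rbac_change),
]


def parse_events(log: str) -> List[Dict]:
    return [json.loads(line) for line in log.splitlines() if line.strip()]


def detect(log: str) -> List[Dict]:
    alerts = []
    for e in parse_events(log):
        if e.get("stage") != "ResponseComplete":
            continue   # one alert per request, not one per audit stage
        for name, severity, predicate in RULES:
            if predicate(e):
                ref = e.get("objectRef", {})
                alerts.append({"rule": name, "severity": severity, "auditID": e["auditID"],
                               "user": e["user"]["username"],
                               "target": f"{ref.get('namespace', '<cluster>')}/"
                                         f"{ref.get('resource')}/{ref.get('name', '*')}"})
    return alerts


def by_user(alerts: List[Dict]) -> Dict[str, int]:
    """Alert count per principal: the first pivot an analyst wants."""
    counts: Dict[str, int] = {}
    for a in alerts:
        counts[a["user"]] = counts.get(a["user"], 0) + 1
    return counts


if __name__ == "__main__":
    for a in detect(AUDIT_LOG):
        print(f"{a['severity']:<7} {a['rule']:<21} {a['user']:<45} {a['target']}")
```

The `stage` filter matters in practice: the API server can emit several events per request (RequestReceived, ResponseComplete, Panic), so a detector that does not pin one stage double-counts everything; the per-user pivot is what turns four alerts into the observation that one principal both read a database credential and opened a shell in the pod that uses it.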
The case for multi-tenancy, workloads and cluster isolation
- Soft multi-tenancy
- Virtualized control planes
- Dedicated clusters (managed or self-hosted)
Credits to pineapple pizza on unsplash
- Kubernetes is NOT multi-tenant
- You must/can implement soft multi-tenancy using native k8s primitives
PRO
- Can be a great choice for partitioning clusters on teams and tenants
- Can be leveraged within both self-hosted and managed Kubernetes
- Great for platform engineering
CONS
- You can still (and likely will) be bitten by noisy neighbours in weird ways
- From a security standpoint, there’s no workload isolation beyond the logical isolation implemented with policies, RBAC and namespaces
- Not particularly recommended for mission critical environments
https://github.com/clastix/capsule
The case for multi-tenancy, workloads and cluster isolation
- Multi-tenancy
- Virtualized control planes
- Dedicated clusters (managed or self-hosted)
Meta-clusters of control planes, leveraging CAPI or virtual kubelets to automate cluster creation
PRO
- It’s a really cool concept
- It leverages open standards with profuse efforts from the community
- It ensures workload isolation and a high degree of automation on multi-cluster management
- Stands on the shoulders of giants
CONS
- I feel like adoption is still in its infancy
- Not battle-tested
- Does not guarantee full cluster isolation
Promising technology, under heavy development and hence not recommended if you MUST ensure full cluster isolation in regulated environments.
If you want to play around:
- vcluster by Loft
- Kamaji by Clastix
The case for multi-tenancy, workloads and cluster isolation
- Multi-tenancy
- Virtualized control planes
- Dedicated clusters (managed or self-hosted)
Fully dedicated clusters (self-hosted or managed) are the only solution, to date, that I feel like recommending if you need full isolation for workloads and infrastructure.
PRO
- Full isolation
- Full compliance and strong security can be applied
- Full configurability and customization of the solution
CONS
- You need operators who know what they are doing
- High operational burden
- You can automate, but only to a certain extent
This is where we (SIGHUP) shine, let me promote a bit our own KFD and furyctl:
https://docs.kubernetesfury.com/docs/quickstart/quickstart
Infrastructure Security
Infra hardening & Cloud configurations
Key recommendations:
- Private control planes
- Ensure as much OS immutability as possible
- Verify signatures on Kubernetes executables
- Make sure that your network configurations allow for data encryption for both traffic and storage consumption
- If you are on cloud, managed services and integrations might be a good idea
Don’t know where to start? Here is a practical IaC example with sane configurations:
https://github.com/sighupio/fury-eks-installer
The ugly duckling of Cloud Native Security
Pillar 8 - Compliance & Regulation
There are currently no standardised solutions enabling human operators to monitor and validate cluster resource state and violations, and to ensure compliance.
We have therefore been developing over the past few months Permission Monitor, soon available with KFD or standalone on any CNCF-compliant distro. If you are interested, ping me to test it out.
Conclusions
It’s a wrap
What we have learnt:
- We have shared with you our core set of guiding pillars and principles when it comes to securing Kubernetes-based infrastructures.
- You now know what matters and what to focus on as a starting learning point.
- You have an actionable list of items, projects, or sets of technologies to get started with, for each core pillar we have explored.
- I’m aware that this is just scratching the surface; let’s grab a beer (or spritz) & talk 🍻
PS: It’s a 💩ton of work, I know. Imagine, we do all this stuff for a living..
@jnardiello
https://sighup.io

VIP Call Girls Service Kondapur Hyderabad Call +91-8250192130VIP Call Girls Service Kondapur Hyderabad Call +91-8250192130
VIP Call Girls Service Kondapur Hyderabad Call +91-8250192130Suhani Kapoor
 
Introduction to IEEE STANDARDS and its different types.pptx
Introduction to IEEE STANDARDS and its different types.pptxIntroduction to IEEE STANDARDS and its different types.pptx
Introduction to IEEE STANDARDS and its different types.pptxupamatechverse
 
Introduction and different types of Ethernet.pptx
Introduction and different types of Ethernet.pptxIntroduction and different types of Ethernet.pptx
Introduction and different types of Ethernet.pptxupamatechverse
 
Call for Papers - Educational Administration: Theory and Practice, E-ISSN: 21...
Call for Papers - Educational Administration: Theory and Practice, E-ISSN: 21...Call for Papers - Educational Administration: Theory and Practice, E-ISSN: 21...
Call for Papers - Educational Administration: Theory and Practice, E-ISSN: 21...Christo Ananth
 
OSVC_Meta-Data based Simulation Automation to overcome Verification Challenge...
OSVC_Meta-Data based Simulation Automation to overcome Verification Challenge...OSVC_Meta-Data based Simulation Automation to overcome Verification Challenge...
OSVC_Meta-Data based Simulation Automation to overcome Verification Challenge...Soham Mondal
 

Recently uploaded (20)

College Call Girls Nashik Nehal 7001305949 Independent Escort Service Nashik
College Call Girls Nashik Nehal 7001305949 Independent Escort Service NashikCollege Call Girls Nashik Nehal 7001305949 Independent Escort Service Nashik
College Call Girls Nashik Nehal 7001305949 Independent Escort Service Nashik
 
(SHREYA) Chakan Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Esc...
(SHREYA) Chakan Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Esc...(SHREYA) Chakan Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Esc...
(SHREYA) Chakan Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Esc...
 
DJARUM4D - SLOT GACOR ONLINE | SLOT DEMO ONLINE
DJARUM4D - SLOT GACOR ONLINE | SLOT DEMO ONLINEDJARUM4D - SLOT GACOR ONLINE | SLOT DEMO ONLINE
DJARUM4D - SLOT GACOR ONLINE | SLOT DEMO ONLINE
 
UNIT - IV - Air Compressors and its Performance
UNIT - IV - Air Compressors and its PerformanceUNIT - IV - Air Compressors and its Performance
UNIT - IV - Air Compressors and its Performance
 
The Most Attractive Pune Call Girls Budhwar Peth 8250192130 Will You Miss Thi...
The Most Attractive Pune Call Girls Budhwar Peth 8250192130 Will You Miss Thi...The Most Attractive Pune Call Girls Budhwar Peth 8250192130 Will You Miss Thi...
The Most Attractive Pune Call Girls Budhwar Peth 8250192130 Will You Miss Thi...
 
Coefficient of Thermal Expansion and their Importance.pptx
Coefficient of Thermal Expansion and their Importance.pptxCoefficient of Thermal Expansion and their Importance.pptx
Coefficient of Thermal Expansion and their Importance.pptx
 
Call Girls in Nagpur Suman Call 7001035870 Meet With Nagpur Escorts
Call Girls in Nagpur Suman Call 7001035870 Meet With Nagpur EscortsCall Girls in Nagpur Suman Call 7001035870 Meet With Nagpur Escorts
Call Girls in Nagpur Suman Call 7001035870 Meet With Nagpur Escorts
 
KubeKraft presentation @CloudNativeHooghly
KubeKraft presentation @CloudNativeHooghlyKubeKraft presentation @CloudNativeHooghly
KubeKraft presentation @CloudNativeHooghly
 
High Profile Call Girls Nagpur Meera Call 7001035870 Meet With Nagpur Escorts
High Profile Call Girls Nagpur Meera Call 7001035870 Meet With Nagpur EscortsHigh Profile Call Girls Nagpur Meera Call 7001035870 Meet With Nagpur Escorts
High Profile Call Girls Nagpur Meera Call 7001035870 Meet With Nagpur Escorts
 
result management system report for college project
result management system report for college projectresult management system report for college project
result management system report for college project
 
VIP Call Girls Service Hitech City Hyderabad Call +91-8250192130
VIP Call Girls Service Hitech City Hyderabad Call +91-8250192130VIP Call Girls Service Hitech City Hyderabad Call +91-8250192130
VIP Call Girls Service Hitech City Hyderabad Call +91-8250192130
 
Call for Papers - African Journal of Biological Sciences, E-ISSN: 2663-2187, ...
Call for Papers - African Journal of Biological Sciences, E-ISSN: 2663-2187, ...Call for Papers - African Journal of Biological Sciences, E-ISSN: 2663-2187, ...
Call for Papers - African Journal of Biological Sciences, E-ISSN: 2663-2187, ...
 
Processing & Properties of Floor and Wall Tiles.pptx
Processing & Properties of Floor and Wall Tiles.pptxProcessing & Properties of Floor and Wall Tiles.pptx
Processing & Properties of Floor and Wall Tiles.pptx
 
VIP Call Girls Service Kondapur Hyderabad Call +91-8250192130
VIP Call Girls Service Kondapur Hyderabad Call +91-8250192130VIP Call Girls Service Kondapur Hyderabad Call +91-8250192130
VIP Call Girls Service Kondapur Hyderabad Call +91-8250192130
 
Introduction to IEEE STANDARDS and its different types.pptx
Introduction to IEEE STANDARDS and its different types.pptxIntroduction to IEEE STANDARDS and its different types.pptx
Introduction to IEEE STANDARDS and its different types.pptx
 
Introduction and different types of Ethernet.pptx
Introduction and different types of Ethernet.pptxIntroduction and different types of Ethernet.pptx
Introduction and different types of Ethernet.pptx
 
Call for Papers - Educational Administration: Theory and Practice, E-ISSN: 21...
Call for Papers - Educational Administration: Theory and Practice, E-ISSN: 21...Call for Papers - Educational Administration: Theory and Practice, E-ISSN: 21...
Call for Papers - Educational Administration: Theory and Practice, E-ISSN: 21...
 
OSVC_Meta-Data based Simulation Automation to overcome Verification Challenge...
OSVC_Meta-Data based Simulation Automation to overcome Verification Challenge...OSVC_Meta-Data based Simulation Automation to overcome Verification Challenge...
OSVC_Meta-Data based Simulation Automation to overcome Verification Challenge...
 
Roadmap to Membership of RICS - Pathways and Routes
Roadmap to Membership of RICS - Pathways and RoutesRoadmap to Membership of RICS - Pathways and Routes
Roadmap to Membership of RICS - Pathways and Routes
 
★ CALL US 9953330565 ( HOT Young Call Girls In Badarpur delhi NCR
★ CALL US 9953330565 ( HOT Young Call Girls In Badarpur delhi NCR★ CALL US 9953330565 ( HOT Young Call Girls In Badarpur delhi NCR
★ CALL US 9953330565 ( HOT Young Call Girls In Badarpur delhi NCR
 

The Art of Cloud Native Defense on Kubernetes

8. The state of Cloud Native
- The great orchestration war (2016 a.c.)
- Kubernetes as a new standard and the rise of a new foundation: CNCF (2017 a.c.)
- CNCF landscape and a new ecosystem of emerging standards (2018-2019 a.c.)
- The mighty landscape consolidation (2019-2021 a.c.)
This brings us to today…

9. The state of Cloud Native
2022/2023, the year of Platforms - IDPs
- A natural evolution of all the things we called devops for the past 10y
- Fueled by remote work, supposedly leaner processes and digital accelerationism demanded by management
- Kubernetes-as-a-silver-bullet for digital transformation (whatever that means)
The good news: we are in prod! The bad news: we are in prod.
Kubernetes is reaching maturity. Question is..
11. Kubernetes is reaching maturity
But there’s one thing that didn’t change… WHAT NOW?
Credits: someone on linkedin

12. Sidenote: 💩 is hitting the fan
- The world is heading to war 😔
- New regulatory push
We (the infra people) can’t ignore security anymore as a key component of the architectures we deliver and maintain.

13. 2024: Chaos is now expanding to Security teams
Standard security practices:
- Threat modeling
- Red/Blue/Purple/Whatever teams
- Threat analysis and response
Welcome to hell:
- Ephemeral elastic workloads
- API-driven architectures
- New paradigms that didn’t exist before (IaC, PaC, Operators & CRDs)
- Microservice architectures pushed to the extreme
These new challenges drift significantly from the standard skill set of traditional security teams.

14. What is Cloud Native Security?
16. A Definition
Key Ideas:
- Incorporate security practices into the SDLC
- Security as a FOUNDATIONAL component
- Beyond securing cloud infrastructure

17. Identifying Key Macro Groups
There are 3 macro areas to cover when it comes to Kubernetes Security:
- Artefacts and dependencies management
  How to track your dependencies (both application and system) and vulnerabilities. How to patch them and reduce the probability of shipping compromised software.
- SDLC & pipelines
  How to engineer your CI/CD pipelines so that they respect both your business and regulatory requirements, while reducing the probability of shipping compromised software to production.
- Security of Kubernetes workloads at runtime
  Secure your productive and non-productive environments at runtime.
Each macro area has its own unique set of challenges and solutions.
Supply Chain

18. Pillars of Cloud Native Security

19. A description of the Golden Pillars of Cloud Native Security
Follow the value chain.
While we won’t deep dive on each pillar, we will focus on the key aspects and provide a checklist of important stuff you need to address.
20. Artefacts & Dependencies Management
Investigating Pillars 1 and 2
By definition your docker images isolate all the dependencies into a single, standardized artefact. There are three sets of dependencies you must be aware of:
- Your application dependencies (software)
- Your system dependencies
- The dependencies you don’t know you have, embedded into your base images
Key critical facts to handle the security around your artefacts and dependencies:
- Ensure you have your SBOM (Software Bill of Materials)
  Correctly track all your application and system container dependencies.
- Use secure base images and invest in your own
  Ensure that your standard base image catalog meets your security requirements (community images might not be enough).
  https://github.com/wolfi-dev
  https://sighup.io/secure-containers/
  https://www.chainguard.dev/chainguard-images
- Sign your images
  Use technologies like cosign, notary, or more recently openpubkey to sign your own artefacts and prevent tampering by malicious actors.

21. Safe builds & pipelines
Pillar 3
Secure pipelines have been for a long time the holy grail of anything devops/devsecops/secdevops/whateverops. At @SIGHUP we have our own reference architecture (pictured left) and implementation, vendor and technology agnostic.
The key universal role of CI/CD pipelines is one of gatekeeping and ensuring quality and regulatory compliance.
Key Architectural aspects:
- Vulnerability checks on both your code and dependencies
  https://trivy.dev
- Artifacts build and signing (see Pillars 1 & 2)
- Push to safe, certified registries
- Linting, validation and other quality gatekeeping
- Policy enforcing; our tools of choice for this are OPA and Kyverno, while having a look at otterize as a new point-of-view on policy management in Kubernetes
  https://www.openpolicyagent.org
  https://kyverno.io
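As an added example for slides 20 and 21 (this is not code from the talk, from SIGHUP, or from any of the tools linked above), here is the gatekeeping decision a pipeline makes once the SBOM and the vulnerability scan are in hand: is the base image pinned by digest and pulled from an approved catalog, does the SBOM actually cover what the scanner saw, and is every HIGH/CRITICAL finding either fixed or covered by a risk acceptance that has not expired? The registry names, the `VULN-EXAMPLE-*` ids, the dates and the SBOM/report shapes are all constructed for this example and do not follow the output format of syft, Trivy or any real scanner.

```python
"""CI gate for container artefacts: digest pinning, approved base registries,
SBOM coverage and vulnerability severity thresholds.

Added example, not code from the talk or SIGHUP. The SBOM and the scanner
report below are constructed, simplified shapes, not the real output format
of syft, Trivy or any other tool.
"""
import re
from datetime import date

# Base-image registries we trust (assumption of this example).
APPROVED_REGISTRIES = ("registry.internal.example/base/", "cgr.dev/chainguard/")
# Severities that block a release unless an unexpired exception covers them.
BLOCKING_SEVERITIES = {"CRITICAL", "HIGH"}
DIGEST_RE = re.compile(r"^[^@\s]+@sha256:[0-9a-f]{64}$")


def is_digest_pinned(image_ref: str) -> bool:
    """A digest reference is immutable; a tag can be re-pointed after review."""
    return bool(DIGEST_RE.match(image_ref))


def is_approved_base(image_ref: str) -> bool:
    return image_ref.startswith(APPROVED_REGISTRIES)


def blocking_findings(report: dict, exceptions: dict, today: date) -> list:
    """Findings that must block the build.

    `exceptions` maps a vulnerability id to an ISO expiry date: an accepted
    risk that has lapsed is enforced again instead of being silently ignored."""
    blocked = []
    for finding in report["vulnerabilities"]:
        if finding["severity"] not in BLOCKING_SEVERITIES:
            continue
        expiry = exceptions.get(finding["id"])
        if expiry and date.fromisoformat(expiry) >= today:
            continue
        blocked.append(finding)
    return blocked


def packages_missing_from_sbom(sbom: dict, report: dict) -> list:
    """Packages the scanner saw that the SBOM does not list: the SBOM was
    produced from the wrong layer or is stale, so it cannot be trusted."""
    known = {(c["name"], c["version"]) for c in sbom["components"]}
    seen = {(f["pkg"], f["version"]) for f in report["vulnerabilities"]}
    return sorted(seen - known)


def gate(artefact: dict, sbom: dict, report: dict, exceptions: dict, today: date) -> dict:
    """Collect every reason to stop the pipeline; pass only when there are none."""
    reasons = []
    if not is_digest_pinned(artefact["base_image"]):
        reasons.append("base image not pinned by digest")
    if not is_approved_base(artefact["base_image"]):
        reasons.append("base image not from an approved registry")
    missing = packages_missing_from_sbom(sbom, report)
    if missing:
        reasons.append(f"SBOM missing {len(missing)} scanned package(s)")
    blocked = blocking_findings(report, exceptions, today)
    if blocked:
        reasons.append("blocking vulnerabilities: " + ", ".join(f["id"] for f in blocked))
    return {"passed": not reasons, "reasons": reasons}


# Constructed sample inputs (no real image, package or vulnerability data).
ARTEFACT = {"image": "registry.internal.example/app/api:1.4.2",
            "base_image": "cgr.dev/chainguard/python@sha256:" + "a" * 64}
SBOM = {"components": [{"name": "python", "version": "3.12.3"},
                       {"name": "requests", "version": "2.31.0"},
                       {"name": "openssl", "version": "3.3.0"}]}
REPORT = {"vulnerabilities": [
    {"id": "VULN-EXAMPLE-0001", "pkg": "requests", "version": "2.31.0", "severity": "HIGH"},
    {"id": "VULN-EXAMPLE-0002", "pkg": "openssl", "version": "3.3.0", "severity": "CRITICAL"},
    {"id": "VULN-EXAMPLE-0003", "pkg": "openssl", "version": "3.3.0", "severity": "LOW"},
]}
# Risk acceptances with expiry: 0001 is still accepted, 0002 has lapsed.
EXCEPTIONS = {"VULN-EXAMPLE-0001": "2099-01-01", "VULN-EXAMPLE-0002": "2020-01-01"}

if __name__ == "__main__":
    print(gate(ARTEFACT, SBOM, REPORT, EXCEPTIONS, date(2024, 6, 1)))
```

The expiry on each exception is the part worth copying: a pipeline that only allowlists ids accumulates permanent exceptions, while one that dates them forces the accepted risk to be re-reviewed. Signing (cosign, notary) would sit right after this gate passes, so that only artefacts that cleared it carry a signature.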
22. In-cluster Security
Pillars 5-7, starting from the basics
Basic security in Kubernetes can be achieved using the native components present in any conformant Kubernetes cluster; more specifically, you must put great effort into correctly using the following primitives:
- RBAC
  Set of permissions on Kubernetes objects about “who can do what” in which namespace.
- A CNI plugin that introduces support for Network Policies
  Regulating in-cluster network interactions and packet flow.
- Namespaces and quotas
  Namespaces introduce segmentation in your cluster, providing base configurations, quotas and RBAC access to resources.
- Pod Security Standards & Admission
  These define isolation policies for pods running in your cluster at namespace level.
- Ingress tuning and exposure
  Ingresses are meant to expose your service to the outside world. Depending on which ingress-controller you are working with, you can enforce rules, validation and much more on incoming requests.
- ETCD data encryption and backups (self-managed Kubernetes only)
  As ETCD holds the state of your cluster, it is mandatory to make sure data is encrypted whenever stored.
RTFM: https://kubernetes.io/docs/concepts/security/
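To make the checklist above concrete, here is an added example (not code from the talk, from SIGHUP or from the Kubernetes project) that audits those primitives the way a small in-house compliance check would: every namespace must carry a Pod Security Admission enforce label stronger than `privileged` and a default-deny NetworkPolicy for both ingress and egress, Roles must not grant wildcard verbs or resources, pods must not be privileged or share host namespaces, and (picking up the rotation point from the secrets slides that follow) Secrets older than a threshold are flagged. The objects are constructed in the JSON shape that `kubectl get <kind> -o json` returns; the namespace, object names, timestamps and the 90-day threshold are assumptions of the example.

```python
"""Audit of native Kubernetes primitives: PSA labels on namespaces,
default-deny NetworkPolicies, wildcard RBAC, privileged pods, stale Secrets.

Added example, not code from the talk or SIGHUP. The objects below are
constructed in the JSON shape `kubectl get <kind> -o json` returns.
"""
from datetime import datetime, timedelta, timezone

PSA_ENFORCE_LABEL = "pod-security.kubernetes.io/enforce"
MAX_SECRET_AGE = timedelta(days=90)  # rotation threshold, an assumption here


def default_deny_types(policy: dict) -> set:
    """Traffic types this policy denies for every pod in its namespace.

    An empty podSelector selects all pods; a listed policyType with no rules
    of that type means "deny unless another policy allows it"."""
    spec = policy.get("spec", {})
    selector = spec.get("podSelector") or {}
    if selector.get("matchLabels") or selector.get("matchExpressions"):
        return set()  # scoped to some pods, so not a namespace-wide default
    # Kubernetes defaults policyTypes to Ingress when the field is omitted.
    types = set(spec.get("policyTypes") or ["Ingress"])
    return {t for t in types if not spec.get(t.lower())}


def audit(objects: list, now: datetime) -> dict:
    """Map namespace name -> findings; namespaces with none are absent."""
    findings = {}

    def add(ns, message):
        findings.setdefault(ns, []).append(message)

    for namespace in (o for o in objects if o["kind"] == "Namespace"):
        name = namespace["metadata"]["name"]
        level = namespace["metadata"].get("labels", {}).get(PSA_ENFORCE_LABEL)
        if level in (None, "privileged"):
            add(name, "Pod Security Admission not enforcing baseline/restricted")
        denied = set()
        for pol in objects:
            if pol["kind"] == "NetworkPolicy" and pol["metadata"]["namespace"] == name:
                denied |= default_deny_types(pol)
        for traffic in ("Ingress", "Egress"):
            if traffic not in denied:
                add(name, f"no default-deny NetworkPolicy for {traffic}")

    for obj in objects:
        kind, meta = obj["kind"], obj["metadata"]
        ns, name = meta.get("namespace"), meta["name"]
        if kind == "Role":
            for rule in obj.get("rules", []):
                if "*" in rule.get("verbs", []) or "*" in rule.get("resources", []):
                    add(ns, f"Role {name} grants wildcard verbs/resources")
        elif kind == "Pod":
            spec = obj["spec"]
            if spec.get("hostPID") or spec.get("hostNetwork"):
                add(ns, f"Pod {name} shares host PID/network namespace")
            for c in spec.get("containers", []):
                if c.get("securityContext", {}).get("privileged"):
                    add(ns, f"Pod {name} container {c['name']} is privileged")
        elif kind == "Secret":
            created = datetime.fromisoformat(meta["creationTimestamp"].replace("Z", "+00:00"))
            if now - created > MAX_SECRET_AGE:
                add(ns, f"Secret {name} older than {MAX_SECRET_AGE.days} days without rotation")
    return findings


# Constructed sample objects: "payments" is hardened, "sandbox" is not.
OBJECTS = [
    {"kind": "Namespace", "metadata": {"name": "payments", "labels": {PSA_ENFORCE_LABEL: "restricted"}}},
    {"kind": "NetworkPolicy", "metadata": {"name": "default-deny", "namespace": "payments"},
     "spec": {"podSelector": {}, "policyTypes": ["Ingress", "Egress"]}},
    {"kind": "Role", "metadata": {"name": "reader", "namespace": "payments"},
     "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]}]},
    {"kind": "Namespace", "metadata": {"name": "sandbox", "labels": {}}},
    {"kind": "NetworkPolicy", "metadata": {"name": "allow-web", "namespace": "sandbox"},
     "spec": {"podSelector": {"matchLabels": {"app": "web"}}, "ingress": [{}]}},
    {"kind": "Role", "metadata": {"name": "admin-ish", "namespace": "sandbox"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"kind": "Pod", "metadata": {"name": "debug", "namespace": "sandbox"},
     "spec": {"hostPID": True, "containers": [{"name": "shell", "image": "busybox",
                                               "securityContext": {"privileged": True}}]}},
    {"kind": "Secret", "metadata": {"name": "db-creds", "namespace": "sandbox",
                                    "creationTimestamp": "2023-01-15T10:00:00Z"}, "type": "Opaque"},
]
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    for ns, items in audit(OBJECTS, NOW).items():
        print(ns, *items, sep="\n  ")
```

The NetworkPolicy check is the one people most often get wrong: a policy with a non-empty `podSelector` or with an allow-all rule (`ingress: [{}]`) is not a default deny, and a policy that omits `policyTypes` only covers ingress, so egress stays wide open. Running this against `kubectl get ns,netpol,role,pod,secret -A -o json` output is the natural next step; a policy engine such as Kyverno or Gatekeeper (linked above) is where these checks belong once they are stable.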
23. Pay attention to your secrets
Not-so-good defaults:
- Stored in base64 (basically plaintext) within Kubernetes etcd
- Lack of automated rotation mechanisms, increasing the risk of credential misuse or compromise over time
- Insufficient access controls and auditing
- Difficulty in managing secrets at scale, especially in distributed and complex environments

24. Pay attention to your secrets
What you really want: a secret manager!
- Management of all secrets (tokens, certificates, passwords) through a dedicated solution.
- Secrets stored at rest using strong symmetric cryptography.
- Granular access controls, allowing only authorized users or services to access specific secrets.
- Native integration with CI/CD pipelines and deployment workflows to securely provision and manage secrets throughout the application lifecycle.
- Automated rotation, rollback, versioning and expiration policies to regularly update secrets and mitigate the risk of long-term exposure.
- Integration with external identity providers and authentication mechanisms for enhanced security and identity management.
25. In-cluster Security: Advanced Topics
Let’s dive into the key aspects of in-cluster security to highlight the main things we should pay attention to when hardening any Kubernetes-based infrastructure:
- Advanced runtime security
  - Secure container runtimes
  - Tools to monitor privilege escalation, storage and file exfiltration
  - Anomaly detection on Kubernetes audit logs, process syscalls, PID monitoring (to mention a few)
  https://falco.org
  https://katacontainers.io
- Advanced dynamic secrets management
  Secrets are a first-class citizen in Kubernetes and, while it’s not within the scope of this presentation whether you should use Kubernetes Secrets or not, running secured workloads in production requires you to integrate your cluster secrets management with external ad-hoc advanced tools.
  https://www.conjur.org
  https://secrets-store-csi-driver.sigs.k8s.io
- Policy controllers and admission webhooks
  Kubernetes policies can become a super powerful tool to enforce security and compliance checks, with several comprehensive ecosystems. Relevant projects for this:
  https://github.com/open-policy-agent/gatekeeper
  https://github.com/sighupio/gatekeeper-policy-manager
  https://kyverno.io
  https://otterize.com
- Securing north-south / east-west network traffic
  This can be achieved in different ways or with different sets of technologies, ranging from traditional service meshes to newer eBPF-based CNIs.
- IAM and Identities
  Both user identities and workload identities are crucial in ensuring correct validation of workloads. SPIFFE and SPIRE to the rescue.
  https://spiffe.io
- Workload isolation, multi-tenancy and cluster isolation
26. The case for multi-tenancy, workloads and cluster isolation
- Soft multi-tenancy
- Virtualized control planes
- Dedicated clusters (managed or self-hosted)
Credits to pineapple pizza on unsplash

27. The case for multi-tenancy, workloads and cluster isolation: Soft multi-tenancy
- Kubernetes is NOT multi-tenant
- You must/can implement soft multi-tenancy using native k8s primitives
PRO
- Can be a great choice for partitioning clusters on teams and tenants
- Can be leveraged within both self-hosted and managed Kubernetes
- Great for platform engineering
CONS
- You can still (and likely will) be bitten by noisy neighbours in weird ways
- From a security standpoint, there’s no workload isolation beyond logical isolation implemented with policies, RBAC and namespaces
- Not particularly recommended for mission critical environments
https://github.com/clastix/capsule

28. The case for multi-tenancy, workloads and cluster isolation: Virtualized control planes
Meta-clusters of control planes, leveraging CAPI or virtual kubelets to automate cluster creation
PRO
- It’s a really cool concept
- It leverages open standards with profuse efforts from the community
- It ensures workload isolation and a high degree of automation on multi-cluster management
- Stands on the shoulders of giants
CONS
- I feel like adoption is still in its infancy
- Not battle-tested
- Does not guarantee full cluster isolation
Promising technology, under heavy development and hence not recommended if you MUST ensure full cluster isolation in regulated environments.
If you want to play around:
- vclusters by loft
- Kamaji by Clastix

29. The case for multi-tenancy, workloads and cluster isolation: Dedicated clusters
Fully dedicated clusters (self-hosted or managed) are the only solution, to date, that I feel like recommending if you need full isolation for workloads and infrastructure.
PRO
- Full isolation
- Full compliance and strong security can be applied
- Full configurability and customization of the solution
CONS
- You need operators knowing what they are doing
- High operational burden
- You can automate, to a certain extent
This is where we (SIGHUP) shine, let me promote a bit our own KFD and furyctl: https://docs.kubernetesfury.com/docs/quickstart/quickstart
30. Infrastructure Security: Infra hardening & Cloud configurations
Key recommendations:
- Private control planes
- Ensure as much OS immutability as possible
- Verify signatures on Kubernetes executables
- Make sure that your network configurations allow for data encryption for both traffic and storage consumption
- If you are on cloud, managed services and integrations might be a good idea
Don’t know where to start? Here is a practical IaC example with sane configurations: https://github.com/sighupio/fury-eks-installer

31. The ugly duckling of Cloud Native Security: Pillar 8 - Compliance & Regulation
There are currently no standardised solutions enabling human operators to monitor and validate cluster resource state and violations and to ensure compliance. We have therefore been developing over the past few months Permission Monitor, soon available with KFD or standalone on any CNCF-compliant distro. If you are interested, ping me to test it out.

33. It’s a wrap
What we have learnt:
- We have shared with you our core set of guiding pillars and principles when it comes to securing Kubernetes-based infrastructures.
- You now know what matters and what to focus on as a starting learning point.
- You have an actionable list of items, projects, or sets of technologies to get started with, for each core pillar we have explored.
- I’m aware that this is just scratching the surface, let’s grab a beer (or spritz) & talk 🍻

34. PS: It’s a 💩ton of work, I know. Imagine, we do all this stuff for a living..