
KubeCon EU 2022 – Trends & Highlights

Published by: Miguel Hernández
Published: June 1, 2022

KubeCon EU returned to Spain. This time to Valencia, city of paella and horchata and, of course, a great place for big events. We had a great time meeting you all in person and attending the talks. Here are our hot takes from the event.

[Image: KubeConEU 2022 dates]

The main event started on Wednesday, but before that different co-located events took place: eBPF Day, Cloud Native SecurityCon, and PrometheusDay, among others. These events gathered a large number of attendees. In total, more than 7,000 people followed the event in person, and more than 11,000 followed virtually. Events are safely back!

If you want to know more about these co-located events, read our Highlights on Prometheus Day 2022 EU.

In this article, we'll focus on the main event, the most important one for the Kubernetes community in Europe.

Overall takeaways from keynotes & sessions

One of the main takeaways that all the speakers highlighted is the need to make things easier for developers in the cloud-native ecosystem and Kubernetes.

On the first day, 7 Years of Running Kubernetes for Mercedes-Benz was a clear example of how to create "golden paths" and keep improving them. This was not the only talk covering the topic: From Kubernetes to PaaS to … Err, What's Next? also discussed how developer profiles are constantly evolving and learning.

[Image: KubeConEU 2022 Keynotes]

Another strong idea at this KubeCon was the importance of keeping the ecosystem and its community sustainably maintained.

Finally, scaling security in Kubernetes is a growing concern, and something to keep in mind if we want to avoid future security incidents.

During KubeCon, we observed high demand for beginner, or 101, content. Talks aimed at this audience were consistently busy, with lots of attendees. This is a sign that Kubernetes is a healthy project with growing adoption. One of these interesting talks was Seeing is Believing: Debugging with Ephemeral Containers, a deep explanation of containers and a comparison of attaching containers through docker exec, kubectl exec, and patching the pod definition.

A focus on security

As we just mentioned, there was a big interest in the security side of things. Here are some hot takes from the talks we attended:

A Treasure Map of Hacking (and Defending) Kubernetes

By: Andrew Martin, ControlPlane

With a focus on supply chain attacks, this talk provided an overview of how to understand attackers and their behavior. It was refreshing to see this from a real attacker's perspective, instead of the usual security-person perspective.

Three Surprising K8s Networking "Features" and How to Defend Against Them

By: James Cleverley-Prance, ControlPlane

A super interesting talk about discovering details of a Kubernetes cluster through publicly exposed endpoints. It included a deep dive into overlay network routing, and how IP spoofing can be used to communicate with internal pods and services from outside the cluster.

The Hitchhiker's Guide to Pod Security

By: Lachlan Evenson, Microsoft

This talk presented the new Pod Security concept that will replace the deprecated PodSecurityPolicy. The major difference is a simplification: it provides three levels of security, Restricted, Baseline, and Privileged.
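As an added example (not from the talk or this post), here is how those three levels are applied in practice: Pod Security labels on a namespace, one per mode, followed by a pod that satisfies the Restricted level. The namespace name and image reference are constructed for the example.

```yaml
# Added example: Pod Security Admission labels on a namespace.
# enforce, audit and warn are set independently, so a team can enforce
# "baseline" today while surfacing "restricted" violations as API warnings
# and audit-log annotations before tightening enforcement.
apiVersion: v1
kind: Namespace
metadata:
  name: payments                      # constructed name for the example
  labels:
    pod-security.kubernetes.io/enforce: baseline
    pod-security.kubernetes.io/enforce-version: latest
    pod-security.kubernetes.io/audit: restricted
    pod-security.kubernetes.io/audit-version: latest
    pod-security.kubernetes.io/warn: restricted
    pod-security.kubernetes.io/warn-version: latest
---
# A pod that passes the "restricted" profile: non-root user, RuntimeDefault
# seccomp profile, no privilege escalation and all capabilities dropped.
# Remove any one of these fields and the warn/audit modes above flag the pod,
# while "baseline" enforcement still admits it.
apiVersion: v1
kind: Pod
metadata:
  name: checkout
  namespace: payments
spec:
  securityContext:
    runAsNonRoot: true
    seccompProfile:
      type: RuntimeDefault
  containers:
  - name: app
    image: registry.example.com/checkout:1.0   # constructed image reference
    securityContext:
      allowPrivilegeEscalation: false
      capabilities:
        drop: ["ALL"]
```

Setting a pinned version such as v1.24 instead of latest keeps the profile definition stable across control-plane upgrades.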

Make the Secure Kubernetes Supply Chain Work for You

By: Adolfo García Veytia, Chainguard

Another talk about upcoming Kubernetes features. In this case, it covered the work that the Kubernetes Release SIG is doing to attest, sign, promote, and distribute Kubernetes artifacts. It also discussed some limitations, or things they are still not doing correctly, that they plan to improve.

Attacking & Defending Kubernetes TEE Enclaves in Critical Infrastructure

By: Robert Ficcaglia, SunStone Secure, LLC

A good explanation of Trusted Execution Environments (TEEs), which prevent unauthorized access to, or modification of, the data being used. Another example of the importance of a secure supply chain.

Full Mesh Encryption in Kubernetes with WireGuard and Calico

By: Peter Kelly, Tigera

Cool and hacky. It explained how WireGuard and Calico work, and how both can be used together to encrypt the connections between nodes. Calico takes care of the WireGuard configuration on the nodes automatically.

Throw Away Your Passwords: Trusting Workload Identity

By: Ric Featherstone, ControlPlane

An interesting talk about identity management, and how OIDC, JWT tokens, bound tokens, and different identity providers can be used for authentication.

Multi-Cloud Workload Identity With SPIFFE

By: Jake Sanders & Charlie Egan, Jetstack

A talk about the SPIFFE protocol that presented an example of the SPIFFE connector, where an application (pod) can automatically obtain credentials to access two different cloud providers.

How attackers use exposed Prometheus server to exploit Kubernetes clusters

By: David de Torres & Miguel Hernández, Sysdig

Through a few examples, they showed that it is possible to do a lot of damage to the infrastructure and applications if someone manages to get access to the Prometheus server. For example, one can retrieve information about the images used by the pods, and thus exploit known vulnerabilities to alter their behavior or extract information.

[Image: KubeConEU 2022 Exposed Prometheus exploit Kubernetes Cluster]

Our takeaways from KubeCon EU

One of the best things at KubeCon EU was the opportunity to talk to attendees IRL, listen to their pain points, and find opportunities to improve.

[Image: Sysdig at KubeCon Valencia 2022]

For me personally, it was an eye opener to see that, although the KubeCon audience was IT-related and not very focused on security, everyone was up to speed and invested in the latest security news in the ecosystem. For example:

This is why we, at Sysdig, think it's so important to close the gap between DevOps and security teams.

Also, an important takeaway was the huge number of new adopters. This is just the beginning of the cloud-native journey for them, and they are all going to face the same challenges: understand this new paradigm, train their teams, migrate their infrastructure, scale properly, and implement security.

In summary, it's great to have KubeCon back, and we cannot wait for KubeCon NA in a few months.
