Attacking and Defending Kubernetes, with Ian Coldwater
Length: 43 minutes
Released: Aug 6, 2019
Format: Podcast episode
Description
Ian Coldwater specializes in breaking and hardening Kubernetes, containers, and cloud native infrastructure. A pre-eminent voice in the Kubernetes security community, they are currently a Lead Platform Security Engineer at Heroku. Ian joins Adam and Craig to talk about the offensive and defensive arts.
Do you have something cool to share? Some questions? Let us know:
web: kubernetespodcast.com
mail: kubernetespodcast@google.com
twitter: @kubernetespod
Chatter of the week
Black Hat USA
DEFCON
Scavenger hunts
An example of Spot the Fed
An example of the Mystery Challenge
News of the week
Mesosphere becomes D2iQ
Google Cloud launches Migrate for Anthos in Beta
Google Cloud Game Servers coming soon
Episode 26: Agones, with Mark Mandel and Cyril Tovena
Announcing Kubernetes Summits in Seoul and Sydney
Security updates of the week
CVE-2019-11247: API server allows access to custom resources via wrong scope
CVE-2019-11249: kubectl cp (round 3!)
IBM and Red Hat:
OpenShift on IBM Cloud
OpenShift coming to Z Series and LinuxONE
Cloud Paks and services
Cisco Container Platform now supports Microsoft AKS
Helm deployments at the Kubedex
How Kubernetes can be used for genetic analysis by Mu Huan and Eric Li (Alibaba Cloud)
Announcing CloudBees Jenkins X Distribution
Episode 44, Continuous Delivery Foundation, with Tracy Miranda
TiDB Operator now Generally Available
Links from the interview
Red teams and penetration testing
Fuzzing
Attacking Helm’s Tiller
Black-box and white-box testing
DevSecOps: guard rails, not gates
OWASP - the Open Web Application Security Project
The math behind calculating security risk
CVSS score
etcd: encrypt it at rest!
Admission control
Technologies for isolation:
AppArmor
Seccomp
gVisor
Firecracker (not yet supported with Kubernetes)
“Kubernetes is powerful, and it’s insecure by design”
Ian and Duffie Cooley’s BlackHat talk
Cloud doesn’t make it better!
Threat modelling
hostpath - “a powerful escape hatch”
Trail of Bits blog: understanding Docker container escapes
Recommended watching:
Ship of Fools by Ian Coldwater (slides)
Hacking and Hardening Kubernetes by Example by Brad Geesaman (slides)
A Hackers Guide to Kubernetes and the Cloud by Rory McCune (and his upcoming Black Hat training)
DIY Pen Testing for your Kubernetes Cluster by Liz Rice (our guest on episode 19)
Ian Coldwater on Twitter