Seattle, WA
December 10–13, 2018
Tuesday, December 11 • 10:50am - 11:25am
How Symlinks Pwned Kubernetes (And How We Fixed It) - Michelle Au, Google & Jan Šafránek, Red Hat

Ever wonder how Kubernetes deals with security vulnerabilities? This talk illustrates the process by walking through the discovery, patching, and disclosure of CVE-2017-1002101.

In Nov 2017, we received a report about how misusing the volume subpath feature could result in access to host files. A team was assembled to investigate the vulnerability, develop a patch, and release it to all supported versions of Kubernetes -- ALL in secret.

As we walk through the story from discovery to disclosure, we will also deep dive into the technical details of how this feature allowed a container to escape to the host filesystem, and how it was fixed.

You will walk away with techniques for secure file handling in multi-tenant environments, best practices for restricting volume access in your Kubernetes clusters, and an understanding of how a large open source project manages security issues.

Speakers
Michelle Au

Software Engineer, Google
Michelle Au is a software engineer at Google and is a Kubernetes SIG Storage maintainer, leading the volume topology, local persistent storage, and storage conformance projects as well as developing CSI drivers. She has spoken about Kubernetes storage at previous KubeCon and OpenStack...
Jan Šafránek

Principal Software Engineer, Red Hat
Jan is a Principal Software Engineer at Red Hat working on storage aspects of Kubernetes. He started developing Kubernetes more than 3 years ago and is one of the founding members of SIG-Storage. He’s the author of the PersistentVolume controller, dynamic provisioning and...



Tuesday December 11, 2018 10:50am - 11:25am
Ballroom 6C