Seattle, WA
December 10–13, 2018

Security+Identity+Policy
Tuesday, December 11


How Symlinks Pwned Kubernetes (And How We Fixed It) - Michelle Au, Google & Jan Šafránek, Red Hat
Ever wonder how Kubernetes deals with security vulnerabilities? This talk illustrates the process by walking through the discovery, patching, and disclosure of CVE-2017-1002101.

In Nov 2017, we received a report about how misusing the volume subpath feature could result in access to host files. A team was assembled to investigate the vulnerability, develop a patch, and release it to all supported versions of Kubernetes -- ALL in secret.

As we walk through the story from discovery to disclosure, we will also deep dive into the technical details of how this feature allowed a container to escape to the host filesystem, and how it was fixed.

You will walk away with techniques for secure file handling in multi-tenant environments, best practices for restricting volume access in your Kubernetes clusters, and an understanding of how a large open source project manages security issues.

Michelle Au
Software Engineer, Google
Michelle Au is a software engineer at Google and is a Kubernetes SIG Storage maintainer. She has worked on Kubernetes volume security, the Container Storage Interface, volume topology, and local persistent storage.
Jan Šafránek
Principal Software Engineer, Red Hat
Jan is a Principal Software Engineer at Red Hat working on storage aspects of Kubernetes. He started developing Kubernetes more than 4 years ago, and is one of the founding members of SIG-Storage. He’s the author of PersistentVolume controller, dynamic provisioning and StorageClass...

Tuesday December 11, 2018 10:50am - 11:25am
Ballroom 6C


Securing Kubernetes With Admission Controllers - Dave Strebel, Microsoft
An admission controller allows you to intercept or mutate requests to the Kubernetes API before they are persisted as objects in Kubernetes. By utilizing admission controllers to intercept objects, we have the flexibility to enforce enterprise security policies for developers and operators of Kubernetes.

In this demo heavy session, we will review admission controller capabilities and use cases for extending Kubernetes security. We will also demonstrate how to use an admission controller to restrict access to specific service types in a Kubernetes cluster.

Attendees will leave understanding how to utilize admission controllers to extend security in their Kubernetes environment. They will also learn about use cases of using admission controllers to provide enterprise grade security policies.

David Strebel
Open Source Architect, Microsoft
Dave Strebel is a Global Open Source Architect on the Microsoft Global Black Belt team. Dave focuses on containers, microservice architecture and the cloud-native ecosystem. Dave has been working in technology for over 15 years and has a mixed background across application development...

Tuesday December 11, 2018 11:40am - 12:15pm
Ballroom 6C


Recent Advancements in Container Isolation - Tim Allclair & Adin Scannell, Google
Container orchestration enables higher bin-packing and utilization of machines, but native Linux containers do not offer the same degree of isolation between workloads as separate VM instances can. Attackers could abuse this lack of isolation to move through a Kubernetes cluster after gaining a foothold in a container. Fortunately, there are many tools in the defenders’ toolbox that can be applied across multiple levels of the stack.

In this survey talk, we will look at several recent or upcoming advancements in container isolation. You will learn about new kernel features, several "sandboxing" approaches, and features being developed in Kubernetes to harden the Pod and Node boundaries. After the talk you will have a better understanding of how to secure your Kubernetes applications and clusters with the latest features.

Tim Allclair
Software Engineer, Google
Tim Allclair joined the Kubernetes project with Google just after the 1.0 launch in 2015. He co-chairs sig-auth, is an active sig-node contributor, and a member of the Kubernetes Product Security Team (responsible for responding to vulnerabilities in Kubernetes). His most recent charter...

Adin Scannell

Software Engineer, Google
Adin Scannell is a Software Engineer at Google, where he leads the gVisor team and focuses on container security and isolation. Adin has been virtualizing things for a while: he was previously co-founder and CTO at Gridcentric, which pioneered rapid virtual machine cloning technology...

Tuesday December 11, 2018 1:45pm - 2:20pm
Ballroom 6C


Hardening Kubernetes Setups: War Stories from the Trenches of Production - Puja Abbassi, Giant Swarm
When you run Kubernetes in production and at scale, you encounter many issues, both on the infrastructure side and in user space. Some of these issues come with time, as usage, cluster size and the number of workloads grow; others only appear once you go global and into regions with vastly different technology landscapes, such as China.

This talk goes into detail on learnings from concurrently operating 100+ clusters for big enterprises in production on different clouds and data centers around the globe. Over the years we have worked through hundreds of post mortems and want to share both operations and development best practices that can help avoid the issues we ran into. A big focus of this talk is getting towards a hardened and reliable cluster setup and the handling of multi-tenancy in clusters that are used by a multitude of teams.

Puja Abbassi
Developer Relations & Product, Giant Swarm
Puja Abbassi is a Developer Advocate and Product Owner at Giant Swarm. As a CNCF ambassador, he's passionate about bringing cloud native technologies to more developers and their companies around the globe. In Kubernetes he focuses on security and authentication as well as extending...

Tuesday December 11, 2018 2:35pm - 3:10pm
Ballroom 6C


Athenz with Istio: Single Access Control Model in Cloud Infrastructures - Tatsuya Yano, Yahoo Japan Corporation
Most cloud computing environments are based on self-service, so authorization configurations are frequent and dynamic. Furthermore, in a microservices architecture each service communicates via web APIs, so it is important to have precise and frequently configurable access controls at low cost.

Athenz is an open source platform for X.509 certificate based service authentication and fine-grained access control in dynamic infrastructures. It provides options to run multiple environments with a single access control model. We also plan to provide integration with SPIFFE and Istio.

In this session, the speaker will explain the benefits of using Athenz and demonstrate how to use Athenz in a cloud computing environment by showing a use case of the integration with Istio.


Tatsuya Yano
Platform Developer, Yahoo Japan Corporation
Platform developer in Yahoo Japan Corporation. Principal engineer for Dev/Ops of identities and access management. Contributor for development of open-source product "Athenz". (https://github.com/yahoo/athenz)

Tuesday December 11, 2018 3:40pm - 4:15pm
Ballroom 6C


This Year, It’s About Security - Maya Kaczorowski & Brandon Baker, Google
The message was resoundingly clear at KubeCon EU, “this year, it’s about security”. Kubernetes has made giant strides in 2018 to improve security for end users.

We’ll start with an overview of what’s happened in 2018, including the first container security attacks. Then, we’ll focus on three hot topic areas to dive deeper and demo: (1) Isolation, using projects like gVisor, Kata Containers, and Nabla; (2) Software supply chain security; and (3) Security by default and hardening. You’ll leave with an understanding of new security features in Kubernetes, and how you can contribute to making Kubernetes secure.

Brandon Baker
Cloud Security Horizontal Lead, Google
Brandon is Tech Lead for Cloud Security at Google. He started the Cloud Security organization at Google Seattle 8 years ago, building core encryption, sandboxing, mitigation, detection, and security features to protect our Cloud users and Google’s infrastructure. Prior to Google...
Maya Kaczorowski
Product Manager, Software Supply Chain Security, GitHub
Maya is a Product Manager for Software Supply Chain Security at GitHub. She was previously at Google, focused on container security, and encryption at rest and encryption key management. Prior to Google, she was at McKinsey & Company, and before that, completed her Master's in mathematics...

Tuesday December 11, 2018 4:30pm - 5:05pm
Ballroom 6C
Wednesday, December 12


Friends Don’t Let Friends Leave Their Kubernetes Data Unprotected - Rita Zhang, Microsoft
In recent headlines, there is increasing news about cloud resources getting hacked through attacks on Kubernetes clusters. Failing to properly secure your Kubernetes data can result in cloud resources getting hacked and your application secrets getting stolen. The etcd database contains information that may grant an attacker significant visibility into the state of your cluster.

This presentation focuses on how to use the encryption at rest feature to encrypt secret resources in etcd, preventing unauthorized parties from viewing the content of etcd and etcd backups. Starting from Kubernetes v1.10, we have added --experimental-encryption-provider-config, which controls how API data is encrypted in etcd by KMS providers. We will also look at how you can securely leverage KMS providers as stores for your application secrets, keys, and certs.

Rita Zhang
Principal Software Engineer, Microsoft
Rita Zhang is a software engineer at Microsoft, based in San Francisco. She is on the Azure Cloud Native Compute team building features for Kubernetes upstream and for Azure Kubernetes Service. Rita is passionate about open source and running distributed workloads at scale.

Wednesday December 12, 2018 10:50am - 11:25am
Ballroom 6B


So You Want to Run Vault in Kubernetes? - Seth Vargo, Google
Kubernetes is great for running applications, but can it run secure workloads like HashiCorp Vault, a popular open source secrets management tool? This two-part, demo-driven talk explores the answers to that question.

The first part showcases how to run Vault securely on Kubernetes. We walk through different deployment architectures and strategies for making sure Vault is run in the most secure manner on Kubernetes.

The second part focuses on how services deployed in Kubernetes interact with Vault. We discuss the implementation details and tradeoffs for authenticating pods and services to Vault to retrieve dynamic credentials like database passwords and Google Cloud IAM credentials.

Attendees will leave with an understanding of how to better run secure workloads like Vault inside Kubernetes and how to expose secure workloads to other services in the cluster.

Seth Vargo
Engineer, Google
Seth Vargo is an engineer at Google Cloud. Previously he worked at HashiCorp, Chef Software, CustomInk, and some Pittsburgh-based startups. He is the author of Learning Chef and is passionate about reducing inequality in technology. When he is not writing, working on open source...

Wednesday December 12, 2018 11:40am - 12:15pm
Ballroom 6B


Using Application Identity to Correlate Metrics: A Look at SPIFFE and SPIRE - Priyanka Sharma, GitLab
In an ideal world, we would have a standardized way to identify running software systems that our monitoring tools could easily lean on, even when spread over multiple teams, geographies, and platforms. But real-world deployments are rarely so simple. I will explain how application identity can be used as the basis for correlating metrics from multiple sources (with the help of OpenTracing) and detail some of the challenges inherent in defining application identity in different contexts (such as virtual machines, functions, and different Kubernetes primitives). I then offer an overview of open source projects like SPIFFE and SPIRE, which have modernized identity authentication across microservices, and demonstrate how SPIRE, Fluentd, Prometheus, and Jaeger can be used together to precisely correlate logs, metrics, and traces to improve and diagnose real-world production issues.

Priyanka Sharma
Director of Technical Evangelism, GitLab
Priyanka Sharma is the Director of Cloud-Native Alliances at GitLab Inc. She also serves on the board of the Cloud Native Computing Foundation (CNCF) and has deep expertise in DevOps and observability. A former entrepreneur with a passion for growing developer products through open...

Wednesday December 12, 2018 1:45pm - 2:20pm
Ballroom 6B


How We Survived Our First PCI/HIPAA Compliant Check with Kubernetes - Travis Jeppson, Nav
At a high level, Travis will go over what it took for Nav to pass their first compliance check with their application in Kubernetes.

At a lower level, he'll discuss what PCI/HIPAA compliance is like in a world of containers: how to translate, and prioritize, the requirements from a traditional model using virtual machines to a containerized model; what tools are already provided with Kubernetes, such as taints and tolerations; which tools are plug-ins, such as network policies; and what is missing and requires an external service.

He'll briefly cover Nav's build pipelines and why adding security checks into the Docker builds is important to maintaining a compliant environment.

Finally, he'll discuss how, moving forward, you can reach a state of constant compliance; there is no reason to struggle to "become" compliant on a quarterly, or yearly, cadence.

Travis Jeppson
Director of Engineering, Nav
I am a bald husband and father. I have always been interested in learning as much as I possibly can. I have recently found myself learning a lot about self-improvement, and of course technology. I find these two subjects to be very difficult to ever get right. I love Star Wars, and...

Wednesday December 12, 2018 2:35pm - 3:10pm
Ballroom 6B


Scrutinizing SPIRE to Sensibly Strengthen SPIFFE Security - Matt Moyer, Heptio & Evan Gilman, Scytale
SPIFFE (Secure Production Identity Framework For Everyone) is an open source standard for giving identities to services in dynamic and heterogeneous environments. SPIRE is an implementation of SPIFFE that provides a solid bedrock for secure infrastructure -- at least that's what we hope! In this talk, we'll attempt to rationalize that notion. We’ll introduce a formalized threat model for SPIRE and show how it helps suggest practical security improvements.

First, we'll introduce the components of SPIFFE and show how applications can use it to build secure service-level authorization systems. Then we'll show how the components of SPIRE work together to enforce useful security properties. Finally, we'll walk through our findings and show some of the incremental improvements we've made to strengthen SPIRE.

Evan Gilman
Engineer, Scytale
Evan Gilman is an engineer with a background in computer networks. With roots in academia, and currently working on the SPIFFE project, he has been building and operating systems in hostile environments his entire professional career. An open source contributor, speaker, and author...
Matt Moyer
Security Engineer, Heptio
Matt Moyer is an engineer at Heptio working to make Kubernetes more secure. Prior to his current position, he worked in security and infrastructure engineering at a consumer financial services company. He enjoys long passphrases, secure defaults, and writing about himself in the third...

Wednesday December 12, 2018 3:40pm - 4:15pm
Ballroom 6B


Navigating Workload Identity in Kubernetes - Michael Danese, Google & Spike Curtis, Tigera
If your application accepts network connections, you need to know with confidence who is on the other end. If your application is composed of many microservices, it pays to take a managed approach to this identity question.

Identity is a foundational but complex component of secure systems. This talk provides a conceptual overview of how workload identity is established with a focus on practical application. In this talk Mike and Spike will compare and contrast some different options for establishing identity in your Kubernetes cluster.

We will explore recent work in the Kubernetes Container Identity working group and discuss patterns and pitfalls in case studies like Istio and SPIFFE. You'll learn how to decide between these different approaches and how to go about integrating them into your cluster and your application.

Spike Curtis
Senior Software Engineer, Tigera
Spike Curtis is a software developer at Tigera. He co-leads the Istio Security Working Group and is a contributing author of SPIFFE specifications. He is also a core developer for Calico.
Mike Danese
Software Engineer, Google
Mike is a software engineer at Google. He has worked on Kubernetes and GKE for over four years and is currently the lead of the GKE Identity Team. He is a chair and TL of the Kubernetes Auth Special Interest Group. He develops and maintains authentication infrastructure in Kubernetes...

Wednesday December 12, 2018 4:30pm - 5:05pm
Ballroom 6B
Thursday, December 13


Single Sign-On for Kubernetes - Joel Speed, Pusher
User management is hard. At Pusher, with an expanding engineering team, we wanted to build a simple identity management experience within our Kubernetes infrastructure. In this talk, I explore authentication options and demonstrate how Single Sign-On works within our Kubernetes clusters.

Kubernetes supports a Single Sign-On protocol called OpenID Connect (OIDC). I’ll take a deep dive into how OIDC authentication flows work before showing how we created a simple log-in experience for our Developers with features such as short-lived tokens, automatic refreshing, group management and a unified identity between the command line (Kubectl) and the browser (Kubernetes Dashboard).

Joel Speed
Cloud Infrastructure Engineer, Pusher
Joel is a Cloud Infrastructure engineer who has been working with Kubernetes for the last year. He has been working in DevOps for over 3 years and is currently helping Pusher build their internal Kubernetes Platform. Recently he has been focusing on projects to improve autoscaling...

Thursday December 13, 2018 3:40pm - 4:15pm
Ballroom 6C


Shopify’s $25k Bug Report, and the Cluster Takeover That Didn’t Happen - Greg Castle, Google & Shane Lawrence, Shopify
In May, a security researcher reported a vulnerability in a Shopify microservice and demonstrated how it could be used to access keys from the Google Cloud metadata API. This could have led to a cluster takeover, for which Shopify awarded $25k through its bug bounty program.

Shane will share his experience responding to the report, analyzing Kubernetes audit logs, and hardening the cluster to block the escalation path. Together, Greg and Shane will describe some example Kubernetes audit log queries that can help discover unusual activity in the form of Kubernetes API access, and assess the impact of credential exposure, such as in this report. The collection of example queries will be released for use by the Kubernetes community and we will also share some hardening best practices.

Greg Castle
Kubernetes/GKE Security Tech Lead, Google
Greg is the tech lead for the Kubernetes and Google Kubernetes Engine (GKE) security team at Google, and is a regular at SIG-Auth. Greg has 15 years of experience in a number of security roles including product security, penetration testing, incident response, platform hardening...
Shane Lawrence
Senior Infrastructure Security Engineer, Shopify
Shane is a Senior Security Infrastructure Engineer at Shopify, where he's working on a multi-tenant platform that allows developers to build secure, scalable apps and services. His previous work includes SIEM and Log Management at CGI MSS, and IDS Engineering at CFNOC.

Thursday December 13, 2018 4:30pm - 5:05pm
Ballroom 6C