# Kubecon Questions
Intro music: UGG soundtrack and fanfare
0) Intro - welcome (I)
greetings from snowy Minneapolis where it's just as cold as Boston if we were all in the same place, and welcome to the sig-HONK AMA panel! sig-HONK is not an official K8s SIG. We're a hacker crew and a group of friends who have been working on various aspects of Kubernetes security for a few years now, and we're answering questions that came from you, the community! Thanks for being here with us.
+ intros for people - I D R B
* name? pronouns? what you do?
* Ian they/them! I come from a devops turned pentesting background, now co-chair of SIG security, twilio
* D I am Duffie Cooley PRONOUNS!!! I've been playing with networks, distributed systems and people for quite a while and work to help make projects like Kubernetes more approachable and inclusive.
* R Hi I'm Rory McCune My pronouns are He/Him. I'm a principal consultant at NCC Group, where I focus on completing security assessments and pentests for customers and I've been looking at container security for 4-5 years now.
1) (B to I) What's up with all the honking?
I - goose game! honk
2) (I to D,R,B) How does k8s change security over the old way?
D - the old way in my mind is applications deployed to some subset of servers, and all the conflicting library problems that come with that. Container orchestration is still applications
R - moving away from individually built servers, and the move to automation and infrastructure as code, repeatability as a benefit, problems of secrets management and everything in the cloud (e.g. exposure via GH or other repos)
B
3) (B to I, D) What do you feel developers of (upstream or downstream) cloud native tech should be thinking about, security-wise?
I - what's old is new again. check your assumptions! look at your system from an attacker perspective, threat model accordingly.
D - what tools did I leave behind for my attackers.. privilege? gdb? bash?
4) (D to B,R,I) how do you go about evaluating the attack surface of a cluster/actually attacking it?
B
R - 2 ways of assessing things (white box, black box). White box about analyzing data, finding patterns. Black box about working through scenarios looking at the attack surface (e.g. container breakout, looking at sandbox and things like mounted filesystems)
I - pattern recognition. you can learn this too! CTFS :)
5) (I to D,B) what are some indicators that your k8s has been compromised? how can you tell?
D - Falco System call interface!
B - audit logs
6) (B to R,I) How do you go about evaluating an external project's security posture?
R - CNCF Security audit reports, Security contacts and information, (in)secure defaults, what defaults have the project chosen, what's the "happy path" install
I - how does it work? what does it even do in there? how does it fit?
7) (I to D,R,I,B) How do you find inspiration for where to honk next? How do you develop intuition about the emergent behavior of complex systems?
D - poke at it! be curious! this is how we develop intuition!
R - Trying to answer questions, from the course, from SO/Sec.SE. You can find CVEs there too. Also Reading GH Issues on places like k/k you can find CVEs there too
I - read the docs, interesting keywords. what sparks imagination?
B -
8) (B to D,R,B,I) What is the biggest area ripe for honks that has yet to be explored in the cloud native space?
D - container runtimes syscalls
R - Interaction of layers, use of historically complex things (HTTP, PKI), ((new layers like operators, this segues nicely into Brad's CRD))
B - CRDs and making other infra
I - low levels!
9) (I (honk chorus)) sigs and call to action!
I - Call to Action!
D - transition to THANKS SLIDE
D - All of these questions were provided by you, thanks so much!
D - And one more thing
D - Transition back to group
ALL - HONK the Planet! (cue rickroll)
Fade to circle slide
####
All in questions:
R B I D - [from @thatmightbepaul](https://twitter.com/ThatMightBePaul/status/1317612636922646533?s=20)
- `Aside from third-party security audits, what should the average k8s fan look for when evaluating a project's security? Specifically, looking for signals that convey that a project is invested in good security Versus those that are phoning it in and hoping no one notices.` `And I mean to ask more about components you might install on your k8s cluster, rather than a k8s distro.`
D R B I - [from @redteamwrangler](https://twitter.com/redteamwrangler/status/1317587851635281920?s=20)
- `Has containerization and kubernetes itself, by way of their patterns, made application deployments more, less or similarly secure over legacy pipelines? Why?`
D R I B - [From @rawkode](https://twitter.com/rawkode/status/1317553968369774593?s=20)
- `I think I do OK with securing systems, y'all have shown us many things we need to do to reduce vectors. What I'm still not great at is knowing when I've been compromised or breached. What are the tools or techniques I need to research to get that alert when something bad happens?`
D - [From @worldwise001](https://twitter.com/worldwise001/status/1277462639216480257?s=20)
- `as more and more infrastructure becomes harder or more expensive to self-start (e.g. k8s), what can we do to help folks self-start to become the next generation of devops/sysadmins? what can we do to make this process sustainable?`
## From Discuss.k8s.io
- [From @marc.boorshtein](https://discuss.kubernetes.io/t/call-for-questions-sig-honk-ama-kubecon-na-keynote-panel/13159/4?u=raesene)
- `Many of the attacks described in the preso on APT in k8s start with privileged access. What's the most likely ways an attacker will get their hands on credentials that can be used against a cluster and what are different ways to prevent that?`
- [From @jim.angel](https://discuss.kubernetes.io/t/call-for-questions-sig-honk-ama-kubecon-na-keynote-panel/13159/5?u=raesene)
- `What would ya’ll consider to be the top tools / methods for evaluating the attack surface of a “vanilla” cluster? Specifically from the outside probing in and workloads running internal. I’m interested in practical tests over best practices; but happy to hear both`
- [From @sam17](https://discuss.kubernetes.io/t/call-for-questions-sig-honk-ama-kubecon-na-keynote-panel/13159/6?u=raesene)
- `What are the security and architectural challenges you guys have come across on ipv6/dualstack k8s clusters dealing with containers (docker) - given the lack of firewall integration and losing some of the ipv4 capabilities like for example - outbound masquerade. Would love to know the panel's thoughts on “Security and Architecture Challenges On ipv6 Cluster”`
- [From @walidshaari](https://discuss.kubernetes.io/t/call-for-questions-sig-honk-ama-kubecon-na-keynote-panel/13159/7?u=raesene)
- `In regulated enterprise settings, is it better to have an air-gapped Kubernetes? knowing that images and updates will be an overwhelming overhead? how about partial, that is limiting internet access to known vendor registries not dockerhub and just upstream 3rd party Kubernetes and security vendors?`
- `What Kubernetes security tools work best in an air-gapped environment? does not require getting updates online, but could be done via an offline process e.g. trivy CVE updates offline`
- `What are your three best security practices, tooling, people to follow?`
- [From @Er1ck](https://discuss.kubernetes.io/t/call-for-questions-sig-honk-ama-kubecon-na-keynote-panel/13159/8?u=raesene)
- `How many honks is too many?`
- `How are newly disclosed CVEs best handled in a K8s environment containers and/or kernel?`
## From Twitter
- [from @greggawatt](https://twitter.com/greggawatt/status/1317553031928442880?s=20)
- `How do I get a hacker crew? Mine all decided to be new parents including myself`
- [from @EchoRior](https://twitter.com/EchoRior/status/1317618224633204736?s=20)
- `Do you see there being a large future for managed k3s/microk8s, and if so, for what use cases?`
- [also from @EchoRior](https://twitter.com/EchoRior/status/1317624952338698243?s=20)
- `Some more general questions: Excited about cgroups v2 in k8s, or will it make little difference? Is k3s any more/less secure than k8s?`
Dupe - [From @tomkivlin](https://twitter.com/tomkivlin/status/1317573644764254209?s=20)
- `As someone new to the community, what is the honking all about? Is it an "in" joke or am I missing something obvious? It makes me smile but I have no idea as to the origin!`
- [From @sboger](https://twitter.com/sboger/status/1317554738271932416?s=20)
- `Experts thoughts on VMware Tanzu offering?`
- [From @rothgar](https://twitter.com/rothgar/status/1317592154206736384?s=20)
- `What's your favorite fictional depiction of hacking in books, tv, or movies? Who is a real life hacker you look up to?`
- [From @jgatre](https://twitter.com/JGartre/status/1317560136781590528?s=20)
- `k8s is built to be agnostic in public/private/hybrid clouds. Applications can run get to users without some of the issues of “vendor lock-in”. As the VMware of containers, it allows managing what containers to run, and where in the amorphous infrastructure to run them. But complexity. Managing a k8s means managing k8s and, as you have illustrated, also managing the k8s servers and the containers servers. That’s k8s upgrades, server upgrades, CI-CD on containers, secrets, balancing, scaling, and the C2 some goose is running next to you. So, basically managing all the clouds which, I hear, may be broken anyway. What is on the horizon, or just over it, in managed services that can help deal with this complexity? Or does everyone get their own set of super heroes like you?`
0) Intros
* name? pronouns? what you do?
1) What's up with all the honking?
2) how does k8s change security over the old way?
3) What are your opinions on tradeoffs in configurability vs attack surface? - @vllry
4) What do you feel developers of (upstream or downstream) cloud native tech should be thinking about, security-wise? If I need to do just one thing as an AppSec Engineer helping developers running apps on Kubernetes, what should it be?
5) how do you go about evaluating the attack surface of a cluster?
6) what are some indicators that your k8s has been compromised? how can you tell? - @rawkode
7) how do you go about evaluating an external project's security posture? - @thatmightbepaul
8) How do you find inspiration for where to honk next? How do you develop intuition about the emergent behavior of complex systems? ~Tinkerfairy
9) What is the biggest area ripe for honks that has yet to be explored in the cloud native space? - DeTiber