Fixing a misconfigured Kubernetes Cluster by Rob Kenefeck

• First big docker project was to separately build and test application, hardware and OS

• First k8s job was focused on making tech work, not the security model around it

• Still considers k8s in Australia to be fairly bleeding edge

• OWASP Kubernetes Top 10

• First released in 2022

• New list version out soon

• VMs vs Containers

• People Treat Containers like they are VMs

• Lots of things in Linux are not namespace in containers

• Kernel Modules, /sys , /dev

• Docker Damon will often run as root

• Shared Kernel

• Container Security: Opportunities

• Hardened Kernels – GRSEC, PAX

• Security Policies/Whitelisting – Seccomp, AppArmor, SELinux

• Container Security

• Drop to unprivileged user in Docker

• Reduce Attack surface – Run from scratch, Multi-Stage container builds

• Drop all capabilities, add back only what you need

• Mount volumes with ro, noexec, nosuid, nodev

• Software bill of materials

• K02 – Insecure Workload config

• Apps running as root

• Ro filesystems

• Privileged containers disallowed

• Resource constraints enforced

• K02 – Supply Chain Vulnerability

• K03 – Overly Permissive RBAC

• K8s Secrets are not secret.

• Openbao is OS alternative to Hashicorp Vault

• K04 – Policy Enforcement

• Pod Security Standards via Admission Controller

• Privileged, Baselines, Restricted

• K05 – Logging

• K06 – Broken Authentication

• tokens left lying around

• K07 – Network Segmentation

• K8s networks are flat by default

• K08: Secrets management

• Secrets are Environment variables

• Anyone who can query node or container/pod can see them.

• K09 – Misconfiguration Cluster Components

• Dashboards, MCP agents

• K10 – Outdated and Vulnerable Components

• Demo with Capture the Flag and vulnerable container

• https://github.com/controlplaneio/simulator

Everything Open Everywhere All At Once by Steven De Costa

• “ChatGPT: Please create an interesting keynote about random philosophical concepts strung together in a vaguely meaningful way and themed around Chickens”

Lightning Talks

• End Security by Obscurity

• mygov code generator app

• enrol + TOPT

• is it secure? Is it spyware?

• Only availbale via the app store

• Made Freedom of Information in 2021 and gone through multiple appeals/reviews after being denied

• Looking for money to appeal further

• High Altitude Balloons and and ASN.1

• Need a protocol with various requirements to help recovered balloon and get data from it.

• Existing protocol not ideal

• asn.1 old protocol that might be useful

• What would it take to run everything Open in New Zealand

• Running a conference is hard

• Small team and Harder

• Good idea?

• What will this actually take

• Contact Chelsea if interested.

• Open source is not all you need to fight inshitification

• No but other freedoms are needed

• Brain Model in your Hand

• I’m doing a talk in front of 300 people. My brain thinks I’m being chased by a Lion

• Learn an Indigenous Language

• How to Eat Fruit

• Help is at Hand

• Join a Union

• My Community

• Open Source Institute

• My $50 question now costs a trip to fench

• Pycon did battle decks

• What is the most popular emoji on github?

• Ran a big query on Bigquery

• Grabbed the software heritage project

• Lots of small files. Hard to query or mirror

• 3 Petabytes. Too might to download

• Solid Open Source Package

• 6 talks about deplatforming and/or self hosting this week

• SOLID is a decentralized Social data

Post navigation