Hacking and Hardening K8s & K8s@AWS: Overcoming challenges of DIY Provisioning

Capital One - 1680 Capital One Dr, McLean
Thu, Oct 26, 2017, 6:00 PM (EDT)

About this event


6:00 pm : Meet, greet, & eat

6:30 pm : Presentations

Talk Description:

Hacking and Hardening Kubernetes Clusters by Example

Brad Geesaman - Symantec

While Kubernetes offers new and exciting ways to deploy and scale container-based workloads in production, many organizations may not be aware of the security risks inherent in the out-of-the-box state of most Kubernetes installations, or of the common workload deployment practices that can lead to unintentional compromise. Join Brad Geesaman, the Cyber Skills Development team lead at Symantec, on an eye-opening journey examining real compromises and sensitive data leaks that can occur inside a Kubernetes cluster, highlighting the configurations that allowed them to succeed, applying the latest built-in security features and policies to prevent those attacks, and providing actionable steps for detecting them in the future.

The hardening measures taken in response to the attacks demonstrated will include guidelines for improving configurations installed by common deployment tools, securing the sources of containers, implementing firewall and networking plugin policies, isolating workloads with namespaces and labels, controlling container security contexts, better handling of secrets and environment variables, limiting API server access, examining audit logs for malicious attack patterns, and more.

Kubernetes at AWS: Overcoming the challenges of DIY provisioning

Keith Gasser, Bryce Frazier, Simon Kwame - Capital One

At Capital One, we’re now well along in our journey of leveraging ECS for stateless workloads, especially RESTful APIs. However, for managing an enmeshed ecosystem of stateful services, we’re using Kubernetes at AWS. In this talk we will discuss some of the challenges we’ve faced in light of compliance requirements and a heavily regulated AWS environment. We will highlight Ansible provisioning of our clusters and, time permitting, discuss some of the security hardening we’ve done, including work with Dex. Along the way, we will talk about projects/solutions we’ve tried but discarded as unsuitable for our use cases. We can also provide hints for getting minikube, minishift, and Tectonic Sandbox running behind an enterprise proxy for those evaluating different distros.

Some of this talk will preview our forthcoming KubeCon 2017 talk in December.


Speaker Bios:

Brad Geesaman - Symantec

Brad is a Senior Manager at Symantec in the Cyber Skills Development group, where he supports the operations and delivery of ethical hacking learning simulations on top of Kubernetes in AWS. Although he spent several years as a penetration tester, his real passion is educating others on the real-world security risks inherent in complex infrastructure systems through demonstration, followed by practical, usable advice on detection and prevention.

Keith Gasser is a twenty-five-year veteran of fintech architecture, software and security engineering, and is currently co-leading the Bonsai Kubernetes platform team in Capital One’s Consumer/Retail tech LOB. In his spare time, he…he has no spare time.

Bryce Frazier is a DevOps practitioner and software engineer on the Bonsai Kubernetes team at Capital One/RDT. In his spare time, he bags peaks only 14k and above.

Simon Kwame is a DevOps practitioner and software engineer on the Bonsai Kubernetes team at Capital One/RDT. In his spare time, he is also working on Kubernetes.


Thursday, Oct 26
6:00 PM - 9:00 PM (EDT)
