►
From YouTube: How We Used Kubernetes to Host a Capture the Flag (CTF) - Ariel Zelivansky & Liron Levin, Twistlock
Description
Join us for Kubernetes Forums Seoul, Sydney, Bengaluru and Delhi - learn more at kubecon.io
Don't miss KubeCon + CloudNativeCon 2020 events in Amsterdam March 30 - April 2, Shanghai July 28-30 and Boston November 17-20! Learn more at kubecon.io. The conference features presentations from developers and end users of Kubernetes, Prometheus, Envoy, and all of the other CNCF-hosted projects
How We Used Kubernetes to Host a Capture the Flag (CTF) - Ariel Zelivansky & Liron Levin, Twistlock
CTF competitions are now commonly used for cybersecurity education purposes, and are solved by many enthusiast researchers looking for a challenge. In Twistlock, we decided to host an online CTF competition with unique challenges that required a live, dedicated persistent machine, for each participant. Using Kubernetes, we managed to successfully host the challenge, publicly open, without sacrificing the security of our infrastructure. We will discuss: Introduction to the CTF and why we choose to run it on Kubernetes Attack vectors for giving users untrusted shells to pods Container isolation technologies such as gvisor and network policies. Patterns for dynamically scaling pods and routes for new CTF participates In the end, attendees will learn the security building blocks of Kubernetes, and how it can be used for non conventional purposes such as hosting a one time live challenge.
https://sched.co/MPYd
A
So
before
we
start,
let's
introduce
ourselves
so
I
am
a
realtor
livanski
I
walk
for
twistlock
as
a
security
researcher,
I
lead
the
security
search
team.
What
we
do
is
basically
try
to
find
vulnerabilities
in
many
CN,
CF
and
open
source
project
that
we
and
our
customers
use.
We
allocate
CVS
and
write
articles
about
what
we
find,
but
the
main
thing
is,
we
always
feel
responsible
disclosure
when
we
release
our
findings,
so
we
basically
try
to
contribute
as
much
as
we
can
to
open
source
and
cloud
native
security.
So.
B
A
Ok,
so
what
are
going
to
do
today?
So,
first
of
all,
we're
gonna
talk
about
what
at
the
CDF
is,
how
many
of
you
have
tried
to
solve
city
ups
in
the
past?
Ok,
that
that's
pretty
good,
it's
mainly
for
security
researchers,
but
everybody
can
do
CIF.
So
once
you
get
others
over
this
room,
just
you
can
try
to
look
up
for
CDF's
and
try
to
solve
anything.
A
If
you
find
it's
really
good
for
you
to
try,
so
we'll
explain
why
we
chose
to
host
our
city
up
on
kubernetes
and
the
one
will
explain
about
the
engineering
of
the
infrastructure
and
how
it
was
all
done
in
the
background
and
then
we'll
be
about
the
security.
And
how
do
you
even
secure
kubernetes
cluster
when
you
give
outsiders,
shell
access
to
your
poets
by
design
and
then
we'll
just
briefly
show
the
results
of
the
CTS
and
what
we
took
from
hosting
it?
A
A
The
flags
are
usually
like
virtual
flags,
some
base64,
some
hash-
that
only
the
guys
that
solve
the
challenge
can
find
jeopardy
style
is
the
most
common
CDF
style,
where
you
have
just
many
different
challenges,
and
you
get
points
for
every
challenge
that
you
solve
and
you
try
to
get
as
many
points
as
you
can
to
win
the
challenge
attack.
Defense
is
my
favorite
CDF
type.
A
Cdf's
are
really
good
for
education
purposes.
So
when
some
guys
come
up
to
me
and
say
like
how
do
I
start
getting
good
at
security
like
how
do
I
learn,
exploitation,
I
always
say:
try
to
solve
CDF
the
city's
in
many
different
levels
like
there's
one,
the
Sun
for
beginners,
some
for
really
advanced
exploitations,
and
it's
a
good
way
to
study
security
and
many
many
times
you
see
security.
Researchers
create
CDF's
where
you
have
to
use
the
most
recent
techniques
to
solve
the
challenges,
so
it's
a
really
good
way
to
learn.
A
Sometimes
if
you
can
find
real
instances
to
try
to
do
things
and
conventions,
usual
security
conventions,
usually
Haas
CDF.
So
if
you
hit
up
one
of
the
security
conventions,
just
go
to
the
different
five
yeah.
So
what
if
we
decide
to
was
to
see
therefore
twist
lock,
it's
a
really
good
way
to
find
security.
Researchers,
security,
researchers,
including
myself,
will
love
solving
CDF.
A
So,
as
we
said,
we
wanted
to
find
good
security
researchers
we're
based
in
Israel,
so
we
advertised
on
Israeli
newspapers
like
neutral
site.
This
is
one
of
the
most
popular
Israeli
news
website,
so
we
put
up
this
ad
and,
as
you
can
see
like
this,
that
was
it
way.
It
was
not
like
clickable
like
you
couldn't
like
click
on
even
get
onto
the
website.
So
can
you
guys
tell
what
this
is
yeah
that's
base,
64
it
just
it
gets.
A
You
through
the
website,
as
soon
as
you
decode
this
base
64,
and
it
was
just
some
simple
way
to
filter
out
most
of
the
people
that
saw
the
ad
when
one
of
them
still,
you
have
to
be
interesting.
We
didn't
want
it
to
be
just
another
CDF.
So
what
we
had
in
mind
was
creating
a
single
machine
that
had
all
the
steps
of
the
challenge
instead
of
having
like
in
normal
CDF.
They
usually
saw
a
challenge.
A
You
get
a
flag,
you
input
it
into
the
website
of
the
CTF,
and
then
you
get
the
next
challenge
we
didn't
want
to
do
that.
We
wanted
to
have
single
machine
with
all
the
challenges
in
it
and
the
way
we
did
it
is
by
having
different
Linux
users
on
the
same
machine
and
you,
the
user,
would
have
to
get
access
to
these
users
by
escalating
these
privileges
to
get
the
actual
next
2nd
and
3rd
binaries
and
the
flags
were
just
files
and
solving
the
challenge
required
different
sets
of
skills.
A
The
first
challenge
was
like
web
exploitation,
the
second
one
we
call
reverse
engineering
of
some
binaries
and
then
to
solve
the
next
challenges.
You
would
need
to
get
like
real
deep
into
the
Linux
internals
and
no
more
than
citation
techniques
and
like
to
get
the
final
flag.
You
would
have
to
write
a
will
exploit
the
really
imitates
like
a
real
scenario.
When
you
exploit
a
binary.
A
So
this
is
how
the
challenge
look
like
soon,
as
you
got
into
our
like.
Domaine,
doesn't
look
back
on
story
about
this
CDF
like
there's
some
company.
You
have
to
act,
it's
not
a
real
company,
it's
our
company!
So
it's
okay
and
this
company
is
like
a
virus
database
company
and
they
have
they
put
a
hash
of
like
the
good
combat
19
company
and
that
we
want
to
get
off
their
website.
Okay.
A
A
So
it's
just
it's
something
you
wouldn't
really
use.
This
is
what
the
challenge
looks
like
like
from
the
first
entrance
point,
you
have
some
Ruby
server
that
we
vote
and
you,
like.
The
user
gets
an
API
for
uploading
the
file
and,
if
he
uploads
the
cat
it
gets
like
this
is
the
vibe
was
danger
and
you
would
want
to
get
rid
of
that
screen
and
have
it
pass
right
so
before
we
even
knew
the
hostage
and
kubernetes.
This
was
the
design
for
the
challenge.
A
It
would
be
a
Linux
machine,
it
would
be
a
ruby
server
and
it
would
be
a
client
binary
that
would
use
IPC
together
the
data
base,
which
would
hold
all
the
hashes,
and
each
of
these
binaries
would
be
accessible
only
by
the
light
users.
So
if
the
Ruby
server
is
just
like
a
simple
would
be
user,
then
the
client
would
be
some
other
user
that
you
have
to
access
as
soon
as
you
get
like.
Shell
access
from
this
user
and
the
DB
server
runs
as
good.
A
So
the
way
you
escalate
from
having
like
the
Ruby
server
has
some
flow
in
it
that
we
put
in
so
you
can
throw
a
shell
and
get
access
to
the
Machine.
This
is
like
the
first
entry
point,
and
so,
like
you
go
from
this
screen
to
like
an
actual
shell,
and
this
client
binary
is
SETI
ID
that
you
guys
know
what
the
ID
is.
Okay,
so
SETI
ID
is
some
Linux.
A
File
permission
that
makes
the
binary
like
the
client
by
name
we've
learned
us.
They
set
you
like
the
owner
of
the
file,
you
let
the
user
that
owns
the
file.
So
if
this
user
owns
the
client
file
when
this
use
advanced
this
binary,
the
effective
UID
of
the
process
would
be
that
of
this
user.
So
if
there
is
some
flow
in
the
client
code
that
allows
code
execution,
this
user
could
escalate
privileges
and
this
user
and
get
shell
for
this
user.
A
That
always
make
sure
this,
like
this
server,
is
running,
and
each
of
these
users
has
some
flag
that
they
could
input
to
our
like
CDF
platform,
and
they
would
get
points
for
each
flag,
but
they
don't
have
to
like.
They
can
actually
just
go
for
all
the
steps
and
get
the
DB
server
like
without
and
inputting
any
flags,
and
there
would
be
some
hidden
flag
that
we
put
to
anybody.
We
managed
to
get
root
access
in
the
machine,
all
right,
so
yeah,
why?
Why
did
we
decide
to
do
it
on
cloud?
A
So
it
was
pretty
apparent
that
we
can't
give
the
user
some
VM
binary
and
tell
them.
Okay
run
it
on
your
machine,
because
if
we
give
them
the
whole
machine
like
as
like
a
virtual
machine
image,
they
could
just
read
out
the
memory
and
extract
all
the
flags
and
they
wouldn't
have
to
solve
the
challenge
and
they
could
just
achieve
very.
We
didn't
want
people
to
do
that,
and
security
visitors
who
try
to
do
everything
they
can
cheating
or
not
to
win
the
challenge
and
yeah.
A
So
it
would
also
be
very
easy
for
us
to
manage
all
the
instances
of
the
challenge
and
control
them
and
make
changes
to
them,
and
it
finally
was
interesting
for
us
to
see
what
security
mr.
just
would
try
to
do
when
they
get.
Would
shell
on
our
pods,
like
deliberately,
there
was
some
similar
experiences
in
the
past
like
lambda
shell,
and
it
was
interesting
fastest,
is
what
people
would
do
and
why
specifically
kubernetes
it's
very
easy
to
scale
up
or
down
like
adding
more
instances.
A
We
didn't
know
how
many
participants
are
going
to
start
solving
it
and
the
place
makes
it
very
easy
to
scale
up
it's
easy
to
update.
If
we
want
to
make
changes
to
all
the
instances,
it
can
be
really
easy
with
communities
and
the
configuration
was
like
perfect
for
us.
You
have
many
Yammer
files
that
define
the
cluster
of
the
CDF,
and
if
we
want
to
first
try
and
hast
it
locally
with
twister
countries,
we
did
that
and
then
we
took
like
the
whole
configuration
file
and
we
put
it
on
gke
and
it
just
like.
B
Engineering
yeah
I'm,
hoping
this
I
did.
Thank
you,
okay,
so
engineering,
we
don't
believe
the
before
touching
a
lot
you
can
hear
me.
Can
you
hear
me?
Yes,
good?
Okay,
so
at
least
look.
We
believe
that,
before
rushing
to
implementation,
you
need
to
think
about
the
engineering
aspect
and
requirements,
and-
and
they
will
assist
you
later
when
you
build
a
solution.
So
what
are
the
requirements
of
building
the
city
of
challenge
over
kubernetes?
B
So
first
you
want
a
solution
that
is
simple,
simple,
but
not
simplistic,
simple
means
that
it's
easy
to
understand
it
easy
to
walk
in
it
and
you
don't
it'll
to
waste
lot
of
resources
and
engineering
time
to
build
it.
Second,
we
want
a
solution
that
is
cheap.
Okay,
so
remember
we're
going
to
give
each
participant
a
pod.
Pod
costume
anyway
cos
two
CPUs.
You
want
to
like
limit
the
amount
of
food
sources
that
you
technically
use.
Third,
we
want
a
solution
that
is
reproducible
now
everybody
knows
kubernetes.
B
Everything
is
reproducible
because
young
men,
but
a
you,
want
something
that
would
be
easy
for
you
if
you
want
to
be
deployed
into
a
solution
or
to
scare
it
out
to
do
it
in
a
very
simple
manner
and
it
can
be
partially
automated.
You
don't
have
to
be
fully
automated
you're
just
going
to
be
like
a
city
of
challenge.
You
don't
need
to
like
go
wild
and
build
it
like
a
very
complex
pipeline
infrastructure,
which
is
what,
which
is
what
we
did.
B
And
finally,
you
want
a
solution
that
is
a
secure
as
much
as
possible
by
different
now,
I
put
a
big
like
asteroids
negative
secure
because,
technically,
like
nothing
is
really
secure.
Okay,
so
everything
is
huggable
with
enough
resources,
but
you
need
to
think
about
how
to
use
your
like
cloud
native,
artifacts
and
solution
to
build
something
that
is
secure
as
much
as
possible.
So
I
will
show
you
all
of
this.
So
how
does
the
solution
look
like?
So
we
have
the
participant,
okay,
appeal,
okay
and
he
registers
to
a
portal.
B
The
t19
challenge
go
to
the
portal.
Then
we
here
we
have
a
registration
service.
So
in
the
legislation
service,
the
registration
service
talks
with
a
database
and
in
the
database
we
map
each
new
user
to
a
regular,
HTTP,
cookie,
okay,
the
cookie
returns
to
the
user.
Then
the
user
needs
to
go
to
another
portal,
which
I
will
show
you
the
virus
Express
where
he
manually
enters
the
cookie
okay.
B
This
goes
to
an
engineer's
instance,
which
is
a
simple
nginx
installed
on
our
kubernetes
cluster,
and
we
have
the
following
configuration
that
map's
each
cookie,
the
user,
receives
to
a
local
clustered
IP
of
service,
regular
community
service.
We
have
three
services
here.
Each
of
each
of
those
is
a
specific
IP,
ok
and
then
the
usually
just
get
redirected
to
one
of
the
instances
and
we're
done
right
good.
So,
let's
talk
about
how
to
make
P
realized.
If
I
do
I
just
talked
about
like
the
overview.
How
do
you
materialize
this?
B
So
we
set
and
discuss
the
solution
and
we
found
three
I
assumed
a
la
mode.
So,
let's
see
first,
there
is
the
solution
where
you
statically,
allocate
everything
you
statically
allocate
the
pods,
you
statically
allocates
the
services,
the
configuration
database
and
genex
everything
now.
This
is
a
very
good
solution
if
you
know
exactly
how
much
participant
you're
going
to,
but
you
can
never
know
that,
and
also
what
happened
in
our
challenge.
B
Well,
we
first
deployed
only
for
the
local
district
employees,
then
in
Israel,
then
in
the
entire
world,
using
actual
news
and
reddit,
so
you're
going
to
scale
you're
going
to
have
idle
instances,
so
a
static
solution,
popularly
not
the
best
second
possible
solution-
is
to
make
it
completely
automated
okay.
So
we
had
the
registration
service
every
time,
participant
register
to
the
challenge.
We
create
a
new
service.
We
create
a
new
pod.
Okay,
so
everything
is
completely
automatic,
sounds
good
right.
B
So
it
is
good
if
you
want
to
be
like
your
production
solution,
but
for
CTF
we
think
it's
a
little
bit
too
much.
First,
it's
a
little
bit
complex
and
second,
there
is
the
security
issue.
Where
now
the
registration
service
me
to
talk
with
the
API
server,
so
you
need
a
token,
so
we
kind
of
drop
that
and
finally,
we
reach
the
hybrid
solution,
which
is
what
we
showed
with
what
we
used,
and
it's
really
cool
I-
want
to
show
you
that,
so
how
does
it
work?
Okay?
So
it's
based
on
a
very
interesting
idea.
B
Okay,
so
the
idea
is
that
in
kubernetes
you
can
tell
kubernetes
the
subnet
the
the
subnet
to
use
when
creating
services.
Ok,
there
is
a
parameter
called
service
area
which
tell
kubernetes
which
subnet
to
allocate
to
all
new
services.
Then,
when
you
create
a
service,
you
can
predefine
the
IP.
The
service
is
going
to
use
why
this
so
why?
It
is
so
good
because
Services
Inc
were
natives,
doesn't
technically
cost
you
anything.
Those
are
just
like
route
in
IP
table.
B
That
tells
you
the
tells
like
the
system
we
have
to
redirect
a
packet
so
we'll
we
had
the
service.
We
also
have
a
selector,
often
up,
but
in
the
app
is
just
like
the
Polo
application
controller,
but
it
was
not
deployed.
We
just
deployed
their
services,
the
statics,
the
load
balancer
and
the
storage
was
statically
configured
like
we
created
10,000
cookies
and
and
made
them
to
10,000
services.
Everything
was
statically
allocated,
as
you
can
see
here
with
the
cookie
of
the
other,
the
cluster
IP
same
in
nginx.
B
Everything
is
the
same,
and
the
final
piece
is
the
on-demand
polar
location.
So
the
instance
says
the
user
was
going
to
use
was
not
created
in
advanced.
We
started
with
a
relatively
small
number,
okay
and
then
every
time
we
saw
a
like
we
reached
out
of
a
location.
We
just
allocate
more
instances.
We
start
we
can
then
100
200
and
1000.
Okay,
so
you
can
see
each
deployment
has
a
selector
which
lets
match
the
selector
that
was
on
the
load
balancer
only
on
the
on
the
nginx
instance.
B
So
this
was
a
solution
that
we
chose
now.
Let's
talk
about
security
challenges
when
building
such
a
solution,
so
remember
we're
going
to
give
arbitrary
user
forum
the
internet
hood
access
to
our
clusters
inside
the
container.
So
what
do
you
need
to
think
about
when
you're
going
to
implement
such
a
solution?
Now
there
are
a
lot
of
security
risk
when
you
do
stuff
like
that
and
I,
don't
recommend
anybody
to
do
that,
but
if
you
have
to
do
it,
those
are
the
things
we
think
you
need
to
think
about.
B
So
the
first
issue
you're
going
to
get,
is
it's
called
local
resource
exhaustion,
and
it's
when
someone
is
just
exploit
your
your
pot
to
do
something
malicious.
Now
it
can
be
something
stupid
like
just
kill
it
kill
the
pone.
Okay
Oh
waste
a
lot
of
memory
or
CPU.
Would
it
be
something
even
more
malicious,
like
installing
HIPPA,
which
is
a
very
common
thing
like
if
somebody
will
hear
that
twist
low
gives
you
free
computer
itself,
I'm
sure
that
somebody
will
like
install
crypto
minor
in
this
instance.
B
The
second
security
risk
is
what
happened
when
attacker
breaks
out
of
the
container.
This
can
actually
happen
and
it
can
happen
because
you
either
misconfigured
your
your
pods
or
your
urls,
or
you
have
somewhere
vulnerability
in
your
infrastructure.
Both
both
of
those
instances
really
happened,
and
the
sub
security
challenge,
which
also
happen
in
real
life,
is
when
somebody
uses
some
network
attack.
B
Okay,
to
do
a
cluster
compromised,
somehow
we
managed
to
access
your
magnetic
API
server
or
the
cloud
provider
API
server
and
there's
a
lot
of
talks
about
the
subject
and
image
to
complete
like
take
over
your
cluster
still
of
the
images
and
it's
game
over
for
you
because,
like
the
CTF
is
over,
and
these
things
happened.
I
have
two
examples
here.
So
let's
talk
about
mitigations,
so
there
are
two
simple
litigation
you
can
apply
if,
if
you
want
to
avoid
the
first,
the
first,
that's
a
security
risk.
B
Technically
when
you
collect,
if
you
do,
if
you
give
users
like
a
shell
inside
a
container,
what
you
want
to
do
to
avoid
like
a
crypto
manual
it
just
to
block
all
outgoing
traffic,
then
they
can't
get
out.
They
can
publish
anything
and
and
like
it
mitigates
most
of
the
issues
and,
however,
you
can
do
that
because
insidious
challenges,
usually
what
that's
what
the
attacker
does
after
he
like
to
form
the
first
exploit.
B
You
will
get
a
level
shell,
because
it's
more
comfortable
for
him,
so
you
can't
block
outgoing
ports
because
it
meets
an
outgoing
port,
but
you
can't
block
most
of
the
common,
a
outgoing
port
for
crypto
and
then
like.
If
you
waited
a
motel,
it
will
try
to
manually
install
a
crypto
minor.
It
will
not
work
and
if
you
just
give
up,
hopefully
again
not
able
to
bulletproof
solution,
but
it's
quite
good
and
it
works.
The
second
thing
you
want
to
do
is
to
apply
a
port
security
policy.
This
is
by
default,
not
configured
so
technically.
B
If
somebody
inside
your
pod,
it
can
consume
all
the
memory
on
the
machine
and
it's
game
over
for
this
node.
So
I
put
security
policy
defines
like
constraints
on
the
pod.
You
can
apply
to
relative
to
the
levant
constraints.
For
our
instance,
al
CPU
and
memory
it
uses.
The
group's
memory
constraint
means
did
like
the
amount
of
memory
the
container
is
going
to
use
is
is
capped.
B
If
the
container
overflows
this
amount,
it
will
get
killed
and
sip
and
CPU
constraint
means
that,
like
the
amount
of
CPU,
the
container
is
going
to
get
is
limited
and
it
will
just
it
would
just
can't
consume
more
resources
than
that
on
that
machine,
and
since
our
challenge
was
not
CPU
or
memory
a
constraint,
it's
not
a
real
problem.
Ok,
so
let's
talk
about
the
second
challenge.
Ok
contain
a
breakout.
B
Somebody
somehow
managed
to
get
out
from
your
container
to
the
host
why
this
can
happen.
How
can
we
prevent
that?
So?
First,
my
recommendation
create
a
classic
container.
You
look
at
a
lot
of
production
deployment
and
you
see
lots
of
configuration
secrets
mouth
stuff.
If
you
do
something
like
that,
keep
it
simple
only
the
minimal
stuff
on
these
things
that
you
really
understand.
B
The
second
thing
you
also
don't
want
to
touch
all
the
security
configuration
by
default,
the
containers
in
to
occur
and
container
they
completed
relatively
good
security
profile,
which
limits
all
the
capabilities
the
root
user
can
do
inside
the
container,
and
it
also
limits
the
system
course.
The
root
can
do
using
second
and
little
starting
of
capabilities.
Finally,
you
want
to
also
think
about
which
image
you
use
to
deploy
your
note.
Ok,
the
host
image.
B
It's
also
important
a
we
use,
DKA
a
google
kubernetes
engine
which,
by
default,
comes
with
a
container
optimized
OS,
which
is
a
very
good
and
hardened
operating
system,
and
one
very,
very
good
thing
about
it.
It
comes
with
read-only
what
partition,
meaning
the
binaries
on
the
node
on
the
host
can't
be
overwritten.
They
can
tell
it's
read-only,
and
this
is
very,
very
cool
because
it
automatically
mitigates
some
of
the
vulnerabilities
that
exist,
but
will
patched
in
in
containers.
Finally,
something
that
we
didn't
do,
but
you
will
probably
want
to
do
if
you
have.
B
A
A
In
case
something
does
happen,
and
somebody
managed
to
explode
a
CV
or
something
and
get
out
at
the
time
we
were
doing
this
CDF.
There
was
also
the
1c
CV
and
we
were
like
really
concerned.
Somebody
will
use
something
similar
to
break
out
of
a
container
one
more
thing.
You
want
to
remember
is
sometimes
in
cases
like
this
etf.
You
don't
want
users
from
inside
a
pod
or
container
to
access
the
kubernetes
api.
One
way
to
do
that
is
by
oops
is
by
disabling
disabling.
A
The
service
account
token
mounting,
which
would
disallow
users
from
inside
the
container
to
access
their
company.
This
api
and
one
more
important
thing,
is
preventing
access
to
the
metadata
API.
Now
the
metadata
API
is
something
you
have
in
all
the
cloud
providers.
Edible
yes,
says
it.
Gke
is
it.
It
is
some
IP
that
when
you
access
it,
you
can
usually
using
anonymous
user,
meaning
no,
no
user
login.
You
cannot
get
access
about
your
cluster,
so
you
could
see
all
the
images
you
could
see.
What
is
running
you
could
download
the
images.
A
Six
of
them
actually
managed
to
exploit
the
final
binary
and
get
good
access
in
the
machine,
which
was
pretty
impressive
because
we
find
most
participant
will
just
get
access
to
the
third
flag.
There
were
some
real
interesting
write-ups
about
solving
this
CTF
and
all
the
exploitation
method
that
they
used.
I
really
recommend.
Reading
this
after
you
try
to
solve
the
challenge
yourself,
the
prize
really
came
for.
The
participants
was
a
challenge
coin,
that
we
molded
with
twistlock
logo
and
the
t19
banner
t19
actually
stands
for
twist,
lock
19.
A
A
B
A
Are
the
key
take
outs
from
having
hosted
all
this
city?
Yes,
if
we
plan
the
engineering
Veidt
to
begin
with,
we
can
save
a
lot
of
money
now.
Money
is
also
resources
like
actual
running
pods,
that
we
didn't
statically
allocated
beforehand,
but
it's
also
saving
time.
We
didn't
create
a
really
complex
solution.
Cdf's
are
not
what
we
normally
do
at
twistlock,
so
we
could
like
cut
edges
and
sometimes
make
some
simple
solution.
That
is
not
the
best,
but
it
would
save
us
a
lot
of
time.
A
In
the
long
run,
it
was
real
important
to
have
good
security
and
kubernetes
is
a
really
good
platform
to
us
to
see
the
air
phone,
especially
if
you
wanted
to
go
live,
and
you
don't
want,
like
you,
don't
trust
the
user
that
they
won't
cheat
you.
You
really
can
control
what
is
happening
inside
your
pods
and
you
can
really
easily
monitor
what
is
going
on.
So
community
is
a
great
platform
to
house
to
see
the
iPhone.
A
You
can
go
to
this
URL
and
try
to
solve
the
challenge
yourself.
So
since
the
challenge
is
already
concluded,
you
do
get
an
image
you
can
play
with.
We
stop
for
like
we
don't
host
the
classroom
anymore,
so
you
get
an
image,
so
please
don't
cheat
and
try
to
solve
it.
The
right
way,
though,
instructions
and
see
you
in
the
next
challenge.