►
From YouTube: Hey, Did You Hear About This New CVE? - A Vulnerabilit... Andrew Lytvynov & Alexandr Tcherniakhovski
Description
Don’t miss out! Join us at our upcoming events: EnvoyCon Virtual on October 15 and KubeCon + CloudNativeCon North America 2020 Virtual from November 17-20. Learn more at https://kubecon.io. The conferences feature presentations from developers and end users of Kubernetes, Prometheus, Envoy, and all of the other CNCF-hosted projects.
Hey, Did You Hear About This New CVE? - A Vulnerability Response Playbook - Andrew Lytvynov, Independent & Alexandr Tcherniakhovski, Google
Kubernetes provides a lot of great ways to harden the security of your infrastructure. But despite how much you have it locked down, things will inevitably go wrong. Hope is not a strategy, so you need a contingency plan. In this prescriptive talk, you will learn how to prepare for complex vulnerabilities (like the Intel speculative execution or Go HTTP/2 DoS vulnerabilities), mitigate them and clean up afterwards. We’ll share our experiences with the GKE fleet, dealing with newly announced vulnerabilities, and lessons learned balancing both security and reliability of workloads. You will learn how to develop a response playbook for vulnerabilities. You will also learn about the tools that Kubernetes provides to help make your vulnerability response less hectic, such as audit logs, network policies and RBAC. This talk will not cover live attacks (attackers in your infrastructure).
https://sched.co/ZerA
A
A
A
A
A
The
result
of
their
investigation
was
an
incredible
piece
of
technology.
A
flight
checklist
in
the
end
checklists
allowed
model
299
to
fly
2.9
million
kilometers
without
one
incident
fast
forward
to
apollo
12
lunar
landing,
and
we
see
that
checklists
have
become
a
norm
in
the
aviation
and
space
exploration
industries.
A
A
A
As
we
go
through
this
checklist,
they
will
most
likely
appear
to
you
as
some
general
hardening
guidance,
which
you
probably
already
heard
before,
and
indeed
the
best
strategy
for
preparing
for
an
incident
is
to
reduce
the
chances
of
it
happening
in
the
first
place
and
hardening
of
kubernetes
infrastructure
is
the
best
approach
for
accomplishing
this
in
the
context
of
hardening.
You
may
have
heard
about
kubernetes
ces
benchmark,
which
is,
in
fact
a
checklist
that
is
designed
to
assess
the
overall
security
posture
of
your
kubernetes
environment
in
gke.
A
The
last
thing
that
you
want
to
learn
when
mitigating
an
incident
is
that
the
vulnerable
service
has
sensitive
cube
api
permissions,
which
which
it
actually
did
not
need.
Essentially,
this
is
a
gift
to
attackers,
therefore
review
our
back
profiles
of
all
your
critical
services
and
ensure
that
they
are
assigned
the
minimum
set
of
permissions
required.
A
A
A
A
A
However,
we
still
need
to
make
sure
that
we
are
collecting
exporting
and
retaining
such
network
logs
note
that
raw
log
records
may
not
be
sufficient.
Remember
that
kubernetes
in
kubernetes
internal
ip
addresses
are
not
guaranteed
to
persist.
Therefore,
additional
metadata
may
need
to
be
attached
to
the
to
the
network
records,
for
example.
Attaching
a
pod
name
will
definitely
be
more
helpful
than
just
looking
at
some
random
ip
address.
A
A
A
A
However,
in
addition
to
removing
the
protection
afforded
by
the
network
space
isolation,
the
setting
also
makes
network
log
analysis
much
harder,
because
source
addresses
are
four
components
that
are
running
in
host
network.
Namespace
will
be
the
same:
that
of
the
host,
thus
making
it
more
difficult
to
detect
rock
network
connections.
A
A
Regarding
linux
capabilities,
our
experience
has
shown
that
the
capabilities
included
in
the
default
docker
profile
are
too
permissive.
This
default
profile
contains
many
capabilities
that
are
not
required
by
most
applications.
However,
container
escape
attacks
may
utilize.
This
default
capabilities
to
their
advantage.
A
Hence
we
recommend
dropping
them
unless
your
application
has
some
very
specific
requirements
from
the
incident
preparedness
point
of
view.
When
containers
are
running
without
these
default
capabilities,
we
expect
that
container
escape
attacks
will
generate
access
to
night
errors,
which
will
be
recorded
by
the
linux
audit
subsystem.
A
A
A
A
A
A
A
One
last
point
on
distroless
containers
in
gke.
We
almost
exclusively
use
go
disrelease.
Containers
since
go
is
our
preferred
language.
However,
when
using
digitalis
containers
for
scripting
languages
like
python,
for
example,
attackers
may
still
be
able
to
execute
scripts
inside
such
containers.
So
please
keep
this
in
mind.
A
A
B
B
Well,
as
you
probably
expect
you
just
need
to
follow
another
checklist,
there
is
one
fundamental
difference
between
the
checklists
that
alex
just
talked
about
and
the
ones
we'll
look
at
next.
The
pre-incident
checklists
are
trying
to
centralize
all
the
power
and
decision-making
in
the
hands
of
the
single
person
who's
following
them.
B
B
We
will
break
down
the
incident
into
five
distinct
stages,
and
the
steps
for
all
of
these
will
should
be
written
down
in
your
internal
wiki
when
an
uncle
engineer
gets
notified
about
a
new
incident.
The
first
thing
to
do
is
reproduce
it
and
figure
out
the
impact.
So
you
want
to
know
whether
this
actually
affects
your
production
environment,
or
maybe
it's
a
false
alarm
due
to
some
funky
configuration
that
you
use.
B
B
And
so
on,
a
useful
tool
here
is
calculating
a
cvss
score,
which
is
an
industry
standard
for
rating
security
incidents.
It
gives
you
a
score
from
0
to
10
above
how
bad
the
issue
is.
After
you
have
successfully
reproduced
it.
You
want
to
write
down
those
steps
that
you
used.
This
will
be
useful
later
on
when
someone
else
is
rolling
out
a
fix
to
production,
and
they
want
to
confirm
that
it
actually
fixes
the
problem,
and
one
other
useful
thing
to
note
down
is
what
are
the
symptoms
of
an
active
exploit.
B
Now
that
you
have
confirmed
that
the
incident
is
real,
it's
time
to
start
the
actual
response
process?
First
thing
you
want
to
do
is
creating
communication
channels.
The
most
useful
thing
here
is
a
shared
document
that
you
can
collaborate
on
with
your
teammates.
It
should
usually
be
copied
from
some
template
that
you
have
created
ahead
of
time,
so
you
don't
have
to
figure
out
what
sections
need
to
be
present.
B
B
B
Is
the
main
decision
maker?
This
is
usually
the
on-call
engineer
who
responded
to
the
incident
originally
and
is
responsible
for
driving
it
from
start
to
finish.
Communications
lead
is
someone
who
will
communicate
externally
to
your
customers
or
partners
about
the
incident
or
any
impact
it
might
have
on
them.
You
might
want
to
onboard
some
subject
matter.
A
B
People
who
are
intimately
familiar
with
the
part
of
the
system,
that's
compromised,
just
to
advise
the
unfix
or
maybe
do
the
things
themselves
and
then
operations
lead
is
an
optional
role.
That
applies
when
you
have
a
large
incident
with
a
lot
of
moving
pieces
operations
lead
handles
only
the
mitigation
and
rollout
and
offloads
all
those
concerns
from
incident
commander's
plate
and
after
all,
this
prep
work
we
finally
get
to
patch
the
vulnerability.
B
B
A
B
Being
actively
abused,
you
might
want
to
choose
to
forgo
your
regular
safety
checks
and
get
it
out
the
door
much
faster.
Regardless
of
what
you
do.
You
should
avoid
outages,
consult
with
your
sres,
your
devops
engineers,
and
make
sure
that
whatever
you're
doing
is
not
going
to
bring
down
the
entire
service
and
then
after
the
reload
is
complete.
You
can
finally
call
all
clear
and
be
done
with
the
incident
just
kidding,
there's
more
work
to
do
so
after
you've
fixed
the
problem.
B
B
B
If
the
number
of
people
effect
is
not
zero,
you
want
to
follow
up
with
them
and
do
the
appropriate
next
steps
and
another
useful
thing
to
do
is
writing
a
postmortem.
This
is
the
same
postmodern
practice
that
sre
is
used
for
outages
and
it
has
been
covered
extensively
in
the
past.
So
here's
a
link
to
a
place.
You
can
start
learning
about
them
if
you're
not
familiar,
but
basically
you
write
down
what
went
wrong
when
it
happened.
What
did
you
do
in
response
and
how
can
you
improve
in
the
long
run?
B
I
hope
we
have
convinced
you
that
checklists
are
a
very
valuable
tool
both
before
the
incident
as
a
way
to
prepare
yourself
and
during
the
incident
to
make
sure
you
have
not
missed
any
critical
steps
and
remember
you
can
always
change
them
and
adapt
them.
If
there's
something
missing
a
step,
you
wish
you
had
taken,
add
it
to
the
checklist
and
save
and
the
longer
you
use
them
the
easier
your
incidents
will
become.