From YouTube: Keynote: Liz Rice, Technology Evangelist, Aqua Security
Description
Join us for Kubernetes Forums Seoul, Sydney, Bengaluru and Delhi - learn more at kubecon.io
Don't miss KubeCon + CloudNativeCon 2020 events in Amsterdam March 30 - April 2, Shanghai July 28-30 and Boston November 17-20! Learn more at kubecon.io. The conference features presentations from developers and end users of Kubernetes, Prometheus, Envoy, and all of the other CNCF-hosted projects
Keynote: Liz Rice, Technology Evangelist, Aqua Security
To learn more: https://sched.co/GsxV
Thank you, Jason. Right. This is where I get to talk about security. So, I work with a company called Aqua in container security, and I'm interested in helping people protect their deployments. So I want to share a few thoughts today on some of the tools we have in the cloud native community, and some of the things that we can do to save ourselves from being attacked.
Even if you're not a security person, there are things that you can do to help secure deployments. My own background is in development, and I definitely used to think security is some kind of big scary thing that other people deal with, and to some extent that is true. We do have specialist security teams; they're the people who deal with incidents and handle what to do when a new vulnerability gets disclosed.
I'm gonna take this tweet and just modify it a little bit to add in the other members of the security team, and I think we also need to mention Darren Shepherd from Rancher, who was responsible for finding the problem in the first place. This team of people could well have saved all our deployments from being victims of a big data breach. So I would like to give this team a massive round of applause. Thank you to them.
Now, every system has vulnerabilities, as Maya says in her tweet, and Kubernetes is a complex system. We should not be surprised, we should not be afraid of the fact that issues have been found in Kubernetes from time to time. Every system has vulnerabilities. This one has been found and fixed. It's kind of an obvious thing to say, but if you haven't already, please do update your cluster to take that fix.
So, if you're up-to-date with the underlying platform, what else should you be doing to improve security? Well, the application code that you're running is potentially full of weak points that could be exploited. A lot of security issues come about because we're running code that contains vulnerabilities, and sometimes we're running that code due to user error, or maybe user laziness.
So, let's suppose that you have some problem that you want to solve, and you go to Google and you find the solution to your problem on some Stack Overflow page, or some documentation, or maybe on some GitHub page somewhere, and we would all totally do something like this, right? Yeah, we just go, "Yeah, I'll take this! That's fine," and I will totally just copy some YAML into my deployment. I don't know what I've run there. Okay, hands up if you have ever copied some YAML from the Internet and run it in a cluster. Yeah, so it happens. Now I want you to imagine that I'm, like, super malicious, and I've solved the problem that we were trying to solve. I've given you some YAML that does exactly what it was that you were googling for in the first place.
Now, every pod runs under a service account, so it can have the permissions of that service account. By default, the credentials for that service account are mounted into the pod. So we can do something like this: secrets, because, yeah, it's a secret, kubernetes, service account, token, and we've got a variable that has the credentials for accessing the Kubernetes API. And then we could do something like this, where we could set up an authorization. That's if I can spell it. Authorization with a bearer token.
So from this pod, which I have maliciously run on the cluster by getting somebody to copy some YAML from the internet, I've got access to the Kubernetes API, and I also make my life easier by mounting kubectl in here. And not only can I do things like get pods; I have given myself permission so that I could do things like create pods.
Yes, I could create pods. So that power is because of the service account that I'm using. So if we go back to the YAML that I deployed, as well as deploying some application code, it deployed a service account and a role binding, and if I look at the contents of that role binding... binding... oh, I need an extra T. It always helps if I spell things right. So we can see that service account was bound to a role that has admin privileges.
This is definitely not something you want people to be just doing, right? And because I didn't look at the YAML before I deployed it, I didn't notice that this was gonna happen. Giant security hole. Okay, it would be a good idea if we had something to stop that service account from being created, and then, if we couldn't create a service account, we wouldn't have these permissions. Incidentally, the default service account has very, very few permissions, so we wouldn't be able to do too much with that.
So how could I prevent this service account from being created? I could use an admission controller. There are lots of different types of admission controller, and what I'm going to use is what's called a validating webhook admission controller. So an API request gets made. Here's the definition of my validating webhook admission controller. In my case, I'm going to look for the creation of service accounts. When we see a request to create a service account, it's going to send a webhook
to my admission controller. And I had to write some code to put this admission controller together. It's probably like three hundred lines of code. I'm not going to show you all of it, but basically it's a web server. It receives an admission review. You can look at it on GitHub, by the way, it's fine. And if it's a service account, I'm going to say this is not allowed. Not allowed. Not going to allow a service account to be created.
Okay, and now, if I try to apply my totally fine YAML that I downloaded from the internet, it gets denied. I can't create the service account. My admission controller did its job, and I now don't have the application running, and I can't just go into my god-like powers and magically create bad things in the cluster.
So admission control, validating webhook admission controllers, are super powerful. We could write them to do anything we like, but I had to write like 300 lines of code to do a really simple thing like just blocking service accounts, and it would be kind of crazy if we all had to write our own custom admission controllers for doing really standard things. Enter Open Policy Agent. So the Open Policy Agent is a sandbox project, and we can use it.
It acts as an admission controller, one of these validating webhook admission controllers, and it can be a much easier way of defining the rules that we want to apply. So I'm just gonna delete the things that I... basically reset. I need to delete the admission controller that I just set up, and I've actually already got an Open Policy Agent running, but I just don't have any rules defined yet. And this is the rule that I can set up to say: don't allow me to create a service account.
Okay, so I have a config map that includes my rule that says: don't let me create any service accounts. And now, if I run my apply, if I try and apply my random YAML that I downloaded from the internet again, it's not permitted, and it's not permitted because my Open Policy Agent applied that rule and didn't accept that request.
So we can use admission controllers, potentially the Open Policy Agent, to check that if we are going to deploy some random YAML that we've downloaded from somewhere, it meets some rules that we want to specify. And we probably want to have much more complex, or sophisticated, or meaningful rules than what I just showed in a demo, which was to say let's just have a blanket ban on service accounts.
The Open Policy Agent is still in the sandbox, so I'm considering it kind of experimental, and, to be honest, I'm just learning about it. But from what I've seen so far, it looks like a promising way to define these kinds of rules that might save ourselves from these crazy things that we might download.
So what kind of rules would we like to be enforcing when we deploy application code? It's a good idea to check that the application images come from a registry that we expect. And actually the container spec YAML that defines what image to run can potentially be another attack vector. As a human being, it's pretty hard to spot the difference between these two. We might never spot if a bad actor set up a registry with a very slightly different URL than the one we intended to use.
Okay, now I don't want to scare you, but basically any code can have problems, and sometimes, even when it comes from a trusted source, it can still be very problematic. Particularly as the world is using more and more open source software, that trust might be misplaced. We have to be very careful who we trust. Who's using Node? If you're using Node, you're very likely familiar with this problem from just a couple of weeks ago.
So this is where community can be really important when we're in this open-source world. We need governance to ensure we don't just hand administrative privileges to some random person we just met on the internet five minutes ago. Foundations like the Linux Foundation and the CNCF, they're not just here to organize glitzy events and corral vendors into sponsoring them and giving us all free t-shirts. The Foundations are also there to help us coordinate as a community, and one of the things that they do is help us ensure we've got proper governance in place.
That proper governance makes it much harder to hand the admin privileges to some random dude, and this is increasingly important as we have businesses relying on open source software. We need our foundations to help ensure that people are incentivized to do the right thing, and that we have the right processes in place to make sure that projects are maintained responsibly.