Description
Security is a very important part of application and infrastructure development and should never be an afterthought. We must ensure that we do things like: authenticating users that come on our platform, checking against common vulnerabilities in our manifest files, scanning images for CVEs, etc. Whilst it is absolutely advised to check for security issues before going into production, many security breaches will/can only be detected at runtime. We will discuss Runtime Security and tools that can help us remain secure in production.
---
KCD Africa 2022 is the 2nd iteration of the Kubernetes Community Days Africa, a CNCF-powered free community event. Visit https://kcdafrica.com for more information.
A: The first thing: when we talk about security, you know, a lot of things come to mind. You want to have secure systems, that's a given! You know, and a lot of people are talking about this thing that you call shifting security to the left, all right, it's so that we can have security not as an afterthought.

A: You know, of things that we do. Security should be primary in any system that we're developing or building, you know, including our infrastructure; security should not be an afterthought, yeah. So, you know, when you build systems you think of authenticating users. You know, if you're a software developer you definitely want to do that. You probably want to have some authorization.

A: You know, processes in place, you know, as well as authentication processes. You know, if you're an infrastructure engineer you want to do things like static analysis of your manifest files to ensure that, you know, there are no vulnerabilities. You will probably want to scan your images, you know, before you go into production. You do a lot of things before hitting production and that's very good. You know, we should always do that, but now there is also the... but I will talk about runtime, runtime security, all right. So now my slide, yeah.

A: I made a mistake in that slide, so runtime, so runtime has to do with: now we're live, now we're in production, we are running, our systems are up and functional, but how secure are we in production? You've done all the initial checks, you know, like we mentioned: you put authentication in place, you've scanned your manifests, your images, all of these things, but we're live. How do you, you know, check for issues in production? How do you check that things are not, you know, working as they should not in production?

A: That's where runtime security comes into play, and so runtime security has to do with observing and protecting software as they run. Like, it's very straightforward, right? So you're running your systems and you want to ensure that you're seeing things that are happening, you're being secured, you know, and you're protecting your systems against attacks. So that's where runtime security comes into play, so I'll give an example.

A: You know, there's this thing called zero-day vulnerability, all right, and what this refers to is vulnerability attacks, or vulnerabilities, that, you know, happen when... so say the vendor, your application vendor, ships an application, all right, and that person is running abroad, but you, the vendor, did not take... Of course they do all of the initial checks and they find, you know, these are the errors out of the box. These are the things that you should be aware of. You know, we have a new version.

A: These are the errors in the old version, but zero-day vulnerabilities are vulnerabilities that the vendor is unaware of, all right, because things can be in production and there could be attacks you cannot prevent. You certainly cannot be aware of every possible attack that, you know, will come into your system, right. So that's where zero-day vulnerability comes into play, and for this kind of thing (and this is just one use case for runtime security) we want to be able to detect things on the fly. We won't be able to...

A: You know, know how our systems are doing as we go and, you know, protect against those things. So that's runtime. That's where runtime security plays a very major role, and I don't have too many slides, of course, but I'm going to be talking about Falco now. Falco is a tool, you know, from... it's, it's part of the CNCF landscape.

A: Now, of course, it's one of the tools that helps with runtime security, and so how did I come across Falco? Just a few weeks or months ago, I believe I was taking the exam, the Certified Kubernetes Security exam, and I saw that Falco was part of the things on the curriculum, all right. It means okay. What that means, first of all, is that for the CNCF to put this in the certification, it means that it's a very important tool, all right, in the CNCF landscape, and runtime security is also very...

A: You know, in the cloud native world. So look at it, think of it this way: you have your, your Docker image, let's say Docker image or whatever, you know, container system you're using. You have your image and your application has been going good. You push this image to a registry, and somebody takes that image and begins to just run containers out of your image, right. So the containers are running fine.

A: Now there could be, if you don't check, like static analysis, you know, on your manifest files, you probably would have spotted things like your container is going to be running as root and you might have blocked all of those things, so you might have seen some of those issues and fixed them. But say you fixed all of those and you find out that there is an attack on your system, something is happening that should not be happening, all right. So Falco helps you with those kinds of issues.

A: Those kinds of problems, all right. So Falco gives you something called a rule set. You can have rules and you can detect, you know, operations, certain operations, based on the rule sets, that you can assert certain conditions. You know, you can check that this is happening, this should not happen. For instance, if by a container something is being written to a particular directory, all right, and it's not supposed to write to that directory.

A: They have to turn, if it's, if it's a mutable container, which, you know, which you don't have; you should have immutable images, immutable containers. So if your container is writing to a particular directory, maybe the, maybe any directory that you just feel, the secure directory, shouldn't be tampered with, Falco can... you can specify, in a Falco rule set, that if something is being written to this directory, alert me, all right? You can definitely send an alert to whatever system you want. You can have an alert on Slack.

A: You can have an alert wherever, but the beauty about it is that you can tell when things are happening as they shouldn't, you know. But by default, Falco gives you a rule set that blocks a lot of things, all right, so you can now enable certain things. So by default you're secure, all right, then you can now decide to enable, based on the rules that you set, enable certain functionalities in your system at runtime, all right, but whatever is blocked, Falco detects and alerts you that this is what's happening in your system.

A: Let me see, yeah, so Falco was created by Sysdig. It's now a CNCF project, of course, a runtime threat detection engine, like I said earlier. It analyzes the behavior of the system and compares it with a set of rules and triggers an alarm when a positive match is found. So Falco, can I... I'll just give some rundown, my system? My, my slides are not too much. I'm running, you're doing a lot of talking now. Say you, you, because some people ask that: can you run Falco on Kubernetes?

A: Can you run it on your bare metal servers and things like that? Yeah, I'll get into that, all right? But, first of all, let's talk about the event sources. How does Falco, you know, get its events? How does it know what's happening? So there's this thing called system calls in Linux, all right, and what that means is that as a Linux user, you're probably trying to perform an operation, maybe you're reading a file or you're writing to something, you're...

A: Writing to this, whatever operation you're doing, so in Linux, all right (and I know there was a Linux talk just a few... I think a few talks back, Migrate). So Linux has this, because system calls, where I'm trying to write to a file, all right, but underneath what's happening is that a system call is being sent, all right, to carry out that operation on my behalf. I'm just writing to the file, but there are some system calls, there's some functions in the Linux kernel that does the actual work, all right. So Falco...

A: Now so, whatever I'm doing on my Linux environment, my Linux machine or device, so, you know, I'm not scared of whatever I'm doing, it has, it has a system call underneath, all right, and so how good will it be if I can track, I can have a look at those calls, all right, system calls, and be able to make meaning from them.

A: So, for instance, I get a system call. I'm not a, I'm not, I'm not an expert, I'm by no means an expert on the Linux kernel, all right, but say you have a function that maybe is read, for instance, in the Linux kernel. Now I'm trying to read the file, that function is triggered, all right, and what Falco does is it takes that call.

A: It takes the argument for that, and it builds a story, and it gives you this information, so you can now say: oh okay, this particular container, for instance, is trying to write or is trying to read from this directory, this particular file. So you have all of that detection and your rule set; in your rule set you might have specified that, okay, if somebody is trying to read from this directory, that's probably an attack. Okay. Now this is runtime. It's not something baked into your image. It's not! This is actual time.

A: Something is happening at runtime and they're looking at, they're trying to read off the files from your system, a bit of documents from your system, and, you know, Falco can give you all of these things on the fly as you go. So this is runtime security. That's, that's where system calls come into play, all right, Linux system calls.

A: So now you can also focus and also get, because, if you're using Linux, for instance, now this is where, this is why we have these different areas, right, where you can get events from. So typically, you take Falco and you install it on your machine, all right. You just take the binary and you begin to execute the binary on your machine and it begins to detect system calls. But if you're running something like Kubernetes on the cloud, GKE...

A: So what you just have is, you just have kubectl, you're talking to your cluster somewhere, all right, so Falco can also retrieve events from Kubernetes audit events, all right, so that helps you in your Kubernetes environment, and of course, you can also read off cloud logs, that would get you a read of activities from cloud logs too. So that's very good. Before I go further...

A: Let me just say this: this is my thinking and I think this is preferable. It's better to have, so look at this scenario. If you have Kubernetes running on, on premises, for instance, right, on your servers, you have a couple of servers distributed and Kubernetes running there. I would rather install, you know, have Falco running on those servers, you know, than in Kubernetes. Now, the reason for this is, if I get an attack on my Kubernetes cluster, Falco is gone.

A: There's no detection anymore, all right, but if I have Falco on my servers, just stay on my servers, all right, even if, if something happens to my Kubernetes environment, my Kubernetes cluster on those servers, Falco can still detect those things. So I still get, I get more information as to what happened before, you know, things went bad. So I just wanted to chip that in: if you have access to your host machines, I'd advise that you could run Falco on them directly, all right.

A: I think I have about 10 minutes more, yeah, so I picked some resources. I was going to go into a demo, all right, but because I, I'm stuck somewhere, but there's this tool by Falco on lenses from 101, where you can, you know, have a look at Falco and see it at runtime, because you can have hands-on tutorials with Falco. So I mentioned several things, that Falco has a rule set that you assert things against, the accepted behaviors against it.

B: Awesome, awesome, that was a great presentation, Hillary. I guess it's time for questions. So if anyone has any questions, please feel free to drop it on the YouTube chat. Yeah, Hillary will be happy to answer all of your questions.

B: Exactly, yes.

B: Since there are no other questions, I guess that's it for Hillary. Yes, thank you so much for joining us. This was a super insightful talk and yeah. We hope to, of course, we hope to see you in the next one and yeah, keep doing it.

A: Okay, in case you missed that, that was a session from.