►
From YouTube: Kubernetes Security and Governance made easy using Otomi by Abhimanyu Selvan & Jehoszafat Zimnowoda
Description
Otomi is an open-source, cloud-agnostic, Kubernetes application configuration and automation platform. Under the hood, Otomi leverages several OSS and CNCF projects like Calico, OPA Gatekeeper, Istio, Harbor to enhance security. Security is an ever-growing concern for organizations. Gartner predicts that 99% of all security incidents by 2025 will be due to misconfigurations. This talk will demonstrate, how teams can use Otomi to manage container and network security policies with sane defaults on Kubernetes through an intuitive web interface, thereby avoiding the need to write any YAML configurations that are prone to errors. A recorded video/demo is used to showcase a couple of use-cases using the integrated security best practices in Otomi to reduce the attack surface when running applications on Kubernetes.
A
The
next
session
is
going
to
be
kubernetes.
Security
and
governance
made
easy
using
utomi,
and
this
is
being
hosted
by
two
of
our
friends
here:
abhimanyo
and
zafad
zim
novoda,
so
I'll
give
a
brief
introduction
about
every
monument
aviva
salvan
is
the
developer
advocate
at
redcubes
he's
a
software
generalist
who
has
worked
in
industries
such
as
aerospace,
robotics,
e-health
and
has
landed
in
the
cloud
native
realm.
A
And
cycling
thanks
everyone
you
to
be
part
of
this
program
thanks
a
lot
yehozawa
novada
is
an
engineering
manager
at
red
cubes.
He
aims
to
empower
devops
teams
by
listening
to
them
and
providing
the
autonomous
environment
that
they
need.
He
specially
specialized
in
building
software,
for
different
engineering
teams,
from
system
platforms
for
telecom
equipment
to
pass
on
top
of
kubernetes.
A
He
has
a
strong
computer
network
background
which
helps
him
design
interconnected
and
distributed
systems
currently
he's
a
maintainer
of
the
atomic
core
project,
great
team
player,
who
loves
working
with
others
after
working
hours.
You
can
find
him
hiking
in
the
mountains
or
biking
on
the
road
cool.
That's
a
great
introduction!
Isn't
it
okay
about
this
session?
A
Yeah
thanks
thanks!
Yes,
thanks
to
like
for
being
with
us
and
about
this
session,
autome
is
an
open
source
cloud.
Diagnostic
kubernetes
application,
configuration
and
automation
platform
under
the
hood
automatically
leverages
several
oss
and
cncf
projects
like
calico
opa,
gatekeeper,
istio
harbor,
to
enhance
security
security
is
an
ever
growing
concern
for
organizations.
A
Gartner
predicts
that
99
of
all
security
incidents
by
2025
will
be
due
to
misconfigurations.
This
talk
will
demonstrate
how
teams
can
use
auto
me
to
manage
container
and
network
security
policies
with
same
defaults
on
kubernetes
through
an
intuitive
web
interface,
thereby
avoiding
the
need
to
write
any
amol
configurations
that
are
prone
to
errors.
A
recorded
video
demo
is
used
to
showcase
a
couple
of
use
cases
using
the
integrated
security
best
practices
in
automate
to
reduce
the
attack
surfacing
surface
when
running
applications
on
kubernetes.
A
C
On
kubernetes,
security
and
governance
made
easy
using
autome.
This
talk
will
demonstrate
how
teams
can
use
autome
or
open
source
project
to
enforce
container
and
network
security
policies
with
same
defaults
on
the
cluster
through
an
intuitive
web
interface,
thereby
avoiding
the
need
to
write
yaml
configurations
that
are
prone
to
errors.
We
will
also
see
how
leveraging
automation
and
git
ops
can
mitigate
the
misconfiguration
errors.
C
B
C
Here
is
the
agenda
for
the
talk,
we'll
give
you
a
general
introduction
about
our
open
source
project
automay
and
then
go
hands-on
demo
demonstrating
container
security
policies,
egress
control,
using
istio
network
policies
and
then
key
takeaways
from
this
talk.
Finally,
how
you
all
can
contribute
to
our
open
source
project
and
community.
B
Otomy
is
a
self-hosted
platform
as
a
service
for
kubernetes
that
aims
to
lower
the
burden
on
operation
and
make
developers
self-serving.
It
is
an
open
source
project.
It
can
be
installed
on
any
kubernetes
cluster
automate
integrates
more
than
20
open
source
projects
and
brings
multi-tenant
experience.
So
each
devops
team
has
its
own
self-sufficient
environment
to
work
with.
C
We
can
enforce
container
security
policies
and
network
policies
in
autome
without
having
the
need
to
write
any
ml
configurations.
Everything
through
a
single
intuitive
web
user
interface
automay
can
be
easily
installed
using
health
chart.
But
for
the
sake
of
this
demo,
we'll
only
focus
on
the
security
and
the
network
policy
enforcement
aspect
of
autonomy.
Welcome
to
the
demo
on
container
security
policies.
C
C
And
note
that
I
can
easily
gain
access
to
the
host
file
system
and
the
possibilities
to
create
havoc
is
endless.
We
can
easily
prevent
something
like
this
from
happening
by
enabling
the
bot
security
policies
from
the
automate
console.
Let's
check
it
out
so
now
we'll
be
logged
into
the
autome
console
as
a
team
admin.
A
C
A
A
C
A
B
Has
just
shown
the
importance
of
having
container
security
policies
which
can
limit
a
vast
majority
of
attacks.
The
next
level
of
enhancing
security
is
by
controlling
the
network
traffic,
which
may
play
a
key
role
in
highly
distributed
and
interconnected
environments
like
ports
in
kubernetes
cluster.
B
In
this
demo,
I
will
talk
about
controlling
network
traffic
from
a
pod
to
the
internet
network.
A
very
common
attack
is
so-called
remote
command
execution,
which
allows
an
adversary
to
run
an
arbitrary
shell
command.
It
often
results
in
leveraging
a
curl
command,
fetching
malicious
software
and
executing
it
in
memory.
Since
package
manager
is
available,
the
attacker
installs
the
occur
binary,
which
mimics
downloading
a
malicious
software
to
the
pot.
Then
http
request
is
performed
to
the
endpoint
outside
the
cluster.
B
B
We
are
going
to
inspect
the
side
car
configuration,
so
there
is
a
default
sidecar
configuration
deployed
for
a
team,
kcd
10i
automation,
forces,
external
egress
control
by
a
setting,
outbound
traffic
policy
to
registry.
Only
for
this
particular
team,
which
means
that
the
pod
cannot
access
any
endpoint
outside
the
service
mesh.
C
Yahoo
just
talked
about
controlling
the
external
egress
traffic,
but
what
about
the
interpod
communication?
For
the
sake
of
this
demo,
we
will
deploy
a
guestbook
application
that
consists
of
three
micro
services,
the
front
end,
the
redis
leader
and
the
redis
follower
in
the
team
case,
cd
chennai
namespace.
C
We
will
also
deploy
a
snooper
pod
that
will
be
able
to
communicate
with
the
redis
service.
This
demo
will
be
split
into
three
parts,
as
shown
in
the
figure.
First,
we
will
allow
all
the
traffic
to
flow
through,
so
the
services
will
be
talking
to
one
another.
The
snooper
pod
will
also
be
able
to
ping
the
redis
leader.
Then
we
will
log
into
the
automay
console
and
enable
the
network
policies
which,
by
default,
will
deny
all
the
incoming
traffic.
And
finally,
we
selectively
allow
the
traffic
to
flow
through
the
microservices
by
whitelisting.
B
B
B
After
enabling
network
policies,
the
front-end
service
is
not
able
to
communicate
with
the
redis
service
anymore.
We
head
back
to
the
terminal
where
we
inspect
kubernetes
resources
that
otome
has
deployed.
For
us.
There
are
two
network
policies:
the
first
one
blocks
all
incoming
traffic
to
any
pod
in
the
team,
kcd
chennai
namespace.
B
B
B
B
C
Kubernetes
is
complex:
implementing
security
across
dynamic
environments
of
organization
takes
a
toll
on
the
engineers
enabling
a
security
driven
mindset
to
build
secure
applications
is
paramount.
In
today's
world,
as
open
source
enthusiasts
and
contributors,
we
have
built
autome
by
honoring
several
open
source
projects
and
integrating
them
into
one
platform.
Autome
was
built
ground
up
from
a
developer's
point
of
view
where
we
have
abstracted
away
the
complexity
of
implementing
security
across
the
platform
by
providing
high-level
security
principles
that
are
easily
consumable.
C
The
most
important
part
of
this
talk
is
the
open
source
community,
as
mentioned
earlier,
autumny
is
100
open
source,
so
feel
free
to
check
out
our
repository
redcube
automecore
and
do
give
us
a
star
if
you
enjoy
it.
We
also
have
quick
start
repositories
to
help
you
quickly
install
autome
on
your
favorite
cloud
provider.
We
can
also
run
autome
on
mini
cube.
C
We
also
have
some
workshops
repository
where
you
can
try
out
different
labs
and
experience.
The
true
potential
of
autome
for
docs
you
can
visit
autome.io
and
to
join
the
community
or
slack
channel.
You
can
visit
redcubes.com
community
and
subscribe
to
our
events
and
slack
channel
from
there.
We
look
forward
to
hearing
back
from
you
all.
Thank
you
very
much.