From YouTube: We May See More Kubernetes Vulnerabilities In 2021
Description
In the last month of 2020, we saw some serious security issues plaguing Kubernetes. As K8s is used more and more in production, we will see more such vulnerabilities in 2021. However, Om Moolchandani, Co-Founder and CTO of Accurics, believes that this is the natural progression of any technology. As Kubernetes matures it will go through its own challenging phase, but that doesn't mean that users should worry about compromised systems. There are many technologies already in place to protect users. This interview covers many such topics.
Speakers:
Swapnil Bhartiya, TFiR
Om Moolchandani, Accurics
A: Hi, this is your host Swapnil Bhartiya, and welcome to another episode of TFiR Insights. Today we have with us once again Om Moolchandani, co-founder and CTO of Accurics. First of all, it's great to have you back on the show. In the last few weeks we have heard a lot of not so great things about cloud native, Kubernetes security.

A: We have been talking about it, security, for a while, that now security is no longer an afterthought and things like that, but as all these technologies are moving into production from evaluation, that's when we have to get worried about every bug, every CVE out there, and we just saw two cases there. So, first of all, what I would like to know from you: how serious are these flaws? Should users be worried about them, or should we just learn from our old LAMP or Windows Server world that, hey?
B: Yeah, you know, there are two, you know, vulnerabilities that have come out recently. One is still to come out completely. You know, one of them is CVE-2020-8569, and the other one, you know, which kind of is more, I would say, useful for the attackers and bad for the defenders, is CVE-2020-8554. So both these issues, you know, 8554 is very recent.

B: You know, 8569 is a bit old now, but both of them provide different types of attacker capabilities. You see now, when we talk about vulnerabilities, there was a time when the whole narrative and perspective was focused on the defense.

B: Now the whole narrative, even from the defense side, is to understand what offensive capabilities these vulnerabilities are providing to the attackers. Both of them provide pretty significant capabilities to the attackers. One provides... 8569 provides loss of service capabilities, so attackers can cause denial of service and loss of service on your Kubernetes cluster, and the other one, which is more recent, provides post-exploitation and persistence capability for the attackers once they get into your cluster.

B: If, you know, this one vulnerability exists, which is 8554, they will be able to, you know, persist and intercept network traffic, which is outbound and inbound to your cluster, which is a pretty significant attacker capability. So yeah, so the vulnerabilities are pretty, pretty serious. Yeah.
A: And these are all remote, you know, attacks. They're... they don't... I mean, of course, there's no local machine when you talk about cloud native, but, you know, no user interaction is needed. So while these are kind of serious from that perspective, but considering the whole environment and architecture of the cloud native world, where, you know, we're not talking about local machine access, because sometimes, hey, you know what, there is a vulnerability, but the attacker needs access to the physical machine.

A: You know, but here that is not the case, and, as you were saying, even in this case of security, should we also kind of play the game of cat and mouse, where we are chasing bad actors versus staying... I mean, of course you cannot stay ahead, because you have to be right a hundred percent of the time. They have to be right only one time; that's how security works for the bad guys. So, so talk about, first of all, what do these two... You know, of course, security, this is not the new CVE.

A: There have been so many earlier, so this is not a new trend that we are seeing, but the seriousness of these two is... how is this going to change the way we look at cloud native, Kubernetes security? And then we also saw the SolarWinds thing, which is totally unrelated, but the thing is that it's getting a lot of attention now. Yes, so.
B: This is normal in the Kubernetes world. Yes, everything is cloud native, everything is ephemeral, everything is immutable. Ephemeral means something that's not going to live for a long amount of time, right? The technologies are designed to remain ephemeral, and therefore ephemeral technologies bring advantages.

B: You know, rip-and-replace strategies, immutable strategies, but they can also, you know, present security challenges as well. Now, one statement that, you know, has become very popular in the community, almost every Kubernetes expert is using this phrase, that Kubernetes is the new operating system for the internet and for the cloud. Now Kubernetes has to live up to this statement as well. Now that means that if it's really effectively providing a lot of, you know, compute and network management and distributed architecture related capabilities, like how operating systems, you know, were providing at one given point of time...

B: They still support the underlying layers, but that means that Kubernetes will go through its own journey of security maturity. Imagine what level of security we had in operating systems many years ago, and what is the level of security we have today within them, baked into them? It's the same journey that Kubernetes is going to go through. This is going to be a maturity curve.

B: We will see a lot of security issues that are going to pop up in the next few years, and then there will be a time when a lot of stability will be observed as well. A lot of new capabilities are going to be also provided. From today's, you know, scenario point of view, there are multiple strategies that are available to the defenders to address, you know, these scenarios, these critical vulnerabilities that are coming out. You are right, there will be hundreds of vulnerabilities that are going to come out. They are never going to reduce, right?

B: So one of the strategies that, you know, we like to promote, and we are observing communities liking it, is to, you know, reduce the cost of remediation as much as you can.

B: Once your cost of remediation is low, there is enough incentive and encouragement available for the DevOps teams and for the Kubernetes teams to remediate. You remediate fast, you eliminate opportunities for the attackers, right? So how do you reduce the cost of remediation? So the cost of remediation has its own cost ladder.

B: It is minimum when you are doing it in the design time, and it increases a notch further when you are doing it in a pre-deployment stage, and then it is highest when you are doing it in the run time, right? That's where a lot of these issues, if they can be detected in design time, that's what, you know, the community should be doing, and they should be adopting that strategy.

B: The good thing is, because the cloud native technologies are built with ephemeral and immutability in mind, almost all cloud native technologies, because they have to support these two paradigms, they have to be able to support programmability, and programmability means that they have to support infrastructure as code.

B: So that means there is opportunity for you to detect all these critical issues ahead of time. So as an example, for both these critical vulnerabilities that have come out, Terrascan, which is our open source offering, was able to put together security detection policies which can be used to detect these vulnerabilities even before the clusters are built and deployed, right in your infrastructure as code. So IaC and new cloud native technologies are also presenting opportunity to the defenders to detect these issues before runtime, because there's so much capability available, right?
A: You had earlier mentioned that Kubernetes is seen as an operating system. I would just like to push back a little bit, just gently, on that one: if we are using public cloud, and yes, of course, I don't have to worry about the underlying infrastructure, that Amazon or Google have to, even... but even if they have to worry. Whenever I talk to Linux stalwarts, so to speak, they say the Linux of the cloud is still Linux. You know, you're running Kubernetes on top of some operating system.

A: So you still need the holistic approach, because Kubernetes is just one layer. There is so much underneath that layer as well. So if you are on-prem, you cannot say, hey, as long as my workload is secure, I'm safe. That is not the case. You still need the full zero trust and all those kinds of things; you have to have a holistic approach. But let's just focus on cloud native for a while. Here you mentioned Terrascan, and also you mentioned the approach has to change. Can you talk about that?

A: We have talked about it in our previous discussions, but what are some of... I would not ask you to provide a playbook or best practices, but still, what are the core components? Like, policies can be there, zero trust can be there, that do play a big role in this, because when we look at attackers there are two things. Number one was their incentive is high to compromise. I mean, somebody may want to, depending on what is their motive. You know, somebody just wants visibility, somebody is doing it for a state-sponsored attack.

A: Somebody wants to steal something; it depends. But if we can kind of reduce that incentive, number one. Number two is that also make it harder for them, that they have to just put way too much effort to make a compromise, so it's not even worth it. So is there any, you know, playbook or some tips, how you can do that? So just to add more layers, like an onion, which, of course, you know, there's nothing like a fully secure environment, but still add more layers there. Yeah.
B: So the cloud native world, you know, there are... you know, it is layered, it's pretty layered! You know, the entire cloud native stack is pretty layered. If you look into how the typical, you know, containerized applications, when they're deployed, there are multiple layers which are possible for the end users to adopt. Say, for example, if you want to deploy a containerized application on AWS, you have multiple choices available. As a bottom layer, you can just use AWS's compute and then, on top of it, you can deploy your own Kubernetes...

B: ...you know, cluster, and then you can deploy images, you know, container images, on top of it. Or you can go ahead and use a full abstract layer like Fargate; you can deploy it on top of it. Or you can, you know, select a managed Kubernetes service from AWS, Azure, GCP, such as, you know, EKS, AKS and GKE, and deploy it on top of it. So there are multiple layers right now. These layers have, you know, their own control planes. They have to be addressed from a security point of view also in layers.

B: So how do you do that? Well, number one! You know, the issue which has been so much spoken about: the community now very well realizes that 80 percent of the security issues emerge out of, you know, lack of cyber hygiene, and cyber hygiene simply means best practices, hardening, following the benchmarks, following everything that is available to the community through public, you know, standards and compliance, you know, literature. So as an example, CIS benchmarks at minimum.

B: To take advantage of Terrascan is one such option, which allows you to do CIS benchmarks testing ahead of, you know, the life cycle. And then, once you have achieved a level in your cyber hygiene, ensure that you are identifying your crown jewels very well, because the point that you were raising, how should we lower the incentive for the attackers, right? The incentive for the attackers is when they know there are crown jewels available and they know the path to that.

B: So before the attackers get to know what are your crown jewels, you, as an organization, should know what are your crown jewels and then focus upon building a fortified approach towards it. You can do defense in depth around your crown jewels. You don't have to protect all the regions of your network, so visibility into your crown jewels, it's a very important factor. I think that's one thing which... so first, I always recommend to do cyber hygiene.

B: Sometimes it's number one or number two, your asset classification, asset visibility. That is the foundation still in the security space since three decades. Everybody's talking about asset classification; it is very important. Something that you don't know, you can't protect. So you need to have visibility into that, and then number three is you identify your threat model and then design your security controls according to that. There's no point deploying security controls which don't align with your threat model.

B: It's like, you know, you've got gold nuggets, you know, sitting in one room in your home, but you're putting the lock somewhere else, right? You need to identify your threat model and then design the controls accordingly. That is going to cover you up for the remaining percent. But, as you said, you know, any motivated attacker, you know, anybody who has the intent, opportunity and capability, is a threat for you, right?

B: You know, these three, you know, strategies should work really well for them to be defended and protected against 80 to 90 percent of adversaries, which are scavenger-type adversaries which are on the internet, right? Targeted adversary protection is a different space altogether. It's a different conversation altogether.
A: I don't want to repeat that, but you're scanning what you know, right? You're not looking at the places... so how to kind of eliminate or avoid the streetlamp effect, because when you're talking about having visibility, when you talk about looking at assessment, you should have a holistic approach, because you may not be looking at the areas where the attacker is looking at.
B: That is true, it's a hard problem to solve. Let's, you know, first start with that admission, because otherwise we can't improve. And one of the approaches that I'm observing the CISO community is taking up is they're simply going after something which is called... as you know, this has become a term in at least the community where I'm interacting: KSD, key system dashboard. What that means is that you identify your key systems which are generating revenue for you.

B: So if you are a banking organization, if you are an insurance organization, there must be 30, 40 apps which you are giving away to the, you know, users, which basically are generating revenue for you. Identify those key systems. Once you have identified them, now do the trickle-down effect on them. So let's say you have identified: this is my key application. Figure out this application runs on what all infrastructure, so whether it runs in a particular cluster, particular VPC, particular region, or it is scattered around.

B: It has, you know, DR systems. Work downwards from identification of your key system, which is revenue generating, because you want to protect, at the end of the day, your revenue generating assets first, right? Once you build this model, this is what allows you to then create an architecture diagram which becomes the basis for you to do your initial threat model, identify threats and then build your monitoring systems accordingly, to monitor the threat model that you are coming up with. But the key to that is to first begin with understanding what are your key systems.

B: Once you've had the coverage for it, that's where you can then start doing some lateral adjustments, and you start looking into areas which are other than the key systems. Therefore security programs, security management is a maturity, you know, cycle; it cannot be done in one day and requires a lot of experience both at the leadership level and at the execution level.

B: A lot of buy-in is needed. Budgeting is needed. Security is not cheap. Security is expensive, both from a time and cost point of view, and requires a lot of effort.
A: I also want to... yeah, I also want to talk about policy as code. What is its importance? Not only just for Kubernetes but also cloud native in general. So, policy as code?
B: Policy as code is the most effective and cost-effective way of achieving, you know, cyber hygiene and hardening, with, you know, capabilities where you not only can identify your security gaps, but you get full opportunity to fix them with the help of remediation as code as well. Policy as code enables you to do remediation as code, right? So when you are codifying your policies to identify the gaps and deviations, the same codification of policy, the reverse of that, is remediation as code, right?

B: So if you have codified a policy, you know what is that code which is going to remediate that. So it's the most effective way, and cost effective as well, because you get to do policy as code in the design time as well as in the code time or development time, right before you have built your infrastructure, before you have deployed your applications, and that's the strength of, you know, this whole paradigm.

B: Now one of the projects from CNCF, OPA, Open Policy Agent, has kind of become a de facto standard in the cloud native world to do policy as code. It supports a language called Rego, a very powerful language. Very Go-ish kind of, you know, language; it has the power of Go behind it. You can write policies, custom policies of any type, across various different technology stacks.

B: It was designed for Kubernetes specifically, but it can be extended to any other layer as well. So Terrascan uses OPA internally, and Terrascan has gone ahead and expanded the OPA capabilities in such a way that it can be used not only in Kubernetes but also in serverless, containers, and also at your bottom layer, which is your cloud provider layer, as well.
A: Well, awesome, thanks for explaining that. Now we're almost at the end of 2020, and if I remember, I think a few years ago there was an attack, and, you know, when all these companies are busy sending out, you know, the packages that we are ordering, and suddenly... you really don't want to be the guy who has to lose sleep at night because of some compromise. So can you talk about what the areas are that developers still need to focus on, which sometimes they overlook, so that they really look? We cannot keep up.

A: You know, the bugs will be there. Bugs will become vulnerabilities; that is something we don't have control over. But, as you were explaining earlier, so can you just talk about what are the areas that are overlooked, that they should just pay attention to, especially as we are working from home. Everybody is working remotely. Everybody is doing everything digitally today on the internet. So talk about that, yeah.
B: So, you know, developers... if I speak about the multiple types of developers now, right, I mean, for, you know, our discussion's sake, we can pick up an example of infrastructure developers, right, you know, developers who are putting together infrastructure to support all types of services that we are engaged with. You know, talk about, you know, stock services, Robinhood, right, delivery services, DoorDash, everything is running on cloud today, right?

B: So when we are deploying such, you know, environments, which kind of have become a lifeline now, including COVID vaccine analysis, it is happening on cloud. It's not happening on laptops, you know, anymore, or on desktops anymore, so such environments have become a societal lifeline now and they are very critical.

B: One aspect that I believe gets really overlooked, which is very easy to implement, is configuration management. So a lot of times developers, and it's not their fault, their job is to deliver, and, you know, that's where, you know, the lack of configuration testing can sometimes, you know, have a snowball effect.

B: Detection of, you know, misconfigurations at an early stage itself, so that... and it has to be contextualized. The problem with development teams is that if you tell them you need to go and make these four changes, they need to know why. The "why" part has become very important from a security point of view.

B: If you are asking a developer to enable or disable a certain configuration, you have to provide enough context, and that's when you will be able to see adoption happening. So config management, I believe, is one area which can really go a long way in terms of protection, which is getting overlooked due to lack of integrations in the developer life cycles. That's where a lot of improvement is required from the community.
A: Yeah, because if you look at it, vulnerabilities that you have no control over... vulnerabilities, bugs, and misconfiguration, these are the two main factors that lead to that, and so, yeah, you're absolutely right about that. And thanks for sharing those playbooks, those ideas, those suggestions with them. Thanks for taking time out today to talk about not only this, these two vulnerabilities in general, but in general, cloud native, Kubernetes security, and I look forward to talking to you again, as usual. So once again, thank you.