►
Description
No description was provided for this meeting.
If this is YOUR meeting, an easy way to fix this is to add a description to your video, wherever mtngs.io found it (probably YouTube).
A
Hello,
everyone
Welcome
to
Cloud
native,
live
where
we
dive
into
the
code
behind
Cloud
native
I'm,
Annie,
talvesto
and
I'm,
a
cncf
Ambassador
as
well
as
a
senior
product
marketing
manager
at
kamunda
and
I
will
be
your
host
tonight.
So
every
week
we
bring
a
new
set
of
presenters
to
Showcase
how
to
work
with
Cloud
native
Technologies.
They
will
build
things,
they
will
break
things
and
they
will
answer
all
of
your
questions,
so
you
can
join
us.
Every
Wednesday
to
watch
live
and
it's
a
fun
thing.
A
That's
happening
within
the
cloud
native
sphere
in
general.
There's
two
micro
surveys
going
on
that
you
can
complete,
there's
one
for
contributors
and
one
for
one
of
them
so
and
also
this
week
we
have
Christopher
here
with
us
to
talk
about
creating
a
paved
Road
for
security
and
kubernetes
operators,
and
as
always,
this
is
an
official
live
stream
of
the
CNC
app
and
as
such,
it
is
subject
to
the
cscf
code
of
conduct.
So
please
do
not
add
anything
to
chat
or
questions
that
would
be
in
violation
of
that
code
of
conduct.
A
Basically,
please
be
respectful
of
all
of
your
fellow
particular
depends.
As
well
as
presenters
and
today,
we'll
be
taking
most
of
the
questions
in
the
end
but
feel
free
to
pop
them
in
the
chat
throughout
the
session
as
well,
so
we
can
get
answers
to
them
all
of
them
towards
the
end
of
the
session,
but
I'll
hand
it
over
to
Christoph
to
kick
off
today's
presentation.
B
B
So
there's
a
controller
that
reconciles
those
resources
for
you,
utilizing,
Automation
and
a
kubernetes
has
and
the
common
use
case,
for
it
could
be
Solutions
or
or
applications.
So
you
might
have
a
database
that
you
wish
to
update.
You
may
want
to
train
the
data
out
of
it.
You
may
want
to
rehydrate
it,
and
this
is
usually
a
very
good
pattern
to
use
and
try
to
keep
your
application
in
sync,
which
jokes.
B
So
you
can
leverage
existing
resources
if
you
wish
to
which
is
kind
of
a
bit
scary,
but
we
go
through
it
a
little
bit
later
and
then,
alongside
all
of
that,
we
would
like
to
do
with
the
operator
and
yeah
how
it's
going
to
work.
It
could
also
introduce
further
kubernetes
resources
and
resolve
those,
but
also
extend
further
outside
your
cluster
and
actually
start
configuring
Cloud
resources,
which
is
quite
scary,
stuff
too
and
yeah
last
on
the
list.
B
Now,
operators
are
administrative
tasks
and
to
solve,
as
you
probably
know,
they
are
highly
permissive
or
certainly
have
highly
permissive
service
accounts.
So
it
really
gets
compromised.
You
can
leverage
those
permissions
to
pretty
much
do
yeah
quite
a
lot
of
stuff
getting
close
to
Cluster
and
from
a
deployment
of
the
actual
controller
itself,
and
this
can
be
a
privileged
container
as
well
just
so
they
can
access
and
reach
the
resources
that
they
need
to,
and
also
they're
just
as
skeptical
as
any
any
other
container
or
image
to
vulnerability
or
dependencies.
B
So,
let's
have
a
look
at
what
the
common
attack
path
may
look
like.
Well,
an
attacker
could
steal
some
credentials
and
entertain
cluster
excess
and
from
there
you
could
enumerate
maybe
notices
that
there's
an
operator
in
their
field
in
it
and
then
maybe
from
there.
You
want
to
start
enumerating
what
the
service
accounts
can
do.
Maybe
the
namespace
is
already
in
it.
B
If
it's
in
a
dedicated
one,
maybe
you
want
to
use
cheap
system
namespace
and
basically
from
there
you
can
leverage
the
classroom
findings
you
could
have,
has
those
another
delicious
container
into
it.
So,
for
instance,
in
the
cube
system,
namespace
and
then
you
start
the
private
start,
taking
over
other
resources
with
like
a
privileged
container
and
but
yeah
granted
that
there
are
a
lot
of
ifs
and
buts
and
other
controls
you
can
apply
within
them.
B
Now
the
functionality
of
operator
will
maybe
remain
the
same,
but
what
you
could
do,
then,
is
it's
not
like
a
malicious
sidecar,
and
that
sidecar
would
then
be
deployed
alongside
other
containers
and
then
intercept
a
lot
of
requests
that
come
through
to
get
a
sensitive
information
and
that
information
you
can
transfer
and
it's
an
adversely
controlled
cloud
provider
or
account,
for
example,
yeah.
It's
also
worth
mentioning
that
there
are
several
cves
you
can
find
to
kind
of
run
operator
and
they
are
not
always
just
about
the
operator
itself.
B
So
there
are
things
that
are
deployed
alongside
the
operator
that
affected
and
how
it's
done
so
you
can
see
that
with,
for
instance,
the
capsule
proxy.
Essentially,
the
vulnerability
is
within
there
because
the
proxy
is
running
as
cluster
admin.
It
gives
you
cluster
access,
transfer
on
to
the
operator
and
so
forth,
so
but
yeah.
It
just
gives
you
an
idea
that
operators
are
also
vulnerable
and
are
not
immune
to
this
topic,
so
yeah.
How
bad
is
it?
B
Now
this
is
for
security
context.
Red
is
bad,
so
red
is
basically
saying
that
for
specific
for
specific
security
context,
there's
a
lot
being
applied
from
operator
assets,
but
the
purple
ones
are
typically
the
opposite
of
what
you
want.
So
that
is,
if
you
have
privilege
escalation
Force,
for
example,
it
would
be
setting
it
to
true,
so
that
is
kind
of
a
bit
scary,
but
at
the
same
time,
some
operations
because
sometimes
have
like
accessing
or
setting
up
container
storage
interface,
for
instance,
which
could
justify
sub
settings.
B
So
next
up
are
the
classical
permissions.
There
were
a
lot
that
had
classroom
permissions
and
you
can
see
that
they
are
a
few
admin
or
just
admin
equivalent,
that
is
I,
have
access
to
every
single
resource
and
every
single
kubernetes
API
object,
and,
alongside
that
surprisingly,
about
10
of
The
Operators
have
binder
escalate
or
impersonate
cluster
roles.
So
the
breakdown
of
this
would
be
like.
90
of
this
have
dedicated
namespaces,
which
is
really
cool.
B
B
B
Calls
that
robot
from
control
plane,
io1,
which
I
have
already
installed
on
my
local
machine,
and
this
is
basically
a
kubernetes
operator,
Outlet
tool.
You
can
say
it's
analysis
and
and
yeah
can
analysis,
demo
files
or
manifests
for
you
and
scan
configuration
and
gives
you
some
indications
in
front
of
the
score.
How
about
a
specific
configuration
and
like
a
cluster
ball
or
a
certain
security
context?
B
Right,
it
basically
says
the
operator
service
account
or
the
cluster
world
has
permissions
to
read
secrets
in
our
name
spaces,
a
little
score
of
minus
12,
which
is
actually
pretty
bad,
but,
to
be
honest,
I'm
not
quite
sure
if
this
is
actually
new
in
order
to
let
the
investors
controller
work
as
intended,
but
and
yet
later
and
another
way
to
to
to
check
that
would
be
with
the
cube.
Ci
command
just
describe
the
cluster
role
and
you
could
see.
B
B
So
now,
let's
assume
that
an
attacker
site,
the
nginx
operator
container
and
maybe
his
goal-
is
to
deploy
a
malicious
pot
or
container
from
there,
and
so
an
option
could
be
that
he
finds
out
that
he
can
read
secrets
with
the
nginx
service
account
and
abuse.
It
was
another
service
account
with
this,
which
then
has
permissions
to
deprive
parts.
B
B
B
And
let's
see
what
we
have
here
on,
of
course,
there's
no
chipcts,
we
don't
have
crowd
and
with
the
car
command,
we
are
able
to
send
requests
to
the
kubernetes
API
and
therefore
we
will
have
to
use
the
credentials
from
the
engineering
service
account
to
authenticate
against
the
API
server.
But
all
that
stuff
is
already
mounted
in
inside
the
container,
so
it
could
be
under
running
secrets.
B
B
It's
like
if
I,
certainly
close,
our
basic
and
kubernetes
default
service
and
name
of
the
service
account
name
of
the
namespace.
Then
we
have
our
token
and
the
certificate
you
will
need,
and
our
coconut
would
basically
look
like
this.
We
want
to
get
all
the
secrets
from
the
juices
namespace
and
then
just
type
it
into
this
correctly,
because.
B
B
B
B
B
B
B
B
B
B
Right,
let
me
jump
like
so
how
do
we
start
to
secure
an
operator
I'm?
This
is
essentially
what
the
clcf
says
for
operator
security.
The
first
and
quite
quite
big
tribe
here-
is
transparency
and
documentation,
and
it
is
essential
that
you
define
exactly
what
things
doing
and
what
you're
trying
to
achieve.
So
in
that
sense,
you
can
then
start
breaking
down
what
permissions
you
need,
but
it
needs
to
be
externally
sold
or
so
far,
and
so
that's
very
important
thing
for
an
operator
to
do
and
signing
that
scope.
B
They
try
to
basically
respect
it,
obviously
permissions
as
much
as
possible
and
those
only
use
it
if
it's
necessary
so
and,
as
you
see
from
the
operator
Hub,
which
yeah
it
doesn't
contain,
all
the
operators
on
the
planet
that
that
is
not
true
and
quite
a
lot
of
them
had,
or
we
are
being
said
to
work.
Permissions,
then
to
bear
in
mind
I
should
think
is:
is
the
operator
does
have
access
to
external
resources
and
you're
going
to
need
to
review
that
as
well
yeah?
B
B
So
my
advice
would
be
just
to
be
explicit
and
and
careful
the
resources
you
want
to
access
and
the
apis.
So
try
not
to
do
star
permissions,
try
not
to
do
call
Api
style,
and
that
is
just
being
quite
lazy.
So
the
only
issue
is
that
an
operator
might
actually
require
that
as
part
of
it
in
order
to
work
good
question
that
someone,
especially
when
you
get
into
around
rbsc
API,
because
that's
where,
if
you
buy
a
start
and
you
start
to
define
the
escalate
privileges.
B
B
Is
supposed
to
be
so
also
restricted
to
what
it
can
watch
as
well,
just
as
just
slightly
different
and
yeah
review
the
customer
permissions
and
make
sure
they're
not
overly
permissive
and
then
also
do
the
same
stuff
for
cloud
aim
and
also
make
sure
that
role
and
not
cluster
role
is
defined.
If
you
only
got
a
namespace
double
layer,
foreign.
B
B
B
B
B
B
B
B
B
B
B
B
B
B
B
A
A
Yeah
we
have
a
cloud
native
slack
Channel
within
the
cncf
slack.
So
if
you
decide
to
do
them,
you
can
plug
them
in,
for
example,
there
and
that's
gonna
be
great,
for
example,
in
the
audience
members
can
find
it
from
there
and
then
the
other
comment
is,
for
example,
it's
a
settings
such
as
must
run
as
non-root
and
privileged
escalation.
False
Etc
can
be
set
in
Port
security
policies,
Community
standpoint.
A
Yeah
all
good,
then
that
went
well
on
that
front
as
well,
but
yeah.
Those
were
the
two
questions
while
we
got
during
the
session,
but
let's
see
if
we
have
any
more
so
please
the
audience.
Members
type
them
away,
but
I
have
a
question.
Meanwhile.
Is
there
any
kind
of
learn
more
resources?
If
anyone
wants
to
dive
even
deeper
into
this
topic
that
you
could
recommend.
B
A
Perfect,
we
can
find
it
over
there,
yeah
lovely
yeah.
Let's
see
no
new
questions
so
far,
then.
Actually
another
question
from
me:
do
you
have
I
always
love
asking
this
question
by
the
way?
So
do
you
have
any
predictions
on
this
space?
What's
going
to
happen
in
the
future?
What
will
be
the
next
steps
for
this.
A
A
Okay,
perfect!
Well,
it's
been
absolutely
lovely.
Thank
you
so
much
and
thank
you,
everyone
for
joining
into
the
latest
episode
of
cloud
native
live.
It
was
great
to
have
a
session
about
creating
a
craved
road
for
security
and
communities,
operators
I,
really
like
the
the
audience
interaction.
There
was
a
lot
of
people
saying
hi
in
the
chat
as
well
so
hi
to
everyone
as
well,
and
as
always,
we
bring
you
the
latest
Cloud
native
code,
every
Wednesday
so
tune
in
in
the
future
as
well.