►
Description
No description was provided for this meeting.
If this is YOUR meeting, an easy way to fix this is to add a description to your video, wherever mtngs.io found it (probably YouTube).
A
Hello,
everyone
Welcome
to
Cloud
native,
live
where
we
dive
into
the
code
behind
Cloud
native
I'm,
Annie,
talvesto
and
I'm,
a
cncf
Ambassador
as
well
as
a
senior
product
marketing
manager
at
kamunda
and
I
will
be
your
host
tonight.
So
every
week
we
bring
a
new
set
of
presenters
to
Showcase
how
to
work
with
Cloud
native
Technologies.
They
will
build
things,
they
will
break
things
and
they
will
answer
all
of
your
questions,
so
you
can
join
us.
Every
Wednesday
to
watch
live
and
it's
a
fun
thing.
A
That's
happening
within
the
cloud
native
sphere
in
general.
There's
two
micro
surveys
going
on
that
you
can
complete,
there's
one
for
contributors
and
one
for
one
of
them
so
and
also
this
week
we
have
Christopher
here
with
us
to
talk
about
creating
a
paved
Road
for
security
and
kubernetes
operators,
and
as
always,
this
is
an
official
live
stream
of
the
CNC
app
and
as
such,
it
is
subject
to
the
cscf
code
of
conduct.
So
please
do
not
add
anything
to
chat
or
questions
that
would
be
in
violation
of
that
code
of
conduct.
A
Basically,
please
be
respectful
of
all
of
your
fellow
particular
depends.
As
well
as
presenters
and
today,
we'll
be
taking
most
of
the
questions
in
the
end
but
feel
free
to
pop
them
in
the
chat
throughout
the
session
as
well,
so
we
can
get
answers
to
them
all
of
them
towards
the
end
of
the
session,
but
I'll
hand
it
over
to
Christoph
to
kick
off
today's
presentation.
B
B
So
essentially
kubernetes
operator
isn't
an
extension
of
the
kubernetes
API
with
some,
which
is
provided
by
customer
Source
definitions
and
which
extends
the
capabilities
of
kubernetes
Beyond,
its
initial
Primitives.
B
So
there's
a
controller
that
reconciles
those
resources
for
you,
utilizing,
Automation
and
a
kubernetes
has
and
the
common
use
case,
for
it
could
be
Solutions
or
or
applications.
So
you
might
have
a
database
that
you
wish
to
update.
You
may
want
to
train
the
data
out
of
it.
You
may
want
to
rehydrate
it,
and
this
is
usually
a
very
good
pattern
to
use
and
try
to
keep
your
application
in
sync,
which
jokes.
B
So
introduce
we've
talked
about
custom
research,
the
resource
definitions
and
what
they
do,
but
they
can
basically
be
anything
that
you
want
them
to
be
to
run
your
cluster,
to
provide
all
the
operational
knowledge,
so
yeah
they're
awesome,
it's
a
custom
controller
which
essentially
gets
deployed
normally
in
a
dedicated
namespace,
with
a
dedicated
service
account,
but
this
isn't
mandatory.
B
So
you
can
leverage
existing
resources
if
you
wish
to
which
is
kind
of
a
bit
scary,
but
we
go
through
it
a
little
bit
later
and
then,
alongside
all
of
that,
we
would
like
to
do
with
the
operator
and
yeah
how
it's
going
to
work.
It
could
also
introduce
further
kubernetes
resources
and
resolve
those,
but
also
extend
further
outside
your
cluster
and
actually
start
configuring
Cloud
resources,
which
is
quite
scary,
stuff
too
and
yeah
last
on
the
list.
B
B
Now,
operators
are
administrative
tasks
and
to
solve,
as
you
probably
know,
they
are
highly
permissive
or
certainly
have
highly
permissive
service
accounts.
So
it
really
gets
compromised.
You
can
leverage
those
permissions
to
pretty
much
do
yeah
quite
a
lot
of
stuff
getting
close
to
Cluster
and
from
a
deployment
of
the
actual
controller
itself,
and
this
can
be
a
privileged
container
as
well
just
so
they
can
access
and
reach
the
resources
that
they
need
to,
and
also
they're
just
as
skeptical
as
any
any
other
container
or
image
to
vulnerability
or
dependencies.
B
That
would
but
I
think
the
biggest
thing
from
a
workload
perspective
in
kubernetes
is
the
scope
talking
operator,
because
not
only
could
we
just
namespace
bound
to
a
specific
namespace
that
you
would
want
to
resolve
your
resources
of
what
to
do
your
work
and
or
you
can
go
completely
cluster
right
or
even
multi-cluster-wide,
if
you
wanted
to
which
again,
it
extends
those
permissions
yeah,
but
even
further
can
be
externally
bound.
B
So,
let's
have
a
look
at
what
the
common
attack
path
may
look
like.
Well,
an
attacker
could
steal
some
credentials
and
entertain
cluster
excess
and
from
there
you
could
enumerate
maybe
notices
that
there's
an
operator
in
their
field
in
it
and
then
maybe
from
there.
You
want
to
start
enumerating
what
the
service
accounts
can
do.
Maybe
the
namespace
is
already
in
it.
B
If
it's
in
a
dedicated
one,
maybe
you
want
to
use
cheap
system
namespace
and
basically
from
there
you
can
leverage
the
classroom
findings
you
could
have,
has
those
another
delicious
container
into
it.
So,
for
instance,
in
the
cube
system,
namespace
and
then
you
start
the
private
start,
taking
over
other
resources
with
like
a
privileged
container
and
but
yeah
granted
that
there
are
a
lot
of
ifs
and
buts
and
other
controls
you
can
apply
within
them.
B
Now
the
functionality
of
operator
will
maybe
remain
the
same,
but
what
you
could
do,
then,
is
it's
not
like
a
malicious
sidecar,
and
that
sidecar
would
then
be
deployed
alongside
other
containers
and
then
intercept
a
lot
of
requests
that
come
through
to
get
a
sensitive
information
and
that
information
you
can
transfer
and
it's
an
adversely
controlled
cloud
provider
or
account,
for
example,
yeah.
It's
also
worth
mentioning
that
there
are
several
cves
you
can
find
to
kind
of
run
operator
and
they
are
not
always
just
about
the
operator
itself.
B
So
there
are
things
that
are
deployed
alongside
the
operator
that
affected
and
how
it's
done
so
you
can
see
that
with,
for
instance,
the
capsule
proxy.
Essentially,
the
vulnerability
is
within
there
because
the
proxy
is
running
as
cluster
admin.
It
gives
you
cluster
access,
transfer
on
to
the
operator
and
so
forth,
so
but
yeah.
It
just
gives
you
an
idea
that
operators
are
also
vulnerable
and
are
not
immune
to
this
topic,
so
yeah.
How
bad
is
it?
B
B
Now
this
is
for
security
context.
Red
is
bad,
so
red
is
basically
saying
that
for
specific
for
specific
security
context,
there's
a
lot
being
applied
from
operator
assets,
but
the
purple
ones
are
typically
the
opposite
of
what
you
want.
So
that
is,
if
you
have
privilege
escalation
Force,
for
example,
it
would
be
setting
it
to
true,
so
that
is
kind
of
a
bit
scary,
but
at
the
same
time,
some
operations
because
sometimes
have
like
accessing
or
setting
up
container
storage
interface,
for
instance,
which
could
justify
sub
settings.
B
So
next
up
are
the
classical
permissions.
There
were
a
lot
that
had
classroom
permissions
and
you
can
see
that
they
are
a
few
admin
or
just
admin
equivalent,
that
is
I,
have
access
to
every
single
resource
and
every
single
kubernetes
API
object,
and,
alongside
that
surprisingly,
about
10
of
The
Operators
have
binder
escalate
or
impersonate
cluster
roles.
So
the
breakdown
of
this
would
be
like.
90
of
this
have
dedicated
namespaces,
which
is
really
cool.
B
The
only
issue
is
that
maybe
four
percent
had
in
cluster
roles,
which
almost
defeats
on
the
point
completely
of
having
is
somewhat
the
presented
access
to
Secrets,
which
we'll
take
a
look
at
later
and
70
could
execute
into
Parts
58,
do
not
use
security
context
at
all
and
only
10
crop
Linux
capabilities.
B
So,
as
you
can
see,
you
have
to
be
careful
from
an
external
source
and
really
have
to
kind
of
review
with
the
settings
and
the
resources
matches
your
environment
security
guidelines
yeah.
So
I
guess,
that's
demo
part.
Let
me
just
switch
my
windows.
B
Right
so
I
have
a
basic
Japanese
capacity
with
three
master
and
three
worker
nodes.
B
B
Calls
that
robot
from
control
plane,
io1,
which
I
have
already
installed
on
my
local
machine,
and
this
is
basically
a
kubernetes
operator,
Outlet
tool.
You
can
say
it's
analysis
and
and
yeah
can
analysis,
demo
files
or
manifests
for
you
and
scan
configuration
and
gives
you
some
indications
in
front
of
the
score.
How
about
a
specific
configuration
and
like
a
cluster
ball
or
a
certain
security
context?
B
Permission
is
so
as
an
example,
let's
just
scan
the
rbsc
gamma
file
from
the
out
of
the
box
and
engine
X
Ingress
controller
deployment,
which
I
have
copied
here.
B
It
looks
like
this,
as
you
can
see,
there's
a
service
account
with
the
cluster
Road
and
other
permissions
through
resources
and
so
on.
B
And,
as
you
can
see
there,
yeah
there's
a
service
account
with
yeah.
B
Right,
it
basically
says
the
operator
service
account
or
the
cluster
world
has
permissions
to
read
secrets
in
our
name
spaces,
a
little
score
of
minus
12,
which
is
actually
pretty
bad,
but,
to
be
honest,
I'm
not
quite
sure
if
this
is
actually
new
in
order
to
let
the
investors
controller
work
as
intended,
but
and
yet
later
and
another
way
to
to
to
check
that
would
be
with
the
cube.
Ci
command
just
describe
the
cluster
role
and
you
could
see.
B
B
So
now,
let's
assume
that
an
attacker
site,
the
nginx
operator
container
and
maybe
his
goal-
is
to
deploy
a
malicious
pot
or
container
from
there,
and
so
an
option
could
be
that
he
finds
out
that
he
can
read
secrets
with
the
nginx
service
account
and
abuse.
It
was
another
service
account
with
this,
which
then
has
permissions
to
deprive
parts.
B
So,
for
example,
there
are
some
basic
default
kubernetes
service
accounts,
especially
in
a
cube
system
namespace,
and
we
have
those
rights.
So
maybe
let's
check
them
real,
quick.
B
B
And
let's
see
what
we
have
here
on,
of
course,
there's
no
chipcts,
we
don't
have
crowd
and
with
the
car
command,
we
are
able
to
send
requests
to
the
kubernetes
API
and
therefore
we
will
have
to
use
the
credentials
from
the
engineering
service
account
to
authenticate
against
the
API
server.
But
all
that
stuff
is
already
mounted
in
inside
the
container,
so
it
could
be
under
running
secrets.
B
B
It's
like
if
I,
certainly
close,
our
basic
and
kubernetes
default
service
and
name
of
the
service
account
name
of
the
namespace.
Then
we
have
our
token
and
the
certificate
you
will
need,
and
our
coconut
would
basically
look
like
this.
We
want
to
get
all
the
secrets
from
the
juices
namespace
and
then
just
type
it
into
this
correctly,
because.
B
B
B
B
B
B
It
just
leaves
that
bit
of
conditions
like
privilege
through
and
access
to
the
root
file
system
of
the
host,
and
it's
also
the
host
processes
and
so
on,
and
now
the
clear
commands
would
look
like
this.
We
want
to
place
this
part
in
the
Q
system.
Namespace
would
be
able
to
hit
the
template
file.
B
To
find
a
pot
into
system
next
guys,
so
let's
see
let
me
exit
here
and.
B
Yeah
here
it
is
up
and
running,
and
typically
an
attacker
would
play
some
kind
of
backdoor
into
that
container.
So
let's
execute
that
one
too.
B
Let's
assume
that
maybe
a
developer
has
a
q
config
file
and
it's
from
directory
on
like
this
and
looks
like
we
are.
We
are
cluster
happening
here
and
we
have
other
credentials.
B
We
would
need
and
also
the
IP
of
the
so
maybe
just
to
verify
that
you
could
do
config
at
context
and
then
just
use
this
config
file
we
found,
and
indeed
we
are
kubernetes
admin
and
you
should
probably
be
able
to
delete
a
note,
for
example,
and
you
could
also
check
that
and
instead
of
a
service
account,
you
know
use
the
to
config
file,
which
would
say
yes,
we
can
so
basically
an
attacker
now
managed
to
take
over
the
whole
club
so
to
say.
B
Right,
let
me
jump
like
so
how
do
we
start
to
secure
an
operator
I'm?
This
is
essentially
what
the
clcf
says
for
operator
security.
The
first
and
quite
quite
big
tribe
here-
is
transparency
and
documentation,
and
it
is
essential
that
you
define
exactly
what
things
doing
and
what
you're
trying
to
achieve.
So
in
that
sense,
you
can
then
start
breaking
down
what
permissions
you
need,
but
it
needs
to
be
externally
sold
or
so
far,
and
so
that's
very
important
thing
for
an
operator
to
do
and
signing
that
scope.
B
So,
like
cluster
white
external,
on
Xbox,
White,
so
cluster
right,
you
have
access
to
our
resources
that
you
need
external
Cloud
resources
in
the
namespace.
B
They
try
to
basically
respect
it,
obviously
permissions
as
much
as
possible
and
those
only
use
it
if
it's
necessary
so
and,
as
you
see
from
the
operator
Hub,
which
yeah
it
doesn't
contain,
all
the
operators
on
the
planet
that
that
is
not
true
and
quite
a
lot
of
them
had,
or
we
are
being
said
to
work.
Permissions,
then
to
bear
in
mind
I
should
think
is:
is
the
operator
does
have
access
to
external
resources
and
you're
going
to
need
to
review
that
as
well
yeah?
B
And
today's
say
that
probably
they
stated
you
should
leverage
as
any
rooms,
app
armor
and
second
profiles
as
well,
but
yeah
well
known
across
the
industry
and
as
always
stand
for
vulnerabilities
and
consider
your
supply
chain
security.
B
So
from
prevention
strategies,
point
of
perspective.
B
Maybe
let's
say
you
want
to
better
than
this
worth
mentioning
that
as
an
operator,
SDK
version
1.81
or
higher,
there
are
two
default
security
contacts
set
by
default,
like
run,
is
not
good
set
to
true
and
another
privilege.
B
Relations
are
too
false
as
part
of
developer.
Who
has
has
to
removed
you
kind
of
have
to
question
that
a
question.
Why
somewhat
so
yeah
it
may
be
bound
to
the
way
the
thing
works,
but
I
think
you
should
really
question
that
one.
B
So
my
advice
would
be
just
to
be
explicit
and
and
careful
the
resources
you
want
to
access
and
the
apis.
So
try
not
to
do
star
permissions,
try
not
to
do
call
Api
style,
and
that
is
just
being
quite
lazy.
So
the
only
issue
is
that
an
operator
might
actually
require
that
as
part
of
it
in
order
to
work
good
question
that
someone,
especially
when
you
get
into
around
rbsc
API,
because
that's
where,
if
you
buy
a
start
and
you
start
to
define
the
escalate
privileges.
B
B
Is
supposed
to
be
so
also
restricted
to
what
it
can
watch
as
well,
just
as
just
slightly
different
and
yeah
review
the
customer
permissions
and
make
sure
they're
not
overly
permissive
and
then
also
do
the
same
stuff
for
cloud
aim
and
also
make
sure
that
role
and
not
cluster
role
is
defined.
If
you
only
got
a
namespace
double
layer,
foreign.
B
So
we
speak
the
way
to
secure
operators
in
your
cluster
in
general,
as
shown
here,
I'm
gonna
remind
that
it
would
have
to
check
and
make
sure
the
operator
itself
still
works
as
intended
afterwards,
but
in
theory
it
hardens
your
cluster
security
when
using
operators
so
to
make
the
payload
in
your
cluster
from
operators,
so
payload
or
applications
should
be
in
a
different
namespace
than
the
operator.
B
There
should
be
no
payload
in
your
computer
next
days
and
and
vice
versa,
and
to
follow
great
payload
from
the
operator
you
can
use
as
well
as
possibility
policies
or
as
of
kubernetes
1.24
I
guess
the
cloud
security
admission
feature
so
that,
for
example,
the
operator
is
not
allowed
to
create
or
deploy
other
part
security
policies,
policies
in
its
own
namespace
and
no
other,
and,
as
I
have
already
mentioned,
the
service
account
for
the
operator
should
be
as
minimalistic
as
possible
regarding
its
permissions
as
well.
B
B
And
so
our
Engineers
English
controller
operator
was
applied
into
the
default
namespace,
as
you
might
have
noticed,
and
as
I
said,
you
want
to
what
what
you
operate
on
Wednesday.
So
maybe
let's
first
create
that
one
just
exit
from
here
and
say:
okay
next
thing
is.
B
B
Right
and
as
you
can
see,
we
won't
get
any
response
here
and
the
network
policy
seems
to
work
and
another
way
to
separate
or
restricted.
Permissions
would
be
to
change
cluster
levels
and
clusterable
bindings,
maybe
to
role
in
roll
bindings
bound
to
lead
operator
namespace.
B
So
let's
try
that
one
I
already
saved
the
cluster
Road
binding
and
cluster
mode
for
this
ever
and
set
it
to
roll
in
ball
binding.
So
they
are
bound
to
the
operator
namespace.
B
B
B
And,
as
you
can
see,
it
says,
our
service
account
is
for
different
three
secrets
and
I
keep
this
namespace,
and
now
we
should
only
be
able
to
read
the
secrets
in
the
operator
namespace,
since
the
role
in
role
binding
is
bounded
to
this
one.
So,
okay.
B
B
The
last
option
would
be
to
deploy
a
positivity
policy
and
maybe
let's
have
a
quick
look
at
what
I've
already
prepared
place
like
this,
and
now
this
one
respectful
device,
almost
anything
I'm
like
produced
at
false
now,
post
processes.
B
B
B
B
And
I
guess,
since
we
want
to
the
bad
part
again,
we
would
have
to
delete
the
old
one.
It's
running
already.
B
To
take
some
time,
but
let
us
move
in
a
few
seconds
yeah,
so
we
execute
in
the
next
part
again.
B
Yeah
now
we
have
the
secrets
again.
So,
let's
grab
for
the
replication
controller
again.
B
B
So
and
I
guess
we
have
to
recreate
our
that
pot
Json
template
since
missing
right
on.
B
A
Perfect,
thank
you
so
much
absolutely
lovely
demo
as
well.
A
A
So
there
was
a
question
essentially
on.
Will
these
yaml
and
Json
files
be
shared
on
GitHub,
so
people
maybe
want
to
try,
try
things
themselves
up.
A
Yeah
we
have
a
cloud
native
slack
Channel
within
the
cncf
slack.
So
if
you
decide
to
do
them,
you
can
plug
them
in,
for
example,
there
and
that's
gonna
be
great,
for
example,
in
the
audience
members
can
find
it
from
there
and
then
the
other
comment
is,
for
example,
it's
a
settings
such
as
must
run
as
non-root
and
privileged
escalation.
False
Etc
can
be
set
in
Port
security
policies,
Community
standpoint.
A
Yeah
all
good,
then
that
went
well
on
that
front
as
well,
but
yeah.
Those
were
the
two
questions
while
we
got
during
the
session,
but
let's
see
if
we
have
any
more
so
please
the
audience.
Members
type
them
away,
but
I
have
a
question.
Meanwhile.
Is
there
any
kind
of
learn
more
resources?
If
anyone
wants
to
dive
even
deeper
into
this
topic
that
you
could
recommend.
B
Yeah,
maybe
well
especially
because
for
operators
itself,
if
you
have
time
for
it,
it's
really
big
but
I
can
give
you.
The
link
is,
should
be
in.
A
Perfect,
we
can
find
it
over
there,
yeah
lovely
yeah.
Let's
see
no
new
questions
so
far,
then.
Actually
another
question
from
me:
do
you
have
I
always
love
asking
this
question
by
the
way?
So
do
you
have
any
predictions
on
this
space?
What's
going
to
happen
in
the
future?
What
will
be
the
next
steps
for
this.
A
Perfect
sounds
good,
let's
see
no
so
far,
but
so
we
will
start
wrapping
up
some
final
call
for
those
audience
questions
there.
Do
you
have
any
any
final
words
or
notes
that
you
want
to
share.
A
Okay,
perfect!
Well,
it's
been
absolutely
lovely.
Thank
you
so
much
and
thank
you,
everyone
for
joining
into
the
latest
episode
of
cloud
native
live.
It
was
great
to
have
a
session
about
creating
a
craved
road
for
security
and
communities,
operators
I,
really
like
the
the
audience
interaction.
There
was
a
lot
of
people
saying
hi
in
the
chat
as
well
so
hi
to
everyone
as
well,
and
as
always,
we
bring
you
the
latest
Cloud
native
code,
every
Wednesday
so
tune
in
in
the
future
as
well.