From YouTube: The Evolution of Kubernetes Security: What's Next - Kirsten Newcomer (Red Hat) OSCG 2022 Spain

Description
The Evolution of Kubernetes Security: What's Next
Speaker: Kirsten Newcomer (Red Hat)
OpenShift Commons Gathering Kubecon EU
May 17, 2022 Live from Kubecon EU in Valencia, Spain
Full Agenda here: https://commons.openshift.org/gatherings/OpenShift_Commons_Gathering_at_Kubecon_Europe_2022.html
Learn more at: https://commons.openshift.org
Hi everybody, it's nice to see people in person. I'm sure everybody's been saying that. I'm Kirsten Newcomer, director of security product management for the OpenShift team, and I'm here to tell you a little bit about what we're doing with OpenShift and security.
So just a quick comment on some of the ways that we contribute to the community: participation in the Kubernetes Security SIG, the API server SIG, Kube Auth SIG, the CNCF Security TAG, Tekton Chains, Sigstore, which you heard a good bit about from Luke earlier, Keylime, SPIFFE/SPIRE, and also, from here, talking a bit about what's driving our security investment. It was a great pleasure to listen to Yasmine. Saudi Aramco is one of the types of customers who need the security investment that we're making; they help to drive our thinking, so I appreciate seeing that presentation earlier today.

The approach we take within Red Hat towards security is to build security capabilities into our offerings to enable a continuous and holistic approach to security throughout the application stack and throughout the application life cycle: built in, not bolted on, enabling our customers to meet their security posture and regulatory requirements.
It also includes Red Hat Advanced Cluster Management, Red Hat Advanced Cluster Security, Red Hat Quay and OpenShift Data Foundation Essentials, right, and, as you can see, we're really working to provide a complete platform for app developers and also when it comes to containers and Kube. I mentioned DevSecOps earlier.
The reason I do that is, you know, most of you here, I'm sure, are aware, but I still run into teams, security teams in particular, who don't realize this yet: in a Kubernetes environment, best practice is never patch a running container, right? If you apply a fix to a running container and that particular instance of the image goes down, Kube or OpenShift is going to redeploy from the image itself and you're going to lose whatever fix you did. So it's really important that organizations design for automated build and deployment as much as possible.
So when we think about DevSecOps, the capabilities we're delivering with Platform Plus fall into three buckets: capabilities that help with controlling application security, features that help with protecting the platform, and finally features that help detect and respond to runtime threats.
So I'm not going to walk through all of these. I'll just mention that the white boxes are the capabilities available with OpenShift Container Platform, security capabilities in these three buckets; blue is Red Hat Advanced Cluster Security. For those of you who haven't heard of ACS before, that came to Red Hat through our acquisition of StackRox a little bit over a year ago. You'll be hearing more about ACS and StackRox in this session later today, and then the red boxes are ACM, ACM being very strong, both ACM and ACS doing multi-cluster capabilities, multi-cluster management, multi-cluster security.

So, stepping into the roadmap, kind of three key categories for our security roadmap: identity, integrity, observability. So again, supply chain security has been a very hot topic, certainly since the SolarWinds breach. A lot of great work has been done in the community. I was really, you know, I had an opportunity to listen to SolarWinds talk about how they are using... this was in October of last year at KubeCon North America: SolarWinds talking about how they're using Sigstore and Tekton Chains to improve their own internal supply chain. More on that later. Very proud that Red Hat is one of the founders of Sigstore, started that project; a lot going on there. If you were here this morning, you heard Luke talk about what it means to have keyless signatures and how that makes it much easier to integrate signing capabilities into a CI/CD pipeline.
Now, there are a couple of things on here that are a little bit further out. Encrypted containers, right: when we think about managing for trust, or a zero trust environment, being able to store and then run encrypted containers is a piece of the puzzle we're working on. And also rootless builds, right: as Yasmine mentioned, Podman needing privileges in the environment today; we want to make it possible to leverage components like that to do builds in an OpenShift environment without needing privileges.
When it comes to the platform, integrity matters, especially, you heard the MicroShift presentation and the conversation about edge that's happening there. Edge devices in particular, or single node OpenShift environments, and environments that are in malls, on devices, need more control, or need more security, I should say. They're subject to physical theft, they're subject to physical tampering. Being able to go beyond secure boot to remote attestation of an environment at the edge is also an area of investment. This is starting with RHEL 9.

It's a tighter integration with the Integrity Measurement Architecture: as we build RHEL 9 binaries, those will all have signatures stored in the kernel, enabling remote attestation, and then we will pick that up in OpenShift for RHEL CoreOS when OpenShift moves to RHEL 9, when RHEL CoreOS moves to RHEL 9 binaries.
We've also been working upstream with the community to get Kubernetes to add support for user namespaces. Our container runtime, CRI-O, already supports user namespaces, right. This allows you to run a container as root within the container; if there were an escape, the process would not be root outside of the container.

The Kubernetes community has not yet added that support; work in progress. There's a KEP; one of our key engineers, Derek Carr, has been actively working upstream on that. And again, that's just needed to be sure that all the elements of Kubernetes can work with and understand the runtime features that are already available. Trusted execution environments, right, so this is going beyond, you know... this is tied to confidential containers and some of the work we're doing with that.
You know, a common phrase in the security field is, people talk about security by obscurity, but that really isn't security, right? You can't secure what you can't see, and so observability is really a key part of the security story here. We'll touch on, and I'm not going to spend a lot of time on ACS, a couple of things on this slide are ACS, because Connor Gorman's going to do a deeper dive on that later.
So again, as I think you saw earlier, we're really focused with OpenShift 4 these days on providing standardization capabilities across multiple clusters. We find that more and more of our customers are using multiple clusters for many different reasons; Yasmine gave us some of hers, and they need a consistent way to manage configuration, governance and security across those clusters, and storage. Whoop, wrong direction.
Okay, so with ACM, one of the key areas of improvement for ACM in the security space is focused on improving secrets management, making it easier to do management of secrets across various elements of solutions that you're using, or, you know, secrets for your applications. But also again, if we circle back to Sigstore, we want to think about not just signing container images. ACM's job, right, is to ensure consistent configuration across your fleet while giving you the ability to have some customizations across your different fleet.

All of that work is done in YAML, right. All of those configurations are stored as YAML files. You want to be sure those YAML files aren't tampered with, and so digital signing of your YAML files helps to ensure that. This is done with an integration called Integrity Shield, and again it is using cosign signatures as an option. There's also an update to ensure that ACM can leverage cloud keys and tokens when managing deployments.
I don't want to steal Connor's thunder, but again, like ACM, ACS works with OpenShift, also with GKE, EKS and AKS. So, in a multi-cluster environment, it helps provide both runtime security as well as the ability to integrate security capabilities into your pipeline. We'll talk a little bit more about some of those as we go. So most of the ACS content and roadmap is going to be covered by Connor, so we'll just kind of keep going here. When it comes to compliance...
Red Hat has had a long history of providing the ability to automate compliance with technical controls that are tied to security and regulatory frameworks. So RHEL has OpenSCAP. SCAP stands for Security Content Automation Protocol; OpenSCAP is a NIST-certified scanner you can use with your RHEL servers to configure and check for compliance against things like PCI DSS.

We've taken the same approach with OpenShift, so the OpenShift Compliance Operator is available with any OpenShift subscription. We're shipping the profiles that you see in the "available now" box today. You can run those profiles on any OpenShift cluster; you'll get a report back as to which controls are compliant and which are not. If you wish, you can automatically rerun and remediate your cluster, applying those technical controls.
You can also tailor your profiles. So, for example, the CIS OpenShift benchmark, and CIS has moved to having benchmarks per Kubernetes distribution now, so there is a CIS OpenShift benchmark, recommends encrypting the etcd data store. Not every customer chooses to do that. Some people feel it's sufficient to encrypt the underlying storage rather than etcd itself, and so the Compliance Operator gives you information, but also a way to tailor to your needs.

NERC is also U.S.; PCI DSS, financial, kind of mostly around the world. Both ACS and ACM are integrated with the Compliance Operator to give you a visualization of compliance controls. ACS also provides workload compliance assessments as well. One of the new things we're working towards with the Compliance Operator is we're working to support that on the *KS clusters that I mentioned earlier: EKS, AKS and GKE, and we'll also be adding profiles for the CIS benchmarks for those particular Kube distros. So, work in progress.
One of the interesting, you know, conversations at the Cloud Native SecurityCon across the hall earlier today is how it can be... well, many of us in this room, right, are collecting logs and sending them to a SIEM, a security information and event monitoring system, for processing. That can be somewhat time consuming. We've been investing in multiple ways to do that, including event streaming as a way to forward your logs, and then, of course, visualization matters, right. Now, this is again, you know, mostly about monitoring.
Okay, and if you're not using network policies, are you using service mesh? Anybody using service mesh? One? Okay. Are people using network policies and service mesh together? One, small. So still low, still slow adoption of service mesh. That's interesting. So network policies, then, is your key way of ensuring that the traffic is only going where you expect it to go.

So this is one of the places where, also, you know, right now it's not the simplest thing for folks to configure and manage. You can, of course, deploy a policy that sort of says by default all of the pods in a single OpenShift project can talk to each other, but they can't go outside that project. But if you want to do something that's more interesting or more involved, or perhaps more controlled, that can take some additional work. So there are a couple of places where we're going. First of all, today with ACS you can get network policy visualization, so you can see what the traffic pattern is that's been implemented in your network policies. ACS will also automatically recommend ways that you can tighten network policy controls.

It'll give you the YAML. You can simulate what that looks like in ACS, and then you can use ACM to deploy those policies wherever that application runs, if you wish. We're also investing in some shift-left security there; I'll let Connor tackle that. But in addition to what you get with ACS network visualization, we think this is an area that's really important, and we're adding this into the core platform as well, right.
Multi-cluster gateway: again, more and more we're seeing, you know, multiple clusters across our customer environments. Some of them are on premises, some of them are in the cloud, so having a way to manage ingress and egress from a single gateway becomes more important.

Okay, and IP... I just mentioned IPv6 single and dual stack. eBPF, that's something that we're investing in around network observability; eBPF is already something that ACS is using to do additional system data collection. And most of the rest of these are a little bit more performance oriented.

Then, of course, you know, if you have applications that may need to talk with each other across clusters, cross-cluster networking is also important. So at the moment that work is being driven by ACM with Submariner; strong investment there as well. And a little bit more about mesh. So again, I'm sorry, if I go back to Submariner for a minute, that also will enable some IPsec tunnels, or, okay, networking mesh, multi-cluster mesh gives you IPsec.
How many, for you all, does IPsec matter in terms of, you know, north-south traffic in the cluster? Are any of you using IPsec? Not so much yet. So mostly it comes up for me... the customers I hear it from are in the telco space, where the 3GPP regulations tend to require this. And again, service mesh with federation, sounds like that's a little bit...

You know, that's something you all are still thinking about, whether to go to service mesh or not, not ready yet, but when you're ready, we'll have multi-cluster service mesh there as well. And then, of course, with multi-cluster storage: OpenShift Data Foundation Essentials comes with OpenShift Platform Plus; upgrade to OpenShift Data Foundation full enterprise, a couple of things you get. We already have the ability in ODF to encrypt per PV, per persistent volume; additional investments are being made there for encryption on multiple levels.
Out of the box replication, disaster recovery, right. Some people think of security fairly narrowly, but recovery is a key part of your security story. With Quay, again, one of the things we'll be working on... we've already added, thanks to Daniel, support for storing cosign signatures in Quay. ACS has a scanner. So when we acquired StackRox, the StackRox scanner, or the ACS scanner, is built from a fork of Clair. We've been improving Clair over the time since that fork was done, so we now currently have two Clair-based scanners.

We have Clair v4 and we have the ACS scanner. We'll be working in this year to get to one Red Hat Clair-based scanner that has language-based... you know, kind of has the best of both worlds, right.
So if you haven't had a chance to check it out, definitely worth your time. Back to supply chain security: we actually have many features within the product today that you can leverage to design a pipeline that will get you stronger security. So let's start with building that actual cluster, right: how do I deliver my configuration and my policies for the cluster itself?

I can actually build a cloud, a Kube native pipeline that has enough security gates built in that I can meet SLSA level 2 with the features that are coming or are already available. And I don't know if folks are familiar with what's known as SLSA ("salsa"); SLSA is a set of standards for how to ensure that you've got a secure supply chain.

So you can use OpenShift Pipelines, basically Tekton. You can use CodeReady Containers to do a dependency scan in your IDE. I'm sorry, CodeReady Dependency Analytics, with Eclipse Che; supports IntelliJ, VS Code plugins. You can use ACS to... well, you build your image with build tools in OpenShift, you store that image in Quay, use the ACS scanner or the Clair scanner to scan that image for known vulnerabilities. Vulnerabilities are not the only thing you need to think about here, however, so ACS also will analyze configuration data, deployment YAMLs, Helm charts, for things like excess privileges, misconfigurations, embedded secrets. So you really want to have both the vulnerability scanning and the app config data. This is an important part of shifting left and DevSecOps.

So once I've got that ready to go, I can now, you know... Tekton Chains is now a piece of the puzzle. I can attest all the steps in my Tekton, in my OpenShift pipeline. I can use the signing capability with Tekton Chains as part of that attestation, again store my final image in Quay, store the other data and leverage GitOps for that deployment.
Okay, so one of the other big initiatives, and I was not here this morning, so I don't know how much we touched on HyperShift this morning, a little bit, okay. So for me, from the security perspective, what I really like about HyperShift is the separation of the data plane and the control plane that this provides, right.

That is not something that has been available in the Kube community yet, and it is a request that I hear from our more security minded customers. So again, having that ability to have that separation really enables a whole series of use cases that we've not been able to address before, and reduces spend, but also gives you, you know, network trust and segmentation, and again that multi-architecture support.
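The "pods in one OpenShift project can talk to each other but can't go outside that project" policy mentioned in the network policies part of the talk, written out as a Kubernetes NetworkPolicy. This is an added example, not from the talk and not a Red Hat, OpenShift or ACS artifact. The namespace name `team-a`, the DNS namespace `openshift-dns` and the DNS pod port 5353 are assumptions to check against your own cluster.

```yaml
# Added example (not from the talk): confine every pod in one OpenShift
# project (Kubernetes namespace) to same-namespace traffic only.
# "team-a" is an assumed placeholder namespace.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: same-project-only
  namespace: team-a
spec:
  # Empty pod selector: the policy applies to every pod in the namespace.
  podSelector: {}
  # Listing both types makes selected pods default-deny in both directions;
  # anything not explicitly allowed below is dropped.
  policyTypes:
    - Ingress
    - Egress
  ingress:
    # Accept connections only from pods in this same namespace.
    - from:
        - podSelector: {}
  egress:
    # Open connections only to pods in this same namespace ...
    - to:
        - podSelector: {}
    # ... plus cluster DNS, which the egress rule above would otherwise block
    # and which breaks every Service name lookup in the project.
    # Assumption: OpenShift's dns-default pods run in the openshift-dns
    # namespace and listen on 5353 (egress rules match the destination pod's
    # port after Service translation, not the Service's port 53). Verify with:
    #   oc -n openshift-dns get pods -o yaml | grep -A2 containerPort
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: openshift-dns
      ports:
        - protocol: UDP
          port: 5353
        - protocol: TCP
          port: 5353
```

Apply it with `oc apply -f` in the target project and confirm with `oc describe networkpolicy same-project-only -n team-a`. Two practitioner checks follow from the talk's "traffic only goes where you expect" framing: first, a NetworkPolicy only restricts pods it selects, so a namespace with no policy at all stays wide open, which is exactly what the ACS network visualization described above is useful for spotting; second, once egress is locked down, every external dependency (DNS, a registry, a database in another project) has to be added as an explicit egress rule, so test the application's real traffic before rolling the policy out fleet-wide with ACM.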