Thilo Fromm
Thilo started his FOSS life as a Linux kernel developer and systems architect more than 15 years ago. After an initial focus on embedded systems he worked for multiple cloud providers, specialising in virtualization, both as an engineer and in technical management. In early 2019 Thilo joined Kinvolk, adding lower-level OS knowledge to aid our mission of keeping Kubernetes safe and secure.
Session
In late 2017 and throughout 2018 we witnessed the advent of a new class of CPU-level information disclosure vulnerabilities, commonly known as “Spectre”, “Meltdown”, and (later in 2018) “Level 1 Terminal Fault” (“L1TF” in short, also known as “Foreshadow”).
This talk will give a brief introduction to the CPU design concepts involved (speculative and out-of-order execution, caches as a side channel) and how the above-mentioned vulnerabilities exploit them, and will discuss the mitigations available.
After we’ve established (or refreshed) our knowledge of the problem field, the main part of the talk will focus on keeping your Kubernetes clusters secured from those vulnerabilities. We will take a full-stack approach and look at the common OS and container abstraction layers of cloud-native scenarios individually: bare-metal kernel space, user space, (optional) virtualization, and the container runtime. For each layer we discuss its specific weaknesses and the mitigations that apply there.
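As an added example (not part of the talk or of Kinvolk's tooling), the kind of per-node check an operator can run for the bare-metal kernel layer: it reads the status files the Linux kernel exposes under /sys/devices/system/cpu/vulnerabilities (assumed to exist on the node) and singles out the L1TF case where the host is mitigated but guests on the same SMT core are not. The sample values are constructed.

```python
import os

# Constructed sample of what /sys/devices/system/cpu/vulnerabilities/<name>
# contains on a Linux host; the combination below is made up for illustration.
SAMPLE_SYSFS = {
    "meltdown": "Mitigation: PTI",
    "spectre_v1": "Mitigation: usercopy/swapgs barriers and __user pointer sanitization",
    "spectre_v2": "Mitigation: Full generic retpoline, IBPB: conditional, IBRS_FW, STIBP: conditional, RSB filling",
    "l1tf": "Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT vulnerable",
    "spec_store_bypass": "Vulnerable",
    "mds": "Not affected",
}

def classify(name, status):
    """Return (severity, reason) for one sysfs vulnerability entry.

    Severity is 'ok', 'warn' or 'fail': what an operator should act on
    for this node, given the layer at which the mitigation takes effect."""
    if status.startswith("Not affected"):
        return "ok", "hardware not affected"
    if status.startswith("Vulnerable"):
        return "fail", "no mitigation active"
    if status.startswith("Mitigation:"):
        # L1TF is the layered case: PTE inversion protects the host's own
        # user space, but a guest on a VMX host can still read the L1D of a
        # sibling hyperthread unless SMT is off or the hypervisor flushes
        # the L1D cache unconditionally on every VM entry.
        if name == "l1tf" and "SMT vulnerable" in status:
            return "warn", "host mitigated; VM isolation needs SMT disabled or unconditional L1D flushes"
        return "ok", status[len("Mitigation: "):]
    return "warn", f"unrecognised status {status!r}"

def audit(entries):
    """Classify every entry; returns {name: (severity, reason)}."""
    return {name: classify(name, value) for name, value in entries.items()}

def read_sysfs(path="/sys/devices/system/cpu/vulnerabilities"):
    """Read the real sysfs directory on a Linux node; returns {} if absent."""
    result = {}
    if os.path.isdir(path):
        for name in sorted(os.listdir(path)):
            with open(os.path.join(path, name)) as f:
                result[name] = f.read().strip()
    return result

if __name__ == "__main__":
    # Use the node's real values when available, the constructed sample otherwise.
    for name, (severity, reason) in sorted(audit(read_sysfs() or SAMPLE_SYSFS).items()):
        print(f"{severity:4s} {name:18s} {reason}")
```

Run it on every node (for instance from a privileged DaemonSet) and treat any 'fail' as a missing kernel-level mitigation and any 'warn' as a gap that must be closed at the virtualization layer instead.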