Level Up Your Security—A Practical Path from Default to Defended
2020-03-29, 17:00–17:30, Room 2

Do you know everything running in your clusters? Which pods would an attacker get to first, and would
they be able to burrow into the rest of your cluster?

This talk introduces a phased approach you can use to improve your Kubernetes security posture,
whether you’ve already made some progress or are just starting out. Find out practices that make
everyone’s lives easier, like writing useful annotations; controls you can adopt app-by-app, like ingress
network policies, read-only file systems, and resource limits; changes that are self-contained, like limiting
API server network access and replacing cluster-admins; and more. And, learn how you can encourage
security improvements by using enforcement with empathy.

You’ll leave with ideas on how to get your clusters in better security shape using native Kubernetes
controls, and how to stay friends with your teammates in the process.


It can be almost magical to see your Kubernetes cluster doing what you’ve asked it to do the first time.
It’s really easy to stop there and leave your experiment running as root, with a writable file system,
exposed to 0.0.0.0/0, able to talk to any of the other pods or infrastructure components in your cluster.
This is how a lot of apps end up deployed—I’ve seen clusters that still don’t even enable RBAC (by
disabling ABAC)!

The community has built lots of important security controls, but in my experience working with end users
across industries, many users are still don’t take advantage of these features. Wider use of existing
Kubernetes security features would help community members secure their apps and infrastructure;
solidify Kubernetes as a common ground where dev, ops, and security experts can collaborate; and
address an unfortunate perception that our community does not value security.

Whether people are just starting out, or they’re aware of security features but unsure how to make
progress, they can benefit from an action-oriented tour of security improvements. My goal in this talk is
to provide enough information to empower users across the various cloud-native communities—whether
they identify as developers, operators, security practitioners, IT pros, or something else entirely—to spur
security improvements in their own organizations. Kubernetes can be a catalyst and common ground
where we work together across teams to do security better, but only if we know how!