Get Past the Default Configs: Lessons from the k8s Security Audit
11-16, 10:25–10:55 (UTC), The Gallery

The Kubernetes security audit turned up some bugs in Kubernetes, but did you know it also includes important security advice for end users? Find out about the security recommendations from the audit and learn how you can apply them in your apps today.


Once you get your Kubernetes deployments and services up, it’s tempting to take a break. But don’t stop with the default configurations—k8s has a ton of built-in options and features you can use to improve your security.

Using the Kubernetes security audit whitepaper as a guide, we’ll discuss what controls you can apply to make your apps more secure. We’ll pick apart the pod and container security context and see how to run deployments with read-only root filesystems, non-root users, and a minimal set of Linux capabilities. Then we’ll dig into features like network policies, RBAC, and admission control; configs like resource requests and limits; and practices like namespacing and consistent metadata (labels and annotations). And, of course, we’ll learn how these help you deliver a more reliable and secure app.
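As an added illustration of the controls listed above (this manifest is not from the talk or its slides), here is a Deployment that applies the security-context settings, resource limits, namespacing and consistent labels, paired with a NetworkPolicy that restricts the pod to one caller and DNS egress. The namespace, image, port and caller labels are placeholders; RBAC and admission control are left out because they are cluster-level objects rather than app manifests.

```yaml
# Added example (not from the talk or its slides): a Deployment that applies
# the controls named in the abstract, paired with a NetworkPolicy.
# Namespace, image, port and the "frontend" caller label are placeholders.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: example-api
  namespace: payments                 # namespacing: one namespace per app or team
  labels:                             # consistent metadata; also used by selectors below
    app.kubernetes.io/name: example-api
    app.kubernetes.io/part-of: payments
spec:
  replicas: 2
  selector:
    matchLabels:
      app.kubernetes.io/name: example-api
  template:
    metadata:
      labels:
        app.kubernetes.io/name: example-api
        app.kubernetes.io/part-of: payments
    spec:
      automountServiceAccountToken: false   # no API credentials in the pod unless needed
      securityContext:                      # pod-level security context
        runAsNonRoot: true                  # kubelet refuses to start a root process
        runAsUser: 10001
        runAsGroup: 10001
        fsGroup: 10001
        seccompProfile:
          type: RuntimeDefault              # runtime's default syscall filter
      containers:
      - name: api
        image: registry.example.com/payments/example-api:1.4.2   # placeholder image
        ports:
        - containerPort: 8080               # unprivileged port, so NET_BIND_SERVICE is not needed
        securityContext:                    # container-level security context
          allowPrivilegeEscalation: false   # blocks setuid binaries gaining privileges
          readOnlyRootFilesystem: true      # a compromised process cannot modify the image
          capabilities:
            drop: ["ALL"]                   # start from zero capabilities
        resources:
          requests:
            cpu: 100m
            memory: 128Mi
          limits:                           # bounds the damage of a runaway or abused pod
            cpu: 500m
            memory: 256Mi
        volumeMounts:
        - name: tmp
          mountPath: /tmp                   # writable scratch space the read-only root fs no longer gives
      volumes:
      - name: tmp
        emptyDir: {}
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: example-api
  namespace: payments
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/name: example-api   # same labels as the Deployment above
  policyTypes: ["Ingress", "Egress"]        # listing both makes unlisted traffic default-deny
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app.kubernetes.io/name: frontend  # placeholder: the only pods allowed to call the API
    ports:
    - protocol: TCP
      port: 8080
  egress:
  - to:
    - namespaceSelector: {}                 # any namespace, but only the cluster DNS pods
      podSelector:
        matchLabels:
          k8s-app: kube-dns
    ports:
    - protocol: UDP
      port: 53
```

Apply it with `kubectl apply -f` and check the result from inside a pod: `kubectl exec` into the container and run `id` (uid 10001, not root) and `touch /etc/test` (fails with a read-only filesystem error). Two caveats a practitioner should expect: the container image must already work as a non-root user with only `/tmp` writable, or the pod will crash-loop, and the NetworkPolicy is only enforced if the cluster's CNI plugin implements network policies; on a CNI that does not, the object is accepted and silently ignored.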

Using all we’ve learned, we’ll see how native Kubernetes security controls help you block entire classes of vulnerabilities in a live demonstration.

See also: Slides (6.2 MB)

Connor Gilbert is a product manager at StackRox, a Kubernetes security company. He recently spoke at BSides SF about achieving least-privilege configurations in Kubernetes, hosted a CNCF webinar on operationalizing Kubernetes security controls, and co-presented on related security threats at Google Next. Connor previously worked in software engineering at StackRox. Before that, as Security Research Scientist at Qadium (now Expanse), he built tools to uncover network perimeter exposures and conducted DARPA Internet security research. His formal training is in computer science. He first discovered Kubernetes in 2015 and has been using it ever since.