The bypass of k8s network policy
11-17, 17:00–17:30 (UTC), The Gallery

A network policy is a specification of how groups of pods are allowed to communicate with each other and with other network endpoints. Cluster operators use it to segment resources according to organizational policy and to enforce access control based on security requirements. In this talk, we will introduce what network policies and network plugins are, then show how to enforce a network policy to protect a demo application, and finally walk through step-by-step examples of how the network policy can be bypassed in the following scenarios: abuse of privileges, insecure host mounts and misconfiguration of the kubelet. Attendees should come away with an understanding of how to secure a Kubernetes cluster in a holistic way.

Kaizhe Huang is a Security Researcher at Sysdig, where he has spent a lot of time on Kubernetes security research. Previously, as a Senior Security Engineer in the Oracle Database Security Group, he helped build security products including Database Vault, Database Privilege Analyzer and Database Assessment Tool. Kaizhe holds M.S. degrees in Information Security from Carnegie Mellon University.