Oshrat Nir

Ben Hirschberg
Ben is a veteran cybersecurity and DevOps professional, as well as computer science lecturer. Today, he is the co-founder at ARMO, with a vision of making end-to-end Kubernetes security simple for everyone, and a core maintainer of the open source Kubescape project. He teaches advanced information security academically in both undergrad and graduate courses. In his previous capacities, he has been a security researcher and architect, pen-tester and lead developer at Cisco, NDS and Siemens.

The speaker's profile picture

Sessions

10-23
15:00
30min
Everything You Want to Know about Kubernetes RBAC and Were Too Afraid to Ask
Oshrat Nir

Role-based Access Control (AKA RBAC) is a continuous challenge with the growing complexity of cloud native operations, the sheer number of services involved, as well as the privileges required to manage and maintain complex systems with today's ironclad SLAs. Many modern microservices systems are built upon Kubernetes that has its own unique set of RBAC challenges.

In this talk I'll walk through some of the challenges with managing RBAC at scale in Kubernetes operations - from common mistakes (cluster-admin anyone?) and misconfigurations, as well as overly privileged roles including unnecessary access to secrets. Amir, as a Kubernetes RBAC expert will cover all the questions you always wanted to ask and never dared, such as including how to assign access to secrets (both from a technical and organizational perspective), who should be allowed to delete pods, as well as the age-old question of who really should be allowed to have cluster-admin access. We'll wrap up with some hard-earned tips for how to architect RBAC best-practices into your systems, and some good open source tools to manage privileges and access in the long term.

Main Room
10-23
18:15
5min
Demystifying Kubernetes Vulnerability Scanning
Oshrat Nir

Security like all technology disciplines has its buzzwords. You'll often hear acronyms like SAST, SCA, DAST, and much moreā€¦but what does it all really mean?

In this talk we will review the many kinds of vulnerability scanning with a focus on Kubernetes security scanning. We'll help you understand what kinds of vulnerabilities you can as well as cannot identify with these tools. We'll review some of the popular open source security scanning tools in the ecosystem, and help you understand where you can use each and what to scan - registries, clusters, CI/CD. This will be demoed through real code examples and scanning scenarios.

Main Room