Config Management Camp

5 - 7 February, 2018

Gent, Belgium

Kubernetes Security Best Practices

Ian Lewis

Containers give developers the ability to isolate applications from one another, but that’s not enough. Resource isolation is much different from security isolation. How do we make applications deployed in containers more secure? How do we apply existing tools like SELinux, AppArmor, and seccomp to our containers running in Kubernetes? How can we apply policy to our network and services to make sure applications only have access to what they need and nothing more?

Kubernetes provides the ability to secure containers, and secure access to the API. But it also has a flexible enough architecture to allow for applying network and service policy to various pods and services.

In this talk we will learn about the risks and attack surfaces and how to use tools like SELinux, AppArmor, and seccomp to improve the security of containers deployed in Kubernetes. We’ll then go up the stack and learn how to apply network policy to containers to further improve security. Finally, we will look at the Istio service mesh and how we can add authentication, mutual TLS, and access policies to whole services, greatly reducing application attack surfaces.

About Speaker

Ian is originally from Washington DC but has been living in Tokyo since 2006. In 2008 he joined BeProud and has been active in the Python community. In 2011 he founded the PyCon JP conference with other Python developers. He also designed and developed the popular IT event website connpass.com. Ian is currently a Developer Advocate on the Google Cloud Platform team in Tokyo. He loves Python, Go, and container technology. He helps run the Kubernetes Meetup in Tokyo and blogs at www.ianlewis.org.