KubeCon & CloudNativeCon 2020 - Takeaways

Jon Zeolla, Phil Blackburn

The Seiso team recently had the pleasure of virtually attending the 2020 iteration of KubeCon and CloudNativeCon. Even with the new virtual format, there were many great sessions that covered interesting new topics, tools, and practices for Kubernetes and other projects in the cloud native ecosystem.

Among those, we noted a handful of tools and themes that stood out to our team from an adoption and security perspective.

If you’d like to check out any of the talks, most are now available to watch freely on YouTube.

Open Policy Agent

Open Policy Agent (OPA) is a policy engine that is quickly becoming an integral, standard part of the Kubernetes security ecosystem.

Key takeaways:

  • Queries can be run against the engine, which returns a policy decision for a given input, such as whether that input violates a policy.
  • Deployment options include a validating or mutating admission controller endpoint, a sidecar, or an integrated library, so that a container can query the engine about different conditions (e.g. performance or security concerns) and receive a decision in response.
  • OPA can be used to limit what containerized resources are allowed to do and to detect attempted policy violations that could indicate malicious behavior.
  • Related tools like Gateway can apply governance to Kubernetes manifests to control what can or cannot be done.
  • Other similar tools in this space include Regula, Conftest, OPA Gateway Policy Manager, and Konstraint.

We think it’s likely Open Policy Agent will become the de facto way to write Kubernetes security controls, given the number of companies that already seem to be adopting it with interesting use cases.
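To make the "query the engine and receive a decision" pattern concrete, here is an added example (not code from the talks or from the OPA project) of how an application would ask an OPA sidecar for a decision over its REST Data API. It assumes OPA is reachable at http://localhost:8181 and that a policy is loaded under the package path httpapi.authz with a boolean allow rule; the Rego sketched in the comment is an assumption for context and is not evaluated here. The point worth noticing is the fail-closed handling: OPA omits the result key entirely when a rule is undefined, so anything other than a literal true is treated as deny.

```python
"""Query an Open Policy Agent sidecar and interpret the decision fail-closed.

Added example, not from the OPA project. Assumed setup:
  - OPA listens on http://localhost:8181 (assumed sidecar address)
  - a policy like the following is loaded (assumed; shown only for context):
        package httpapi.authz
        default allow = false
        allow { input.method == "GET"; input.path == ["salary", input.user] }
        allow { input.method == "GET"; input.path[0] == "salary"; input.roles[_] == "hr" }
"""
import json
import urllib.request
from typing import Dict, List

OPA_URL = "http://localhost:8181"      # assumed sidecar address
POLICY_PATH = "httpapi/authz/allow"    # assumed package/rule path


def build_input(method: str, path: str, user: str, roles: List[str]) -> Dict:
    """Shape request attributes into the document the policy reads.

    OPA's Data API expects the caller's data wrapped under "input"; the URL
    path is split into segments so the policy can compare them positionally.
    """
    return {
        "input": {
            "method": method.upper(),
            "path": [segment for segment in path.split("/") if segment],
            "user": user,
            "roles": roles,
        }
    }


def decide(opa_response: Dict) -> bool:
    """Turn OPA's Data API response into an allow/deny decision.

    OPA returns {"result": <value>} when the rule evaluates to a value and
    omits "result" when the rule is undefined (no rule body matched, or the
    path names no rule). Only a literal True allows, so a missing policy,
    a typo in POLICY_PATH, or a non-boolean result all fail closed.
    """
    return opa_response.get("result") is True


def query_opa(payload: Dict, base_url: str = OPA_URL,
              policy_path: str = POLICY_PATH) -> bool:
    """POST the input to OPA's Data API and return the decision.

    Transport errors and malformed responses are also treated as deny.
    """
    request = urllib.request.Request(
        f"{base_url}/v1/data/{policy_path}",
        data=json.dumps(payload).encode(),
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    try:
        with urllib.request.urlopen(request, timeout=2) as response:
            return decide(json.load(response))
    except (OSError, ValueError):
        return False


if __name__ == "__main__":
    payload = build_input("GET", "/salary/bob", "alice", ["hr"])
    print(json.dumps(payload, indent=2))
    print("allowed:", query_opa(payload))
```

The same decide() logic applies whether OPA runs as a sidecar or is queried from a library integration; what changes is only the transport.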

Runtime Container Security

One of our favorite projects at Seiso is Falco, an incubating CNCF project that provides runtime container security by monitoring for policy violations and enabling automated responses.

Key takeaways:

  • Falco can be used to detect malicious behavior by monitoring container system calls for policy violations, such as an application attempting to listen on an unauthorized TCP port or attempting to access a privileged file.
  • Policy violations can be responded to in real time using Falco’s APIs.
  • It can enrich kernel-level events with metadata passed from Kubernetes and its underlying containers.
  • Falco relies on a rules engine for specifying the types of events that should be monitored and alerted on.
  • We were particularly impressed by the talk “Bypass Falco” where a core Falco developer showed specific examples of how Falco rules could be subverted.
  • The upcoming SecurityHub site offers Falco rules that can be used to get started quickly.

We see Falco continuing to gain traction as a top contender for runtime monitoring and automated response in Kubernetes clusters.
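As an added illustration of the "detect, then respond" flow described above (this is not code from Falco or from the talks), the following consumes Falco alerts in the newline-delimited JSON form Falco writes when run with -o json_output=true, and maps each alert to a response action using the Kubernetes metadata Falco attaches. The sample events are constructed; the rule names follow Falco's default ruleset, but the pod names, container ids and file paths are made up, and the rule-to-action mapping is an assumed response policy for this example. Alerts that match no mapping but meet the priority threshold are escalated to a human rather than acted on automatically, and malformed lines are skipped so a truncated log does not halt triage.

```python
"""Triage Falco JSON alerts into response actions.

Added example, not Falco's own code. Assumes Falco runs with
``-o json_output=true`` so each alert is one JSON object per line.
"""
import json
from typing import Dict, Iterable, List, Set

# Falco's priority scale, most severe first.
PRIORITIES = ["Emergency", "Alert", "Critical", "Error", "Warning",
              "Notice", "Informational", "Debug"]
RANK = {name: index for index, name in enumerate(PRIORITIES)}

# Assumed response policy for this example: rule name -> action. Rule names
# follow Falco's default ruleset; the actions are this example's own.
RESPONSE_BY_RULE = {
    "Terminal shell in container": "isolate-pod",
    "Read sensitive file untrusted": "isolate-pod",
    "Launch Privileged Container": "notify",
}

# Constructed sample alerts (field values are made up).
SAMPLE_EVENTS = """\
{"output":"11:02:17.000000000: Notice A shell was spawned in a container with an attached terminal (user=root container_id=a1b2c3d4e5f6 shell=bash)","priority":"Notice","rule":"Terminal shell in container","time":"2020-11-20T11:02:17.000000000Z","output_fields":{"container.id":"a1b2c3d4e5f6","k8s.ns.name":"payments","k8s.pod.name":"api-7f9c","proc.name":"bash","user.name":"root"}}
{"output":"11:02:19.000000000: Warning Sensitive file opened for reading by non-trusted program (user=root file=/etc/shadow program=cat container_id=a1b2c3d4e5f6)","priority":"Warning","rule":"Read sensitive file untrusted","time":"2020-11-20T11:02:19.000000000Z","output_fields":{"container.id":"a1b2c3d4e5f6","k8s.ns.name":"payments","k8s.pod.name":"api-7f9c","fd.name":"/etc/shadow","proc.name":"cat","user.name":"root"}}
{"output":"11:05:03.000000000: Informational Privileged container started (user=root container_id=0f0f0f0f0f0f image=registry.example/monitoring-agent)","priority":"Informational","rule":"Launch Privileged Container","time":"2020-11-20T11:05:03.000000000Z","output_fields":{"container.id":"0f0f0f0f0f0f","k8s.ns.name":"monitoring","k8s.pod.name":"node-agent-x2k1","container.image.repository":"registry.example/monitoring-agent"}}
{"output":"11:07:40.000000000: Error Unmapped custom rule fired (container_id=deadbeef0000)","priority":"Error","rule":"Custom rule with no mapping","time":"2020-11-20T11:07:40.000000000Z","output_fields":{"container.id":"deadbeef0000","k8s.ns.name":"default","k8s.pod.name":"batch-9z8y"}}
"""


def parse_events(lines: Iterable[str]) -> List[Dict]:
    """Parse newline-delimited Falco JSON, skipping blank or malformed lines."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a truncated line from a rotating log should not stop triage
    return events


def action_for(event: Dict, min_priority: str = "Warning") -> str:
    """Pick a response for one alert.

    Explicitly mapped rules get their mapped action regardless of priority.
    Anything else at min_priority or more severe is escalated to a human;
    the rest is only logged.
    """
    rule = event.get("rule", "")
    if rule in RESPONSE_BY_RULE:
        return RESPONSE_BY_RULE[rule]
    rank = RANK.get(event.get("priority", ""), len(PRIORITIES))  # unknown -> least severe
    return "escalate" if rank <= RANK[min_priority] else "log"


def workload_key(event: Dict) -> str:
    """Identify the workload from the Kubernetes metadata Falco enriches alerts with."""
    fields = event.get("output_fields", {})
    name = fields.get("k8s.pod.name", fields.get("container.id", "?"))
    return f"{fields.get('k8s.ns.name', '?')}/{name}"


def triage(lines: Iterable[str]) -> List[Dict]:
    """Build a response plan: one entry per alert with workload, rule and action."""
    return [
        {"workload": workload_key(e), "rule": e.get("rule", ""),
         "priority": e.get("priority", ""), "action": action_for(e)}
        for e in parse_events(lines)
    ]


def pods_to_isolate(plan: List[Dict]) -> Set[str]:
    """Workloads that the plan marks for isolation (deduplicated)."""
    return {entry["workload"] for entry in plan if entry["action"] == "isolate-pod"}


if __name__ == "__main__":
    plan = triage(SAMPLE_EVENTS.splitlines())
    for entry in plan:
        print(f"{entry['action']:<12} {entry['priority']:<14} {entry['workload']:<28} {entry['rule']}")
    print("isolate:", sorted(pods_to_isolate(plan)))
```

In a real deployment the plan would be handed to whatever performs the response (for instance a NetworkPolicy that isolates the pod); the triage step is kept separate here so the decision logic can be tested without touching the cluster.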

Cloud Native Monitoring and Dependency Mapping

We noticed a couple of projects pushing new advances in cloud native security monitoring and dependency mapping.

Key takeaways:

  • Cartography from Lyft uses dependency graphs between applications and events to track relationships that might not otherwise be clear.
  • Forming relationships between disparate applications within the same ecosystem was framed as a response to the typical malicious actor’s perspective, captured by the quote “Defenders think in lists, attackers think in graphs”.
  • Aqua Security’s Starboard is an upcoming kubectl plugin that combines disparate security tools into a single interface and generates unified reports.

Container Image Scanning

Just as we recommend dynamic and static scanning of software, we’re excited to see solutions for security testing container images becoming more prevalent.

Key takeaways:

  • Tools such as Trivy from Aqua Security can be used, similarly to DAST, to detect container vulnerabilities via run-time testing.
  • Trivy is CI-ready and can be used for detecting and reporting vulnerabilities before deploying a new image. In fact, we use it in some of our open source tools (like this one!).
  • Related tools like Tracee (also from Aqua) can be used to capture live memory from a running container, which could be extremely valuable for incident response.
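To show what "detecting and reporting vulnerabilities before deploying a new image" looks like as a CI gate, here is an added example (not code from Trivy, Aqua or the talks) that reads a Trivy JSON report and fails the build on findings at or above a severity threshold. It assumes the report was produced with trivy image --format json --output report.json <image>; Trivy's own --severity, --exit-code and --ignore-unfixed flags cover the simple case, and doing the same in code is useful when you also want a time-boxed allowlist that forces accepted findings to be re-reviewed. The sample report is constructed, with placeholder CVE identifiers, and handles both the newer report shape (results under Results) and the older one (a bare list of results).

```python
"""Gate a CI build on a Trivy image scan report.

Added example, not Trivy's own code. Expects the JSON produced by
``trivy image --format json --output report.json <image>``.
"""
import json
import sys
from datetime import date
from typing import Dict, Iterable, List, Optional

SEVERITY_ORDER = ["UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL"]

# Constructed sample report in the shape Trivy emits. CVE ids are placeholders.
SAMPLE_REPORT = {
    "ArtifactName": "registry.example/app:1.2.3",
    "ArtifactType": "container_image",
    "Results": [
        {
            "Target": "registry.example/app:1.2.3 (alpine 3.12.0)",
            "Type": "alpine",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-XXXX-0001", "PkgName": "openssl",
                 "InstalledVersion": "1.1.1g-r0", "FixedVersion": "1.1.1h-r0",
                 "Severity": "HIGH", "Title": "placeholder finding"},
                {"VulnerabilityID": "CVE-XXXX-0002", "PkgName": "musl",
                 "InstalledVersion": "1.1.24-r9",
                 "Severity": "MEDIUM", "Title": "placeholder finding"},
                {"VulnerabilityID": "CVE-XXXX-0003", "PkgName": "busybox",
                 "InstalledVersion": "1.31.1-r19",
                 "Severity": "CRITICAL", "Title": "placeholder, no fix yet"},
            ],
        },
        # Trivy emits null rather than [] when a target has no findings.
        {"Target": "app/requirements.txt", "Type": "pip", "Vulnerabilities": None},
    ],
}

# Assumed time-boxed allowlist: an accepted finding expires and must be
# re-reviewed, so risk acceptance cannot silently become permanent.
ALLOWLIST = {"CVE-XXXX-0001": date(2021, 1, 31)}


def severity_rank(severity: str) -> int:
    """Unknown or missing severities rank lowest rather than raising."""
    return SEVERITY_ORDER.index(severity) if severity in SEVERITY_ORDER else 0


def iter_vulns(report) -> Iterable[Dict]:
    """Yield every finding, tagged with its target, from either report shape."""
    results = report.get("Results", []) if isinstance(report, dict) else report
    for result in results or []:
        for vuln in result.get("Vulnerabilities") or []:
            yield {**vuln, "Target": result.get("Target", "")}


def failing_findings(report, threshold: str = "HIGH", ignore_unfixed: bool = False,
                     today: Optional[date] = None) -> List[Dict]:
    """Findings that should fail the build under the given policy.

    ignore_unfixed mirrors Trivy's --ignore-unfixed: skip findings with no
    FixedVersion, since nothing can be done about them yet.
    """
    today = today or date.today()
    minimum = severity_rank(threshold)
    failing = []
    for vuln in iter_vulns(report):
        if severity_rank(vuln.get("Severity", "UNKNOWN")) < minimum:
            continue
        if ignore_unfixed and not vuln.get("FixedVersion"):
            continue
        expiry = ALLOWLIST.get(vuln.get("VulnerabilityID"))
        if expiry and today <= expiry:
            continue  # accepted and not yet expired
        failing.append(vuln)
    return failing


def gate(report, **policy) -> int:
    """Print failing findings and return the process exit code (0 pass, 1 fail)."""
    failing = failing_findings(report, **policy)
    for vuln in failing:
        fix = vuln.get("FixedVersion") or "no fix available"
        print(f"{vuln['Severity']:<9} {vuln['VulnerabilityID']:<16} {vuln['PkgName']} "
              f"{vuln['InstalledVersion']} -> {fix}  [{vuln['Target']}]")
    return 1 if failing else 0


if __name__ == "__main__":
    report = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_REPORT
    sys.exit(gate(report))
```

Run it as python gate.py report.json after the Trivy scan; with no argument it evaluates the constructed sample and exits non-zero because of the unfixed CRITICAL finding.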