Top Security Talks from KubeCon Europe 2023

KubeCon Europe is the largest open-source community conference in Europe with hundreds of talks. We picked our favorite Kubernetes security sessions available online.


KubeCon + CloudNativeCon Europe 2023 took place last week in Amsterdam with over 10,000 attendees, nearly 280 sessions, and multiple keynote speeches. All the conference’s videos have been released on YouTube.

Here are some of our favorite KubeCon 2023 talks:

Can You Keep a Secret? on Secret Management in Kubernetes – Nearly every production application depends on secrets. Gal Cohen and Liav Yona from Firefly give an overview of the use cases and challenges of secrets in Kubernetes (base64-encoded Secret objects in etcd, secrets baked into images or environment variables, rotation) and then discuss the benefits of external secret store providers before delving into the Secrets Store CSI Driver, which mounts secrets from such a provider into the pod as a volume instead of storing them as Kubernetes Secret objects. Both the architecture walkthrough and the demo are extremely helpful to practitioners.

Practical Challenges with Pod Security Admission – PodSecurityPolicy (PSP) was removed in Kubernetes 1.25, so now is the time to migrate to the Pod Security Standards (PSS) enforced by the built-in Pod Security Admission (PSA) controller. The problem is that many workloads require some degree of privilege that does not map cleanly onto the three PSS profiles (privileged, baseline, restricted). In this timely talk, V. Körbes and Christian Schlotter from VMware walk through migrating workloads to Pod Security Admission and describe the steps needed to identify which workloads break, using node-level deployments and the Container Storage Interface (CSI) controller as examples. It is gratifying that a technical process as complex as PSP migration is getting the attention it deserves.
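The staged rollout the talk argues for can be expressed entirely with namespace labels. The manifest below is an added example, not material from the talk: it enforces the baseline profile immediately while only warning and auditing against restricted, so non-compliant pods show up in kubectl warnings and the API audit log before enforcement is tightened. The namespace name and the pinned version are assumptions.

```yaml
# Added example (not the speakers' code): a namespace that enforces the
# "baseline" Pod Security Standard while warning and auditing against
# "restricted". Namespace name and the pinned Kubernetes version are hypothetical.
apiVersion: v1
kind: Namespace
metadata:
  name: payments
  labels:
    # Reject pods that violate baseline (privileged, hostPID/hostNetwork,
    # hostPath volumes, unsafe sysctls, and so on).
    pod-security.kubernetes.io/enforce: baseline
    # Pin the profile definition so a cluster upgrade cannot silently change
    # what is enforced.
    pod-security.kubernetes.io/enforce-version: v1.26
    # Return a warning to the client for anything that would fail restricted
    # (running as root, allowPrivilegeEscalation, missing seccomp profile,
    # capabilities other than NET_BIND_SERVICE).
    pod-security.kubernetes.io/warn: restricted
    pod-security.kubernetes.io/warn-version: v1.26
    # Annotate the API audit event for the same violations.
    pod-security.kubernetes.io/audit: restricted
    pod-security.kubernetes.io/audit-version: v1.26
```

Before moving enforce up to restricted, `kubectl label --dry-run=server --overwrite ns payments pod-security.kubernetes.io/enforce=restricted` evaluates every existing pod in the namespace against the new level and prints the ones that would be rejected, without changing anything. Namespaces that legitimately need privilege, such as the ones hosting node agents or a CSI controller, are usually left at privileged or exempted in the PodSecurity AdmissionConfiguration rather than forced into a profile they cannot meet.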

Least Privilege Containers: Keeping a Bad Day from Getting Worse – “Don’t run containers as root” is a security mantra that has been with us for years. Nevertheless, most containers still run as root, because migrating existing images is painful and many processes expect privileges they do not strictly need. Greg Castle and Vinayak Goyal from Google share their perspective on migrating GKE containers to non-root at scale. They explain the challenges they faced and the design choices behind their solutions. The last part of the talk is devoted to an increasingly relevant topic: Kubernetes support for user namespaces, which maps a container’s UIDs onto an unprivileged range on the node so that even a root process inside the container is not root on the host, and why that is a potential game changer for container security.
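What a non-root, least-privilege pod actually looks like in a manifest is worth spelling out. The example below is added here and is not code from the talk; it satisfies the restricted Pod Security Standard and additionally opts into user namespaces. The image name, UID and port are hypothetical, and `hostUsers: false` is an alpha field (Kubernetes 1.25 and later) that requires the corresponding feature gate to be enabled on the cluster.

```yaml
# Added example (not the speakers' code): a pod that passes the "restricted"
# Pod Security Standard and runs without root. Image, UID and port are hypothetical.
apiVersion: v1
kind: Pod
metadata:
  name: app
spec:
  # Alpha since Kubernetes 1.25 (feature gated): run the pod in its own user
  # namespace so UIDs inside the container map to an unprivileged host range.
  # Even a UID 0 process inside the container is then not root on the node.
  hostUsers: false
  securityContext:
    runAsNonRoot: true      # kubelet refuses to start a container that would run as UID 0
    runAsUser: 10001        # explicit UID, so the image does not need a USER directive
    runAsGroup: 10001
    fsGroup: 10001          # mounted volumes are group-owned by 10001 so the process can write
    seccompProfile:
      type: RuntimeDefault  # required by restricted; blocks rarely used syscalls
  containers:
  - name: app
    image: registry.example.com/app:1.0   # hypothetical image
    securityContext:
      allowPrivilegeEscalation: false     # no setuid/setgid binaries or file capabilities gaining privilege
      readOnlyRootFilesystem: true        # writes only go to explicitly mounted volumes
      capabilities:
        drop: ["ALL"]                     # add back only what is needed, e.g. NET_BIND_SERVICE
    ports:
    - containerPort: 8080                 # unprivileged port; <1024 would need NET_BIND_SERVICE
    volumeMounts:
    - name: tmp
      mountPath: /tmp
  volumes:
  - name: tmp
    emptyDir: {}                          # scratch space, since the root filesystem is read-only
```

The usual migration failures are all visible here: a process that writes to a path other than a mounted volume fails under `readOnlyRootFilesystem`, one that binds port 80 fails without `NET_BIND_SERVICE`, and one whose files are owned by root fails under `runAsUser: 10001`. Fixing each of those in the image rather than loosening the manifest is the point of the talk.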

Canals and Bridges: Using Amsterdam’s Transit System to Secure K8s Networks – Cailyn Edwards from Shopify provides a fresh take on Kubernetes by comparing it to the Amsterdam canal system. The analogy proves effective in explaining general Kubernetes security controls, with an emphasis on securing network traffic between components. Her demo uses Inspektor Gadget to show how easy it is to derive a seccomp profile and a network policy from a workload’s observed behavior. This is a useful talk for those looking to upgrade their cluster security via stricter policies.

What Can Go Wrong When You Trust Nobody? Threat Modeling Zero Trust – In another solid threat modeling session from ControlPlane, James Callaghan and Richard Featherstone model the threats to a Zero Trust environment. Their demos are especially valuable in showing how the security controls chosen in the mitigation stage (including SPIRE for workload identity and OPA for policy enforcement) are applied in practice.

Last but not least, if you run managed GKE, AKS, or EKS clusters and want to know what kind of security risks they carry, you are invited to watch our talk, Cluster Grey Zone: Risks in Managed Cluster Middleware. It sheds light on an overlooked attack surface in managed Kubernetes clusters and walks through attack chains originating from the provider-installed middleware components that you might not be aware of.

This has been both the largest KubeCon + CloudNativeCon and the largest open-source conference in Europe so far, with 58% of participants attending for the first time. Given the rapid growth this community has been experiencing, we are sure there are more record-breaking events to come.

We are now looking ahead to the next conference: KubeCon NA in Chicago.
