Dimitrij Klesev & Andreas Zeissner

Enhancing Workload Security in Kubernetes

A single blocked syscall can prevent a file-less memory attack. Learn how to automate this level of security across your Kubernetes cluster with the Security Profiles Operator.

Enhancing Workload Security in Kubernetes
#1about 3 minutes

Understanding the Kubernetes securityContext for workloads

The securityContext field in a pod specification allows you to define privilege and access control settings for a pod or container.

#2about 4 minutes

Restricting kernel system calls with seccomp profiles

Seccomp profiles enhance security by allowing you to explicitly define which kernel system calls a containerized workload is permitted to make.

#3about 4 minutes

Hardening file system access with AppArmor profiles

AppArmor provides mandatory access control by defining profiles that restrict application capabilities like file reads, writes, and network access.

#4about 6 minutes

Implementing fine-grained control with SELinux contexts

SELinux uses a labeling system to enforce mandatory access control policies, providing granular control over process and object interactions.

#5about 2 minutes

Automating security with the Security Profiles Operator

The Security Profiles Operator simplifies the management and distribution of seccomp, AppArmor, and SELinux profiles across all nodes in a Kubernetes cluster.

#6about 5 minutes

Demo of blocking an in-memory execution attack

A live demonstration shows how a seccomp profile can block the `memfd_create` system call to prevent a fileless malware execution attack.

#7about 3 minutes

Demo of managing seccomp with the operator

This demo illustrates how the Security Profiles Operator uses a `ProfileBinding` to automatically apply a seccomp profile to workloads based on their image.

#8about 8 minutes

Demo of troubleshooting SELinux permissions

A practical demonstration shows how SELinux denies access by default and how to use audit logs and tools like `audit2allow` to diagnose and create new policies.

#9about 8 minutes

Q&A on AppArmor, fileless attacks, and eBPF

The speakers answer audience questions about applying AppArmor profiles, the nature of fileless malware, discovering system calls, and the role of eBPF.

Related jobs
Jobs that call for the skills explored in this talk.

Matching moments

Q&A on managed Kubernetes security in the cloud
02:52 MIN

Q&A on managed Kubernetes security in the cloud

Kubernetes Security - Challenge and Opportunity

Centralizing security services in a Kubernetes ecosystem
02:04 MIN

Centralizing security services in a Kubernetes ecosystem

DevSecOps: Security in DevOps

Understanding the Kubernetes threat landscape and adversaries
08:13 MIN

Understanding the Kubernetes threat landscape and adversaries

Hacking Kubernetes: Live Demo Marathon

The prevalence and impact of Kubernetes security incidents
01:27 MIN

The prevalence and impact of Kubernetes security incidents

Kubernetes Security Best Practices

Identifying common Kubernetes security vulnerabilities
04:28 MIN

Identifying common Kubernetes security vulnerabilities

Kubernetes Security - Challenge and Opportunity

Addressing unique data protection challenges in Kubernetes
03:37 MIN

Addressing unique data protection challenges in Kubernetes

It's all about the Data

Security best practices for containers and Kubernetes
06:25 MIN

Security best practices for containers and Kubernetes

Microservices: how to get started with Spring Boot and Kubernetes

Moving from perimeter defense to workload microsegmentation
03:04 MIN

Moving from perimeter defense to workload microsegmentation

You can’t hack what you can’t see

Featured Partners

Related Videos

See all videos
Kubernetes Security - Challenge and Opportunity
42:45

Kubernetes Security - Challenge and Opportunity

Marc Nimmerrichter

Hacking Kubernetes: Live Demo Marathon
46:36

Hacking Kubernetes: Live Demo Marathon

Andrew Martin

DevSecOps: Security in DevOps
33:20

DevSecOps: Security in DevOps

Aarno Aukia

A practical guide to writing secure Dockerfiles
42:25

A practical guide to writing secure Dockerfiles

Madhu Akula

You can’t hack what you can’t see
29:34

You can’t hack what you can’t see

Reto Kaeser

Securing secrets in the GitOps Era
58:52

Securing secrets in the GitOps Era

Davide Imola

Kubernetes Security Best Practices
23:08

Kubernetes Security Best Practices

Rico Komenda

Securing Your Web Application Pipeline From Intruders
44:30

Securing Your Web Application Pipeline From Intruders

Milecia McGregor

Related Articles

View all articles
Learning Kubernetes made easy with KubeCampus
Learning to use Kubernetes? KubeCampus by Kasten offers free educational content for all skill levels to get you started!Kubernetes is an open-source system for deploying, scaling and managing containerized applications. It allows you to deploy your ...
Learning Kubernetes made easy with KubeCampus
Chris Heilmann
Dev Digest 138 - Are you secure about this?
Hello there! This is the 2nd "out of the can" edition of 3 as I am on vacation in Greece eating lovely things on the beach. So, fewer news, but lots of great resources. Many around the topic of security. Enjoy! News and ArticlesGoogle Pixel phones t...
Dev Digest 138 - Are you secure about this?
Chris Heilmann
Dev Digest 134 - Where pixels sing?
News and ArticlesWeAreDevelopers LIVE Data and Security Day is on Wednesday, 25/09/2024. Learn about OPC UA Updates, Best Practices for Using GitHub Secrets, Passwordless Web 1.5, Emerging AI Security Risks, Data Privacy in LLMs and get a chance to t...
Dev Digest 134 - Where pixels sing?
Dev Digest 105 - Security First
Last Friday's Dev Digest was mostly about security and game topics, so let's take a look what you didn't get in your inbox. We also covered some brand new online courses to get started as a developer or refresh your knowledge. And we wrapped up CODE1...
Dev Digest 105 - Security First

From learning to earning

Jobs that call for the skills explored in this talk.