This document provides an overview of attacking and defending Kubernetes clusters. It begins with introductions to containers, container orchestration with Kubernetes, and Kubernetes architecture and components. It then discusses the Kubernetes threat model and common attack vectors such as compromising nodes, pods, and secrets. The document outlines Kubernetes authentication and authorization methods like RBAC and discusses admission controllers. It covers securing Kubernetes with practices like pod security policies and network policies. Finally, it notes some limitations and gotchas regarding secrets management in Kubernetes.
This document provides an overview of Shield security for Elasticsearch. It discusses security requirements like preventing unauthorized access and preserving data integrity. It then describes alternative security approaches before focusing on Shield features such as IP filtering, authentication using realms, authorization with role-based access control, node authentication and encryption, and auditing. The document concludes with a demo and Q&A section.
This document discusses various methods for web security including HTTP authentication using usernames and passwords, digest authentication as an improvement over basic authentication, secure sockets layer (SSL) for encrypting communications, and the Java cryptographic packages including JCE for encryption/decryption, JSSE for SSL/TLS support, JAAS for authentication and authorization, Java GSS API for Kerberos support, and the Java Certification Path API for validating certificate chains.
Building IAM for OpenStack, presented at CIS (Cloud Identity Summit) 2015.
Discuss Identity Sources, Authentication, Managing Access and Federating Identities
Quick overview of Openstack architectureToni Ramirez
The document provides an overview of OpenStack, including:
- OpenStack is an open source cloud computing platform consisting of interrelated components that provide infrastructure as a service.
- The major components are Nova (compute), Glance (image), Swift (object storage), Cinder (block storage), Quantum (networking), Keystone (identity), and Horizon (dashboard).
- Each component has multiple sub-components that work together to provide services like compute, storage, networking, and identity/access management.
Security is often an afterthought; configured and applied at the last minute before rolling out a new system. Instaclustr has deployed Cassandra for customers with many different requirements.
From deployments in Heroku requiring total public access through to private data centres, we will walk you through securing Cassandra the right way.
Emad Alashi presented on RBAC in Azure Kubernetes Service (AKS). The presentation covered how RBAC works in both Azure Active Directory and Kubernetes, and how OAuth2 device flow authentication can be used to authenticate Kubernetes clients like Kubectl. Device flow allows authentication of CLI tools by redirecting the user to a browser to authenticate, then receiving an access token to use with the Kubernetes API.
Keystone is the OpenStack identity service that provides user, project and service catalog management. It implements the OpenStack Identity API. Keystone has four internal services - Identity, Token, Catalog and Policy. It uses a pluggable backend architecture that allows different storage backends. Keystone provides authentication for users and services in OpenStack and maps users to their authorized projects and roles.
Uploading the presentation given at the OpenStack Summit, Austin in April, 2016. The video link is here ,
https://www.openstack.org/videos/video/multi-tenancy-for-docker-containers-with-keystone-and-adding-quota-limits
CIS 2015- Building IAM for OpenStack- Steve MartinelliCloudIDSummit
The document discusses identity and access management (IAM) in OpenStack, focusing on the Keystone service. It provides an overview of Keystone and describes how it handles authentication, authorization, and identity management. It also discusses the different identity sources that Keystone supports, such as SQL, LDAP, and multiple backends. Authentication methods covered include password, token, and federated identity. Large scale deployments of Keystone are also described.
This document provides an overview of how to build secure architectures on AWS. It discusses modeling an on-premises network architecture in AWS, securing the cloud network using security groups and IAM roles, migrating to a serverless architecture with API Gateway and Lambda, securing the serverless components with encryption and authentication, and connecting to the on-premises network using VPN or Direct Connect. It also reviews the cloud architecture against the Cloud Adoption Framework and discusses next steps to learn more about the AWS Well-Architected Framework.
OpenStack Neutron Havana Overview - Oct 2013Edgar Magana
Presentation about OpenStack Neutron Overview presented during three meet-ups in NYC, Connecticut and Philadelphia during October 2013 by Edgar Magana from PLUMgrid
Prowler: Cloud Security Assessment, Auditing, Hardening, Compliance and Forensics Readiness Tool
Prowler helps to assess, audit and harden your AWS account configuration and resources. It also helps to check your configuration with CIS recommendations, and check if your cloud infrastructure is GDPR compliance or if you are ready for a proper forensic investigation. It is a command line tool that provides direct and clear information about configuration status related to security of a given AWS account, it performs more than 80 checks.
Ci/CD - Stop wasting time, Automate your deploymentsJerry Jalava
- Using CI/CD (continuous integration and continuous delivery) automates deployments and saves time and money while improving reliability.
- There are multiple CI/CD tool options with different capabilities for source code management, target systems like Kubernetes, and deployment approaches. Consider your specific code, infrastructure, and deployment needs.
- Google Cloud Build is demonstrated for automating builds, tests, and deployments to Cloud Run and Kubernetes Engine from source code in a Git repository with triggers on code changes.
This document provides guidance on designing secure Azure solutions. It discusses key considerations for infrastructure, topology, identity, authorization, data protection, logging/auditing, key management, and compliance. Specific recommendations are given for securing infrastructure, operating systems, application topology, passwords, access control, encryption, database access, logging, and key vault usage. Compliance with standards like ISO 27001 and audit requirements are also addressed.
Kerberoasting has become the red team’s best friend over the past several years, with various tools being built to support this technique. However, by failing to understand a fundamental detail concerning account encryption support, we haven’t understood the entire picture. This talk will revisit our favorite TTP, bringing a deeper understanding to how the attack works, what we’ve been missing, and what new tooling and approaches to kerberoasting exist.
The Blockchain for the Internet of Things (IoT) has considered to "change the future." Despite a myriad of studies on the blockchain IoT, few studies have investigated how an IoT blockchain system develops with open source technologies, open standards, web technologies, and a p2p network. In this presentation, Jollen will share the Flowchain case study, an open source IoT blockchain project in Node.js; he will discuss the practice, the technical challenges, and the engineering experiences. Furthermore, to provide the real-time data transaction capabilities for current IoT requirements, he will utilize the "virtual block" idea to facilitate such technical challenges.
In this webinar, we review the benefits of deploying a microservices architecture with Cassandra as your backbone in order to ensure your applications become incredibly reliable. We discuss in detail:
- How to create microservices in Node.js with ExpressJs and Seneca
- Tuning the Node.js driver for Cassandra: error handling, load balancing and degrees of parallelism
- Additional best practices to ensure your systems are highly performant and available
The sample service is available on GitHub: https://github.com/jorgebay/killr-service
12 Ways Not to get 'Hacked' your Kubernetes ClusterSuman Chakraborty
Kubernetes enable enterprises to automate many aspects of application deployment, providing tremendous business benefits. This talk aims to discuss best practices around Kubernetes security and how threats and exploits can be mitigated, minimizing service disruption on Kubernetes platform.
This document provides an overview of Keystone, the OpenStack identity service. It discusses key Keystone concepts like projects, domains, actors (users and groups), service catalogs, and identity providers. It also covers token types in Keystone including UUID, PKI, and Fernet tokens. The document outlines Keystone's architecture and APIs. It describes how tokens are used to authenticate to OpenStack services and how the service catalog provides endpoint information. Troubleshooting tips are also provided like checking Keystone logs and enabling debug output.
This document provides an overview of Kubernetes security concepts including the Kubernetes attack surface, TLS certificates, securing the Kubelet and etcd, authentication, authorization, admission controllers, tooling landscape, pod security policies, network policies, and secrets. It discusses key configuration recommendations and checks for securing different components like disabling privileged mode, setting TLS certificates, CIS benchmarks for etcd, and authentication methods in Kubernetes. The different types of admission controllers and CNCF security tooling are also briefly introduced.
This document provides an overview of Kasun Madura Rathnayaka and his experience with Kubernetes and AWS. It then lists 10 best practices for securing Kubernetes clusters deployed on AWS: 1) Update Kubernetes to the latest stable version, 2) Harden node security, 3) Secure cloud metadata access, 4) Enable role-based access control, 5) Secure Tiller or Helm 3, 6) Secure container image and registry usage, 7) Assess container privileges, 8) Implement auditing and alerts, 9) Consider deployment and runtime security, and 10) Properly manage credentials and secrets. Specific techniques are provided for implementing each best practice.
Runcy Oommen discusses security for cloud native workloads and containers. Some key points include:
1) The shared responsibility model where cloud providers and customers both have responsibilities for security.
2) Securing the container lifecycle from build to deploy to run through measures like limiting access, resource management, and network segmentation.
3) Kubernetes security improvements such as disabling anonymous authentication, configuring admission controllers, pod security policies, enabling RBAC, and using network policies.
This document provides an overview and summary of key releases and features for Azure Kubernetes Service (AKS) in 2019. It begins with introductions from the author and describes the major AKS releases for 2019, including availability zones, multiple node pools, cluster autoscaler, network policy, and more. It also summarizes major releases for Azure Container Registry and discusses upcoming features on the public roadmap. Other related cloud-native projects from Microsoft are listed as well. The document concludes with the author's perspectives on best practices for AKS at the end of 2019.
Kubernetes have been widely adopted. The next challenge of scaling Kubernetes through the organization is multi-tenancy. This session will walk through how we can do multi-tenancy on Kubernetes with access control, fair sharing, and isolation.
Youtube Recorded: https://youtu.be/oCEL-nWhc-w
TechTalkThai Conference: Kubernetes Trends
September 16, 2021
Appsecco Kubernetes Hacking Masterclass. The slides used during the class with links to the commands, scripts and setup information.
These slides are to be used with the masterclass video recording on YouTube -
Hands on exercises are highly recommended to get the most out of this class!
This document provides an overview of Kubernetes and attacking Kubernetes clusters for penetration testers. It begins with introductions to containers, Kubernetes, and setting up a local Kubernetes cluster. It then covers a threat model for Kubernetes and describes an attacker's workflow against a cluster, including discovery, vulnerability testing, exploitation, and persistence. Specific attacks demonstrated include API server authorization testing, discovering exposed etcd and internal services, container escapes, and Helm Tiller privilege escalation. Resources for further learning are also provided.
My cloud native security talk I gave at Innotech Austin 2018. I cover container and Kubernetes security topics, security features in Kubernetes, including opensource projects you will want to consider while building and maintaining cloud native applications.
The document provides an overview of secret management solutions and architectures. It discusses what secrets are and why secret management is important. Some key points:
- Secrets include authentication credentials, API keys, passwords, and certificates that need access control. As services increase, so do secrets.
- An ideal secret management solution provides security, encryption, access control, auditing, ease of use, and integration with other tools.
- Version control systems and orchestration tools like Kubernetes can be used for secrets but have limitations compared to dedicated secret management solutions.
- AWS offers Parameter Store, Secrets Manager, and KMS for secret management. Parameter Store is generally recommended, while Secrets Manager is better for database
The document discusses the Kubernetes Secrets Store CSI driver, which allows storing and retrieving secrets from an external secrets store and mounting them as volumes in pods. It provides an overview of the driver's architecture and capabilities, including supporting different secrets store providers like Azure Key Vault and HashiCorp Vault. It also covers using the driver with pod identity for access control and restricting which pods can access secrets in the store. Future plans are mentioned like adding more providers and syncing secrets to Kubernetes.
Consolidating Infrastructure with Azure Kubernetes ServiceEng Teong Cheah
In this session, see how Tailwind Traders took a containerized application and deployed it to Azure Kubernetes Service (AKS). You’ll walk away with a deep understanding of major Kubernetes concepts and how to put it all to use with industry standard tooling.
Everyone heard about Kubernetes. Everyone wants to use this tool. However, sometimes we forget about security, which is essential throughout the container lifecycle.
Therefore, our journey with Kubernetes security should begin in the build stage when writing the code becomes the container image.
Kubernetes provides innate security advantages, and together with solid container protection, it will be invincible.
During the sessions, we will review all those features and highlight which are mandatory to use. We will discuss the main vulnerabilities which may cause compromising your system.
Contacts:
LinkedIn - https://www.linkedin.com/in/vshynkar/
GitHub - https://github.com/sqerison
-------------------------------------------------------------------------------------
Materials from the video:
The policies and docker files examples:
https://gist.github.com/sqerison/43365e30ee62298d9757deeab7643a90
The repo with the helm chart used in a demo:
https://github.com/sqerison/argo-rollouts-demo
Tools that showed in the last section:
https://github.com/armosec/kubescape
https://github.com/aquasecurity/kube-bench
https://github.com/controlplaneio/kubectl-kubesec
https://github.com/Shopify/kubeaudit#installation
https://github.com/eldadru/ksniff
Further learning.
A book released by CISA (Cybersecurity and Infrastructure Security Agency):
https://media.defense.gov/2021/Aug/03/2002820425/-1/-1/1/CTR_KUBERNETES%20HARDENING%20GUIDANCE.PDF
O`REILLY Kubernetes Security:
https://kubernetes-security.info/
O`REILLY Container Security:
https://info.aquasec.com/container-security-book
Thanks for watching!
Container security Familiar problems in new technologyFrank Victory
Container adoption is on the rise across companies of every size and industry. While containerization is a new and exciting paradigm, it brings with it some of the same technical and organizational issues that security teams have always faced. This presentation will dive into a selection of these familiar issues and suggested solutions to help security teams get a better handle on containers and keep up with the deployment pace that DevOps requires.
Check out the Denver Chapter of OWASP!
meetup.com/denver-owasp and our annual conference
www.snowfroc.com
From Containerized Application to Secure and Scaling With KubernetesShikha Srivastava
Discuss following:
What does it really take to make sure your application is production ready?
With new privacy regulations being added, many aspects need to be taken into account when deciding when to deliver your final application is ready for production.
Can your application handle multiple users with different levels of access?
Can you extend your application to use existing authentication and authorization platforms?
Have you invested in using Mutual TLS for communication between components?
How do you manage the certificates and passwords used within your product?
Is CICD your friend or your enemy when it comes to delivering your product?
Have you considered the availability and scalability of the application?
The presentation was given on 11/12/2018 on CloudExpo NY. The presentation talks about software portability approaches and technologies on Kubernetes, microservices, service mesh, and serverless platforms
(SACON) Anand Tapikar - Attack vectors of Kubernetes infra. Are we on right ...Priyanka Aash
Kubernetes (K8s) is an open-source system for automating deployment, scaling, and management of containerized applications. K8s groups containers that make up an application into logical units for easy management and discovery. It was originally designed by Google and is now maintained by the Cloud Native Computing Foundation. As organizations accelerate their adoption of containers and container orchestrators, they will need to take necessary steps to protect such a critical part of their compute infrastructure.
How this topic is relevant 1 out of 5 organization going for container installation Container security attack vectors are rising Recently major vulnerability discovered in containers and got good media attention Duration (Mentioned on sacon.io, if not as per program committee call).
Similar to Attacking and Defending Kubernetes - Nithin Jois (20)
Measuring the Impact of Network Latency at TwitterScyllaDB
Widya Salim and Victor Ma will outline the causal impact analysis, framework, and key learnings used to quantify the impact of reducing Twitter's network latency.
YOUR RELIABLE WEB DESIGN & DEVELOPMENT TEAM — FOR LASTING SUCCESS
WPRiders is a web development company specialized in WordPress and WooCommerce websites and plugins for customers around the world. The company is headquartered in Bucharest, Romania, but our team members are located all over the world. Our customers are primarily from the US and Western Europe, but we have clients from Australia, Canada and other areas as well.
Some facts about WPRiders and why we are one of the best firms around:
More than 700 five-star reviews! You can check them here.
1500 WordPress projects delivered.
We respond 80% faster than other firms! Data provided by Freshdesk.
We’ve been in business since 2015.
We are located in 7 countries and have 22 team members.
With so many projects delivered, our team knows what works and what doesn’t when it comes to WordPress and WooCommerce.
Our team members are:
- highly experienced developers (employees & contractors with 5 -10+ years of experience),
- great designers with an eye for UX/UI with 10+ years of experience
- project managers with development background who speak both tech and non-tech
- QA specialists
- Conversion Rate Optimisation - CRO experts
They are all working together to provide you with the best possible service. We are passionate about WordPress, and we love creating custom solutions that help our clients achieve their goals.
At WPRiders, we are committed to building long-term relationships with our clients. We believe in accountability, in doing the right thing, as well as in transparency and open communication. You can read more about WPRiders on the About us page.
7 Most Powerful Solar Storms in the History of Earth.pdfEnterprise Wired
Solar Storms (Geo Magnetic Storms) are the motion of accelerated charged particles in the solar environment with high velocities due to the coronal mass ejection (CME).
Best Practices for Effectively Running dbt in Airflow.pdfTatiana Al-Chueyr
As a popular open-source library for analytics engineering, dbt is often used in combination with Airflow. Orchestrating and executing dbt models as DAGs ensures an additional layer of control over tasks, observability, and provides a reliable, scalable environment to run dbt models.
This webinar will cover a step-by-step guide to Cosmos, an open source package from Astronomer that helps you easily run your dbt Core projects as Airflow DAGs and Task Groups, all with just a few lines of code. We’ll walk through:
- Standard ways of running dbt (and when to utilize other methods)
- How Cosmos can be used to run and visualize your dbt projects in Airflow
- Common challenges and how to address them, including performance, dependency conflicts, and more
- How running dbt projects in Airflow helps with cost optimization
Webinar given on 9 July 2024
Advanced Techniques for Cyber Security Analysis and Anomaly DetectionBert Blevins
Cybersecurity is a major concern in today's connected digital world. Threats to organizations are constantly evolving and have the potential to compromise sensitive information, disrupt operations, and lead to significant financial losses. Traditional cybersecurity techniques often fall short against modern attackers. Therefore, advanced techniques for cyber security analysis and anomaly detection are essential for protecting digital assets. This blog explores these cutting-edge methods, providing a comprehensive overview of their application and importance.
Comparison Table of DiskWarrior Alternatives.pdfAndrey Yasko
To help you choose the best DiskWarrior alternative, we've compiled a comparison table summarizing the features, pros, cons, and pricing of six alternatives.
How Social Media Hackers Help You to See Your Wife's Message.pdfHackersList
In the modern digital era, social media platforms have become integral to our daily lives. These platforms, including Facebook, Instagram, WhatsApp, and Snapchat, offer countless ways to connect, share, and communicate.
UiPath Community Day Kraków: Devs4Devs ConferenceUiPathCommunity
We are honored to launch and host this event for our UiPath Polish Community, with the help of our partners - Proservartner!
We certainly hope we have managed to spike your interest in the subjects to be presented and the incredible networking opportunities at hand, too!
Check out our proposed agenda below 👇👇
08:30 ☕ Welcome coffee (30')
09:00 Opening note/ Intro to UiPath Community (10')
Cristina Vidu, Global Manager, Marketing Community @UiPath
Dawid Kot, Digital Transformation Lead @Proservartner
09:10 Cloud migration - Proservartner & DOVISTA case study (30')
Marcin Drozdowski, Automation CoE Manager @DOVISTA
Pawel Kamiński, RPA developer @DOVISTA
Mikolaj Zielinski, UiPath MVP, Senior Solutions Engineer @Proservartner
09:40 From bottlenecks to breakthroughs: Citizen Development in action (25')
Pawel Poplawski, Director, Improvement and Automation @McCormick & Company
Michał Cieślak, Senior Manager, Automation Programs @McCormick & Company
10:05 Next-level bots: API integration in UiPath Studio (30')
Mikolaj Zielinski, UiPath MVP, Senior Solutions Engineer @Proservartner
10:35 ☕ Coffee Break (15')
10:50 Document Understanding with my RPA Companion (45')
Ewa Gruszka, Enterprise Sales Specialist, AI & ML @UiPath
11:35 Power up your Robots: GenAI and GPT in REFramework (45')
Krzysztof Karaszewski, Global RPA Product Manager
12:20 🍕 Lunch Break (1hr)
13:20 From Concept to Quality: UiPath Test Suite for AI-powered Knowledge Bots (30')
Kamil Miśko, UiPath MVP, Senior RPA Developer @Zurich Insurance
13:50 Communications Mining - focus on AI capabilities (30')
Thomasz Wierzbicki, Business Analyst @Office Samurai
14:20 Polish MVP panel: Insights on MVP award achievements and career profiling
Implementations of Fused Deposition Modeling in real worldEmerging Tech
The presentation showcases the diverse real-world applications of Fused Deposition Modeling (FDM) across multiple industries:
1. **Manufacturing**: FDM is utilized in manufacturing for rapid prototyping, creating custom tools and fixtures, and producing functional end-use parts. Companies leverage its cost-effectiveness and flexibility to streamline production processes.
2. **Medical**: In the medical field, FDM is used to create patient-specific anatomical models, surgical guides, and prosthetics. Its ability to produce precise and biocompatible parts supports advancements in personalized healthcare solutions.
3. **Education**: FDM plays a crucial role in education by enabling students to learn about design and engineering through hands-on 3D printing projects. It promotes innovation and practical skill development in STEM disciplines.
4. **Science**: Researchers use FDM to prototype equipment for scientific experiments, build custom laboratory tools, and create models for visualization and testing purposes. It facilitates rapid iteration and customization in scientific endeavors.
5. **Automotive**: Automotive manufacturers employ FDM for prototyping vehicle components, tooling for assembly lines, and customized parts. It speeds up the design validation process and enhances efficiency in automotive engineering.
6. **Consumer Electronics**: FDM is utilized in consumer electronics for designing and prototyping product enclosures, casings, and internal components. It enables rapid iteration and customization to meet evolving consumer demands.
7. **Robotics**: Robotics engineers leverage FDM to prototype robot parts, create lightweight and durable components, and customize robot designs for specific applications. It supports innovation and optimization in robotic systems.
8. **Aerospace**: In aerospace, FDM is used to manufacture lightweight parts, complex geometries, and prototypes of aircraft components. It contributes to cost reduction, faster production cycles, and weight savings in aerospace engineering.
9. **Architecture**: Architects utilize FDM for creating detailed architectural models, prototypes of building components, and intricate designs. It aids in visualizing concepts, testing structural integrity, and communicating design ideas effectively.
Each industry example demonstrates how FDM enhances innovation, accelerates product development, and addresses specific challenges through advanced manufacturing capabilities.
Scaling Connections in PostgreSQL Postgres Bangalore(PGBLR) Meetup-2 - MydbopsMydbops
This presentation, delivered at the Postgres Bangalore (PGBLR) Meetup-2 on June 29th, 2024, dives deep into connection pooling for PostgreSQL databases. Aakash M, a PostgreSQL Tech Lead at Mydbops, explores the challenges of managing numerous connections and explains how connection pooling optimizes performance and resource utilization.
Key Takeaways:
* Understand why connection pooling is essential for high-traffic applications
* Explore various connection poolers available for PostgreSQL, including pgbouncer
* Learn the configuration options and functionalities of pgbouncer
* Discover best practices for monitoring and troubleshooting connection pooling setups
* Gain insights into real-world use cases and considerations for production environments
This presentation is ideal for:
* Database administrators (DBAs)
* Developers working with PostgreSQL
* DevOps engineers
* Anyone interested in optimizing PostgreSQL performance
Contact info@mydbops.com for PostgreSQL Managed, Consulting and Remote DBA Services
Are you interested in dipping your toes in the cloud native observability waters, but as an engineer you are not sure where to get started with tracing problems through your microservices and application landscapes on Kubernetes? Then this is the session for you, where we take you on your first steps in an active open-source project that offers a buffet of languages, challenges, and opportunities for getting started with telemetry data.
The project is called openTelemetry, but before diving into the specifics, we’ll start with de-mystifying key concepts and terms such as observability, telemetry, instrumentation, cardinality, percentile to lay a foundation. After understanding the nuts and bolts of observability and distributed traces, we’ll explore the openTelemetry community; its Special Interest Groups (SIGs), repositories, and how to become not only an end-user, but possibly a contributor.We will wrap up with an overview of the components in this project, such as the Collector, the OpenTelemetry protocol (OTLP), its APIs, and its SDKs.
Attendees will leave with an understanding of key observability concepts, become grounded in distributed tracing terminology, be aware of the components of openTelemetry, and know how to take their first steps to an open-source contribution!
Key Takeaways: Open source, vendor neutral instrumentation is an exciting new reality as the industry standardizes on openTelemetry for observability. OpenTelemetry is on a mission to enable effective observability by making high-quality, portable telemetry ubiquitous. The world of observability and monitoring today has a steep learning curve and in order to achieve ubiquity, the project would benefit from growing our contributor community.
Mitigating the Impact of State Management in Cloud Stream Processing SystemsScyllaDB
Stream processing is a crucial component of modern data infrastructure, but constructing an efficient and scalable stream processing system can be challenging. Decoupling compute and storage architecture has emerged as an effective solution to these challenges, but it can introduce high latency issues, especially when dealing with complex continuous queries that necessitate managing extra-large internal states.
In this talk, we focus on addressing the high latency issues associated with S3 storage in stream processing systems that employ a decoupled compute and storage architecture. We delve into the root causes of latency in this context and explore various techniques to minimize the impact of S3 latency on stream processing performance. Our proposed approach is to implement a tiered storage mechanism that leverages a blend of high-performance and low-cost storage tiers to reduce data movement between the compute and storage layers while maintaining efficient processing.
Throughout the talk, we will present experimental results that demonstrate the effectiveness of our approach in mitigating the impact of S3 latency on stream processing. By the end of the talk, attendees will have gained insights into how to optimize their stream processing systems for reduced latency and improved cost-efficiency.
Coordinate Systems in FME 101 - Webinar SlidesSafe Software
If you’ve ever had to analyze a map or GPS data, chances are you’ve encountered and even worked with coordinate systems. As historical data continually updates through GPS, understanding coordinate systems is increasingly crucial. However, not everyone knows why they exist or how to effectively use them for data-driven insights.
During this webinar, you’ll learn exactly what coordinate systems are and how you can use FME to maintain and transform your data’s coordinate systems in an easy-to-digest way, accurately representing the geographical space that it exists within. During this webinar, you will have the chance to:
- Enhance Your Understanding: Gain a clear overview of what coordinate systems are and their value
- Learn Practical Applications: Why we need datams and projections, plus units between coordinate systems
- Maximize with FME: Understand how FME handles coordinate systems, including a brief summary of the 3 main reprojectors
- Custom Coordinate Systems: Learn how to work with FME and coordinate systems beyond what is natively supported
- Look Ahead: Gain insights into where FME is headed with coordinate systems in the future
Don’t miss the opportunity to improve the value you receive from your coordinate system data, ultimately allowing you to streamline your data analysis and maximize your time. See you there!
Understanding Insider Security Threats: Types, Examples, Effects, and Mitigat...Bert Blevins
Today’s digitally connected world presents a wide range of security challenges for enterprises. Insider security threats are particularly noteworthy because they have the potential to cause significant harm. Unlike external threats, insider risks originate from within the company, making them more subtle and challenging to identify. This blog aims to provide a comprehensive understanding of insider security threats, including their types, examples, effects, and mitigation techniques.
Quality Patents: Patents That Stand the Test of TimeAurora Consulting
Is your patent a vanity piece of paper for your office wall? Or is it a reliable, defendable, assertable, property right? The difference is often quality.
Is your patent simply a transactional cost and a large pile of legal bills for your startup? Or is it a leverageable asset worthy of attracting precious investment dollars, worth its cost in multiples of valuation? The difference is often quality.
Is your patent application only good enough to get through the examination process? Or has it been crafted to stand the tests of time and varied audiences if you later need to assert that document against an infringer, find yourself litigating with it in an Article 3 Court at the hands of a judge and jury, God forbid, end up having to defend its validity at the PTAB, or even needing to use it to block pirated imports at the International Trade Commission? The difference is often quality.
Quality will be our focus for a good chunk of the remainder of this season. What goes into a quality patent, and where possible, how do you get it without breaking the bank?
** Episode Overview **
In this first episode of our quality series, Kristen Hansen and the panel discuss:
⦿ What do we mean when we say patent quality?
⦿ Why is patent quality important?
⦿ How to balance quality and budget
⦿ The importance of searching, continuations, and draftsperson domain expertise
⦿ Very practical tips, tricks, examples, and Kristen’s Musts for drafting quality applications
https://www.aurorapatents.com/patently-strategic-podcast.html
6. Containers What??..
● OS level virtualization for running
multiple isolated* systems using
host resources
● Abstraction layer that packages
code and dependencies together
Copyright - we45, 2020
10. Copyright - we45, 2020
Image Registry
Node 4
Node 3
Node 2
Node 1
API
CLI
UI
User
Interface
Command Line
Interface
Kubernetes Master
API
Server
Scheduler Controller
etcd
Kubernetes Architecture
11. Kubernetes Terms
• Cluster = > A Collection of Worker Nodes (that run workloads) and a Kubernetes
Master (that controls the workers)
• Node => A Worker Machine
• Pod => Smallest K8s Object. Represents set of running containers in the cluster
• Deployment => Object that manages a replicated application.
• Service => An Object that how applications are accessed. Typically described Ports
and LoadBalancers
Copyright - we45, 2020
14. The Kubernetes Threat Model
Copyright - we45, 2020
K8s Threat Model
User compromises
the cluster
Users can access Cluster/Controller without authentication
Users can access the Cluster with stolen secrets/ tokens to perform sensitive operations on Cluster
User can tamper with user cert settings and gain access to Cluster as a genuine user
User has unrestricted access across the Cluster
User has highly privileged access across the Cluster
Malicious App (Container)
Compromises the Cluster
Attacker is able to RCE into a container and subsequently gain access
to other services, pods etc on the Cluster to steal sensitive information
Org runs backdoored/Compromised container in the Cluster, that is
able to access other resources on/ across the cluster and steal sensitive information
Attacker is able to perform CPU/mem intensive Ops across the cluster
and bring it down
Attacker gets a trojanized image to run on the cluster and
compromise sensitive information
Backdoored/ compromised container accesses shared resources
and runs ransomware / affects availability to shared resources
Compromise secrets
Gain access to DB/ FS/ Sensitive Information
Gain access to other namespaces for
Cross-Cluster compromise
Access Kube API and Controller to access
K8s Management Sensitive Info
Compromise secrets
Gain access to DB/ FS/ Sensitive Information
Gain access to other namespaces for
Cross-Cluster compromise
Access Kube API and Controller to access
K8s Management Sensitive Info
Malicious node
compromises
the cluster
Malicious node registers itself as a genuine node to the cluster and compromises the node therefrom
Exploit against Node escalates privileges to Kube deployment and compromises cluster
15. K8s Services - Cluster
Copyright - we45, 2020
Port Process Description
4149/TCP kubelet Default Port for Container Metrics
10250/TCP kubelet API that allows full node access
10255/TCP kubelet
Unauthenticated Read-only port with
access to node state
10256/TCP kube-proxy Health check server for Kube Proxy
9099/TCP calico-felix Healthcheck for Calico-Canal (SDN)
6443/TCP kube-apiserver K8s API Port
18. Application Layer
• Vulnerable Application - Insecure Deserialization
• Insecure Secrets Management - No Protection of
Encryption Key
• Redis - No Authentication
19. Container Layer
• Running as “root"
• No Hardening of Container Runtime
• Insecure Secrets in Container Environment
Variables
20. K8s Cluster Layer
• No Network Policy
• Especially Egress Controls
• No Authentication or Access Control
• No Logical Segmentation - Namespaces
• No Pod Security Controls
• Lack of Monitoring
22. K8s Security Model
Copyright - we45, 2020
• Restrict access to kubectl
• Use RBAC
• Use a network policy
• Use namespaces
• Bootstrap TLS
Set up a cluster
Follow security hygiene
• Keep Kubernetes updated
• Use a minimal OS
• Use minimal IAM roles
• Use private IPs on your nodes
• Monitor access with audit logging
• Verify binaries that are deployed
• Disable dashboard
• Disable default service
account token
• Protect node metadata
• Scan images for known
vulnerabilities
Prevent known attacks
• Set a pod security policy
• Protect secrets
• Consider sandboxing
• Limit the identity used by pods
• Use a service mesh for
authentication/ encryption
Prevent/limit impact of
microservice compromise
23. K8s Authentication and Access Control
•Authentication
•Access Control
•Admission Controller
Copyright - we45, 2020
24. K8s Authentication - Users
• Kubernetes has two types of users:
• Service Accounts => Managed by Kubernetes
• Managed by the K8s API, bound to specific namespaces
• Normal Users => Managed by an outside service
• The user typing kubectl must authenticate or be an anonymous user
Copyright - we45, 2020
25. K8s Authentication Methods
•Authentication Strategies:
•Client Certificates (X.509)
•HTTP Basic Authentication
•Bearer Tokens
•Authentication Proxies or Webhook
•LDAP, SAML, Kerberos
•You can use multiple authentication methods at once
Copyright - we45, 2020
26. Client Certificates
• Certificate Signing request for user “abhay” who is part of two groups, “app1” and
“app2”
• You can also use comprehensive secrets management system like Hashicorp Vault to
be the CA
Copyright - we45, 2020
openssl req -new -key abhay.pem -out abhay-csr.pem
-subj “/CN=abhay/O=app1/O=app2"
27. Static Token File
• Inject Bearer Tokens into the Kubernetes cluster with the
• -- token-auth-file=SOMEFILE CLI arg
• Token Files CANNOT be changed without restarting the API Server
• Tokens are FOREVER. They last indefinitely
Copyright - we45, 2020
token,user,uid,"group1,group2,group3"
Authorization: Bearer 31ada4fd-adec-460c-809a-9e56ceb75269
28. HTTP Basic Auth - Static Password Files
• Similar to tokens
• Inject Static password files into K8s cluster with the flag
• --basic-auth-file=SOMEFILE
• Password CANNOT be changed without starting the API Server
Copyright - we45, 2020
minikube mount $PWD:/var/lib/localkube/certs/pass
minikube start --extra-config=apiserver.basic-auth-
file=/var/lib/localkube/certs/pass/mypass
Authorization: Basic Base64Encoded(username:password)
29. Authentication Proxies/Webhooks
• Authentication using Proxies/Webhooks
• OpenID Connect Tokens (OAuth2 Flavor) - Azure Active Directory, Salesforce,
Google
• Access Token returned with ID Token (JWT)
Copyright - we45, 2020
X-Remote-User: fido
X-Remote-Group: dogs
X-Remote-Group: dachshunds
X-Remote-Extra-Acme.com%2Fproject: some-project
X-Remote-Extra-Scopes: openid
X-Remote-Extra-Scopes: profile
30. Service Accounts
• You can create service accounts for services (CI, Apps, etc) to access the cluster to perform operations
• Example: Jenkins builds a new docker image and deploys the image to the cluster on the staging
namespace
• Service accounts typically use JWTs signed with the API’s TLS Server OR a PEM file provided by the
user
Copyright - we45, 2020
kubectl create serviceaccount jenkins
serviceaccount "jenkins" created
$ kubectl get serviceaccounts jenkins -o yaml
apiVersion: v1
kind: ServiceAccount
metadata:
# ...
secrets:
- name: jenkins-token-1yvwg
31. Service Account Secrets
• Service Accounts for the namespace are injected into the Pod at the
• /run/secrets/kubernetes.io/serviceaccount path
Copyright - we45, 2020
kubectl get secret jenkins-token-1yvwg -o yaml
apiVersion: v1
data:
ca.crt: (APISERVER'S CA BASE64 ENCODED)
namespace: ZGVmYXVsdA==
token: (BEARER TOKEN BASE64 ENCODED)
kind: Secret
metadata:
# ...
type: kubernetes.io/service-account-token
32. Authorization - K8s
• K8s has a clear separation between Authentication (various strategies) and
Authorization
• Types of Authorization:
• Node
• RBAC => Role Based Access Control
• ABAC => Attribute Based Access Control
• Webhooks
Copyright - we45, 2020
33. RBAC K8s Authorization
• RBAC Authorization refers to Roles that contain
rules of Permissions
• Permissions are only additive (No Deny)
• Easy to manage, when you have a a clearly defined
set of privileges for the roles
• Two Types:
• ClusterRole => Role that applies across the
Cluster (across Namespaces)
• Role => applies to Permissions that work
across a single namespace
kind: Role
apiVersion:
rbac.authorization.k8s.io/
v1
metadata:
namespace: default
name: pod-reader
rules:
- apiGroups: [""] # ""
indicates the core API
group
resources: ["pods"]
verbs: ["get", "watch",
"list"]
35. ABAC Authorization
• ABAC == “Attribute Based Authentication System”
• Simple mapping (JSON) of user access to specific resources based on their attributes
• Load the ABAC Policy with a --authorization-policy-file=SomeFile, format of one object
per line
{"apiVersion":
"abac.authorization.kubernet
es.io/v1beta1", "kind":
"Policy", "spec": {"user":
"alice", "namespace": "*",
"resource": "*", "apiGroup":
"*"}}
user ‘alice’ has access to all
namespaces/resources in the
cluster
{"apiVersion":
"abac.authorization.kubernetes
.io/v1beta1", "kind":
"Policy", "spec": {"user":
"bob", "namespace": "owasp",
"resource": "pods",
"readonly": true}}
user ‘bob’ can only read pods in
the ‘owasp’ namespace
37. Admission Controllers
• Admission Controller is an additional Access Control Layer for the Kubernetes API
• Think of it like a Validation Filter that validates admission/rejection based on certain
rules/features enabled
• Admission Controllers work AFTER the user/account is authenticated and
authorized
• They are enabled based on the Cluster Administrator’s configuration of the same
Copyright - we45, 2020
kube-apiserver --enable-admission-
plugins=NamespaceLifecyle,LimitRanger ...
38. Useful Admission Controller Plugins
• AlwaysPullImages => forces the pod image pull policy to always. Ensures that
private images are authenticated when there’s a pull.
• DenyEscalatingExec => Deny ‘exec’ or ‘attach’ operations to Pods that run
with elevated privileges (host access). Pods => Privileges, Host IPC Namespace, Host
PID Namespace
• EventRateLimit => Rate Limit for K8s API. Prevents DoS
• LimitRanger => Enforce the LimitRange directive to protect against excessive
consumption by Pod
Copyright - we45, 2020
39. Useful Admission Controller Plugins - 2
• PodSecurityPolicy => Multiple Configuration Parameters (including Seccomp,
AppArmor), etc to protect Pod against attacks (rule based)
• NamespaceLifecycle => Prevents against loading resources in “to-be-deleted”
namespaces. Also prevents against resources being allocated in default, kube-system
and kube-public namespaces
• NodeRestriction => Node Authorization Privileges for the kubelet
• ResourceQuota => Enforces Consumable Resources by a Pod
Copyright - we45, 2020
40. Other Access Control Good Practices
• Secure/Disable Dashboard
• Never run LoadBalancer on Dashboard Service
• Leverage RBAC
• Create and Enforce controls on Namespaces
• Logical Segmentation (however weak)
• Better way to think about Access Control
Copyright - we45, 2020
42. Pod Security Policy
•Ruleset that defines specific rules for a
Pod to run in a K8s cluster
•Optional, but highly recommended
•Admission Controller - Disallows
containers from being loaded on the
Pod, if it violates the rules
43. Pod Security Policy - Parameters
• Privileged/UnPrivileged
• Host Namespaces
• Host Networking and Ports
• Volumes
• Paths
• User and Group IDs for the
Containers
Copyright - we45, 2020
• Linux Capabilities
• SELinux
• AppArmor/Seccomp
• ReadOnly RootFS
• Allow/Disallow PrivilegeEscalation
44. Copyright - we45, 2020
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
name: restricted
annotations:
seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default'
apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
seccomp.security.alpha.kubernetes.io/defaultProfileName: 'docker/default'
apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default'
spec:
privileged: false
# Required to prevent escalations to root.
allowPrivilegeEscalation: false
# This is redundant with non-root + disallow privilege escalation,
# but we can provide it for defense in depth.
requiredDropCapabilities:
- ALL
# Allow core volume types.
45. Copyright - we45, 2020
volumes:
- 'configMap'
- 'emptyDir'
- 'projected'
- 'secret'
- 'downwardAPI'
# Assume that persistentVolumes set up by the cluster admin are safe to use.
- 'persistentVolumeClaim'
hostNetwork: false
hostIPC: false
hostPID: false
runAsUser:
# Require the container to run without root privileges.
rule: 'MustRunAsNonRoot'
seLinux:
# This policy assumes the nodes are using AppArmor rather than SELinux.
rule: 'RunAsAny'
supplementalGroups:
rule: 'MustRunAs'
ranges:
# Forbid adding the root group.
- min: 1
max: 65535
fsGroup:
rule: 'MustRunAs'
ranges:
# Forbid adding the root group.
- min: 1
max: 65535
readOnlyRootFilesystem: false
47. Pod Security Policy - Gotchas
•AppArmor/Seccomp is not a silver-bullet! Attackers can still perform
Network Layer Attacks, if your apps are vulnerable
•Profiling Syscalls for appropriate restrictions - especially of interpreted
languages, is 😥
•Doesn’t protect against Network Layer Attacks
Copyright - we45, 2020
49. K8s Secrets
• Kubernetes has a secrets object that you can use to store secrets
• Secrets can be injected into the containers as ENVVARs or Mounted FilePaths, or
injected from files
• Access to Secrets can also be restricted with Authorization Systems
Copyright - we45, 2020
# from file
kubectl create secret generic db-user-pass --from-file=./username.txt --from-file=./
password.txt
#from literal
kubectl create secret generic prod-db-secret --from-literal=username=produser --from-
literal=password=Y4nys7f11
50. Points to Ponder…
• Secrets are NOT encrypted at rest
• Not in Memory
• Not in etcd
• Injected Secrets (into Container) are in plaintext/base64encoded
• K8s has an experimental plugin that encrypts secrets in etcd:
• But, they are still decrypted and injected to the container in plaintext
Copyright - we45, 2020
51. Secret Input/Output
• Input
• Secrets from Literals
• Secrets from file/data
• Output
• Volume Mount
• Environment Variables
Copyright - we45, 2020
52. Secrets Gotchas
• Secrets get committed to repos (sometimes, public ones)
• Secrets can get exposed to unauthorized users within the cluster
• Secrets are available unencrypted in etcd and to cluster resources
Copyright - we45, 2020
54. Common Characteristics
• Secrets Management Solutions
• Centralized Storehouse of secrets and encrypted
datasets
• Secrets Management solutions in the cloud -
Plethora of APIs and reousrces to handle this
requirement
• Data is decrypted before being injected into the
cluster
• Data is (usually) stored in etcd with encryption
55. Kubeseal - Sealed Secrets
• New Third Party Resource from BitNami Engineering
• Idea => Anyone can create a secret, but nobody but the controller can decrypt the
secret
Copyright - we45, 2020
LifeofaSealedSecret
Secret
Sealed Secret
Kubeseal
encrypts secret
Safe to post publicly
Secret
Sealed Secret
Kubernetes cluster
Decrypted by
Controller
56. Sealed Secrets - Process
Copyright - we45, 2020
Encryption Process
Decryption Process
58. Dynamic Secrets
• Generated on-demand and unique to each client/pod
• Destroys secret/credential when lease expires
Copyright - we45, 2020
Vault
Request DB credential
Return dynamic credential
Valid for 7 days
Create user…
With password…
60. Auditing kube-apiserver
• Helps Cluster Admins and Security teams to answer the following:
Copyright - we45, 2020
•What happened?
•When?
•Who initiated it?
•What did it happen on?
•Where was it observed?
•Where was it initiated?
•Where was it going?
61. Audit policy Example
Copyright - we45, 2020
# Log all requests at RequestResponse level
apiVersion: audit.k8s.io/v1
kind: Policy
rules:
- level: RequestResponse
67. Potential flaws in K8s YAML Spec
● Storage of Sensitive Info in YAML resources
● Using unencrypted ENV vars and secrets
● Insecure Network, Volume/mountPath configurations
● Lack of resource limits in place
● Privileged access to pods
● Extensive Kernel Capabilities
Copyright - we45, 2020
68. K8s CIS-Benchmark Checks
● Setup Authentication and Authorization
● Secure Data in Transit
● Secure Data at Rest
● Employ Least Privileges
● Additional Runtime Controls
Copyright - we45, 2020
69. CIS Best-Practices - kube-bench
● Checks if K8s deployment is secure by
running checks documented in CIS-K8s-
Benchmark.
● Checks can be performed on both Master
and Node machines
● Checks performed are stored as YAML specs,
making it easy to modify
● Results are given in Pass, Fail and Info format
Copyright - we45, 2020
70. Scanning K8s Cluster - kube-hunter
● Scans for security issues on K8s clusters
● Has three scanning options
○ Remote Scanning: kube-hunter.py --remote some.node.com
○ Internal Scanning : kube-hunter.py --internal
○ Network Scanning: kube-hunter.py --cidr 192.168.0.0/24
● For a more ‘Attack’ like scan, ‘--active’ flag can be used.
○ Exploits vulnerabilities found to explore further
○ kube-hunter.py --remote some.domain.com --active
■ Can change state of the cluster, which could be harmful
Copyright - we45, 2020