Dimitrij Klesev & Andreas Zeissner

Enhancing Workload Security in Kubernetes

A single blocked syscall can stop a fileless, in-memory attack. Learn how to automate this level of security across your Kubernetes cluster with the Security Profiles Operator.

#1 (about 3 minutes)

Understanding the Kubernetes securityContext for workloads

The securityContext field in a pod specification allows you to define privilege and access control settings for a pod or container: the user and group IDs a process runs as, whether it may be privileged or gain privileges, which Linux capabilities it keeps, whether its root filesystem is writable, and which seccomp, AppArmor or SELinux profile applies. Settings given at the container level override the same settings given at the pod level.
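
The following is an added example, not code from the talk: a lax pod manifest next to a hardened one, with a small checker that merges pod-level and container-level securityContext the way the kubelet does (container keys win) and reports the settings a hardened workload should have. The check list is a subset of the "restricted" Pod Security Standard chosen for this example, and both manifests are constructed sample input.

```python
"""Compare a lax container securityContext with a hardened one.

Added example for this page, not code from the talk. The checks below are a
subset of the "restricted" Pod Security Standard chosen for illustration;
the two manifests are constructed sample input.
"""
import copy

# Constructed sample: a pod with no securityContext at all (the default).
LAX_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "web"},
    "spec": {"containers": [{"name": "web", "image": "nginx:1.25"}]},
}

# Constructed sample: the same pod, hardened.
HARDENED_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "web"},
    "spec": {
        "securityContext": {
            "runAsNonRoot": True,
            "runAsUser": 10001,
            "fsGroup": 10001,
            "seccompProfile": {"type": "RuntimeDefault"},
        },
        "containers": [
            {
                "name": "web",
                "image": "nginx:1.25",
                "securityContext": {
                    "allowPrivilegeEscalation": False,
                    "readOnlyRootFilesystem": True,
                    "capabilities": {"drop": ["ALL"]},
                },
            },
        ],
    },
}


def effective_context(pod, container):
    """Merge pod-level and container-level securityContext.

    Container-level keys override pod-level keys of the same name; keys that
    exist only at one level (fsGroup at pod level, capabilities and
    readOnlyRootFilesystem at container level) simply carry through.
    """
    merged = copy.deepcopy(pod["spec"].get("securityContext", {}))
    merged.update(container.get("securityContext", {}))
    return merged


def check_container(pod, container):
    """Return a list of findings; an empty list means every check passed."""
    ctx = effective_context(pod, container)
    findings = []
    if ctx.get("privileged"):
        findings.append("privileged container")
    if ctx.get("allowPrivilegeEscalation", True):  # the API default is true
        findings.append("allowPrivilegeEscalation is not false")
    if not ctx.get("runAsNonRoot") and ctx.get("runAsUser", 0) == 0:
        findings.append("may run as root")
    if not ctx.get("readOnlyRootFilesystem"):
        findings.append("root filesystem is writable")
    caps = ctx.get("capabilities", {})
    if "ALL" not in caps.get("drop", []):
        findings.append("capabilities not dropped (expected drop: [ALL])")
    extra = set(caps.get("add", [])) - {"NET_BIND_SERVICE"}
    if extra:
        findings.append(f"adds capabilities beyond NET_BIND_SERVICE: {sorted(extra)}")
    if ctx.get("seccompProfile", {}).get("type") not in ("RuntimeDefault", "Localhost"):
        findings.append("no seccomp profile (expected RuntimeDefault or Localhost)")
    return findings


def check_pod(pod):
    """Map container name -> findings for every container in the pod."""
    return {c["name"]: check_container(pod, c) for c in pod["spec"]["containers"]}


if __name__ == "__main__":
    for label, pod in (("lax", LAX_POD), ("hardened", HARDENED_POD)):
        print(label, check_pod(pod))
```

Running it prints five findings for the lax pod and none for the hardened one; the point of the merge step is that a pod-level seccompProfile or runAsNonRoot is inherited by every container unless a container overrides it, so auditing only the container block misses half the picture.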

#2 (about 4 minutes)

Restricting kernel system calls with seccomp profiles

Seccomp profiles enhance security by allowing you to explicitly define which kernel system calls a containerized workload is permitted to make. The strongest form is an allowlist: a default action that rejects every syscall, plus an explicit list of the calls the workload actually needs.
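
As an added example (not the speakers' code), the block below builds an allowlist profile in the JSON layout the kubelet hands to the container runtime, resolves which action the profile applies to a given syscall name, and produces a pod manifest that references the profile file under the kubelet's seccomp root. The syscall list is a constructed, deliberately short set; a real profile is derived from tracing the workload.

```python
"""Build an allowlist seccomp profile and evaluate it for a syscall name.

Added example for this page, not the speakers' code. ALLOWED_SYSCALLS is a
constructed, incomplete list for a static file server; the profile layout
(defaultAction, architectures, syscalls) is the JSON format the kubelet
passes to the runtime.
"""
import json

# Constructed minimal allowlist; a real one comes from tracing the workload.
ALLOWED_SYSCALLS = [
    "accept4", "bind", "brk", "close", "epoll_create1", "epoll_ctl",
    "epoll_wait", "exit", "exit_group", "fstat", "futex", "getdents64",
    "listen", "mmap", "munmap", "openat", "read", "rt_sigaction",
    "rt_sigprocmask", "sendfile", "setsockopt", "socket", "write",
]

DEFAULT_ARCHES = ("SCMP_ARCH_X86_64", "SCMP_ARCH_X86", "SCMP_ARCH_X32")


def allowlist_profile(syscalls, architectures=DEFAULT_ARCHES):
    """Profile dict: every syscall fails with an error except those listed.

    SCMP_ACT_ERRNO (rather than SCMP_ACT_KILL) makes a blocked call fail with
    an error the application sees, which is far easier to debug in a cluster.
    """
    return {
        "defaultAction": "SCMP_ACT_ERRNO",
        "architectures": list(architectures),
        "syscalls": [{"names": sorted(set(syscalls)), "action": "SCMP_ACT_ALLOW"}],
    }


def action_for(profile, syscall):
    """Resolve the action a profile applies to one syscall name.

    An explicit entry naming the syscall wins over defaultAction; a profile
    should not list the same syscall under two different actions.
    """
    for entry in profile.get("syscalls", []):
        if syscall in entry.get("names", []):
            return entry["action"]
    return profile["defaultAction"]


def pod_with_localhost_profile(name, image, profile_path):
    """Pod manifest referencing a profile file below the kubelet seccomp root
    (/var/lib/kubelet/seccomp/ by default); profile_path is relative to it."""
    return {
        "apiVersion": "v1",
        "kind": "Pod",
        "metadata": {"name": name},
        "spec": {
            "securityContext": {
                "seccompProfile": {"type": "Localhost", "localhostProfile": profile_path},
            },
            "containers": [{"name": name, "image": image}],
        },
    }


if __name__ == "__main__":
    profile = allowlist_profile(ALLOWED_SYSCALLS)
    print(json.dumps(profile, indent=2))
    for name in ("read", "memfd_create", "ptrace"):
        print(f"{name}: {action_for(profile, name)}")
    print(json.dumps(pod_with_localhost_profile("web", "nginx:1.25", "profiles/web.json"), indent=2))
```

With this profile, read resolves to SCMP_ACT_ALLOW while memfd_create and ptrace fall through to SCMP_ACT_ERRNO. Deploying such a file by hand means copying it to every node's seccomp directory, which is the distribution problem the Security Profiles Operator solves later in the talk.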

#3 (about 4 minutes)

Hardening file system access with AppArmor profiles

AppArmor provides mandatory access control through per-program profiles that restrict what a process may do: which paths it may read, write or execute, whether it may use the network, and which Linux capabilities it may use. In enforce mode, anything a profile does not grant is denied, and an explicit deny rule overrides any allow rule that matches the same path.
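
To make the rule semantics concrete, here is an added example (not from the talk) that parses the file rules of a small constructed AppArmor profile and answers whether a given access would be permitted. It covers only the subset of the syntax the sample uses: path rules with `*`, `**` and `?` globs, the optional `deny` keyword and permission letters; network, capability and #include lines are recognised and skipped.

```python
"""Evaluate file-access rules of an AppArmor profile for a given path.

Added example for this page, not the speakers' code. SAMPLE_PROFILE is a
constructed profile. Two AppArmor facts drive the logic: in enforce mode
anything not explicitly allowed is denied, and explicit deny rules override
allow rules. Supported syntax is deliberately a subset (no owner prefix, no
{a,b} alternation, no variables).
"""
import re

SAMPLE_PROFILE = r"""
#include <tunables/global>
profile web-hardened flags=(attach_disconnected) {
  #include <abstractions/base>
  network inet tcp,
  capability net_bind_service,

  /usr/sbin/nginx            mr,
  /usr/share/nginx/html/**   r,
  /var/log/nginx/*.log       w,
  /var/cache/nginx/**        rw,
  /etc/nginx/**              r,
  /etc/**                    r,
  deny /etc/shadow           r,
  deny /proc/**              w,
}
"""

# Optional "deny", an absolute path, permission letters, trailing comma.
_RULE_RE = re.compile(r"^\s*(deny\s+)?(/\S+)\s+([a-zA-Z]+),\s*$")


def glob_to_regex(glob):
    """Translate AppArmor globbing: '**' crosses '/', '*' and '?' do not."""
    out, i = "^", 0
    while i < len(glob):
        if glob.startswith("**", i):
            out += ".*"
            i += 2
            continue
        c = glob[i]
        if c == "*":
            out += "[^/]*"
        elif c == "?":
            out += "[^/]"
        else:
            out += re.escape(c)
        i += 1
    return out + "$"


def parse_file_rules(text):
    """Return [(deny, compiled_path_regex, perms)] for each file rule."""
    rules = []
    for line in text.splitlines():
        m = _RULE_RE.match(line)
        if not m:
            continue  # #include, network, capability, braces, comments
        deny, path, perms = bool(m.group(1)), m.group(2), set(m.group(3))
        rules.append((deny, re.compile(glob_to_regex(path)), perms))
    return rules


def is_allowed(rules, path, perm):
    """True if `perm` ('r', 'w', 'x', 'm', ...) on `path` is permitted."""
    allowed = False
    for deny, rx, perms in rules:
        if perm in perms and rx.match(path):
            if deny:
                return False  # an explicit deny always wins
            allowed = True
    return allowed  # nothing matched: denied by default


if __name__ == "__main__":
    rules = parse_file_rules(SAMPLE_PROFILE)
    for path, perm in [("/usr/share/nginx/html/index.html", "r"),
                       ("/etc/shadow", "r"),
                       ("/var/log/nginx/access.log", "w"),
                       ("/var/log/nginx/sub/error.log", "w"),
                       ("/proc/self/mem", "w")]:
        verdict = "allow" if is_allowed(rules, path, perm) else "deny"
        print(f"{perm} {path}: {verdict}")
```

Two results are worth noticing: /etc/shadow is denied even though `/etc/** r` matches it, because deny wins, and /var/log/nginx/sub/error.log is denied because a single `*` does not cross a directory boundary. To attach a loaded profile to a container in Kubernetes 1.30 or later, set `securityContext.appArmorProfile` to `type: Localhost` with `localhostProfile: web-hardened`; older clusters use the annotation `container.apparmor.security.beta.kubernetes.io/<container-name>: localhost/web-hardened`. Either way the profile must already be loaded on the node, which is again what the operator automates.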

#4 (about 6 minutes)

Implementing fine-grained control with SELinux contexts

SELinux attaches a label of the form user:role:type:level to every process and every object (file, socket, port) and enforces mandatory access control policies written in terms of those labels, giving granular control over which processes may perform which operations on which objects. For containers, the type (container_t for processes, container_file_t for their data) and the MCS categories in the level are what keep one container's files out of reach of another.

#5 (about 2 minutes)

Automating security with the Security Profiles Operator

The Security Profiles Operator simplifies the management and distribution of seccomp, AppArmor, and SELinux profiles across all nodes in a Kubernetes cluster.

#6 (about 5 minutes)

Demo of blocking an in-memory execution attack

A live demonstration shows how a seccomp profile can block the `memfd_create` system call to prevent a fileless malware execution attack.
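
The block below is an added example, not the demo's own code. It shows the profile shape such a demo relies on (constructed here: allow everything, but fail memfd_create; the runtime returns EPERM for SCMP_ACT_ERRNO by default) together with two probes to run inside a pod with and without the profile applied: one that simply calls memfd_create and reports whether it got through, and one that performs the benign form of the fileless pattern itself by loading /bin/true into an anonymous memory file and executing it via /proc/self/fd/N. A deny-list profile like this is fine for a focused demo; an allowlist with defaultAction SCMP_ACT_ERRNO is the stronger production form.

```python
"""Probe from inside a container whether seccomp blocks memfd_create.

Added example for this page, not the demo's own code. DENY_MEMFD_PROFILE is a
constructed deny-list profile; the probes report what the kernel actually
does. Use a harmless binary such as /bin/true: this is a probe, not a payload.
"""
import errno
import os

DENY_MEMFD_PROFILE = {
    "defaultAction": "SCMP_ACT_ALLOW",
    "architectures": ["SCMP_ARCH_X86_64", "SCMP_ARCH_X86", "SCMP_ARCH_X32"],
    # Runtimes return EPERM for SCMP_ACT_ERRNO unless told otherwise.
    "syscalls": [{"names": ["memfd_create"], "action": "SCMP_ACT_ERRNO"}],
}

# EPERM: seccomp SCMP_ACT_ERRNO; ENOSYS: kernel (or a KILL-free profile) has no memfd_create.
BLOCKED_ERRNOS = (errno.EPERM, errno.EACCES, errno.ENOSYS)


def probe_memfd_create():
    """Return 'allowed', 'blocked' (the call failed with a policy error) or 'unsupported'."""
    if not hasattr(os, "memfd_create"):
        return "unsupported"  # non-Linux, or Python older than 3.8
    try:
        fd = os.memfd_create("probe", os.MFD_CLOEXEC)
    except OSError as exc:
        if exc.errno in BLOCKED_ERRNOS:
            return "blocked"
        raise
    os.close(fd)
    return "allowed"


def run_from_memory(binary_path="/bin/true", argv=("probe",)):
    """Execute `binary_path` from an anonymous memory file without writing to disk.

    Returns the child's exit code, or None when memfd_create was blocked.
    """
    if not hasattr(os, "memfd_create"):
        return None
    try:
        fd = os.memfd_create("payload", os.MFD_CLOEXEC)
    except OSError as exc:
        if exc.errno in BLOCKED_ERRNOS:
            return None
        raise
    with open(binary_path, "rb") as src:
        data = src.read()
    written = 0
    while written < len(data):  # os.write may write less than asked
        written += os.write(fd, data[written:])
    pid = os.fork()
    if pid == 0:
        try:
            # The kernel opens the /proc path itself, so MFD_CLOEXEC does not interfere.
            os.execv(f"/proc/self/fd/{fd}", list(argv))
        finally:
            os._exit(127)  # only reached if execv failed
    _, status = os.waitpid(pid, 0)
    os.close(fd)
    return os.WEXITSTATUS(status)


if __name__ == "__main__":
    print("memfd_create:", probe_memfd_create())
    code = run_from_memory()
    print("fileless exec:", "blocked" if code is None else f"ran, exit code {code}")
```

Without the profile the first probe prints "allowed" and the second runs /bin/true straight out of memory, which is exactly the behaviour a fileless dropper relies on; with the profile applied, memfd_create fails with EPERM and the chain stops at step one. Note that blocking this one syscall closes one in-memory execution path, not every one, so it belongs inside an allowlist rather than standing alone.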

#7 (about 3 minutes)

Demo of managing seccomp with the operator

This demo illustrates how the Security Profiles Operator uses a `ProfileBinding` to automatically apply a seccomp profile to workloads based on their image.
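
Serving both the operator overview and this binding demo, the following added example (not the talk's or the operator's code) generates the two custom resources involved: a SeccompProfile, which the operator distributes to every node, and a ProfileBinding, whose webhook injects that profile into new pods running a given image; it also shows the localhost path the operator produces and the explicit pod-spec alternative. Names, namespace and image are constructed. Points to verify against the operator version you run: the API versions used below (v1beta1 for SeccompProfile, v1alpha1 for ProfileBinding), the on-node path /var/lib/kubelet/seccomp/operator/<namespace>/<name>.json, and the namespace label that switches the binding webhook on.

```python
"""Generate Security Profiles Operator manifests for a seccomp profile and a
ProfileBinding, and derive the localhost path the operator produces.

Added example for this page, not code from the talk or the operator. Names,
namespace and image are constructed; API versions, the on-node path and the
namespace label are assumptions to check against your operator version.
"""
import json

API_GROUP = "security-profiles-operator.x-k8s.io"
ARCHES = ["SCMP_ARCH_X86_64", "SCMP_ARCH_X86", "SCMP_ARCH_X32"]


def seccomp_profile_cr(name, namespace, allowed_syscalls):
    """SeccompProfile CR: same content as a kubelet JSON profile, but stored in
    the API server so the operator can write it to every node."""
    return {
        "apiVersion": f"{API_GROUP}/v1beta1",
        "kind": "SeccompProfile",
        "metadata": {"name": name, "namespace": namespace},
        "spec": {
            "defaultAction": "SCMP_ACT_ERRNO",
            "architectures": ARCHES,
            "syscalls": [{"names": sorted(set(allowed_syscalls)), "action": "SCMP_ACT_ALLOW"}],
        },
    }


def localhost_profile_path(profile_cr):
    """Path, relative to the kubelet seccomp root, that pods use to reference
    the profile once the operator has written it to the node (assumed layout)."""
    md = profile_cr["metadata"]
    return f"operator/{md['namespace']}/{md['name']}.json"


def node_profile_json(profile_cr):
    """What the operator writes to disk: the CR spec as a plain seccomp profile."""
    return json.dumps(profile_cr["spec"], indent=2)


def profile_binding_cr(name, namespace, profile_cr, image):
    """ProfileBinding: the operator's mutating webhook injects the referenced
    profile into new pods in `namespace` whose container image matches `image`,
    so no pod spec has to mention the profile at all."""
    return {
        "apiVersion": f"{API_GROUP}/v1alpha1",
        "kind": "ProfileBinding",
        "metadata": {"name": name, "namespace": namespace},
        "spec": {
            "profileRef": {"kind": profile_cr["kind"], "name": profile_cr["metadata"]["name"]},
            "image": image,
        },
    }


def pod_using_profile(name, namespace, image, profile_cr):
    """Explicit alternative to a binding: a pod that names the operator-managed file."""
    return {
        "apiVersion": "v1",
        "kind": "Pod",
        "metadata": {"name": name, "namespace": namespace},
        "spec": {
            "securityContext": {
                "seccompProfile": {
                    "type": "Localhost",
                    "localhostProfile": localhost_profile_path(profile_cr),
                }
            },
            "containers": [{"name": name, "image": image}],
        },
    }


if __name__ == "__main__":
    # Assumed namespace. The binding webhook only acts in labelled namespaces;
    # at the time of writing that is `kubectl label ns shop spo.x-k8s.io/enable-binding=`
    # (verify the label against your operator's documentation).
    ns, image = "shop", "nginx:1.25"
    profile = seccomp_profile_cr("web", ns, ["read", "write", "openat", "close", "exit_group"])
    binding = profile_binding_cr("web-binding", ns, profile, image)
    for obj in (profile, binding, pod_using_profile("web", ns, image, profile)):
        print(json.dumps(obj, indent=2))
    print("node file:", "/var/lib/kubelet/seccomp/" + localhost_profile_path(profile))
    print(node_profile_json(profile))
```

The binding is what makes the demo work without touching the deployment: any new pod in the namespace whose container runs nginx:1.25 gets the Localhost profile injected by the webhook. The same pattern applies to the operator's AppArmor and SELinux profile resources, which is why the talk presents it as the way to automate all three mechanisms.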

#8 (about 8 minutes)

Demo of troubleshooting SELinux permissions

A practical demonstration shows how SELinux denies access by default and how to use audit logs and tools like `audit2allow` to diagnose and create new policies.
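
Covering both the SELinux context section and this troubleshooting demo, the following is an added example (not the speakers' code) that parses SELinux labels, checks the MCS category rule that isolates one container's files from another, and turns AVC denial lines from a constructed audit log into candidate allow rules the way audit2allow does. Treat the generated rules as a diagnosis rather than a fix: for a container that cannot read a host directory, relabelling the data with container_file_t (or mounting the volume with the :Z option) is usually the right answer, and loosening container_t is the wrong one.

```python
"""Parse SELinux labels, check MCS isolation, and generate audit2allow-style
rules from AVC denials.

Added example for this page, not the speakers' code. SAMPLE_AUDIT_LOG is
constructed. generate_allow_rules() is a simplified audit2allow: one allow
rule per (source type, target type, class) with the union of denied
permissions. Review such rules before loading anything into the policy.
"""
import re
from collections import defaultdict


def parse_context(label):
    """'user:role:type:level' -> dict; the level defaults to s0 if absent."""
    parts = label.split(":", 3)
    if len(parts) < 3:
        raise ValueError(f"not a SELinux context: {label!r}")
    level = parts[3] if len(parts) == 4 else "s0"
    return {"user": parts[0], "role": parts[1], "type": parts[2], "level": level}


def parse_level(level):
    """'s0:c12,c34' -> (0, {12, 34}); 's0' -> (0, set()).

    A range such as 's0-s0:c0.c1023' is reduced to its high end (the
    clearance) and 'c0.c1023' expands to the whole category span.
    """
    if "-" in level:
        level = level.split("-", 1)[1]
    sens, _, cats = level.partition(":")
    categories = set()
    for item in filter(None, cats.split(",")):
        if "." in item:
            lo, hi = item.split(".", 1)
            categories.update(range(int(lo[1:]), int(hi[1:]) + 1))
        else:
            categories.add(int(item[1:]))
    return int(sens[1:]), categories


def dominates(subject_level, object_level):
    """MCS rule: a subject may touch an object only if its sensitivity is at
    least the object's and its category set contains all of the object's."""
    s_sens, s_cats = parse_level(subject_level)
    o_sens, o_cats = parse_level(object_level)
    return s_sens >= o_sens and o_cats <= s_cats


# Constructed audit records: a container that cannot read a var_t directory
# and cannot bind port 8080. Non-AVC records are present on purpose.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1700000000.123:456): avc:  denied  { read } for  pid=4242 comm="nginx" name="index.html" dev="vda1" ino=1337 scontext=system_u:system_r:container_t:s0:c12,c34 tcontext=system_u:object_r:var_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1700000000.123:456): arch=c000003e syscall=257 success=no exit=-13 comm="nginx"
type=AVC msg=audit(1700000000.124:457): avc:  denied  { open } for  pid=4242 comm="nginx" path="/srv/site/index.html" dev="vda1" ino=1337 scontext=system_u:system_r:container_t:s0:c12,c34 tcontext=system_u:object_r:var_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.200:458): avc:  denied  { name_bind } for  pid=4242 comm="nginx" src=8080 scontext=system_u:system_r:container_t:s0:c12,c34 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket permissive=0
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def parse_avc(log_text):
    """Yield one dict per AVC denial record; other record types are skipped."""
    for line in log_text.splitlines():
        if "type=AVC" not in line:
            continue
        m = AVC_RE.search(line)
        if m:
            yield {
                "perms": set(m.group("perms").split()),
                "source": parse_context(m.group("scontext")),
                "target": parse_context(m.group("tcontext")),
                "tclass": m.group("tclass"),
            }


def generate_allow_rules(log_text):
    """Collapse denials into rules such as 'allow container_t var_t:file { open read };'."""
    perms_by_key = defaultdict(set)
    for d in parse_avc(log_text):
        key = (d["source"]["type"], d["target"]["type"], d["tclass"])
        perms_by_key[key] |= d["perms"]
    return [
        f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
        for (src, tgt, cls), perms in sorted(perms_by_key.items())
    ]


if __name__ == "__main__":
    print("same container:", dominates("s0:c12,c34", "s0:c12,c34"))
    print("other container:", dominates("s0:c12,c34", "s0:c56,c78"))
    print("shared volume (:z):", dominates("s0:c12,c34", "s0"))
    for rule in generate_allow_rules(SAMPLE_AUDIT_LOG):
        print(rule)
```

The dominance checks explain the two volume label options: a volume relabelled with the pod's own categories (the :Z option) is reachable by that container only, while one labelled with a plain s0 (the :z option) is dominated by every container's level and so is shared. In Kubernetes you can pin the categories yourself with `securityContext.seLinuxOptions.level: "s0:c12,c34"` when two pods must share data. The generated rule for var_t is the kind of output the demo reviews and then rejects in favour of relabelling; the tcp_socket rule points at a port type, which is better handled with semanage port than by widening container_t.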

#9 (about 8 minutes)

Q&A on AppArmor, fileless attacks, and eBPF

The speakers answer audience questions about applying AppArmor profiles, the nature of fileless malware, discovering system calls, and the role of eBPF.
