September 27-30, 2021
Seattle, Washington, USA + Virtual

The Sched app allows you to build your schedule but is not a substitute for your event registration. You must be registered for Open Source Summit + Embedded Linux Conference + OSPOCon 2021 to participate in the sessions. If you have not registered but would like to join us, please go to the event registration page to purchase a registration.

This schedule is automatically displayed in Pacific Daylight Time (UTC -7). To see the schedule in your preferred timezone, please select from the drop-down menu to the right, above "Filter by Date." The schedule is subject to change.

IMPORTANT NOTE: Timing of sessions and room locations are subject to change.

Cloud Infrastructure
Monday, September 27
 

3:50pm PDT

(VIRTUAL) Dynamic Authorization and Policy Control for Your Kubernetes Cluster - Ash Narkar, Styra, Inc
When you adopt Kubernetes for production, how do you, a cluster administrator, enforce requirements from security and compliance teams? Like most systems, you put guardrails on the cluster to limit how teams (ab)use the cluster, but with Kubernetes those guardrails look quite different because Kubernetes differentiates runtime-state (what is actually happening) and desired-state (what is supposed to happen). Treating desired-state as separate from runtime enables you to put guardrails on the instructions developers give to Kubernetes and in so doing avoid runtime problems even before they happen. Kubernetes is simply too flexible to hand over to even relatively small teams without basic guardrails like ensuring images are pulled from trusted repositories. We discuss the mechanism the Kubernetes team developed to make it feasible to add desired-state security policies: Admission Control. We will also show how the Open Policy Agent (OPA) provides a declarative approach to Admission Control to enforce custom policies on Kubernetes objects without modifying any Kubernetes components. Finally, we will end with a list of architectural best practices, and we hope that our audience will be able to leverage OPA for implementing desired-state security policies for the Kubernetes API.

Speakers

Ash Narkar

Software Engineer, Styra
Ash Narkar is a maintainer of the Open Policy Agent project. Ash has over 5 years of experience working on large-scale distributed systems. Ash is a Senior Software Engineer at Styra, Inc. working on OPA development and integrations. Previously he was a Principal Engineer at Verizon...


Monday September 27, 2021 3:50pm - 4:40pm PDT
MeetingPlay Platform + Virtual Learning Lab
 
Tuesday, September 28
 

12:00pm PDT

(IN-PERSON) Kubernetes is Open by Default, Use Open Source to Secure - Alexander Lawrence, Sysdig
There’s a false sense that containerized applications are inherently secure. It is true that:
- Containers can make your environment more secure.
- Isolated, well-understood processes can have a smaller attack surface.
- Cloud native solutions can offer more intelligent, more agile management than legacy infrastructure.

Kubernetes brings many security advantages, due to the software-defined nature of the workloads. However, mistakes in configuration happen and vulnerabilities are always being discovered. In this session, we will discuss protecting different attack vectors of your cloud workloads and infrastructure by seeing how Cloud Custodian, Falco, Trivy, and KubeAudit help secure modern day workloads.

Speakers

Alexander Lawrence

Principal Solutions Engineer, Sysdig
Alex Lawrence is a Principal Solutions engineer at Sysdig. Alex has an extensive history working in the datacenter as well as with the world of DevOps. Prior to moving into a solutions role, Alex spent a majority of his time working in the world of OSS on identity, authentication...


Tuesday September 28, 2021 12:00pm - 12:50pm PDT
Room 301

4:00pm PDT

(IN-PERSON) Zero-Trust Supply Chain Security with Sigstore, TektonCD and SPIFFE - Dan Lorenc, Google
Supply-chain security has lagged behind network and service security for years, but it's time to fix that! Zero-trust technologies have dramatically improved enterprise security, but haven't been applied to supply-chain security yet. Traditionally, workload security relied on trusted "perimeters". Firewalls, internal networks and physical security provided defense against attackers by keeping them out. This type of architecture is simple and effective when all assets are in one place, the firewall doesn't need many holes and all hardware is on the same physical network. This obviously isn't true today. The workplace is distributed. Devices are mobile and environments are ephemeral. Enter zero-trust security. Zero-trust focuses on protecting assets, not perimeters. Services authenticate users against hardware instead of network endpoints. Users authenticate with MFA and devices authenticate with hardware-roots-of-trust. The end result is a system focused on fine-grained access control. Instead of trusting everything on a network, you control exactly which users and systems have access to which services. This presentation explores how zero-trust can be applied to build systems **today**, with working demos of the Sigstore, TektonCD and SPIFFE/SPIRE projects.

Speakers

Dan Lorenc

CEO, Chainguard
Dan has been working on and worrying about containers since 2015 as an engineer and manager. He started projects like Minikube, Skaffold, and Kaniko to make containers easy and fun, then got so worried about the state of OSS supply-chains he partnered up with Kim and others to f...


Tuesday September 28, 2021 4:00pm - 4:50pm PDT
Room 301
 
Wednesday, September 29
 

1:45pm PDT

(VIRTUAL) Lessons from Running One of the Largest CTFs - Stephane Graber, Canonical Ltd.
NorthSec started as a yearly on-site Capture The Flag security event in Montreal. Over the years, it has grown to close to a thousand attendees representing as many as 80 teams, while also developing a large conference and a selection of professional trainings on the side. This 3-day CTF is somewhat unique for providing a completely distinct infrastructure for each participating team, in theory making it impossible for one team to affect any of the others, all while providing sometimes hundreds of different virtual servers and services for a team to attack. Providing all of that, to every team, in a reliable, fair and safe way has at times been a bit of a struggle. This talk will be going over the past few editions, looking both at the infrastructure used to provide the CTF and how it evolved as well as the various bugs and configuration issues that were encountered. This covers all kinds of interesting problems: Linux kernel bugs, container namespacing issues, resource limits working in odd ways, information leakage and network and storage tuning. Those lessons are in no way specific to operating a CTF and should be of interest for anyone running a very large set of containers in production, especially when untrusted and/or malicious users are involved!

Speakers

Stephane Graber

Project leader for LXD, Canonical Ltd.
Stéphane Graber is the upstream project leader for LXC and LXD at Canonical and a frequent speaker and track leader at events related to containers and Linux. Stéphane is a longtime contributor to the Ubuntu Linux distribution as an Ubuntu core developer and previous Ubuntu technical...



Wednesday September 29, 2021 1:45pm - 2:35pm PDT
MeetingPlay Platform + Virtual Learning Lab
  Cloud Infrastructure, Container & Infrastructure Security

4:55pm PDT

(VIRTUAL) Zero Trust Cloud VPN Based on VPP and WireGuard - Hongjun Ni & Fan Zhang, Intel
Users, devices, applications and data are moving outside the traditional enterprise perimeter. A successful digital transformation demands a zero trust security model. This presentation will introduce a Zero Trust, Scalable Cloud VPN based on VPP and WireGuard, which shows high performance, scalability and end-to-end security. It can be used as K8s Cloud VPN and Edge VPN. This talk will cover the key points below:
1) Implements a Zero Trust software Cloud VPN on VPP.
2) Implements VPP-based WireGuard protocol with high performance.
3) Leverages IPsec-MB library/AVX512 vector instructions and cryptographic hardware offloading to accelerate WireGuard HASH functions and Chacha20-Poly1305 cryptographic operations.
4) Service Discovery and Key Management to build up zero trust networking automatically.

Speakers

Fan Zhang

VPP and DPDK Crypto Tech lead, Intel
Zhang Fan, born in Changsha, Hunan province, holds a PhD in Network Information Security from University of Limerick. He is now a network software engineer in Intel Ireland. Fan has published 3 international journals and conference papers indexed by SCI/EI and is one of the authors...

Hongjun Ni

Technical Leader, Intel
Hongjun Ni has been focusing on Cloud Networking and Network Security. He is FD.io VPP Maintainer, UDPI Project Lead, Sweetcomb Project Lead and NSH_SFC Project Lead. He has fifteen years' rich experience on Cloud Networking, Network Security, SmartNIC and Wireless. He has given 20...



Wednesday September 29, 2021 4:55pm - 5:45pm PDT
MeetingPlay Platform + Virtual Learning Lab
 
