<!-- .slide: data-background="images/chuttersnap-fN603qcEA7g-unsplash.jpg" class="vertical-center" style="padding: 1em 1em 1em 1em; color: white; background: rgba(0, 0, 0, 0.5); width: 90%; margin: auto;" --> # Kubernetes Security<br/>Platform-as-a-Service *Nicholas Dille, Haufe Group* <i class="fa-brands fa-docker" style="width: 1.5em; text-align: center;"></i> Docker Captain <i class="fa-brands fa-windows" style="width: 1.5em; text-align: center;"></i> Microsoft MVP <i class="fa-brands fa-twitter" style="width: 1.5em; text-align: center;"></i> [@nicholasdille](https://twitter.com/nicholasdille) <i class="fa-brands fa-mastodon" style="width: 1.5em; text-align: center;"></i> [@nicholasdille@freiburg.social](https://freiburg.social/@nicholasdille)

## Kubernetes Platform Kubernetes is an ops platform Requires interface between dev and ops discipline  <!-- .element: style="width: 70%; padding-top: 0.5em;" --> ### Flavours Cluster-as-a-Service Namespace-as-a-Service --- ## Operational responsibility Who owns the Kubernetes platform?  <!-- .element: style="float: right; width: 35%; padding-top: 0.5em;" --> ### Inside team Vague separation of concerns Administrative permissions available to all team members  <!-- .element: style="float: right; width: 35%; padding-top: 0.5em;" --> ### Outside team Strict separation of concerns Delegation of necessary permissions --- ## Security <i class="fa-duotone fa-shield-keyhole fa-8x"></i> <!-- .element: style="float: right;" --> Omnipresent topic ### Many aspects Separation of concerns Isolation of components Vulnerability tracking Automated updates Dependency updates --- ## Agenda Part 1: Platform-as-a-Service (2023-04-24) - <span class="fa-li"><i class="fa-duotone fa-object-ungroup"></i></span> Namespaces - <span class="fa-li"><i class="fa-duotone fa-scale-balanced"></i></span> RBAC and <i class="fa-duotone fa-people-arrows"></i> Impersonation - <span class="fa-li"><i class="fa-duotone fa-user-police-tie"></i></span> Service Accounts - <span class="fa-li"><i class="fa-duotone fa-castle"></i></span> Pod Security Standards <!-- .element: class="fa-ul" --> Part 2: Network Policies (2023-05-03) <!-- .element: style="color: grey;" --> Part 3: Policies (2023-05-10) <!-- .element: style="color: grey;" --> Part 4: Supply Chain Security (2023-05-17) <!-- .element: style="color: grey;" --> ### Hourly breaks <i class="fa fa-mug-hot"></i>

<!-- .slide: class="center" --> ## <i class="fa-duotone fa-object-ungroup"></i> Namespaces

<!-- .slide: class="center" --> ## <i class="fa-duotone fa-scale-balanced"></i> Role-Based Access Control

<!-- .slide: class="center" --> ## <i class="fa-duotone fa-people-arrows"></i> RBAC Impersonation

<!-- .slide: class="center" --> ## <i class="fa-duotone fa-user-police-tie"></i> Service Accounts

<!-- .slide: class="center" --> ## <i class="fa-duotone fa-file-certificate"></i> Certificate Authentication

<!-- .slide: class="center" --> ## <i class="fa-duotone fa-shoe-prints"></i> Auditing

<!-- .slide: class="center" --> ## <i class="fa-duotone fa-castle"></i> Pod Security Standards

## Summary - <span class="fa-li"><i class="fa-duotone fa-object-ungroup"></i></span> Namespaces do not provide hard boundaries - <span class="fa-li"><i class="fa-duotone fa-scale-balanced"></i></span> RBAC is hard to control - <span class="fa-li"><i class="fa-duotone fa-people-arrows"></i></span> RBAC impersonation protect from mistakes - <span class="fa-li"><i class="fa-duotone fa-shoe-prints"></i></span> Auditing helps to find loop holes - <span class="fa-li"><i class="fa-duotone fa-castle"></i></span> Pod Security can be enforced <!-- .element: class="fa-ul" --> ### Upcoming webinars 2023-05-03 - Network Policies 2023-05-10 - Policies 2023-05-17 - Supply Chain Security