Level: Technical


There’s a lot of things to get right in order to have a Kubernetes environment your developers can use. Let’s try and figure out how they will do that, which tools they will use, and how will those tools impact your organization from a security perspective. In this talk, we’ll cover parts of Kubernetes attack surface from a development standpoint, tools your developers might want to use when interacting with Kubernetes clusters, and the overall impact making your clusters a part of your organization’s development workflow might have on your security posture.

Full description:

The Kubernetes ecosystem is broad, which in turn gives us an interesting and broad attack surface. We start off with a short introduction about Kubernetes and the state of Kubernetes security (in broad strokes). From there, we move into the motivation for this talk; one particular area in Kubernetes security that is not often looked at are the applications that developers use in order to improve their development experience. We will explore the “why” behind this motivation of bringing third-party tools into the development process and take a critical look at such applications.

We will look at the security evaluation process for bringing in new tools/applications into your Kubernetes environment. How should you choose what is brought into your environment, and what should that decision making process/guidelines look like from a security perspective? How much freedom do (or should) the developers really have? Where’s the thin line between productivity and opening an entirely new layer of attack surface? What is the current state of security of the commonly used tooling? How can we help developers in choosing a reasonable security baseline when evaluating software? How can we improve processes so that such software is brought in and security vetted at a company level?


Igor Vuk is a system administrator with a soft spot for Python, SELinux and Kubernetes. He thinks that software-defined things are the bee’s knees.

Tonimir Kišasondi juggles his time between running a consultancy and making and breaking new shiny stuff. He loves appsec, go, coffee and secure software/hardware.

Comments are closed.