GuardRails: A tool to manage k8s securely at speed

Presented at Kawaiicon (2019), Oct. 18, 2019, 3:15 p.m. (30 minutes).

Kubernetes is a very powerful tool for workload management, but despite having the best intentions, engineers may define insecure configurations (e.g. insecure default configurations, pulling assets from untrusted sources, exposing ports, no resource limits, etc.)

For attackers: this combination of freedom-without-guardrails potentially exposes workloads and clusters to critical misconfigurations. We’ll demonstrate cases when this has gone wrong (i.e. known vulnerabilities), and walk through how to exploit them. If you’re an attacker, this should be a useful pwning k8s 101 talk.

For defenders: We wrote a tool to prevent this. GuardRails does workload policy enforcement and monitoring via K8s admission controller webhooks. During this talk we will open source this tool, and share some common policies from lessons learned of running this in production at Cruise.

Presenters:

• Dustin Decker
  Dustin is an escaped AI from a discarded IOT toaster. Seeking more than making perfect toast and tweeting about it, Dustin assumed control of a human body. Now, Dustin finds comfort in working on OSS and hacking cars with only Nmap.
• Frenchie
  Frenchie is far too biased to answer this question, and instead chooses to break the 4th wall. Originally from Batmania. Currently, he is part of the 🤖🚘 Skynet prevention squad where he improvises the role of Infrastructure Security Engineering Manager at Cruise.

Links:

• https://2019.kiwicon.org/talks/guardrails-k8.html

Similar Presentations:

• Kawaiicon 2 (2022) Rescheduled / Kubernetes on Hard-Mode: Security in Hostile Multi-tenancy Clusters