Loading…
Timezone
In-person + Virtual
October 24-28
Learn More and Register to Attend

The Sched app allows you to build your schedule but is not a substitute for your event registration. You must be registered for KubeCon + CloudNativeCon North America 2022 to participate in the sessions. If you have not registered but would like to join us, please go to the event registration page to purchase a registration.

Please note: This schedule is automatically displayed in Eastern Daylight Time (UTC -4). To see the schedule in your preferred timezone, please select from the drop-down menu to the right, above "Filter by Date." The schedule is subject to change.
Back To Schedule
Wednesday, October 26 • 2:30pm - 3:05pm
Using the EBPF Superpowers To Generate Kubernetes Security Policies - Mauricio Vásquez Bernal & Alban Crequy, Microsoft

Sign up or log in to save this to your schedule, view media, leave feedback and see who's attending!

Tweet Share
Feedback form is now closed.


Kubernetes has several security mechanisms that can be used to secure your applications: - limit network connectivity with network policies - block some system calls with seccomp profiles - restrict access to some Linux capabilities in security contexts Defining those policies is difficult. It usually happens that the team defining them is not the one that created the application, hence they might not have a good enough view of the architecture to know how to write them. We will present and demo different ways to automatically generate the 3 different kind of policies mentioned above by monitoring the application's events with the following eBPF-based tools: - Inspektor Gadget - Kubernetes Security Profiles Operator - oci-seccomp-bpf-hook We'll discuss the limitations of this approach and the future ahead of these tools. Finally, we will explain how applications can be audited to see if the security policies are respected.
Speakers
avatar for Alban Crequy

Alban Crequy

Principal Software Engineer, Microsoft
Alban is Principal Software Engineer at Microsoft. He has a particular interest in integrating BPF into Kubernetes. He is a maintainer of Inspektor Gadget, a set of tools introspecting and debugging Kubernetes applications using BPF.
avatar for Mauricio Vásquez Bernal

Mauricio Vásquez Bernal

Software Engineer, Microsoft
Mauricio works as a software engineer in the Kinvolk team at Microsoft. He is mainly interested in eBPF, Kubernetes, networking and tracing technologies. He has been working with eBPF for some years now. Currently he focuses on developing tools for debugging and observability on cloud... Read More →

Using eBPF Superpowers to generate Kubernetes Security Policies pdf
Wednesday October 26, 2022 2:30pm - 3:05pm EDT
420 AB
  Security + Identity + Policy