How to Address Container Misconfiguration with Kubernetes API Firewall

Presented by

Ran Ilany, CEO & Co-Founder, and Alexei Kravtsov, R&D Team Lead, Portshift

About this talk

An innovative approach to Kubernetes security. With the rising adoption of Kubernetes, the need for security is increasing as well. If the keys to your Kubernetes environment fall into the wrong hands, your entire runtime is in jeopardy. Kubernetes brings plenty of benefits, but it also brings risks to consider. Kubernetes API server resources can be accessed through a set of APIs either by an external user or by a pod within the cluster, using its service account credentials and permissions. Kubernetes defines permissions to access resources using RBAC, which records which users, groups and service accounts can access which resources, and with which exact actions. Creating RBAC rules requires the complex manual work of mapping service accounts, roles/cluster roles and actions through role/cluster role bindings. This usually results in at least some misconfiguration, or even no rules at all, so that privileges are left wide open and cluster admins are left unaware.

Our webinar will review the challenges of setting Kubernetes RBAC rules and the major security risks that misconfigurations can cause, and will present ways to overcome these pitfalls. We will also demo an easy way to review RBAC permissions and their associated risk scope with Portshift, cover a runtime audit of API usage, and show an advanced, automatic method to enforce API policy for who can access what, where, and with which action.

Key discussion points:

1. The importance of securing K8s RBAC permissions
2. A comparison of current siloed offerings
3. The advantages of having the workload identity at runtime
4. Review and live demo of Portshift's K8s API server protection
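As an added example (not Portshift's product or code), the following Python script performs the kind of RBAC review the abstract describes on a handful of constructed manifests: it joins Role/ClusterRole rules to their bindings and flags wildcard grants, access to sensitive resources and privilege-escalation verbs, reporting which subject receives each grant and at what scope. The role, binding and service account names (`wide-open`, `web`, and so on) are constructed for the example.

```python
# Added example, not Portshift's code: an offline reviewer for the RBAC pitfalls the abstract
# describes. Object shapes follow rbac.authorization.k8s.io/v1; the manifests are constructed.
SENSITIVE = {"secrets", "pods/exec", "clusterroles", "clusterrolebindings", "roles", "rolebindings"}
ESCALATION_VERBS = {"bind", "escalate", "impersonate"}

def rule_findings(rule):
    """Findings for one PolicyRule dict; an empty list means nothing notable."""
    verbs, resources = set(rule.get("verbs", [])), set(rule.get("resources", []))
    out = []
    if "*" in verbs and "*" in resources:
        out.append("all verbs on all resources (cluster-admin equivalent)")
    elif "*" in verbs or "*" in resources:
        out.append(f"wildcard grant: verbs {sorted(verbs)} on resources {sorted(resources)}")
    out += [f"{sorted(verbs)} on sensitive resource {r}" for r in sorted(resources & SENSITIVE)]
    out += [f"escalation verb '{v}' on {sorted(resources)}" for v in sorted(verbs & ESCALATION_VERBS)]
    return out

def review(objects):
    """Join (Cluster)RoleBindings to their roles; one row per subject, role and finding."""
    roles = {(o["kind"], o["metadata"].get("namespace"), o["metadata"]["name"]): o.get("rules", [])
             for o in objects if o["kind"] in ("Role", "ClusterRole")}
    rows = []
    for b in (o for o in objects if o["kind"] in ("RoleBinding", "ClusterRoleBinding")):
        ref, ns = b["roleRef"], b["metadata"].get("namespace")
        # A RoleBinding may reference a ClusterRole, but grants it only inside its own namespace.
        rules = roles.get((ref["kind"], ns if ref["kind"] == "Role" else None, ref["name"]), [])
        scope = "cluster-wide" if b["kind"] == "ClusterRoleBinding" else f"namespace {ns}"
        for s in b.get("subjects", []):
            who = f'{s["kind"]} {s["namespace"] + "/" if "namespace" in s else ""}{s["name"]}'
            rows += [{"subject": who, "role": ref["name"], "scope": scope, "finding": f}
                     for rule in rules for f in rule_findings(rule)]
    return rows

SAMPLE_OBJECTS = [  # constructed for this example, not taken from any real cluster
    {"kind": "ClusterRole", "metadata": {"name": "wide-open"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "wide-open-binding"},
     "roleRef": {"kind": "ClusterRole", "name": "wide-open"},
     "subjects": [{"kind": "ServiceAccount", "name": "default", "namespace": "default"}]},
    {"kind": "Role", "metadata": {"name": "pod-reader", "namespace": "app"},
     "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]}]},
    {"kind": "Role", "metadata": {"name": "secret-reader", "namespace": "app"},
     "rules": [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list"]}]},
    {"kind": "RoleBinding", "metadata": {"name": "web-pods", "namespace": "app"},
     "roleRef": {"kind": "Role", "name": "pod-reader"},
     "subjects": [{"kind": "ServiceAccount", "name": "web", "namespace": "app"}]},
    {"kind": "RoleBinding", "metadata": {"name": "web-secrets", "namespace": "app"},
     "roleRef": {"kind": "Role", "name": "secret-reader"},
     "subjects": [{"kind": "ServiceAccount", "name": "web", "namespace": "app"}]},
]
```

Calling `review(SAMPLE_OBJECTS)` reports the default service account holding a cluster-admin-equivalent grant cluster-wide and the `web` service account reading secrets in namespace `app`, while the read-only pod binding produces no finding.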

Portshift is a Kubernetes-native security leader that leverages the power of Kubernetes and service mesh to deliver a single source of truth for the protection of containers and cloud-native applications. Portshift is the only solution offering an agentless approach, with a single Kubernetes admission controller for seamless integration.