CoreOS Fest 2017 has ended
Thursday, June 1 • 1:50pm - 2:30pm
Using Kubernetes in Hostile Networks - Bryan Richardson, Dark3 Inc.

We (Dark3, Inc. DBA Dark Cubed - https://darkcubed.com) pride ourselves in being a different type of cyber security company that is cheaper, easier to deploy, and faster to innovate. One of the ways we've been able to do this is by deploying our network security appliances as Kubernetes nodes. However, this came with a new security risk: operating our appliances as Kubernetes nodes in environments wherein we do not maintain full physical control of the appliances once they are deployed exposes our Kubernetes cluster authentication token to anyone with physical access to our appliances (via single-user mode, coreos.autologin mode, etc.). Thus, we needed a way to limit the impact of a bad actor gaining access to an authentication token present on an appliance. Our approach to this is to sandbox each Dark Cubed customer in their own namespace and limit the scope of a customer's appliance token (the "default" service account token for their namespace) to the bare minimum necessary to access resources and run pods in that namespace using Kubernetes role-based access control (RBAC).

This talk will highlight the advantages we've seen in running our appliances as Kubernetes nodes on Container Linux, describe the bare minimum access requirements we identified for sandboxing customers in namespaces, how we went about identifying them, and the resulting RBAC resources and procedures we developed for securely deploying Dark Cubed customer appliances.
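The namespace sandbox described above, as an added example that is not from the talk or from Dark Cubed: a namespace-scoped Role bound to that namespace's "default" service account, so a token lifted from one appliance only reaches that customer's namespace. The namespace name "customer-a" and the verb list are assumptions; the talk's actual "bare minimum" set is not reproduced on this page.

```yaml
# Added example (not the talk's or Dark Cubed's own manifests).
# "customer-a" and the exact verbs are assumptions for illustration.
apiVersion: v1
kind: Namespace
metadata:
  name: customer-a
---
# A Role (not a ClusterRole) is namespace-scoped: nothing granted here can
# reach objects in any other customer's namespace or cluster-wide resources.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: appliance-minimal
  namespace: customer-a
rules:
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["get", "list", "watch", "create", "delete"]
  - apiGroups: [""]
    resources: ["pods/log"]
    verbs: ["get"]
  - apiGroups: [""]
    resources: ["configmaps"]
    verbs: ["get", "list", "watch"]
  # Deliberately absent: secrets, nodes, wildcard ("*") resources or verbs,
  # and any RoleBinding that references a ClusterRole such as "admin" or "edit".
---
# Bind the namespace's "default" service account, i.e. the token that is
# actually present on the deployed appliance.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: appliance-minimal
  namespace: customer-a
subjects:
  - kind: ServiceAccount
    name: default
    namespace: customer-a
roleRef:
  kind: Role
  name: appliance-minimal
  apiGroup: rbac.authorization.k8s.io
```

With the cluster's authorization mode set to RBAC and no other bindings for that subject, the scope can be checked by impersonation: `kubectl auth can-i list pods -n customer-a --as=system:serviceaccount:customer-a:default` answers "yes", while the same command with `-n customer-b` or `kubectl auth can-i get secrets -n customer-a --as=...` answers "no".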


Bryan Richardson

CTO, Dark3, Inc.
Bryan Richardson is currently a husband, a father of two boys, and CTO of Dark3, Inc. His CTO duties at Dark3 include architecting and developing the Dark Cubed Platform, researching and testing new distributed system technologies, and every so often supporting red team activities...

Thursday June 1, 2017 1:50pm - 2:30pm
Secure/Wildcard Room
