OIDC and CICD: Why Your CI Pipeline Is Your Greatest Security Threat
Your CI/CD process is chock full of credentials, and almost anyone in your company has access to it. Configuring your CI correctly is vital to supply chain security. We discuss how to reduce that attack surface by enforcing proper branch permissions and using OIDC to reduce long-lived credentials and tie branches to roles.
Presented at SRECon 2024 and BSides Seattle 2024
Improving Secure Pod-to-Pod Communication Within Kubernetes Using Trust Bundles
New features are being added to Kubernetes which allow roots of trust to be specified for applications on a cluster. These mechanisms are being added as “trust bundles” (or trust anchor sets). We demonstrate the updates to our previous work in creating convenient mechanisms to provide certificates to every pod, give pods access to them, and use them for mutual authentication. Our work leverages work being done by the cert-manager project, the SPIFFE project and KEP-3257 for trust anchor sets to automate the creation of TLS certificates for every pod and establish patterns for mTLS. Finally, we compare and contrast this to current methods for providing cluster communication security (service meshes) and present areas for refinement. This is a significant rework of our previous presentation and software to work with changes to the Kubernetes ecosystem as the concepts have been refined and evolved.
Presented at Cloud Native Security Con NA 2023
Practical TLS Advice for Large Infrastructure
We will present practical advice for leveraging TLS to secure communications across your infrastructure. This applies to nodes and pods on Kubernetes or on other large deployment infrastructure. The current tool set for large infrastructure leaves various gaps in deploying TLS and also causes friction within your infrastructure.
Protocols like ACME and tools like service meshes provide some support for distributing certificates but do not help with the larger problems of certificate authority architecture, nor provide advice for how to build certificates that strengthen your security posture.
PKI can be used to reduce security risks and simplify reporting. Public key infrastructure can be used to identify services to one another with a very different set of tradeoffs than shared-secret infrastructure.
Presented at SRECon Americas 2021
Achieving Mutual TLS: Secure Pod-to-Pod Communication Without the Hassle
Security is important in almost all applications and TLS is used to secure communications between components and to end users or outside APIs. One difficulty with TLS can be managing certificates.
Presented at SRECon Americas 2020
Control Theory for SRE
Control Theory is a long and well-studied discipline in engineering. Nearly every large scale industrial process has dedicated control engineers, creating and maintaining safety and quality systems by assuring that parameters remain within bounds—or alerting appropriately.
This session will teach you how to create a PID (Proportional, Integral, Derivative) controller to autoscale your Kubernetes deployment based on a custom target. This controller ensures smooth scale-up and scale-down.
Presented at SRECon EMEA 2019