Anton Sankov
Senior Software Engineer at Cast AI
Sofia, Bulgaria
Anton is a Senior Software Engineer at Cast AI. At Cast AI, he is working on a product that aims to redefine the security landscape via automation. He has a strong engineering background, having previously worked at market leaders in multiple industries - from payments to cloud and infrastructure provisioning. The Kubernetes ecosystem interests him because of its elegant solutions to real-world problems and constant drive for innovation.
Overview of Kubernetes Security practices
Over the past years, security has become an important topic when speaking about Kubernetes. The reason is simple: Kubernetes has become the de facto development platform for many teams, and securing the platform is just as important as securing the applications running on top of it.
Kubernetes gives you many security constructs to choose from. This can be both a good and a bad thing. It is good because you get a lot of security instruments out of the box, and it is straightforward to enable and benefit from them. But it can also be bad because there are so many options that it is easy to get lost in them and become confused about what you need and what you don't. It can also give you a false sense of security.
Do you need to use both seccomp and AppArmor? Do you need to enable admission control if you use RBAC? What about NetworkPolicies and PodSecurityStandards? It is easy for a newcomer (and even a more mature user) to get lost in this sea of tools and terminology.
In this session, Anton will attempt to go over all existing security mechanisms, outline their use-cases, and explain where they overlap and where they complement each other.
Securing Kubernetes with Open Policy Agent
The security posture and configuration of our Kubernetes resources are essential if we care about our Kubernetes cluster (and workloads inside) being secure.
Kubernetes gives us the building blocks for implementing this security via extensible admission control and the ability to deploy custom checks for our resources.
However, writing everything from scratch is tedious, error-prone, and unnecessary when there are open-source projects that can do the job for us.
Two such projects are Open Policy Agent and Gatekeeper.
Open Policy Agent (OPA) is an open-source policy engine that uses the Rego language to express policies and evaluate them against our data (in this case, Kubernetes resources).
Gatekeeper is an open-source implementation of a validating webhook that uses OPA as a policy agent and CRDs for storing our configuration (policies).
These two combined give us a powerful, flexible, Kubernetes-native way to implement admission control for the resources in our cluster.
This presentation will go over this theory in greater detail, showing how these pieces fit together and why they are important in the first place. It will also include a practical demonstration of deploying and enforcing a policy.
Attendees will get the most value out of this presentation if they already have some experience with Kubernetes.
KubeHuddle Sessionize Event
OSCAL 2022
Securing Kubernetes with Open Policy Agent
Go 101 workshop, with Boris Stoyanov - https://github.com/asankov/go-101-workshop
Security BSides Sofia Sessionize Event
ISTA 2021
Next phases of Kubernetes - https://www.youtube.com/watch?v=yim8NnYjODY
HackConf 2021
Go 101 workshop, with Boris Stoyanov - https://github.com/asankov/go-101-workshop
DevConf 2020
Building the Twelve-Factor App - https://www.youtube.com/watch?v=xyeXx2qtfLI
Open Expo Europe
Building the Twelve-Factor App (no recording)