Overcoming CVE Shock Adding Perspective in Vulnerability Scanning by Ben Hirschberg

"You just have deployed your first Kubernetes cluster. You are about to make it accessible to your developers, but your CISO falls on you: he asks you to present all the measures taken to secure the cluster." We will start by auditing the technical configuration of a Kubernetes cluster in order to identify vulnerabilities and apply patches to technical components. We will continue with the exploitation of Kubernetes primitives to implement security mechanisms (RBAC, AdmissionController, NetworkPolicy, SecurityContext, ...). We will then enrich the cluster with Open Policy Agent, a rules engine allowing us to apply finer control than Kubernetes primitives. We will also integrate Falco, a behavior analyzer to detect suspicious actions performed within containers and at the Kubernetes API Server level. We will end with the implementation of a CI/CD pipeline integrating a vulnerability analysis carried out with Clair in order to detect compromised images during the build.