Cloud Flight Simulator Part 4: Least Privileged Pods with Kubernetes Workloads

Before you can help DevOps teams solve security problems and improve their security programs, you need to understand how they think, how they work, and the tools that they use.
In the final part of the Cloud Security Flight Simulator series, SEC540 lead author and instructor Eric Johnson teaches how to enable workload identity for AWS Elastic Kubernetes Service (EKS) and Azure Kubernetes Service (AKS).
Rather than issuing long-lived credentials to individual pods or letting pods inherit the node's excessive permissions, Kubernetes service accounts can use the cluster's built-in OpenID Connect (OIDC) provider to obtain a signed identity token (JWT). Cloud administrators then configure their identity services (AWS IAM, Microsoft Entra ID) to trust the cluster's OIDC provider and allow that specific service account to exchange its token for temporary, least-privilege cloud credentials. The trust relationship should pin both the expected audience and the token's subject (system:serviceaccount:<namespace>:<name>) so that a pod in another namespace using a service account of the same name cannot assume the role.
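The exchange described above, as an added example that is not code from the SANS video, from EKS or from AKS: a standard-library-only simulation of both sides of workload identity. The cluster's OIDC provider issues a projected service-account JWT signed with RS256; the cloud identity service side fetches the cluster's JWKS, verifies the signature, and checks issuer, audience, expiry and subject against a trust policy before releasing temporary credentials. The RSA key (toy size, generated in pure Python), the issuer URL, namespace, service-account name, role ARN and the simplified kubernetes.io claim are all constructed for this example.

```python
"""Added example (not from the SANS video or EKS/AKS code): stdlib-only simulation of the
workload-identity exchange. The cluster OIDC provider issues a projected service-account JWT; the
cloud identity service verifies RS256 against the cluster JWKS and checks iss/aud/exp/sub against a
trust policy. Key, issuer URL, namespace, service-account and role names are all constructed."""
import base64, hashlib, json, random, time

SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")  # PKCS#1 v1.5 DigestInfo

def b64url(b): return base64.urlsafe_b64encode(b).rstrip(b"=").decode()
def b64url_decode(s): return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _probable_prime(n, rounds=16):  # Miller-Rabin; toy key generation only
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1): continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1: break
        else:
            return False
    return True

def _random_prime(bits):
    while True:
        c = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _probable_prime(c):
            return c

def make_rsa_key(bits=512):  # toy size; EKS/AKS manage the real service-account signing key
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        n, phi = p * q, (p - 1) * (q - 1)
        if p != q and phi % e:
            return {"n": n, "e": e, "d": pow(e, -1, phi)}

def _emsa(msg, k):  # EMSA-PKCS1-v1_5 encoding of SHA-256(msg) as a k-byte integer
    t = SHA256_DIGESTINFO + hashlib.sha256(msg).digest()
    return int.from_bytes(b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t, "big")

def rs256_sign(key, msg):
    k = (key["n"].bit_length() + 7) // 8
    return pow(_emsa(msg, k), key["d"], key["n"]).to_bytes(k, "big")

def rs256_verify(jwk, msg, sig):
    n = int.from_bytes(b64url_decode(jwk["n"]), "big")
    e = int.from_bytes(b64url_decode(jwk["e"]), "big")
    k = (n.bit_length() + 7) // 8
    return len(sig) == k and pow(int.from_bytes(sig, "big"), e, n) == _emsa(msg, k)

class ClusterOIDCProvider:
    """Stands in for the issuer EKS/AKS publish under /.well-known/openid-configuration."""
    def __init__(self, issuer):
        self.issuer, self.kid, self.key = issuer, "sa-signer-1", make_rsa_key()

    def jwks(self):  # what the cloud IAM fetches once it trusts this issuer
        tb = lambda x: b64url(x.to_bytes((x.bit_length() + 7) // 8, "big"))
        return {"keys": [{"kty": "RSA", "use": "sig", "alg": "RS256", "kid": self.kid,
                          "n": tb(self.key["n"]), "e": tb(self.key["e"])}]}

    def issue_projected_token(self, namespace, sa, audience, ttl=3600, now=None):
        """Simplified projected SA token; real ones also carry pod and uid claims under kubernetes.io."""
        now = int(time.time()) if now is None else now
        claims = {"iss": self.issuer, "sub": f"system:serviceaccount:{namespace}:{sa}",
                  "aud": [audience], "iat": now, "exp": now + ttl,
                  "kubernetes.io": {"namespace": namespace, "serviceaccount": {"name": sa}}}
        head = b64url(json.dumps({"alg": "RS256", "kid": self.kid, "typ": "JWT"}).encode())
        body = b64url(json.dumps(claims).encode())
        return f"{head}.{body}." + b64url(rs256_sign(self.key, f"{head}.{body}".encode()))

def exchange_token(token, trusted_issuers, expected_audience, trust_policy, now=None):
    """Cloud IAM side: the checks behind AssumeRoleWithWebIdentity or an Entra ID federated credential.
    trusted_issuers maps issuer URL -> JWKS; trust_policy pins the one subject allowed to get the role."""
    deny = lambda reason: {"allowed": False, "reason": reason}
    try:
        h, b, s = token.split(".")
        header, claims = json.loads(b64url_decode(h)), json.loads(b64url_decode(b))
    except ValueError:
        return deny("malformed token")
    if header.get("alg") != "RS256": return deny("unexpected alg")  # never let the token pick 'none'/HS256
    jwks = trusted_issuers.get(claims.get("iss"))
    if jwks is None: return deny("issuer not trusted")
    jwk = next((k for k in jwks["keys"] if k["kid"] == header.get("kid")), None)
    if jwk is None or not rs256_verify(jwk, f"{h}.{b}".encode(), b64url_decode(s)):
        return deny("bad signature")
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now: return deny("expired")
    aud = claims.get("aud", [])
    if expected_audience not in (aud if isinstance(aud, list) else [aud]): return deny("audience mismatch")
    if claims.get("sub") != trust_policy["sub"]: return deny("subject not allowed by trust policy")  # "<iss>:sub"
    return {"allowed": True, "role": trust_policy["role"], "expires": now + 3600}

if __name__ == "__main__":
    cluster = ClusterOIDCProvider("https://oidc.eks.example.test/id/EXAMPLE01")  # constructed issuer URL
    trusted, aud = {cluster.issuer: cluster.jwks()}, "sts.amazonaws.com"
    policy = {"sub": "system:serviceaccount:payments:api", "role": "arn:aws:iam::123456789012:role/payments-api"}
    print(exchange_token(cluster.issue_projected_token("payments", "api", aud), trusted, aud, policy))
    print(exchange_token(cluster.issue_projected_token("dev", "api", aud), trusted, aud, policy))  # same SA name, wrong namespace
```

The second call in the usage block is the case the trust condition exists for: the token is genuine and correctly signed by the cluster, but the subject is system:serviceaccount:dev:api rather than the pinned payments namespace, so the exchange is refused. A cluster that merely claims the same issuer URL but holds a different key (a rogue or re-created cluster) fails the signature check because the JWKS on file belongs to the original cluster, which is why the trust should be re-established whenever a cluster is rebuilt.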
Explore the rest of the Cloud Flight Simulator Series:
Part 1: GitLab CI, Workflows, and Secrets
Part 2: Protecting Kubernetes Clusters with Admission
Part 3: Safeguarding the Software Supply Chain
About the Speaker: Eric Johnson
SANS Cloud Security focuses the deep resources of SANS on the growing threats to The Cloud by providing training, GIAC certification, research, and community initiatives to help security professionals build, deploy and manage secure cloud infrastructure, platforms, and applications.
Twitter: @SANSCloudSec