Thursday 21st & Friday 22nd June 2018
The Clayton Hotel, Cork City

David Gonzalez
Continuous delivery DevSecOps with Kubernetes: stay safe at the speed of light

Nowadays, Continuous Delivery is a must. Nobody starts a new application without asking: how can we make deployments as painless as possible? The only answer to it is Kubernetes. Full stop. Kubernetes is the solution to 99% of the problems in a software development/deployment pipeline because it was engineered for it.

The problem with CD pipelines is security: there are no standards for securing a CD pipeline, as it is something new and security takes time to catch up with the requirements.

Attack vectors

Docker and orchestration platforms like Kubernetes, as well as your process, introduce new attack vectors that you haven’t even thought of:

  • Flawed images
  • Shared volumes in containers exposing more than what they should
  • People deploying dangerous code into production (accidentally or intentionally)

We need to reinvent how we approach security in order to succeed in the large enterprise, ensuring that standards are at the same level as in a traditional software company. This can only be achieved by creating new tools (like I did with Gammaray) and improving your process: staying on the safe side while allowing your engineers to move as quickly as they can, by giving them early feedback on potential threats as well as training.

Mitigation

In order to mitigate the attack vectors stated above we need to get very creative, as DevOps is the Wild West of the 21st century. We need a combination of intellect and common sense to reduce its risks:

  • Security scanning
  • Four-eyes policies
  • Hardened configurations

In this talk, I will introduce the problem with real examples of how to compromise CD pipelines, as well as solutions to the attack vectors mentioned above. I will also demo the process of creating a Docker image with very high security standards, from an application that has already been scanned with Gammaray for vulnerabilities in its dependencies, and deploying it on a secured Kubernetes cluster without any obstruction to the engineering team, ensuring that we have visibility through the full process.

David Gonzalez

Consultant at nearForm

David is a DevOps enthusiast coming from a software engineering background who loves speaking at events.

He is the author of three books, and is planning a 4th one (DevSecOps pipelines).

He is also the only Google Developer Expert in Kubernetes in Europe. Nowadays, he is a consultant at nearForm who enjoys facing new challenges with customers that require help with software, infrastructure or security, helping them to achieve their goals in the best possible way.

David is an open source enthusiast who contributes to a number of projects and has created a few of them, such as:

  • Gammaray (vulnerability scanner)
  • Vishnu (circuit breaker for Kubernetes, in progress)
  • Visigoth (a load balancer with circuit breaker incorporated)

In his free time, he loves riding his bike and walking his dogs in green Ireland.
