Stack security: cluster policies, secrets management, and building trust

Guest:

  • Sam "Frenchie" Stewart

Discover the latest insights on cluster policy enforcement, secrets management, and building trust in software from Sam "Frenchie" Stewart, CEO at Ensignia.

In this interview, Frenchie will discuss:

  • The importance of admission control tools like OPA and Kyverno for policy enforcement in clusters and the necessity of strict RBAC to prevent misuse.

  • Effective secrets management: finding secrets committed to source with tools like TruffleHog, moving them into Kubernetes secrets, and then shortening credential lifetimes to reduce the impact of leaks.

  • Building trust in open-source software through secure update mechanisms (The Update Framework), signing and container image verification (Sigstore), OpenSSF Scorecard checks, and emerging government policy.

Transcription

Frenchie: Hi, my name is Frenchie and this is KubeFM.

Bart: What are three emerging Kubernetes tools that you are keeping an eye on?

Frenchie: The three tools that I'm keeping an eye on at the moment are in different spots. I think Tetragon from Isovalent. eBPF security is a really interesting space. So that's definitely one that I'm watching. gittuf has recently been active and is doing really cool stuff around building trust around Git. I think that's really cool. And then also directly involved or direct consumers of OpenSSF Scorecard. All the OpenSSF projects, GUAC, they're all great. But Scorecard is the one that I've been using the most recently. So certainly those three. Tetragon, gittuf, and OpenSSF Scorecard. If I can throw in a cheeky fourth, I'd definitely say GUAC as well.

Bart: One of our guests, Max, shared that he values Gatekeeper and the Open Policy Agent because they help ensure security by enforcing policies, especially in complex Helm charts. What's your advice on policing the cluster from bad practices? What tools or strategies have worked for you in the past that more people should be aware of?

Frenchie: Tools for administering policies and protecting against bad behavior in clusters. Admission control is a really powerful tool. What's worked for me in the past? A long time ago, we open-sourced a tool called k-rail, which was admission control. I think Kyverno may not have existed as a project when we started it, but nowadays OPA and Kyverno are absolutely great tools. I definitely recommend using them, with the big caveat that you should probably lock down RBAC. Updates to admission control configuration can do some really nasty stuff. I can pilfer all secrets. I can send a copy of whatever I want. I can mutate it in whatever way I want. So really powerful tools for good and evil, depending on your inclination.

Bart: Max also advocated using plain Kubernetes secrets, emphasizing their effectiveness in most scenarios. He shared how a threat model can support this reasoning and lead to simpler yet secure solutions. What is your advice on Kubernetes secrets? What worked for you in the past? And did you have a threat model to test against?

Frenchie: The threat model always depends on the organization itself. If you are coming from a world where you have no secrets management, you've just got secrets hard-coded in source control all over the place. Incremental steps forward, getting those tools out. There are great open-source tools like TruffleHog, for example, which let you find secrets in source and then move those into Kubernetes secrets. That's an incremental step forward. I'm all about practical, easy-to-use ways to improve security. But as an attacker, you often get access to the cluster and then you have access to the Kubernetes secrets. If they're long-lived secrets, well then, hey, that's a persistence mechanism that you can use later. I recommend moving towards shorter-lived credentials because it really does reduce the blast impact when inevitable leaks occur. Things like external operators for Vault to be able to inject short-lived secrets into clusters, big fan of that for sure. The threat model very much depends on the organization. There are a couple of different maturity levels I've covered there, but overall, secrets management is a super important story.

Bart: Kubernetes is turning 10 years old this year.

Frenchie: The stuff I'm personally most excited by is actually around building trust in software. At the moment, we stand on the shoulders of giants when we use open source software. We all pull in and rely on the amazing contributions of everyone around here, but it's a big ecosystem. Now we're also coming up against some of the challenges associated with where this stuff comes from and how we can know that we trust it. Unfortunately, organizations are getting compromised due to a lack of trust in some of the software we rely upon. Tools like The Update Framework for securely and in a trusted manner providing updates, the Sigstore and OpenSSF ecosystem around signing, container image verification, and OpenSSF Scorecard for providing qualitative checks. I think there's a really interesting emerging story. From the top down, there are a lot of policy changes from different countries around how this is actually a question of security to some extent. I think trust in software is going to be a fascinating topic of conversation and it's only going to get more important over the next 10 years.

Bart: What's next for you?

Frenchie: This is my first KubeCon, so still wandering around, seeing a lot of friends. I have not yet actually attended a talk, so I should catch at least one, but I've just been doing HallwayCon a lot, seeing lots of friends. So what's next for Ensignia? We're heads down hacking. We're an early-stage security startup at the moment. We've got some exciting stuff coming. We'd love to talk about it when the time's right, but right now it's just me writing a lot more front-end code than I ever thought I would. If there are any front-end developers out there, please hit me up.

Bart: How can people get in touch with you?

Frenchie: I'm on the internet. hello@ensignia.com is the easiest way, or nfFrenchie on Twitter. You usually see me posting out there.
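The admission-control discussion above makes two points: a validating webhook is the right place to reject bad practices such as privileged pods, and the webhook configuration itself is the crown jewels, because whoever can edit a MutatingWebhookConfiguration can copy or rewrite every object that passes through the API server. The following is an added, self-contained example written for this page; it is not code from k-rail, OPA or Kyverno. It evaluates Kubernetes AdmissionReview requests in the shape the API server sends them, rejecting privileged or host-namespace pods and refusing any create, update or delete of a webhook configuration by an identity outside a hard-coded allowlist. The allowlisted service accounts, the sample requests and their UIDs are constructed assumptions.

```python
"""Validating admission logic for the two rules discussed above.

Constructed example; mirrors the Kubernetes AdmissionReview request/response
objects but is not OPA, Kyverno or k-rail code. The allowlist and sample
requests are assumptions made for illustration.
"""

# Assumption: only these identities may create, change or delete admission
# webhook configurations. Everyone else, including humans with broad RBAC,
# is denied by this webhook (RBAC should still deny them first; see note).
WEBHOOK_CONFIG_EDITORS = {
    "system:serviceaccount:kyverno:kyverno-admission-controller",
    "system:serviceaccount:platform-security:policy-bootstrap",
}
WEBHOOK_CONFIG_KINDS = {"MutatingWebhookConfiguration", "ValidatingWebhookConfiguration"}


def _pod_violations(pod):
    """Return the reasons a Pod should be rejected (empty list means clean)."""
    spec = pod.get("spec", {})
    reasons = []
    for flag in ("hostPID", "hostNetwork", "hostIPC"):
        if spec.get(flag) is True:
            reasons.append(f"spec.{flag} is not allowed")
    # Init, regular and ephemeral containers all run on the node: check them all.
    containers = (spec.get("initContainers", []) + spec.get("containers", [])
                  + spec.get("ephemeralContainers", []))
    for c in containers:
        if (c.get("securityContext") or {}).get("privileged") is True:
            reasons.append(f"container {c.get('name', '?')} is privileged")
    return reasons


def decide(request):
    """Evaluate one AdmissionReview.request; returns (allowed, message)."""
    kind = request["kind"]["kind"]
    user = request["userInfo"]["username"]
    operation = request["operation"]
    # On DELETE there is no new object; the old object carries the resource.
    obj = request.get("object") or request.get("oldObject") or {}

    if kind in WEBHOOK_CONFIG_KINDS:
        if user not in WEBHOOK_CONFIG_EDITORS:
            return False, (f"{operation} of {kind} by {user} denied: only the "
                           "policy bootstrap identities may change admission webhooks")
        return True, f"{operation} of {kind} by trusted identity {user}"

    if kind == "Pod" and operation in ("CREATE", "UPDATE"):
        reasons = _pod_violations(obj)
        if reasons:
            return False, "; ".join(reasons)

    return True, "no policy matched"


def review(admission_review):
    """Build the AdmissionReview response the API server expects back."""
    request = admission_review["request"]
    allowed, message = decide(request)
    return {
        "apiVersion": admission_review.get("apiVersion", "admission.k8s.io/v1"),
        "kind": "AdmissionReview",
        "response": {
            "uid": request["uid"],  # must echo the request uid
            "allowed": allowed,
            "status": {"code": 200 if allowed else 403, "message": message},
        },
    }


def _request(kind, operation, user, obj=None, old=None):
    """Assemble a constructed AdmissionReview for the samples below."""
    group = "admissionregistration.k8s.io" if kind in WEBHOOK_CONFIG_KINDS else ""
    return {
        "apiVersion": "admission.k8s.io/v1",
        "kind": "AdmissionReview",
        "request": {
            "uid": "00000000-0000-4000-8000-000000000001",  # constructed
            "kind": {"group": group, "version": "v1", "kind": kind},
            "operation": operation,
            "userInfo": {"username": user},
            "object": obj,
            "oldObject": old,
        },
    }


# Constructed sample requests, not captured from a real cluster.
PRIVILEGED_POD = _request("Pod", "CREATE", "system:serviceaccount:dev:ci", {
    "metadata": {"name": "debug", "namespace": "dev"},
    "spec": {"containers": [{"name": "shell", "image": "busybox",
                             "securityContext": {"privileged": True}}]}})
PLAIN_POD = _request("Pod", "CREATE", "system:serviceaccount:dev:ci", {
    "metadata": {"name": "web", "namespace": "dev"},
    "spec": {"containers": [{"name": "web", "image": "nginx"}]}})
ROGUE_WEBHOOK = _request("MutatingWebhookConfiguration", "CREATE", "jane@example.com",
                         {"metadata": {"name": "exfil"}, "webhooks": []})
WEBHOOK_DELETE = _request("ValidatingWebhookConfiguration", "DELETE", "jane@example.com",
                          None, {"metadata": {"name": "policy-validating-webhook-cfg"}})
TRUSTED_WEBHOOK = _request("ValidatingWebhookConfiguration", "UPDATE",
                           "system:serviceaccount:platform-security:policy-bootstrap",
                           {"metadata": {"name": "policy-validating-webhook-cfg"}, "webhooks": []})

if __name__ == "__main__":
    for sample in (PRIVILEGED_POD, PLAIN_POD, ROGUE_WEBHOOK, WEBHOOK_DELETE, TRUSTED_WEBHOOK):
        resp = review(sample)["response"]
        print("ALLOW" if resp["allowed"] else "DENY ", resp["status"]["message"])
```

Two caveats match the interview's warning. Admission runs after RBAC, so the allowlist here is defence in depth: the RBAC roles handed to application teams should not grant any verb on `mutatingwebhookconfigurations` or `validatingwebhookconfigurations` in the first place, and the webhook guarding those kinds needs `failurePolicy: Fail`, otherwise an attacker who can disrupt the webhook's pods gets the rule skipped. The DELETE case is handled deliberately, since removing the validating webhook is the simplest way to switch policy off.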
