Istio for Controls Compliance

Istio’s mTLS gets talked about a lot for security and compliance — but it’s only a tiny piece of the puzzle. In this talk, Zack Butcher — a NIST co-author on microservice security standards and zero trust — will break down how Istio can be used to satisfy controls for all kinds of regulatory regimes. We’ll look at specific use cases of folks using Istio to help implement a variety of controls for PCI DSS, FedRAMP, and GDPR compliance in production.

Finally, we’ll take a forward look at an upcoming NIST Special Publication on Zero Trust (which Zack is co-authoring) and discuss how Istio can be used as a stepping stone from a traditional perimeter based security model to a modern identity based model. You’ll leave this talk with a solid understanding of the types of controls Istio can be used to implement, how to actually implement a variety of them, and an understanding of how Istio can be used to iterate forward on your security posture.

Envoy Gateway Update

Come here about updates on Envoy Gateway, the OSS Envoy ingress controller that the community has been working on!

Revamping Kubernetes with Contextual and Structured Logging, a Deep Dive

Kubernetes is undergoing fundamental changes in its logging infrastructure to emit structured logs containing references to Kubernetes objects and the context of a log entry, making logging in Kubernetes uniform and machine-readable, bringing more automation to Kubernetes monitoring. Much effort has gone into enhancing klog and migrating Kubernetes components to achieve structured and contextual logging. We aim to cover a deep dive into the changes, a demo comparing performances and seamless log ingestion with log collection agents like Fluent Bit. It affects the complete code base of Kubernetes and needs collaboration between maintainers of different SIGs.

This talk will make adopting best practices easy as we advance. We welcome everyone contributing to Kubernetes or interested in understanding the modern way of Kubernetes logs collection. New contributors are most welcome as it gives a good starting point to familiarize themselves with the Kubernetes code base.

Automated Cloud-Native Incident Response with Kubernetes and Service Mesh

Security incident response is a well-understood operation, with established best practices like the MITRE Att&ck Framework and the Lockheed Martin Kill Chain. Tooling to aid and automate incident response exists, but not all of it is applicable to cloud-native platforms. For example, playbook apps are generally applicable, but the steps to move compromised workloads to an isolated forensics network are platform-specific, and new implementations are needed for the cloud-native world.

In this talk, Francesco and Matt will * Recap incident response 101 * Introduce some cloud-native tech including Kubernetes, Istio, and GitOps * Show an Operator built by Matt for dynamically adding complex layer-7 traffic rules in response to changes in the environment, which will be used as part of the demo * Walk you through a response to a log4shell attack against a workload in a k8s cluster: sensor alert, SIEM analysis, IRP automation (honeypots, isolation), building the IoC, and killing the attack.

Safe, Dynamic Middleware with Dapr and WebAssembly

Join us for a practical talk on how the Dapr event-driven runtime implements dynamic extensions with WebAssembly. We’ll cover how things work in general as well rationale and a peek into implementation. When you leave, you’ll have a good idea of how WebAssembly lets you extend cloud native architecture without RPC. Dapr allows custom processing pipelines to be defined by chaining a series of middleware components. A request goes through all defined middleware components before it’s routed to user code, and backwards through the same components before a response is returned to the client.

This talk shows how custom HTTP middleware can used without changing the Dapr binary, using WebAssembly technology. Dapr loads these dynamically and without requiring any system dependencies or RPC services. Specifically, we’ll review the http-wasm application binary interface (ABI) which SDKs implements, and how this relates to other ABI like proxy-wasm or waPC. Well cover how the middleware works, including the wazero runtime which Dapr embeds to run wasm without system dependencies. Finally, we’ll chat about how this fits into Dapr’s long-term strategy in extensibility.

Apiserver-Only Clusters for Fun and Profit

Kubernetes is a very extensible system, to the point that the apiserver and database can be run on their own. In this configuration there’s no controller-manager or scheduler, and no support for actually running workloads. However these components can support CRDs and Operators. This makes it a perfect host for lightweight control planes for other systems.

In this talk, Matt will show how an Operator can run on just a bare-bones control plane. The control-plane cannot run workloads and the Operator (Istio, in this case) doesn’t deal with anything in the cluster. However, together they functions as a small, lightweight unit providing services outside the cluster. Matt will explain the theory of this style of deployment, and how to set it up yourself. He will show a demo using the Istio control plane, which will provide networking services to a set of VMs (as there is no cluster).

The Top 10 List of Istio Security Risks and Mitigation Strategies

CNCF is developing its first ever Top 10 list of security risks facing Istio deployments. As a community-driven effort, it draws on the expertise of a wide range of security professionals and cloud native computing experts to ensure the list reflects the most current and relevant security risks facing cloud native applications.

The Top 10 will help organizations prioritize their security efforts and focus on the most significant security risks that they may face. By understanding and addressing these risks, organizations can better protect against malicious attacks, data breaches, and other security incidents.

In this talk we’ll cover what’s in the list, the selection criteria for it, and discuss strategies organizations should take to mitigate these critical risks to cloud native computing security.