Illusion Control

Kubernetes Redacted

Keidrych Anton-Oates

Developer Driven Isolation

  • HyperVisor

  • User / Workspace

  • Application

  • LXC

HyperVisor Virtualization

  • Sandbox for programmers debugging and developing operating systems.

  • Allowed working without using all the hardware’s resources.

  • Evolved into running multiple environments on one machine concurrently

Type 1 HyperVisor

  • Circa 1972, IBM's CP-67 was referred to as CP/CMS.

  • CP stands for Control Program, the program which created the virtual machines.

  • CMS stands for Console Monitor System, a small single-user operating system designed to be interactive.

Type 2 HyperVisor

  • July 1963 Massachusetts Institute of Technology (MIT) announced Project MAC.

  • MAC → Multics (equal sharing) → Unix.

  • January 1987, Insignia Solutions demonstrated a software emulator called SoftPC.

  • SoftPC allowed users to run DOS applications on their Unix workstations.

  • 1999: VMware released VMware Workstation.

User / Workspace

Unix is an example of virtualization at the user or workspace level: multiple users share the same pool of CPU, memory, hard disk and other resources, but each has its own profile, separate from the other users on the system. This was the first step towards application virtualization.

Application

  • 1990: Sun Microsystems began a project known as “Stealth”, which became Java, released in 1996.

  • Because the JRE compiles the software just before running it, the developer does not need to worry about which operating system or hardware platform the end user will run the application on.

LXC

  • Logical evolution of the Type 2 hypervisor + application virtualization

  • Whereas the JVM creates a single isolated environment, containers are themselves isolated environments

containerd Architecture

The Illusion

  • Personal sandpit

  • Flexibility to lego

  • Containers are Packages (RedHat)

Nirvana was to remove all distractions from our sandpit: no Ops, no Security… just Dev

A new Isolated Challenge

(Image: isolation from reality)

Akido / Anti-Patterns Created

  • Dev & Ops Silos

  • Dev Doesn’t Need Ops

  • Dev as Tools Team

  • Rebranded SysAdmin

  • Ops Embedded in Dev Team

Operations (Defenders)

Business as Usual…

"IT Operations is responsible for the smooth functioning of the infrastructure and operational environments that support application deployment to internal and external customers, including the network infrastructure; server and device management; computer operations; IT infrastructure library (ITIL) management; and help desk services for an organization." — Joe Hertvik

InfoSec: Blue Team

  • Defensive Security

  • Infrastructure Protection

  • Damage Control

  • Incident Response(s)

  • Operational Security

  • Threat Hunters

  • Digital Forensics

Security (Attackers)

It’s secure because it’s in a container…

Legacy Models:

  • Developers are able to deploy code 20x more frequently

  • Containers treated like language packages, grabbed and deployed

Legacy Tools:

  • Explosion of WE Traffic

  • Containers & cgroups are black boxes

  • Shells are now malicious actors

InfoSec: Red Team

  • Offensive Security

  • Ethical Hacking

  • Exploiting Vulnerabilities

  • Penetration Tests

  • Black Box Testing

  • Social Engineering

  • Web App Scanning

Development (The Builders)

  • Developers placed all proverbial eggs in one basket

  • Security abandoned & viewed as noise to developers

  • Operations expected to run anything thrown at it

  • MicroServices & Functions can be replaced as desired

  • Ignorance is Bliss…

InfoSec: Yellow Team

  • Software Builders

  • Application Developers

  • Software Engineers

  • System Architects

Collaboration via Container

Containers encapsulate the deployment, the runtime, and a large portion of the security requirements of software into an aggregated, common and mostly reproducible environment.

If debugging is the process of removing bugs, then programming is the process of putting bugs into the application. Testing only proves the presence of bugs, not the absence of them.

Illusion

Yellow Builds it. Red Breaks it. Blue Defends it. Yellow Fixes it.

Reality

Yellow Builds it. Red Breaks it. Blue Complains about it. Yellow ignores it. Management hides it.

Sir, Are You Listening?

Perceived Pain

Pain of Kubernetes

Control

Containers are MicroOS FileSystems supported by Minimal HyperVisors.

KataContainers

Kubernetes

  • Developers Drove Docker

  • Operations Drove Kubernetes

  • Security Drove HostOS Reform

Illusion (Sort of)

Kubernetes Orchestration

What?

"Kubernetes… eliminates the need for orchestration… (it) is comprised of a set of independent, composable control processes that continuously drive the current state towards the provided desired state" — What is Kubernetes
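The quoted definition in working form, as an added example that is not from the talk or from Kubernetes itself: a toy replica controller in Go, with a constructed in-memory Cluster standing in for the API server. It shows why a level-triggered reconcile loop converges on the declared state whether the gap came from a user edit or from pods disappearing on their own.

```go
package main

import "fmt"

// Spec is the declared (desired) state: how many replicas should exist.
type Spec struct{ Replicas int }

// Cluster is the observed state (a constructed stand-in for the API server).
type Cluster struct{ Pods []string }

// reconcile takes one corrective step toward spec and reports what it did.
// It is level-triggered: it compares current with desired state only, so it
// is safe to run repeatedly, in any order, and after changes it did not cause.
func reconcile(name string, spec Spec, c *Cluster) string {
	running := len(c.Pods)
	switch {
	case running < spec.Replicas:
		pod := fmt.Sprintf("%s-%d", name, running)
		c.Pods = append(c.Pods, pod)
		return "created " + pod
	case running > spec.Replicas:
		pod := c.Pods[running-1]
		c.Pods = c.Pods[:running-1]
		return "deleted " + pod
	}
	return "" // converged: nothing to do
}

// converge repeats reconcile until observed matches desired or maxSteps is hit
// and returns the actions taken; the bounded loop stands in for the watch loop.
func converge(name string, spec Spec, c *Cluster, maxSteps int) []string {
	var actions []string
	for i := 0; i < maxSteps; i++ {
		a := reconcile(name, spec, c)
		if a == "" {
			break
		}
		actions = append(actions, a)
	}
	return actions
}

func main() {
	c, spec := &Cluster{}, Spec{Replicas: 3}
	fmt.Println(converge("web", spec, c, 10)) // scale up from nothing
	c.Pods = c.Pods[:1]                       // two pods vanish (e.g. node loss)
	fmt.Println(converge("web", spec, c, 10)) // healed without knowing why they vanished
	spec.Replicas = 1                         // desired state edited by the user
	fmt.Println(converge("web", spec, c, 10)) // scaled down
}
```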

Landscape

CNCF Landscape

Architecture

Kubernetes 101

Application Dependency

Container Design Patterns