Jay Beale discusses his K8s class at BlackHat, Kubernetes developments, and mental health
YouTube video at: https://www.youtube.com/watch?v=yHPvGVfPgjI
Jay Beale is a principal security consultant and CEO/CTO for InGuardians. He is the architect of multiple open source projects, including the Peirates attack tool for Kubernetes (in Kali Linux), the Bustakube CTF Kubernetes cluster, and Bastille Linux. Jay created and leads the Kubernetes CTF at DEF CON and previously helped in the Kubernetes project's Security efforts. He’s co-written eight books and given many public talks at Black Hat, DEF CON, RSA, CanSecWest, Blue Hat, ToorCon, DerbyCon, WWHF, HushCon and others. He teaches the highly-rated Black Hat class, “Attacking and Protecting Kubernetes, Linux, and Containers.” He has served on the review board of the O’Reilly Security Conference, the board of Mitre’s CVE-related Open Vulnerability and Assessment Language, and been a member of the HoneyNet project. He’s briefed both Congress and the White House.
Questions and topics (please feel free to update or make comments for clarifications):

* Kubernetes vs. Docker vs. LXC vs. VMs - why did you settle on K8s?
* What’s new with K8s? Version 1.33? Do you always implement the latest version in your CTF, or something that is deliberately vulnerable? (https://www.loft.sh/blog/kubernetes-v-1-33-key-features-updates-and-what-you-need-to-know)
* When you are making a CTF, what’s your methodology? Threat model then verify? Code review? GitHub pull requests?
* Story time: this is not the first year you’ve done this(?). Have participants ever surprised you by finding something you didn’t expect?
* If I’m running K8s at my workplace, what is the bare minimum K8s security I should implement? Are there any security controls that might cause performance problems, or that are ‘nice-to-have’ but may run counter to how orgs use K8s, that I should be concerned about implementing?
Additional information / pertinent links (Would you like to know more?):

* https://kubernetes.io/
* DEF CON Kubernetes CTF: https://containersecurityctf.com/
* Black Hat training: https://www.blackhat.com/us-25/training/schedule/index.html#0-day-unnecessary-attacking-and-protecting-kubernetes-linux-and-containers-45335
* https://www.bustakube.com/
* https://github.com/inguardians/peirates
* Rory McCune’s blog: https://raesene.github.io/
* O’Reilly book, Production Kubernetes: https://www.oreilly.com/library/view/production-kubernetes/9781492092292/
Show points of contact:

* Amanda Berlin: https://www.linkedin.com/in/amandaberlin/
* Brian Boettcher: https://www.linkedin.com/in/bboettcher96/
* Bryan Brake: https://linkedin.com/in/brakeb
* Brakesec website: https://www.brakeingsecurity.com
* YouTube channel: https://youtube.com/@brakeseced
* Twitch channel: https://twitch.tv/brakesec