Nov 24, 2021
Testing Gatekeeper constraints with gator CLI
Having worked with Gatekeeper for several years, one frequent ask I’ve heard from the community is “How do I test Gatekeeper constraints before they are applied to Kubernetes?”. I’ve always thought that testing policy as part of your CI/CD GitOps process was the destination. The Gatekeeper 3.7 release introduces a…
Kubernetes · 3 min read

Nov 23, 2021
Verifying container signatures on Kubernetes with Gatekeeper
Given the recent focus on container software supply chain security I’ve been increasingly asked how to verify container signatures before they are run on Kubernetes. There are a few solutions out there including cosigned, which is a Kubernetes webhook admission controller that handles cosign signature verification. Another solution is Gatekeeper…
Kubernetes · 6 min read

Nov 5, 2021
Container signing with Notary v2
With the recent release of Notary v2 alpha 1 I wanted to dive in and share how the Notation CLI can be used to sign and verify container images (full disclosure: I am a collaborator on the Notary v2 project). You can find more details in the announcement blog…
Kubernetes · 9 min read

Sep 11, 2021
Kubernetes hardening using Kubescape
A friend of mine recommended that I should take a look at Kubescape as we were chatting about Kubernetes cluster hardening. Kubescape is an open source tool that codifies the Kubernetes hardening guidance by the NSA and CISA. …
Kubernetes · 4 min read

Aug 27, 2021
Managing Kubernetes seccomp profiles with security profiles operator
In my last blog, we learned about setting the RuntimeDefault flag in Kubernetes which configures all Pods to use a specific seccomp profile. While this is a great addition to improve your Kubernetes security posture, the runtime default seccomp profile might expose more syscalls than your application needs. In addition…
Kubernetes · 6 min read

Aug 22, 2021
How to enable Kubernetes container RuntimeDefault seccomp profile for all workloads
Kubernetes v1.22 shipped with a new feature in alpha that provides a way to use the container RuntimeDefault as the default seccomp profile for all workloads. At this point you might be asking, “What are RuntimeDefaults and why should I care?” By default, when Kubernetes makes a call to the…
Kubernetes · 8 min read

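As an added illustration (not code from the original post), the two ways the RuntimeDefault profile ends up on a workload: the explicit per-Pod opt-in that works on any cluster with seccomp support, and the kubelet configuration that makes it the cluster-wide default for Pods that say nothing about seccomp. The Pod name, image and container name are placeholders; the kubelet fragment assumes the v1.22 alpha shape, where the SeccompDefault feature gate must be enabled alongside the setting.

```yaml
# Added example, not from the original post.
# 1) Explicit per-Pod opt-in: the container runtime's default seccomp profile.
apiVersion: v1
kind: Pod
metadata:
  name: seccomp-runtime-default   # placeholder name
spec:
  securityContext:
    seccompProfile:
      type: RuntimeDefault        # instead of Unconfined (the historical default)
  containers:
  - name: app                     # placeholder container
    image: nginx:1.21             # placeholder image
    securityContext:
      allowPrivilegeEscalation: false
---
# 2) Cluster-wide default (v1.22 alpha): kubelet applies RuntimeDefault to every
#    Pod that does not set its own seccompProfile. Both the feature gate and the
#    setting are needed at this release.
apiVersion: kubelet.config.k8s.io/v1beta1
kind: KubeletConfiguration
featureGates:
  SeccompDefault: true
seccompDefault: true
```

Two caveats worth checking after enabling the kubelet default: a Pod that explicitly sets `seccompProfile.type: Unconfined` is still unconfined, so pair the default with an admission policy if you want to forbid that; and the runtime's default profile is broad (it blocks a few dozen dangerous syscalls rather than allowing only what the application needs), which is the gap the security profiles operator post above addresses.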
Aug 21, 2021
Mutating Kubernetes resources with Gatekeeper
Gatekeeper is a Kubernetes policy controller that allows you to define policy to enforce which fields and values are permitted in Kubernetes resources. It operates as a Kubernetes admission controller and utilizes Open Policy Agent as its policy engine. Up until recently, Gatekeeper could only validate Kubernetes resources. …
Kubernetes · 6 min read

Aug 19, 2021
Hands on with Kubernetes Pod Security Admission
Kubernetes v1.22 provides an alpha release for the successor of Pod Security Policy (PSP), which was deprecated in v1.21 and is scheduled for removal in v1.25. This new enhancement is called Pod Security Admission (PSA). I’ve taken an initial look at PSA and will cover what you need to know about how it works and…
Kubernetes · 6 min read

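As an added example (not from the original post), the namespace-level labels through which PSA is driven: the `enforce` mode rejects non-conforming Pods, while `warn` and `audit` only surface them, which is how you trial a stricter level before turning it on. The namespace name is a placeholder, and on v1.22 the `PodSecurity` feature gate has to be enabled on the API server for the labels to do anything.

```yaml
# Added example, not from the original post.
# PSA is configured per namespace with labels; the admission controller built
# into the API server reads them, no CRD or external webhook required.
apiVersion: v1
kind: Namespace
metadata:
  name: payments        # placeholder namespace
  labels:
    # Reject Pods that fail the "restricted" profile ...
    pod-security.kubernetes.io/enforce: restricted
    # ... as that profile was defined in v1.22, so a later upgrade that tightens
    # the profile does not suddenly start rejecting existing workloads.
    pod-security.kubernetes.io/enforce-version: v1.22
    # Surface violations to kubectl users and to the audit log as well.
    pod-security.kubernetes.io/warn: restricted
    pod-security.kubernetes.io/audit: restricted
```

Before enforcing on a namespace with running workloads, `kubectl label --dry-run=server --overwrite ns payments pod-security.kubernetes.io/enforce=restricted` reports which existing Pods would be rejected without changing anything. Note that PSA evaluates Pods, not Deployments; a Deployment is admitted and only its Pods fail, so check the ReplicaSet events rather than the `kubectl apply` output.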
Published in Microsoft Azure · May 22, 2019
Kubernetes Policy: Turning CNCF projects into products, responsibly
During Build, we announced a new service integration, “Azure Policy for AKS”. With this integration, you can apply at-scale enforcements and safeguards for AKS clusters in a centralized, consistent manner through Azure Policy. …
Kubernetes · 4 min read

Aug 24, 2018
Lachie’s 7 step guide to writing a winning tech conference CFP
What’s the winning formula for writing a tech conference CFP, you ask? This is a question that has been playing on my mind recently and I thought I would take the time to share what I have learned over the years. This is by no means perfect and is simply…
Conference · 4 min read