Open Source Confidential Containers (CoCo) on Azure

Introduction: In the realm of cloud computing, ensuring data privacy and security is paramount, yet profoundly challenging. One innovative solution to this challenge is Confidential Containers (CoCo), designed to provide an extra layer of security for data in use. However, deploying CoCo requires access to specialized hardware, which adds complexity. Beyond just finding the right hardware, the setup involves navigating a maze of technical specifications – from BIOS configurations to kernel versions – making the process daunting....

April 5, 2024 · 5 min · Suraj Deshmukh

Certified Kubernetes Security Specialist CKS exam tips

I recently cleared the CKS certification exam. So it is incumbent upon me to help you navigate this stress-bound exam. All the tips provided here come either from accrued knowledge or from personal experience. Study Material: During my study for the CKA almost three years ago, I studied everything from the documentation. Back then, the documentation had less content, hence it was comprehensible. But now, going through the entire documentation was not practical....

September 4, 2021 · 5 min · Suraj Deshmukh

How to 'automatically' generate a self-signed TLS certificate for Kubernetes Admission Webhook Servers?

The previous blog talked about generating self-signed certificates using a binary. It was a manual, cumbersome process where you had to generate the certificates using a tool, embed them into a Kubernetes Secret via a Helm chart, and then use it. There is a better way of doing it, which is what this blog will discuss. We will use a Helm chart with a couple of Kubernetes Jobs that generate the self-signed certificate, embed it in a Kubernetes Secret, and finally update the ValidatingWebhookConfiguration or MutatingWebhookConfiguration of your choice....

June 25, 2021 · 4 min · Suraj Deshmukh

How to generate a self-signed TLS certificate for Kubernetes Admission Webhook Servers?

UPDATE: There is a way to generate these certificates automatically. To find out how, read this post. If you are writing a webhook server for Kubernetes Admission Controllers like ValidatingAdmissionWebhooks or MutatingAdmissionWebhooks, you must expose it over HTTPS. To run these servers on HTTPS, you need TLS certificates. There are solutions available which you can use to solve this problem; the first that comes to my mind is cert-manager....

May 21, 2021 · 2 min · Suraj Deshmukh

Mitigation of: Access Any Kubernetes Secret

In the previous blog, we discussed how any user without RBAC access to a Kubernetes secret can use a trick to access that secret. To mitigate that problem, we will use a validating admission webhook. But before looking at what sorcery this validating admission webhook server is, let us understand how Kubernetes handles the API requests. What are admission controllers? All requests going to the Kubernetes API server go through the following four steps:...

May 20, 2021 · 4 min · Suraj Deshmukh

Access Any Kubernetes Secret

You can gain access to any secret that you want in Kubernetes even if you don’t have RBAC permissions to get, list or view that secret. All you need is a permission that allows you to do anything on pods and an ability to guess the names of secrets. With these two ingredients, here is how you can access any secret out there. Nasty User: Here is a user called nastyuser who can only do stuff on pod objects....

May 8, 2021 · 5 min · Suraj Deshmukh

Mental models for understanding Kubernetes Pod Security Policy

PodSecurityPolicy (PSP) is hard to get right on the first attempt. There has never been a situation when I haven’t banged my head to get it working on the cluster. It is a frustrating experience, but it is one of the essential security features of Kubernetes. Some applications have started shipping PSP configs with their Helm charts, but if a Helm chart does not ship a PSP config, it must be handcrafted by the cluster-admin to make the application work reliably in the cluster....

January 16, 2021 · 6 min · Suraj Deshmukh