Episode 23: Kubernetes and Cloud Security with Andrew Martin

Update: 2021-10-10

Description

Sponsored by Reblaze, creators of Curiefense

Panelists

Justin Dorfman | Richard Littauer

Guest

Andrew Martin

Show Notes



Hello and welcome to Committing to Cloud Native Podcast! It’s the podcast sponsored by Reblaze where we talk about the confluence of Cloud Native technology and Open Source. We have a great guest today, Andrew Martin, joining us from London. He is the CEO of Control Plane, a Cloud Native security consultancy, training and pen test firm. We learn more about Andrew’s background, how he got involved in Kubernetes and Cloud security, and more about Control Plane. In 2019, Andrew made some Kubernetes predictions, and we find out today if any of them came true. We also find out how he keeps updated on what’s going on with open source in Cloud Native and other things. Since he has such a wealth of knowledge, Andrew fills us in on his book coming out soon called Hacking Kubernetes: Threat-Driven Analysis and Defense, and what chapter he’s most looking forward to people reading and why. We couldn’t let Andrew go without asking him for his “Predictions for 2023!” Go ahead and download this episode now to learn so much more from Andrew!

[00:01:34] Andrew tells us what Control Plane is, what it does, and how many people they have working there.

[00:02:13] What is the average size of company in this space, and why would someone need extra security on top of Cloud Native?

[00:06:58] Andrew tells us how he got involved with Kubernetes and Cloud security, and more about his background.

[00:10:22] We find out why Andrew thinks Kubernetes succeeded and Docker Swarm didn’t.

[00:11:57] In 2019, Andrew made some predictions and Justin wants to see if any of them came true. First prediction: did hosted services catch up with GKE?

[00:12:59] Second prediction: did non-container, VM-based isolation improvements happen?

[00:16:39] Given Andrew’s vast knowledge, Richard wonders what he uses to keep updated on how open source works in Cloud Native and if there’s a Medium blog that he subscribes to. He also shares which conference he will be attending this year and others he recommends. Justin gives a shout-out to TAG Security and their meetups.

[00:20:05] Andrew’s book, Hacking Kubernetes, co-written with Michael Hausenblas, is discussed, and he tells us the chapter he’s most looking forward to having people read.

[00:23:49] Justin wonders if any of Andrew’s colleagues reviewed the book or if it was all done with O’Reilly.

[00:25:26] Andrew explains what he does to make sure that people at Control Plane are actually giving back to the open source world, without which the company wouldn’t exist.

[00:29:03] Richard is curious to know what method Andrew uses to find an interesting problem, and how he does security research in a way that makes him feel really excited about doing that sort of work.

[00:32:22] We hear one last 2019 Kubernetes prediction: was the tangle of YAML going to unravel by 2019? He also talks about another prediction, that image and build metadata security would mature.

[00:35:53] Richard asks Andrew if he’s worked with Dan Lorenc on the Sigstore project, and Justin gives a shout-out to Dan and Episode 20 of this podcast.

[00:36:14] Andrew shares his predictions for 2023.

[00:39:27] Find out where you can follow Andrew and the work he does.



Quotes

[00:03:21] “The shared responsibility model gives us a different level of interaction with our cloud provider based upon what is ultimately platform as a service or infrastructure as a service or software as a service as well.”

[00:04:03] “But when it comes to how we behave operationally the cloud provider can make no guarantees that we’re not shipping bad code to production.”

[00:10:51] “And service meshes were being shipped by Docker Swarm before they were cool.”

[00:11:29] “So, from a networking perspective, Docker Swarm was much better out of the box because it was batteries included, but changeable, and came with its own networking paradigm.”

[00:11:40] “However, the inability to run multiple containers in a pod meant that there was no flexibility of application topology, and that’s really where Kubernetes stole the show.”

[00:13:14] “Google had this huge infrastructure, all these Borg cells, Flexible Compute to host Gmail and Google Search and calendar, and maps.”

[00:14:10] “And so still definitely harboring loads of zero days that are probably being exploited somewhere by somebody.”

[00:25:32] “Democratization and open sourcing of security, tooling, and information has been a constant source of utter amazement to me.”

[00:26:13] “At some point, I have wondered, and I noticed the case for other security researchers in the Cloud Native space as well, if actually we’re a bit further ahead with the art of the possible than the current state of the art.”

[00:26:36] “So we try very hard to open source everything.”

[00:29:23] “I think the most important thing, speaking personally, but also infusing teams and displaying leadership, is to infuse or inculcate a shared sense of passion for the thing.”

[00:37:11] “So actually, one of the things that I really love is the function as a service approach, on top of Istio, on top of Knative, on top of Kubernetes, because you then get the full observability of the whole platform.”

[00:37:23] “You can apply this intrusion detection, you can use your namespace-aware tools in order to introspect more deeply, and you can also satisfy what ultimately the kingmakers, the developers, require because there’s no point building a secure system if the developers can’t ship business functionality through it.”



Links

Curiefense

Curiefense Twitter

Curiefense Blog

Cloud Native Community Groups - Curiefense

community@curiefense.io

Reblaze

Justin Dorfman Twitter

jdorfman@curiefense.io

podcast@curiefense.io

Richard Littauer Twitter

Tzury Bar Yochay Twitter

Andrew Martin Twitter

Andrew Martin LinkedIn

Control Plane

Hacking Kubernetes: Threat-Driven Analysis and Defense by Andrew Martin and Michael Hausenblas

Hacking Kubernetes: Threat-Driven Analysis and Defense by Andrew Martin and Michael Hausenblas (Amazon UK)

Committing to Cloud Native Podcast - Episode 20: Taking Open Source Supply Chain Security Seriously with Dan Lorenc

Reblaze Technologies Ltd.