BeCon 2024 – conference on the security of containers and container environments

Date: June 5, 2024

Place: Moscow

Website: www.bekon.luntry.ru

On June 5 in Moscow, our Luntry team will hold the second BeCon conference dedicated to the security of containers and container environments.

The goal of BeCon is to help companies and information security specialists reach a new level of understanding of container security and adopt modern approaches.

How did the first BeCon conference go in 2023?

The event was attended by 350 participants interested in container security. Among them were DevOps/DevSecOps experts, information security specialists, architects, infrastructure and platform teams from 37 companies.

Participants noted the quality of the technical talks and the high concentration of useful information. A talk at BeCon takes no more than half an hour – enough time for the speaker to share their work in the field of Kubernetes security and answer questions from the audience.

The event included presentations from almost every area of container security. Representatives of OZON, Luntry, Tinkoff, Raiffeisen Bank, Yandex.Cloud, VKontakte, Flant and BI.ZONE shared their experience.

At the BeCon 2023 conference we considered:

  • key Kubernetes security issues;

  • subtleties of the PCI DSS audit process;

  • following the principle of least privilege in Kubernetes during the life of the cluster;

  • creation and organization of network restrictions on components such as DNS, Metrics, Logs, GitLab runners, etc.;

  • Talos Linux OS architecture;

  • issues of setting up Linux capabilities for Kubernetes microservices;

  • advantages of container distributions and experience in implementing Flatcar OS;

  • pitfalls in popular mechanisms (AppArmor, NetworkPolicy), approaches (DevSecOps, Zero Trust, Security-as-Code) and tools (Kyverno, OPA).

After the talks, a question and answer session took place in the form of an open discussion, during which everyone could ask the speakers any remaining questions.

Photos from the past event were posted in the community. We have published the speakers' presentations online, and the videos were collected into one playlist.

Program 2024

The BeCon program will again be a concentrated selection of relevant short talks – without advertising or filler – from leading companies using containerization.

Talks are selected according to strict criteria:

  • uniqueness;

  • diversity in aspects of container security;

  • possibility of practical use.

Talks (number, title, speaker, description):

1. “Why should a whole department be dedicated to protecting k8s?” – Artem Merets (Tinkoff)

   More and more companies and services run in container orchestration systems. Cybersecurity is responding to these changes by developing security practices in and around k8s, yet this area often remains under-resourced. We will talk about what problems these teams should solve, what expertise they should have, and why protecting “one application” ends up looking like the work of an entire department.

2. “Linux user namespace in the halls of Kubernetes” – Dmitry Evdokimov (Luntry)

   In the Linux community, the debate about the usefulness and necessity of the user namespace mechanism for security continues to this day, even though security is exactly what it was created for. We will look at the role and significance it has in conjunction with Kubernetes and figure out whether it is friend or foe.

3. “Do antiviruses dream of Docker images?” – Vladimir Kapistka (Samokat.Tech)

   We will consider one step of our pipeline: anti-virus scanning of public Docker images downloaded from the Internet into a private registry.

4. “Are all Service Meshes equally useful for information security?” – Maxim Chudnovsky (SberTech)

   Everyone knows that one of the most popular features of Service Mesh is its zero-trust perimeter for microservices: mTLS, mutual authentication and authorization policies are available right out of the box. And everyone also knows that Service Meshes differ in design: sidecar containers, like Istio; network daemons, like Cilium; or something in between, like the new Istio Ambient Mesh. In this talk we will look at how the popular security mechanisms are implemented under the hood in these solutions and learn how to choose a Service Mesh from the point of view of container security.

5. “From standard to non-standard methods for managing secrets in containers” – Valery Kunavin

   Today there are a huge number of ways to manage secrets, for almost every taste. It is important to navigate them and understand which method to choose in a given case, while also understanding which adversaries it will not protect us from anyway… And, if necessary, to think in the direction of non-standard methods: short-lived secrets.

6. “Multi-tenancy in Kubernetes: is there a silver bullet?” – Konstantin Aksenov (Flant)

   There are various options for organizing multi-tenancy in Kubernetes, for example Hierarchical Namespace Controller (HNC) or Capsule. You can implement your own approach to isolation using the base Kubernetes API or create your own API. Naturally, the choice largely depends on the requirements and on the internal structure of processes and teams. In this talk we will look at the advantages and disadvantages of the different approaches, and at the solution we arrived at while developing our own.

7. “Patching up flaws in application images using Kubernetes” – Anatoly Karpenko (Luntry)

   A common situation: you receive an image that does not follow security best practices at all, you cannot refuse it, and you cannot change anything in it. Or can you, using Kubernetes mechanisms? That is exactly what this talk deals with.

8. “We are building fences between services” – Andrey Boytsev (Yandex Fintech)

   In this talk we will share our experience implementing authorization policies (zero-trust inter-service authorization based on Istio) in several clusters, and discuss examples and the difficulties we encountered during implementation.

9. “Haven't you read the Kubernetes Audit Log yet? Then we go to you!” – Alisa Kirichenko (Numerator Laboratory)

   Many companies, including large ones, face the problem of collecting and processing logs effectively. In this talk we will look at why to collect Kubernetes logs, how to filter them, how not to lose them during collection and forwarding, and how not to overload the storage.

The latest news about the conference is posted in the VK community.

Audience

Thanks to its narrow focus, BeCon brings together many experts who share a common context.

The conference will be of interest to:

  • architects;

  • infrastructure and platform teams;

  • DevOps/DevSecOps;

  • specialists of information security departments.

BeCon is an opportunity to meet and talk with colleagues, like-minded people and representatives of well-known companies.

At the event, we create a comfortable atmosphere for a productive exchange of experience and knowledge: short technical talks of up to 30 minutes deliver maximum value, and the breaks between them are great for networking.

If you have ideas or proposals for cooperation in organizing the second BeCon conference, please address them using the form on the official site.
