Date and time: June 7, 2023 from 10:00 to 17:00 (MSK)
Place: MCC ZIL, Moscow
This event is designed to help companies reach a new level of understanding of container security and adopt modern approaches to ensuring it.
History of the name and creation
Our team has been working on container security for more than 3 years, and we always follow conferences such as KubeCon, CloudNativeCon, CloudNativeSecurityCon, fwd:cloudsec and the Cloud Village at DEFCON with great interest.
At the same time, we ourselves actively research this area and share our results at various conferences (ZeroNights, OFFZONE, PHDays, VolgaCTF, Kazhackstan, DevOpsConf, KuberConf, VK Kubernetes Conference, HighLoad++). And from working with our clients and friends, we know how many cool, interesting and, most importantly, useful things are being done inside our companies!
Then things went like this:
January 19 – asked the opinion of the community in our telegram channel k8s(in)security
March 2 – launched a competition for the best name of the conference
April 10 – chose the name and announced the conference
As you have already understood, the name was suggested by readers from the community. The question was posed as follows: “What do you think the name of the Russian specialized technical conference on the security of containers and container environments should be?”. I wanted something unpretentious and original – not tied to our company and without a pile of prefixes like Cloud, Kuber, Sec, Con, etc.
In general, this is how BaCon was born =)
The BaCon event will be useful for:
infrastructure and platform teams,
specialists of the information security departments.
In a circle of like-minded people, participants will be able to meet and communicate personally with representatives of well-known companies, speakers and recognized experts in the field of container security. We will try to create the necessary atmosphere for a comfortable and productive exchange of experience and knowledge.
The BaCon program is a juicy selection of relevant reports from leading companies using containerization: OZON, Luntry, Tinkoff, Raiffeisen Bank, Yandex.Cloud, VKontakte, Flant, BI.ZONE. And most importantly – from their cool specialists and just cool guys!
The guideline for the reports/topics was to cover as many aspects of container security as possible with maximum practicality, so that when you get back to work you can implement what you heard at home.
The program of the event includes 12 reports covering almost all areas of container security (AuN, AuZ, Runtime, Host OS, Network, Policy Engines, Image OS, Cluster). We will discuss key Kubernetes security issues, the subtleties of the PCI DSS audit process, pitfalls in popular mechanisms (AppArmor, NetworkPolicy, …), approaches (DevSecOps, ZeroTrust, Security-as-Code), tools (Kyverno, OPA, … ) and much more.
We are against boring and lengthy presentations, so the talks will be short – up to 30 minutes – without advertising or filler, but saturated with real practical experience.
As you have probably already noticed, we did not run any CFP to form the conference program. So how did we put the program together?! We went to our clients, friends and partners and asked them to present specific things that we already knew about from them and which we think are very useful for the entire community and industry 😉
Topics of reports
“OPA with shared Docker executor”
Pavel Sorokin (OZON)
Hardening a shared Docker executor in multi-team/multi-tenant CI/CD.
“Not so Obvious RBAC Kubernetes”
Dmitry Evdokimov (Luntry)
We consider whether it is easy to follow the principle of least privilege in Kubernetes and to keep it under control throughout the life of the cluster.
Anton Mokin (Tinkoff)
How? What for? What does it give you?
“K8s in PCI DSS”
Alexander Markelov (Raiffeisen Bank)
Let’s talk about the intricacies of the PCI DSS audit process for a microservice architecture based on Kubernetes.
“How to cook Kyverno and work with its alerts”
Alexander Markelov (Raiffeisen Bank)
We will tell you how to roll out Kyverno and its policies on new clusters by default, cover the nuances of setting up Kyverno, show useful cases that need to be responded to, and share custom policies.
“Kubernetes, tell me who I am for you”
Konstantin Aksenov (Flant)
There are many options for providing access to the Kubernetes API. These can be x509 certificates or service account tokens. You can connect an OIDC provider or use an external authentication webhook. The information received about the user is then bound to Roles or ClusterRoles. All these mechanisms have long been tested and are actively used, but even they can have pitfalls. Let’s look a little deeper, talk about what problems can arise and what tools are available to diagnose them.
“How to tame Linux capabilities in Kubernetes”
Nikolay Panchenko (Tinkoff)
Tweaking Linux capabilities for Kubernetes microservices via PSP and the policy engines Kyverno and OPA Gatekeeper (tracing and hardening).
“AppArmor and Kubernetes: Configuring Proactive Protection for Application Security”
Sergey Kanibor (Luntry)
In this talk, you will learn the best way to prepare an AppArmor profile, what problems you might encounter while using it, and how to start using AppArmor in a Kubernetes cluster to improve the security of your application.
“NetworkPolicy for system and infrastructure components”
Alexander Kozhemyakin (VK)
In this report we will consider the creation and organization of network restrictions for components such as DNS, metrics, logs, GitLab runners and others, at both the L3-L4 and L7 levels.
“The concept of Cluster API or how to deploy secure clusters”
Dmitry Putilin (VK)
With the development of Kubernetes and its deployment tools over the past 8 years, the issue of security and compliance with CIS Benchmark recommendations for the configuration of K8s clusters is becoming more and more relevant. In the report, the author will share his experience of using a Policy Engine together with Kubernetes resources to ensure security when deploying clusters with Cluster API and similar solutions.
“Container OS Flatcar: how to get smeared with dockers and forget about packages”
Alexander Kondratiev (BI.ZONE)
This report will talk about the advantages of container distributions – how they complicate the life of an attacker on the one hand and make the work of ops engineers easier on the other. The speaker will share the experience of implementing Flatcar in several large organizations: what problems he faced and what benefits he gained from moving from the classic approach to the container approach.
“Talos Linux OS – the way to “the very” infrastructure hardening for k8s”
Nikolay Panchenko (Tinkoff)
Let’s think about immutable infrastructures. Let’s understand that you can tighten the screws all the way if the infrastructure support team has time for it. Let’s look at the architecture of Talos Linux OS and what makes it good, and highlight the pros and cons of the immutable approach when using Talos OS in production.
So, we invite you and your company to participate in the first highly specialized conference on container security in Russia – the most anticipated event in early summer 2023. We will be glad to see you! And we really appreciate your support!