Ghost Security at KubeCon + CloudNativeCon Europe 2023

A commonly recommended best practice for security and compliance is to scan container images for vulnerabilities before allowing them to run inside a cluster. Many organizations codify allow/deny policies based on the results of these scans, using this policy-as-code approach to form the basis of trust. But what exactly are container scanners looking for? And can you always trust the results?

Let’s break this down layer by layer, from an attacker perspective. Why do certain changes in the way images are built produce wildly varying results? Can the flexibility in how container images are built and distributed be used to alter or prevent scanning tools from being able to fully understand what's in a container? How might clever image builders use these tricks to avoid scrutiny from these tools?

Join the hacker crew known as SIG-Honk, and let’s have some fun! Brad Geesaman, Ian Coldwater, Duffie Cooley, and Rory McCune will demonstrate some creative ways to intentionally bypass container image analysis and admission control detection. Attendees will walk away with a greater understanding of the limitations of tooling used to validate images, and learn how to create better security policies in their own environments. The results may surprise you!

This presentation will take place on Friday April 21, 2023 at 14:00 - 14:35 CEST in the Auditorium Center | Auditorium + Balcony. Event registration is required in order to view this session. Both inperson and virtual options are available. For more details and registration, visit: https://kccnceu2023.sched.com/event/1Hybu

If you aren’t able to attend in person or virtually, be sure to check the CNCF YouTube Channel after the event for the session recording.

Hope to see you there!