Custom seccomp profiles with Inspektor Gadget | Jose Blanquicet | скачать в хорошем качестве

Custom seccomp profiles with Inspektor Gadget | Jose Blanquicet |

Using a custom seccomp profile is one of the most recommended ways to increase the security of our Kubernetes workload. However, to be able to do that, we need to know all the system calls that our application uses during its whole life cycle, which is not a simple task. By default, Kubernetes asks the container runtime to create a container using the `Unconfined` seccomp profile, meaning that seccomp is disabled. Such default behavior ensures that our application will run without problems, but it leaves the containers exposed to remote code execution vulnerabilities. During this talk, I will show how to use Inspektor Gadget, an eBPF-powered open-source project from the Kinvolk team at Microsoft, to identify all the system calls used by an application and how to generate a custom seccomp profile that ensures it will continue working as intended and with the exact system calls it requires. Incontro DevOps Italia 2022 si è tenuto a Bologna il 18 Marzo 2022. Info e dettagli di questa edizione: https://www.2022.incontrodevops.it __________ Partecipa alla prossima edizione: https://www.incontrodevops.it ✉️ Iscriviti alla newsletter: http://grusp.org/newsletter Guarda i video delle passate edizioni:    / grusp   Partecipa alle nostre iniziative: https://www.grusp.org/iniziative Scopri la nostra academy: https://www.grusp.org/academy Seguici su: Sito ufficiale per i prossimi eventi - https://www.grusp.org LinkedIn -   / grusp   Twitter -   / grusp   -   / incontrodevops   Instagram -   / grusp_   Facebook -   / grusp