KubeCon + CloudNativeCon Europe 2023 (In-person + Virtual, 18-21 April)
Friday, April 21 • 11:55 - 12:30
Least Privilege Containers: Keeping a Bad Day from Getting Worse - Greg Castle & Vinayak Goyal, Google



“Don’t run containers as root”. The K8s security community has been saying this for years. There are tools that can detect these types of misconfigurations. But detection, and knowing you have a problem, is just the start of the journey. How do you actually fix it? What can you do if those permissions are required for the container to work?

We’ve run multiple de-privileging efforts for production containers. In 2020 we focused on converting containers from running as root to running as unprivileged users. In 2021 we moved containers to minimal distroless images. For some containers the solution was as simple as removing unused permissions. But sometimes we needed to do something more drastic, like change the design of the container to segment out powerful permissions, or split functionality out into initContainers. We’ll share how we approached these tasks, what we learned working through problems with container owners, and describe how we put checks in place to prevent new privileged containers from appearing in the future.
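As an added example (not material from the talk, nor code from Google or GKE), here is a small Python check in the spirit of the "checks to prevent new privileged containers" the abstract mentions. It is run against two constructed Pod manifests: a "before" spec that runs as root and privileged, and an "after" spec that moves the one-off root work (fixing volume ownership) into an initContainer while the long-lived container runs unprivileged with every capability dropped. The policy it encodes, the manifests and the image names are all assumptions made for illustration.

```python
"""Added example: a minimal least-privilege linter for Kubernetes Pod specs,
of the kind a team could run in CI or behind a validating admission webhook
to keep new privileged containers from landing. The policy below is an
assumption chosen for this example, not any project's official rule set."""

from typing import Any

# Constructed "before" manifest: root, privileged, host PID namespace.
BAD_POD: dict[str, Any] = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "legacy-agent"},
    "spec": {
        "hostPID": True,
        "containers": [{
            "name": "agent",
            "image": "example.invalid/agent:1.0",  # placeholder image
            "securityContext": {"privileged": True, "runAsUser": 0},
        }],
    },
}

# Constructed "after" manifest: the one-off root step (chown of a volume)
# is segmented into an initContainer with only CAP_CHOWN; the long-running
# container is non-root, cannot escalate, and drops every capability.
HARDENED_POD: dict[str, Any] = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "agent"},
    "spec": {
        "volumes": [{"name": "data", "emptyDir": {}}],
        "initContainers": [{
            "name": "fix-perms",
            "image": "example.invalid/busybox:1.0",  # placeholder image
            "command": ["sh", "-c", "chown -R 1000:1000 /data"],
            "volumeMounts": [{"name": "data", "mountPath": "/data"}],
            "securityContext": {
                "runAsUser": 0,
                "allowPrivilegeEscalation": False,
                "capabilities": {"drop": ["ALL"], "add": ["CHOWN"]},
            },
        }],
        "containers": [{
            "name": "agent",
            "image": "example.invalid/agent:1.0",
            "volumeMounts": [{"name": "data", "mountPath": "/data"}],
            "securityContext": {
                "runAsNonRoot": True,
                "runAsUser": 1000,
                "allowPrivilegeEscalation": False,
                "readOnlyRootFilesystem": True,
                "capabilities": {"drop": ["ALL"]},
            },
        }],
    },
}


def _check_container(c: dict[str, Any], pod_sc: dict[str, Any], *, init: bool) -> list[str]:
    """Findings for one container. Pod-level securityContext supplies
    defaults (runAsUser, runAsNonRoot); container-level settings override."""
    sc = {**pod_sc, **c.get("securityContext", {})}
    caps = sc.get("capabilities", {})
    name = ("initContainer " if init else "container ") + c["name"]
    findings: list[str] = []
    if sc.get("privileged"):
        findings.append(f"{name}: privileged=true")
    if sc.get("allowPrivilegeEscalation") is not False:
        findings.append(f"{name}: allowPrivilegeEscalation must be false")
    if "ALL" not in caps.get("drop", []):
        findings.append(f"{name}: capabilities.drop must include ALL")
    if not init:
        # Long-running containers must be provably non-root and add nothing.
        if sc.get("runAsUser") == 0:
            findings.append(f"{name}: runAsUser=0 (root)")
        elif not sc.get("runAsNonRoot") and "runAsUser" not in sc:
            findings.append(f"{name}: runAsNonRoot unset; image default may be root")
        if caps.get("add"):
            findings.append(f"{name}: adds {caps['add']}; move that work to an initContainer")
    return findings


def audit_pod(pod: dict[str, Any]) -> list[str]:
    """Return a list of least-privilege violations; an empty list means the
    Pod passes. Init containers may run as root with a few added
    capabilities (the segmentation pattern), but may never be privileged."""
    spec = pod["spec"]
    findings: list[str] = []
    for flag in ("hostPID", "hostNetwork", "hostIPC"):
        if spec.get(flag):
            findings.append(f"pod: {flag}=true")
    pod_sc = spec.get("securityContext", {})
    for c in spec.get("initContainers", []):
        findings += _check_container(c, pod_sc, init=True)
    for c in spec.get("containers", []):
        findings += _check_container(c, pod_sc, init=False)
    return findings


if __name__ == "__main__":
    for label, pod in (("before", BAD_POD), ("after", HARDENED_POD)):
        print(label, audit_pod(pod) or "OK")
```

The design choice worth noting is that the rule for initContainers is looser than for long-running containers: a short-lived setup step may keep a single capability it demonstrably needs, which is exactly the "segment out powerful permissions" pattern, while the container that serves traffic for the life of the Pod is held to non-root, no escalation and no capabilities.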


Greg Castle

GKE Security Tech Lead, Google
Greg is the tech lead for the Google Kubernetes Engine (GKE) security team and has been contributing to K8s security since 2017. He founded the K8s Container Identity Working Group and led GKE team members who built K8s OIDC support, Secrets Encryption, RuntimeClass, and more. Greg...

Vinayak Goyal

Senior Software Engineer, Google
Vinayak works as a senior software engineer at Google, focusing on hardening Kubernetes. His work at Google is focused on de-privileging containers to make GKE the most secure Kubernetes offering for customers. Vinayak is also the tech lead for GKE Autopilot security, focusing on...

Friday April 21, 2023 11:55 - 12:30 CEST
In Virtual Platform
Track: Security + Identity