Good Fences Make Good Neighbors: Making Cross-Namespace References More Secure with ReferenceGrant - Nick Young, Isovalent

less than 1 minute read

Abstract

The Kubernetes security model is very reliant on namespacing for enclosing trust boundaries. But what happens when an resource or set of resources need to cross those trust boundaries? How can we be confident that both parties in cross-namespace communications agree to the relationship between objects? In the SIG-Network Gateway API subproject, we’ve found that this is a little tricky. The answer is that both parties have to agree. The owner of the resources in the target namespace has to agree to someone outside their control accessing their stuff, and the resource that wants to refer to that stuff has to explicitly ask. Come and learn about the solution the Gateway API subproject of SIG-Network has put in place, the ReferenceGrant resource, how it works, and how it can be used to ensure that a cross-namespace reference is agreed to by both parties. We’ve also used variants of the same approach in other parts of the Gateway API, and this talk will explain those as well. You will come away with some knowledge both of the ReferenceGrant resource, the history behind it, and how it fits into the Gateway API.

Sched URL

Video

Twitter Facebook LinkedIn

About

Conferences

Good Fences Make Good Neighbors: Making Cross-Namespace References More Secure with ReferenceGrant - Nick Young, Isovalent

Abstract

Video

You May Also Enjoy

You Shall Not Pass! Unless You Are GUAC Verified…. - Parth Patel, Kusari & Dejan Bosanac, Red Hat

Living off the Land Techniques in Managed Kubernetes Clusters - Ronen Shustin & Shay Berkovich, Wiz

Leveraging OCI 1.1 for Enhanced SBOM Integration and Vulnerability Scanning in Harbor - Anais Urlichs, Aqua Security & Shengwen Yu, VMware

Lessons Learned from Generating 100M SBOMs: Google’s Approach to SBOM Compliance - Brandon Lum & Isaac Hepworth, Google