How To Break Multi-Tenancy Again and Again …and What We Can Learn From It - Lorin Lehawany & Sven Nobis, ERNW

less than 1 minute read

Abstract

Namespace-based multi-tenancy is challenging to implement and less effective than control-plane isolation. Thus, the latter is the standard today. But is this really true? Workloads such as machine learning, pipelines, or scripting capabilities can introduce unobvious multi-tenancy in clusters and become increasingly popular. So the question is: How to isolate those workloads from each other securely? Pod Security Standards, Network Policies, and Admission Controller are well-adopted, but is it enough? The answer is no: This talk presents real-world exploits in Kubeflow, Istio, and Traefik to bypass threat boundaries between namespaces and workloads. Based on these examples, this talk presents a methodology for assessing complex environments with isolation problems and guides how to address them.

Sched URL

Video

Share on

X Facebook LinkedIn Bluesky

About

Conferences

How To Break Multi-Tenancy Again and Again …and What We Can Learn From It - Lorin Lehawany & Sven Nobis, ERNW

Abstract

Video

Share on

You May Also Enjoy

The Shared Service Blueprint: A Guide to Multi-Tenancy, Illustrated With KEDA - Aya Igarashi, Preferred Networks, Inc.

Tailor Made: Dynamic Fine-Grained Authorization for API Traffic - Erica Hughberg, Tetrate & Andres Aguiar, Okta

SPIFFE Meets OAuth: Federated Identity for Cloud Native Workloads - Yoshiyuki Tabata, Hitachi, Ltd.

SB💣💣M: Making SBOMs Play Together - Jacopo Bufalino, CNAM & Agathe Blaise, Thales SIX GTS France