KubeCon EU 2016: Integrated trusted computing in Kubernetes
Transcript of KubeCon EU 2016: Integrated trusted computing in Kubernetes
Matthew Garrett @mjg59 | [email protected] | coreos.com
Integrated Trusted Computing in Kubernetes
Secure runtimes require a secure base
How do we trust a system?
Trusted Computing
Trusted Platform Module
Unique per-system identity
Cryptographically verifiable system state
Attestation
How does this fit into Kubernetes?
Verify system state before providing access
Two-pronged approach
Authentication Controller
Initial authentication is TPM based
Attestation is slow :(
On valid auth, provide secrets
Admission Controller
Validate state on node operations
Can we go further?
Measure initial container state
Cryptographically verifiable audit trail
Proof of concept implementation
JSON-based policy description
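As an added example (not code from the talk or from the mjg59/kubernetes fork), here is the admission-controller check the slides describe, in Go: a JSON policy of expected PCR digests is compared against the PCR values a node reports, with the expected value derived by replaying a measurement log through the TPM extend operation. The policy's JSON shape, the `Admit` function and the measurement strings are assumptions constructed for this example.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"sort"
)

// Policy is an assumed JSON shape (not the talk's format): PCR index -> expected hex digest.
type Policy struct {
	ExpectedPCRs map[string]string `json:"expected_pcrs"`
}
// extendPCR mirrors the TPM extend operation on a SHA-256 bank: new = H(old || measurement).
func extendPCR(old [32]byte, measurement []byte) [32]byte {
	return sha256.Sum256(append(old[:], measurement...))
}
// replayLog recomputes a PCR from an all-zero start, as a verifier does with a measurement log.
func replayLog(log ...[]byte) [32]byte {
	var pcr [32]byte
	for _, m := range log {
		pcr = extendPCR(pcr, m)
	}
	return pcr
}
// Admit checks the PCRs a node reports against the policy; missing PCRs fail closed.
// It returns whether the node is admitted and the sorted list of mismatching indices.
func Admit(policyJSON []byte, reported map[string][32]byte) (bool, []string, error) {
	var p Policy
	if err := json.Unmarshal(policyJSON, &p); err != nil {
		return false, nil, err
	}
	var bad []string
	for idx, want := range p.ExpectedPCRs {
		if got, ok := reported[idx]; !ok || hex.EncodeToString(got[:]) != want {
			bad = append(bad, idx)
		}
	}
	sort.Strings(bad)
	return len(bad) == 0, bad, nil
}

func main() {
	// Constructed measurements for a known-good node; the policy pins the resulting PCR 7.
	want := replayLog([]byte("firmware-constructed"), []byte("kernel-constructed"))
	policy := []byte(fmt.Sprintf(`{"expected_pcrs":{"7":"%x"}}`, want[:]))
	fmt.Println(Admit(policy, map[string][32]byte{"7": want}))                                         // true [] <nil>
	fmt.Println(Admit(policy, map[string][32]byte{"7": replayLog([]byte("firmware-constructed"))})) // false [7] <nil>
}
```

A real controller would take the reported PCRs from a signed TPM quote verified against the node's attestation key; the comparison logic above is the part that stays the same.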
Should this be in-tree?
https://github.com/mjg59/kubernetes
Thank you!
We're hiring in all departments!
Email: [email protected]
Positions: coreos.com/careers