Live. Hello everyone. We promised to break everything, and we broke everything. Very good. Hi Ben, nice to meet you here. Ben, nice to meet you. I don't know what we broke, but as I said, this is an official CNCF event, so everyone, please respect the CNCF code of conduct. We have a great guy here, Ben, Vice President of R&D at Armo, and he will break the security of Kubernetes and show us the code. Ben, thank you so much for joining us today. Thank you for having me. Let's go, break everything. Yeah, let's go for it. Hi, so are you there? Hello, do you see my screen? Oh, not yet, but it will come. Hello, Tunis, nice to meet you. We'll be there in just a minute. Just a minute. Reading the chat: "hacking easily", "hacking is illegal, if you guys see", etc. Good. Hello, Mongolia, nice to meet you, thank you for joining us today. Hi guys. Bruno Kaufman, my friend, nice to meet you here, thank you so much. Let's learn how to break, or rather how not to break, Kubernetes, with Ben. One more, please. Yeah, just tell me when to start and I will start. You can start. Let's go. Yeah, do you see my screen? Not yet. I'm re-sharing my screen; just give me a nod when it's being shared. Oh, not for me, I don't know. I'm not seeing it. Let me check if it is on Twitter. Okay. Oh, you cannot. Okay, we are facing a little problem with the streaming; the stream is restarting. Please. Oh, great. Awesome.

So, hi guys. I'm really glad to be here, especially since I see people here from Italy and Mongolia and from the States, and I really appreciate being here and appreciate your attention. What we are going to talk about today: I'm going to show you our take on attacking Kubernetes. I'm going to show you a few simple attacks. Let's jump into it.
So, just as Paul said, I'm Ben, VP R&D at Armo. And just so you know, I've been a white-hat hacker for a really long time, and I love hacking just as much as I love Kubernetes. We all love Kubernetes and cloud native, and there's no denying that Kubernetes, and cloud native in general, is a big success. And with big success in the security world come the attacks, because once you become a key player, you become a target for many, many attacks. I brought here a few examples of attacks on Kubernetes that happened only in the past few months. As a white-hat hacker, I understand that we have power, that Kubernetes has great power, and with great power comes great responsibility. I saw that someone here was concerned about the legality of hacking: we are hacking Kubernetes and we are doing this in order to make things better. I also encourage everyone to report issues to the Kubernetes team if they find something, just as I did before. So what can an attacker want from a Kubernetes cluster and a Kubernetes system? You may want to steal data. Here I'm talking not just about stealing data directly from a pod, but about stealing data using credentials that have been stolen from the Kubernetes cluster. Think about all the cloud credentials you have in your cluster, in your different objects and also in your file system. Each of them can be an attack vector in the sense of stealing more data.
Also, a Kubernetes cluster can be used to gain computational resources. It's an interesting attack vector today: people looking for computational resources to do some mining and so on use Kubernetes to gain such resources. We've started to hear in the security community about ransomware around Kubernetes: people locking out administrators and locking data in order to get some financial gain, and it's a real threat. And, as I told you before, any service provider can also be a victim of denial-of-service attacks, and bringing down a Kubernetes cluster can be a really big problem. So these are the things an attacker may want when looking into a Kubernetes environment.

My story today: I always like to tell a framing story around these talks, and our story begins with Google's Online Boutique microservices demo application, which we call Hipster Shop because that was its old name. We have Hipster Shop running in GKE, Google's own Kubernetes solution. This is an online application, a web shop, running on Kubernetes, and it has some security measures in place: containers are scanned for vulnerabilities before uploading, and we have installed Falco in this cluster. This is the starting point for our discussion; this is where the attacker is going to start to work. And in order to let you focus on this whole talk and this demonstration, I will stop here and there to review questions and try to answer them in place.
My attack has been broken down into several smaller attacks. I'm going to install malware, or rather get the operators of this Kubernetes cluster to install malware, in their cluster. Then I'm going to use this malware to get into the victim's pod. Then I'm going to steal the service account token from this pod, and remotely, not from within the Kubernetes cluster but from outside, I'm going to use the service account to identify myself against the API server and start communicating with the API server from outside the cluster. Then I'm going to start stealing secrets from your Kubernetes cluster. After that, we are going to break out to the worker nodes and steal more interesting things from there. So this is the plan. Let's jump into the first vector, which is actually... sorry, Paul, have you asked something? Yeah, just one thing. A friend in the chat asked if you will talk about any attacks on the OS hosting the Kubernetes processes. Will you cover this kind of attack today? Not exactly: we are going to exit to the OS level at the end, but at the beginning we are focusing only on the Kubernetes layer. Thanks. Sure. And again, just ask me questions during the talk and I will stop to answer them.

So let's say that for now I'm wearing the hat of the operator of this solution. As the operator, I open my Slack one morning. Obviously I'm in the Kubernetes channel first, but then I return to my home channel and see that my friend just sent me a message that there is a new version of the microservices demo. And I'm pretty happy, because I usually love new versions of software; they are usually better.
I go to GitHub and I see that this must be a very nice, very good version. As the operator, I'm a little bit careful, maybe: I usually scan the images I'm installing in my Kubernetes cluster for vulnerabilities. So I go to this public repository at Quay.io, which has just scanned this image, and I see that it's a pretty good scan result: the Quay security scanner has not detected any vulnerabilities in this image. So as the operator I'm now pretty fine with installing this new version from this public repository. What I'm going to do now (well, I got disconnected, maybe) is go to my solution, which is working here. You can see the Online Boutique is up and running, and I can see my workloads here also running smoothly. From my control shell, I'm going to patch this service: I'm going to install version 0.2.2 of the frontend, and we'll see what is going to happen. Okay, I've updated my deployment with this new version, and the new version started to work. And I'm the operator coming here doing some checks, and well, it's still working; I'm still able to buy stuff in the boutique. So I feel fine and I go to sleep now. Sorry for interrupting you again, but when you show your shell, can you increase the character size a little bit, because it's a little bit hard to see? Yes, a little bit more. I think I already have the largest. I'm not sure; maybe the light theme is better. Oh, do you think it's better? Oh no, come back to black. I think that's okay. Okay. It's not okay. No problem.
And please, if possible, could you put your name and your Twitter account? People are asking. Yeah, sure, at the end. Okay. Someone switch screens if it's okay. Okay. Thank you so much. So, what happened here behind the scenes is that I, as an attacker (I'm switching hats, and now I'm the attacker), was able to add a backdoor into the new version of this frontend component. So actually my code, as an attacker, has started to run in your cluster. Now you can say, well, someone took it from a public repository, but there were endless examples, even in the last month, of tainted images in public repositories. Everyone was worried about cybersecurity and reading about cybersecurity; I guess you also heard about the SolarWinds attack, which is what we call a supply chain attack. This is exactly what I'm showing you: I published a malware-enabled version of a public component in a public container repository, and I got someone to install it.

So what happens in the next step? In the next step, as an attacker, I'm going to connect to my backdoor. I hope the text is readable here. I'm going to connect to this IP, which is actually the public IP of this web shop, at the service port. Do you see it, my friends? Is it okay? I'm going to connect to my backdoor within the service, which looks totally legit. And what I can show you is that I've opened a reverse shell in the pod. What you see here is that I opened a TCP connection against the service, added my own request path, and connected to my backdoor, which was embedded in this new version. So right now you see that I've opened this. I see that people still want even bigger text.
I'm going to make it even bigger. Okay. So I was able to connect to my malware, and right now I'm running a process within the pod. I've opened the reverse shell, so I have access to the system, to the inside of the pod. And when I'm inside, I can do different things as an attacker. Daniel asked what service permitted this. This is not really a service. Again, we have taken a legitimate application and added malware to it, and someone installed this malware version of the application because it was pushed into a public repository, and no container scan could reveal the actual problem, the malware. So what's running here is the frontend application, which you can also see in the microservices demo GitHub at Google. And what I'm going to show you, beyond just looking into the files, is that I'm going to take one very, very interesting file. This very interesting file is... wait a second, this doesn't look good, right? Okay. So this file is the service account token. The service account token is actually the secret that has been mapped into the Kubernetes pod. Wait a second. Okay. So the service account token is the secret used by a Kubernetes pod that wants to connect to the kube API and make requests to it. This token is used to authenticate this pod against the kube API. It's essentially like a password or an authentication secret, if you will, and it is used by Kubernetes to authenticate services. Now, as an attacker, I'm going to take this service account token. I'm returning to my cloud shell, which could be any other shell anywhere in the world.
I'm taking this token and I'm going to use it later. And beyond the token, I'm also taking something else, which is a certificate, ca.crt. This is the certificate used for communicating with the API server. I'm copying it, just as I did with the service account token, and exiting now, disconnected from the pod. So, there is a really good question here: are all service account tokens mounted in the pod in this way automatically by Kubernetes? Yes. Kubernetes automatically mounts the service account token into the pod; I didn't do any explicit mount here. Every Kubernetes pod has a service account by default, which is the namespace's default service account, and you can see it in the pod, but you can tell Kubernetes not to mount it into your pod. So, returning to the attack: I'm going to store my certificate as well. I have an old certificate here; I'm just cleaning it up. What I have here in this console is two things: one is the token, the second is the certificate. So let me show you where we are in this whole sequence. We've opened the reverse shell and stolen the service account token from this pod. Now, service accounts are a way in Kubernetes to authenticate services within Kubernetes. The interesting part is that, as of today, these tokens can be used from anywhere to authenticate against the kube API server. So you don't necessarily need to be in the cluster. And why is this important? Because if I'm operating within the system, I don't necessarily want to do it from within the system. As an attacker, it's way easier for me to do it from the outside:
I have to clean up less after myself. Now, I see that we have a few questions here. Someone asked: I would imagine tokens should only be able to list and view and not do much harm unless our RBAC is messed up. It's a good point. It really depends on what you are doing. There are public-facing pods, pods that can be accessed from the public internet, which do have a service account that is meaningful. By default, a default service account usually doesn't have any interesting authorizations in the RBAC system, but there are those that do. I really appreciate that you're saying the RBAC is messed up, and more or less I agree with you. But sometimes, for example, monitoring tools, which are used remotely to monitor systems, usually need a lot of authorizations, and they're also public-facing, so they're a good target. In this case, what we are going to do is use this service account token to start talking to the Kubernetes API server. I have a simple prepared command here which I want to walk through with you quickly. The interesting part is that I'm obviously using curl in this case, but I've added an Authorization header to the curl request, "Authorization: Bearer" followed by the token we've just copied. And I'm going to the API server host, which can be found more or less easily, and the path /api/v1/namespaces/default.
So what I'm going to show you here is that using only curl and this service account token, while not running inside the Kubernetes cluster, I'm able to connect to the Kubernetes API server. I just need to set it up here: the address is set to the API server of the target cluster. This is the IP of the API server from the outside world, at port 443. And as you can see, I've just got a response from the API server using this token, from the public internet and not from inside the cluster. So it is also a small proof of concept that you can start to operate against the API server using this token. As the next stage, I'm going to show you that using this token (and I agree with one of the questions: obviously, in this talk, the service account has privileges in the system) I'm able to start dumping Kubernetes secrets. Just as I did here with my request for pods, in the same way I can request secrets, and I get the answer from the kube API. Also, I can go to the hipster shop namespace, and as you can see, I can look into what kind of secrets are residing in this namespace. And I bump into an AWS access ID. This could be any kind of secret: an access ID or any kind of authentication token for other cloud services. So obviously, if someone starts to access your secrets remotely, it is a problem, and this is something you should be sure to watch out for. I was able to dump the secrets remotely using only curl and this token. And I also have other secrets here, like the recipe of the Big Mac sauce, and here are the ingredients. So you have here a lot of stuff you can take from the API server.
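[Editor's note, an added example that is not part of Ben's demo or of Armo's tooling: the steps just described, in Python rather than the curl the talk used, run offline. It decodes a constructed service-account JWT without verifying it (all an attacker needs are the claims; verification is the API server's job), builds the same Authorization header and secrets path curl would send, and pulls the base64-decoded values out of a constructed SecretList response. Assumptions: namespace hipster-shop, service account default, a placeholder API server address, and the legacy service-account claim layout; bound (projected) tokens carry the same information under a nested kubernetes.io claim.]

```python
"""Offline walk-through of the stolen-token stage (editor-added example)."""
import base64
import json


def _b64url(obj: dict) -> str:
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


# Constructed token: JWT-shaped, legacy service-account claim names.
# The third segment is a dummy; nothing in this example verifies signatures.
STOLEN_TOKEN = ".".join([
    _b64url({"alg": "RS256", "kid": "example"}),
    _b64url({
        "iss": "kubernetes/serviceaccount",
        "kubernetes.io/serviceaccount/namespace": "hipster-shop",        # assumed
        "kubernetes.io/serviceaccount/service-account.name": "default",  # assumed
        "sub": "system:serviceaccount:hipster-shop:default",
    }),
    "ZHVtbXktc2lnbmF0dXJl",  # not a real signature
])


def decode_jwt_claims(token: str) -> dict:
    """Decode the JWT payload segment without verifying it."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))


def sa_identity(token: str) -> tuple:
    """(namespace, service-account name) the token is bound to."""
    claims = decode_jwt_claims(token)
    return (claims["kubernetes.io/serviceaccount/namespace"],
            claims["kubernetes.io/serviceaccount/service-account.name"])


def secrets_path(namespace: str) -> str:
    return f"/api/v1/namespaces/{namespace}/secrets"


def api_request(api_server: str, token: str, path: str) -> tuple:
    """The curl equivalent as (url, headers). Returned instead of sent so the
    example runs offline; feed them to urllib/requests with the stolen ca.crt
    as the CA bundle to reproduce the demo against a real endpoint."""
    headers = {"Authorization": f"Bearer {token}", "Accept": "application/json"}
    return f"https://{api_server}{path}", headers


def dump_secrets(secret_list: dict) -> dict:
    """Flatten a SecretList into {secret name: {key: decoded value}}.
    Secret data is base64 in the API response, so reading it is just this."""
    out = {}
    for item in secret_list.get("items", []):
        data = item.get("data", {})
        out[item["metadata"]["name"]] = {
            k: base64.b64decode(v).decode() for k, v in data.items()
        }
    return out


# Constructed response for GET /api/v1/namespaces/hipster-shop/secrets (fake values).
SAMPLE_SECRET_LIST = {
    "kind": "SecretList",
    "items": [
        {"metadata": {"name": "aws-creds", "namespace": "hipster-shop"},
         "type": "Opaque",
         "data": {"AWS_ACCESS_KEY_ID": base64.b64encode(b"AKIAEXAMPLEKEY000000").decode(),
                  "AWS_SECRET_ACCESS_KEY": base64.b64encode(b"example/secret").decode()}},
        {"metadata": {"name": "bigmac-sauce", "namespace": "hipster-shop"},
         "type": "Opaque",
         "data": {"recipe": base64.b64encode(b"ingredients redacted").decode()}},
    ],
}


if __name__ == "__main__":
    ns, sa = sa_identity(STOLEN_TOKEN)
    url, headers = api_request("203.0.113.10:443", STOLEN_TOKEN, secrets_path(ns))
    print(f"token belongs to system:serviceaccount:{ns}:{sa}")
    print("GET", url, "Authorization:", headers["Authorization"][:24] + "...")
    for name, kv in dump_secrets(SAMPLE_SECRET_LIST).items():
        print(name, sorted(kv))
```

The namespace comes out of the token itself, which is why an attacker who only has the token and an endpoint can go straight to the right /secrets path without any prior recon of the cluster.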
Sorry for interrupting, we have a very interesting question: how do you know the API server endpoint? Yeah, of course. You are talking about obtaining a security key, and of course you can use it everywhere, but to use it, one thing you need is the door, and the door is the endpoint. So this is a good question. I didn't want to cover it here because I didn't find it very interesting for this talk, but there is an easy strategy: scanning and crawling IPs. The IP ranges used by Google for Kubernetes API endpoints are more or less pretty clear, and finding out which one is answering, taking my service account token and accepting it, should be a rather small task; it may take up to a few hours to find out which one is the actual API server endpoint for me, but it shouldn't be a big task. Our friend Valid asked if you can show how much access you have. Yeah, you asked it here. I am going to show it at the end. But obviously, Valid, just as I said before, this is an elevated service account. I agree with you that obviously it has authorizations, but just think about any monitoring tool that monitors kube objects and even secrets; I guess it needs these authorization levels. So it's not really a far-fetched thing that they do have such an account. This account does have elevated privileges beyond the simple things. So, returning: I've shown you that I was able to take the secrets and dump them out.
Now, as the last part of this remote attack, what I'm going to do is create more persistence in the system. In order to do that, I'm going to exit this pod and create a new pod in the system, which is going to mount the host file system. It's not going to be what we call a privileged pod; it only mounts the node file system. And what I'm going to do is take from there the private key and certificate of the Kubernetes node, which is used to authenticate the node against the Kubernetes management system. As I told you, I still have these elevated privileges, and I've just created a new namespace, which is not really interesting. What I did is create a new deployment; let me show you what we have here. Within this new deployment, you have again more or less the same curl request, again the same API server and host. Within this new namespace, which is called bad namespace, I've created a new deployment. And just to show you: there is nothing really curious about this deployment, but what you need to see here is that there is a volume mount within this pod, mounted from the host, the root directory of the host. I'm going to connect to this in order to start looking at the host. So, let's see the questions. Do we have new questions? This one is about our Big Mac, but let's put this on hold. Yeah, yeah. Okay, it's going to be in the comments. So, where were we?
For me, doing these tricks, the interesting part was that I had never used the Kubernetes API from curl before, and here I started to use it from curl. At this stage of the attack, I want to start executing processes using this authentication mechanism. To do that, on the one hand I wanted to use curl, and on the other hand I needed to connect to the exec API of the pod in Kubernetes. Honestly, I had never gone down this path before, and I'm sure that for most of the audience it's not new, but for me it was new to see that the exec API in Kubernetes is actually a WebSocket API. When I realized that, I saw that doing WebSockets in curl is not an easy thing to do. That's why I just wrote myself a Python script which does this connection for me based on this authentication token. I took some code from our stuff. The interesting part is more or less this line, which I'm using to create the configuration for the Python module, in order to make it think that we are running inside the cluster. I wouldn't call this an attack, but it's an interesting thing: you can convince your Python Kubernetes module to take the token and certificate from a different place than it usually takes them. Then I'm connecting with this Python module in order to execute commands on the destination pod. So what I'm going to do here is get the pod name for us by listing the pods in the bad namespace and grepping for the name. Okay, so I have this, and here is the deployment name. So what we are going to do here is start to look at this pod, which has mounted this volume. We are running in the bad namespace; this is the pod name.
And I want to see what we have in this directory. Okay, so we are missing the certificates. Just give me a minute. So, export the certificates. We don't have... okay, our hosts are not working. The certificate is not called "certificate". Wait a second, I just need to check what went wrong. I think I need to copy the same certificate again; let's take it from here. Yeah, no, actually, I think I had a typo there. I'm just reconnecting. Okay, now it's working. So actually, again using this token, I've looked into the host file system under /var/lib/kubelet/pki. And yeah, I see the comments: PEM, with an E; I know that I made a typo before, and that's why the path I used says "pam". Returning to this. If someone has the whole host file system, especially under /var/lib/kubelet/pki, there are these certificate files, which actually contain not just the certificates but also the private keys. So if I look into this, I do see that I got the elliptic curve private key here and the related certificate there. If I take it and parse it, looking at what I have inside with openssl x509 -in host.pem -text, I think: yeah, I've parsed this file and I see that I have a certificate which is good for the next five years. So if I take away this certificate, I can have permanent access for the next five years to this cluster from within. Obviously it's a good thing for the attacker to take. With it I can connect to the control plane of Kubernetes and start to get everything you have in etcd for any type, and manipulate it. So it's also a good thing to take away if something is running.
And if I look into the Falco log, just to show that, since I've been using this remotely and I haven't used a privileged pod here, I didn't get any notification from Falco about any suspicious activity. From my point of view, it's more or less game over in this case. So, recapping this stuff: we went from doing initial penetration into the cluster using a frontend application, which in my case contained the malware. But just as it contained malware, it could have had a software vulnerability. I think I saw last week a very interesting other video, which was posted in the Kubernetes security group Slack, where someone did the same initial penetration using a well-known vulnerability in Drupal. In our case, we used malware, and we packed the malware in order to connect to it. This malware was packed using a tool called Ezuri. It's an open source tool, and it encrypts and decrypts the malware in RAM, so it is pretty stealthy and hard to detect. When we connected to this backdoor, we took the service account token for authentication from the pod, then used the service account token from there until the end to authenticate ourselves from outside the cluster. We showed that easily, if you have access to the kube API from the outside, obviously you can start to read secrets and you can start to bring up a pod.
In our case, we brought up the pod and used it to mount the host file system and take the node's certificate and private key. So let's go to some more questions. I have a question from Valid: what would you do if you wanted to defend against this attack? It's a very, very good question. Obviously I have a problem answering, because Armo is, obviously, one of the companies doing protection against such attacks. But obviously one of the most important things here is to be sure where you are taking your software updates from; the supply chain is a very delicate thing. And not just from a commercial point of view but as a community, we have to think about how we can better protect the supply chains and how we can better look for such packed malware. And obviously, take versions from places you have a pretty decent respect for. I also think that we need to improve our runtime detections. Although I understand why, I do feel that it's not a good thing that you can authenticate using a service account from the public internet against the kube API, and the kube API is not checking the source IP. Again, I know there is a design reason for that, but still I feel there can be some improvement here. And obviously, just as was said, RBAC and elevated pods are a problem. Yeah. And more questions. Yeah.
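[Editor's note, an added example that is not part of the talk, of Armo's products, or of Falco: a small admission-style check in Python over Pod objects in v1 API shape. It flags the things this chain relied on: the non-privileged pod from earlier that mounts the node root via hostPath (and so reaches /var/lib/kubelet/pki), privileged or host-namespace settings, and the service-account token being auto-mounted into pods that never call the API, which is the setting mentioned when the token-mount question came up. The pod specs below are constructed for the example and the image names are placeholders; the same check_pod function would be called from an admission webhook or over rendered manifests in CI.]

```python
"""Editor-added pod-spec check; not the talk's, Armo's, or Falco's code."""

# Node paths whose exposure hands an attacker node or cluster credentials.
SENSITIVE_HOST_PATHS = (
    "/var/lib/kubelet",      # kubelet PKI: node client certificate and private key
    "/etc/kubernetes",       # control-plane / kubelet configs and certs on many distros
    "/var/run/docker.sock",  # container runtime socket
    "/etc",
    "/root",
)
SA_TOKEN_MOUNT = "/var/run/secrets/kubernetes.io/serviceaccount"


def _is_sensitive_host_path(path: str) -> bool:
    if path == "/":
        return True
    return any(path == p or path.startswith(p + "/") for p in SENSITIVE_HOST_PATHS)


def check_pod(pod: dict) -> list:
    """Return findings for one Pod; an empty list means the pod passes."""
    spec = pod["spec"]
    findings = []
    for vol in spec.get("volumes", []):
        host_path = vol.get("hostPath")
        if host_path is None:
            continue
        path = host_path.get("path", "")
        level = "CRITICAL" if _is_sensitive_host_path(path) else "WARN"
        findings.append(f"{level}: hostPath volume {vol['name']!r} exposes node path {path!r}")
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        if (c.get("securityContext") or {}).get("privileged"):
            findings.append(f"CRITICAL: container {c['name']!r} runs privileged")
    for flag in ("hostPID", "hostNetwork", "hostIPC"):
        if spec.get(flag):
            findings.append(f"WARN: {flag} is true (pod shares a node namespace)")
    # The field defaults to true, so the token lands in every pod, including ones
    # that never talk to the API. It also exists on the ServiceAccount object; the
    # pod-level value wins when set, which is all a pod spec can tell us.
    if spec.get("automountServiceAccountToken", True):
        findings.append("WARN: automountServiceAccountToken is not false; "
                        f"token mounted at {SA_TOKEN_MOUNT}")
    return findings


def check_pods(pods: list) -> dict:
    """Findings keyed by namespace/name, omitting pods that pass."""
    result = {}
    for pod in pods:
        findings = check_pod(pod)
        if findings:
            result[f"{pod['metadata']['namespace']}/{pod['metadata']['name']}"] = findings
    return result


# Constructed samples. ATTACKER_POD mirrors the demo's description: no privileged
# flag, just the node root mounted inside the container. Images are placeholders.
ATTACKER_POD = {
    "metadata": {"name": "persist", "namespace": "bad"},
    "spec": {
        "containers": [{"name": "c", "image": "busybox", "command": ["sleep", "infinity"],
                        "volumeMounts": [{"name": "host", "mountPath": "/host"}]}],
        "volumes": [{"name": "host", "hostPath": {"path": "/"}}],
    },
}
FRONTEND_POD = {  # the shop frontend as deployed: defaults everywhere
    "metadata": {"name": "frontend", "namespace": "hipster-shop"},
    "spec": {"containers": [{"name": "server", "image": "frontend:0.2.2"}]},
}
HARDENED_FRONTEND = {  # same workload with the token mount switched off
    "metadata": {"name": "frontend-hardened", "namespace": "hipster-shop"},
    "spec": {"automountServiceAccountToken": False,
             "containers": [{"name": "server", "image": "frontend:0.2.2",
                             "securityContext": {"privileged": False}}]},
}


if __name__ == "__main__":
    for key, findings in check_pods([ATTACKER_POD, FRONTEND_POD, HARDENED_FRONTEND]).items():
        print(key)
        for f in findings:
            print("  ", f)
```

The hostPath rule is the one that catches the demo's persistence pod: it is not privileged, so a check that keys only on securityContext.privileged would let it through. Turning automountServiceAccountToken off on the frontend would not have stopped the backdoor from running, but the reverse shell would have found no token to steal.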
So Paul asked about this Drupal thing. I'm going to post it; it's here in the security thread, it was posted there. I'm writing it down and I'm going to try to share it afterwards. More questions. For example: you cannot block access within the enterprise; for example, I'm just using GitHub. Yeah, it's also a good question. And why has Falco not reported access to the kubelet PKI files? There is a good reason for that: these files can be used legitimately. The service account files can also be used legitimately. These are legit files which are accessed by some of the processes. Now the question is how you can differentiate between the good process and the bad process, because obviously only the kubelet is accessing the PKI private key files, and within the pod maybe the application itself uses this service account. So it's pretty hard for Falco to avoid a lot of false alerts here. Yeah, I'm also going to share with you, Paul, where we should share everything, the things we've just shown here. Yeah. This show is being recorded, and I invite everyone to join us in the CNCF Slack, and of course I invite Ben to present in the CNCF Slack, because there we can share other content. And after all, please put your Twitter account, because you can share your GitHub handle with people, GitHub files, et cetera. It's so important. Of course, again, everyone is welcome to be part of the CNCF Slack community and reach us there and ask anything. I know that sometimes it's difficult to ask questions; we have people from everywhere, from YouTube to LinkedIn.
It's amazing, but at the same time, it's difficult to manage all the questions and, at the same time, answer everything and have everyone represented. So please, everyone, come on, reach us in the CNCF Slack channels and we'll be there to help. My entry point for Slack is like the Twitter I put here, and we will put Ben's entry here too, from Twitter. Yeah. But can you put that? I don't see how I can put it in the chat. My Twitter, yeah, I see it. Yeah, we will. Yes. And Libby, please put the security channel now. So everyone's welcome to talk to me. I'm going to stay for at least half an hour or two in the security Slack. So I will be happy to answer. And I hope this talk was interesting. It was fun for me. I hope it gave you some interesting insights. You showed Falco running; it's an amazing project. It's a project inside the CNCF landscape. Yesterday I was with Dan Pop, chatting, talking about Falco. Yeah, it's really amazing. And what I can see here today was a set of best practices together with the tools and the questions about the security issues. I think I have, sorry. Oh, yes. I'm here. Oh my God. Again, the internet. Please, if you want, send a cable to me. It would be amazing, because I'm lost every time; my connection is terrible. Okay. Ben, I see, can you hear me? No. I'm live here. Yeah. So good. Oh, Ben, I saw many good best practices. Of course, you showed the patterns when you have attacks, et cetera. Do you have, oh, I like libraries, I like references, where I can read more about that? Your page, your Armo has a blog that shows more about security.
How can I learn more? Because learning is difficult. It's amazing to see you showing it, and we will watch the show again, but we want to get something in our hands to learn, to read. What do you think, do you have something that you can show to us? Yeah. So, well, I'm restarting my screen share. Sorry, because I've just removed that share. Oh, but you don't see that. Yeah. Okay. So you have armosec.io, our homepage, and you have here our blog, which I really tell you that you should follow. And also on LinkedIn, we are publishing every week some interesting reading here. This thing about, I haven't published about this remote service account token issue, because I reported it just a week ago. So therefore I didn't want to make a big buzz around that. But obviously, I'm going to write it up here in this blog, and you can follow us here and read here, and also on our LinkedIn and Twitter accounts. You can follow us. Oh, great. Thank you. Of course, again, I want to say you are ready to answer questions offline, of course. So where is the better place to reach you, Ben? Your Twitter or your Armo Slack? I prefer the CNCF Slack, of course, because this is a community. I'm on Slack. You're really welcome to write to me on Slack. I'm trying my most to answer you on Slack. And if not, when I open it, I'm sure I'm going to answer every question. Also, LinkedIn and Twitter, these are my main places where I publish, but Slack is, if you want to discuss with me, and I love discussions about security and also about Kubernetes.
So you're really welcome to connect with me on Slack, Ben Hirschberg, and find me there. Okay. Excellent. And Armo has a Twitter account, too. Yeah, I do think so, but I'm not sure where it is. We'll post it here. Okay. Excellent. Oh yeah. If someone's interested, you have a LinkedIn account. You can reach him on LinkedIn too. Amazing. Ben, of course, it was amazing. I don't have more questions here. Oh, Valid is asking that he could not see a message related to what you said in the SIG, SIGSEC; I suppose that is on SIGSEC from Kubernetes or CNCF. Paolo, Paolo. There is a Paolo, my friend from Italy, maybe, because Paolo is Italian. And of course, we can try this again another time. So again, oh my God, fading again. Oh, yes. Come back. Sorry. Oh, that's the problem of living in some place where the telecommunication is not so good. It's here in Brazil. Sometimes we have problems with telecommunications. Okay. Our 4G is like 3G. Our 5G is like 2G sometimes. Okay. So, it was amazing to break things with you, Ben, and I want to invite you again next time to talk more about SIGSEC. SIGSEC is a point, it's DevSecOps. SIGSEC is a very important point for us, and we can see how much the battle, the attacks, the cyber attacks, are growing in the world. Every day when we open the newspaper, you can see that someone had a data breach or something else; accounts are being broken into many times. So this subject is really, really important. So I want to invite you to present for us. You can choose. It can be in the deep dive or another time for this.
And of course, I want to invite you, Ben, and everyone from Armo and from the chat, to our KubeCon Europe. You have a session for Security, right? KubeCon Security Day will be amazing. My friend, ambassador Ricardo, is doing a great job working with the community for this event. You'll be there, Ben? No question. I'm going to be there. I love KubeCon. Oh, okay. But we're participating in the KubeCon, right? Yeah. Oh, excellent. We can reach you there. Okay. Oh, Ben, thank you so much for this show today. We don't have more questions. I'm seeing your blogs. It's amazing here. I'm opening it here: I have a container drift, another example of why HTTP based authentication is flawed. It's yours. Yeah. Okay. Yeah. So yeah, I mean, there we have interesting people and you really should go in here, and if you want to broaden your security mindset, these are really, really good blogs, because I think we do really have a big opportunity here when the industry is going to cloud and cloud native. We have a great opportunity to enhance our security. And just as you said, it's really important. Yes, for sure. At the least, cloud native is a distributed computer and we have microservices; it's like a gremlin. You don't know what a gremlin is because it's a very old film, like me, but microservices are gremlins. Yes. Every gremlin, when you put some water on it, transforms into a crazy, crazy destructor. So we have to take care with security in many aspects. So thank you so much again. Ben was amazing. We will watch your presentation again, because I want to learn more with you; it was amazing. I want to thank Armo, which has given us the opportunity to have you here with us. And I want to thank you, everyone.
So guys, thank you for joining us at this latest episode of our This Week in Cloud Native live stream, the cloud native live stream. It's amazing, our Cloud Native TV. It was great to have you, Ben, with us to talk about the security aspects of Kubernetes and break everything. And we also really loved the interaction and questions from the audience; it was amazing. We did not talk about the Big Mac recipe, but okay, I don't know if you had a Big Mac today; it was amazing too. And we bring you the latest cloud native code every Wednesday at 3pm Eastern time. Next week, we will have someone very, very good to present something amazing, like Ben. Thank you, Ben, for joining us. Thank you, everyone. Thank you. See you, guys. See you. Bye. See you next week. Come on. Same bat channel, same bat time. Yeah. Yeah. See you. Thank you.