Why Kubernetes Multi-Tenancy Keeps Failing: An Offensive Security Perspective
If you're running multiple teams, customers, or workloads on a shared Kubernetes cluster, you're doing multi-tenancy — whether you planned for it or not. The question is whether the boundaries you're relying on actually hold up under attack.
In this session, Lewis Denham-Parry (Staff Solutions Engineer, Edera) sits down with Iain Smart (Principal Consultant, Amberwolf), an offensive security specialist with a decade of penetration testing experience, the last eight years focused on Kubernetes and cloud-native environments. The conversation walks through real attack chains Iain has used to compromise multi-tenant clusters, why common Kubernetes primitives fail as security boundaries, and what organizations get wrong about isolation.
Topics covered:
- What multi-tenancy actually means in Kubernetes: application-level, namespace-level, and direct API access models
- Why taints, tolerations, and Kubernetes namespaces are not security boundaries — and the specific mechanisms attackers use to bypass them
- How overly permissive RBAC and AWS metadata service access enable lateral movement across tenant boundaries
- A real attack: using namespace-scoped wildcard RBAC to modify Pod Security Admission labels and escalate to privileged containers
- The difference between virtualization and isolation, and why containers give you one but not the other
- Where AI agent sandboxing fits into the multi-tenancy problem
- Zero trust in Kubernetes: why it's a mindset, not a product, and where the model breaks down
- Compliance and auditing challenges when your security boundaries don't map to what auditors expect
The session closes with audience Q&A on threat modeling adoption, and a detailed walkthrough of why namespaces aren't enough even with Pod Security Admission enforced.
0:00 Introduction
2:02 Meet Iain Smart: Offensive Security and Kubernetes Pen Testing
6:02 What Is Multi-Tenancy in Kubernetes?
10:01 Hard vs. Soft Multi-Tenancy
13:37 Why Taints, Tolerations, and Namespaces Fail as Security Boundaries
21:12 AI Agents and the Case for Secure Sandboxing
23:18 Virtualization vs. Isolation: Why Containers Give You One But Not the Other
29:12 RBAC, Lateral Movement, and the AWS Metadata Attack
41:56 Zero Trust in Kubernetes: Mindset vs. Product
46:26 Compliance and Auditing in Multi-Tenant Environments
53:19 Q&A: Threat Modeling and the Namespace RBAC Bypass
Video "Why Kubernetes Multi-Tenancy Keeps Failing: An Offensive Security Perspective" from the Edera channel
Video information
8 h 1 min ago
01:02:05