Passionate about computers since childhood, I programmed my first website at 12 years old and have never stopped coding since. After building distributed systems in Java, I became interested in deploying and operating these systems in production, with a particular emphasis on observability. I have been working for several years with Docker, Mesos/Marathon, Kubernetes, and Istio as a Technical Architect, supporting organizations in implementing these solutions.
"You have just deployed your first Kubernetes cluster. You are about to open it up to your developers when your CISO descends on you and asks you to present every measure taken to secure the cluster." We will start by auditing the technical configuration of a Kubernetes cluster to identify vulnerabilities and apply fixes to the technical components. We will continue by using Kubernetes primitives to implement security mechanisms (RBAC, admission controllers, NetworkPolicy, SecurityContext, ...). We will then enrich the cluster with Open Policy Agent, a policy engine that allows finer-grained control than the Kubernetes primitives. We will also integrate Falco, a runtime behavior analyzer that detects suspicious actions performed inside containers and, through audit logs, at the Kubernetes API server level. We will end by implementing a CI/CD pipeline that integrates a vulnerability scan performed with Clair, so that images with known vulnerabilities are detected at build time.