
KubeVirt: privilege dropping one capability at a time


Formal Metadata

Title
KubeVirt: privilege dropping one capability at a time
License
CC Attribution 2.0 Belgium:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.

Content Metadata

Abstract
KubeVirt's architecture is composed of two main components: virt-handler, a trusted DaemonSet running on each node, which acts as the virtualization agent, and virt-launcher, an untrusted Kubernetes pod encapsulating a single libvirt + qemu process. To reduce the attack surface of the overall solution, the untrusted virt-launcher component should run with as few Linux capabilities as possible. The goal of this talk is to explain the journey to get there, and the steps taken to drop CAP_NET_ADMIN and CAP_NET_RAW from the untrusted component. The talk covers changes in both KubeVirt and libvirt, and assumes some general prior knowledge of networking (DHCP / L2 networking).
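Whether the capability drop described above actually took effect is something the kernel will tell you directly: /proc/<pid>/status carries the effective (CapEff) and bounding (CapBnd) capability masks of every process, including the qemu and libvirt processes inside a virt-launcher pod. The following Go program is an added example, not KubeVirt's code and not from the talk; it decodes those masks using the bit numbers from <linux/capability.h> and reports which capabilities from a deny list (here CAP_NET_ADMIN and CAP_NET_RAW) a process still holds. The embedded status snippets are constructed, not captured from a real pod, and the process name and path argument are assumptions for illustration.

```go
// Added example (not KubeVirt project code): decode the capability sets the
// kernel reports in /proc/<pid>/status and flag capabilities that an untrusted
// component such as virt-launcher is not supposed to hold.
package main

import (
	"bufio"
	"fmt"
	"os"
	"strconv"
	"strings"
)

// capNames is indexed by capability bit number, as in <linux/capability.h>.
var capNames = []string{
	"CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER", "CAP_FSETID",
	"CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP", "CAP_LINUX_IMMUTABLE",
	"CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST", "CAP_NET_ADMIN", "CAP_NET_RAW",
	"CAP_IPC_LOCK", "CAP_IPC_OWNER", "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT",
	"CAP_SYS_PTRACE", "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
	"CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD", "CAP_LEASE",
	"CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP", "CAP_MAC_OVERRIDE",
	"CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM", "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ",
	"CAP_PERFMON", "CAP_BPF", "CAP_CHECKPOINT_RESTORE",
}

// Constructed sample status files (not captured from a real virt-launcher):
// a Docker-style default set plus CAP_NET_ADMIN (bit 12), and the same set
// with both CAP_NET_ADMIN and CAP_NET_RAW (bit 13) dropped from every mask.
const SampleBefore = "Name:\tqemu\nCapInh:\t0000000000000000\nCapPrm:\t00000000a80435fb\n" +
	"CapEff:\t00000000a80435fb\nCapBnd:\t00000000a80435fb\n"
const SampleAfter = "Name:\tqemu\nCapInh:\t0000000000000000\nCapPrm:\t00000000a80405fb\n" +
	"CapEff:\t00000000a80405fb\nCapBnd:\t00000000a80405fb\n"

// ParseCapField returns the 64-bit mask of one capability line (CapEff,
// CapBnd, ...) from the text of a /proc/<pid>/status file.
func ParseCapField(status, field string) (uint64, error) {
	sc := bufio.NewScanner(strings.NewReader(status))
	for sc.Scan() {
		line := sc.Text()
		if !strings.HasPrefix(line, field+":") {
			continue
		}
		return strconv.ParseUint(strings.TrimSpace(strings.TrimPrefix(line, field+":")), 16, 64)
	}
	return 0, fmt.Errorf("%s not found in status", field)
}

// DecodeCaps lists the names of the capabilities set in mask. Bits beyond the
// table (a newer kernel) are reported as CAP_<n> rather than silently dropped.
func DecodeCaps(mask uint64) []string {
	var names []string
	for bit := 0; bit < 64; bit++ {
		if (mask>>uint(bit))&1 == 0 {
			continue
		}
		if bit < len(capNames) {
			names = append(names, capNames[bit])
		} else {
			names = append(names, fmt.Sprintf("CAP_%d", bit))
		}
	}
	return names
}

// Retained returns, in deny-list order, the denied capabilities present in mask.
func Retained(mask uint64, deny []string) []string {
	have := map[string]bool{}
	for _, n := range DecodeCaps(mask) {
		have[n] = true
	}
	var out []string
	for _, n := range deny {
		if have[n] {
			out = append(out, n)
		}
	}
	return out
}

// CheckStatus applies the deny list to both the effective and the bounding
// set: a capability missing from CapEff but still in CapBnd can be regained
// through a file-capability or setuid exec, so CapBnd is the one that matters.
func CheckStatus(status string, deny []string) (map[string][]string, error) {
	result := map[string][]string{}
	for _, field := range []string{"CapEff", "CapBnd"} {
		mask, err := ParseCapField(status, field)
		if err != nil {
			return nil, err
		}
		result[field] = Retained(mask, deny)
	}
	return result, nil
}

func main() {
	path := "/proc/self/status" // assumption: pass /proc/<qemu-pid>/status from inside the pod
	if len(os.Args) > 1 {
		path = os.Args[1]
	}
	data, err := os.ReadFile(path)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(2)
	}
	res, err := CheckStatus(string(data), []string{"CAP_NET_ADMIN", "CAP_NET_RAW"})
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(2)
	}
	for _, field := range []string{"CapEff", "CapBnd"} {
		fmt.Printf("%s still holds: %v\n", field, res[field])
	}
}
```

Run it against the status file of the qemu or libvirt process inside the pod (for example via `kubectl exec` into the virt-launcher pod, or from the node using the host PID). An empty result for CapBnd, not just CapEff, is the condition that shows the drop is real; the Docker-style default set in the sample still contains CAP_NET_RAW, which is exactly why it has to be dropped explicitly.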
Transcript: English (auto-generated)