2025-08-04, Firenze
Many Kubernetes security strategies rely on detection after the fact: scan the image, ship the pod, then react to alerts. This talk flips that model by focusing on prevention over response. We’ll show how Kyverno blocks dangerous workloads before they deploy, and how KubeArmor enforces runtime behavior to stop malicious actions as they happen. These tools run in real clusters, use simple YAML policies, and don’t require changes to your workloads or underlying infrastructure. We’ll focus on common misconfigurations — like containers running as root — and show how they enable attacks like privilege escalation, tooling installs, and container escape, even in clusters that appear secure.
Many teams still treat Kubernetes security like a post-deployment problem: detection tools, dashboards, and alert fatigue. But the most common threats — containers running as root, unrestricted installs, exposed host paths — start earlier, in the pod spec. By the time you're reacting, it's already too late.
This talk presents a hands-on alternative. Using a controlled Kubernetes environment, we’ll demonstrate how Kyverno and KubeArmor — two well-supported open source tools — can block insecure workloads before they run and prevent malicious behavior during runtime. Kyverno enforces policy at admission, stopping bad configurations before they reach the cluster. KubeArmor applies system-level controls after the container starts, closing Time-of-Check to Time-of-Use (TOCTOU) gaps that traditional tools miss. Together, they prevent the kinds of activity that detection tools only alert on — after exploitation has already begun.
These aren’t abstract controls. They work today, in real clusters, with policies defined in human-readable YAML and managed in Git — no rewrites, no platform overhaul.
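To make the two enforcement points concrete, here is an added example (not part of the talk or of either project's own samples) of what the policies look like: a Kyverno ClusterPolicy that rejects at admission any Pod that does not declare `runAsNonRoot: true`, and a KubeArmor policy that blocks package-manager binaries at runtime so tooling installs fail even inside a container that was already running. The `app: web` label, the `default` namespace and the list of binary paths are assumptions chosen for illustration.

```yaml
# Admission time: Kyverno refuses Pods that may run as root.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-run-as-nonroot
spec:
  validationFailureAction: Enforce   # reject, not just report
  background: true                   # also flag existing Pods in reports
  rules:
    - name: run-as-non-root
      match:
        any:
          - resources:
              kinds:
                - Pod
      validate:
        message: "Running as root is not allowed: set securityContext.runAsNonRoot: true."
        # Either the pod-level securityContext or every container must opt out of root.
        anyPattern:
          - spec:
              securityContext:
                runAsNonRoot: "true"
          - spec:
              containers:
                - securityContext:
                    runAsNonRoot: "true"
---
# Runtime: KubeArmor blocks package managers in the selected workloads
# (label and paths are assumed values for this example).
apiVersion: security.kubearmor.com/v1
kind: KubeArmorPolicy
metadata:
  name: block-package-managers
  namespace: default
spec:
  severity: 5
  selector:
    matchLabels:
      app: web
  process:
    matchPaths:
      - path: /usr/bin/apt
      - path: /usr/bin/apt-get
      - path: /sbin/apk
      - path: /usr/bin/pip
  action: Block
```

A Pod without `runAsNonRoot: true` is rejected by the API server with the policy message, while an `apt-get install` attempted in a running `app: web` container is denied by the LSM and logged by KubeArmor as a blocked process event.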
This talk covers:
- Why “detection as protection” doesn’t hold up
- What runtime security really looks like in Kubernetes
- How public containers and default chart configs quietly open the door
- How Kyverno and KubeArmor make actual enforcement simple and scalable
This talk assumes light Kubernetes familiarity and is designed to equip, not overwhelm. Kyverno and KubeArmor aren’t the full solution, but they fill the enforcement gap that often gets ignored.
Matt Brown is a solutions architect at Sysdig, with a background spanning AppSec, IAM, and cloud runtime security. He’s currently focused on securing Kubernetes environments using open source tools that favor prevention over post-incident analysis. A lover of all things open source — from dev to cloud — he’s passionate about making security approachable and effective, especially for teams without enterprise budgets or armies of engineers.