TROOPERS26 Call for Paper

Lorin Lehawany

Lorin is a security analyst specializing in penetration testing, with a focus on cloud and Kubernetes security. At ERNW GmbH, she assesses and improves the security of infrastructures for many companies in Germany. She is also an active member of the BlackHoodie community, where she regularly organizes events, mentors newcomers, and delivers workshops on Kubernetes security, supporting hands-on security education and fostering inclusion in tech. Lorin has published several critical vulnerabilities in enterprise cloud software, including Broadcom VMware products.


Session

06-24
14:15
60min
How To Break Multi-Tenancy Again and Again in Kubernetes ...and What We Can Learn From It
Sven Nobis, Lorin Lehawany

Implementing Kubernetes namespace-based multi-tenancy is challenging, and its isolation is generally considered weaker than control-plane isolation (one cluster per tenant). That is why the latter is often recommended ... but is it also implemented? Not really: workloads such as machine learning platforms, CI pipelines, and scripting capabilities are increasingly common in enterprise environments, and they quietly introduce multi-tenancy into clusters that were never designed for it.

So the question is: How can we securely isolate those workloads from each other? Pod Security Standards, Network Policies, and Admission Controls are well adopted, but are they sufficient?

The answer is no – this talk presents new vulnerabilities and real-world exploits in Kubeflow, Istio, and Traefik that violate trust boundaries between namespaces and workloads.

We will discuss these vulnerabilities in detail, together with the underlying conditions and root causes that render them exploitable.

Based on these examples, we will present a methodology for assessing complex environments with isolation problems and provide guidance on mitigating these issues.
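The abstract asks whether Network Policies and similar controls are sufficient for namespace isolation, and promises a methodology for assessing clusters with isolation problems. As an added example, not part of the talk or the speakers' material, the script below shows the kind of first pass such an assessment starts from: it audits NetworkPolicy objects (as plain dicts shaped like the Kubernetes API, the format `kubectl get networkpolicies,namespaces -A -o json` returns) and reports, per namespace, whether every pod is selected for ingress and egress, plus allow rules that reach across the tenant boundary. The namespaces, policy names, and the one-tenant-per-namespace assumption are constructed for the example.

```python
"""Audit Kubernetes NetworkPolicies for namespace (tenant) isolation gaps.

Added example for this talk listing; it is not the speakers' tooling or
methodology. Input is plain dicts shaped like the Kubernetes API objects, so
it runs offline on the constructed sample at the bottom. Assumption: one
tenant per namespace, so a namespace counts as isolated in a direction only
when a policy that selects every pod in it covers that direction.
"""
from typing import Dict, List


def selects_all(selector) -> bool:
    """An empty label selector ({} or null) matches everything."""
    selector = selector or {}
    return not selector.get("matchLabels") and not selector.get("matchExpressions")


def policy_types(spec: dict) -> List[str]:
    """policyTypes as Kubernetes interprets it: when omitted, Ingress is always
    set and Egress is set only if the policy carries any egress rules."""
    if "policyTypes" in spec:
        return list(spec["policyTypes"])
    return ["Ingress"] + (["Egress"] if spec.get("egress") else [])


def isolates(policy: dict, direction: str) -> bool:
    """True if `policy` selects every pod in its namespace and lists
    `direction` ("Ingress" / "Egress") in policyTypes. Once a pod is selected
    for a direction, traffic in that direction not explicitly allowed by some
    policy is dropped; pods selected by no policy accept everything."""
    spec = policy.get("spec", {})
    return selects_all(spec.get("podSelector")) and direction in policy_types(spec)


def broad_peers(policy: dict) -> List[str]:
    """Findings for allow rules that reach across the tenant boundary."""
    spec = policy.get("spec", {})
    name = f'{policy["metadata"]["namespace"]}/{policy["metadata"]["name"]}'
    out: List[str] = []
    for direction, peer_key in (("ingress", "from"), ("egress", "to")):
        for rule in spec.get(direction) or []:
            peers = rule.get(peer_key)
            if not peers:  # a rule without from/to allows every peer
                out.append(f"{name}: {direction} rule with no '{peer_key}' allows all peers")
                continue
            for peer in peers:
                if "namespaceSelector" in peer and selects_all(peer["namespaceSelector"]):
                    # {} matches every namespace; combined with a podSelector it is
                    # satisfied by any tenant that can label its own pods
                    out.append(f"{name}: {direction} peer namespaceSelector {{}} "
                               "matches every namespace")
                cidr = peer.get("ipBlock", {}).get("cidr")
                if cidr in ("0.0.0.0/0", "::/0"):
                    out.append(f"{name}: {direction} peer ipBlock {cidr} allows all addresses")
    return out


def audit(namespaces: List[dict], policies: List[dict]) -> Dict[str, dict]:
    """Per namespace: isolation status for each direction and review findings."""
    blank = lambda: {"isolated_ingress": False, "isolated_egress": False, "findings": []}
    report = {ns["metadata"]["name"]: blank() for ns in namespaces}
    for pol in policies:
        entry = report.setdefault(pol["metadata"]["namespace"], blank())
        entry["isolated_ingress"] |= isolates(pol, "Ingress")
        entry["isolated_egress"] |= isolates(pol, "Egress")
        entry["findings"].extend(broad_peers(pol))
    for ns, entry in report.items():
        for direction in ("ingress", "egress"):
            if not entry[f"isolated_{direction}"]:
                entry["findings"].append(
                    f"{ns}: no policy selects all pods for {direction}; "
                    f"{direction} is unrestricted for unselected pods")
    return report


# Constructed sample, not taken from any real cluster.
SAMPLE_NAMESPACES = [{"metadata": {"name": n}} for n in ("tenant-a", "tenant-b", "ml-pipelines")]
SAMPLE_POLICIES = [
    # tenant-a: default-deny in both directions
    {"metadata": {"name": "default-deny", "namespace": "tenant-a"},
     "spec": {"podSelector": {}, "policyTypes": ["Ingress", "Egress"]}},
    # tenant-b: ingress denied, but nothing restricts egress to other tenants
    {"metadata": {"name": "deny-ingress", "namespace": "tenant-b"},
     "spec": {"podSelector": {}, "policyTypes": ["Ingress"]}},
    # ml-pipelines: meant to admit the gateway only, but namespaceSelector {}
    # matches every namespace, so any pod labelled app=gateway anywhere gets in
    {"metadata": {"name": "allow-gateway", "namespace": "ml-pipelines"},
     "spec": {"podSelector": {}, "policyTypes": ["Ingress", "Egress"],
              "ingress": [{"from": [{"namespaceSelector": {},
                                     "podSelector": {"matchLabels": {"app": "gateway"}}}]}]}},
]

if __name__ == "__main__":
    for ns, entry in audit(SAMPLE_NAMESPACES, SAMPLE_POLICIES).items():
        print(ns, "ingress:", entry["isolated_ingress"], "egress:", entry["isolated_egress"])
        for finding in entry["findings"]:
            print("  -", finding)
```

The checker encodes two Kubernetes semantics that are easy to get wrong by inspection: a pod selected by no policy in a direction accepts all traffic in that direction, and an empty `namespaceSelector` matches every namespace in the cluster rather than the policy's own. It says nothing about the application-layer paths (service meshes, ingress controllers, ML platform components) that the talk targets, which is exactly the gap a network-policy audit alone leaves open.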

Defense & Management
Track 3