TROOPERS26 Call for Paper

Sven Nobis

Sven is a senior security researcher and analyst at ERNW. He has worked in IT for more than 15 years and specializes in cloud security. His daily work includes security assessments, red teaming, training, and consulting for European Fortune 100 companies. Before joining IT security he was a professional developer, and he continues to use that background to improve security by sharing knowledge and contributing to open-source projects from time to time. Sven has published several critical vulnerabilities in enterprise cloud software, such as Broadcom's VMware products.


Session

06-24
14:15
60min
How To Break Multi-Tenancy Again and Again in Kubernetes ...and What We Can Learn From It
Sven Nobis, Lorin Lehawany

Namespace-based multi-tenancy in Kubernetes is hard to get right, and its isolation is generally considered weaker than control-plane isolation (one cluster per tenant). That is why the latter is often recommended. Is it also implemented? Rarely: workloads such as machine learning platforms, pipelines, and scripting capabilities are increasingly common in enterprise clusters, and they introduce multi-tenancy into clusters that were never designed for it, often without anyone noticing.

So the question is: How can we securely isolate those workloads from each other? Pod Security Standards, Network Policies, and Admission Controls are well adopted, but are they sufficient?

The answer is no – this talk presents new vulnerabilities and real-world exploits in Kubeflow, Istio, and Traefik that violate trust boundaries between namespaces and workloads.

We will discuss these vulnerabilities in detail, together with the underlying conditions and root causes that render them exploitable.

Based on these examples, we will present a methodology for assessing complex environments with isolation problems and provide guidance on mitigating these issues.

Defense & Management
Track 3