Community post by Marco De Benedictis
The inaugural stand-alone CloudNativeSecurityCon North America was a slightly different event from the previous pre-KubeCon + CloudNativeCon instances. The cloud native security community came together from across the development and engineering spectrum to play the Capture the Flag (CTF) games and unify their understanding of cloud native systems and configurations from either side of the great security divide — which the event’s primary focus is to close!
The intention of these CTF games is to level the playing field for non-security engineers and seasoned practitioners alike, giving attendees a safe space in which to learn and develop their cloud native security skills so they have practical experience that they can take back to their day jobs.
To this end, the CTF infrastructure is as real as it can get — clusters are spun up in dedicated, isolated accounts and configured to as production-like a standard as possible. This focus on real-world infrastructure, configurations, and scenarios helps bring a sense of urgency to the CTF events that is incomparable to playing on a local VM.
Behind the scenes, the CTF event was powered by a gargantuan set of 2,500 nodes running multiple Kubernetes clusters, so that the day-long Cloud Native Capture the Flag could provision infrastructure directly to players. And, as ever, the event featured the CNCF’s archetypal 8-bit adversary, Dread Pirate Captain Hashjack!
Conference attendees, with the support of the organization and event volunteers, were able to complete the designated challenges in the pursuit of retrieving flags, connect and apply what they were learning from the event talk sessions, and gain practical skills to be even sharper security practitioners.
As the great Sun Tzu was continually misquoted as saying, “Scenarios define the game, strategy wins it” — and our scenarios were generated by the ControlPlane Offensive Security and Engineering team: battle-hardened practitioners of the Kubernetes and cloud native security space.
There was spectacular engagement from all the attendees, who battled furiously against the intentionally confusing and often trifurcated paths of deviantly stupefying container and cluster optionality, ranging from container escape to multi-staged privilege escalation, with superficial admin misconfiguration in between. It’s a testament to the interest and curiosity of those in the room that almost everybody made it through the scenarios they attempted, and there were many that made it all the way to the end of the final triple-flagged flummoxing feature!
The tally was 27 teams in participation for a total of 69 flags captured. Congratulations to Mohit Gupta from WithSecure, who stood out by blazing solo through the challenges at an astonishing speed, capturing 7 flags in record time.
Kudos to all other participants who played, including Greg Castle and the GKE security team, Jay Beale (who runs the DEFCON K8s CTF with InGuardians), and Isovalent Field CTO Duffie Cooley, long-time collaborator and teacher to players of the game.
The organization is pleased that participants enjoyed the event and had fun while learning. CNCF will continue to sponsor and host Capture the Flag games at the Security Village at KubeCon + CloudNativeCon Europe and North America.