Build Systems that Drive Business
June 11–12, 2018: Training
June 12–14, 2018: Tutorials & Conference
San Jose, CA

How to reduce the attack surface of your container workloads

Cynthia Thomas (Google)
4:35pm–5:15pm Thursday, June 14, 2018
Location: LL21 E/F
Level: Intermediate
Secondary topics: Resilient, Performant & Secure Distributed Systems

Prerequisite knowledge

  • A basic understanding of networking and security
  • Familiarity with container orchestration platforms like Kubernetes (useful but not required)

What you'll learn

  • Explore traditional firewall methods and the evolution of the distributed security model to enforce least privilege for microservices


Modern microservices architectures divvy up application functions into individual services and expose them via APIs using protocols such as HTTP/REST, gRPC, or Kafka. The rise of container-based orchestration platforms, such as Kubernetes, is creating demand for routing, load balancing, and security infrastructure that is highly scalable, application aware, and resilient. At the same time, BPF (the Berkeley Packet Filter) is becoming the fastest-growing technology in the Linux kernel and is revolutionizing networking, security, and tracing.

What was done for security before microservices is no longer sufficient. The firewall is dead, and there’s a new norm for the modern world: security needs to be distributed and to enforce least privilege for pod-to-pod traffic in the container world.

While navigating from an architectural design to the lab and eventually production, it is important to understand the pain points and gaps of traditional firewall methods when exposing services via APIs in microservices architectures. Cynthia Thomas outlines traditional firewall methods and details the evolution of the distributed security model to enforce least privilege for microservices.

Cynthia Thomas


Cynthia Thomas is a Networking Specialist at Google Cloud. She has spent 10+ years in the networking industry, most recently with open source cloud and networking solutions. Cynthia has been an advocate of open source technologies while working on cloud-related technologies for the last 5 years. She is a frequent speaker at conferences, including DevOpsDays, DockerCon, Kubernetes meetups, and OpenStack events.