June 4, 2025 at 7:13 PM • Max Knyazev (Telegram mirror)

And here is the promised post
😮
Yesterday I visited BACON, Luntry's container security conference. There were 10 reports plus one secret one, a lot of technical revelations, and in the evening a speaker party with a Kubernetes quiz and an alcohol casino. I'll tell you how it was (as concisely and to the point as possible, but with links to the presentations, because I don't want to write a longread, and the post won't contain everything)
🏋️♀️
Report No. 1
It all started with a report from Dmitry Evdokimov (the organizer of the event, by the way). He gave a slap in the face to everyone who believes in kubectl get all, forgets about allowPrivilegeEscalation and thinks that the default service account is safe. After this report, I immediately wanted to open all my manifests and start an audit 😵‍💫
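A pod spec illustrating the three points from this report, the weak defaults beside the hardened form. This is an added example, not material from the talk; the pod, service account and image names are assumed.

```yaml
# Constructed example, not from the talk.
# Note: `kubectl get all` does not list Secrets, ConfigMaps, ServiceAccounts, Roles,
# RoleBindings or NetworkPolicies, so an audit based on it misses exactly those objects.
---
apiVersion: v1
kind: Pod
metadata:
  name: app-weak                        # assumed name
spec:
  # No serviceAccountName: the pod runs as the namespace's "default" service account,
  # and its token is auto-mounted at /var/run/secrets/kubernetes.io/serviceaccount
  containers:
    - name: app
      image: registry.example/app:1.0   # placeholder image
      # securityContext omitted: allowPrivilegeEscalation defaults to true,
      # so a setuid binary or file capability in the image can gain privileges
---
apiVersion: v1
kind: Pod
metadata:
  name: app-hardened                    # assumed name
spec:
  serviceAccountName: app-sa            # dedicated SA with only the RBAC it needs
  automountServiceAccountToken: false   # no API token unless the app really talks to the API
  securityContext:
    runAsNonRoot: true
    seccompProfile:
      type: RuntimeDefault
  containers:
    - name: app
      image: registry.example/app:1.0   # placeholder image
      securityContext:
        allowPrivilegeEscalation: false # sets no_new_privs; blocks setuid/capability escalation
        capabilities:
          drop: ["ALL"]
        readOnlyRootFilesystem: true
```

To find pods that still rely on the weak default, list those with any container not explicitly set to `allowPrivilegeEscalation: false`: `kubectl get pods -A -o json | jq -r '.items[] | select(any(.spec.containers[]; .securityContext.allowPrivilegeEscalation != false)) | .metadata.namespace + "/" + .metadata.name'`.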
Report No. 2
Next, Evgeny Berendyaev from Avito told how to make friends with Kyverno in production and not die. Argo, AppSets, their own CI for policies, load testing: a cool engineering approach. If you already have Kyverno, check out this report
👨💻
Report No. 3
Anton Baranov from Astra went deep into Cilium and eBPF, figuring out how to filter traffic by access levels according to GOST. It was difficult, but powerful. This is an example of customizing network policy at the kernel level. And why do we need fallbacks for this?
(link: astra_mac_level)
💪
Report No. 4
Almir Sarvarov from DOM.RF reminded everyone that not all security is beneficial. He went through KSPP and CIS Benchmark and showed how you can kill rootless containers, observability and everything else with the best intentions. A very sobering report.
🍷
Report No. 5
Dmitry Rybalka spoke about Talos Linux. Without SSH, without bash, without crutches: simply talosctl. A minimalistic, API-centric distribution
🤓
Report No. 6
Mikhail Kozhukhovsky from Flowmaster gave a presentation for the paranoid: how to build images without undermining CI. He compared Kaniko, Buildah, BuildKit, Ko and Jib, showed how to escape from chroot, and reminded everyone that Docker in CI is not ok
🤔
Report No. 7
Andrey Slepykh from the Phobos-NT Scientific and Technical Center competently went through the FSTEC requirements: how a containerization tool differs from a containerized tool, how to describe an SBOM, how to do an inventory and not be denied certification. Very useful even if FSTEC does not apply to you, just to understand where everything is heading
👐
Report No. 8
Kairzhan Aubekerov from MTS covered the topic of control-plane isolation in Kubernetes. He analyzed the Hosted Control Plane architecture and compared k0smotron, HyperShift and Kamaji. Spoiler: MTS has gone its own way and is making its own kubeadm provider
💥
Report No. 9
Then there was a report about Workload Identity Federation, the case when you finally understand how to do without secrets.yaml. Difficult, but very cool: Kubernetes pods receiving secrets from Yandex Lockbox without a single stored key. Projected tokens, OpenID and other magic
✨
Report No. 10
The finale was Nikolai Panchenko from T-Bank with a security checklist for ML clusters: GPU, Kubeflow, Ray, fake device plugins, dynamic resource allocation. A very unusual and rich report at the intersection of MLOps and security
🤯
Secret report
And then there was a secret report. About a zero-day and a CTF task. About a vulnerability that has not yet been published. We promised the entire audience that we would not tell anything. So... we won't tell anything. But it was strong
🤝
And of course, the SpeakerParty
😎
We gathered on the roof, where we sat on comfortable bean bags. There were lots of different snacks, alcohol and even hookahs. We had a Kubernetes quiz. There was an alcohol casino: you had to guess the composition of a cocktail by taste and place bets, like roulette but with liqueur and gin. And also live communication. Lots of communication. With colleagues and like-minded people. And all this in a relaxed atmosphere and with a slight brain overload from information
😍
The conference turned out to be intimate and very warm, but at the same time eventful. BACON is one you want to come back to next year. Even if you are not invited, you will still come
🌝
#information_security #bacon #luntry