Add a short blurb about wek8s and security

k8s/malicious-pod.yaml

@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: malicious
+spec:
+  volumes:
+  - name: slash
+    hostPath:
+      path: /
+  containers:
+  - image: alpine
+    name: alpine
+    securityContext:
+      privileged: true
+    command:
+    - sleep
+    - "1000000000"
+    volumeMounts:
+    - name: slash
+      mountPath: /hostfs
+  restartPolicy: Never

slides/wek8s/security.md

@@ -0,0 +1,19 @@
+## Security in the context of wek8s
+
+- The wek8s dev clusters have permissive policies
+
+  (so that we can easily experiment and try things)
+
+- This means that we need to be particularly careful about unknown sources
+
+- Check the provenance of images, YAML bundles, Helm Charts, etc.:
+
+  - does it come from the website / documentation / repository of a trusted vendor?
+
+  - is it maintained; how often does it get updates?
+
+- For images:
+
+  - is the source (Dockerfile or otherwise) available?
+
+  - are they checked by an automated vulnerability scanner?

slides/wwrk.yml

@@ -100,6 +100,7 @@ chapters:
   - k8s/localkubeconfig.md
   - k8s/accessinternal.md
   - k8s/dashboard.md
+  - wek8s/security.md
   - k8s/healthchecks.md
   - k8s/helm.md
   - k8s/create-chart.md