2018-014- Container Security with Jay Beale


Container security

Jay Beale (@inguardians, @jaybeale)

Containers

• What the heck is a container?
    • Linux distribution with a kernel
    • Containers run on top of that, sharing the kernel, but not the filesystem
    • Namespaces
        • Mount
        • Network
        • Hostname
        • PID
        • IPC
        • Users
    • Somebody said we’ve had containers since before Docker
    • Containers started in 2005, with OpenVZ
    • Docker was 2013, Kubernetes 2014

• Image Security
    • CoreOS Clair for vuln scanning images
    • Public repos vs private
    • Don’t keep the image running for so long?
    • Don’t run as root

• More Containment stuff
    • Non-privileged containers
    • Remap the users, so root in the container isn’t root outside
    • Drop root capabilities
    • Seccomp for kernel syscalls
    • AppArmor or SELinux

• All of the above is about Docker; what about Kubernetes?
    • Get onto the most recent version of K8S: 1.7 and 1.8 brought big security improvements
    • Network policy (egress firewalls)
    • RBAC (define which users and service accounts can do what)
    • Use namespaces per tenant and think hard about multi-tenancy
    • Use the CIS guides for lockdown of K8S and the host
    • Kube-bench
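The containment and Kubernetes notes above, pulled together into one manifest as an added example (not from the episode or from Jay Beale): a Pod that runs as non-root, drops all capabilities, uses the runtime's default seccomp profile and a private registry image, plus a default-deny NetworkPolicy for a per-tenant namespace that only allows DNS egress. The names (hardened-app, demo-tenant, registry.example.internal, the k8s-app=kube-dns label) are illustrative placeholders, and the seccompProfile field needs Kubernetes 1.19 or later, well past the 1.7/1.8 releases mentioned in the notes.

```yaml
# Hardened Pod: non-root, no added capabilities, default seccomp filter,
# no privilege escalation, read-only root filesystem.
# All names below are placeholders chosen for this example.
apiVersion: v1
kind: Pod
metadata:
  name: hardened-app
  namespace: demo-tenant            # one namespace per tenant
spec:
  securityContext:
    runAsNonRoot: true              # "Don't run as root"
    runAsUser: 10001
    seccompProfile:
      type: RuntimeDefault          # seccomp: runtime's default syscall allowlist
  containers:
  - name: app
    image: registry.example.internal/app:1.0   # private registry, not a public repo
    securityContext:
      allowPrivilegeEscalation: false
      readOnlyRootFilesystem: true
      capabilities:
        drop: ["ALL"]               # drop root capabilities
---
# Default-deny NetworkPolicy for the tenant namespace ("egress firewall"):
# all ingress and egress is blocked except UDP/53 to the cluster DNS pods.
# Anything else the app needs must be opened with an explicit rule.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny
  namespace: demo-tenant
spec:
  podSelector: {}                   # applies to every pod in the namespace
  policyTypes: ["Ingress", "Egress"]
  egress:
  - to:
    - namespaceSelector: {}         # any namespace ...
      podSelector:
        matchLabels:
          k8s-app: kube-dns         # ... but only the DNS pods (label assumed)
    ports:
    - protocol: UDP
      port: 53
```

Apply with kubectl apply -f and confirm the policy is enforced with a CNI plugin that implements NetworkPolicy; without one the policy is accepted but has no effect.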

Difference between containers and sandboxing


Roll your own:

    Containers

        Using public registries leaves you vulnerable

        Use your own private repos for deploying containers


Reduce attack surface

Reduce user access


Automation will allow more security to get baked in.


S3 buckets / Azure Blobs


Join our #Slack Channel! Email us at bds.podcast@gmail.com

or DM us on Twitter @brakesec
