How Aqua runs its own security service in gcloud using Kubernetes. Was presented at Seattle Kubernetes meetup (http://www.meetup.com/Seattle-Kubernetes-Meetup/events/231348751/)
Running a security service in gcloud
1. Copyright © 2016 Aqua Security Software Ltd. All Rights Reserved.
Running a Security Service in gcloud
Michael Cherny, Head of Research
2.
WHO AM I
Head of Security Research at Aqua Security, a leader in container security
20 years of building security products, development and research
Held senior security research positions at Microsoft, Aorato and Imperva
Presented at security conferences, among them BlackHat Europe, RSA Europe and Virus Bulletin
3.
PEEKR
Scans for known vulnerabilities (CVEs)
Profiles container activities on host and network
Automatically runs the image and checks it against malicious behaviors
Highlights suspicious container behavior
Free (no credit card needed for registration)
https://peekr.aquasec.com
5.
YOU WERE SAYING...
Automatically runs the image and checks it against malicious behaviors
Meaning we are running arbitrary, unknown containers on our infrastructure
Every time we consulted people and organizations, we got the same response...
12.
OVERALL SECURITY
Log everything
Use kubectl to access containers, so that ssh access to the hosts can be limited
Apply resource quotas and limits with Kubernetes namespaces
Network segregation through Kubernetes clusters
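One way to express "resource quotas and limits with Kubernetes namespaces" as concrete objects, added here as an example and not taken from the slides or from Aqua's own setup: a namespace for the containers under analysis, a ResourceQuota that caps the namespace as a whole, and a LimitRange that gives every container default and maximum requests and limits. The namespace name "scanner" and all the numbers are assumptions.

```shell
#!/bin/sh
# Added example, not from the slides or Aqua's own setup: a namespace for the
# containers under analysis, with a ResourceQuota capping the namespace as a
# whole and a LimitRange giving every container default and maximum
# requests/limits. The namespace name and all numbers are assumptions.

# Emit the three manifests for the namespace named in $1.
quota_manifest() {
  ns="$1"
  cat <<EOF
apiVersion: v1
kind: Namespace
metadata:
  name: $ns
---
apiVersion: v1
kind: ResourceQuota
metadata:
  name: $ns-quota
  namespace: $ns
spec:
  hard:
    pods: "20"
    requests.cpu: "4"
    requests.memory: 8Gi
    limits.cpu: "8"
    limits.memory: 16Gi
---
apiVersion: v1
kind: LimitRange
metadata:
  name: $ns-limits
  namespace: $ns
spec:
  limits:
  - type: Container
    default:
      cpu: 500m
      memory: 512Mi
    defaultRequest:
      cpu: 100m
      memory: 128Mi
    max:
      cpu: "2"
      memory: 2Gi
EOF
}

# Number of objects in the manifest, one per "kind:" line; a cheap sanity check
# before piping the output into kubectl.
manifest_object_count() {
  quota_manifest "$1" | grep -c '^kind:'
}

# "sh quota.sh apply" applies the manifests; with no argument it only prints them.
if [ "${1:-}" = apply ]; then
  quota_manifest scanner | kubectl apply -f -
else
  quota_manifest scanner
fi
```

Once a ResourceQuota names requests.cpu or requests.memory, the API server rejects any pod in that namespace that omits those requests; the LimitRange defaults fill them in, so a pod spec that says nothing about resources is still admitted but bounded, and a pod asking for more than the LimitRange max is refused outright.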
13.
PROTECTING AGAINST MALICIOUS CONTAINERS
Local
Run unprivileged
Run with user namespaces
Container data (volumes) on a separate partition
Aqua
Network
Deny network access
No internet access to the backend cluster
Communication between clusters is limited to the absolute minimum
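The "Local" and "Network" controls above, written out as docker run options so an unknown image can be executed for profiling without reaching the host or the network. This is an added example, not the slides' or Aqua's own tooling; the uid, the resource limits, the tmpfs size and the image name are assumptions. User namespaces are a daemon-side setting (dockerd --userns-remap), so they appear only as a comment.

```shell
#!/bin/sh
# Added example, not from the slides or Aqua's own tooling: the "Local" and
# "Network" controls expressed as docker run options. The uid, limits and image
# name are assumptions. User namespaces are enabled on the daemon, not per run:
#   dockerd --userns-remap=default    # root inside the container maps to an unprivileged host uid

# Print the options used to run an untrusted image in a disposable sandbox:
#   --user 65534:65534        run unprivileged (nobody) even if the image says USER root
#   --cap-drop ALL            no capabilities at all; nothing in a scan needs them
#   --security-opt no-new-privileges   setuid binaries in the image cannot regain privilege
#   --read-only + --tmpfs     image filesystem is immutable, scratch space is a small noexec tmpfs
#   --network none            deny network access entirely
#   --pids-limit, --memory, --cpu-quota   bound process count, memory and CPU for the profiling run
hardened_run_args() {
  image="$1"
  set -- \
    --rm \
    --user 65534:65534 \
    --cap-drop ALL \
    --security-opt no-new-privileges \
    --read-only \
    --tmpfs /tmp:rw,noexec,nosuid,size=64m \
    --network none \
    --pids-limit 100 \
    --memory 512m --memory-swap 512m \
    --cpu-quota 100000 \
    "$image"
  printf '%s ' "$@"
  printf '\n'
}

# Guard against an option that would defeat the sandbox being added later.
# Only the single-token forms are checked (e.g. --network=host, not "--network host").
reject_unsafe_options() {
  for opt in "$@"; do
    case "$opt" in
      --privileged|--cap-add|--cap-add=*|--pid=host|--userns=host|--network=host|--net=host)
        echo "refusing to run: $opt defeats the sandbox" >&2
        return 1 ;;
    esac
  done
  return 0
}

# "sh sandbox.sh run IMAGE" runs the container; with no argument it prints the options.
if [ "${1:-}" = run ] && command -v docker >/dev/null 2>&1; then
  args=$(hardened_run_args "$2")
  # $args is intentionally unquoted so each option becomes its own argument.
  reject_unsafe_options $args && docker run $args
else
  hardened_run_args "${2:-example.invalid/untrusted:1}"
fi
```

The volume-on-a-separate-partition control from the slide is a host setting rather than a run option: point the daemon's data root at its own partition so a container that fills its writable layer or a volume cannot fill the host's root filesystem.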
15.
FORK BOMB PROTECTION
nproc
ulimit -u 100
Limit per user per session
Can be set either for the docker daemon or per container
Not enforced for root
PID cgroup
Future: kernel 4.3
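How the two mechanisms on this slide behave, as an added example that is not part of the deck: RLIMIT_NPROC (ulimit -u) is inherited by every process the limited shell forks and is keyed on the uid, which is why it does nothing for root and why two containers running as the same uid share one counter; the PID cgroup counts tasks per cgroup and is enforced for root as well. The script assumes a POSIX shell whose ulimit supports -u (bash and dash do), a non-root user for the limit to bite, and the standard /sys/fs/cgroup and /proc/self/cgroup layouts.

```shell
#!/bin/sh
# Added example, not from the slides: how RLIMIT_NPROC (ulimit -u) behaves and
# where it is set for Docker, plus a look at the PID cgroup ceiling where the
# kernel exposes one. Assumes a shell whose ulimit supports -u (bash, dash).

# Lower the soft nproc limit to $1 in a child shell and print what that child
# sees. Everything the child forks inherits the limit, and fork() fails with
# EAGAIN once the user's process count reaches it; that is what stops a fork
# bomb. Root is exempt from RLIMIT_NPROC, so this is a no-op for uid 0.
effective_nproc_limit() {
  ( ulimit -S -u "$1" 2>/dev/null && ulimit -S -u )
}

# The limit is per user across the whole host, not per container: containers
# running as the same uid share one counter. Report the uid it is keyed on.
limit_owner_uid() {
  id -u
}

# Kernel 4.3 adds the pids cgroup, which counts tasks per cgroup (root
# included). Resolve this process's cgroup from /proc/self/cgroup and print
# its pids.max, for cgroup v2 ("0::/path") or v1 ("N:pids:/path").
pids_cgroup_max() {
  v2=$(sed -n 's/^0::\(.*\)$/\1/p' /proc/self/cgroup 2>/dev/null)
  v1=$(sed -n 's/^[0-9]*:pids:\(.*\)$/\1/p' /proc/self/cgroup 2>/dev/null)
  if [ -n "$v2" ] && [ -r "/sys/fs/cgroup$v2/pids.max" ]; then
    cat "/sys/fs/cgroup$v2/pids.max"
  elif [ -n "$v1" ] && [ -r "/sys/fs/cgroup/pids$v1/pids.max" ]; then
    cat "/sys/fs/cgroup/pids$v1/pids.max"
  else
    echo unavailable   # root cgroup has no pids.max, or no pids controller
  fi
}

echo "nproc soft limit seen by a child shell after 'ulimit -u 100': $(effective_nproc_limit 100)"
echo "that limit is keyed on uid $(limit_owner_uid) (uid 0 is not limited)"
echo "pids cgroup ceiling for this process: $(pids_cgroup_max)"

# Where to set it for Docker (commands shown, not run here):
#   dockerd --default-ulimit nproc=100:100     # daemon-wide default for every container
#   docker run --ulimit nproc=100:100 IMAGE    # per container
#   docker run --pids-limit 100 IMAGE          # pids cgroup: Docker 1.11+, kernel 4.3+
```

Because the first two commands only set RLIMIT_NPROC, a container that runs as root is still unbounded with them; --pids-limit is the one that holds regardless of uid, which is the reason the slide points at the PID cgroup as the future answer.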