Successfully reported this slideshow.

Enabling Security via Container Runtimes

0

Share

Feb. 14, 2020
0 likes 698 views
Upcoming SlideShare
Extended and embedding: containerd update & project use cases
Extended and embedding: containerd update & project use cases
Loading in …3
×
1 of 16
1 of 16

Enabling Security via Container Runtimes

Feb. 14, 2020
0 likes 698 views

0

Share

Download to read offline

Software

A talk given at the Google-hosted Container Security Summit on Wednesday, February 12th, 2020 in Seattle, Washington. This talk covered the impact of work done at the lower-level runtimes layer and up through layers like cri-o, containerd, and Docker to bring specific security features to overall platforms like Kubernetes.

A talk given at the Google-hosted Container Security Summit on Wednesday, February 12th, 2020 in Seattle, Washington. This talk covered the impact of work done at the lower-level runtimes layer and up through layers like cri-o, containerd, and Docker to bring specific security features to overall platforms like Kubernetes.

Software

Recommended

More Related Content

Similar to Enabling Security via Container Runtimes

Open source security tools for Kubernetes.
Michael Ducy
OpenShift Meetup 8th july 2019 at ConSol - OpenShift v4
Robert Bohne
gVisor, Kata Containers, Firecracker, Docker: Who is Who in the Container Space?
ArangoDB Database
Tokyo OpenStack Summit 2015: Unraveling Docker Security
Phil Estes
Containers what are they, and why are they important v2.1
Derrick Wippler
Introduction to containers
Nitish Jadia
Unraveling Docker Security: Lessons From a Production Cloud
Salman Baset
containerd and CRI
Docker, Inc.
Linux containers-namespaces(Dec 2014)
Ralf Dannert
Lightweight Virtualization in Linux
Sadegh Dorri N.
Microservices, Containers and Docker
Ioannis Papapanagiotou
Java in containers
Martin Baez
#Include os - From bootloader to REST API with the new C++
IncludeOS
SW Docker Security
Stephane Woillez
Introduction to kubernetes
Gabriel Carro
Cmm vm 002
Lalit Panwar
WildFly v9 - State of the Union Session at Voxxed, Istanbul, May/9th 2015.
Dimitris Andreadis
Three Degrees of Mediation: Challenges and Lessons in building Cloud-agnostic...
Alex Maclinovsky
April 2016 HUG: The latest of Apache Hadoop YARN and running your docker apps...
Yahoo Developer Network
Chromium Sandbox on Linux (NDC Security 2019)
Patricia Aas

More from Phil Estes

Cloud Native TLV Meetup: Securing Containerized Applications Primer
Phil Estes
Securing Containerized Applications: A Primer
Phil Estes
Securing Containerized Applications: A Primer
Phil Estes
CraftConf 2019: CRI Runtimes Deep Dive: Who Is Running My Pod?
Phil Estes
JAX Con 2019: Containers. Microservices. Cloud. Open Source. Fantasy or Reali...
Phil Estes
Giving Back to Upstream | DockerCon 2019
Phil Estes
What's Running My Containers? A review of runtimes and standards.
Phil Estes
Docker London Meetup: Docker Engine Evolution
Phil Estes
FOSDEM 2019: A containerd Project Update
Phil Estes
CRI Runtimes Deep-Dive: Who's Running My Pod!?
Phil Estes
Docker Athens: Docker Engine Evolution & Containerd Use Cases
Phil Estes
It's 2018. Are My Containers Secure Yet!?
Phil Estes
Docker Engine Evolution: From Monolith to Discrete Components
Phil Estes
An Open Source Story: Open Containers & Open Communities
Phil Estes
Whose Job Is It Anyway? Kubernetes, CRI, & Container Runtimes
Phil Estes
Containerd Project Update: FOSDEM 2018
Phil Estes
Embedding Containerd For Fun and Profit
Phil Estes
Bucketbench: Benchmarking Container Runtime Performance
Phil Estes
Containerd Internals: Building a Core Container Runtime
Phil Estes
Container Runtimes: Comparing and Contrasting Today's Engines
Phil Estes

Featured

What to Upload to SlideShare
SlideShare
Be A Great Product Leader (Amplify, Oct 2019)
Adam Nash
Trillion Dollar Coach Book (Bill Campbell)
Eric Schmidt
APIdays Paris 2019 - Innovation @ scale, APIs as Digital Factories' New Machi...
apidays
A few thoughts on work life-balance
Wim Vanderbauwhede
Is vc still a thing final
Mark Suster
The GaryVee Content Model
Gary Vaynerchuk
Mammalian Brain Chemistry Explains Everything
Loretta Breuning, PhD
Blockchain + AI + Crypto Economics Are We Creating a Code Tsunami?
Dinis Guarda
The AI Rush
Jean-Baptiste Dumont
AI and Machine Learning Demystified by Carol Smith at Midwest UX 2017
Carol Smith
10 facts about jobs in the future
Pew Research Center's Internet & American Life Project
Harry Surden - Artificial Intelligence and Law Overview
Harry Surden
Inside Google's Numbers in 2017
Rand Fishkin
Pinot: Realtime Distributed OLAP datastore
Kishore Gopalakrishna
How to Become a Thought Leader in Your Niche
Leslie Samuel
Visual Design with Data
Seth Familian
Designing Teams for Emerging Challenges
Aaron Irizarry
UX, ethnography and possibilities: for Libraries, Museums and Archives
Ned Potter
Winners and Losers - All the (Russian) President's Men
Ian Bremmer

Related Books

Free with a 14 day trial from Scribd

See all
The Impulse Economy: Understanding Mobile Shoppers and What Makes Them Buy Gary Schwartz
(4.5/5)
Free
Tubes: A Journey to the Center of the Internet Andrew Blum
(4/5)
Free
Emergence: The Connected Lives of Ants, Brains, Cities, and Software Steven Johnson
(4.5/5)
Free
World Wide Mind: The Coming Integration of Humanity, Machines, and the Internet Michael Chorost
(4/5)
Free
An Army of Davids: How Markets and Technology Empower Ordinary People to Beat Big Media, Big Government, and Other Goliaths Glenn Reynolds
(4/5)
Free
In the Plex: How Google Thinks, Works, and Shapes Our Lives Steven Levy
(4.5/5)
Free
Hamlet's BlackBerry: A Practical Philosophy for Building a Good Life in the Digital Age William Powers
(4/5)
Free
The Thank You Economy Gary Vaynerchuk
(4/5)
Free
Talking Back to Facebook: The Common Sense Guide to Raising Kids in the Digital Age James P. Steyer
(4.5/5)
Free
The Nature of the Future: Dispatches from the Socialstructed World Marina Gorbis
(4/5)
Free
Public Parts: How Sharing in the Digital Age Improves the Way We Work and Live Jeff Jarvis
(3.5/5)
Free
Socialnomics: How Social Media Transforms the Way We Live and Do Business Erik Qualman
(4/5)
Free
The End of Business As Usual: Rewire the Way You Work to Succeed in the Consumer Revolution Brian Solis
(5/5)
Free
Blog Schmog: The Truth About What Blogs Can (and Can't) Do for Your Business Robert W. Bly
(4/5)
Free
From Counterculture to Cyberculture: Stewart Brand, the Whole Earth Network, and the Rise of Digital Utopianism Fred Turner
(2.5/5)
Free
101 Awesome Builds: Minecraft®™ Secrets from the World's Greatest Crafters Triumph Books
(4.5/5)
Free

Related Audiobooks

Free with a 14 day trial from Scribd

See all
The New New Thing: A Silicon Valley Story Michael Lewis
(4.5/5)
Free
The History of the Future: Oculus, Facebook, and the Revolution That Swept Virtual Reality Blake J. Harris
(4.5/5)
Free
Ten Arguments for Deleting Your Social Media Accounts Right Now Jaron Lanier
(4/5)
Free
Everybody Lies: Big Data, New Data, and What the Internet Can Tell Us About Who We Really Are Seth Stephens-Davidowitz
(4.5/5)
Free
Cognitive Surplus: Creativity and Generosity in a Connected Age Clay Shirky
(4/5)
Free
The Dark Net: Inside the Digital Underworld Jamie Bartlett
(4/5)
Free
The Social Life of Information: Updated, with a New Preface-Revised John Seely Brown
(0/5)
Free
An Introduction to Information Theory: Symbols, Signals and Noise John R. Pierce
(4.5/5)
Free
Who Owns the Future? Jaron Lanier
(4/5)
Free
Algorithms to Live By: The Computer Science of Human Decisions Brian Christian
(4.5/5)
Free
Alone Together: Why We Expect More from Technology and Less from Each Other Sherry Turkle
(4.5/5)
Free
The Death of Expertise: The Campaign Against Established Knowledge and Why it Matters Tom Nichols
(4.5/5)
Free
The Emperor's New Mind: Concerning Computers, Minds, and the Laws of Physics Roger Penrose
(3.5/5)
Free
Blockchain Revolution: How the Technology Behind Bitcoin Is Changing Money, Business, and the World Don Tapscott
(4/5)
Free
New Dark Age: Technology and the End of the Future James Bridle
(4.5/5)
Free
Platform: Get Noticed in a Noisy World Michael Hyatt
(4.5/5)
Free

Enabling Security via Container Runtimes

  1. 1. @estesp Enabling security via runtimes A container runtime perspective on security Phil Estes Distinguished Engineer & CTO, IBM Cloud Platform CNCF containerd project maintainer OCI Technical Oversight Board chair
  2. 2. @estesp Runtimes circa 2014 ● No seccomp ● No pids limit ● No user namespaces ● No rootless ● No content-addressable image format ● No sandboxes ● ...
  3. 3. @estesp Runtime Reorganization ● Open Container Initiative (OCI) and CNCF formed: Summer 2015 ● libcontainer project donated to become “runc” ● Docker architecturally splits into the engine, containerd, and runc ● Later, containerd and cri-o emerge as standalone runtimes without Docker engine
  4. 4. @estesp Runtime Security Progress Late 20162015 Early 2016 2017 PIDS controller SECCOMP support Docker 1.10 ● user namespaces, seccomp profiles, auth plugins ● New content-addressable image format (v2.2) No new privs support User NS nesting Ambient caps readonly+userns rootless runc
  5. 5. @estesp Secure image layer hashes, new manifest
  6. 6. @estesp User namespaces, Phase 1
  7. 7. @estesp Resources, Attack Surface, ...Privilege! Rootless containers refers to the ability for an unprivileged user to create, run and otherwise manage containers. ● Docker “Shocker” 2014 ● Docker CVE-2014-9357 ● Containerd #2001 (2018) ● Runc #1962 (2019) ● K8s CVE-2017-1002101, CVE-2017-1002102 ● K8s CVE-2018-1002105 ● …?
  8. 8. @estesp Rootless Containers ● Built on Linux kernel user namespaces functionality ○ An unprivileged user manages a user and group range in which containers will run ● Limitations for privileged actions handled via userspace functionality ○ slirp4netns - required for network creation/interactions ○ fuse-overlayfs - required for root filesystem interactions and handles UID/GID shifts ○ cgroups - cannot manage cgroups in rootless containers, v2 is solution ● Upstream kernel and related projects (overlayfs) continue work to remove limitations/performance impacts ● Available at all levels (runc, container runtimes, builders, Kubernetes***)
  9. 9. @estesp Are we done yet? 😅
  10. 10. @estesp Sandboxes: Linux Containers++ What if we could consolidate the developer experience of containers with the isolation guarantees of virtual machines?
  11. 11. @estesp Runtime shim v2 API ● Minimal and scoped to the execution lifecycle of a container ● Binary naming convention ○ Type io.containerd.runsc.v1 -> Binary containerd-shim-runsc-v1
  12. 12. @estesp Runtime Plugins - Task Service service Task { rpc State(StateRequest) returns (StateResponse); rpc Create(CreateTaskRequest) returns (CreateTaskResponse); rpc Start(StartRequest) returns (StartResponse); rpc Delete(DeleteRequest) returns (DeleteResponse); rpc Pids(PidsRequest) returns (PidsResponse); rpc Pause(PauseRequest) returns (google.protobuf.Empty); rpc Resume(ResumeRequest) returns (google.protobuf.Empty); rpc Checkpoint(CheckpointTaskRequest) returns (google.protobuf.Empty); rpc Kill(KillRequest) returns (google.protobuf.Empty); rpc Exec(ExecProcessRequest) returns (google.protobuf.Empty); rpc ResizePty(ResizePtyRequest) returns (google.protobuf.Empty); rpc CloseIO(CloseIORequest) returns (google.protobuf.Empty); rpc Update(UpdateTaskRequest) returns (google.protobuf.Empty); rpc Wait(WaitRequest) returns (WaitResponse); rpc Stats(StatsRequest) returns (StatsResponse); rpc Connect(ConnectRequest) returns (ConnectResponse); rpc Shutdown(ShutdownRequest) returns (google.protobuf.Empty); }
  13. 13. @estesp Using Sandboxes ● RuntimeClass + CRI provide a way to utilize custom sandboxes
  14. 14. @estesp Encrypted Container Layers ● Provide a method to encrypt specific image layers with target keys for secure delivery to approved runtime nodes ● Implemented components available/underway in: ○ containers/image, cri-o, buildah, containerd, generic library implementation ○ Kubernetes KEP under review (https://github.com/kubernetes/enhancements/pull/1066) ○ Proposed update to OCI image-spec (https://github.com/opencontainers/image-spec/pull/775)
  15. 15. @estesp What’s Left?
  16. 16. @estesp Thank You!

×