Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Ten layers of container security for CloudCamp Nov 2017


Published on

This presentation describes the multiple layers at which container security should be thought about and implemented.

Published in: Technology
  • Be the first to comment

  • Be the first to like this

Ten layers of container security for CloudCamp Nov 2017

  1. 1. TEN LAYERS OF CONTAINER SECURITY Gordon Haff Technology Evangelist, Red Hat CloudCamp, South San Francisco: Nov. 2017 @ghaff
  2. 2. WHO AM I? ● Evangelist for emerging technologies and practices at Red Hat ● Co-author of From Pots and Vats to Programs and Apps (download for free at ● Former IT industry analyst ● Former big system guy ● Website:
  3. 3. MANA Reuse AutomationMicroservices Immutability Pervasive access Speed Rapid tech churn Flexible deploys Containers Software-defined MANAGED RISK Dev Ops
  4. 4. It depends on who you ask... 4 WHAT ARE CONTAINERS? ● Sandboxed application processes on a shared Linux OS kernel ● Simpler, lighter, and denser than virtual machines ● Portable across different environments ● Package my application and all of its dependencies ● Deploy to any environment in seconds and enable CI/CD ● Easily access and share containerized components INFRASTRUCTURE APPLICATIONS
  5. 5. Open source, Leadership, and Standards 5 THE COMMUNITY LANDSCAPE ● Docker/Moby ● Kubernetes/OpenShift ● OCI Specifications ● Cloud Native Technical Leadership The landscape is made up of committees, standards bodies, and open source projects:
  6. 6. 6 6. Container Platform 7. Network Isolation 8. Storage 9. API Management 10. Federated Clusters 1. Container Host 2. Container Content 3. Container Registries 4. Building Containers 5. Deploying Containers SECURING CONTAINERS: LAYERS, LIFECYCLE, AND AUTOMATION
  7. 7. A stable, reliable host environment with built-in security features that allow you to isolate containers from other containers and from the kernel. 7 CONTAINER HOST & MULTI-TENANCY THE OS MATTERS SELinux 1 Kernel namespaces Cgroups Seccomp THE FOUNDATION FOR SECURE, SCALABLE CONTAINERS R/O Mounts
  8. 8. 8 SELINUX - MAC - MCS1 ● SElinux is a LABELING system ● Every Process has a Label ● Every file, Directory, System object has a Label ● Policy rules control access between labeled processes and labeled objects ● The Kernel enforces the rules
  9. 9. 9 Cgroups - Resource Isolation1 CPU Memory Network Storage / IO Container 1 slice Container 2 slice
  11. 11. 11 ● Are there known vulnerabilities in the application layer? ● Are the runtime and OS layers up to date? ● How frequently will the container be updated and how will I know when it’s updated? CONTENT: USE TRUSTED SOURCES2
  12. 12. HOST OS CONTAINER OS RUNTIME APP 12 Image governance and private registries ● What security meta-data is available for your images? ● Are the images in the registry updated regularly? ● Are there processes to maintain currency? ● Are there access controls on the registry? How strong are they? PRIVATE REGISTRIES: SECURE ACCESS TO IMAGES 3
  13. 13. 13 Security & continuous integration ● Layered packaging model supports separation of concerns ● Integrate security testing into your build / CI process ● Use automated policies to flag builds with issues ● Trigger automated rebuilds MANAGING CONTAINER BUILDS Operations Architects Application developers 4
  14. 14. 14 Security & continuous deployment ● Monitor image registry to automatically replace affected images ● Use policies to gate what can be deployed: e.g. if a container requires root access, prevent deployment MANAGING CONTAINER DEPLOYMENT5
  15. 15. 15 Use a container orchestration platform with integrated security features including ● Role-based Access Controls with LDAP and OAuth2 integration ● Platform multitenant security ● Image signing (3.6) ● Secrets management ● Enable integration with the security ecosystem SECURING THE CONTAINER PLATFORM6
  16. 16. 16 ● Log (most) things ● Alarm few things ● Establish relevant metrics ● Root cause analysis (reactive) ● Detect patterns/trends (proactive) ● Context and distributions matter ● Incentives drive behavior SECURING THE CONTAINER PLATFORM: MONITORING, ALERTS, AND METRICS 6
  17. 17. 17 Use network namespaces to ● Isolate applications from other applications within a cluster ● Isolate environments (Dev / Test / Prod) from other environments within a cluster NETWORK DEFENSE7
  18. 18. 18 Secure storage by using ● SELinux access controls ● Secure mounts ● Supplemental group IDs for shared storage ATTACHED STORAGE8
  19. 19. 19 STORAGE ISOLATION8 SCC access Layer supplementalGroups fsGroup runAsUserseLinuxOption Create app with storage Check for UID/GIDfor access to shared storage? Is the pod’s "file system group" ID correct for the block storage? Is the seLinuxContext user, role,type set and is this user allowed to mount it? What is the RunAsUser or MustRunAsRange?
  20. 20. 20 Container platform & application APIs ● Authentication and authorization ● LDAP integration ● End-point access controls ● Rate limiting API MANAGEMENT9
  21. 21. 21 Securing federated clusters across data centers or environments ● Authentication and authorization ● API endpoints ● Secrets ● Namespaces FEDERATED CLUSTERS (coming) ROLES & ACCESS MANAGEMENT Source: Building Globally Distributed Services using Kubernetes Cluster Federation. October 14, 2016 10
  22. 22. 22 FEDERATED CLUSTERS (coming) ROLES & ACCESS MANAGEMENT Source: Building Globally Distributed Services using Kubernetes Cluster Federation. October 14, 2016 10 API Repl Ctrl Ubernetes state API Repl Ctrl Kubernetes Cluster state API Repl Ctrl Kubernetes Cluster state
  23. 23. 23 For enhanced security, or to meet existing policies, integrate with enterprise security tools, such as THE SECURITY ECOSYSTEM ● Identity and Access management / Privileged Access Management ● External Certificate Authorities ● External Vaults / Key Management solutions ● Container content scanners & vulnerability management tools ● Container runtime analysis tools ● Security Information and Event Monitoring (SIEM)
  24. 24. 24 BRINGING IT ALL TOGETHER Container Business Automation Container Integration Container Data & Storage Contaner Web & Mobile OpenShift Application Lifecycle Management (CI/CD) Build Automation Deployment Automation Service Catalog (Language Runtimes, Middleware, Databases) Self-Service Infrastructure Automation & Cockpit Networking Storage Registry Logs & Metrics Security Container Orchestration & Cluster Management (kubernetes) Container Runtime & Packaging (Docker) Enterprise Container Host Red Hat Enterprise LinuxAtomic Host Physical Virtual Private cloud Public cloud
  25. 25. THANK YOU 25