Anthony Chow, profile picture
Uploaded byAnthony Chow
PPTX, PDF256 views

Container security

The document discusses container security, providing advantages and disadvantages of containers as well as threats. It outlines different approaches to container security including host-based methods using namespaces, control groups, and capabilities as well as container-based scanning and digital signatures. Third-party security tools are also mentioned. The document concludes with examples of using containers for microservices and network policies for protection.

Embed presentation

Downloaded 33 times
What You Should Know About Container Security DeveloperWeek Austin November 8, 2017 Anthony Chow Auth0 Ambassador Twitter: @vCloudernBeer Blog: http://cloudn1n3.blogspot.com/
 Small footprint  Self contained  Fast provisioning time  Docker: Build – Ship - Run  Useful tool for DevOps  Effective solution for Microservices Advantages of Containers
 Not easy with persistent storage  Less isolated than a Virtual Machine  Share the same OS Kernel  Networking solutions to provide isolation Disadvantages of Container
 Escape  Cross-container attacks  Application vulnerabilities  Denial of Service attack on the host. Types of Threads to Containers
 Host based  Container based  3rd Party Security Offerings  Miscellaneous Different ways of looking into Container Security
 Namespace  Control group (cgroup)  Root capabilities  Linux Security Modules (LSM) Host based container security
Image source: https://image.slidesharecdn.com/linuxcontainersnextgenvirtualizationforcloudatlsummitar4-3-copy-140514133120-phpapp02/95/linux-containers-next- gen-virtualization-for-cloud-atl-summit-ar4-3-copy-11-638.jpg?cb=1400074471
 Not turned on by default in Docker  Docker daemon needs to be started with “–userns- remap=default” User Namespace
Image source: https://image.slidesharecdn.com/linuxcontainersnextgenvirtualizationforcloudatlsummitar4-3-copy-140514133120-phpapp02/95/linux-containers-next- gen-virtualization-for-cloud-atl-summit-ar4-3-copy-6-638.jpg?cb=1400074471
 Fine grain control over ‘root’ privileges  /usr/include/linux/capability.h  sudo /sbin/capsh –-print  https://linux.die.net/man/7/capabilities  docker run -ti --name ubuntu1 --cap-drop=net_raw ubuntu bash  RedHat uses SystemTap to find capabilities of a container (https://developers.redhat.com/blog/2017/02/16/find-what-capabilities-an-application-requires-to-successful-run-in-a-container/)  https://docs.docker.com/engine/security/seccomp/ Root Capabilities
 Discretionary Access Control  the owner of the object specifies which subjects can access the object  Mandatory Access Control  the system (and not the users) specifies which subjects can access specific data objects  Role Based Access Control  Access is based on permission associated with a role and user is assigned with different roles.  Rule Based Access Control  Access is allowed or denied to resource objects based on a set of rules defined by a system administrator Access Control Types
 https://www.cyberciti.biz/tips/selinux-vs-apparmor-vs-grsecurity.html  SELinux  3 modes: Enforcing, Permissive and disabled  http://www.projectatomic.io/docs/docker-and-selinux/  https://opensource.com/business/14/9/security-for-docker  Works with labels.  AppArmor  2 modes: Enforcement and Complain  https://docs.docker.com/engine/security/apparmor/  Works with file path. Linux Security Module (LSM)
 Digital Digest for container image integrity  Docker Content Trust  CoreOS – dm_verify  Registry Authentication  OAuth2  Keyclock  Container Scanning  IBM – Vulnerability Advisor  RedHat – Atomic host  CoreOS – Clair and Quary  Docker – Docker cloud and Docker Hub Container based security
Image source: http://cdn.ttgtmedia.com/rms/onlineImages/ss_digitalsignature_2014_v01_desktop.png
Image source: http://wiki.snom.com/wiki/images/thumb/0/05/M9_custom_cert.PNG/800px-M9_custom_cert.PNG
 Aqua - https://www.aquasec.com/  Anchore - https://github.com/anchore/anchore  TwistLock - https://www.twistlock.com/  Tenable - http://www.tenable.com/  Blackduck -https://www.blackducksoftware.com/  StackRox - stackrox.com 3rd Party Security Offerings
 Aqua - https://www.aquasec.com/  Anchore - https://github.com/anchore/anchore  TwistLock - https://www.twistlock.com/  Tenable - http://www.tenable.com/  Blackduck -https://www.blackducksoftware.com/  StackRox - stackrox.com 3rd Party Security Offerings
 Open Container Initiative (OCI)  Hardware Assisted:  Intel Clear Container  SCONE - Secure Linux Containers on Intel SGX  LinuxKit  Docker 1.13 Secret Management  Docker Authentication with Keycloak  Linux Container Hardening Miscellaneous
 QEMU-light  DAX – Direct Access  KSM – Kernel Same-page Mapping Intel Clear Container core technologies
Intel Clear Container – a container run timeimage source: https://github.com/clearcontainers/runtime/blob/master/docs/architecture/architecture.md
Intel Clear Container ArchitectureImage Source: https://clearlinux.org/documentation/clear-containers/architecture-overview.html
onboot: - name: dhcpcd image: linuxkit/dhcpcd:<hash> command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"] - name: wg image: linuxkit/ip:<hash> net: new binds: - /etc/wireguard:/etc/wireguard command: ["sh", "-c", "ip link set dev wg0 up; ip address add dev wg0 192.168.2.1 peer 192.168.2.2; wg setconf wg0 /etc/wireguard/wg0.conf; wg show wg0"] runtime: interfaces: - name: wg0 add: wireguard createInRoot: true bindNS: net: /run/netns/wg services: - name: nginx image: nginx:alpine net: /run/netns/wg capabilities: - CAP_NET_BIND_SERVICE - CAP_CHOWN - CAP_SETUID - CAP_SETGID - CAP_DAC_OVERRIDE
 OAuth2 for authentication and authorization  Calico for security policy to protect east-west traffic Container Use case - Microservices
 Resource Owner  Resource Server  Authorization Server  Access Token  Authorization Grant OAuth2 Terminologies
OAuth2 in Microservicesimage source: https://dzone.com/articles/microservices-in-practice-1
 Frequent and short life span  Increase East-West traffic  Individual container/pod not isolated for functionality Microservices opens up Security risk
cat << EOF | calicoctl create -f - - apiVersion: v1 kind: policy metadata: name: frontend spec: order: 0 selector: role == 'frontend' egress: - action: allow protocol: tcp destination: selector: role == 'database' ports: - 3306 Sample Calico network policy
 https://opensource.com/business/14/7/docker-security- selinux  https://docs.docker.com/engine/security/security/  https://opensource.com/business/14/9/security-for-docker  https://coreos.com/blog/verifying-os-at-runtime.html  https://developers.redhat.com/blog/2017/10/31/docker- authentication-keycloak/ Useful blog post on container security
Thanks for coming and enjoy the rest of DeveloperWeek Austin, 2017

More Related Content

PDF
How Secure Is Your Container? ContainerCon Berlin 2016
byPhil Estes
 
PDF
Rooting Out Root: User namespaces in Docker
byPhil Estes
 
PDF
Veer's Container Security
byJim Barlow
 
PDF
Ten layers of container security for CloudCamp Nov 2017
byGordon Haff
 
PDF
Open Source Tools for Container Security and Compliance @Docker LA Meetup 2/13
byZach Hill
 
ODP
CLI Wizardry - A Friendly Intro To sed/awk/grep
byAll Things Open
 
PDF
Docker Security Paradigm
byAnis LARGUEM
 
PDF
Docker Security: Are Your Containers Tightly Secured to the Ship?
byMichael Boelen
 
How Secure Is Your Container? ContainerCon Berlin 2016
byPhil Estes
 
Rooting Out Root: User namespaces in Docker
byPhil Estes
 
Veer's Container Security
byJim Barlow
 
Ten layers of container security for CloudCamp Nov 2017
byGordon Haff
 
Open Source Tools for Container Security and Compliance @Docker LA Meetup 2/13
byZach Hill
 
CLI Wizardry - A Friendly Intro To sed/awk/grep
byAll Things Open
 
Docker Security Paradigm
byAnis LARGUEM
 
Docker Security: Are Your Containers Tightly Secured to the Ship?
byMichael Boelen
 

What's hot

PDF
Docker Security in Production Overview
byDelve Labs
 
PPTX
Docker: Aspects of Container Isolation
byallingeek
 
PDF
Container Security: How We Got Here and Where We're Going
byPhil Estes
 
PPTX
Understanding container security
byJohn Kinsella
 
PDF
Docker, Linux Containers (LXC), and security
byJérôme Petazzoni
 
PDF
Security of Linux containers in the cloud
byDobrica Pavlinušić
 
PDF
Container Security
bySalman Baset
 
PDF
Tokyo OpenStack Summit 2015: Unraveling Docker Security
byPhil Estes
 
PDF
Docker security: Rolling out Trust in your container
byRonak Kogta
 
PDF
5 Ways to Secure Your Containers for Docker and Beyond
byBlack Duck by Synopsys
 
PPT
Container security
byAnthony Chow
 
PDF
Docker and kernel security
bysmart_bit
 
PDF
Linux Container Technology 101
byinside-BigData.com
 
PDF
Testing Docker Security Linuxlab 2017
byJose Manuel Ortega Candel
 
PDF
Evoluation of Linux Container Virtualization
byImesh Gunaratne
 
PDF
Security on a Container Platform
byAll Things Open
 
PDF
Docker Security and Content Trust
byehazlett
 
PPTX
Linux Container Brief for IEEE WG P2302
byBoden Russell
 
PPTX
Oscon London 2016 - Docker from Development to Production
byPatrick Chanezon
 
Docker Security in Production Overview
byDelve Labs
 
Docker: Aspects of Container Isolation
byallingeek
 
Container Security: How We Got Here and Where We're Going
byPhil Estes
 
Understanding container security
byJohn Kinsella
 
Docker, Linux Containers (LXC), and security
byJérôme Petazzoni
 
Security of Linux containers in the cloud
byDobrica Pavlinušić
 
Container Security
bySalman Baset
 
Tokyo OpenStack Summit 2015: Unraveling Docker Security
byPhil Estes
 
Docker security: Rolling out Trust in your container
byRonak Kogta
 
5 Ways to Secure Your Containers for Docker and Beyond
byBlack Duck by Synopsys
 
Container security
byAnthony Chow
 
Docker and kernel security
bysmart_bit
 
Linux Container Technology 101
byinside-BigData.com
 
Testing Docker Security Linuxlab 2017
byJose Manuel Ortega Candel
 
Evoluation of Linux Container Virtualization
byImesh Gunaratne
 
Security on a Container Platform
byAll Things Open
 
Docker Security and Content Trust
byehazlett
 
Linux Container Brief for IEEE WG P2302
byBoden Russell
 
Oscon London 2016 - Docker from Development to Production
byPatrick Chanezon
 

Similar to Container security

PPT
What You Should Know About Container Security
byAll Things Open
 
PPT
Container security
byAnthony Chow
 
PDF
Docker London: Container Security
byPhil Estes
 
PPTX
Docker Security
byantitree
 
PPTX
Docker Security Overview
bySreenivas Makam
 
PPTX
SW Docker Security
byStephane Woillez
 
PPTX
Exploring Docker Security
byPatrick Kleindienst
 
PDF
LXC, Docker, security: is it safe to run applications in Linux Containers?
byJérôme Petazzoni
 
ODP
Practical Container Security by Mrunal Patel and Thomas Cameron, Red Hat
byDocker, Inc.
 
PDF
Securing Applications and Pipelines on a Container Platform
byAll Things Open
 
PDF
Docker, Linux Containers, and Security: Does It Add Up?
byJérôme Petazzoni
 
PDF
Containers & Security
byAll Things Open
 
PDF
Securing Applications and Pipelines on a Container Platform
byAll Things Open
 
PDF
Containers and security
bysriram_rajan
 
PDF
Docker Container: isolation and security
by宇 傅
 
PDF
Docker Security - Secure Container Deployment on Linux
byMichael Boelen
 
PDF
Unraveling Docker Security: Lessons From a Production Cloud
bySalman Baset
 
PPTX
Containers and workload security an overview
byKrishna-Kumar
 
PPTX
A Survey of Container Security in 2016: A Security Update on Container Platforms
bySalman Baset
 
PDF
Securing the container DevOps pipeline by William Henry
byDevSecCon
 
What You Should Know About Container Security
byAll Things Open
 
Container security
byAnthony Chow
 
Docker London: Container Security
byPhil Estes
 
Docker Security
byantitree
 
Docker Security Overview
bySreenivas Makam
 
SW Docker Security
byStephane Woillez
 
Exploring Docker Security
byPatrick Kleindienst
 
LXC, Docker, security: is it safe to run applications in Linux Containers?
byJérôme Petazzoni
 
Practical Container Security by Mrunal Patel and Thomas Cameron, Red Hat
byDocker, Inc.
 
Securing Applications and Pipelines on a Container Platform
byAll Things Open
 
Docker, Linux Containers, and Security: Does It Add Up?
byJérôme Petazzoni
 
Containers & Security
byAll Things Open
 
Securing Applications and Pipelines on a Container Platform
byAll Things Open
 
Containers and security
bysriram_rajan
 
Docker Container: isolation and security
by宇 傅
 
Docker Security - Secure Container Deployment on Linux
byMichael Boelen
 
Unraveling Docker Security: Lessons From a Production Cloud
bySalman Baset
 
Containers and workload security an overview
byKrishna-Kumar
 
A Survey of Container Security in 2016: A Security Update on Container Platforms
bySalman Baset
 
Securing the container DevOps pipeline by William Henry
byDevSecCon
 

More from Anthony Chow

PPTX
Build your own Blockchain with the right tool for your application
byAnthony Chow
 
PPT
MQTT security
byAnthony Chow
 
PPTX
Understanding gRPC Authentication Methods
byAnthony Chow
 
PPTX
Api security with o auth2
byAnthony Chow
 
PPTX
V brownbag sept-14-2016
byAnthony Chow
 
PPTX
Understanding the container landscape and it associated projects
byAnthony Chow
 
PPTX
Getting over the barrier and start contributing to OpenStack
byAnthony Chow
 
PPT
Introduction to go
byAnthony Chow
 
PPTX
Micro segmentation – a perfect fit for microservices
byAnthony Chow
 
PPTX
An overview of OpenStack for the VMware community
byAnthony Chow
 
PPTX
VXLAN in the contemporary data center
byAnthony Chow
 
PPT
What a Beginner Should Know About OpenStack
byAnthony Chow
 
Build your own Blockchain with the right tool for your application
byAnthony Chow
 
MQTT security
byAnthony Chow
 
Understanding gRPC Authentication Methods
byAnthony Chow
 
Api security with o auth2
byAnthony Chow
 
V brownbag sept-14-2016
byAnthony Chow
 
Understanding the container landscape and it associated projects
byAnthony Chow
 
Getting over the barrier and start contributing to OpenStack
byAnthony Chow
 
Introduction to go
byAnthony Chow
 
Micro segmentation – a perfect fit for microservices
byAnthony Chow
 
An overview of OpenStack for the VMware community
byAnthony Chow
 
VXLAN in the contemporary data center
byAnthony Chow
 
What a Beginner Should Know About OpenStack
byAnthony Chow
 

Recently uploaded

PDF
Session 1 - Solving Semi-Structured Documents with Document Understanding
byDianaGray10
 
PPTX
Conversational Agents – Building Intelligent Assistants [Virtual Hands-on Wor...
byUiPathCommunity
 
PPTX
THIS IS CYBER SECURITY NOTES USED IN CLASS ON VARIOUS TOPICS USED IN CYBERSEC...
byMelissaGblinwon
 
PDF
Dev Dives: AI that builds with you - UiPath Autopilot for effortless RPA & AP...
byUiPathCommunity
 
PDF
Usage Control for Process Discovery through a Trusted Execution Environment
byValerioGoretti
 
PPTX
Cybercrime in the Digital Age: Risks, Impact & Protection
byYasir Naveed Riaz
 
PDF
Day 5 - Red Team + Blue Team in the Cloud - 2nd Sight Lab Cloud Security Class
by2nd Sight Lab
 
PPTX
Protecting Data in an AI Driven World - Cybersecurity in 2026
byYasir Naveed Riaz
 
PDF
Unser Jahresrückblick – MarvelClient in 2025
bypanagenda
 
PDF
Day 2 - Network Security ~ 2nd Sight Lab ~ Cloud Security Class ~ 2020
by2nd Sight Lab
 
PPTX
Kanban India 2025 | Daksh Gupta | Modeling the Models, Generative AI & Kanban
byLeanKanbanIndia
 
PDF
TrustArc Webinar - Looking Ahead: The 2026 Privacy Landscape
byTrustArc
 
PPT
software-security-intro in information security.ppt
byismaeelsahib032
 
PPTX
Cloud-and-AI-Platform-FY26-Partner-Playbook.pptx
byiuiuiuiu1
 
PDF
Security Technologys: Access Control, Firewall, VPN
byShielaLasala
 
DOCX
Introduction to the World of Computers (Hardware & Software)
byALIABBAS ABASOV
 
PPTX
Data Privacy and Protection: Safeguarding Information in a Connected World
byYasir Naveed Riaz
 
PDF
Security Forum Sessions from Houston 2025 Event
byMark Simos
 
DOCX
iRobot Post‑Mortem and Alternative Paths - Discussion Document for Boards and...
byDave Litwiller
 
PDF
Eredità digitale sugli smartphone: cosa resta di noi nei dispositivi mobili
bySpeck&Tech
 
Session 1 - Solving Semi-Structured Documents with Document Understanding
byDianaGray10
 
Conversational Agents – Building Intelligent Assistants [Virtual Hands-on Wor...
byUiPathCommunity
 
THIS IS CYBER SECURITY NOTES USED IN CLASS ON VARIOUS TOPICS USED IN CYBERSEC...
byMelissaGblinwon
 
Dev Dives: AI that builds with you - UiPath Autopilot for effortless RPA & AP...
byUiPathCommunity
 
Usage Control for Process Discovery through a Trusted Execution Environment
byValerioGoretti
 
Cybercrime in the Digital Age: Risks, Impact & Protection
byYasir Naveed Riaz
 
Day 5 - Red Team + Blue Team in the Cloud - 2nd Sight Lab Cloud Security Class
by2nd Sight Lab
 
Protecting Data in an AI Driven World - Cybersecurity in 2026
byYasir Naveed Riaz
 
Unser Jahresrückblick – MarvelClient in 2025
bypanagenda
 
Day 2 - Network Security ~ 2nd Sight Lab ~ Cloud Security Class ~ 2020
by2nd Sight Lab
 
Kanban India 2025 | Daksh Gupta | Modeling the Models, Generative AI & Kanban
byLeanKanbanIndia
 
TrustArc Webinar - Looking Ahead: The 2026 Privacy Landscape
byTrustArc
 
software-security-intro in information security.ppt
byismaeelsahib032
 
Cloud-and-AI-Platform-FY26-Partner-Playbook.pptx
byiuiuiuiu1
 
Security Technologys: Access Control, Firewall, VPN
byShielaLasala
 
Introduction to the World of Computers (Hardware & Software)
byALIABBAS ABASOV
 
Data Privacy and Protection: Safeguarding Information in a Connected World
byYasir Naveed Riaz
 
Security Forum Sessions from Houston 2025 Event
byMark Simos
 
iRobot Post‑Mortem and Alternative Paths - Discussion Document for Boards and...
byDave Litwiller
 
Eredità digitale sugli smartphone: cosa resta di noi nei dispositivi mobili
bySpeck&Tech
 

Container security

  • 1.
    What You ShouldKnow About Container Security DeveloperWeek Austin November 8, 2017 Anthony Chow Auth0 Ambassador Twitter: @vCloudernBeer Blog: http://cloudn1n3.blogspot.com/
  • 2.
     Small footprint Self contained  Fast provisioning time  Docker: Build – Ship - Run  Useful tool for DevOps  Effective solution for Microservices Advantages of Containers
  • 3.
     Not easywith persistent storage  Less isolated than a Virtual Machine  Share the same OS Kernel  Networking solutions to provide isolation Disadvantages of Container
  • 4.
     Escape  Cross-containerattacks  Application vulnerabilities  Denial of Service attack on the host. Types of Threads to Containers
  • 5.
     Host based Container based  3rd Party Security Offerings  Miscellaneous Different ways of looking into Container Security
  • 6.
     Namespace  Controlgroup (cgroup)  Root capabilities  Linux Security Modules (LSM) Host based container security
  • 7.
  • 8.
     Not turnedon by default in Docker  Docker daemon needs to be started with “–userns- remap=default” User Namespace
  • 9.
  • 10.
     Fine graincontrol over ‘root’ privileges  /usr/include/linux/capability.h  sudo /sbin/capsh –-print  https://linux.die.net/man/7/capabilities  docker run -ti --name ubuntu1 --cap-drop=net_raw ubuntu bash  RedHat uses SystemTap to find capabilities of a container (https://developers.redhat.com/blog/2017/02/16/find-what-capabilities-an-application-requires-to-successful-run-in-a-container/)  https://docs.docker.com/engine/security/seccomp/ Root Capabilities
  • 11.
     Discretionary AccessControl  the owner of the object specifies which subjects can access the object  Mandatory Access Control  the system (and not the users) specifies which subjects can access specific data objects  Role Based Access Control  Access is based on permission associated with a role and user is assigned with different roles.  Rule Based Access Control  Access is allowed or denied to resource objects based on a set of rules defined by a system administrator Access Control Types
  • 12.
     https://www.cyberciti.biz/tips/selinux-vs-apparmor-vs-grsecurity.html  SELinux 3 modes: Enforcing, Permissive and disabled  http://www.projectatomic.io/docs/docker-and-selinux/  https://opensource.com/business/14/9/security-for-docker  Works with labels.  AppArmor  2 modes: Enforcement and Complain  https://docs.docker.com/engine/security/apparmor/  Works with file path. Linux Security Module (LSM)
  • 13.
     Digital Digestfor container image integrity  Docker Content Trust  CoreOS – dm_verify  Registry Authentication  OAuth2  Keyclock  Container Scanning  IBM – Vulnerability Advisor  RedHat – Atomic host  CoreOS – Clair and Quary  Docker – Docker cloud and Docker Hub Container based security
  • 14.
  • 15.
  • 16.
     Aqua -https://www.aquasec.com/  Anchore - https://github.com/anchore/anchore  TwistLock - https://www.twistlock.com/  Tenable - http://www.tenable.com/  Blackduck -https://www.blackducksoftware.com/  StackRox - stackrox.com 3rd Party Security Offerings
  • 17.
     Aqua -https://www.aquasec.com/  Anchore - https://github.com/anchore/anchore  TwistLock - https://www.twistlock.com/  Tenable - http://www.tenable.com/  Blackduck -https://www.blackducksoftware.com/  StackRox - stackrox.com 3rd Party Security Offerings
  • 18.
     Open ContainerInitiative (OCI)  Hardware Assisted:  Intel Clear Container  SCONE - Secure Linux Containers on Intel SGX  LinuxKit  Docker 1.13 Secret Management  Docker Authentication with Keycloak  Linux Container Hardening Miscellaneous
  • 19.
     QEMU-light  DAX– Direct Access  KSM – Kernel Same-page Mapping Intel Clear Container core technologies
  • 20.
    Intel Clear Container– a container run timeimage source: https://github.com/clearcontainers/runtime/blob/master/docs/architecture/architecture.md
  • 21.
    Intel Clear ContainerArchitectureImage Source: https://clearlinux.org/documentation/clear-containers/architecture-overview.html
  • 23.
    onboot: - name: dhcpcd image:linuxkit/dhcpcd:<hash> command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"] - name: wg image: linuxkit/ip:<hash> net: new binds: - /etc/wireguard:/etc/wireguard command: ["sh", "-c", "ip link set dev wg0 up; ip address add dev wg0 192.168.2.1 peer 192.168.2.2; wg setconf wg0 /etc/wireguard/wg0.conf; wg show wg0"] runtime: interfaces: - name: wg0 add: wireguard createInRoot: true bindNS: net: /run/netns/wg services: - name: nginx image: nginx:alpine net: /run/netns/wg capabilities: - CAP_NET_BIND_SERVICE - CAP_CHOWN - CAP_SETUID - CAP_SETGID - CAP_DAC_OVERRIDE
  • 24.
     OAuth2 forauthentication and authorization  Calico for security policy to protect east-west traffic Container Use case - Microservices
  • 25.
     Resource Owner Resource Server  Authorization Server  Access Token  Authorization Grant OAuth2 Terminologies
  • 26.
    OAuth2 in Microservicesimagesource: https://dzone.com/articles/microservices-in-practice-1
  • 27.
     Frequent andshort life span  Increase East-West traffic  Individual container/pod not isolated for functionality Microservices opens up Security risk
  • 28.
    cat << EOF| calicoctl create -f - - apiVersion: v1 kind: policy metadata: name: frontend spec: order: 0 selector: role == 'frontend' egress: - action: allow protocol: tcp destination: selector: role == 'database' ports: - 3306 Sample Calico network policy
  • 29.
     https://opensource.com/business/14/7/docker-security- selinux  https://docs.docker.com/engine/security/security/ https://opensource.com/business/14/9/security-for-docker  https://coreos.com/blog/verifying-os-at-runtime.html  https://developers.redhat.com/blog/2017/10/31/docker- authentication-keycloak/ Useful blog post on container security
  • 30.
    Thanks for comingand enjoy the rest of DeveloperWeek Austin, 2017