Securing Your Docker Image Registry for Production
ContainerDays NYC 2016, November 16, 2016
Jason Heiss, Two Sigma (www.twosigma.com)
Image Registry
- A place to store your container images
- Private version of hub.docker.com
Image Registry Security
- Why do we need registry security?
  - Malicious changes
  - Inadvertent changes
    - Developer pushes to production image
    - Production team A pushes to Production team B image
  - Naming standards
    - hub.example.com/databese:1.0
    - hub.example.com/my_quick_hack:0.1
AAA
- Authentication
- Authorization
- Audit Logging
Authentication
Who is the user?
(Photograph by Robert Rexach)
Why Authentication?
- Hard to do authorization without authentication
- Makes audit logs more useful
  - "Image X pushed Oct 31, 2016"
  - "Image X pushed by Jane Doe Oct 31, 2016"
Authentication Choices
- Lots of choices
  - Password
  - SSL cert
  - Kerberos
  - Fingerprint
  - Physical token
- Many organizations have unusual or custom authentication needs
Image Registry Choices
- Docker Registry (open source)
- Docker Trusted Registry
- CoreOS Quay Enterprise
- JFrog Artifactory
  - Notable for allowing you to front it with Apache httpd or nginx for authentication
  - You can use any authentication scheme supported by httpd or nginx
Docker Registry
Proprietary and Confidential – Not for Redistribution
Image from https://docs.docker.com/registry/spec/auth/token/
- Registry redirects daemon to auth service
- Daemon authenticates to auth service with password or OAuth2 token, gets a bearer token
- Daemon uses bearer token to authenticate to registry
- Registry trusts bearer tokens from auth service based on a public/private key pair that you configure
Auth Service Choices
- https://github.com/docker/distribution/tree/master/contrib/token-server
- https://github.com/cesanta/docker_auth
- https://github.com/opendns/registry-oauth-server
- https://github.com/SUSE/Portus
- GitLab Container Registry
Authentication Demo
Demonstrate authentication with Docker Registry, Docker Engine (Client/Daemon), and https://github.com/opendns/registry-oauth-server
Docker Client and Registry Authentication
- Docker daemon asks Docker client for the username and password to authenticate to the registry auth server
  - https://docs.docker.com/engine/reference/commandline/login/
  - docker login
  - Password stored, unencrypted, in $HOME/.docker/config.json
- Credentials store
  - Configured in config.json: {"credsStore": "mycredstore"}
  - Docker runs docker-credential-mycredstore
    - Must be in your PATH
  - Can be abused to fetch a password on the fly
Credentials Store Demo
Demonstrate using a credentials store to fetch a password
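The credentials-store trick from the previous slides, as an added example that is not the talk's demo code: a `docker-credential-mycredstore` helper whose `get` verb fetches the registry credential on demand instead of reading a password that `docker login` wrote to `config.json`. The verbs and JSON field names follow the docker-credential-helpers protocol as I understand it (an assumption to check against the helper documentation for your Docker version); `CredentialSource`, `DEMO_REGISTRY_CREDS` and the sample server URL are constructed for the example.

```python
"""A credentials-store helper that fetches the registry password on the fly
(added example, not the talk's demo code).  With {"credsStore": "mycredstore"}
in config.json, Docker runs `docker-credential-mycredstore <verb>` with input
on stdin and reads JSON from stdout.  The verbs and JSON field names below
follow the docker-credential-helpers protocol as the author of this example
understands it (assumption; check the helper docs for your version):
  get    server URL on stdin               -> {"ServerURL","Username","Secret"} on stdout
  store  {"ServerURL","Username","Secret"} on stdin
  erase  server URL on stdin
  list   nothing on stdin                  -> {"<server>": "<username>"} on stdout
"""
import json
import os
import sys

# Text the stock helpers print when nothing is stored for a server; the Docker
# client recognises it and falls back to prompting (assumption).
NOT_FOUND = "credentials not found in native keychain"


class CredentialSource:
    """Stand-in for what you would really query (a vault, an SSO token endpoint,
    a short-lived token minted from a Kerberos ticket).  Constructed for this
    example as an in-memory map of server URL -> (username, secret)."""

    def __init__(self, creds):
        self._creds = dict(creds)

    def fetch(self, server):
        return self._creds.get(server)

    def servers(self):
        return {server: user for server, (user, _) in self._creds.items()}


def handle(verb, stdin_text, source):
    """Process one helper invocation.  Returns (exit_code, stdout_text)."""
    if verb == "get":
        server = stdin_text.strip()
        found = source.fetch(server)
        if found is None:
            return 1, NOT_FOUND
        username, secret = found
        return 0, json.dumps({"ServerURL": server, "Username": username, "Secret": secret})
    if verb == "store":
        # `docker login` calls this.  Validate the payload but deliberately do
        # not persist the secret: `get` fetches it fresh every time, so no
        # plaintext password ever lands on disk.
        payload = json.loads(stdin_text)
        for key in ("ServerURL", "Username", "Secret"):
            if key not in payload:
                return 1, "missing field %s" % key
        return 0, ""
    if verb == "erase":
        return 0, ""  # nothing is stored, so there is nothing to erase
    if verb == "list":
        return 0, json.dumps(source.servers())
    return 1, "unknown verb %r" % verb


def source_from_env():
    """Hypothetical bootstrap for the stand-alone helper: parses
    DEMO_REGISTRY_CREDS='https://registry.example.com=jane:s3cr3t' (a variable
    name made up for this example).  A real helper would call a secret store."""
    creds = {}
    for item in filter(None, os.environ.get("DEMO_REGISTRY_CREDS", "").split(";")):
        server, _, userpass = item.partition("=")
        user, _, secret = userpass.partition(":")
        creds[server] = (user, secret)
    return CredentialSource(creds)


if __name__ == "__main__":
    verb = sys.argv[1] if len(sys.argv) > 1 else ""
    code, out = handle(verb, sys.stdin.read(), source_from_env())
    sys.stdout.write(out)
    sys.exit(code)
```

Save it as `docker-credential-mycredstore`, make it executable somewhere on `PATH`, and set `"credsStore": "mycredstore"` in `config.json`; every `docker pull` or `docker push` then runs `get` and receives whatever the source hands back at that moment, which is how a short-lived token can replace a long-lived password.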
Authorization
What is the user allowed to do?
(Photograph by Tony Webster)
Docker Registry
Image from https://docs.docker.com/registry/spec/auth/token/
Docker Registry Authorization
- Redirect from registry to auth service includes info about the requested operation:
  - Actions: push, pull, *
- Auth server lists allowed actions in the token it returns

    WWW-Authenticate: Bearer
        realm="https://auth.example.com/token",
        service="registry.example.com",
        scope="repository:samalba/my-app:pull,push"
Authorization Demo
Demonstrate allowing or blocking actions based on the scope parameter sent to the auth server
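The authorization decision the demo makes, as an added example that is not the talk's demo code: parse the `WWW-Authenticate` challenge from the slide, split its `scope` into type, repository and requested actions, and intersect those actions with what an ACL grants the authenticated user. The result is the `access` entry a token server signs into the bearer token (`type`/`name`/`actions` are the field names of the registry token specification); the `ACL` table, the user names and the `prod-a/*` and `prod-b/*` repositories are constructed to model the "team A pushes to team B's image" case from the first slides.

```python
"""Authorization decision for a registry token server (added example, not the
talk's demo code).  Parses the WWW-Authenticate challenge the registry sends
the daemon, applies a constructed ACL to the requested scope, and builds the
"access" entry that a token server places in the bearer token's claims."""
import fnmatch
import re

# The challenge from the slide.  realm/service/scope are the parameters the
# registry token specification defines.
CHALLENGE = ('Bearer realm="https://auth.example.com/token",'
             'service="registry.example.com",'
             'scope="repository:samalba/my-app:pull,push"')

ALL_ACTIONS = {"pull", "push"}

# Constructed ACL for this example: (user glob, repository glob, actions).
# "*" in the actions set stands for every action, like the "*" action on the
# slide.  Team A may push its own images, team B its own, anyone may pull.
ACL = [
    ("jane", "prod-a/*", {"pull", "push"}),   # production team A
    ("bob", "prod-b/*", {"pull", "push"}),    # production team B
    ("*", "prod-*/*", {"pull"}),              # anyone may pull production images
    ("admin", "*", {"*"}),
]

_PARAM_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_challenge(header):
    """Split a 'Bearer realm=..., service=..., scope=...' challenge into a dict.

    A registry may repeat the scope parameter; this simple parser keeps the
    last one, which is enough for a single-repository request.
    """
    scheme, _, params = header.partition(" ")
    if scheme != "Bearer":
        raise ValueError("expected a Bearer challenge, got %r" % scheme)
    return dict(_PARAM_RE.findall(params))


def parse_scope(scope):
    """'repository:samalba/my-app:pull,push' -> ('repository', 'samalba/my-app', ['pull', 'push'])."""
    parts = scope.split(":")
    if len(parts) != 3:
        raise ValueError("malformed scope %r" % scope)
    typ, name, actions = parts
    return typ, name, [a for a in actions.split(",") if a]


def allowed_actions(user, repo):
    """Union of the actions every matching ACL entry grants this user on this repo."""
    granted = set()
    for user_glob, repo_glob, actions in ACL:
        if fnmatch.fnmatchcase(user, user_glob) and fnmatch.fnmatchcase(repo, repo_glob):
            granted |= ALL_ACTIONS if "*" in actions else actions
    return granted


def authorize(user, scope):
    """Build the token's access entry: the requested actions the ACL lets `user` have.

    The token server signs this into the bearer token and the registry only
    serves operations listed in it, so a push by a user who may only pull
    yields a token whose actions are ["pull"] and the push is refused.
    """
    typ, name, requested = parse_scope(scope)
    if typ != "repository":
        return {"type": typ, "name": name, "actions": []}
    wanted = ALL_ACTIONS if "*" in requested else set(requested)
    return {"type": typ, "name": name, "actions": sorted(wanted & allowed_actions(user, name))}


if __name__ == "__main__":
    print(parse_challenge(CHALLENGE))
    for user in ("jane", "bob", "admin", "mallory"):
        print(user, "->", authorize(user, "repository:prod-a/web:pull,push"))
```

Denial here is silent from the token server's point of view: it still issues a token, just one whose `actions` list lacks `push`, and the registry is what rejects the upload. That is also why the audit trail belongs on the registry side rather than only on the auth service.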
Audit Logging
What happened in the past?
(Photograph by U.S. Department of Labor)
Why Audit Logging?
- Who pushed the last change to image A?
- When was image B last changed?
Docker Registry Audit Logging
- Registry server logs: docker logs registry
- Registry notifications
  - https://docs.docker.com/registry/notifications/
  - Webhook notifications to external service
  - Registry sends JSON blob of details
  - You can extract the interesting bits and save them
Audit Logging Demo
Demonstrate configuring the registry to send notifications to our server
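The receiving side of the notification demo, as an added example that is not the talk's demo code: a webhook endpoint that takes the registry's `{"events": [...]}` envelope, keeps only manifest pushes (layer-blob uploads raise `push` events too and would flood the log), and reduces each to the fields that answer "who pushed the last change to image A, and when?". The event shape (`action`, `target.repository`/`tag`/`digest`/`mediaType`, `actor.name`, `timestamp`) is the one documented at the notifications URL above; the sample payload, repositories, user names and digests are constructed for the example.

```python
"""Turn Docker Registry webhook notifications into audit records (added
example, not the talk's demo code).  The registry POSTs a JSON envelope
{"events": [...]} to the endpoint configured under `notifications` in its
config; each event carries action, target (repository, digest, tag, mediaType),
actor (the authenticated user name, which is why authentication makes these
logs useful) and timestamp.  SAMPLE_PAYLOAD is constructed for this example;
its digests are placeholders."""
import json
from http.server import BaseHTTPRequestHandler, HTTPServer

# Blob uploads also raise "push" events; only manifest pushes mean "the image
# changed", so filter on the manifest media types.
MANIFEST_PREFIXES = (
    "application/vnd.docker.distribution.manifest.",
    "application/vnd.oci.image.manifest.",
)

SAMPLE_PAYLOAD = json.dumps({"events": [
    {"id": "evt-1", "timestamp": "2016-10-31T09:00:00Z", "action": "push",
     "target": {"mediaType": "application/vnd.docker.distribution.manifest.v2+json",
                "repository": "prod-a/web", "tag": "1.0",
                "digest": "sha256:" + "a" * 64},
     "actor": {"name": "jane"}, "request": {"addr": "10.0.0.5:51234"}},
    {"id": "evt-2", "timestamp": "2016-10-31T09:00:01Z", "action": "push",
     "target": {"mediaType": "application/octet-stream",  # a layer blob, not an image change
                "repository": "prod-a/web", "digest": "sha256:" + "b" * 64},
     "actor": {"name": "jane"}, "request": {"addr": "10.0.0.5:51234"}},
    {"id": "evt-3", "timestamp": "2016-11-02T14:30:00Z", "action": "push",
     "target": {"mediaType": "application/vnd.docker.distribution.manifest.v2+json",
                "repository": "prod-a/web", "tag": "1.1",
                "digest": "sha256:" + "c" * 64},
     "actor": {"name": "jane"}, "request": {"addr": "10.0.0.7:40001"}},
    {"id": "evt-4", "timestamp": "2016-11-03T08:00:00Z", "action": "pull",
     "target": {"mediaType": "application/vnd.docker.distribution.manifest.v2+json",
                "repository": "prod-a/web", "tag": "1.1",
                "digest": "sha256:" + "c" * 64},
     "actor": {"name": "bob"}, "request": {"addr": "10.0.0.9:33000"}},
]})


def extract_audit_records(payload_text):
    """Keep only manifest pushes and reduce each to the fields an auditor asks for."""
    records = []
    for event in json.loads(payload_text).get("events", []):
        target = event.get("target", {})
        if event.get("action") != "push":
            continue
        if not target.get("mediaType", "").startswith(MANIFEST_PREFIXES):
            continue
        records.append({
            "time": event.get("timestamp"),
            "actor": event.get("actor", {}).get("name") or "<anonymous>",
            "repository": target.get("repository"),
            "tag": target.get("tag"),
            "digest": target.get("digest"),
            "client": event.get("request", {}).get("addr"),
        })
    return records


def last_change(records, repository):
    """Answer 'who pushed the last change to image X, and when?'"""
    hits = [r for r in records if r["repository"] == repository]
    return max(hits, key=lambda r: r["time"]) if hits else None


AUDIT_LOG = []  # in-memory for the example; append to a durable store in practice


class NotificationHandler(BaseHTTPRequestHandler):
    """Webhook endpoint the registry's notifications config points at."""

    def do_POST(self):
        body = self.rfile.read(int(self.headers.get("Content-Length", 0)))
        AUDIT_LOG.extend(extract_audit_records(body.decode("utf-8")))
        self.send_response(200)  # the registry retries deliveries that are not 2xx
        self.end_headers()


if __name__ == "__main__":
    records = extract_audit_records(SAMPLE_PAYLOAD)
    for rec in records:
        print(rec)
    print("last change to prod-a/web:", last_change(records, "prod-a/web"))
    HTTPServer(("127.0.0.1", 8080), NotificationHandler).serve_forever()
```

Run stand-alone it prints the two manifest pushes from the sample (the blob push and the pull are dropped) and then listens on 127.0.0.1:8080 for real envelopes. Because `actor.name` is whatever the auth service put in the token, an anonymous-pull registry would log `<anonymous>` for every push, which is the "pushed by Jane Doe" difference the authentication slides describe.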
Kubernetes and Registry Authentication
- http://kubernetes.io/docs/user-guide/images/
- kubelet acts as the Docker client for pulling images
- So, same choices as previously mentioned for the Docker client:
  - docker login, password in /root/.docker/config.json
  - credential manager, configured in config.json
- Or the user can provide their own image registry "password" as an image pull secret in their pod manifest
  - kubelet creates a one-off config.json in this case
The End
- Me: @jason_heiss
- This talk: slides and demo code at https://github.com/twosigma/docker-repo-auth-demo
- Work: Two Sigma Investments, https://www.twosigma.com/
  - We're hiring!

Zilliz
 
Mule Experience Hub and Release Channel with Java 17
Mule Experience Hub and Release Channel with Java 17Mule Experience Hub and Release Channel with Java 17
Mule Experience Hub and Release Channel with Java 17
Bhajan Mehta
 
Computer HARDWARE presenattion by CWD students class 10
Computer HARDWARE presenattion by CWD students class 10Computer HARDWARE presenattion by CWD students class 10
Computer HARDWARE presenattion by CWD students class 10
ankush9927
 
Premium Girls Call Mumbai 9920725232 Unlimited Short Providing Girls Service ...
Premium Girls Call Mumbai 9920725232 Unlimited Short Providing Girls Service ...Premium Girls Call Mumbai 9920725232 Unlimited Short Providing Girls Service ...
Premium Girls Call Mumbai 9920725232 Unlimited Short Providing Girls Service ...
shanihomely
 
IPLOOK Remote-Sensing Satellite Solution
IPLOOK Remote-Sensing Satellite SolutionIPLOOK Remote-Sensing Satellite Solution
IPLOOK Remote-Sensing Satellite Solution
IPLOOK Networks
 

Recently uploaded (20)

Step-By-Step Process to Develop a Mobile App From Scratch
Step-By-Step Process to Develop a Mobile App From ScratchStep-By-Step Process to Develop a Mobile App From Scratch
Step-By-Step Process to Develop a Mobile App From Scratch
 
Mastering OnlyFans Clone App Development: Key Strategies for Success
Mastering OnlyFans Clone App Development: Key Strategies for SuccessMastering OnlyFans Clone App Development: Key Strategies for Success
Mastering OnlyFans Clone App Development: Key Strategies for Success
 
Types of Weaving loom machine & it's technology
Types of Weaving loom machine & it's technologyTypes of Weaving loom machine & it's technology
Types of Weaving loom machine & it's technology
 
Use Cases & Benefits of RPA in Manufacturing in 2024.pptx
Use Cases & Benefits of RPA in Manufacturing in 2024.pptxUse Cases & Benefits of RPA in Manufacturing in 2024.pptx
Use Cases & Benefits of RPA in Manufacturing in 2024.pptx
 
(CISOPlatform Summit & SACON 2024) Orientation by CISO Platform_ Using CISO P...
(CISOPlatform Summit & SACON 2024) Orientation by CISO Platform_ Using CISO P...(CISOPlatform Summit & SACON 2024) Orientation by CISO Platform_ Using CISO P...
(CISOPlatform Summit & SACON 2024) Orientation by CISO Platform_ Using CISO P...
 
(CISOPlatform Summit & SACON 2024) Digital Personal Data Protection Act.pdf
(CISOPlatform Summit & SACON 2024) Digital Personal Data Protection Act.pdf(CISOPlatform Summit & SACON 2024) Digital Personal Data Protection Act.pdf
(CISOPlatform Summit & SACON 2024) Digital Personal Data Protection Act.pdf
 
Dublin_mulesoft_meetup_Mulesoft_Salesforce_Integration (1).pptx
Dublin_mulesoft_meetup_Mulesoft_Salesforce_Integration (1).pptxDublin_mulesoft_meetup_Mulesoft_Salesforce_Integration (1).pptx
Dublin_mulesoft_meetup_Mulesoft_Salesforce_Integration (1).pptx
 
leewayhertz.com-Generative AI tech stack Frameworks infrastructure models and...
leewayhertz.com-Generative AI tech stack Frameworks infrastructure models and...leewayhertz.com-Generative AI tech stack Frameworks infrastructure models and...
leewayhertz.com-Generative AI tech stack Frameworks infrastructure models and...
 
High Profile Girls Call ServiCe Hyderabad 0000000000 Tanisha Best High Class ...
High Profile Girls Call ServiCe Hyderabad 0000000000 Tanisha Best High Class ...High Profile Girls Call ServiCe Hyderabad 0000000000 Tanisha Best High Class ...
High Profile Girls Call ServiCe Hyderabad 0000000000 Tanisha Best High Class ...
 
BLOCKCHAIN TECHNOLOGY - Advantages and Disadvantages
BLOCKCHAIN TECHNOLOGY - Advantages and DisadvantagesBLOCKCHAIN TECHNOLOGY - Advantages and Disadvantages
BLOCKCHAIN TECHNOLOGY - Advantages and Disadvantages
 
Integrating Kafka with MuleSoft 4 and usecase
Integrating Kafka with MuleSoft 4 and usecaseIntegrating Kafka with MuleSoft 4 and usecase
Integrating Kafka with MuleSoft 4 and usecase
 
MAKE MONEY ONLINE Unlock Your Income Potential Today.pptx
MAKE MONEY ONLINE Unlock Your Income Potential Today.pptxMAKE MONEY ONLINE Unlock Your Income Potential Today.pptx
MAKE MONEY ONLINE Unlock Your Income Potential Today.pptx
 
How UiPath Discovery Suite supports identification of Agentic Process Automat...
How UiPath Discovery Suite supports identification of Agentic Process Automat...How UiPath Discovery Suite supports identification of Agentic Process Automat...
How UiPath Discovery Suite supports identification of Agentic Process Automat...
 
Opencast Summit 2024 — Opencast @ University of Münster
Opencast Summit 2024 — Opencast @ University of MünsterOpencast Summit 2024 — Opencast @ University of Münster
Opencast Summit 2024 — Opencast @ University of Münster
 
Feature sql server terbaru performance.pptx
Feature sql server terbaru performance.pptxFeature sql server terbaru performance.pptx
Feature sql server terbaru performance.pptx
 
Using LLM Agents with Llama 3, LangGraph and Milvus
Using LLM Agents with Llama 3, LangGraph and MilvusUsing LLM Agents with Llama 3, LangGraph and Milvus
Using LLM Agents with Llama 3, LangGraph and Milvus
 
Mule Experience Hub and Release Channel with Java 17
Mule Experience Hub and Release Channel with Java 17Mule Experience Hub and Release Channel with Java 17
Mule Experience Hub and Release Channel with Java 17
 
Computer HARDWARE presenattion by CWD students class 10
Computer HARDWARE presenattion by CWD students class 10Computer HARDWARE presenattion by CWD students class 10
Computer HARDWARE presenattion by CWD students class 10
 
Premium Girls Call Mumbai 9920725232 Unlimited Short Providing Girls Service ...
Premium Girls Call Mumbai 9920725232 Unlimited Short Providing Girls Service ...Premium Girls Call Mumbai 9920725232 Unlimited Short Providing Girls Service ...
Premium Girls Call Mumbai 9920725232 Unlimited Short Providing Girls Service ...
 
IPLOOK Remote-Sensing Satellite Solution
IPLOOK Remote-Sensing Satellite SolutionIPLOOK Remote-Sensing Satellite Solution
IPLOOK Remote-Sensing Satellite Solution
 

ContainerDays NYC 2016: "Securing Your Docker Image Registry for Production" (Jason Heiss)

1. Securing Your Docker Image Registry for Production
   www.twosigma.com, November 16, 2016, Jason Heiss

2. Image Registry
   - A place to store your container images
   - Private version of hub.docker.com

3. Image Registry Security
   - Why do we need registry security?
     - Malicious changes
     - Inadvertent changes
       - Developer pushes to production image
       - Production team A pushes to Production team B image
     - Naming standards (misspelled and throwaway names that a standard should reject):
       - hub.example.com/databese:1.0
       - hub.example.com/my_quick_hack:0.1

5. Authentication
   Who is the user?
   Photograph by Robert Rexach

6. Why Authentication?
   - Hard to do authorization without authentication
   - Makes audit logs more useful:
     - "Image X pushed Oct 31, 2016" versus
     - "Image X pushed by Jane Doe Oct 31, 2016"

7. Authentication Choices
   - Lots of choices
     - Password
     - SSL cert
     - Kerberos
     - Fingerprint
     - Physical token
   - Many organizations have unusual or custom authentication needs

8. Image Registry Choices
   - Docker Registry (open source)
   - Docker Trusted Registry
   - CoreOS Quay Enterprise
   - JFrog Artifactory
     - Notable for allowing you to front it with Apache httpd or nginx for authentication
     - You can use any authentication scheme supported by httpd or nginx

9. Docker Registry
   Proprietary and Confidential – Not for Redistribution
   Image from https://docs.docker.com/registry/spec/auth/token/
   - Registry answers an unauthenticated request with 401 and a WWW-Authenticate: Bearer challenge that names the auth service (realm), the registry (service) and the access the request needs (scope); the daemon follows that challenge to the auth service (it is a challenge header, not an HTTP redirect)
   - Daemon authenticates to auth service with password or OAuth2 token, gets a bearer token
   - Daemon uses bearer token to authenticate to registry
   - Registry trusts bearer tokens from auth service based on a public/private key pair that you configure: the auth service signs with the private key, the registry verifies with the public key
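The trust relationship described on this slide, as an added example written for this page (it is neither the talk's demo code nor the registry's own implementation): the auth service mints an RS256-signed JWT whose access claim lists the granted actions, and the registry accepts it only if the signature verifies under the public key it was configured with, the audience is its own service name and the token has not expired. The claim layout follows the registry token spec; the repository prod/database, the user jane and the service names are assumptions for illustration. Call Mint with the auth service's private key, Verify with the matching public key, then Allowed once per request:

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
	"time"
)

// Access is one entry of the token's "access" claim (same shape as the registry token spec).
type Access struct {
	Type    string   `json:"type"`
	Name    string   `json:"name"`
	Actions []string `json:"actions"`
}

// Claims is the signed body of the token; the registry checks signature, audience and expiry.
type Claims struct {
	Subject  string   `json:"sub"`
	Audience string   `json:"aud"`
	Expires  int64    `json:"exp"`
	Access   []Access `json:"access"`
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// Mint is the auth service side: RS256 (PKCS#1 v1.5 over SHA-256) with the service's
// private key, producing a compact header.payload.signature JWT.
func Mint(priv *rsa.PrivateKey, c Claims) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	payload, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	signingInput := b64(header) + "." + b64(payload)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64(sig), nil
}

// Verify is the registry side. Nothing in the token is trusted until the signature checks
// against the auth service's configured public key; the algorithm is pinned so a client
// cannot downgrade to "none" or to HMAC keyed with the public key.
func Verify(pub *rsa.PublicKey, token, service string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	raw := make([][]byte, 3) // decoded header, payload, signature
	for i, p := range parts {
		b, err := base64.RawURLEncoding.DecodeString(p)
		if err != nil {
			return nil, errors.New("malformed token")
		}
		raw[i] = b
	}
	var hdr struct{ Alg string `json:"alg"` }
	if json.Unmarshal(raw[0], &hdr) != nil || hdr.Alg != "RS256" {
		return nil, errors.New("unsupported or malformed header")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], raw[2]) != nil {
		return nil, errors.New("bad signature: not issued by the trusted auth service")
	}
	var c Claims
	if err := json.Unmarshal(raw[1], &c); err != nil {
		return nil, err
	}
	if c.Audience != service {
		return nil, errors.New("token was issued for a different registry")
	}
	if now.Unix() >= c.Expires {
		return nil, errors.New("token expired")
	}
	return &c, nil
}

// Allowed is the per-request check the registry makes once the token is trusted;
// "*" in the granted actions means any action on that repository.
func (c *Claims) Allowed(repo, action string) bool {
	for _, a := range c.Access {
		for _, granted := range a.Actions {
			if a.Type == "repository" && a.Name == repo && (granted == action || granted == "*") {
				return true
			}
		}
	}
	return false
}
```

The order of the checks is the point: the payload is not even decoded before the signature has been verified, so a forged or tampered token never influences an authorization decision, and a token minted for a different registry (wrong aud) or by a different key is rejected even though it is otherwise well-formed.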
10. Docker Registry
   (Same diagram and bullets as slide 9.)

11. Auth Service Choices
   - https://github.com/docker/distribution/tree/master/contrib/token-server
   - https://github.com/cesanta/docker_auth
   - https://github.com/opendns/registry-oauth-server
   - https://github.com/SUSE/Portus
   - GitLab Container Registry

12. Authentication Demo
   Demonstrate authentication with Docker Registry, Docker Engine (Client/Daemon), and https://github.com/opendns/registry-oauth-server

13. Docker Client and Registry Authentication
   - Docker daemon asks Docker client for username, password to authenticate to registry auth server
     - https://docs.docker.com/engine/reference/commandline/login/
     - docker login
     - Password stored in $HOME/.docker/config.json, base64-encoded but not encrypted
   - Credentials store
     - Configured in config.json: {"credsStore": "mycredstore"}
     - Docker runs docker-credential-mycredstore
     - Must be in your PATH
     - Can be abused to fetch a password on the fly instead of storing one at all
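The "fetch a password on the fly" trick from this slide, as an added example for this page rather than the talk's demo code: a credential helper speaks a small protocol with the CLI (the action, get/store/erase/list, is the first argument; the payload, a server URL or a credentials JSON, arrives on stdin; the answer goes to stdout). This helper never stores anything: on get it resolves the secret from a Lookup, here the process environment (REGISTRY_USER and REGISTRY_PASSWORD are this example's assumption), so a CI job can hand a short-lived token to docker without it ever landing in config.json. Build it as docker-credential-mycredstore, put it on PATH and set {"credsStore": "mycredstore"}:

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"os"
	"strings"
)

// Credentials is the JSON a docker-credential-* helper exchanges with the CLI.
type Credentials struct {
	ServerURL string
	Username  string
	Secret    string
}

// Lookup resolves a registry URL to a username and a (preferably short-lived) secret.
type Lookup func(serverURL string) (Credentials, bool)

// Run implements the helper protocol: the action is argv[1], the payload is
// stdin, the answer is stdout, and the exit code tells the CLI whether it worked.
func Run(action string, stdin io.Reader, stdout io.Writer, lookup Lookup) int {
	in, _ := io.ReadAll(stdin)
	payload := strings.TrimSpace(string(in))
	switch action {
	case "get": // stdin is the server URL; answer with the credentials JSON
		creds, ok := lookup(payload)
		if !ok {
			// the message the docker-credential-helpers library uses for "nothing stored"
			fmt.Fprintln(stdout, "credentials not found in native keychain")
			return 1
		}
		creds.ServerURL = payload
		json.NewEncoder(stdout).Encode(creds)
		return 0
	case "store", "erase": // read-only helper: docker login/logout have nothing to persist
		return 0
	case "list": // server URL -> username; nothing is stored, so nothing to list
		json.NewEncoder(stdout).Encode(map[string]string{})
		return 0
	}
	fmt.Fprintln(stdout, "unknown action", action)
	return 1
}

// envLookup is this example's assumption about where the secret comes from:
// the process environment, e.g. a token a CI job was handed for its lifetime.
func envLookup(serverURL string) (Credentials, bool) {
	user, pass := os.Getenv("REGISTRY_USER"), os.Getenv("REGISTRY_PASSWORD")
	if user == "" || pass == "" {
		return Credentials{}, false
	}
	return Credentials{Username: user, Secret: pass}, true
}

func main() {
	if len(os.Args) < 2 {
		fmt.Fprintln(os.Stderr, "usage: docker-credential-mycredstore get|store|erase|list")
		os.Exit(1)
	}
	os.Exit(Run(os.Args[1], os.Stdin, os.Stdout, envLookup))
}
```

Because the helper is found by name on PATH and runs with the user's privileges, the abuse works both ways: whoever can write to an earlier PATH entry can drop in a docker-credential-mycredstore that captures every password the CLI hands to store, so the helper binary deserves the same ownership and permission checks as the config.json it replaces.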
14. Credentials Store Demo
   Demonstrate using a credentials store to fetch a password

15. Authorization
   What is the user allowed to do?
   Photograph by Tony Webster

16. Docker Registry
   (Token authentication diagram again, image from https://docs.docker.com/registry/spec/auth/token/)

17. Docker Registry Authorization
   - The challenge the registry sends (which points the daemon at the auth service) includes info about the requested operation
     - Actions: push, pull, *
   - Auth server lists the allowed actions in the token it returns; the registry enforces that list, so the auth server can grant fewer actions than were asked for
   - Example challenge header:
     WWW-Authenticate: Bearer realm="https://auth.example.com/token", service="registry.example.com", scope="repository:samalba/my-app:pull,push"
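The auth-server half of this slide, as an added example for this page (not the talk's demo code and not the policy format of any of the auth services listed earlier): parse the WWW-Authenticate challenge and its scope parameter, then decide which of the requested actions a user actually gets. The Policy type (repository prefix, then group, then actions) and the groups developers, prod-team-a and prod-team-b are assumptions for illustration; the decision it encodes is the one slide 3 asks for, developers may pull production images but not push them, and team A may not push to team B's images:

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// Challenge is what the registry puts in WWW-Authenticate: Bearer ... when a
// request arrives without a usable token.
type Challenge struct {
	Realm   string // token endpoint of the auth service
	Service string // registry name; becomes the token's audience
	Scope   string // zero or more "type:name:actions" items, space separated
}

// Scope is one parsed scope item, e.g. repository:samalba/my-app:pull,push.
type Scope struct {
	Type    string
	Name    string
	Actions []string
}

var paramRe = regexp.MustCompile(`(\w+)="([^"]*)"`)

// ParseChallenge extracts realm, service and scope from the header value.
func ParseChallenge(header string) (Challenge, error) {
	const prefix = "Bearer "
	if !strings.HasPrefix(header, prefix) {
		return Challenge{}, errors.New("not a Bearer challenge")
	}
	var c Challenge
	for _, m := range paramRe.FindAllStringSubmatch(header[len(prefix):], -1) {
		switch m[1] {
		case "realm":
			c.Realm = m[2]
		case "service":
			c.Service = m[2]
		case "scope":
			c.Scope = m[2]
		}
	}
	if c.Realm == "" || c.Service == "" {
		return Challenge{}, errors.New("challenge lacks realm or service")
	}
	return c, nil
}

// ParseScopes splits the scope parameter into resource type, name and the
// actions the client is asking for.
func ParseScopes(param string) ([]Scope, error) {
	var out []Scope
	for _, item := range strings.Fields(param) {
		f := strings.SplitN(item, ":", 3)
		if len(f) != 3 || f[0] == "" || f[1] == "" || f[2] == "" {
			return nil, fmt.Errorf("malformed scope %q", item)
		}
		out = append(out, Scope{Type: f[0], Name: f[1], Actions: strings.Split(f[2], ",")})
	}
	return out, nil
}

// Policy is a toy rule set, an assumption of this example rather than the
// format of any real auth server: repository prefix -> group -> actions.
type Policy map[string]map[string][]string

// Grant returns the subset of the requested actions the policy allows for a
// user in the given groups. That subset is what the auth service writes into
// the token's access claim; asking for more than you may have does not fail
// the login, the registry simply receives a token without those actions.
func (p Policy) Grant(groups []string, s Scope) []string {
	allowed := map[string]bool{}
	for prefix, byGroup := range p {
		if s.Type != "repository" || !strings.HasPrefix(s.Name, prefix) {
			continue
		}
		for _, g := range groups {
			for _, a := range byGroup[g] {
				allowed[a] = true
			}
		}
	}
	var granted []string
	seen := map[string]bool{}
	for _, want := range s.Actions {
		candidates := []string{want}
		if want == "*" { // expand the wildcard; never grant "*" itself
			candidates = []string{"pull", "push"}
		}
		for _, a := range candidates {
			if allowed[a] && !seen[a] {
				seen[a] = true
				granted = append(granted, a)
			}
		}
	}
	return granted
}
```

Two details matter in practice: prefixes end in a slash (prod/ must not match production-experiments/...), and a requested * is expanded into the concrete actions the user holds rather than copied into the token, since a literal * in the access claim would be honoured by the registry as "anything".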
18. Authorization Demo
   Demonstrate allowing or blocking actions based on the scope parameter sent to the auth server

19. Audit Logging
   What happened in the past?
   Photograph by U.S. Department of Labor

20. Why Audit Logging?
   - Who pushed the last change to image A?
   - When was image B last changed?

21. Docker Registry Audit Logging
   - Registry server logs: docker logs registry
   - Registry notifications
     - https://docs.docker.com/registry/notifications/
     - Webhook notifications to external service
     - Registry sends JSON blob of details
     - You can extract the interesting bits and save them
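The "extract the interesting bits" step, as an added example for this page rather than the talk's demo server: a webhook that decodes the registry's notification envelope, keeps only manifest-level events (the ones that mean "image changed" or "image fetched", dropping the per-layer blob noise) and records who, what, which tag and digest, from where, when. The event field names are those of the registry notification format; the endpoint name, URL, the shared secret topsecret and the sample events are constructed for this example:

```go
package main

import (
	"crypto/subtle"
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"strings"
	"time"
)

// The registry side is configuration (keys from https://docs.docker.com/registry/notifications/):
//   notifications:
//     endpoints:
//       - {name: audit, url: https://audit.example.com/registry-events, headers: {Authorization: [Bearer topsecret]}}

// Event declares only the fields an audit trail needs; the rest of the JSON is ignored.
type Event struct {
	Timestamp time.Time `json:"timestamp"`
	Action    string    `json:"action"` // push, pull or delete
	Target    struct {
		MediaType  string `json:"mediaType"`
		Digest     string `json:"digest"`
		Repository string `json:"repository"`
		Tag        string `json:"tag"`
	} `json:"target"`
	Request struct {
		Addr string `json:"addr"`
	} `json:"request"`
	Actor struct {
		Name string `json:"name"` // authenticated user; empty on an anonymous registry
	} `json:"actor"`
}

// Record is the one line per image-level event that we keep.
type Record struct {
	When                                   time.Time
	Actor, Action, Repository, Tag, Digest string
	ClientAddr                             string
}

// isManifest separates image-level events from the per-layer blob traffic of every push and pull.
func isManifest(mediaType string) bool {
	return strings.Contains(mediaType, "manifest") || strings.Contains(mediaType, "image.index")
}

// Extract decodes a notification envelope and keeps the manifest events.
func Extract(body io.Reader) ([]Record, error) {
	var env struct {
		Events []Event `json:"events"`
	}
	if err := json.NewDecoder(body).Decode(&env); err != nil {
		return nil, err
	}
	var out []Record
	for _, e := range env.Events {
		if isManifest(e.Target.MediaType) {
			out = append(out, Record{When: e.Timestamp, Actor: e.Actor.Name, Action: e.Action, Repository: e.Target.Repository,
				Tag: e.Target.Tag, Digest: e.Target.Digest, ClientAddr: e.Request.Addr})
		}
	}
	return out, nil
}

// Handler is the webhook. Anyone who can POST here could forge audit entries,
// so it insists on the shared secret the registry is configured to send.
func Handler(secret string, sink func(Record)) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		got := strings.TrimPrefix(r.Header.Get("Authorization"), "Bearer ")
		if r.Method != http.MethodPost || subtle.ConstantTimeCompare([]byte(got), []byte(secret)) != 1 {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		recs, err := Extract(r.Body)
		if err != nil {
			http.Error(w, err.Error(), http.StatusBadRequest)
			return
		}
		for _, rec := range recs {
			sink(rec)
		}
		w.WriteHeader(http.StatusOK) // anything but 2xx makes the registry retry
	}
}

// SampleBody is a constructed envelope, not captured from a real registry.
const SampleBody = `{"events":[
 {"timestamp":"2016-10-31T12:00:00Z","action":"push","target":{"mediaType":"application/vnd.docker.distribution.manifest.v2+json","digest":"sha256:aaaa","repository":"prod/database","tag":"1.0"},"request":{"addr":"10.0.0.5:51234"},"actor":{"name":"jane"}},
 {"timestamp":"2016-10-31T12:00:00Z","action":"push","target":{"mediaType":"application/vnd.docker.image.rootfs.diff.tar.gzip","digest":"sha256:bbbb","repository":"prod/database"},"request":{"addr":"10.0.0.5:51234"},"actor":{"name":"jane"}},
 {"timestamp":"2016-10-31T12:05:00Z","action":"pull","target":{"mediaType":"application/vnd.docker.distribution.manifest.v2+json","digest":"sha256:aaaa","repository":"prod/database","tag":"1.0"},"request":{"addr":"10.0.0.9:40000"},"actor":{"name":"kubelet-node3"}}
]}`

func main() {
	recs, _ := Extract(strings.NewReader(SampleBody))
	for _, r := range recs {
		fmt.Printf("%s %s %s %s:%s %s from %s\n", r.When.Format(time.RFC3339), r.Actor, r.Action, r.Repository, r.Tag, r.Digest, r.ClientAddr)
	}
}
```

The actor name is only as good as the authentication in front of the registry, which is the link back to the first half of the talk: with anonymous access the actor field is empty and the audit trail degrades to "image X pushed from 10.0.0.5". Keep the digest as well as the tag, since a tag can be moved to a different image and the digest is what you will need to answer "what exactly was running".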
22. Audit Logging Demo
   Demonstrate configuring the registry to send notifications to our server

23. Kubernetes and Registry Authentication
   - http://kubernetes.io/docs/user-guide/images/
   - kubelet acts as the Docker client for pulling images
   - So, same choices as previously mentioned for the Docker client:
     - docker login, password in /root/.docker/config.json
     - credential manager, configured in config.json
   - Or the user can provide their own image registry "password" as an image pull secret (imagePullSecrets) in their pod manifest
     - kubelet creates a one-off config.json in this case

24. The End
   - Me: @jason_heiss
   - This talk: slides and demo code at https://github.com/twosigma/docker-repo-auth-demo
   - Work: Two Sigma Investments, https://www.twosigma.com/
   - We're hiring!