IT’S 2018. ARE MY CONTAINERS SECURE YET?!
DevOps Pro Vilnius
@estesp
HELLO!
Phil Estes
> Office of the CTO, IBM Cloud
> Docker Captain
> Docker engine contributor
> Containerd and Moby Project maintainer
1. A BRIEF OVERVIEW
Easing into containers: the what and why of security
CONTAINERS AREN’T REAL (@jessfraz)
◈ Containers on Linux are an assembly of Linux kernel isolation features
◈ These features have been developed independently
◈ Significant use and testing has improved these areas over the past several years, but...

CGROUPS + NAMESPACES + SECURITY FEATURES
Cgroups: memory, CPU, disk
Namespaces: mount, user, network, UTS, IPC, cgroup...
Security features: AppArmor, SELinux, seccomp, capabilities
CONTAINERS AREN’T PERFECT
◈ Kernel isolation features continue to have CVEs
◈ Hedging on lightweight virtualization has gained popularity (e.g. Hyper.sh, Intel Clear Containers)
◈ Docker and Kubernetes have added other elements to “containers” that require security awareness:
◆ Container Images (mini OS images!)
◆ Container Networking
◆ Storage/Volumes/Secrets
◆ Orchestration/Distributed Systems security
WHAT DO WE WANT FROM CONTAINERS?
> Isolation from host
> Security from other tenants
> Resource limits
> Secure SW supply chain
> Immutability
> Repeatability/reproducibility
SECURITY HAS IMPROVED SIGNIFICANTLY
◈ Docker focused on security in 2016-2017
◆ Application secrets, better “sane by default” policies (AppArmor, Seccomp), User namespaces, Swarm mode node security, image signing, secure image format/protocol
◈ Security vendor offerings around containers have exploded in the past 24 months
◈ Project Grafeas, Entitlements, Kubernetes security improvements are all recent advancements
◈ Defense-in-depth model is a valuable approach
2. HOST SECURITY
Container runtimes run on a Linux (or Windows) server
HOST OS SECURITY
◈ Containers use a shared kernel
◆ Escapes through kernel would affect all containers
◆ --privileged should be used very sparingly
◈ Root on container runtime most likely means root on system
◈ Tenancy: single tenancy per node? Multi-tenancy with VMs?

[Diagram: BARE METAL {or} VM → HOST OS/KERNEL → CONTAINER RUNTIME { orchestrator } → CTR CTR CTR, with an Image Registry feeding the runtime]
3. CONTENT SECURITY
Container images are an important part of a security posture
CONTAINER IMAGE/CONTENT SECURITY
◈ (Base) Images updated regularly
◆ Use image scanning tools
◆ Don’t treat containers like VMs!
◈ Least privilege mentality:
◆ No root user
◆ Minimal, read-only if possible
◆ Drop privileges
◈ Image signing & provenance (Docker Content Trust/Notary)
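The least-privilege bullets above (no root user, read-only where possible, drop privileges, --privileged only sparingly) can be checked directly against `docker inspect` output. The following audit is an added example, not code from the slides or from Docker: the JSON field names are Docker's, while the severities, the DANGEROUS_CAPS list and the sample records are this example's own constructed choices.

```python
"""Least-privilege audit of `docker inspect` output (added example; the field
names are Docker's, the checks and severities are this example's own)."""
import json

# Capabilities whose addition largely undoes the container/host boundary
# (example's own list, not an official one).
DANGEROUS_CAPS = {"SYS_ADMIN", "SYS_PTRACE", "SYS_MODULE", "SYS_RAWIO",
                  "NET_ADMIN", "DAC_READ_SEARCH", "SYS_BOOT"}


def _norm_cap(cap):
    """Docker accepts both 'SYS_ADMIN' and 'CAP_SYS_ADMIN'; compare on one form."""
    cap = cap.upper()
    return cap[4:] if cap.startswith("CAP_") else cap


def audit_container(c):
    """Return (severity, message) findings for one `docker inspect` record."""
    name = c.get("Name", "?").lstrip("/")
    host = c.get("HostConfig") or {}
    cfg = c.get("Config") or {}
    findings = []

    if host.get("Privileged"):
        findings.append(("high", f"{name}: --privileged (all capabilities, host devices)"))

    # Config.User is "" (image default, usually root), "uid", "uid:gid" or a name.
    user = (cfg.get("User") or "").split(":")[0]
    if user in ("", "0", "root"):
        findings.append(("high", f"{name}: runs as root inside the container"))

    if not host.get("ReadonlyRootfs"):
        findings.append(("medium", f"{name}: writable root filesystem"))

    dropped = {_norm_cap(x) for x in (host.get("CapDrop") or [])}
    added = {_norm_cap(x) for x in (host.get("CapAdd") or [])}
    if "ALL" not in dropped:
        findings.append(("medium", f"{name}: keeps Docker's default capability set"))
    for cap in sorted(added & DANGEROUS_CAPS):
        findings.append(("high", f"{name}: adds CAP_{cap}"))

    # SecurityOpt carries the AppArmor/seccomp/no-new-privileges switches.
    opts = host.get("SecurityOpt") or []
    for opt in opts:
        if opt in ("seccomp=unconfined", "apparmor=unconfined"):
            findings.append(("high", f"{name}: default profile disabled ({opt})"))
    if not any(o.startswith("no-new-privileges") for o in opts):
        findings.append(("low", f"{name}: setuid binaries may still gain privileges"))

    # Sharing a host namespace removes that isolation layer entirely.
    for key in ("PidMode", "NetworkMode", "IpcMode"):
        if host.get(key) == "host":
            findings.append(("high", f"{name}: shares the host {key[:-4]} namespace"))
    return findings


def audit_inspect_output(text):
    """Parse `docker inspect` JSON (a list of records) and audit each container."""
    return {c["Name"].lstrip("/"): audit_container(c) for c in json.loads(text)}


def worst_severity(findings):
    order = {"high": 3, "medium": 2, "low": 1}
    return max((sev for sev, _ in findings), key=order.get, default="none")


# Constructed sample resembling `docker inspect` output, trimmed to the fields used.
SAMPLE_INSPECT = json.dumps([
    {"Name": "/web-default", "Config": {"User": ""},
     "HostConfig": {"Privileged": False, "ReadonlyRootfs": False, "CapAdd": None,
                    "CapDrop": None, "SecurityOpt": None, "PidMode": "",
                    "NetworkMode": "default", "IpcMode": ""}},
    {"Name": "/web-hardened", "Config": {"User": "1000:1000"},
     "HostConfig": {"Privileged": False, "ReadonlyRootfs": True,
                    "CapAdd": ["NET_BIND_SERVICE"], "CapDrop": ["ALL"],
                    "SecurityOpt": ["no-new-privileges:true"], "PidMode": "",
                    "NetworkMode": "default", "IpcMode": ""}},
    {"Name": "/debug-priv", "Config": {"User": "root"},
     "HostConfig": {"Privileged": True, "ReadonlyRootfs": False,
                    "CapAdd": ["CAP_SYS_ADMIN"], "CapDrop": None,
                    "SecurityOpt": ["seccomp=unconfined"], "PidMode": "host",
                    "NetworkMode": "default", "IpcMode": ""}},
])

if __name__ == "__main__":
    for name, findings in audit_inspect_output(SAMPLE_INSPECT).items():
        print(f"{name}: worst={worst_severity(findings)}")
        for sev, msg in findings:
            print(f"  [{sev}] {msg}")
```

On a real host, feed it `docker inspect $(docker ps -q)`; the hardened record shows what a clean result looks like, the default record shows how much of the slide's list a plain `docker run` leaves undone.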
4. RUNTIME SECURITY
What security capabilities exist for container runtimes?
CONTAINER RUNTIME/ORCHESTRATOR SECURITY
◈ Understand deployment choices
◆ RBAC? Who has access to API?
◆ Storage, Network, Volume plugins
◆ Feature switches (e.g. require image signing)
◈ Will you use lightweight virtualization to improve container isolation?
◈ Secrets implementation
5. USABLE SECURITY
If security isn’t usable, then it probably won’t be used
SECURITY WITHOUT USABILITY = NO SECURITY
> Developers will disable security features if they get in the way of progress and/or successful software deployment.
> Developers won’t learn how to enable security features. They are too busy. Features must be enabled with sane defaults.
THE SECURITY CONUNDRUM
◈ Who will decide what is “secure” for your business?
◆ A myriad of choices requires expertise to make decisions
◈ Developers will turn off intrusive security
◈ DevOps implications
◆ CI/CD impact (source/upstream hygiene, image scanning, provenance/signing, promotion policies)
◆ Security vendors offering UX to bring “manageability” to help with choices, configuration, auditing
STEPS ON THE RIGHT PATH
◈ Container runtimes
◆ Out of the box “sane defaults”
◆ Docker (AppArmor, Seccomp profiles built-in)
◆ Kubelet choices: “secure” or “untrusted” container models
◈ An Example: Docker Swarm Mode
◆ Built-in certificate authority deployment, full TLS intranode encryption, certificate rotation, node secure ID
◆ Kubernetes working on similar improvements, but componentized model of K8s makes it more challenging
6. SECURITY FUTURES
What’s coming next? What improvements will enable better security for the future?
NEW PROJECTS AND NEW IDEAS
◈ Project Grafeas (potentially Kritis)
◈ libentitlement (Moby project)
◈ LinuxKit: using image labels (for defining capabilities/etc.)
◈ Kubernetes runtimes: using annotations to select trust level of runtimes
PROJECT GRAFEAS
> Open, common metadata server API for representing vulnerability/incident data for container images
> Cross-vendor commitment to publish in Grafeas format (Google, IBM, Twistlock, Aqua, Red Hat, etc.)
https://github.com/grafeas/grafeas
MOBY PROJECT: LIBENTITLEMENTS
> Uses concept of Android permission model
> Developers need to understand broad container permission requirements
> Library will translate that to low-level isolation constructs
https://github.com/moby/libentitlement

Android App Permissions (illustration): ACCESS_WIFI_STATE, BLUETOOTH, BLUETOOTH_ADMIN, BROADCAST_STICKY, CHANGE_NETWORK_STATE, CHANGE_WIFI_MULTICAST_STATE, CHANGE_WIFI_STATE, DISABLE_KEYGUARD, EXPAND_STATUS_BAR, GET_PACKAGE_SIZE, INSTALL_SHORTCUT, INTERNET, KILL_BACKGROUND_PROCESSES, MODIFY_AUDIO_SETTINGS
ANNOTATIONS: HINTS FOR CONTAINER RUNTIMES
> A Kubernetes CRI implementation can support multiple underlying container runtimes and use annotations to decide which one (more secure, less secure) to use
> In this case, cri-o can use lightweight virtualization (Intel Clear Containers) for better isolation of untrusted code
Example: io.kubernetes.cri-o.TrustedSandbox: “false”
LINUXKIT: COMBINING SECURITY CONCEPTS
> Uses image label to specify runtime config (e.g. security settings for image)
> Image signing and trust required (on by default)
> Minimal host OS (tiny userspace, runs containers for services)
https://github.com/linuxkit/linuxkit
https://github.com/linuxkit/kubernetes
7. SUMMARY
Conclusions on the state of container security
THE STATE OF CONTAINER SECURITY
◈ Vastly improved from early days of Docker engine
◈ Open source projects have all the right knobs for securing and isolating containers
◈ Vendors providing turnkey solutions for those who want a guided UX to security
◈ Work continues to make security more usable, with sane defaults for your platform
WHAT CAN YOU DO?
◈ Implement “defense in depth”
◆ If one layer of your protection fails, another one may either limit blast radius or also defend against the attack
◈ Understand building blocks of container security
◆ Host
◆ Runtime
◆ Image
◆ Platform-provided (Kubernetes, networking, etc.)
THANKS!
@estesp
github.com/estesp
estesp@gmail.com
https://integratedcode.us
Slack/IRC: estesp
DevOps Pro Vilnius
CREDITS
Special thanks to all the people who made and released these awesome resources for free:
◈ Presentation template by SlidesCarnival
Going AOT: Everything you need to know about GraalVM for Java applications
 
14 th Edition of International conference on computer vision
14 th Edition of International conference on computer vision14 th Edition of International conference on computer vision
14 th Edition of International conference on computer vision
 
如何办理(hull学位证书)英国赫尔大学毕业证硕士文凭原版一模一样
如何办理(hull学位证书)英国赫尔大学毕业证硕士文凭原版一模一样如何办理(hull学位证书)英国赫尔大学毕业证硕士文凭原版一模一样
如何办理(hull学位证书)英国赫尔大学毕业证硕士文凭原版一模一样
 
Building API data products on top of your real-time data infrastructure
Building API data products on top of your real-time data infrastructureBuilding API data products on top of your real-time data infrastructure
Building API data products on top of your real-time data infrastructure
 
一比一原版(UMN毕业证)明尼苏达大学毕业证如何办理
一比一原版(UMN毕业证)明尼苏达大学毕业证如何办理一比一原版(UMN毕业证)明尼苏达大学毕业证如何办理
一比一原版(UMN毕业证)明尼苏达大学毕业证如何办理
 
Boost Your Savings with These Money Management Apps
Boost Your Savings with These Money Management AppsBoost Your Savings with These Money Management Apps
Boost Your Savings with These Money Management Apps
 
Enhanced Screen Flows UI/UX using SLDS with Tom Kitt
Enhanced Screen Flows UI/UX using SLDS with Tom KittEnhanced Screen Flows UI/UX using SLDS with Tom Kitt
Enhanced Screen Flows UI/UX using SLDS with Tom Kitt
 
WMF 2024 - Unlocking the Future of Data Powering Next-Gen AI with Vector Data...
WMF 2024 - Unlocking the Future of Data Powering Next-Gen AI with Vector Data...WMF 2024 - Unlocking the Future of Data Powering Next-Gen AI with Vector Data...
WMF 2024 - Unlocking the Future of Data Powering Next-Gen AI with Vector Data...
 
Stork Product Overview: An AI-Powered Autonomous Delivery Fleet
Stork Product Overview: An AI-Powered Autonomous Delivery FleetStork Product Overview: An AI-Powered Autonomous Delivery Fleet
Stork Product Overview: An AI-Powered Autonomous Delivery Fleet
 
Optimizing Your E-commerce with WooCommerce.pptx
Optimizing Your E-commerce with WooCommerce.pptxOptimizing Your E-commerce with WooCommerce.pptx
Optimizing Your E-commerce with WooCommerce.pptx
 
How GenAI Can Improve Supplier Performance Management.pdf
How GenAI Can Improve Supplier Performance Management.pdfHow GenAI Can Improve Supplier Performance Management.pdf
How GenAI Can Improve Supplier Performance Management.pdf
 
一比一原版(USF毕业证)旧金山大学毕业证如何办理
一比一原版(USF毕业证)旧金山大学毕业证如何办理一比一原版(USF毕业证)旧金山大学毕业证如何办理
一比一原版(USF毕业证)旧金山大学毕业证如何办理
 
Why Apache Kafka Clusters Are Like Galaxies (And Other Cosmic Kafka Quandarie...
Why Apache Kafka Clusters Are Like Galaxies (And Other Cosmic Kafka Quandarie...Why Apache Kafka Clusters Are Like Galaxies (And Other Cosmic Kafka Quandarie...
Why Apache Kafka Clusters Are Like Galaxies (And Other Cosmic Kafka Quandarie...
 
Orca: Nocode Graphical Editor for Container Orchestration
Orca: Nocode Graphical Editor for Container OrchestrationOrca: Nocode Graphical Editor for Container Orchestration
Orca: Nocode Graphical Editor for Container Orchestration
 
美洲杯赔率投注网【​网址​🎉3977·EE​🎉】
美洲杯赔率投注网【​网址​🎉3977·EE​🎉】美洲杯赔率投注网【​网址​🎉3977·EE​🎉】
美洲杯赔率投注网【​网址​🎉3977·EE​🎉】
 
The Comprehensive Guide to Validating Audio-Visual Performances.pdf
The Comprehensive Guide to Validating Audio-Visual Performances.pdfThe Comprehensive Guide to Validating Audio-Visual Performances.pdf
The Comprehensive Guide to Validating Audio-Visual Performances.pdf
 
42 Ways to Generate Real Estate Leads - Sellxpert
42 Ways to Generate Real Estate Leads - Sellxpert42 Ways to Generate Real Estate Leads - Sellxpert
42 Ways to Generate Real Estate Leads - Sellxpert
 
Assure Contact Center Experiences for Your Customers With ThousandEyes
Assure Contact Center Experiences for Your Customers With ThousandEyesAssure Contact Center Experiences for Your Customers With ThousandEyes
Assure Contact Center Experiences for Your Customers With ThousandEyes
 
Unlock the Secrets to Effortless Video Creation with Invideo: Your Ultimate G...
Unlock the Secrets to Effortless Video Creation with Invideo: Your Ultimate G...Unlock the Secrets to Effortless Video Creation with Invideo: Your Ultimate G...
Unlock the Secrets to Effortless Video Creation with Invideo: Your Ultimate G...
 
